Signature Based Detection of User Events for Post-Mortem Forensic Analysis

As seen on DigitalFIRE
The concept of signatures is used in many fields, normally for the detection of some sort of pattern. For example, antivirus and network intrusion detection systems sometimes implement signature matching to attempt to differentiate legitimate code or network traffic from malicious data. The principle of these systems is that, within a given set of data, malicious data will have some recognizable pattern. If malicious code, for example, has a pattern that differs in some way from non-malicious data, then the malicious data may be differentiated with signature-based methods. In terms of malware, however, signature-based methods are becoming less effective as malicious software gains the ability to alter or hide malicious patterns, for example through polymorphic or encrypted code.

This work suggests that signature-based methods may also be used to detect user actions on a digital system. This is based on the principle that computer systems are interactive: when a user interacts with the system, the system is immediately updated. In this work, we analyzed a user’s actions in relation to timestamp updates on the system.

During experimentation, we found that timestamps on a system may be updated for many different reasons. Our work, however, determined that there are at least three major timestamp update patterns given a user action. We define these as Core, Supporting and Shared timestamp update patterns.

Core timestamps are timestamps that are updated each time, and only when, the user action is executed.

Supporting timestamps are timestamps that are updated sometimes, and only when, the user action is executed.

Shared timestamps are timestamps that are shared between multiple user actions. So, for example, the timestamps of a single file might be updated by two different user actions. With shared timestamps it is impossible to determine which action updated the timestamp without more information.

By categorizing timestamps into these three primary categories, we can construct timestamp signatures to detect if and when a user action must have happened. For example, since only one action can update Core timestamps, the time value of the timestamp is approximately the time at which the user action must have taken place.

The same can be said for Supporting timestamps, but we would expect Supporting timestamps values to be at or before the last instance of the user action.

Using this categorization system, and finding associations of timestamps to user actions, user actions in the past can be reconstructed just by using readily available meta-data in a computer system.
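As an added illustration of how the three categories are used in a signature (example code written for this page, not code from the paper or from DigitalFIRE), the following Python matches a constructed timestamp signature against timestamps observed on an image: the Core values give the approximate time of the last execution, Supporting values are checked for not postdating it, and Shared values are reported as unattributable. The artifact names, the action "Run_Program_X" and the times are placeholders constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class Signature:
    """Timestamp signature of one user action, split into the three categories."""
    action: str
    core: List[str] = field(default_factory=list)        # updated on every execution, by this action only
    supporting: List[str] = field(default_factory=list)  # updated on some executions, by this action only
    shared: List[str] = field(default_factory=list)      # also updated by other user actions

@dataclass
class Detection:
    action: str
    detected: bool                 # at least one Core timestamp was present
    last_run: Optional[datetime]   # approximate time of the last execution (from Core)
    consistent: bool               # Core values agree and no Supporting value postdates last_run
    ambiguous: List[str]           # Shared timestamps present but not attributable to this action

def evaluate(sig: Signature, observed: Dict[str, datetime],
             tolerance: timedelta = timedelta(seconds=2)) -> Detection:
    """Match one signature against the timestamps observed on an image."""
    shared_seen = [k for k in sig.shared if k in observed]
    core_vals = [observed[k] for k in sig.core if k in observed]
    if not core_vals:
        # Without a Core timestamp the action cannot be placed in time; a Supporting
        # value alone only shows that the action happened at or before that value.
        return Detection(sig.action, False, None, True, shared_seen)
    last_run = max(core_vals)
    # Every Core timestamp is rewritten by the same execution, so they must agree (within tolerance).
    consistent = (last_run - min(core_vals)) <= tolerance
    # Supporting timestamps are written only by this action, so none may postdate its last execution.
    for k in sig.supporting:
        if k in observed and observed[k] - last_run > tolerance:
            consistent = False
    return Detection(sig.action, True, last_run, consistent, shared_seen)

# Constructed signature for a hypothetical action "Run_Program_X"; the artifact names are
# placeholders chosen for this example, not results from the paper.
RUN_X = Signature(
    action="Run_Program_X",
    core=["prefetch/PROGRAMX.pf:mtime", "registry/UserAssist/ProgramX:lastwrite"],
    supporting=["appdata/ProgramX/settings.ini:mtime"],
    shared=["ProgramX.exe:atime"],
)

T0 = datetime(2013, 4, 13, 10, 15, 0)

# Constructed observations: a clean run, one where a Supporting value postdates the Core
# values (contradicting the signature), and one with no Core timestamps at all.
CLEAN = {
    "prefetch/PROGRAMX.pf:mtime": T0,
    "registry/UserAssist/ProgramX:lastwrite": T0 + timedelta(seconds=1),
    "appdata/ProgramX/settings.ini:mtime": T0 - timedelta(days=3),
    "ProgramX.exe:atime": T0 + timedelta(hours=5),
}
CONTRADICTED = {**CLEAN, "appdata/ProgramX/settings.ini:mtime": T0 + timedelta(hours=1)}
NO_CORE = {"appdata/ProgramX/settings.ini:mtime": T0}

if __name__ == "__main__":
    for name, obs in (("clean", CLEAN), ("contradicted", CONTRADICTED), ("no_core", NO_CORE)):
        print(name, evaluate(RUN_X, obs))
```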

For more information, please see our article on this topic:

James, J., P. Gladyshev, and Y. Zhu. (2011) “Signature Based Detection of User Events for Post-Mortem Forensic Analysis”. Digital Forensics and Cyber Crime: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Volume 53, pp 96-109. Springer. [PDF][arXiv:1302.2395]

Image courtesy of Salvatore Vuono /


[Survey] Digital Forensic Research Workshop Europe

Originally posted by Eoghan Casey:

Survey for DFRWS Europe Conference Planning

In response to growing international interest, DFRWS is working with our European colleagues to organize a conference in Amsterdam in Spring 2014. The DFRWS Europe Conference will be held in addition to the DFRWS Conference that is held in North America every August.

To help the DFRWS grow, please complete the following survey:

Survey - DFRWS Europe Conference in Amsterdam


Social Media and Intelligence Gathering

As seen on DigitalFIRE

Online social media has changed the way many people, businesses and even governments interact with each other. Because of Twitter’s popularity and its ability to broadcast small pieces of information to a large number of people, it is an effective form of mass communication. However, the ease of communication that allows the public to freely communicate anything they wish can be used for both benefit and harm in a number of ways.

For example, in 2011 panic ensued as parents in Veracruz, Mexico rushed to pick up their children from school amongst reports of gang-related kidnapping and shootings [1]. During this time, it was reported that panic led to an increased number of car accidents and denial of service on emergency response numbers [2]. The panic, however, was based on (plausible) claims from two people who posted about the false gang-related activity on Twitter, which later went ‘viral’.

In 2012 a teen gained worldwide notoriety by asking her followers on Twitter to call the police, claiming someone broke into her home [3]. Her case was later determined to be a runaway attempt, but was not discovered before reaching the number 2 most popular worldwide topic on Twitter for that time-period [4].

And in the 2008 terrorist attacks in Mumbai, India, claims emerged that the terrorists were monitoring social media outlets to extract operational intelligence to avoid police and potentially locate more victims [5][6].

These, and other similar cases, are not necessarily new. Abuse of emergency response numbers for non-emergencies is relatively common [7][8], and is even sometimes used as a way to attempt to distract police [9][10]. But just like emergency response numbers, social media can also be used to help in many situations.

For example, many law enforcement agencies, and even some communities themselves, have been creating and advocating the use of social networks to create a ‘virtual neighborhood watch’ that can consist of crime alerts from law enforcement and the public alike [11][12][13].

Even though social media was potentially used by the 2008 Mumbai terrorists, it was also used during the attacks by the public to report the news before traditional media outlets, warn of dangerous locations, communicate to loved ones, and even help organize support services such as blood donation [14][15]. This type of public emergency coordination was again demonstrated during the 2011 Mumbai bombings, where social media was used to track the bombings as well as organize support services for victims [16].

The negative aspects of online social media have prompted some countries to consider shutting down communication infrastructure services when they can be used against the public or state [17][18], with one extreme example being the 2011 Egyptian Internet outage during riots against the government in an attempt by the government to suppress information and disrupt public coordination [19]. However, some experts believe that the benefits of social media far outweigh any potential abuse. For example, Schneier [20] claims that “[t]errorist attacks are very rare, and it is almost always a bad trade-off to deny society the benefits of a communications technology just because the bad guys might use it too”.

How social media will continue to shape the public, governments and even crime remains to be seen. However, from a law enforcement perspective, the ability to communicate with and inform a large number of citizens at a time can be invaluable during a crisis. Further, intelligence about crime and criminals can often be gained via online social media sites such as Twitter. Again, gained intelligence can be used for positive or negative purposes depending on the perspective, but nevertheless, many users and criminals are constantly producing a stream of publicly accessible data that may help investigations.

While the content of postings should normally be considered hearsay and treated with caution, analysis of the produced meta-data may provide some potentially relevant information for investigations. Several related online social networking security awareness campaigns have been created to raise awareness of the amount of personal information people are – normally unwittingly – posting.

One such site, “” (I can stalk you), pulled Geo-Tagging information from the meta-data of pictures posted on This Geo-Tagging information was then used to plot the user’s current location in real-time, and could potentially be used to track the current location and movements of a suspect, or help to place them at or near a location at the time of an incident. A more advanced, stand-alone program called “Creepy” [21] also uses the same Geo-Tagging information from many more social media outlets.

Another similar site that claims to raise awareness about over-sharing is “”, which uses Twitter, Foursquare or Gowalla check-ins with associated times to attempt to report whether the user is home or not. Similar location-tagging features now exist on many social media sites, and could potentially be used to gain intelligence about a particular user.

While location information may be relevant, perhaps an investigator needs to plan when an operation should take place. For this, the site “” may provide an analyst with the best time to find the user at home or away. uses a user’s Twitter account activity and time zone to estimate when the user is most likely to be asleep based on the time they normally do not have any twitter activity.

And finally, online social media is about social networks. Paterva’s Maltego [22] is a more advanced web mining application that can work with social network data, among others, to generate communication networks and conduct entity link analysis.

These are just some of the tools and potential intelligence that can be extracted from public sources for many users. Even without specific tools, publicly available information about a particular user can oftentimes be mined with very little skill or time investment.

Because of social networking sites such as Twitter, a large amount of potentially valuable information can be provided to – and found about – the public, businesses, Law Enforcement, governments, and even criminals. Communication technologies can benefit the world; however, the same communication channels could also be abused. With the large amount of data being generated at present, and the ability to easily communicate with a large population in near real-time, Law Enforcement should embrace social media outlets to more effectively share information, and also to receive intelligence that can help in the protection and prevention of crime.

Originally posted in the Virtual Forum Against Cybercrime Newsletter, Issue 16 [PDF]

1. Miglierini, Julian. (2011) “Mexico Twitter terrorism chargers cause uproar.” BBC News.
2. (2011) “2 Mexicans face 30 years in prison for tweets that caused panic in violence-wracked city.” NY Daily News.
3. Murphy, Samantha. (2012) “Police: Teenage Girl’s Viral Tweet Was Kidnapping Hoax.”
5. (2008) “Terrorists turn technology into weapon of war in Mumbai.”
6. Oh, Onook, Manish Agrawal, H. Raghav Rao. (2011) “Information control and terrorism: Tracking the Mumbai terrorist attack through twitter”. Information Systems Frontiers. Vol. 13. Issue 1. P. 33-43. Springer.
7. Nichols, Mike. (2008) “False 911 calls are alarmingly common.” Journal Sentinel Inc.
8. Esposito, Richard, Christina Ng. (2012) “Police: Angry Ex-Girlfriend Triggered US Airways Bomb Hoax.” ABC News.
9. FitzPatrick, Lauren. (2011) “Man pleads guilty to making fake 911 call to try to help buddy.” Sun-Times Media, LLC.
10. (2012) “Smugglers Use Fake 911 Calls to Distract Police.”
11. Catone, Josh. (2009) “Virtual Neighborhood Watch: How Social Media is Making Cities Safer.”
12. Johnson, Kirk. (2012) “Hey, @SeattlePD: What’s the Latest?” New York Times.
13. Barr, Meghan. (2009) “Neighbors Twitter, blog to keep criminals at bay.” NBC News.
14. Beaumont, Claudine. (2008) “Mumbai attacks: Twitter and Flickr used to break news.” Telegraph Media Group Limited.
15. Stelter, Brian, Noam Cohen. (2008) “Citizen Journalists Provided Glimpses of Mumbai Attacks.” New York Times.
16. Ribeiro, John. (2011) “Mumbai Uses Internet, Twitter to Cope with Terror Blasts.” IDG Consumer & SMB.
17. (2011) “British Government Considering Social Media Ban. Was China Right?”
18. Phillip, Joji Thomas, Soma Banerjee. (2012) “Government for state-specific ban on social media, asks ISPs to build embedded technology.” Bennett, Coleman & Co. Ltd.
19. Bates, Theunis. (2011) “Protesters Left in the Dark as Egypt Blocks Internet.”
20. Schneier, Bruce. (2009) “Helping the Terrorists.”


Notes on Installing Linux Mint on a Dell Inspiron 15z 5523

[Update 29/5/2013] The last several days the Banshee music player tends to crash the audio driver sometimes when skipping tracks. Ctrl+alt+backspace brings sound back without a full restart. Had no problem with Spotify crashing driver, so I assume it is a problem with Banshee itself. Everything else is still running with no problems.

[Update 13/4/2013] It has been a few weeks with Linux Mint 14 (Ubuntu-based) on my Dell Inspiron 15z 5523. From a software side, Mint is running perfectly. Except for a few extra features lacking in the Cinnamon desktop (which I am sure they will integrate sooner or later), it has been a quick, solid system all around. Battery life is about 4 hours with wireless enabled, surfing the web and listening to music.

The only complaints I have are with the hardware. First, the resolution of the display (not a touch display) is too low. For most things it is fine, but attempting to work on multiple documents is not very convenient. An external monitor could solve this.

The other problem is with the keyboard. Compared to the trackpad, the center of the main typing space (the position of the spacebar, for example) is shifted slightly to the left. The result is that, when typing, my right palm hits the trackpad often, causing the mouse to go flying across the screen, deleting text, etc. Again, not a software problem, but a hardware design problem. For anyone who types a lot with the built-in keyboard and has the trackpad enabled, it can be annoying. Again, easily solved with an external mouse and/or keyboard.

Installing Linux Mint 14 on a Dell Inspiron 15z 5523.
Disabled UEFI to boot.

Wireless works out of the box.
Intel video works out of the box.
Sound works out of the box.
Webcam works out of the box.

LAN connection not working (does not show up in network connections):
sudo apt-get install linux-backports-modules-cw-3.6-quantal-generic
After reboot, it should show up in network connections.

To be able to use the GeForce card, Bumblebee is required. This is recommended anyway because, if the driver is not installed, the battery life will be about 2 hours (about 6 hours estimated after install).
NVIDIA GeForce 650M:

In my case the bumblebeed service was not starting, so if I wanted to run optirun it would fail. Try this:

If it is asking if the service is started, try ‘sudo service bumblebeed restart’.
If bumblebee does not start on reboot, use this (last entry):

I was getting about 108fps with glxspheres, and battery estimation doubled.

Disable bluetooth by default (can turn on again if you want)

Fix huge panel icons in Cinnamon.
Right click on the panel, click panel settings, click “use customized panel size” and “allow cinnamon to scale panel text and icons…”.

I’ve not tried the sd/mmc card slots or HDMI out yet. I will update as I find anything else.


Automata Intersection to Test Possibility of Statements in Investigations

As seen on DigitalFIRE.

When conducting an investigation, many statements are given by witnesses and suspects. A “witness” could be considered as anything that provides information about the occurrence of an event. While a witness may traditionally be a human, a digital device - such as a computer or cell phone - could also help to provide information about an event. Once a witness provides a statement, the investigator needs to evaluate the level of trust he or she places in the validity of the statement. For example, a statement from a witness that is known to lie may be considered less trustworthy. Similarly, in the digital realm, information gathered from a device may be less trustworthy if the device has been known to be compromised by a hacker or virus.

When an investigator gets statements from witnesses, the investigator can then begin to restrict the possible events that happened based on the information. For example, if a trustworthy witness says she saw a specific suspect at a specific time, and the suspect claims to have been out of the country at that time, these are conflicting statements. A witness statement may not be true for a number of reasons, but the statement may be highly probable. At a minimum, when conflicting statements occur, they indicate that one or both statements should be investigated further to find either inculpatory or exculpatory evidence.

If an action happens that affects a computer system, observation of the affected data in the system could be used as evidence to reduce the possible states the system could have been in before its current state. Taking this further, if we create a complete model of a system, then without any restriction on the model any state of the system could possibly be reachable.

Computer systems can be modeled as finite state automata (FSA). In this model, each state of the system is represented as a state in the FSA. The set of all states is defined as Q. Each action that alters the state of the system can be represented as a symbol in the alphabet (Σ) of the automaton. Moving from one state to another is controlled by a transition function δ where δ: Q × Σ → Q.

In the case of an investigation of a computer system, the investigator may be able to directly observe only the final state of the system. The set of final, or accepting, states is defined as F, where F ⊆ Q. The start state (q0, where q0 ∈ Q) is likely to be unobservable, and may be unknown. Because of this, any state in the model may potentially be a start state. To account for this, a generic start state g, where g ∉ Q, can be defined. g is a generic start state with a transition to each state in Q on each input leading to that particular state. The result of this process is a model of the system that allows for any possible transition in the system that results in the observed final state from any starting state.

This FSA of the system can then be used to test statements about interactions with the system. As a very basic example, consider an FSA with only two states. The first state is the system before a program is run, when no prefetch entry has been created (!PrefetchX). The second state is after a program has been run and a prefetch entry has been created (PrefetchX). The transition symbol is defined as “Run_Program_X”. The FSA can be visualized as:

(!PrefetchX) -> Run_Program_X -> (PrefetchX)

For the sake of this example, it is known that a prefetch entry will not be created unless a program is run, so the start state is defined as (!PrefetchX). An investigator observes that in the final state of the system PrefetchX did exist, so the final accepting state is (PrefetchX).

A suspect who normally uses the system is asked whether she executed Program X, and she claims she did not. Her statement may then also be modeled in terms of the previous FSA, where any transition is allowed except “Run_Program_X”. Her statement can be visualized as:

() -> !Run_Program_X -> ()

In this statement, she is claiming that any state and transition is possible except for “Run_Program_X”. When both the system and the suspect’s statement are modeled, the FSA can be intersected to determine if the final observed state of the system is reachable with the restrictions the suspect statement places on the model. In the given example, the only possible transition to get to the observed final state is Run_Program_X. If the system model were intersected with the suspect’s statement, the final state (PrefetchX) would not be reachable because the transition that leads to the final state would not be possible. In this case, the suspect statement is inconsistent with the observed final state, and should therefore be investigated further.

This very simple example can be applied to more complex situations and models; however, a challenge with using a computational approach to model real-world systems is the very large state space that must be modeled, even for relatively simple systems.
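The intersection described above, as added example code (not code from the post or from the cited paper): the system is modelled as an automaton, the suspect’s denial as an automaton that loops on every symbol except the denied one, and the product automaton is searched for a reachable accepting state. The extra Delete_Prefetch action and the with_generic_start construction for an unknown start state are assumptions added here to show the general algorithm beyond the two-state example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Hashable, Tuple

@dataclass
class NFA:
    states: FrozenSet[Hashable]
    alphabet: FrozenSet[str]
    delta: Dict[Tuple[Hashable, str], FrozenSet[Hashable]]  # (state, symbol) -> successor states
    start: Hashable
    final: FrozenSet[Hashable]

    def step(self, q, sym):
        return self.delta.get((q, sym), frozenset())

def intersect(a: NFA, b: NFA) -> NFA:
    """Product construction: a move on a symbol exists only if both automata allow it."""
    alphabet = a.alphabet & b.alphabet
    delta = {}
    for (qa, sym), succ_a in a.delta.items():
        if sym not in alphabet:
            continue
        for qb in b.states:
            succ_b = b.step(qb, sym)
            if succ_b:
                delta[((qa, qb), sym)] = frozenset((x, y) for x in succ_a for y in succ_b)
    states = frozenset((x, y) for x in a.states for y in b.states)
    final = frozenset((x, y) for x in a.final for y in b.final)
    return NFA(states, alphabet, delta, (a.start, b.start), final)

def reachable_final(m: NFA) -> bool:
    """Breadth-first search from the start state for any accepting state."""
    seen, todo = {m.start}, deque([m.start])
    while todo:
        q = todo.popleft()
        if q in m.final:
            return True
        for sym in m.alphabet:
            for r in m.step(q, sym):
                if r not in seen:
                    seen.add(r)
                    todo.append(r)
    return False

def statement_excluding(alphabet, forbidden) -> NFA:
    """'I never did X': one state that loops on every symbol except the denied ones."""
    forbidden = set(forbidden)
    delta = {("s", sym): frozenset({"s"}) for sym in alphabet if sym not in forbidden}
    return NFA(frozenset({"s"}), frozenset(alphabet), delta, "s", frozenset({"s"}))

def with_generic_start(m: NFA, g="g") -> NFA:
    """Generic start state g: on each symbol, g moves to every state that symbol leads to."""
    delta = dict(m.delta)
    for (_, sym), succ in m.delta.items():
        delta[(g, sym)] = delta.get((g, sym), frozenset()) | succ
    return NFA(m.states | {g}, m.alphabet, delta, g, m.final)

def statement_consistent(system: NFA, statement: NFA) -> bool:
    """The statement is consistent with the evidence if the observed final state stays reachable."""
    return reachable_final(intersect(system, statement))

# Constructed system model: Run_Program_X creates the prefetch entry (as in the post); Delete_Prefetch, which removes it, is an assumption.
ALPHABET = frozenset({"Run_Program_X", "Delete_Prefetch"})
SYSTEM = NFA(
    states=frozenset({"!PrefetchX", "PrefetchX"}), alphabet=ALPHABET,
    delta={("!PrefetchX", "Run_Program_X"): frozenset({"PrefetchX"}),
           ("PrefetchX", "Run_Program_X"): frozenset({"PrefetchX"}),
           ("PrefetchX", "Delete_Prefetch"): frozenset({"!PrefetchX"})},
    start="!PrefetchX", final=frozenset({"PrefetchX"}),
)

if __name__ == "__main__":
    denies_run = statement_excluding(ALPHABET, {"Run_Program_X"})
    print("'I never ran Program X' consistent:", statement_consistent(SYSTEM, denies_run))  # False
    print("same, unknown start state:", statement_consistent(with_generic_start(SYSTEM), denies_run))  # False
```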

For a more in-depth explanation, please see Analysis of Evidence Using Formal Event Reconstruction.

[1] James, J., P. Gladyshev, M.T. Abdullah, Y. Zhu. (2010) “Analysis of Evidence Using Formal Event Reconstruction.” Digital Forensics and Cyber Crime 31: 85-98. [PDF][arXiv:1302.2308]

Image courtesy of Stuart Miles /


Encrypted backup and the importance of redundancy

As more online storage is made available, it is often convenient to store our personal documents on the web to share between devices or with friends, family, co-workers, etc. How much you trust these services is entirely up to you. There are many benefits such as convenience and accessibility, as well as drawbacks, such as privacy concerns, denial of service and others.

I have noticed that with online storage, more people are backing up their documents (consciously or not) than before online storage became so seamless. There is also an assumption that their data will be available when they want/need it. The important thing to remember, however, is that no backup solution is perfect. Be it online storage in the Cloud or backup to a local disk, there are potential risks to the access and integrity of your data.

In my case, I rarely use Cloud-based storage services. I find that I don’t always have access to an Internet connection, and many of the files I want to back up are unlikely to be accessed in the short term. Basically, I am archiving some of my data, and there is really no benefit for me to archive to the Cloud. So for backup and archiving I have two external drives that I keep synced with rsync.

Both disks use full disk encryption. I do not keep personal information or secrets per se, but in 2010 I had an unencrypted disk stolen (and miraculously recovered). When it went missing, I was not worried about the information about me that was on the disk. I found that I was more worried about the pictures and movies of my friends and family (especially my niece and nephew), and what someone could potentially do with them. It is unlikely that a thief would use the pictures, but that was still my concern.

Since then most of my data is encrypted. However, there are still potential risks to the data, which I was reminded of recently. For data backup I have a primary backup drive to which the local machine is backed up daily, and a secondary drive that gets synced from the primary weekly.

Last week my system crashed while the computer was apparently in the process of backing up. Either the encrypted device or the file system got corrupted, and the backed-up data was effectively lost. Recovery might have been possible, but I didn’t take the time to do an analysis. This is because I could just recreate the primary encrypted disk, rsync from the secondary backup, then back up the local system like normal. Without the secondary backup, my current working documents would still exist, but I would potentially lose some archived information of sentimental value.

Long story short: no matter how you decide to back up your data, if you care about the data, keep at least a secondary backup in another location. This can minimize the risks to the access and integrity of your data, since you never know what might happen.

Image courtesy of Renjith Krishnan /
