Digital Forensic Science

Digital Crime Categorization using the AFP CCPM

When attempting to gather statistics about digital crime and investigations in different countries, and sometimes on a national level, the inconsistency in categorization of different digital crimes makes measurement and analysis difficult. Looking at various digital crime categorization schemes, like those described in Casey’s Digital Evidence and Computer Crime categorization is limited to categorizing the role of the technology in the crime. Crime categorization by law enforcement, however, is based on crime type. From what I have seen, digital investigators would categorize crimes they are interested in not based on the role of technology in the crime, but the type of crime committed. The digital component seems to rarely be a factor in categorization - the digital component is assumed - but practical classification instead relies on the type of crime.

The Australian Federal Police have made available their crime categorization and prioritization model (CCPM), and to my knowledge this is the only publicly available one that I have found. If you know of another case categorization and prioritization model that is available, either publicly or for law enforcement specifically, please leave a comment or contact us. The CCPM is a good starting point for the categorization of all types of crime.

We are currently looking at applying the AFP’s model as a template for the categorization and prioritization of crime with a digital component. Prioritization is an interesting problem, that will be discussed further later. But in attempting to prioritize, it is important to have crime categories clearly and meaningfully defined. We will be working on this more over the next few days.

Update: Financial fraud category reference: http://fightfraud.nv.gov/fin_fraud_types.htm

Developing an Open Source Digital Forensics Laboratory

<div class="p1">The UCD CCI Forensic Summer School will be held here in Dublin from 20^th-30^th August, 2012. This year’s topic is the development of Open Source digital forensic laboratories.</div><div class="p1">
</div><div class="p1">You can find additional information on the summer school, including topic list and schedule. General information is available at www.cci.ucd.ie and registration for the event will remain open until Friday 29^th June.</div><div class="p1">
</div><div class="p2">To register for this event, please complete the form at http://cci.ucd.ie/content/digital-forensics-summer-school-2012

General topic areas include:</div>
<ul><li>Hardware:</li><ul><li>Computer Evidence Storage</li><li>Forensic Processing Hardware</li></ul><li>Software:</li><ul><li>Triage</li><li>Preliminary Analysis</li><li>Full Forensic Analysis</li></ul><li>Forensic Processes:</li><ul><li>Child abuse cases</li><li>Email retrieval </li><li>Chat retrieval</li><li>Fraud/Theft/Counterfeiting</li><li>Drug Case Examinations </li><li>Money Laundering Examinations</li></ul><li>Reporting on Forensic Examinations: </li><ul><li>Formulating a Triage Report </li><li>Formulating a Preliminary Analysis Report </li><li>Formulating a Full Forensic Report </li></ul><li>Exhibit and Case Management: </li><ul><li>Managing cases / updating examination results incrementally </li><li>Associating exhibits submitted for examination with individual cases </li><li>Associating forensic examination reports with cases and exhibits</li></ul></ul>

Project ATOM

Project: ATOM
<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Purpose: Digital forensic investigation process automation framework</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Status: Active</div><div class="p1" style="background-color: white; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">License: GNU GPLv3</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Developer(s): Joshua James, Martin Koopmans</div><div class="p2" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">
</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">More information:</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;"><div style="line-height: 22px; margin: 0px; outline: none; padding: 0px;">Project ATOM is a digital forensic investigation process automation framework for triage, preliminary analysis and full examination automation tasks. It is designed to be an easily extendable framework that allows expert investigators to create fully-automated investigation process models that are ran from a CD/USB device against a suspect system. Investigators can configure process models per case type to allow extraction, and possible analysis of case-type-specific data.</div><div style="line-height: 22px; margin: 0px; outline: none; padding: 0px;">
</div><div style="line-height: 22px; margin: 0px; outline: none; padding: 0px;">Project ATOM also seeks to support localization as much as possible, allowing investigators and first responders to work in their own language irregardless of the process models and tools used.</div><div style="line-height: 22px; margin: 0px; outline: none; padding: 0px;">
</div><div style="line-height: 22px; margin: 0px; outline: none; padding: 0px;">Related Publications:</div><div class="MsoNormal" style="line-height: 22px; margin: 0px 0px 0px 36pt; outline: none; padding: 0px; text-indent: -36pt;">
</div><div class="MsoNormal" style="margin: 0px 0px 0px 36pt; outline: none; padding: 0px; text-indent: -36pt;">Links:</div></div>

Automated Network Triage (ANT) / Profiler

Project: Automated Network Triage (ANT) / Profiler
<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Purpose: Client-server based triage of suspect systems for case relevance sorting</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Status: Active</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">License:
Developer(s): Martin Koopmans</div><div class="p2" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">
</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">More information:</div>ANT is a tool to conduct triage (artifact sorting) on-scene in large corporate networks. ANT is also very useful in a forensic lab to help reduce backlogs.

ANT has been developed using a client-server model, where the network clients will boot from a forensically sound Linux OS that is served by the ANT server using PXE. With ANT it’s easy to find targeted suspect data on network clients that can be centrally analyzed on the ANT server.

Profiler is an extension has been developed to get a fast overview of information on a system before starting a full investigation. Profiler parses all Windows Registry files (sam, system, software, security) and Internet files (Chrome, Firefox, Safari and Internet Explorer). Profiler reads EWF images, DD images and physical disks.

Profiler functions have been integrated into ANT.

<div style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px;">Related Publications:</div><div class="MsoNormal" style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px 0px 0px 36pt; outline: none; padding: 0px; text-indent: -36pt;">
<ul><li>Koopmans, M.B., J.I. James (2013) “Automated Network Triage”. Digital Investigation. Elsevier. ISSN 1742-2876. 10.1016/i.diin.2013.03.002.</li><li>James, J. I., M. Koopmans, P. Gladyshev. (2011, June 14). Rapid Evidence Acquisition Project for Event Reconstruction. The Sleuth Kit & Open Source Digital Forensics Conference, McLean, VA, Basis Technology. <http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/></li></ul></div><div class="MsoNormal" style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px 0px 0px 36pt; outline: none; padding: 0px; text-indent: -36pt;">Links:</div>

Goldfish

Project: Goldfish
<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Purpose: MAC OS X automated memory acquisition and analysis tool</div><div class="p1" style="background-color: white; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Status: Not Active</span>
License: GNU GPLv3</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">Developer(s): Afrah Almansoori, Pavel Gladyshev</div><div class="p2" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">
</div><div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin: 0px; outline: none; padding: 0px; text-align: justify;">More information:</div><div class="p1" style="background-color: white; margin: 0px; outline: none; padding: 0px; text-align: justify;"><div style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px;">Goldfish is a MAC OS X live forensic tool for use by law enforcement. Its main purpose is to provide an easy to use interface to dump system RAM of a target OS X machine via a firewire connection. It then automatically extracts the current user login password and any open AIM conversation fragments that may be available.</div><div style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px;">
</div><div style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px;">Related Publications:</div>
<div class="MsoNormal" style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin-left: 36pt; text-indent: -36pt;">Gladyshev, P. and A. Almansoori (2010). Reliable Acquisition of RAM dumps from Intel-based Apple Mac computers over FireWire. Second International Conference on Digital Forensics and Cyber Crime (ICDF2C). Abu Dhabi, UAE, ICST.</div><div class="MsoNormal" style="color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 22px; margin-left: 36pt; text-indent: -36pt;">
</div><div class="MsoNormal" style="margin-left: 36pt; text-indent: -36pt;">Links:</div><div class="MsoNormal" style="margin-left: 36pt; text-indent: -36pt;"></div><ul><li>Publications</li><ul><li>http://www.springerlink.com/content/l5368587354m3724/</li></ul><li>Websites</li><ul><li>DigitalFIRE Goldfish Project Page</li><li>Goldfish on Foreniscs Wiki</li></ul></ul>
</div>

REAPER Preview

Project: Rapid Evidence Acquisition Project for Event Reconstruction (REAPER) Preview
<div class="p1">Purpose: A forensic boot CD that quickly and automatically extracts a preview of a suspect system</div><div class="p1">Status: Not active (superseded by the ATOM project)
License: GNU GPLv3</div><div class="p1">Developer(s): Joshua James</div><div class="p2">
</div><div class="p1">More information:</div><div class="p1"><div style="text-align: left;">A proof of concept has been created, but has not been maintained. The source is available via the REAPER Forensics project at Sourceforge.</div></div><div class="p2">
</div><div class="p1">REAPERPreview is a bootable USB/CD that automatically extracts a preview of images, searches for keywords (based on keyword lists), and conducts hash analysis using the suspect’s hardware. The focus of the project was on conducting common digital investigation tasks as fast as possible to help make informed decisions on-scene, at an airport (customs), or even before conducting a time-consuming full analysis in a laboratory.</div><div class="p2">
</div><div class="p1">The functionality of REAPERPreview has been incorporated into the easily-configurable ATOM framework.

Links:
<ul><li>Presentation in Sleuthkit and Open Source Digital Forensics Conference 2011</li><ul><li>http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/presentations/</li></ul><li>UCD REAPER project page</li><li>REAPER Forensics Sourceforge project page</li></ul></div>