International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2): 48-76

The Society of Digital Information and Wireless Communications, 2013 (ISSN: 2305-0012)

Digital Forensic Trends and Future

Farhood Norouzizadeh Dezfoli, Ali Dehghantanha, Ramlan Mahmoud, Nor Fazlida Binti
Mohd Sani, Farid Daryabar
Faculty of Computer Science and Information Technology
University Putra Malaysia
{Farhood1990, farid0fx} @gmail.com
{alid, ramlan, fazlida} @fsktm.upm.edu.my

ABSTRACT

Nowadays, the rapid evolution of computers and mobile phones has led to these devices being used in criminal activities. Providing appropriate and sufficient security measures is difficult because of the complexity of the devices, and that same complexity makes investigating crimes involving them even harder. Digital forensics is the procedure for investigating computer crimes in the cyber world. Much research has been done in this area to help forensic investigators resolve existing challenges. This paper looks into trends in the application of digital forensics and security in various aspects and provides some estimates of future research trends in this area.

KEYWORDS

Digital forensics, Image, Memory, Security, Identification, Recovery, Investigation, Intrusion, Validation.

1 INTRODUCTION

The digital forensics process involves the collection, preservation, analysis and presentation of evidence from digital sources. With the rise of challenges in the field of forensic investigation, more interesting problems are looming on the horizon for both victims and investigators. As computers become smaller, faster and cheaper, they are increasingly being embedded inside other, larger systems, which allow information to be created, stored, processed, analyzed and communicated in unpredicted ways. Once we gathered digital evidence from monolithic, stand-alone mainframes; today we have PCs, supercomputers, distributed client-server networks, laptops and smart phones, and LANs and WANs that convey information across the world, each of which is a potential source of digital evidence. Evidence stored in a computer is not unique with regard to relevancy and materiality, but because it can be easily duplicated and modified, often without leaving any trace, and is readily available to a miscreant using another computer half a world away, its handling should be constrained by evolving legal standards that defend privacy.

In general, privacy means allowing or disallowing access to information. The code of ethics requires forensics professionals to maintain the privacy of the client. In a proper investigation of a case, depending on the sensitivity of the issue and the requirements of the result, the privacy of the client may need to be compromised.

But it is also possible that the victim organization loses trust in the forensics team. Moreover, there are organizations where any slight leakage of the issue may attract huge media attention, endangering the reputation and finally the business of the organization. In such situations, privacy rights and law enforcement's need to search and seize digital evidence during a digital forensic investigation belong together. It may also be possible that the forensics expert does not share the information with any third party but takes advantage of the client's confidential information himself, which is also a violation of the right to privacy. That is why it is the policy maker's responsibility to see the impact of forensics in the broader context of business goals and to make the hard decisions that trade off forensic capabilities against issues of privacy and, correspondingly, morale.

Key strategies for protecting privacy in digital forensics are selective revelation, strong audit and rule-processing technologies. In the present situation the dilemmas are: How do we monitor digital forensics while keeping search information secret? How do we keep private information from being improperly disclosed in the name of forensics?

The remainder of this paper comprises three sections: Section 2 narrates the data collection procedure for this review as well as the limitations of the collected data. Section 3 discusses all the collected papers and analyses the result of each paper. Finally, Section 4 concludes the paper and summarizes the overall development of technology in digital forensics.

2 CURRENT TRENDS IN DIGITAL FORENSIC

This section identifies the limitations of this work and explains the procedure of data collection.

2.1 Limitations of the Study

It is unlikely that this approach will capture the true picture of privacy protection in the current digital forensic landscape, as privacy aspects are delicate in each research specimen. The papers read are more interested in discussing the exploitation of security mechanisms and frameworks than privacy protection techniques. The number of papers is also too small to adequately sustain very significant research value. Most of the papers reviewed are too specific in their corresponding research field and purpose; it is difficult to generalize the specimens into statistical data with high accuracy. The research nature and scenarios used cannot be fully depended upon, as they are not necessarily applicable in another similar scenario. Since the publications go through a lengthy peer review process that adds a long time lag to the publication route, they are not very responsive to current security trends and issues. Hence, they tend to be a following rather than a leading indicator of information security trends. We also realize that almost all specimens are from the Elsevier journal platform, and thus there is a limitation on the availability of related research publications from other sources. We also identified another limitation, which is the lack of graphical statistical data, as most of the papers researched do not necessarily belong to statistically based research. It is not practical to add statistical assumptions based on the given articles only; rather, doing so has the

unavoidable possibility of diverting from the accurate picture of the research.

2.2 Data Collection Procedure

In this research, a passive data collection procedure is executed in three phases over 97 articles from 31 journals. We focus on statistical analysis based on trends not older than 2008 to obtain a view of recent interests in the arena of digital forensics. A wide range of well-established journals is chosen that have digital forensics as their primary focus, fulfilling both academic and business purposes.

Phase 1: Keyword Analysis. The data collection process started with keyword analysis in order to identify the focus of each article studied. We found that the keywords used by authors do not necessarily reflect the picture of the techniques and theories that are being emphasized within the timeframe of a paper. At the same time, some keywords are too generic and may not bring any significant research value unless paired with other keywords.

Figure 1 summarizes the frequency of the keywords in all the articles included in this survey. It is rather evident that the current focus of for	ensics is more towards computer, multimedia and network forensics, with 31, 24 and 22 papers focusing on those areas respectively. The 14 articles explaining present and future forensic tools and applications also receive significant focus, as these are the foundation of many digital security solutions. With the rapid development of image processing techniques, tampering with digital images without leaving any obvious trace is becoming easier; thus image forensics has evolved quickly during the last few years and has been studied in 12 papers.

Figure 1. Coverage of topics in journal papers

Phase 2: Topics Covered in the Journals. The collected keywords were then grouped into broad category topics based on their representation to

accommodate most of the topics identified in recent digital forensics, as shown in Table 1. For example, articles containing keywords like image splicing detection, edge detection, image tampering, JPEG compression and image segmentation were grouped as image forensics and fell into the broader category of multimedia forensics. Articles grouped in one category can actually fit into multiple broader categories: for example, articles with the paired keywords 'memory' and 'windows registry' and 'memory' and 'mobile phone' were both categorized as memory forensics, but the former is more suited to computer forensics whereas the latter belongs in mobile device forensics. The same strategy applies to all the other broad topics. All the topics that appear not to be part of any of the broad topics were categorized as other. This category included topics like Forensic Psychiatry, Microelectronics Reliability, Evidence Validation and Anti-forensics Approaches, to name just a few.

Table 1. Keyword categories. Columns: Computer Forensics, Mobile Device Forensics, Network Forensics, Database Forensics, Multimedia Forensics, Cloud Forensics, Other, Total (per-row counts are listed in column order with empty cells omitted).

Forensic Investigation            2   1   5   2   2   2   1    15
Forensic Tools and Applications   9   2   1   2                14
Image Forensics                   12                           12
Security Mechanism                2   1   1   2                 6
Memory Forensics                  5   1                         6
Personal Identification           1   1   1   2                 5
File Forensics                    5                             5
Artificial Intelligence           4                             4
Information Recovery              3   1                         4
Video Analysis                    1   2                         3
Cybercrime                        1   2                         3
Legal Compliance                  1   2                         3
Intrusion Detection               2                             2
Attack Trace/Pattern Analysis     1   1                         2
E-mail Investigation              1   1                         2
Incident Response                 2                             2
Forensic Vendors                  2                             2
Anti-forensic Approaches          2                             2
Network Data Analysis             1                             1
Data Integrity                    1                             1
USB Forensics                     1                             1
Evidence Validation               1                             1
Location Analysis                 1                             1
Total                             36  5   18  2   22  3   11   97

Phase 3: Results Obtained from the Journals. Individual analysis of each paper is conducted as the final data collection step. This is done by picking up a summary of each paper and giving a brief explanation of what the paper is trying to prove and the possible benefits of the publication.

2.3 Comparing Journal Results with Existing Survey Reports

A survey was conducted among experienced researchers and practitioners in the computer forensics field in 2008 during the Digital Forensics Research Workshop. Nine volunteers from the digital forensics practitioner group within the United States participated and were asked to describe the types of cases involved in their investigations [98]. The result is shown in Figure 2.

The most common digital forensic investigation cases, 77.8% of overall cases, are those that deal with a single personal computer (PC). Surprisingly, the second most common cases, 55.6% of the total, involve mobile media. The third most common cases, 44.4% of the total, involve networks, hacking and multimedia. Only a small number of cases, 11.1% of the total, are concerned with steganography and other sophisticated computer techniques. Note that the percentages add up to more than 100% because some cases involve multiple devices: for example, a cell phone, a PDA, desktop PCs and laptops may all be part of the same case.

Figure 2. The percentage of different digital forensics investigation cases [98]

3 DISCUSSION AND ANALYSIS OF RESULTS

Digital forensic investigation is a rapidly growing field of the emerging information technology era. It covers the numerous techniques by which crime in a computer system is handled, from the very lowest level, the end user, to the highest. In this paper our summarization is based on each of the keywords mentioned in the Introduction. We believe the methods are not synchronous: we compare all compiled methods, from those that have been used for ages to the newest techniques. As part of the summary we enclose the future work that we believe would be significantly important to further research.

3.1 Forensic Investigation

In a computer system, forensic investigation (F.I.) is the practice of establishing the evidence and facts to be presented in court. It may involve multiple system layers, and different network architectures demand different F.I. approaches with different levels of difficulty. In [7], the author discusses the issue of decentralized authority that makes F.I. in a cloud computing system more complex. Cloud providers differ by location, and some of them encrypt the data before delivering it to the public network.

The use of peer-to-peer software adds to the complexity of F.I. recovery. As it is capable of searching for and downloading files from or to any node/computer, it also becomes a factor in exposing company private data to attack. In peer-to-peer (P2P) F.I., the analyst has to determine the configuration parameters: password, username, log time, installation time and so on [9]. The authors also advocate the LANGuard software application to monitor P2P activities within the network.

As mobile phones become more advanced, the more vulnerable they are to attack. More smartphone users are carrying out personal private activities through the smartphone, such as online banking transactions or e-commerce. The misuse of mobile applications involves obtaining and spreading confidential information, fraud, theft, money laundering, copyright infringement and indecent images [6]. The author emphasizes the digital acquisition method for the Subscriber Identity Module (SIM), memory card and flash memory by applying a bit-to-bit copy. Copying acquisition is also discussed by the author in [80], using a hash verification process; the author proposes new Chain of Custody (CoC) software which is able to print, hold in custody and transfer any piece of evidence recorded.

During the F.I. process, it is important to maintain the privacy of honest users while the system is under investigation. In [47], the author proposes the Enhanced-Respect Private Information Not Abuser (E-RPINA) scheme to provide privacy for honest users yet accountability for the attacker.

A cloud computing system potentially involves great data exposure to security threats and privacy breaches. In addition, user activity can be traced using the audit trail process [51]. The forensic analyst has to handle the

information carefully or otherwise it might fall into the wrong hands.

Data can be encrypted in either software or hardware in order to keep it private and confidential. High demand for protecting users' personal data and files led to the introduction of the encrypted disk. In [86] the author reviews open source encryption software known as TrueCrypt. It is freely available and able to encrypt the whole partition, including the operating system files.

Nowadays more consideration is given to attack prevention processes and techniques. The monitoring and visualization of network activities is a crucial mechanism within an organization's network. In [66] the author presents the development of Enterprise Network Activities Visualization (ENAVis) as an aid to network administrators in managing and monitoring network activities. Nevertheless, computer systems are still potentially exposed to attack even when minimal information is given. User privacy is affected when users rely on encrypted traffic and believe they are securely protected. In [97] the author demonstrates an attack on the Secure Shell (SSH) and Skype software.

3.2 Forensic Tools and Applications

To run an F.I., the correct tools and software play an important role in the efficiency and effectiveness of the investigation. As P2P is widely used for sharing illicit material, the author of [67] discusses a tool to extract information from binary evidence based on Java Object Serialization (JOS) as implemented in P2P. Based on the JOS specification, personal information about users can be extracted using a tool known as AScan. However, this tool is only available to the law enforcement community. Another useful tool, known as PyFlag, renders back HTML files from network captures taken with the tcpdump program: any recorded network traffic can be captured and its content replicated. The same goes for the flash memory of a smartphone, where an application can be used to determine any related application logs and multimedia files of a user [42]. The author develops a Mobile Internal Acquisition Tool (MIAT) targeting the Symbian OS. However, because of conflicts regarding users' private information, the software is not released under an open source license.

There are special forensic tools for each operating system (OS). The introduction of Macintosh Evidence Gathering and Analysis (MEGA) describes how system analysis is implemented in Mac OS X [72]. It has great capabilities in managing and monitoring the network and can even handle the FileVault encrypted home directory. For the Linux OS, the author in [92] mentions the use of the Forensic Automated Correlation Engine (FACE) as an image analyzer of the Linux partition. It may obtain any personal information of the victim for the forensic investigator, or for unauthorized personnel.

3.3 Image Forensic

Image analysis is used in image forensics to expose information using a support vector machine with decision fusion techniques [4]. The author proposes a model that identifies the source model or device of an image by using the support vector machine approach along with decision fusion

techniques. The paper uses feature selection algorithms, in which optimal feature subsets are generated in a series of inclusion and exclusion steps, and count-based aggregation as the decision fusion algorithm. The algorithm selects the top λ features out of 43 in order to get the highest identification rate; an SVM model is trained and test images are fed into the trained model to predict the camera source model. The flowchart of the model is illustrated in Figure 3.

Figure 3. Flow Chart [4]

In [56] the author introduces an image meta-description approach suitable for different image inference applications, named progressive randomization (PR). This technique is based on perturbations of the values of the least significant bits of images, which distinguishes it from the state-of-the-art algorithms.

As imaging analysis is enhanced, [55] contributes a review of state-of-the-art image registration methods that lay the foundations for evolutionary computation and analyzes the 3D modelling of forensic objects. The paper includes different evolutionary approaches in order to represent the wide variety of techniques within the EC paradigm, and an IR method based on the classical ICP algorithm proposed by Liu. The paper reveals that the majority of EIR methods following a parameter-based approach achieve the best and most robust performance, while poor performance is obtained by the matching-based methods.

With highly advanced applications, a forensic tool is able to differentiate between fake and real images. Using multi-resolution decomposition and higher order local autocorrelations (HLACs), image features are extracted and used to determine whether an image is real or fake [23]. By virtue of the inner product lemma of higher order autocorrelation, the feature extraction and the SVM are joined and the computational complexity is decreased significantly. The paper suggests two-dimensional discrete wavelet transformation (2D-DWT), a powerful multi-resolution analysis tool. The signal characteristics can be localized in detail at different positions, orientations and scales, and the multi-resolution decomposition contains many intrinsic characteristics of natural images and fake images.

As noise degradation causes blind forgery detection methods to fail, in [9] the author proposes a model that divides a suspected image into partitions with homogeneous noise levels. However, authentic images can also contain various isolated regions with very different variations, which makes the proposed method a supplement to other forgery detection methods rather than a standalone forgery detector. The proposed method is not able to find the corrupted regions when the noise degradation is very small (σ < 2). The proposed method can be achieved by omitting the block merging step.

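To make the noise-partitioning idea of [9] concrete, the following Python program is an added example; it is not code from [9] or from this survey. It builds a constructed test image (a smooth gradient with Gaussian noise of σ = 1.0 and a block-aligned pasted rectangle carrying σ = 6.0 noise, as if copied from a noisier source), estimates the noise level of every 16×16 block with Immerkær's Laplacian-based estimator, and flags blocks whose level is inconsistent with the image-wide median. The image, the block size, the `RATIO` threshold and the function names are all assumptions made for the example; the estimator is a standard one, and the flagging rule is a simplification of the partitioning described above rather than the paper's algorithm.

```python
"""Localise a spliced region through inconsistent local noise levels.

Added example; not code from [9] or from the survey. The image is
constructed in memory: a smooth gradient carrying Gaussian noise of
sigma 1.0, with a block-aligned rectangle of sigma 6.0 noise pasted in
(as if copied from a noisier source). Per-block sigma comes from
Immerkaer's Laplacian estimator; the partition rule (flag blocks whose
sigma exceeds RATIO times the image-wide median) is a simplification of
the noise-level partitioning described in the text, not the paper's own.
"""
import math
import random
import statistics

WIDTH = HEIGHT = 128
BLOCK = 16
RATIO = 2.5  # assumed threshold: block sigma versus the median block sigma

# Immerkaer's 3x3 kernel (difference of two Laplacians). It annihilates
# constant, linear and quadratic image content, so only noise survives;
# for i.i.d. noise of sigma s the response has standard deviation 6*s.
KERNEL = ((1, -2, 1), (-2, 4, -2), (1, -2, 1))


def make_image(paste_sigma, seed=7, bg_sigma=1.0, paste=(32, 64, 32, 32)):
    """Constructed test image as a list of rows of floats: gradient plus
    noise, with a noisier rectangle at paste=(row, col, height, width)."""
    rng = random.Random(seed)
    r0, c0, h, w = paste
    img = []
    for y in range(HEIGHT):
        row = []
        for x in range(WIDTH):
            inside = r0 <= y < r0 + h and c0 <= x < c0 + w
            sigma = paste_sigma if inside else bg_sigma
            row.append(60.0 + 0.8 * x + 0.5 * y + rng.gauss(0.0, sigma))
        img.append(row)
    return img


def block_sigma(img, by, bx):
    """Noise sigma estimate for block (by, bx), using only pixels whose
    3x3 neighbourhood lies inside the block so blocks stay independent."""
    total, n = 0.0, 0
    for y in range(by * BLOCK + 1, (by + 1) * BLOCK - 1):
        for x in range(bx * BLOCK + 1, (bx + 1) * BLOCK - 1):
            acc = 0.0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    acc += KERNEL[dy + 1][dx + 1] * img[y + dy][x + dx]
            total += abs(acc)
            n += 1
    # E|N(0, 6s)| = 6s * sqrt(2/pi), hence s = sqrt(pi/2) * mean|acc| / 6
    return math.sqrt(math.pi / 2.0) * (total / n) / 6.0


def noise_map(img):
    """Sigma estimate of every block, keyed by (block_row, block_col)."""
    return {(by, bx): block_sigma(img, by, bx)
            for by in range(HEIGHT // BLOCK) for bx in range(WIDTH // BLOCK)}


def suspicious_blocks(img, ratio=RATIO):
    """Blocks whose noise level is inconsistent with the dominant partition,
    represented here by the median block sigma. Sorted list of (row, col)."""
    sigmas = noise_map(img)
    reference = statistics.median(sigmas.values())
    return sorted(b for b, s in sigmas.items() if s > ratio * reference)


if __name__ == "__main__":
    print("sigma 6.0 paste:", suspicious_blocks(make_image(6.0)))
    print("sigma 1.5 paste:", suspicious_blocks(make_image(1.5)))
```

With the strong paste the four blocks covering the rectangle are the only ones flagged. With a weak paste (σ = 1.5 against a background of 1.0) nothing is flagged: a ratio threshold loose enough to keep the background's own estimation noise from producing false positives puts a difference this small below the detection floor, which is the σ < 2 limitation noted above. A block-aligned forgery is also the easy case; a boundary that cuts through blocks smears the estimate of the straddling blocks, so in practice the method is a supplement to other detectors, as the text notes.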
In image analysis, duplicated regions with rotation can be detected and located using an efficient and robust passive authentication method [64]. It uses circle blocks and Hu moments for detection and location. In this method a Gaussian pyramid is used for decomposition and, to overcome the possible distortion caused by JPEG compression and noise contamination, the low-frequency sub-image produced is chosen. The sub-image is divided into many overlapping circle blocks, and from them the Hu moment features are extracted. Here, the circle-block mode and the Hu moments are able to eliminate the effect of rotation. We believe that new rotation-invariant features should be constructed directly on the circle region. The corresponding robust detection method should be investigated for other intermediate processing such as resizing, cropping, etc.

In order to detect image splicing, the common form of image tampering, the author in [33] proposes an approximate run-length based scheme. The proposed scheme only computes run lengths on the edge pixels, which makes it better because splicing normally introduces extra edges to the image. The method introduces a threshold t: if the absolute difference of two neighboring pixels' grayscale values is not greater than the threshold t, the two pixels are considered to be in an approximate run. We believe further research should be done on the fluctuation of grayscale values of consecutive pixels, which tends to be more dramatic in an image with complex texture and hence makes the authentic and the spliced image less distinguishable.

The extraction algorithm proposed by the author in [25] is able to extract the block artifact grids (BAG); abnormal BAGs due to interpolated or concealed objects can then be detected with a marking procedure for copy-paste operations. The author suggests that by extracting weak horizontal and vertical edges with a periodicity of 8 separately and then combining them, the BAGs are found. Image tampering operations like cropping, painting and copy-paste can be detected by BAG mismatching phenomena.

Detecting image forgery does not require any prior information about the image [20]. This paper includes all the existing surveys and references that directly deal with blind image forensics. Nevertheless, the paper implies that when leaving "ideal" lab conditions and applying the existing methods to real-life applications, higher rates of false positives are to be expected than reported. Lack of automation is another drawback of existing methods. To localize the forgery, existing methods need knowledge of the various modified regions containing inconsistencies. Many of the existing methods deal only with JPEG and compression properties. Since proving the authenticity of a picture in legal proceedings is not straightforward, an easier approach would be matching an image back to the type of device that last modified it, either hardware or software.

[71] explains how quantization tables, which are generally used for JPEG compression, can be used for image source identification, since they can identify whether images have been processed by software or not, and thus can help the forensic examiner consider only the unaltered

ones from a large volume of given pictures. For this, the author classified the quantization tables used by JPEG images into several categories that vary with camera model and software program. A software library known as Calvin was developed to identify the type of quantization table used by an image from the tables the library contains. For an excellent image forensic solution, we recommend combining knowledge of the JPEG quantization table with EXIF data, a program signature, or a color signature for real skin, which may produce excellent image analysis.

Computer generated and real images can be distinguished based on the human visual system. [38] describes a series of psychophysical experiments that used images of varying resolution, JPEG compression and color to explore the ability of observers. The experiments reveal how often an image is in fact photographic when an observer believes it to be photographic, expressed as the conditional probability P(I = photo | R = photo), where R denotes the user response and I the image category. By replacing "photo" with "CG", the conditional probability that an image is CG given that an observer says it is CG is P(I = CG | R = CG). However, the accuracies reported in the paper are a lower bound on human performance; unlike the rendering technologies of the time, observer performance can likely be improved.

To identify the source camera model of a digital image, [99] utilizes traces of the demosaicing operation in digital cameras, employing two methods and defining a set of image characteristics which are used as features in designing classifiers that distinguish between digital camera models. The paper identifies demosaicing artifacts associated with different camera models. By determining the differences in the image formation pipeline, e.g., processing techniques and component technologies, the first method in the paper tries to detect the source camera model of the image. Two methods, namely an Expectation–Maximization algorithm that analyzes the correlation of each pixel value to its neighbors, and analysis of inter-pixel differences, are used to detect and classify the traces of the interpolation operation in images. The experiment feeds the images to the classifier to verify the consistency of demosaicing artifacts; hence, the final decision is made by the classifier. It is expected that the combined method would eliminate some of the false positives due to mismatch of the reference pattern.

3.4 Security Mechanism

In [81], the author discusses the importance of computer forensics as a standard for electronic crime investigations and the expertise required. As the computer forensic field grows, the field of operation and the number and complexity of the managed cases determine the required tools and equipment. Computer forensics, in this paper, is regarded as a mechanism of prevention, compliance and assurance rather than of investigation and response.

[26] proposes information hiding techniques as an alternative to encryption. This paper uses the FAT file system as a proof-of-concept example of a covert communication medium. In the simple approach, the information to be hidden is embedded in the arrangement

of the clusters of a file. In an alternative approach, the distribution of the cover file's clusters can be used to create a covert channel. Unlike encrypted or random data, the proposed approach is undetectable.

[43] reveals that the Portable Document Format is not impervious to some privacy related issues. Two issues, how changes made to PDF documents are handled and the interactive features of PDF, are investigated in this paper. The paper shows that when trigger events like the opening or closing of documents take place, other programs might be executed or external links might be resolved without user awareness.

[57] emphasizes the build-up of technological advancement for fraud. It marks phones, especially smartphones, as a modern threat to confidentiality. The paper states that smartphones have a 'dual personality': one that is loyal to the employer's exchange server, VPN and security systems, the other which can operate on public WiFi, alternative SIM cards and other seemingly anonymous networks, as described in Figure 4.

Figure 4. The Dual Personality of Smart Phones [57]

[42] proposes a highly robust protection algorithm based on an information hiding technique known as steganography. Embedding the secret message in the first-level 2D Haar DWT with the symmetric-padding mode is the elementary concept of this paper. The Fourier transform (FFT) together with the output of the Secure Hash Algorithm 1 (SHA-1) forms a strong image encryption setting. Moreover, using the DWT gives the advantage of converting the document into compressed formats without losing details.

[33] discusses the implementation of robust watermarking with the EXIF metadata of images and integrated error-control codes for copyright protection. The proposed algorithm is a DCT-based watermarking technique with the necessary modifications for integrating with the BCH-protected EXIF metadata. For verification of the algorithm, attacks are performed by JPEG compression, low-pass filtering (LPF) and median filtering (MF).

These papers discuss methods and algorithms to secure information and increase digital privacy when sharing information.

3.5 Memory Forensic

Memory forensics examines the information captured from memory at the time the computer is seized. As less focus has been paid to extracting information from Windows drivers, a methodology to minimize the effort of analyzing these drivers is needed. [17] first describes a general methodology for reverse code engineering of Windows drivers' memory structures. The proposed process for reconnaissance and analysis is shown in Figure 5.

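The quantization-table check that [71] describes in section 3.3 above can be reproduced with a small parser. The Python below is an added example and is not the Calvin library or any code from the survey: it walks the marker segments of a JPEG, decodes every DQT table from zig-zag into natural order, and then asks whether the luminance table is exactly the JPEG Annex K standard table scaled by libjpeg's quality formula, which is the signature of a software (re-)encode. The JPEG bytes are constructed in memory (SOI, a JFIF APP0 segment, DQT, EOI, with no frame or scan data), the function names `build_jpeg`, `parse_dqt`, `ijg_quality` and `classify` are mine, and the "camera" verdict is only a placeholder for the lookup against a table database that a real deployment would need.

```python
"""Parse JPEG quantization tables and test them against libjpeg's
standard tables, as a first-pass source filter.

Added example; not the Calvin library from [71] nor code from the survey.
The JPEG bytes used below are constructed in memory: SOI, a JFIF APP0
segment, a DQT segment and EOI, with no frame or scan data, which is all
the DQT parser needs.
"""
import struct

# JPEG Annex K luminance table (natural, row-major order): the base table
# libjpeg scales by quality. Many software encoders emit it unchanged.
STD_LUMA = (
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
)


def zigzag_order():
    """Natural (row-major) index of each of the 64 zig-zag positions."""
    order = []
    for s in range(15):                       # s = row + col (anti-diagonal)
        rows = range(max(0, s - 7), min(s, 7) + 1)
        if s % 2 == 0:
            rows = reversed(rows)             # even diagonals run upwards
        for r in rows:
            order.append(r * 8 + (s - r))
    return order


ZIGZAG = zigzag_order()


def ijg_scaled(table, quality):
    """libjpeg quality scaling (jpeg_quality_scaling plus baseline clamp)."""
    quality = max(1, min(100, quality))
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return tuple(max(1, min(255, (q * scale + 50) // 100)) for q in table)


def build_jpeg(tables):
    """Constructed JPEG skeleton carrying the given 8-bit tables {id: table}."""
    out = bytearray(b"\xff\xd8")                                   # SOI
    app0 = b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HH", 1, 1) + b"\x00\x00"
    out += b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0   # APP0
    body = bytearray()
    for tid, table in tables.items():
        body.append(tid & 0x0F)                                    # Pq=0, Tq=id
        body += bytes(table[i] for i in ZIGZAG)                    # zig-zag order
    out += b"\xff\xdb" + struct.pack(">H", len(body) + 2) + body   # DQT
    out += b"\xff\xd9"                                             # EOI
    return bytes(out)


def parse_dqt(data):
    """Return {table_id: 64-tuple in natural order} from JPEG bytes. Walks the
    marker segments up to SOS (entropy-coded data follows it); raises
    ValueError on malformed input instead of guessing."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    tables, pos = {}, 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI or SOS: stop
            break
        if marker == 0xFF or 0xD0 <= marker <= 0xD8 or marker == 0x01:
            pos += 1 if marker == 0xFF else 2      # fill byte / standalone
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        seg = data[pos + 4:pos + 2 + length]
        if len(seg) != length - 2:
            raise ValueError("truncated segment 0x%02X" % marker)
        if marker == 0xDB:
            i = 0
            while i < len(seg):
                precision, tid = seg[i] >> 4, seg[i] & 0x0F
                width = 2 if precision else 1      # Pq=1 means 16-bit entries
                raw = seg[i + 1:i + 1 + 64 * width]
                if len(raw) != 64 * width:
                    raise ValueError("short DQT table %d" % tid)
                vals = [raw[k] if width == 1 else
                        struct.unpack(">H", raw[2 * k:2 * k + 2])[0] for k in range(64)]
                natural = [0] * 64
                for zz, nat in enumerate(ZIGZAG):
                    natural[nat] = vals[zz]
                tables[tid] = tuple(natural)
                i += 1 + 64 * width
        pos += 2 + length
    return tables


def ijg_quality(table):
    """Quality at which libjpeg's scaled STD_LUMA equals `table`, else None."""
    for q in range(1, 101):
        if ijg_scaled(STD_LUMA, q) == tuple(table):
            return q
    return None


def classify(tables):
    """Coarse source hint from the luminance table (id 0)."""
    luma = tables.get(0)
    if luma is None:
        return "no luminance table"
    q = ijg_quality(luma)
    if q is not None:
        return "standard libjpeg table at quality %d: software-encoded" % q
    return "non-standard table: candidate for camera signature lookup"


if __name__ == "__main__":
    print(classify(parse_dqt(build_jpeg({0: ijg_scaled(STD_LUMA, 75)}))))
```

On a real file the parse stops at SOS, so only the header is read. The interesting case is a table that matches no libjpeg quality: that is where a signature database is needed, and a camera-style table paired with software-style EXIF fields is exactly the cross-check recommended above.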
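As an added example of the cluster-arrangement channel attributed to [26] in section 3.4 above (my own toy encoding, not the paper's scheme and not its code), the Python below stores a cover file on an in-memory FAT-style volume and chains its clusters so that each link encodes one bit: 1 if the next cluster number is higher than the current one, 0 if lower. The `ToyFat` volume, the cluster size, the function names and the examiner-side `descent_ratio` heuristic are all assumptions made for the example.

```python
"""Hide a message in the order in which a file's clusters are chained
in a FAT-style table.

Added example of the cluster-arrangement idea attributed to [26]; the
encoding (bit = whether the next cluster number is higher or lower than
the current one) is my own simplification, not the paper's scheme. The
volume is an in-memory toy: a FAT as a list of next-cluster values, a
sorted free-cluster pool and a data area.
"""

CLUSTER = 16                 # bytes per cluster (tiny, for the demo)
FREE, EOC = 0, 0x0FFFFFFF    # FAT32-style markers: free / end of chain


class ToyFat:
    def __init__(self, clusters=64):
        self.fat = [FREE] * clusters             # next-cluster table
        self.data = {}                           # cluster -> bytes
        self.free = sorted(range(2, clusters))   # clusters 0 and 1 are reserved

    def _take(self, cluster):
        self.free.remove(cluster)
        return cluster

    def write_file(self, payload, bits):
        """Store payload; chain its clusters so that cluster i+1 > cluster i
        exactly when bits[i] == 1. Returns the first cluster number."""
        chunks = [payload[i:i + CLUSTER] for i in range(0, len(payload), CLUSTER)]
        if not chunks:
            raise ValueError("empty payload")
        if len(bits) > len(chunks) - 1:
            raise ValueError("file too small: %d clusters carry %d bits"
                             % (len(chunks), len(chunks) - 1))
        bits = list(bits) + [1] * (len(chunks) - 1 - len(bits))  # pad ascending
        # start in the middle of the pool so both directions stay available
        first = cur = self._take(self.free[len(self.free) // 2])
        self.data[cur] = chunks[0]
        for chunk, bit in zip(chunks[1:], bits):
            if bit:
                cand = [c for c in self.free if c > cur]
                nxt = cand[0] if cand else None      # lowest free above
            else:
                cand = [c for c in self.free if c < cur]
                nxt = cand[-1] if cand else None     # highest free below
            if nxt is None:
                raise ValueError("no free cluster in the required direction")
            self._take(nxt)
            self.fat[cur] = nxt
            self.data[nxt] = chunk
            cur = nxt
        self.fat[cur] = EOC
        return first

    def chain(self, first):
        out, cur = [], first
        while cur != EOC:
            out.append(cur)
            cur = self.fat[cur]
        return out

    def read_file(self, first):
        return b"".join(self.data[c] for c in self.chain(first))

    def hidden_bits(self, first):
        ch = self.chain(first)
        return [1 if b > a else 0 for a, b in zip(ch, ch[1:])]


def bits_from_bytes(b):
    return [(byte >> (7 - i)) & 1 for byte in b for i in range(8)]


def bytes_from_bits(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, whole, 8))


def descent_ratio(chain):
    """Examiner heuristic (mine, not from [26]): a first-fit allocator on a
    lightly fragmented volume rarely produces descending links."""
    links = list(zip(chain, chain[1:]))
    return sum(1 for a, b in links if b < a) / len(links) if links else 0.0


def roundtrip(payload, bits, clusters=128):
    """Write payload with hidden bits, then read the file and the bits back."""
    vol = ToyFat(clusters)
    first = vol.write_file(payload, bits)
    return vol.read_file(first) == payload, vol.hidden_bits(first)


def demo():
    cover = bytes(range(256)) * 2             # constructed 512-byte cover file
    secret = b"hi"                             # 16 bits; 32 clusters carry 31
    vol = ToyFat(clusters=128)
    first = vol.write_file(cover, bits_from_bytes(secret))
    assert vol.read_file(first) == cover       # cover file is byte-identical
    recovered = bytes_from_bits(vol.hidden_bits(first)[:16])
    return recovered, descent_ratio(vol.chain(first))


if __name__ == "__main__":
    print(demo())
```

The cover file's bytes are untouched, which is the point of the technique: nothing inside the file or the FAT carries random-looking data. The `descent_ratio` function is a reminder that the chain itself is still evidence: a heavily fragmented chain on an otherwise unfragmented volume is worth a second look even though the content is clean.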
Figure 5. Methodology for reversing drivers [17]

Modern Windows operating systems aggressively cache file data in memory. Current forensic tools and techniques, however, do not take mapped-file information into account. [49] describes a method for recovering files mapped in memory and linking mapped-file information to process data. It discusses three methods for recovering files from memory: allocated file-mapping structures, unallocated file-mapping structures and unidentified file pages.

[5] proposes an automated system to support the live memory dynamic properties analysis of mobile phones for interactive applications, as depicted in Figure 6. The paper describes the experiments and presents the results on identifying the memory region of a process where the message exchange can be observed, and on investigating the cached data and the persistency of volatile evidence data.

Figure 6. System Overview [5]

[54] analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test environment which allows obtaining a time series of physical memory images and allocations from the non-paged pool.

[14] describes an algorithm to locate paging structures in a memory image of an x86 platform running either Linux or Windows XP, which can be used to find potential processes. The first pass of the algorithm searches the potential page directory for kernel mappings. The second pass of the algorithm inspects the potential page directory by (0e767) entries.

[90] exhibits a technique that enables full access to the registry data cached in memory and shows that there are attacks that cannot be detected without examining the registry in memory. To counter such attacks, the paper recommends collecting registry data from both RAM and the hard drive.

These papers propose and analyze methods and techniques to extract data hidden in memory and to investigate attacks by examining memory, strengthening the digital privacy of data.

3.6 Personal Identification

[58] proposes a recognition scheme, different from traditional ones, that starts with the

dynamic partition of the noise-free iris into disjoint regions from which MPEG-7 colour and shape descriptors are extracted.

[18] presents an automated system for shoe model identification from outsole impressions taken directly from a suspect's shoes, which can provide information in a timely manner. Once a Maximally Stable Extremal Region is identified as robust and highly repeatable, it is detected as a match. After detection, the paper employs the Scale Invariant Feature Transform feature descriptor to encode the appearance or properties of the local features.

[74] proposes a stochastic vision model based on Markov Random Fields (MRF). The model employs a skin model and a human affine-invariant geometric descriptor. For skin detection, the paper proposes the use of CIE-Lab due to its popularity in some real-world application domains. In addition to the CIE-Lab colour space, the proposed skin model employs texture, another low-level feature.

[73] suggests that, with developing technologies in the internet era, it is problematic to prove beyond doubt that an individual suspected of a crime committed it on the basis of technology. The paper looks for the reasons that affect proof of identity and what makes it difficult to identify a crime suspect. The diversity of devices has put increasing pressure on an already limited resource, and malicious software and vulnerable authentication credentials make it difficult for a forensic investigator to determine who breached a system.

[53] proposes an Automated Impersonator Image Identification System (AIIIS) that allows investigators to track down impersonator attackers. AIIIS uses a combination of dynamic fingerprinting and spread-spectrum data hiding.

These papers present systems and techniques of personal identification for protecting authentication information and investigating impersonation.

3.7 File Forensics

As mentioned in [22], "in the file system FAT-32 the route table entry with the file name will point to the first cluster of the file, which in turn will point to the next cluster and so on until the last cluster of the file". When a file is deleted, only the file's entry is removed from the table, not the actual content, which remains in several clusters on the storage device. Recovery then retrieves the file from the unallocated space declared by the file system. The authors note that the main problem in recovering a file in digital forensics is that file carvers still fail to recover fragmented files. In [19], the author compared two published techniques for recovering a fragmented file, Bifragment Gap Carving (BGC) and the Parallel Unique Path (PUP) technique.

The author discusses the process of information concealment in [15]. The method described utilises the trash sector space (slack space in allocated sectors) and empty space (unallocated sectors) of MS Office files. The author shows how to conceal information in a file based on its format, and also demonstrates the detection of concealed information in an MS Word file with a C# program they wrote, which detects the concealed information by analysing unknown relationships in the file.

[37] discusses the method to perform forensic analysis. The issues

highlighted by the author concern whether visual analysis of a file in forensic analysis is a new or an old trend. The article mainly discusses how the content of a file can be identified by looking at its graphical representation and how much time this can save investigators who need to analyse a large number of files. The privacy issues mentioned in this article are minimal if the method is used by authorised persons.

[87] highlights the importance of visual forensics, which may help investigators identify the important files in their list of evidence. The author describes how a single string embedded in an image, visible only through slight differences in image brightness, may cause an investigator to exclude the image from further forensic analysis. The article also mentions that by using different colours to represent different behaviours in the content of an HTTP session log file, a forensic investigator could easily identify the protocol used and the destination and source of a packet.

In [93], the authors investigate two types of algorithm to predict the type of a fragmented file and illustrate the results of implementing both. The paper demonstrates the algorithms as a proof of concept rather than a practical application, because several aspects still need to be considered before the algorithms can be implemented in practice.

These papers help investigators working in file forensics to face issues with digital privacy.

3.8 Artificial Intelligence

The objective of the author in [82] is to introduce an open source tool for analysing file systems that allows investigators to work on the same shared cases, reducing the workload and expediting results. The GUI features, administrator options and main features of the system are discussed in the paper.

[69] discusses the applications of probabilistic graphical models and focuses on the class of optimisation methods that use probabilistic graphical models to organise the search over a search space. The paper presents Estimation of Distribution Algorithms (EDAs), evolutionary algorithms based on the assumption that it is possible to build a probabilistic model of the search space that can be used to guide the search for the optimum, where the construction of this probabilistic model is the crucial step.

The discussion in [2] concerns the limitation of classical forensic reporting, which provides only "identification" or "exclusion/elimination" decisions, and a way around this limitation. The analysis does not infer the identity of the probe but gives the likelihood ratio for the two competing hypotheses. In a forensic engine the likelihood ratio serves as an indicator of the discriminating power, so it can be used in assessing authentication performance.

[95] describes the need for training in digital forensics and briefly describes a virtualised training platform for network defence and computer forensics, the Cyber Defense Trainer (CYDEST), shown in Figure 7.
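
The fragment-type prediction surveyed under [93] above, as an added example that is not the paper's own code: two simple predictors for the type of a header-less file fragment, trained and tested on constructed 512-byte fragments. Predictor 1 is nearest-centroid on three cheap statistics (Shannon entropy, printable-byte ratio, zero-byte ratio) after z-scoring; predictor 2 is cosine similarity between the fragment's byte histogram and each class's mean histogram. The three classes, the pangram sentences, the SHA-256 chain standing in for compressed/encrypted data and the 90% zero padding are all assumptions for illustration.

```python
"""Added example (not the algorithms of [93]): predicting the type of a file
fragment from its byte statistics. Training and test fragments are constructed."""
import hashlib
import math
from collections import Counter

FRAG = 512  # fragment size in bytes (assumption: one sector)


def entropy(frag):
    """Shannon entropy in bits per byte."""
    n = len(frag)
    return -sum(c / n * math.log2(c / n) for c in Counter(frag).values())


def stats(frag):
    """Three features that separate text, random-like and padded data."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in frag)
    return [entropy(frag), printable / len(frag), frag.count(0) / len(frag)]


def histogram(frag):
    h = [0.0] * 256
    for b in frag:
        h[b] += 1.0 / len(frag)
    return h


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v)))


class FragmentClassifier:
    """Two predictors over the same labelled fragments."""

    def __init__(self, labelled):
        self.classes = sorted({c for c, _ in labelled})
        feats = [stats(f) for _, f in labelled]
        self.mean = [sum(col) / len(col) for col in zip(*feats)]
        self.std = [math.sqrt(sum((x - m) ** 2 for x in col) / len(col)) or 1.0
                    for col, m in zip(zip(*feats), self.mean)]
        self.centroid, self.mean_hist = {}, {}
        for c in self.classes:
            members = [f for lab, f in labelled if lab == c]
            zs = [self._z(stats(f)) for f in members]
            self.centroid[c] = [sum(col) / len(col) for col in zip(*zs)]
            hs = [histogram(f) for f in members]
            self.mean_hist[c] = [sum(col) / len(col) for col in zip(*hs)]

    def _z(self, feat):
        return [(x - m) / s for x, m, s in zip(feat, self.mean, self.std)]

    def predict_centroid(self, frag):
        z = self._z(stats(frag))
        return min(self.classes, key=lambda c: math.dist(z, self.centroid[c]))

    def predict_histogram(self, frag):
        h = histogram(frag)
        return max(self.classes, key=lambda c: cosine(h, self.mean_hist[c]))


# Constructed fragment generators (stand-ins for carved sectors).
def random_like(seed, n=FRAG):
    """Deterministic high-entropy bytes, like compressed or encrypted data."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def text_like(sentence, n=FRAG):
    return (sentence * (n // len(sentence) + 1)).encode()[:n]


def padded(seed, n=FRAG, fill=0.9):
    """A short binary record followed by zero fill, like a slack-padded sector."""
    body = n - int(n * fill)
    return random_like(seed, body) + bytes(n - body)


TRAIN = (
    [("text", text_like(s)) for s in (
        "The quick brown fox jumps over the lazy dog. ",
        "Pack my box with five dozen liquor jugs. ",
        "Sphinx of black quartz, judge my vow. ")]
    + [("random-like", random_like(s)) for s in ("k1", "k2", "k3")]
    + [("padded", padded(s)) for s in ("p1", "p2", "p3")]
)
CLF = FragmentClassifier(TRAIN)
HELD_OUT = {  # never seen during training
    "text": text_like("How vexingly quick daft zebras jump! "),
    "random-like": random_like("unseen"),
    "padded": padded("unseen"),
}

if __name__ == "__main__":
    for label, frag in HELD_OUT.items():
        print(label, "->", CLF.predict_centroid(frag), CLF.predict_histogram(frag))
```

Both predictors agree on these three coarse classes; they stop agreeing on the cases the paper flags as the reason the work is a proof of concept, such as telling a JPEG fragment from a ZIP fragment, where both look random-like and the histogram needs many more training fragments per type.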

Figure 7. CYDEST Architecture [95]

It uses virtual machines to provide tactical-level exercises for personnel such as network administrators, first responders and digital forensics investigators.

These papers describe methods and techniques for virtualisation of digital forensics to help prevent cyber attacks.

3.9 Information Recovery

Information recovery is one of the important processes in digital forensics. Evidence of a crime may reside in a deleted email, so a proper technique should be used to recover the information without changing the original content of the email. As mentioned by John Shaw et al., the solution for recovering deleted email is to reverse-engineer how the email was deleted. The email may have been deleted manually by the user or the criminal to remove evidence, or in some cases the database may have been corrupted or hacked by unauthorised personnel. To recover the removed email, the recovery process is performed from the vendor side, which can provide a backup plan called Cached Exchange Mode. The data must be synchronised to the server: the deleted email remains deleted until someone tries to bring it back, when the machines or servers get synchronised together. The second method is the parents and orphanage method, which recovers the email based on the type of file or software used, for example Microsoft Outlook. The email can be recovered by looking at the email history for a particular period, since the Windows deletion method depends on a 'flag'.

The second issue is recovering a password-protected account or system in an organisation. Khawla et al. discussed in paper [53] how to generate an individual-related electronic profile and recover the password-protected account or system, saving time. There are several methods that can be used to recover the password: a complex method like recovering it from Random Access Memory (RAM), or even social engineering. Social engineering is proven to be an effective method of obtaining the password of a password-protected system or machine; it exploits the vulnerability of the human factor. Individual behaviour also plays an important part in password recovery, as some people share the same password with their colleagues for different machines. Passwords can also be recovered using software like PRTK, John the Ripper, L0phtCrack, Cain & Abel and Paraben's Decryption Collection; all of these can also be used in brute-force attacks.

The privacy issue related to this topic is that investigators who perform information recovery must not keep interesting data that is not relevant to the case for their own agenda. For example, the recovered password used by the user may give access to different machines or accounts that use the same password. If the password is used for a purpose

other than evidence recovery, it may violate the user's privacy.

3.10 Video Analytics

There are many tools that can be applied to aid digital forensic analysis, whether software or hardware. Some manufacturers, like Samsung, provide devices like a digital video recorder (DVR) to perform analysis in imaging digital forensics [48]. The device is designed with two separate hard disks, for recording and for testing respectively, which also minimises the errors that occur during a video forensic investigation. The device compresses the recorded video in MPEG-4 format and stores it in a video file; furthermore, it can transfer the video to a PC (Samsung 2005) over a real-time connection.

The investigation of recorded video can refer to the time and date shown on the image display. The primary and secondary hard disks are divided into three partitions. The first partition, "ect", is used to store the event and system log files. The second partition is the "bin" directory, which contains the operating system executable files. The third partition is the "root" directory, used for bookkeeping files such as ".db" and ".eve" files. The history of logged files is therefore recorded on the hard disks accordingly. In addition, Closed Circuit Television (CCTV) is also an effective way of providing images for a digital forensics investigation [59]. The video data is extracted before it can be accessed through the manufacturer's application software. The image is stored on the CCTV disk as well as on the digital video recorder. However, the disk must not be overloaded with data in order to provide the best result for the initial investigation.

The papers in this topic contain privacy issues related to the structure of the hard disk. The information about the structure may be copyrighted information that should be available only on the manufacturer's side and not to other parties. The history in the log file may reveal user activity that is private to the user and should not be accessible to other persons.

3.11 Cybercrime

The author describes the Strategy of Triple-E (SeTO) method for solving the trojan defence in cybercrime in [28]. It is used to defend the computer from any risk of trojan effects. Trojans can be used to track the password of a machine, and the result kept in the log history on the server cannot be trusted to hold the best data or information. Computer/cyber/IT forensics helps the examiner to investigate and uncover data that may not be immediately obvious. The author proposes an M-N method, where M is the path and N is the period between login and logout. In the evidential part, the collected data must be handled with care so that it will not cause any problem in court. The company or organisation must have a well-structured policy for employment and email management, which may protect the company network from being attacked by intruders. If the email is saved on the computer, the email comes together with the header details (date, sender, subject etc.). If emails are investigated as a disciplinary measure, the organisation/company should abide by the applicable law.
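
The header details just mentioned (date, sender, subject) are what an examiner actually works from when building a timeline of an e-mail conversation, so here is an added example of extracting them from saved messages; it is not code from [28] or from any paper cited on this page. The three messages, the addresses and the hostnames are constructed for illustration. The example normalises every Date header to UTC before sorting (a reply sent from a machine in a different time zone would otherwise land in the wrong place), builds a who-wrote-to-whom count from the From/To headers, and flags a reply whose Date header precedes the message it replies to, which is the kind of inconsistency that points at a skewed clock or a forged header.

```python
"""Added example (not from the page's sources): turning the header details of
saved e-mails into a UTC timeline and a correspondence graph.
All three messages are constructed; example.test is not a real domain."""
import email
from collections import Counter
from datetime import timezone
from email.utils import getaddresses, parsedate_to_datetime

# Constructed .eml-style messages (not real mail).
RAW_MESSAGES = [
"""From: alice@example.test
To: bob@example.test
Subject: Q3 numbers
Date: Tue, 05 Mar 2013 10:20:00 +0000
Message-ID: <m1@example.test>

Bob, please send the draft before the audit.
""",
"""From: bob@example.test
To: alice@example.test, carol@example.test
Subject: Re: Q3 numbers
Date: Tue, 05 Mar 2013 04:05:00 -0500
Message-ID: <m2@example.test>
In-Reply-To: <m1@example.test>

Attached. Carol, delete the old copy from the share.
""",
"""From: carol@example.test
To: bob@example.test
Subject: Re: Q3 numbers
Date: Mon, 04 Mar 2013 23:55:00 +0000
Message-ID: <m3@example.test>

Done already.
""",
]


def parse(raw):
    """Pull the header fields an examiner needs into a plain dict."""
    msg = email.message_from_string(raw)
    sender = getaddresses([msg["From"]])[0][1]
    recipients = [addr for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return {
        "id": msg["Message-ID"],
        "reply_to": msg["In-Reply-To"],          # None when absent
        "when": parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc),
        "from": sender,
        "to": recipients,
        "subject": msg["Subject"],
        "body": msg.get_payload(),
    }


def timeline(messages):
    """Event-based view: messages ordered by their UTC send time."""
    return sorted(messages, key=lambda m: m["when"])


def correspondents(messages):
    """Who wrote to whom, counted over all messages."""
    edges = Counter()
    for m in messages:
        for r in m["to"]:
            edges[(m["from"], r)] += 1
    return edges


def keyword_hits(messages, keywords):
    """Content-based view: IDs of messages mentioning any keyword."""
    return [m["id"] for m in messages
            if any(k.lower() in (m["subject"] + " " + m["body"]).lower()
                   for k in keywords)]


def replies_before_original(messages):
    """IDs of replies whose Date precedes the message they reply to."""
    by_id = {m["id"]: m for m in messages}
    return [m["id"] for m in messages
            if m["reply_to"] in by_id and m["when"] < by_id[m["reply_to"]]["when"]]


MESSAGES = [parse(r) for r in RAW_MESSAGES]

if __name__ == "__main__":
    for m in timeline(MESSAGES):
        print(m["when"].isoformat(), m["from"], "->", ", ".join(m["to"]), m["subject"])
    print("edges:", dict(correspondents(MESSAGES)))
    print("mentions 'delete':", keyword_hits(MESSAGES, ["delete"]))
    print("suspicious replies:", replies_before_original(MESSAGES))
```

On these messages the sorted timeline is m3, m2, m1: the -0500 Date on m2 converts to 09:05 UTC, earlier than the 10:20 UTC message it claims to answer, so m2 is flagged. The same header parsing is the first step of the event-based analysis described under Legal Compliance below, and the keyword pass is the crudest form of the content-based analysis.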

3.12 Legal Compliance

Computer forensics investigation includes the legal aspects of handling computer forensics as well as e-mail forensic investigation, including the creation and implementation of laws or acts and the involvement of management in the relevant computer forensic investigation. In [10] the author discusses the implementation of computer forensic and e-mail forensic investigation in the United States. Generally, the aim of a computer forensic policy is to protect the organisation, its private data and its employees.

A corporate computer policy should ideally cover the installation of unauthorised software on employee machines, including digital portable storage devices, and also home use of the corporate network. The IT manager should implement the policy precisely in order to allow or restrict which websites can be accessed from the internal network. It may be very hard to control and manage portable storage devices and home use of the corporate network; however, the computer forensic policy should cover this level of application to ascertain the organisation's parameters during any misuse. Moreover, sensitive company information can be at particular risk from home-based computers or any portable device. The author states that the security of home-based computers could be increased if the company policy included appropriate rules and standards such as changing the password regularly, disabling USB ports and using the office machine to prevent spyware.

Paper [11] describes the legal actions involved in an email investigation approach. The email investigation activities gather all the information sent through an email conversation regarding a criminal activity. The forensic handler can gain information about the event and the people or organisation involved, which can be the biggest evidence brought to court. It also involves email recovery methods. Basically, there are two types of technique employed in investigating email: content-based analysis and event-based analysis.

Content-based analysis requires the examiner to read the content of the e-mail and find the critical information inside; it provides rich information about the whole picture of the crime. Event-based analysis requires the examiner to establish the time and date at which an e-mail was sent from one person to another; it can provide a pattern of who the persons involved in the specific crime are.

These papers provide a discussion of the boundaries, from the legal perspective, of the digital forensic area, which also relate to the privacy of users.

3.13 Intrusion Detection

Even though wireless communications are good at providing mobile internet access to users, they are still vulnerable and easily exposed to interception by an eavesdropper along the path of transmission. Security mechanisms such as Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA) are not sufficiently capable of providing guaranteed security in wireless communication. Tools based on clock skew and clickprints are able to provide information about the IP addresses or websites that the user browses the most. The user identity, including the Medium Access Control (MAC) and IP address, is not

sufficiently protected when using the wireless transmission medium. This information is captured using tools like Wireshark and tcpdump, while the WiGLE.net tool is able to track the location from which the Access Point device is logging.

On the other hand, network traffic can be investigated through monitoring methodologies that are able to analyse and access network performance [12]. The monitoring mechanism can use either wired or wireless techniques. A wired monitoring system is connected to a sniffer, which illegally accesses the network through a wired connection to any machine and collects network traffic information. Furthermore, the network can be monitored using Simple Network Management Protocol (SNMP) statistics. In a wireless network, the monitoring behaviour is more sensitive to physical information; it is deployed with a portable mechanism that allows users mobile access. The Access Point must be carefully organised with appropriate authorisation by the network administrator. In order to detect any unauthorised AP in the network, an advanced monitoring fingerprint scheme based on a 4-tuple is suggested. Furthermore, misbehaviour at the MAC layer can be detected by compromising the protocol parameters. In conclusion, network traffic analysis can be diagnosed using the user fingerprinting technique. The intrusion detection system might also expose users' private information travelling on the network. In the hands of an authorised person the privacy issues are not as severe as when the system is controlled by an unethical person, who might use the private information available in the system in a way that violates users' privacy.

3.14 Attack Trace/Pattern Analysis

Collecting a huge amount of data can be a tough procedure for a cyber forensic practitioner during an investigation. An appropriate framework for data collection is discussed in [50]. There are a few methods that can be implemented, but the one chosen is graph-based clustering. The experiment was carried out by placing 44 honeypot sensors in different locations using different IP addresses. The graphical illustration of the results uses Symbolic Aggregate Approximation (SAX). Based on the graph, it showed that the attacks came in small traffic volumes [53]. To be flexible in the analysis, the analyst plugs different applications into the machine; the more flexible the machine, the more malicious attacks can be investigated. The framework mentioned in the paper includes a certain flexibility that allows analysts to plug in different feature vectors and appropriate similarity metrics to be used in the clustering step, depending on the attack features they might find relevant to investigate. The contribution is being able to draw knowledge out of honeynet data by discovering attack patterns via attack trace similarity, rather than via a rigid signature.

The relationship between this topic and privacy issues is that the investigator must maintain ethical behaviour while performing analysis of the patterns/traces in the collected data, because some of the data contains private information that belongs to other users and not to the attacker.

3.15 E-mail Investigation

In [56], the author describes the method to recover data or email lost

in a digital forensic investigation. The fastest method is reverse engineering of how the email was deleted (the Exchange server was corrupted, the laptop was deliberately crashed). Evidence of a lost file in email must be handled with care, since the file can be very fragile. It is important to establish the authenticity of an electronic file or email in the organisation. An incident handler is able to discover evidence that is 'buried' within temporary files, replicated files, swap files, other system-created files or a computer's unallocated space. The task is performed through thorough searches of storage media for previously deleted or erased documents, parts of documents or drafts of documents. Parts of a document may consist of private data irrelevant to the crime; therefore, the investigator must differentiate and prioritise the content to avoid any privacy issue.

3.16 Incident Response

The incident responder is the main body for recovering the cyber forensic investigation of a company or organisation, and the level of complexity depends on the size and nature of the company. Paper [78] discusses the responsibilities of an incident responder, who may carry out planning, preparation and management of incidents in networks, systems, mobile devices or even cloud computing. Planning and preparation involve drafting guidelines and developing training programmes. The incident responder educates the internal workers about security on the network and regularly monitors whether the workers keep following the network security rules and approach. Education may take the form of an email message or even a workshop programme. Besides that, they should provide internal consultation on matters of a technical nature. From time to time, they are responsible for executing computer forensic tasks throughout the digital evidence management process. In order to have an up-to-date view of hacking vulnerabilities, the incident response team has to support the analysis of the company's IT and network architecture [81].

Incident response can be handled using technological alternatives locally or remotely. The most important issue during an investigation is the availability of the required media. To resolve this kind of problem, some IT vendors implemented an agent-based architectural approach to allow access at multiple levels of authenticity, from the most volatile data to the most static data [88]. For low-cost forensic investigation, remote forensics is applicable without requiring agent-based analysis. The cost of remote forensics is very low and it is currently available with the iSCSI standard, which allows read-only access to the targeted machine. The most common medium for running remote forensics is a VPN network. Some vendors develop interesting agent-based architectural solutions to allow multiple accesses to the target machine. With the high demand in today's network security implementation, organisations hire incident responders to apply the best evidence collection and preservation practices. Therefore, the income of incident responders should be matched by their responsibility to avoid any illegal action, like gathering private data of the company or other employees, that would lead to a violation of privacy.
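
The clustering step described for [50] under Attack Trace/Pattern Analysis above, as an added example that is not the framework's own code: a small set of constructed honeypot traces is clustered by attack-trace similarity with pluggable feature extractors and similarity metrics. Two features are plugged in here, the set of targeted ports (Jaccard similarity) and a SAX word for the hourly volume shape (one minus the normalised Hamming distance), combined by weights; single-linkage clustering then links any pair above a threshold. The six traces, their source addresses (documentation ranges), the weights, the threshold and the SAX parameters (six segments, alphabet of three letters with the usual Gaussian breakpoints at +/-0.43) are assumptions.

```python
"""Added example (not the framework of [50]): clustering attack traces by a
pluggable combination of feature extractors and similarity metrics, with a
SAX word summarising each trace's hourly volume shape. All data constructed."""
import math

# Constructed honeypot traces: source, targeted ports, hourly packet counts for one day.
TRACES = {
    "A1": {"src": "198.51.100.7", "ports": {22, 23, 2323}, "hourly": [1] * 16 + [10] * 8},
    "A2": {"src": "203.0.113.42", "ports": {22, 23, 2323}, "hourly": [2] * 16 + [20] * 8},
    "A3": {"src": "198.51.100.9", "ports": {22, 23}, "hourly": [0] * 16 + [5] * 8},
    "B1": {"src": "192.0.2.15", "ports": {80, 443}, "hourly": [0] * 8 + [5] * 8 + [0] * 8},
    "B2": {"src": "192.0.2.77", "ports": {80, 443, 8080}, "hourly": [0] * 8 + [12] * 8 + [0] * 8},
    "C": {"src": "203.0.113.99", "ports": {3389}, "hourly": [5] * 8 + [0] * 16},
}

SAX_BREAKPOINTS = [-0.43, 0.43]  # alphabet size 3: equiprobable bins of N(0,1)


def sax(series, segments=6, breakpoints=SAX_BREAKPOINTS):
    """Symbolic Aggregate approXimation: z-normalise, reduce to `segments`
    piecewise means (PAA), map each mean to a letter by the breakpoints."""
    n = len(series)
    mean = sum(series) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in series) / n)
    z = [(x - mean) / std if std else 0.0 for x in series]  # flat series -> all 'b'
    step = n // segments
    word = []
    for s in range(segments):
        seg_mean = sum(z[s * step:(s + 1) * step]) / step
        word.append("abc"[sum(seg_mean > b for b in breakpoints)])
    return "".join(word)


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0


def sax_similarity(s, t):
    """1 minus the normalised Hamming distance between two SAX words."""
    return 1.0 - sum(x != y for x, y in zip(s, t)) / len(s)


# Pluggable (name, feature extractor, similarity metric, weight) entries.
FEATURES = [
    ("ports", lambda t: t["ports"], jaccard, 0.5),
    ("volume shape", lambda t: sax(t["hourly"]), sax_similarity, 0.5),
]


def similarity(t1, t2, features=FEATURES):
    """Weighted mean of the per-feature similarities."""
    total = sum(w for _, _, _, w in features)
    return sum(w * sim(f(t1), f(t2)) for _, f, sim, w in features) / total


def cluster(traces, threshold=0.6, features=FEATURES):
    """Single-linkage clustering: link every pair whose similarity reaches
    the threshold and return the connected components (sorted)."""
    ids = sorted(traces)
    parent = {i: i for i in ids}

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for a_idx, a in enumerate(ids):
        for b in ids[a_idx + 1:]:
            if similarity(traces[a], traces[b], features) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for i in ids:
        groups.setdefault(find(i), []).append(i)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for name, t in TRACES.items():
        print(name, sax(t["hourly"]), sorted(t["ports"]))
    print("clusters:", cluster(TRACES))
    print("ports only, strict:", cluster(TRACES, threshold=0.9, features=[FEATURES[0]]))
```

The three A traces get the same SAX word "aaaacc" (a night-time burst) although their absolute volumes differ by an order of magnitude, which is the point of z-normalising before PAA; the B traces map to "aaccaa" and C to "ccaaaa". Swapping the feature list, as the last line does, changes the grouping without touching the clustering code, which is the flexibility [50] describes.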

3.17 Forensic Vendors

The author describes the similarities and differences between Private Investigation (PI) and Digital Investigation (DI). Generally, PI is a profession regulated by state, federal or international law [79]. Both PI and DI investigators have to follow a code of ethics and technical guidelines, and they are also required to have professional insurance. Performing an investigation is also expected to be properly authorised by a legal organisational background; the violation of a simple rule could result in legal liability.

As incident responders, they could be asked to perform a sort of wiretapping or eavesdropping and to specialise in electronic surveillance programmes. A PI and a DI must maintain behaviour based on integrity and ethics; otherwise, they might breach the privacy of data that should be handled by ethical people.

3.18 Anti-Forensic Approaches

Paper [89] discusses the vulnerabilities involved in digital forensic software. As widely marketed, the forensic software may lead to a defenceless state that exposes the collected information to third parties. The level of vulnerability is unlimited and can be exploited through the software architecture, file types, level of patching, etc. Thus, it is crucial to practise administrative and authentication policy in IT systems. As explained in [92], no software is completely crash-proof, as there will be an abnormality that disfigures the data.

3.19 Network Data Analysis

Nowadays, the demand for IT gadgets is increasing rapidly, and networking issues are becoming crucial in providing a connection between users. Besides providing unlimited access to internet applications and communication with each other, the reliability of IT gadget networking lies in how effectively they can correspond with another device. In [45], the communication among those gadgets depends on lower-layer binary network signatures like socket and packet data structures. In order to carve the network, an open source forensic tool called "scan_net" was developed. For network ground-truth data, the disk is securely erased and Windows is installed from a virgin copy of the OS. The machine is then connected to multiple servers, runs a file transfer process, and the packets entering and leaving the network are monitored using a promiscuous recorder. The tool carves the network at specific levels: IP address, socket structure, Windows and Ethernet level. For IP address carving, the potential IP address is checked in either the TCP or the UDP protocol; where possible, the IP header checksum is verified in order to validate the correct IP address. For socket structure carving, the correct socket and port are identified.

3.20 Data Integrity

The popularity of cloud storage services (CSS) has grown rapidly in recent years. Cloud storage services provide lower cost to the data owner and do not depend on a specific location that the data owner needs to consider. The client or data

owner also does not have to perform be bypassed. The paper, [27], explains
storage management process and on how to secure USB type, bypassing
maintenance. The key concern in [1] is plan, certification method and the
how to perform efficient audit services. implementation of tools for USB
The purpose of audit service is to check security. USB provides an IP address
on data integrity and its availability of tracking to allow only authentic user to
the outsourced data to the client when have access. The paper compared the
they need it. Because of this issue, the security method implemented by
Third Party Auditor (TPA) gain benefit manufacturer in providing a secure USB
from the situation. Some of the clients usage in different type of USB. In order
themselves are not formidable enough to to enhance the security in USB
perform the audit service on their own. application, some manufacturers
The cost of the audit service also caused implement USB controller demand. The
the data owner to hire TPA to perform tool mentioned in the paper can provide
the audit service. an image of data obtained in a user
The authors propose their cryptographic friendly interface and supply with the
interactive audit scheme in the paper. report of data received.
The proposed approach in the paper helps to reduce the workload on the storage server while maintaining the capability to detect the server's abnormal behavior at a higher probability rate, as mentioned in the paper. The paper also intends to address the privacy problem in its proposed approach: the authors try to preserve the privacy of the data in the cloud storage services as part of the approach. In the approach, the TPA is unable to derive the user's data from the information gathered during the audit service processes, which preserves the users' privacy.

3.21 USB Forensic

Universal Serial Bus (USB) storage is widely used for its capacity and mobility. USB devices are normally equipped with a security function using the USB controller command. Because USB is easy to use, it tends to be used for USB memory-related crime. The USB controller command provides vulnerabilities during the user certification process which allows it to
As a conclusion, as USB memory storage increases in capacity and capability, it offers greater opportunity for providing information to digital forensics. By applying these tools, an unlimited amount of evidence can potentially be uncovered. The privacy issue related to USB forensics is that, among the unlimited evidence that the tools can carve out of the USB storage, there might be private information that should not be accessed by unauthorized persons.

3.22 Evidence Validation

In [7], the paper reveals the method discussed by the authors to recover lost files in a cloud computing system. Finding evidence in a cloud computing system may be very complex. The public cloud computing system is a publicly accessible remote interface for managing and transferring data. Some organizations will encrypt the data before transferring it to the cloud computing system. Unless a cloud computing application provides an audit trail, it may be difficult to extract digital evidence in an admissible manner from
such applications, and in some cases there may be little evidence available to extract. This might lead either to legislation requiring cloud computing service providers to keep audit trails (or similar records of user activity), or to prosecution cases needing to be based mainly upon evidence gained from the user's computer rather than from computing equipment within the cloud. So the process of evidence validation in cloud computing is quite complex compared to evidence validation in traditional computing. An investigation carried out on cloud computing may also raise privacy issues for the other users of the cloud system.

3.23 Location Analysis

The TomTom navigation system is divided into 3 main segments: the SD card, the internal hardware device and the flash memory [61]. Data can be saved in the TomTom flash memory and kept as history until the power is turned off. The data is saved in the setting.dat, temporary.iti and MapSetting.cfg file formats. Besides connecting directly to the satellite for navigation purposes, the TomTom system allows the user to connect it to a computer using the USB port. However, there is a limitation: memory content will be erased when the device is turned off. It will delete or 'forget' the last destination visited if the memory card is removed, the battery is low or the USB connection from the device is disconnected.
The newly released product, called TomTology, provides substantial capabilities that were not available previously, such as the type of record (home, favorite, start of the last calculated route, POI, location entered by address or by lookup, as outlined earlier in this article). The tool can also interpret the structure of the .cfg file to identify how many locations of each type are stored in the .cfg file, identify recent destinations in the order they were entered, show details of the last entered journey and identify the last recorded GPS fix. It will carve out deleted .cfg files, if possible, so providing context for the deleted locations. The process of carving the files in the product might jeopardize users' privacy, because it is able to pinpoint where the user travelled from deleted .cfg files. When using the product for digital forensic analysis, any act that leads to the violation of users' privacy must be avoided.
In addition there were several works on malware investigation [99,100], analysis of cloud and virtualized environments [101-103], privacy issues that may arise during forensics investigation [104-113], mobile device investigation [114-116], Voice over IP (VoIP) forensics investigation [117], greening the digital forensics process [118], SCADA systems [119] and securing forensic logs [120].

4 CONCLUSION AND FUTURE RESEARCH

As we can see in this paper, more and more tools are available or being developed to help digital forensic investigators acquire digital evidence from devices. Some of the tools are very powerful at extracting information and reduce the duration of evidence analysis. Besides the advancement in digital forensic investigation tools, the methodologies or techniques developed to obtain the information have also become more advanced.
One of the key factors in this situation is the way computing technology evolves. The rapid development of computing devices requires new methods or tools to be used by digital forensic investigators to obtain the evidence as legally acquired evidence that can be presented in court. For example, as mentioned in [39], the paper demonstrates the development of the Mobile Internal Acquisition Tool (MIAT). This tool is executed from a removable memory card inserted into a smartphone. It works in a different way from the traditional evidence acquisition method, wherein data cables are required to transfer the evidence from the investigated device to the investigator's workstation.
The advancement in communication devices also contributes to this situation. Nowadays, mobile phones do not only transfer voice and text messages; they have become multipurpose devices that can transfer multimedia files, perform video streaming, internet browsing and other operations related to data transfer. Thanks to the advancement in networking speed, users can transfer their data easily with their mobile devices. Even though this is a great situation for the user, it may lead them to become a target of privacy invasion. The personal data residing on their mobile devices are valuable and might attract unauthorized attackers seeking to obtain that information for illegal purposes. As computing technology evolves, the way computer users use or transfer data in their environment also differs from the traditional computing system.
As discussed in [7-9], digital evidence acquisition methodologies need to adapt to new environments like cloud computing and the peer-to-peer networking environment. These differ from the traditional computing system, where normally a single user uses the device and the application and user's data reside on that device only. Unlike the traditional computing environment, the evidence or the data might not reside on a single device but may be scattered around several devices. This requires the investigator to be extra careful with the data acquisition process, because they might invade other users' private information that resides in that type of network. So with the complexity of networking and computing environments and the advancement of mobile devices, digital forensic investigators also need to advance their tools and methodologies to obtain evidence legally for the court without affecting users' privacy.
As we discuss throughout this paper, there are many newly developed tools and methodologies to assist digital forensic investigators in the digital evidence acquisition process and in analyzing the evidence. As we reviewed, some of the tools used by digital forensic investigators will be released under an open source license. It means that the tools are available for public access. This raises the question of what happens if the tools fall into the hands of an unethical person: how severe is the damage caused by the tools if they are used for illegal purposes, and how can the distribution of the tools be controlled if they are publicly available? These are the questions that we think we need to study and be able to provide solutions or answers to in the future.
Apart from the above questions, we are also interested in continuing the research on effective methods of privacy education. As an initial step to reduce the privacy issue, it is crucial to combat the problems at the root level. The root
level solution is in our mind. Educating the human mind to become an ethical person in their work is one of the key factors that we think will help to reduce the issues in privacy. It is crucial to educate people at different levels not to invade other persons' private information, and to educate them on what to do if they accidentally find that type of information. The method to educate people on privacy needs to be effective enough, as we humans tend to explore what is new to us. So, regardless of how powerful the above-mentioned tools might become, in the hands of an ethical person the privacy of related parties can be preserved if we have successfully educated ourselves not to interfere with information which is not for our eyes to see.

6 REFERENCES

[1] Y. Zhu, H. Hu, G.-J. Ahn, and S. S. Yau, "Efficient audit service outsourcing for data integrity in clouds," Journal of Systems and Software, vol. 85, pp. 1083-1095, 2012.
[2] H. Wechsler, "Linguistics and face recognition," Journal of Visual Languages & Computing, vol. 20, pp. 145-155, 2009.
[3] S.-J. Wang, D.-Y. Kao, and F. F.-Y. Huang, "Procedure guidance for Internet forensics coping with copyright arguments of client-server-based P2P models," Computer Standards & Interfaces, vol. 31, pp. 795-800, 2009.
[4] M.-J. Tsai, C.-S. Wang, J. Liu, and J.-S. Yin, "Using decision fusion of feature selection in digital forensics for camera source model identification," Computer Standards & Interfaces, vol. 34, pp. 292-304, 2012.
[5] V. L. L. Thing, K.-Y. Ng, and E.-C. Chang, "Live memory forensics of mobile phones," Digital Investigation, vol. 7, Supplement, pp. S74-S82, 2010.
[6] M. Taylor, G. Hughes, J. Haggerty, D. Gresty, and P. Almond, "Digital evidence from mobile telephone applications," Computer Law & Security Review, vol. 28, pp. 335-339, 2012.
[7] M. Taylor, J. Haggerty, D. Gresty, and R. Hegarty, "Digital evidence in cloud computing systems," Computer Law & Security Review, vol. 26, pp. 304-308, 2010.
[8] M. Taylor, J. Haggerty, D. Gresty, and P. Fergus, "Forensic investigation of peer-to-peer networks," Network Security, vol. 2010, pp. 12-15, 2010.
[9] M. Taylor, J. Haggerty, D. Gresty, and T. Berry, "Digital evidence from peer-to-peer networks," Computer Law & Security Review, vol. 27, pp. 647-652, 2011.
[10] M. Taylor, J. Haggerty, and D. Gresty, "The legal aspects of corporate computer usage policies," Computer Law & Security Review, vol. 26, pp. 72-76, 2010.
[11] M. Taylor, J. Haggerty, and D. Gresty, "The legal aspects of corporate e-mail investigations," Computer Law & Security Review, vol. 25, pp. 372-376, 2009.
[12] D. Takahashi, Y. Xiao, Y. Zhang, P. Chatzimisios, and H.-H. Chen, "IEEE 802.11 user fingerprinting and its applications for intrusion detection," Computers & Mathematics with Applications, vol. 60, pp. 307-318, 2010.
[13] E. Serrano, A. Quirin, J. Botia, and O. Cordón, "Debugging complex software systems by means of pathfinder networks," Information Sciences, vol. 180, pp. 561-583, 2010.
[14] K. Saur and J. B. Grizzard, "Locating x86 paging structures in memory images," Digital Investigation, vol. 7, pp. 28-37, 2010.
[15] S. Rekhis and N. Boudriga, "Logic-based approach for digital forensic investigation in communication Networks," Computers & Security, vol. 30, pp. 376-396, 2011.
[16] V.-H. Pham and M. Dacier, "Honeypot trace forensics: The observation viewpoint matters," Future Generation Computer Systems, vol. 27, pp. 539-546, 2011.
[17] M. Pavlou and N. M. Allinson, "Automated encoding of footwear patterns for fast indexing," Image and Vision Computing, vol. 27, pp. 402-409, 2009.
[18] B. Park, J. Park, and S. Lee, "Data concealment and detection in Microsoft Office 2007 files," Digital Investigation, vol. 5, pp. 104-114, 2009.
[19] A. Pal, H. T. Sencar, and N. Memon, "Detecting file fragmentation point using sequential hypothesis testing," Digital
Investigation, vol. 5, Supplement, pp. S2-S13, 2008.
[20] J. S. Okolica and G. L. Peterson, "Windows driver memory analysis: A reverse engineering methodology," Computers & Security, vol. 30, pp. 770-779, 2011.
[21] B. Mahdian and S. Saic, "A bibliography on blind methods for identifying image forgery," Signal Processing: Image Communication, vol. 25, pp. 389-399, 2010.
[22] B. Mahdian and S. Saic, "Using noise inconsistencies for blind image forensics," Image and Vision Computing, vol. 27, pp. 1497-1503, 2009.
[23] W. Lu, W. Sun, F.-L. Chung, and H. Lu, "Revealing digital fakery using multiresolution decomposition and higher order statistics," Engineering Applications of Artificial Intelligence, vol. 24, pp. 666-672, 2011.
[24] N. Liao, S. Tian, and T. Wang, "Network forensics based on fuzzy logic and expert system," Computer Communications, vol. 32, pp. 1881-1892, 2009.
[25] W. Li, Y. Yuan, and N. Yu, "Passive detection of doctored JPEG image via block artifact grid extraction," Signal Processing, vol. 89, pp. 1821-1829, 2009.
[26] H. Khan, M. Javed, S. A. Khayam, and F. Mirza, "Designing a cluster-based covert channel to evade disk investigation and forensics," Computers & Security, vol. 30, pp. 35-49, 2011.
[27] T. Kavallaris and V. Katos, "On the detection of pod slurping attacks," Computers & Security, vol. 29, pp. 680-685, 2010.
[28] D.-Y. Kao, S.-J. Wang, and F. Fu-Yuan Huang, "SoTE: Strategy of Triple-E on solving Trojan defense in Cyber-crime cases," Computer Law & Security Review, vol. 26, pp. 52-60, 2010.
[29] D. Kahvedžić and T. Kechadi, "DIALOG: A framework for modeling, analysis and reuse of digital forensic knowledge," Digital Investigation, vol. 6, Supplement, pp. S23-S33, 2009.
[30] N. Jailani, N. F. M. Yatim, Y. Yahya, A. Patel, and M. Othman, "Secure and auditable agent-based e-marketplace framework for mobile users," Computer Standards & Interfaces, vol. 30, pp. 237-252, 2008.
[31] O. Ibáñez, O. Cordón, S. Damas, and J. Santamaría, "An advanced scatter search design for skull-face overlay in craniofacial superimposition," Expert Systems with Applications, vol. 39, pp. 1459-1473, 2012.
[32] H.-C. Huang and W.-C. Fang, "Metadata-based image watermarking for copyright protection," Simulation Modelling Practice and Theory, vol. 18, pp. 436-445, 2010.
[33] Z. He, W. Sun, W. Lu, and H. Lu, "Digital image splicing detection based on approximate run length," Pattern Recognition Letters, vol. 32, pp. 1591-1597, 2011.
[34] L. Gómez-Miralles and J. Arnedo-Moreno, "Versatile iPad forensic acquisition using the Apple Camera Connection Kit," Computers & Mathematics with Applications, vol. 63, pp. 544-553, 2012.
[35] S. Geetha, N. Ishwarya, and N. Kamaraj, "Evolving decision tree rule based system for audio stego anomalies detection based on Hausdorff distance statistics," Information Sciences, vol. 180, pp. 2540-2559, 2010.
[36] S. Geetha, N. Ishwarya, and N. Kamaraj, "Audio steganalysis with Hausdorff distance higher order statistics using a rule based decision tree paradigm," Expert Systems with Applications, vol. 37, pp. 7469-7482, 2010.
[37] D. Forte, "Visual Forensics: new or old trend?," Computer Fraud & Security, vol. 2009, pp. 15-17, 2009.
[38] H. Farid and M. J. Bravo, "Perceptual discrimination of computer generated and photographic faces," Digital Investigation, vol. 8, pp. 226-235, 2012.
[39] A. Distefano and G. Me, "An overall assessment of Mobile Internal Acquisition Tool," Digital Investigation, vol. 5, Supplement, pp. S121-S127, 2008.
[40] F. Cohen, "A method for forensic analysis of control," Computers & Security, vol. 29, pp. 891-902, 2010.
[41] Y.-K. Chung, W. K. Fung, and Y.-Q. Hu, "Familial database search on two-person mixture," Computational Statistics & Data Analysis, vol. 54, pp. 2046-2051, 2010.
[42] A. Cheddad, J. Condell, K. Curran, and P. McKevitt, "A secure and improved self-embedding algorithm to combat digital document forgery," Signal Processing, vol. 89, pp. 2324-2332, 2009.
[43] A. Castiglione, A. De Santis, and C. Soriente, "Security and privacy issues in the Portable Document Format," Journal of
Systems and Software, vol. 83, pp. 1813-1822, 2010.
[44] D. Byers and N. Shahmehri, "Contagious errors: Understanding and avoiding issues with imaging drives containing faulty sectors," Digital Investigation, vol. 5, pp. 29-33, 2008.
[45] R. Beverly, S. Garfinkel, and G. Cardwell, "Forensic carving of network packets and associated data structures," Digital Investigation, vol. 8, Supplement, pp. S78-S89, 2011.
[46] G. Antoniou, L. Sterling, S. Gritzalis, and P. Udaya, "Privacy and forensics investigation process: The ERPINA protocol," Computer Standards & Interfaces, vol. 30, pp. 229-236, 2008.
[47] A. Veremme, É. Lefevre, G. Morvan, D. Dupont, and D. Jolly, "Evidential calibration process of multi-agent based system: An application to forensic entomology," Expert Systems with Applications, vol. 39, pp. 2361-2374, 2012.
[48] W. S. van Dongen, "Case study: Forensic analysis of a Samsung digital video recorder," Digital Investigation, vol. 5, pp. 19-28, 2008.
[49] R. B. van Baar, W. Alink, and A. R. van Ballegooij, "Forensic memory analysis: Files mapped in memory," Digital Investigation, vol. 5, Supplement, pp. S52-S57, 2008.
[50] O. Thonnard and M. Dacier, "A framework for attack patterns' discovery in honeynet data," Digital Investigation, vol. 5, Supplement, pp. S128-S139, 2008.
[51] M. Taylor, J. Haggerty, D. Gresty, and D. Lamb, "Forensic investigation of cloud computing systems," Network Security, vol. 2011, pp. 4-10, 2011.
[52] C. M. S. Steel and C.-T. Lu, "Impersonator identification through dynamic fingerprinting," Digital Investigation, vol. 5, pp. 60-70, 2008.
[53] J. Shaw, "Speedy recovery: retrieving lost emails as part of an investigation," Computer Fraud & Security, vol. 2011, pp. 9-11, 2011.
[54] A. Schuster, "The impact of Microsoft Windows pool allocation strategies on memory forensics," Digital Investigation, vol. 5, Supplement, pp. S58-S64, 2008.
[55] J. Santamaría, O. Cordón, and S. Damas, "A comparative study of state-of-the-art evolutionary image registration methods for 3D modeling," Computer Vision and Image Understanding, vol. 115, pp. 1340-1354, 2011.
[56] A. Rocha and S. Goldenstein, "Progressive randomization: Seeing the unseen," Computer Vision and Image Understanding, vol. 114, pp. 349-362, 2010.
[57] P. Ridley, "Outsmarting the smartphone fraudsters," Network Security, vol. 2010, pp. 7-9, 2010.
[58] H. Proença and G. Santos, "Fusing color and shape descriptors in the recognition of degraded iris images acquired at visible wavelengths," Computer Vision and Image Understanding, vol. 116, pp. 167-178, 2012.
[59] N. R. Poole, Q. Zhou, and P. Abatis, "Analysis of CCTV digital video recorder hard disk storage system," Digital Investigation, vol. 5, pp. 85-92, 2009.
[60] M. S. Olivier, "On metadata context in Database Forensics," Digital Investigation, vol. 5, pp. 115-123, 2009.
[61] B. Nutter, "Pinpointing TomTom location records: A forensic analysis," Digital Investigation, vol. 5, pp. 10-18, 2008.
[62] T. D. Morgan, "Recovering deleted data from the Windows registry," Digital Investigation, vol. 5, Supplement, pp. S33-S41, 2008.
[63] S. Mansfield-Devine, "Fighting forensics," Computer Fraud & Security, vol. 2010, pp. 17-20, 2010.
[64] G. Liu, J. Wang, S. Lian, and Z. Wang, "A passive image authentication scheme for detecting region-duplication forgery with rotation," Journal of Network and Computer Applications, vol. 34, pp. 1557-1565, 2011.
[65] H.-Y. Lin and W.-C. Fan-Chiang, "Reconstruction of shredded document based on image feature matching," Expert Systems with Applications, vol. 39, pp. 3324-3332, 2012.
[66] Q. Liao, A. Blaich, D. VanBruggen, and A. Striegel, "Managing networks through context: Graph visualization and exploration," Computer Networks, vol. 54, pp. 2809-2824, 2010.
[67] J. Lewthwaite and V. Smith, "Limewire examinations," Digital Investigation, vol. 5, Supplement, pp. S96-S104, 2008.
[68] J. Lee, S. Un, and D. Hong, "High-speed search using Tarari content processor in digital forensics," Digital Investigation, vol. 5, Supplement, pp. S91-S95, 2008.
[69] P. Larrañaga and S. Moral, "Probabilistic graphical models in artificial intelligence," Applied Soft Computing, vol. 11, pp. 1511-1528, 2011.
[70] P. Kumar, S. Roy, and A. Mittal, "OS-Guard: on-site signature based framework for multimedia surveillance data management," Multimedia Tools and Applications, vol. 59, pp. 363-382, 2012.
[71] J. D. Kornblum, "Using JPEG quantization tables to identify imagery processed by software," Digital Investigation, vol. 5, Supplement, pp. S21-S25, 2008.
[72] R. A. Joyce, J. Powers, and F. Adelstein, "MEGA: A tool for Mac OS X operating system and application forensics," Digital Investigation, vol. 5, Supplement, pp. S83-S90, 2008.
[73] A. Jones and T. Martin, "Digital forensics and the issues of identity," Information Security Technical Report, vol. 15, pp. 67-71, 2010.
[74] M. Islam, P. A. Watters, and J. Yearwood, "Real-time detection of children's skin on social networking sites using Markov random field modelling," Information Security Technical Report, vol. 16, pp. 51-58, 2011.
[75] F. Iqbal, R. Hadjidj, B. C. M. Fung, and M. Debbabi, "A novel approach of mining write-prints for authorship attribution in e-mail forensics," Digital Investigation, vol. 5, Supplement, pp. S42-S51, 2008.
[76] D. Horn, "Taking the right approach to digital forensics," Computer Fraud & Security, vol. 2008, pp. 16-17, 2008.
[77] F. Fusco, M. Vlachos, and M. P. Stoecklin, "Real-time creation of bitmap indexes on streaming network data," The VLDB Journal, vol. 21, pp. 287-307, 2012.
[78] D. V. Forte, "The responsibilities of an incident responder," Network Security, vol. 2010, pp. 18-19, 2010.
[79] D. V. Forte, "Are you going to be a forensic examiner or a private investigator?," Computer Fraud & Security, vol. 2010, pp. 15-17, 2010.
[80] D. V. Forte, "Volatile data vs. data at rest: the requirements of digital forensics," Network Security, vol. 2008, pp. 13-15, 2008.
[81] D. V. Forte, "Computer forensics: Are you qualified?," Computer Fraud & Security, vol. 2008, pp. 18-20, 2008.
[82] D. Forte, A. Cavallini, C. Maruti, L. Losio, T. Orlandi, and M. Zambelli, "PTK: An Alternative Advanced Interface for the Sleuth Kit," in Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS'08, vol. 53, E. Corchado, R. Zunino, P. Gastaldo, and Á. Herrero, Eds. Springer Berlin / Heidelberg, 2009, pp. 27-34.
[83] D. Forte, "Preventing and investigating hacking by auditing web applications," Network Security, vol. 2010, pp. 18-20, 2010.
[84] D. Forte, "The death of MD5," Network Security, vol. 2009, pp. 18-20, 2009.
[85] D. Forte, "Are you court validated?," Network Security, vol. 2009, pp. 6-8, 2009.
[86] D. Forte, "Do encrypted disks spell the end of forensics?," Computer Fraud & Security, vol. 2009, pp. 18-20, 2009.
[87] D. Forte, "Visual forensics in the field," Computer Fraud & Security, vol. 2009, pp. 18-20, 2009.
[88] D. Forte, "Technological alternatives in incident response," Network Security, vol. 2008, pp. 16-18, 2008.
[89] D. Forte, "Dealing with forensic software vulnerabilities: is anti-forensics a real danger?," Network Security, vol. 2008, pp. 18-20, 2008.
[90] B. Dolan-Gavitt, "Forensic analysis of the Windows registry in memory," Digital Investigation, vol. 5, Supplement, pp. S26-S32, 2008.
[91] M. I. Cohen, "PyFlag – An advanced network forensic framework," Digital Investigation, vol. 5, Supplement, pp. S112-S120, 2008.
[92] A. Case, A. Cristina, L. Marziale, G. G. Richard, and V. Roussev, "FACE: Automated digital evidence discovery and correlation," Digital Investigation, vol. 5, Supplement, pp. S65-S75, 2008.
[93] W. C. Calhoun and D. Coles, "Predicting the types of file fragments," Digital Investigation, vol. 5, Supplement, pp. S14-S20, 2008.
[94] Y. Cai, "Video intelligence workshop (VI-2010)," Procedia Computer Science, vol. 1, p. 2509, 2010.
[95] S. Brueckner, D. Guaspari, F. Adelstein, and J. Weeks, "Automated computer forensics training in a virtualized environment," Digital Investigation, vol. 5, Supplement, pp. S105-S111, 2008.
[96] S. Bayram, H. T. Sencar, and N. Memon, "Classification of digital camera-models
based on demosaicing artifacts," Digital Investigation, vol. 5, pp. 49-59, 2008.
[97] R. Alshammari and A. N. Zincir-Heywood, "Can encrypted traffic be identified without port numbers, IP addresses and payload inspection?," Computer Networks, vol. 55, pp. 1326-1350, 2011.
[98] M. Tu, K. Cronin, D. Xu, and S. Wira, "On the Development of Digital Forensics Curriculum," http://www.dsu.edu/research/ia/documents/[6]-On-the-development-of-Digital-Forensics-Curriculum.
[99] F. Daryabar, A. Dehghantanha, and H. G. Broujerdi, "Investigation of Malware Defence and Detection Techniques," International Journal of Digital Information and Wireless Communications (IJDIWC), vol. 1, issue 3, pp. 645-650, 2012.
[100] F. Daryabar, A. Dehghantanha, and N. I. Udzir, "Investigation of bypassing malware defences and malware detections," Conference on Information Assurance and Security (IAS), pp. 173-178, 2011.
[101] M. Damshenas, A. Dehghantanha, R. Mahmoud, and S. Bin Shamsuddin, "Forensics investigation challenges in cloud computing environments," Cyber Warfare and Digital Forensics (CyberSec), pp. 190-194, 2012.
[102] F. Daryabar, A. Dehghantanha, F. Norouzi, and F. Mahmoodi, "Analysis of virtual honeynet and VLAN-based virtual networks," Science & Engineering Research (SHUSER), pp. 73-70, 2011.
[103] S. H. Mohtasebi and A. Dehghantanha, "Defusing the Hazards of Social Network Services," International Journal of Digital Information, pp. 504-515, 2012.
[104] A. Aminnezhad, A. Dehghantanha, and M. T. Abdullah, "A Survey on Privacy Issues in Digital Forensics," International Journal of Cyber-Security and Digital Forensics (IJCSDF), vol. 1, issue 4, pp. 311-323, 2013.
[105] A. Dehghantanha, N. I. Udzir, and R. Mahmod, "Towards a pervasive formal privacy language," Advanced Information Networking and Applications Workshops (WAINA), pp. 1085-1091, 2010.
[106] A. Dehghantanha, R. Mahmod, and N. I. Udzir, "A XML based, User-centered Privacy Model in Pervasive Computing Systems," International Journal of Computer Science and Networking Security, vol. 9, issue 2, pp. 167-173, 2009.
[107] A. Dehghantanha, R. Mahmod, N. I. Udzir, and Z. A. Zulkarnain, "User-centered Privacy and Trust Model in Cloud Computing Systems," Computer And Network Technology, pp. 326-332, 2009.
[108] A. Dehghantanha, "Xml-Based Privacy Model in Pervasive Computing," Master thesis, University Putra Malaysia, 2008.
[109] C. Sagaran, A. Dehghantanha, and R. Ramli, "A User-Centered Context-sensitive Privacy Model in Pervasive Systems," Communication Software and Networks, pp. 78-82, 2010.
[110] A. Dehghantanha, N. Udzir, and R. Mahmod, "Evaluating user-centered privacy model (UPM) in pervasive computing systems," Computational Intelligence in Security for Information Systems, pp. 272-284, 2011.
[111] A. Dehghantanha and R. Mahmod, "UPM: User-Centered Privacy Model in Pervasive Computing Systems," Future Computer and Communication, pp. 65-70, 2009.
[112] V. Ho, A. Dehghantanha, and K. Shanmugam, "A Guideline to Enforce Data Protection and Privacy Digital Laws in Malaysia," Computer Research and Development, pp. 3-6, 2010.
[113] C. Sagaran, A. Dehghantanha, and R. Ramli, "A User-Centered Context-sensitive Privacy Model in Pervasive Systems," Communication Software and Networks, pp. 78-82, 2010.
[114] S. Parvez, A. Dehghantanha, and H. G. Broujerdi, "Framework of digital forensics for the Samsung Star Series phone," Electronics Computer Technology (ICECT), vol. 2, pp. 264-267, 2011.
[115] S. H. Mohtasebi, A. Dehghantanha, and H. G. Broujerdi, "Smartphone Forensics: A Case Study with Nokia E5-00 Mobile Phone," International Journal of Digital Information and Wireless Communications (IJDIWC), vol. 1, issue 3, pp. 651-655, 2012.
[116] F. N. Dezfouli, A. Dehghantanha, and R. Mahmoud, "Volatile memory acquisition using backup for forensic investigation," Cyber Warfare and Digital Forensic, pp. 186-189, 2012.
[117] M. Ibrahim, M. T. Abdullah, and A. Dehghantanha, "VoIP evidence model: A new forensic method for investigating VoIP malicious attacks," Cyber Security, Cyber Warfare and Digital Forensic, pp. 201-206, 2012.
[118] Y. TzeTzuen, A. Dehghantanha, and A. Seddon, "Greening Digital Forensics: Opportunities and Challenges," Signal Processing and Information Technology, pp. 114-119, 2012.
[119] F. Daryabar, A. Dehghantanha, N. I. Udzir, N. Fazlida, and S. b. Shamsuddin, "Towards Secure Model for SCADA Systems," Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), pp. 60-64, 2012.
[120] N. Borhan, R. Mahmod, and A. Dehghantanha, "A Framework of TPM, SVM and Boot Control for Securing Forensic Logs," International Journal of Computer Application, vol. 50, issue 13, pp. 65-70, 2009.