The Society of Digital Information and Wireless Communications, 2013 (ISSN: 2305-0012)
Farhood Norouzizadeh Dezfoli, Ali Dehghantanha, Ramlan Mahmoud, Nor Fazlida Binti
Mohd Sani, Farid Daryabar
Faculty of Computer Science and Information Technology
University Putra Malaysia
{Farhood1990, farid0fx} @gmail.com
{alid, ramlan, fazlida} @fsktm.upm.edu.my
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2): 48-76
Phase 2: Topics Covered in the Journals. The collected keywords were then grouped into broad category topics based on their representation to
Location 1 1
Analysis
36 5 18 2 22 3 11 97
Phase 3: Results Obtained from the Journal. Individual analytic platform is conducted as a final data collection. This is done by picking up a summary of each paper and giving a brief explanation of what the paper is trying to prove and the possible benefits from the publications.

2.3 Comparing Journal Result with Existing Survey-Reports

A survey was conducted among experienced researchers and practitioners in the computer forensics field in 2008 during the Digital Forensics Research Workshop. Nine volunteers from the digital forensics practitioner group within the United States participated and were asked to describe the types of cases that are involved in their investigations [98]. The result is shown in Figure 2.

The most common digital forensic investigation cases, 77.8% of overall cases, are those that deal with single personal computers (PCs). Surprisingly, the second-most common digital forensic investigation cases, 55.6% of overall cases, involve mobile media. The third-most common digital forensic investigation cases, 44.4% of overall cases, involve networks, hacking, and multimedia. Only a small number of cases, i.e., 11.1% of overall cases, are concerned with steganography and other sophisticated computer techniques. Note that the total percentage is over 100% because some cases may involve multiple devices. For example, a cell phone, PDA, as well as desktop PCs, laptops, etc. may be part of the same case.
techniques. The paper considers feature selection algorithms, in which optimal feature subsets are generated in a series of inclusion and exclusion steps, and count-based aggregation as the algorithm of decision fusion. The algorithm selects the top λ features from 43 features in order to get the highest identification rate, and an SVM trained model is built, where test images are fed into the trained model to predict the camera source model. The flowchart of the model is illustrated in Figure 3.

Figure 3. Flow Chart [4]

In [56] the author introduces an image meta-description approach suitable for different image inference applications, named progressive randomization (PR). This technique is based on perturbations of the values of the Least Significant Bits of images, which makes it different from the state-of-the-art algorithms.

As imaging analysis is being enhanced, [55] contributes a review of the state-of-the-art image registration methods that lay their foundations on evolutionary computation and analyzes the 3D modelling of forensic objects. The paper includes different evolutionary approaches in order to represent the wide variety of techniques within the EC paradigm and an IR method based on the classical ICP algorithm proposed by Liu. The paper reveals that the majority of EIR methods following a parameter-based approach achieve the best and the most robust performance, and that poor performance is obtained by the matching-based methods.

With the highly advanced application, the forensic tool is able to differentiate between fake and real images. By using multiresolution decomposition and higher order local autocorrelations (HLACs), image features are extracted to determine whether an image is real or fake [23]. By right of the inner product lemma of higher order autocorrelation, the feature extraction and SVM are joined and the computation complexity is decreased significantly. The paper suggests the two-dimensional discrete wavelet transformation (2D-DWT), a powerful multiresolution analysis tool. The signal characteristics can be localized in detail in different positions, orientations and scales, and multiresolution decomposition contains many intrinsic characteristics of natural images and fake images.

As noise degradation causes blind forgery detection methods to fail, in [9] the author proposes a model that divides a suspected image into different partitions with homogeneous noise levels. However, authentic images can also contain various isolated regions with very different variations, which makes the proposed method a supplement to other forgery detection methods rather than a standalone forgery detector. The proposed method is not able to find the corrupted regions when the noise degradation is very small (σ < 2). The proposed method can be achieved by omitting the blocks merging step.
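
The block-wise noise comparison described above can be sketched as follows; this is an added illustration, not code from the surveyed paper or from this survey, and it omits that method's segmentation and block-merging steps. It assumes a constructed 128×128 float image, a 32-pixel block size, a 2.5× outlier ratio and a Haar/MAD noise estimator, all chosen here for the demonstration; the weak case shows locally added noise of σ = 1.5 going undetected, in line with the σ < 2 limitation noted above.

```python
import random
from statistics import median


def haar_hh(img, x0, y0, size):
    """Diagonal (HH) Haar detail coefficients of one size x size block.

    For each 2x2 cell [[a, b], [c, d]] the coefficient is (a - b - c + d) / 2.
    Locally linear image content cancels out; i.i.d. noise of std sigma does
    not, and the coefficient keeps that same std sigma.
    """
    out = []
    for y in range(y0, y0 + size, 2):
        for x in range(x0, x0 + size, 2):
            a, b = img[y][x], img[y][x + 1]
            c, d = img[y + 1][x], img[y + 1][x + 1]
            out.append((a - b - c + d) / 2.0)
    return out


def block_sigma(img, x0, y0, size):
    """Robust noise std of a block: median(|HH|) / 0.6745 (MAD rule)."""
    return median(abs(c) for c in haar_hh(img, x0, y0, size)) / 0.6745


def noise_map(img, size):
    """Map each block's top-left corner (x, y) to its estimated noise std."""
    height, width = len(img), len(img[0])
    return {
        (x0, y0): block_sigma(img, x0, y0, size)
        for y0 in range(0, height - size + 1, size)
        for x0 in range(0, width - size + 1, size)
    }


def suspicious_blocks(img, size=32, ratio=2.5):
    """Blocks whose noise is `ratio` times above or below the median block."""
    sigmas = noise_map(img, size)
    baseline = median(sigmas.values())
    return sorted(
        pos for pos, s in sigmas.items()
        if s > ratio * baseline or s * ratio < baseline
    )


def make_image(width, height, base_sigma, region, added_sigma, seed):
    """Constructed test image: smooth gradient plus noise everywhere, and
    extra noise inside region = (x0, y0, x1, y1) to mimic a pasted area."""
    rng = random.Random(seed)
    x0, y0, x1, y1 = region
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            value = 100.0 + 0.5 * x + 0.25 * y + rng.gauss(0.0, base_sigma)
            if x0 <= x < x1 and y0 <= y < y1:
                value += rng.gauss(0.0, added_sigma)
            row.append(value)
        img.append(row)
    return img


# Constructed sample data (not taken from any real case or from the paper).
REGION = (64, 32, 96, 64)  # "tampered" area, aligned to one 32x32 block
STRONG = make_image(128, 128, 2.0, REGION, 10.0, seed=1)  # clearly noisier area
WEAK = make_image(128, 128, 2.0, REGION, 1.5, seed=1)     # added sigma below 2

if __name__ == "__main__":
    print("strong case flagged:", suspicious_blocks(STRONG))
    print("weak case flagged:  ", suspicious_blocks(WEAK))
    print("estimate inside weak region: %.2f" % block_sigma(WEAK, 64, 32, 32))
```

A flagged block is only a lead for further examination: as the paragraph above notes, authentic images can contain regions with very different noise, so this check supplements other forgery detectors.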
other than evidence recovery, it may violate the users’ privacy.

3.10 Video Analytics

There are many tools that can be applied to aid digital forensic analysis, whether software tools or hardware tools. Some manufacturers, like Samsung, provide devices such as the digital video recorder (DVR) to perform analysis in imaging digital forensics [48]. The device is designed with two separate hard disks to perform particular recording and testing. It is also for minimizing the errors that occur during the video forensic investigation. This device is able to compress the recorded video in MPEG-4 format and store it in a video file. Furthermore, it is capable of transferring the video to a PC (Samsung 2005) over a real-time connection.

The investigation of recorded video can refer to the time and date stated on the image display. The primary and secondary hard disks are divided into three partitions. The first partition is “ect”, which is used to store event and system log files. The second partition is the “bin” directory, which contains operating system executable files. The third partition is the “root” directory, which is used for bookkeeping files, for example “.db” and “.eve” files. Therefore, the history of logged files will be recorded on the hard disks accordingly. In addition, Closed Circuit Television (CCTV) is also an effective way of providing images for digital forensics investigation [59]. The video data will be extracted before it can gain access to manufacturer’s application software. The image will be stored on the CCTV disk as well as the digital video recorder. However, the disk must not be overloaded with data in order to provide the best result of the initial investigation.

The papers mentioned in this topic contain the related issues with privacy regarding the structure of the hard disk. The information about the structure may be copyrighted information which should be available on the manufacturer side only and not to other parties. The history in the log file may reveal user activity that may be private to the user and should be accessible by other person.

3.11 Cybercrime

The author describes the method of Strategy of Triple-E (SoTE) in solving the Trojan defense in cybercrime in [28]. It is used to defend the computer from any risk of trojan effects on any matters. The trojans can be used to track the password of a machine. The result used in the log history and kept on the server cannot be trusted to keep the best data or information. Computer/cyber/IT forensics helps the examiner to investigate and uncover data that may not be immediately obvious. The author suggests using the M-N method, where M is the path and N is the period of login and logout. In the evidential part, the collected data must be handled with care so that it will not cause any problem in court. The company or organization must have a well-defined structure for employment and email management. This may protect the company network from being attacked by intruders. If the email is saved on the computer, then the email comes together with the header details (date, sender, subject, etc.). If the emails are investigated as a disciplinary measure, the organization/company should abide by that law.
owner also does not have to perform storage management process and maintenance. The key concern in [1] is how to perform efficient audit services. The purpose of the audit service is to check the integrity of the outsourced data and its availability to the client when they need it. Because of this issue, the Third Party Auditor (TPA) gains benefit from the situation. Some of the clients themselves are not formidable enough to perform the audit service on their own. The cost of the audit service also causes the data owner to hire a TPA to perform the audit service.

The authors propose their cryptographic interactive audit scheme in the paper. The proposed approach helps to reduce the workload on the storage server while maintaining the capability to detect the server's abnormal behavior at a higher probability rate, as mentioned in the paper. The paper also intends to cater for privacy issues in the proposed approach: it tries to preserve the privacy of the data in the cloud storage services. In the approach, the TPA is unable to derive the user's data based on the information gathered during the audit service processes, which preserves the users’ privacy.

3.21 USB Forensic

Universal Serial Bus (USB) is widely used for its capacity and mobility capability. USB is normally equipped with a security function using the USB controller command. Because USB is easily used, it tends to be used for USB memory-related crime. The USB controller command provides vulnerabilities during the user certification process which allow it to be bypassed. The paper, [27], explains how to secure USB type, bypassing plan, certification method and the implementation of tools for USB security. USB provides an IP address tracking to allow only authentic users to have access. The paper compared the security methods implemented by manufacturers in providing secure USB usage in different types of USB. In order to enhance the security in USB applications, some manufacturers implement USB controller demand. The tool mentioned in the paper can provide an image of the data obtained in a user-friendly interface and supply a report of the data received.

As a conclusion, as USB memory increases its capacity and capability, it has greater opportunity in providing information to digital forensics. By applying these tools, unlimited evidence can potentially be figured out. A privacy issue that relates to USB forensics is that, with the usage of the tools, among the unlimited evidence that can be carved out of the USB storage, there might be private information that should not be accessed by unauthorized persons.

3.22 Evidence Validation

In [7], the paper reveals the method discussed by the author to recover lost files in the cloud computing system. Finding evidence in a cloud computing system may be very complex. The public cloud computing system is a publicly accessible remote interface for managing and transferring data. Some organizations will encrypt the data before transferring it to the cloud computing system. Unless a cloud computing application provides an audit trail, it may be difficult to extract digital evidence in an admissible manner from
such applications, and in some cases, there may be little evidence available to extract. This might lead to either legislation requiring cloud computing service providers to keep audit trails (or similar records of user activity), or that prosecution cases may need to be based upon evidence gained mainly from the user’s computer, rather than from computing equipment within the cloud. So the process of evidence validation in cloud computing is quite complex compared to evidence validation in traditional computing. The investigation done on cloud computing may relate to the privacy issues of the other users in the cloud system.

3.23 Location Analysis

The TomTom navigation system is divided into 3 main segments: SD card, internal hardware device and flash memory [61]. The data can be saved in TomTom flash memory, which keeps the data as history until the power is turned off. The data will be saved in the setting.dat, temporary.iti and MapSetting.cfg file formats. Besides directly connecting to the satellite for navigation purposes, the TomTom system allows the user to connect to a computer using the USB port. However, there is a limitation in that memory will be erased when the device is turned off. It will delete or ‘forget’ the last destination visited if the memory card is removed, the battery is low or the USB connection from the device is disconnected.

The new product released is called TomTology. It provides huge capabilities which were not available previously, such as type of record (home, favorite, start of the last calculated route, POI, location entered by address or by lookup, as outlined earlier in this article). The tool can also interpret the structure of the .cfg file to identify how many locations of each type are stored in the .cfg file, identify recent destinations in the order they were entered, show details of the last entered journey and identify the last recorded GPS fix. It will carve out deleted .cfg files, if possible, so providing context for the deleted locations. The process of carving the files in the product might jeopardize users’ privacy, because it is able to pinpoint where the user travelled from deleted .cfg files. When using the product for digital forensic analysis, any act that leads to the violation of users’ privacy must be avoided.

In addition there were several works on malware investigation [99,100], analysis of cloud and virtualized environments [101-103], privacy issues that may arise during forensics investigation [104-113], mobile device investigation [114-116], Voice over IP (VoIP) forensics investigation [117], greening digital forensics process [118], SCADA Systems [119] and securing forensic logs [120].

4 CONCLUSION AND FUTURE RESEARCH

As we can see in this paper, more and more tools are available or developed to help digital forensic investigators acquire digital evidence from devices. Some of the tools are very powerful in extracting the information and reducing the duration of evidence analysis. Besides the advancement in digital forensic investigation tools, the methodologies or techniques developed to obtain the information have also become more advanced.
One of the key factors of the situation is contributed by the way computing technology evolves. The rapid development of computing devices requires new methods or tools to be used by digital forensic investigators to obtain evidence that is legally acquired and can be presented in court. For example, as mentioned in [39], the paper demonstrates the development of the Mobile Internal Acquisition Tool (MIAT). This tool is executed from the removable memory card inserted into a smartphone. It works differently from the traditional evidence acquisition method, in which data cables are required to transfer the evidence from the investigated device to the investigator's workstation.

The advancement in communication devices also contributes to the following situation. Nowadays, mobile phones do not only transfer voice and text messages; they have become multipurpose devices that can transfer multimedia files, perform video streaming, internet browsing and other operations that relate to data transfer. Thanks to the advancement in networking speed, users can transfer their data easily with their mobile devices. Even though this is a great situation for the user, it may lead them to become a target of privacy invasion. The personal data that reside in their mobile devices are valuable and might attract unauthorized attackers to gain their information for illegal purposes. As computing technology evolves, the way computer users use or transfer data in their environment is also different from the traditional computing system.

As discussed in [7-9], the digital evidence acquisition methodologies need to adapt to new environments such as the cloud computing and peer-to-peer networking environment. These differ from the traditional computing system, where normally a single user uses the device and the application and user's data reside on their device only. Unlike the traditional computing environment, the evidence or data might not reside on a single device but may be scattered around several devices. This requires the investigator to be extra careful with the data acquisition process because they might invade other users' private information that resides in that type of network. So with the complexity of networking, computing environments and the advancement of mobile devices, digital forensic investigators also need to be advanced in their tools and methodologies to obtain evidence for the court legally without affecting the user's privacy.

As we discuss throughout this paper, there are many tools and methodologies newly developed to assist digital forensic investigators in the digital evidence acquisition process and in analyzing the evidence. As we reviewed, some of the tools used by digital forensic investigators will be released under open source license. It means that the tools are available for public access. It comes to our mind: what if the tools fall into the hands of an unethical person? How severe is the damage caused by the tools if they are used for illegal purposes, and how can the distribution of the tools be controlled if they are publicly available? These are the questions that we think we need to study and be able to provide solutions or answers to in the future.

Apart from the above questions, we are also interested in continuing the research on effective methods of privacy education. As an initial step to reduce the privacy issue, it is crucial to combat the problems at the root level. The root
level solution is in our mind. Educating the human mind to become an ethical person in their work is one of the key factors that we think will help to reduce the issues in privacy. It is crucial to educate different levels of people not to invade other persons' private information and to educate them on what to do if they accidentally find that type of information. The method to educate people on privacy needs to be effective enough, as we humans tend to explore something new to us. So, regardless of how powerful the above mentioned tools might evolve, in the hands of an ethical person, the privacy of related parties can be preserved if we have successfully educated ourselves not to interfere with information which is not for our eyes to see.

6 REFERENCES

[1] Y. Zhu, H. Hu, G.-J. Ahn, and S. S. Yau, "Efficient audit service outsourcing for data integrity in clouds," Journal of Systems and Software, vol. 85, pp. 1083-1095, 2012.
[2] H. Wechsler, "Linguistics and face recognition," Journal of Visual Languages & Computing, vol. 20, pp. 145-155, 2009.
[3] S.-J. Wang, D.-Y. Kao, and F. F.-Y. Huang, "Procedure guidance for Internet forensics coping with copyright arguments of client-server-based P2P models," Computer Standards & Interfaces, vol. 31, pp. 795-800, 2009.
[4] M.-J. Tsai, C.-S. Wang, J. Liu, and J.-S. Yin, "Using decision fusion of feature selection in digital forensics for camera source model identification," Computer Standards & Interfaces, vol. 34, pp. 292-304, 2012.
[5] V. L. L. Thing, K.-Y. Ng, and E.-C. Chang, "Live memory forensics of mobile phones," Digital Investigation, vol. 7, Supplement, pp. S74-S82, 2010.
[6] M. Taylor, G. Hughes, J. Haggerty, D. Gresty, and P. Almond, "Digital evidence from mobile telephone applications," Computer Law & Security Review, vol. 28, pp. 335-339, 2012.
[7] M. Taylor, J. Haggerty, D. Gresty, and R. Hegarty, "Digital evidence in cloud computing systems," Computer Law & Security Review, vol. 26, pp. 304-308, 2010.
[8] M. Taylor, J. Haggerty, D. Gresty, and P. Fergus, "Forensic investigation of peer-to-peer networks," Network Security, vol. 2010, pp. 12-15, 2010.
[9] M. Taylor, J. Haggerty, D. Gresty, and T. Berry, "Digital evidence from peer-to-peer networks," Computer Law & Security Review, vol. 27, pp. 647-652, 2011.
[10] M. Taylor, J. Haggerty, and D. Gresty, "The legal aspects of corporate computer usage policies," Computer Law & Security Review, vol. 26, pp. 72-76, 2010.
[11] M. Taylor, J. Haggerty, and D. Gresty, "The legal aspects of corporate e-mail investigations," Computer Law & Security Review, vol. 25, pp. 372-376, 2009.
[12] D. Takahashi, Y. Xiao, Y. Zhang, P. Chatzimisios, and H.-H. Chen, "IEEE 802.11 user fingerprinting and its applications for intrusion detection," Computers & Mathematics with Applications, vol. 60, pp. 307-318, 2010.
[13] E. Serrano, A. Quirin, J. Botia, and O. Cordón, "Debugging complex software systems by means of pathfinder networks," Information Sciences, vol. 180, pp. 561-583, 2010.
[14] K. Saur and J. B. Grizzard, "Locating x86 paging structures in memory images," Digital Investigation, vol. 7, pp. 28-37, 2010.
[15] S. Rekhis and N. Boudriga, "Logic-based approach for digital forensic investigation in communication Networks," Computers & Security, vol. 30, pp. 376-396, 2011.
[16] V.-H. Pham and M. Dacier, "Honeypot trace forensics: The observation viewpoint matters," Future Generation Computer Systems, vol. 27, pp. 539-546, 2011.
[17] M. Pavlou and N. M. Allinson, "Automated encoding of footwear patterns for fast indexing," Image and Vision Computing, vol. 27, pp. 402-409, 2009.
[18] B. Park, J. Park, and S. Lee, "Data concealment and detection in Microsoft Office 2007 files," Digital Investigation, vol. 5, pp. 104-114, 2009.
[19] A. Pal, H. T. Sencar, and N. Memon, "Detecting file fragmentation point using sequential hypothesis testing," Digital Investigation, vol. 5, Supplement, pp. S2-S13, 2008.
[20] J. S. Okolica and G. L. Peterson, "Windows driver memory analysis: A reverse engineering methodology," Computers & Security, vol. 30, pp. 770-779, 2011.
[21] B. Mahdian and S. Saic, "A bibliography on blind methods for identifying image forgery," Signal Processing: Image Communication, vol. 25, pp. 389-399, 2010.
[22] B. Mahdian and S. Saic, "Using noise inconsistencies for blind image forensics," Image and Vision Computing, vol. 27, pp. 1497-1503, 2009.
[23] W. Lu, W. Sun, F.-L. Chung, and H. Lu, "Revealing digital fakery using multiresolution decomposition and higher order statistics," Engineering Applications of Artificial Intelligence, vol. 24, pp. 666-672, 2011.
[24] N. Liao, S. Tian, and T. Wang, "Network forensics based on fuzzy logic and expert system," Computer Communications, vol. 32, pp. 1881-1892, 2009.
[25] W. Li, Y. Yuan, and N. Yu, "Passive detection of doctored JPEG image via block artifact grid extraction," Signal Processing, vol. 89, pp. 1821-1829, 2009.
[26] H. Khan, M. Javed, S. A. Khayam, and F. Mirza, "Designing a cluster-based covert channel to evade disk investigation and forensics," Computers & Security, vol. 30, pp. 35-49, 2011.
[27] T. Kavallaris and V. Katos, "On the detection of pod slurping attacks," Computers & Security, vol. 29, pp. 680-685, 2010.
[28] D.-Y. Kao, S.-J. Wang, and F. Fu-Yuan Huang, "SoTE: Strategy of Triple-E on solving Trojan defense in Cyber-crime cases," Computer Law & Security Review, vol. 26, pp. 52-60, 2010.
[29] D. Kahvedžić and T. Kechadi, "DIALOG: A framework for modeling, analysis and reuse of digital forensic knowledge," Digital Investigation, vol. 6, Supplement, pp. S23-S33, 2009.
[30] N. Jailani, N. F. M. Yatim, Y. Yahya, A. Patel, and M. Othman, "Secure and auditable agent-based e-marketplace framework for mobile users," Computer Standards & Interfaces, vol. 30, pp. 237-252, 2008.
[31] O. Ibáñez, O. Cordón, S. Damas, and J. Santamaría, "An advanced scatter search design for skull-face overlay in craniofacial superimposition," Expert Systems with Applications, vol. 39, pp. 1459-1473, 2012.
[32] H.-C. Huang and W.-C. Fang, "Metadata-based image watermarking for copyright protection," Simulation Modelling Practice and Theory, vol. 18, pp. 436-445, 2010.
[33] Z. He, W. Sun, W. Lu, and H. Lu, "Digital image splicing detection based on approximate run length," Pattern Recognition Letters, vol. 32, pp. 1591-1597, 2011.
[34] L. Gómez-Miralles and J. Arnedo-Moreno, "Versatile iPad forensic acquisition using the Apple Camera Connection Kit," Computers & Mathematics with Applications, vol. 63, pp. 544-553, 2012.
[35] S. Geetha, N. Ishwarya, and N. Kamaraj, "Evolving decision tree rule based system for audio stego anomalies detection based on Hausdorff distance statistics," Information Sciences, vol. 180, pp. 2540-2559, 2010.
[36] S. Geetha, N. Ishwarya, and N. Kamaraj, "Audio steganalysis with Hausdorff distance higher order statistics using a rule based decision tree paradigm," Expert Systems with Applications, vol. 37, pp. 7469-7482, 2010.
[37] D. Forte, "Visual Forensics: new or old trend?," Computer Fraud & Security, vol. 2009, pp. 15-17, 2009.
[38] H. Farid and M. J. Bravo, "Perceptual discrimination of computer generated and photographic faces," Digital Investigation, vol. 8, pp. 226-235, 2012.
[39] A. Distefano and G. Me, "An overall assessment of Mobile Internal Acquisition Tool," Digital Investigation, vol. 5, Supplement, pp. S121-S127, 2008.
[40] F. Cohen, "A method for forensic analysis of control," Computers & Security, vol. 29, pp. 891-902, 2010.
[41] Y.-K. Chung, W. K. Fung, and Y.-Q. Hu, "Familial database search on two-person mixture," Computational Statistics & Data Analysis, vol. 54, pp. 2046-2051, 2010.
[42] A. Cheddad, J. Condell, K. Curran, and P. McKevitt, "A secure and improved self-embedding algorithm to combat digital document forgery," Signal Processing, vol. 89, pp. 2324-2332, 2009.
[43] A. Castiglione, A. De Santis, and C. Soriente, "Security and privacy issues in the Portable Document Format," Journal of Systems and Software, vol. 83, pp. 1813-1822, 2010.
[44] D. Byers and N. Shahmehri, "Contagious errors: Understanding and avoiding issues with imaging drives containing faulty sectors," Digital Investigation, vol. 5, pp. 29-33, 2008.
[45] R. Beverly, S. Garfinkel, and G. Cardwell, "Forensic carving of network packets and associated data structures," Digital Investigation, vol. 8, Supplement, pp. S78-S89, 2011.
[46] G. Antoniou, L. Sterling, S. Gritzalis, and P. Udaya, "Privacy and forensics investigation process: The ERPINA protocol," Computer Standards & Interfaces, vol. 30, pp. 229-236, 2008.
[47] A. Veremme, É. Lefevre, G. Morvan, D. Dupont, and D. Jolly, "Evidential calibration process of multi-agent based system: An application to forensic entomology," Expert Systems with Applications, vol. 39, pp. 2361-2374, 2012.
[48] W. S. van Dongen, "Case study: Forensic analysis of a Samsung digital video recorder," Digital Investigation, vol. 5, pp. 19-28, 2008.
[49] R. B. van Baar, W. Alink, and A. R. van Ballegooij, "Forensic memory analysis: Files mapped in memory," Digital Investigation, vol. 5, Supplement, pp. S52-S57, 2008.
[50] O. Thonnard and M. Dacier, "A framework for attack patterns' discovery in honeynet data," Digital Investigation, vol. 5, Supplement, pp. S128-S139, 2008.
[51] M. Taylor, J. Haggerty, D. Gresty, and D. Lamb, "Forensic investigation of cloud computing systems," Network Security, vol. 2011, pp. 4-10, 2011.
[52] C. M. S. Steel and C.-T. Lu, "Impersonator identification through dynamic fingerprinting," Digital Investigation, vol. 5, pp. 60-70, 2008.
[53] J. Shaw, "Speedy recovery: retrieving lost emails as part of an investigation," Computer Fraud & Security, vol. 2011, pp. 9-11, 2011.
[54] A. Schuster, "The impact of Microsoft Windows pool allocation strategies on memory forensics," Digital Investigation,
Understanding, vol. 115, pp. 1340-1354, 2011.
[56] A. Rocha and S. Goldenstein, "Progressive randomization: Seeing the unseen," Computer Vision and Image Understanding, vol. 114, pp. 349-362, 2010.
[57] P. Ridley, "Outsmarting the smartphone fraudsters," Network Security, vol. 2010, pp. 7-9, 2010.
[58] H. Proença and G. Santos, "Fusing color and shape descriptors in the recognition of degraded iris images acquired at visible wavelengths," Computer Vision and Image Understanding, vol. 116, pp. 167-178, 2012.
[59] N. R. Poole, Q. Zhou, and P. Abatis, "Analysis of CCTV digital video recorder hard disk storage system," Digital Investigation, vol. 5, pp. 85-92, 2009.
[60] M. S. Olivier, "On metadata context in Database Forensics," Digital Investigation, vol. 5, pp. 115-123, 2009.
[61] B. Nutter, "Pinpointing TomTom location records: A forensic analysis," Digital Investigation, vol. 5, pp. 10-18, 2008.
[62] T. D. Morgan, "Recovering deleted data from the Windows registry," Digital Investigation, vol. 5, Supplement, pp. S33-S41, 2008.
[63] S. Mansfield-Devine, "Fighting forensics," Computer Fraud & Security, vol. 2010, pp. 17-20, 2010.
[64] G. Liu, J. Wang, S. Lian, and Z. Wang, "A passive image authentication scheme for detecting region-duplication forgery with rotation," Journal of Network and Computer Applications, vol. 34, pp. 1557-1565, 2011.
[65] H.-Y. Lin and W.-C. Fan-Chiang, "Reconstruction of shredded document based on image feature matching," Expert Systems with Applications, vol. 39, pp. 3324-3332, 2012.
[66] Q. Liao, A. Blaich, D. VanBruggen, and A. Striegel, "Managing networks through context: Graph visualization and exploration," Computer Networks, vol. 54, pp. 2809-2824, 2010.
[67] J. Lewthwaite and V. Smith, "Limewire examinations," Digital Investigation, vol. 5,
vol. 5, Supplement, pp. S58-S64, 2008. Supplement, pp. S96-S104, 2008.
[55] J. Santamaría, O. Cordón, and S. Damas, [68] J. Lee, S. Un, and D. Hong, "High-speed
"A comparative study of state-of-the-art search using Tarari content processor in
evolutionary image registration methods for digital forensics," Digital Investigation, vol.
3D modeling," Computer Vision and Image 5, Supplement, pp. S91-S95, 2008.
73
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2): 48-76
The Society of Digital Information and Wireless Communications, 2013 (ISSN: 2305-0012)
[69] P. Larrañaga and S. Moral, "Probabilistic Alternative Advanced Interface for the
graphical models in artificial intelligence," Sleuth Kit”, Proceedings of the
Applied Soft Computing, vol. 11, pp. 1511- International Workshop on Computational
1528, 2011. Intelligence in Security for Information
[70] P. Kumar, S. Roy, and A. Mittal, "OS- Systems CISIS’08." vol. 53, E. Corchado,
Guard: on-site signature based framework R. Zunino, P. Gastaldo, and Á. Herrero,
for multimedia surveillance data Eds., ed: Springer Berlin / Heidelberg,
management," Multimedia Tools and 2009, pp. 27-34.
Applications, vol. 59, pp. 363-382, 2012. [83] D. Forte, "Preventing and investigating
[71] J. D. Kornblum, "Using JPEG quantization hacking by auditing web applications,"
tables to identify imagery processed by Network Security, vol. 2010, pp. 18-20,
software," Digital Investigation, vol. 5, 2010.
Supplement, pp. S21-S25, 2008. [84] D. Forte, "The death of MD5," Network
[72] R. A. Joyce, J. Powers, and F. Adelstein, Security, vol. 2009, pp. 18-20, 2009.
"MEGA: A tool for Mac OS X operating [85] D. Forte, "Are you court validated?,"
system and application forensics," Digital Network Security, vol. 2009, pp. 6-8, 2009.
Investigation, vol. 5, Supplement, pp. S83- [86] D. Forte, "Do encrypted disks spell the end
S90, 2008. of forensics?," Computer Fraud & Security,
[73] A. Jones and T. Martin, "Digital forensics vol. 2009, pp. 18-20, 2009.
and the issues of identity," Information [87] D. Forte, "Visual forensics in the field,"
Security Technical Report, vol. 15, pp. 67- Computer Fraud & Security, vol. 2009, pp.
71, 2010. 18-20, 2009.
[74] M. Islam, P. A. Watters, and J. Yearwood, [88] D. Forte, "Technological alternatives in
"Real-time detection of children’s skin on incident response," Network Security, vol.
social networking sites using Markov 2008, pp. 16-18, 2008.
random field modelling," Information [89] D. Forte, "Dealing with forensic software
Security Technical Report, vol. 16, pp. 51- vulnerabilities: is anti-forensics a real
58, 2011. danger?," Network Security, vol. 2008, pp.
[75] F. Iqbal, R. Hadjidj, B. C. M. Fung, and M. 18-20, 2008.
Debbabi, "A novel approach of mining [90] B. Dolan-Gavitt, "Forensic analysis of the
write-prints for authorship attribution in e- Windows registry in memory," Digital
mail forensics," Digital Investigation, vol. Investigation, vol. 5, Supplement, pp. S26-
5, Supplement, pp. S42-S51, 2008. S32, 2008.
[76] D. Horn, "Taking the right approach to [91] M. I. Cohen, "PyFlag – An advanced
digital forensics," Computer Fraud & network forensic framework," Digital
Security, vol. 2008, pp. 16-17, 2008. Investigation, vol. 5, Supplement, pp. S112-
[77] F. Fusco, M. Vlachos, and M. P. Stoecklin, S120, 2008.
"Real-time creation of bitmap indexes on [92] A. Case, A. Cristina, L. Marziale, G. G.
streaming network data," The VLDB Richard, and V. Roussev, "FACE:
Journal, vol. 21, pp. 287-307, 2012. Automated digital evidence discovery and
[78] D. V. Forte, "The responsibilities of an correlation," Digital Investigation, vol. 5,
incident responder," Network Security, vol. Supplement, pp. S65-S75, 2008.
2010, pp. 18-19, 2010. [93] W. C. Calhoun and D. Coles, "Predicting
[79] D. V. Forte, "Are you going to be a forensic the types of file fragments," Digital
examiner or a private investigator?," Investigation, vol. 5, Supplement, pp. S14-
Computer Fraud & Security, vol. 2010, pp. S20, 2008.
15-17, 2010. [94] Y. Cai, "Video intelligence workshop (VI-
[80] D. V. Forte, "Volatile data vs. data at rest: 2010)," Procedia Computer Science, vol. 1,
the requirements of digital forensics," p. 2509, 2010.
Network Security, vol. 2008, pp. 13-15, [95] S. Brueckner, D. Guaspari, F. Adelstein,
2008. and J. Weeks, "Automated computer
[81] D. V. Forte, "Computer forensics: Are you forensics training in a virtualized
qualified?," Computer Fraud & Security, environment," Digital Investigation, vol. 5,
vol. 2008, pp. 18-20, 2008. Supplement, pp. S105-S111, 2008.
[82] D. Forte, A. Cavallini, C. Maruti, L. Losio, [96] S. Bayram, H. T. Sencar, and N. Memon,
T. Orlandi, and M. Zambelli, "PTK: An "Classification of digital camera-models
74
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2): 48-76
The Society of Digital Information and Wireless Communications, 2013 (ISSN: 2305-0012)
75
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2): 48-76
The Society of Digital Information and Wireless Communications, 2013 (ISSN: 2305-0012)
76