1. Dreier, Lisa Marie; Vanini, Céline; Hargreaves, Christopher J.; Breitinger, Frank; Freiling, Felix. "Beyond timestamps: Integrating implicit timing information into digital forensic timelines" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 49, article 301755, 2024, ISSN 2666-2817 (DFRWS USA 2024 - Selected Papers from the 24th Annual Digital Forensics Research Conference USA). BibTeX key: DREIER2024301755.
Abstract: Generating timelines, i.e., sorting events by their respective timestamps, is an essential technique commonly used in digital forensic investigations. But timestamps are not the only source of timing information. For example, sequence numbers embedded in databases or positional information, such as the line numbers in log files, often contain implicit information about the order of events without directly referencing a timestamp. We present a method that can integrate such timing information into digital forensic timelines by separating sources of timing information into distinct time domains, each with its own timeline, and then connecting these timelines based on relations observed within digital evidence. The classical "flat" timeline is thereby extended into a "rich" partial order, which we call hyper timeline. Our technique allows ordering of events without timestamps and opens a rich set of possibilities to identify and characterize timestamp inconsistencies, e.g., those that arise from timestamp tampering.
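The hyper timeline idea above (several time domains, each totally ordered on its own, joined by observed relations into one partial order in which a cycle is a timestamp inconsistency) can be exercised on a small constructed case. The following Python is an illustrative example added for this page, not the implementation from the paper; the events, domains and relations are invented, and "clock", "syslog" and "db" are assumed domain names.

```python
"""Toy 'hyper timeline': each time domain keeps its own order, and relations
observed in the evidence join the domains into one partial order.  Illustrative
code written for this page, not the implementation of Dreier et al. (2024)."""
from collections import defaultdict, deque

# Constructed evidence.  Each event has one position in one time domain
# ('clock' = system-clock epoch seconds, 'syslog' = line number, 'db' = rowid)
# or domain None when it carries no timing information of its own.
EVENTS = {
    "boot":      ("clock", 1700000000),
    "login":     ("clock", 1700000100),
    "doc_saved": ("clock", 1699990000),  # suspect: earlier than the boot itself
    "log_17":    ("syslog", 17),         # "session opened for alice"
    "log_18":    ("syslog", 18),         # "report.docx written by alice"
    "row_5":     ("db", 5),              # recent-documents row for report.docx
    "row_6":     ("db", 6),
}
# Cross-domain relations seen in the evidence, as (earlier, later) pairs.
RELATIONS = [
    ("login", "log_17"),      # line 17 was written in response to the login
    ("log_17", "doc_saved"),  # the save happened in the session line 17 opened
    ("doc_saved", "log_18"),  # line 18 records the save
    ("doc_saved", "row_5"),   # the save inserted rowid 5
]


def build_graph(events, relations):
    """Edge a -> b means 'a happened before b'."""
    graph = {name: set() for name in events}
    by_domain = defaultdict(list)
    for name, (domain, pos) in events.items():
        if domain is not None:
            by_domain[domain].append((pos, name))
    for items in by_domain.values():          # chain each domain by position
        items.sort()
        for (_, a), (_, b) in zip(items, items[1:]):
            graph[a].add(b)
    for a, b in relations:                    # join the domains
        graph[a].add(b)
    return graph


def topological_order(graph):
    """A linear extension of the partial order (Kahn, ties alphabetical), or
    None when the timing claims contradict each other."""
    indeg = {n: 0 for n in graph}
    for n in graph:
        for m in graph[n]:
            indeg[m] += 1
    queue, order = deque(sorted(n for n in graph if not indeg[n])), []
    while queue:
        n = queue.popleft()
        order.append(n)
        for m in sorted(graph[n]):
            indeg[m] -= 1
            if not indeg[m]:
                queue.append(m)
    return order if len(order) == len(graph) else None


def find_cycle(graph):
    """One contradictory chain of events, closed at both ends, or None."""
    colour, stack = {n: 0 for n in graph}, []   # 0 new, 1 on stack, 2 done

    def visit(n):
        colour[n] = 1
        stack.append(n)
        for m in sorted(graph[n]):
            if colour[m] == 1:
                return stack[stack.index(m):] + [m]
            if colour[m] == 0 and (found := visit(m)):
                return found
        stack.pop()
        colour[n] = 2

    for n in sorted(graph):
        if colour[n] == 0 and (found := visit(n)):
            return found
    return None


def without_position(events, name):
    """Drop one event's suspect position so only the relations order it."""
    return {**events, name: (None, None)}


def domain_bounds(graph, events, name, domain="clock"):
    """Interval the partial order implies for `name` in `domain`:
    (latest predecessor position, earliest successor position)."""
    reverse = {n: set() for n in graph}
    for a in graph:
        for b in graph[a]:
            reverse[b].add(a)

    def reachable(adj, start, seen=None):
        seen = set() if seen is None else seen
        for m in adj[start]:
            if m not in seen:
                seen.add(m)
                reachable(adj, m, seen)
        return seen

    before = [events[n][1] for n in reachable(reverse, name) if events[n][0] == domain]
    after = [events[n][1] for n in reachable(graph, name) if events[n][0] == domain]
    return (max(before, default=None), min(after, default=None))
```

Running topological_order on the full evidence returns None and find_cycle reports boot -> login -> log_17 -> doc_saved -> boot: the backdated clock value on doc_saved contradicts the syslog ordering. Removing that one suspect position and re-running orders doc_saved between log_17 and log_18 purely from the relations, and domain_bounds reports that the system clock must have read at least 1700000100 when the file was saved, which is what a tampered timestamp looks like in a partial order.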
2. Vanini, Céline; Hargreaves, Christopher J.; Beek, Harm; Breitinger, Frank. "Was the clock correct? Exploring timestamp interpretation through time anchors for digital forensic event reconstruction" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 49, article 301759, 2024, ISSN 2666-2817 (DFRWS USA 2024 - Selected Papers from the 24th Annual Digital Forensics Research Conference USA). BibTeX key: VANINI2024301759.
Abstract: Timestamps and their correct interpretation play a crucial role in digital forensic investigations, particularly when the objective is to establish a timeline of events a.k.a. event reconstruction. However, the way these timestamps are generated heavily depends on an internal clock, or 'system time', from which many are derived. Consequently, when this system time is skewed due to tampering, natural clock drift, or system malfunctions, recorded timestamps will not reflect the actual times the (real-world) events occurred. This raises the question of how to validate the correctness of the system clock when recording timestamps and, if found incorrect, how to determine system clock skew. To address this problem, this paper defines several important concepts such as time anchors, anchoring events, non-anchoring events and time anomalies which can be used to determine if the system time was correct. Using two examples - a Google search and a file creation - and comparing correct and skewed versions of the same set of performed actions, we illustrate the use and potential benefits of time anchors to demonstrate the correctness of the system clock for event reconstruction.
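An illustration of the time-anchor idea, added for this page and not the paper's method or data: records that carry both a system-clock timestamp and a trusted external time (here, by assumption, the Date: header of a cached HTTP response) are the anchoring events; their disagreement gives the clock skew, anchors that disagree with the majority are time anomalies, and non-anchoring events are re-interpreted under the estimated skew. All records are constructed, and the 60-second tolerance is an assumption.

```python
"""Time anchors: estimate the system-clock skew from records that carry both a
local timestamp and a trusted external time, then re-interpret the other
timestamps.  Illustrative code written for this page, not the method of
Vanini et al. (2024)."""
from datetime import datetime, timedelta, timezone
from statistics import median


def parse(ts):
    """ISO-8601 with a trailing Z, returned as an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed anchoring events: 'local' is the system-clock timestamp of the
# record, 'trusted' the server time carried inside the same record (assumed
# here to be the Date: header of a cached HTTP response).  Entry D was written
# after the clock had been corrected, so its skew disagrees with the others.
ANCHORS = [
    {"record": "cache entry A", "local": "2024-03-01T10:00:05Z", "trusted": "2024-02-25T10:00:03Z"},
    {"record": "cache entry B", "local": "2024-03-01T10:02:40Z", "trusted": "2024-02-25T10:02:37Z"},
    {"record": "cache entry C", "local": "2024-03-01T10:05:12Z", "trusted": "2024-02-25T10:05:10Z"},
    {"record": "cache entry D", "local": "2024-02-25T10:09:00Z", "trusted": "2024-02-25T10:09:00Z"},
]
# Constructed non-anchoring event: a local timestamp with nothing to check it against.
NON_ANCHORING = [{"record": "report.docx $SI created", "local": "2024-03-01T10:03:30Z"}]


def anchor_skews(anchors):
    """Per-anchor skew = local clock minus trusted time."""
    return [(a["record"], parse(a["local"]) - parse(a["trusted"])) for a in anchors]


def estimate_skew(anchors, tolerance=timedelta(seconds=60)):
    """Median skew over the anchors, plus the anchors that disagree with it by
    more than `tolerance` (time anomalies: the clock was not stable)."""
    skews = anchor_skews(anchors)
    skew = median(s for _, s in skews)
    anomalies = [name for name, s in skews if abs(s - skew) > tolerance]
    return skew, anomalies


def corrected_time(local_ts, skew):
    """Real-world time implied for a local timestamp under the estimated skew."""
    return (parse(local_ts) - skew).strftime("%Y-%m-%dT%H:%M:%SZ")


def reinterpret(anchors, events):
    """Corrected times for non-anchoring events, and the anomalous anchors that
    should make the examiner doubt a single skew value for the whole period."""
    skew, anomalies = estimate_skew(anchors)
    return {e["record"]: corrected_time(e["local"], skew) for e in events}, anomalies
```

With the constructed anchors the median skew is five days and two seconds, entry D is reported as a time anomaly (the clock was evidently changed at some point, so the skew only holds for the period the agreeing anchors cover), and the $SI creation timestamp of report.docx is re-interpreted as 2024-02-25T10:03:28Z.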
3. Michelet, Gaëtan; Breitinger, Frank. "ChatGPT, Llama, can you write my report? An experiment on assisted digital forensics reports written using (local) large language models" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 48, article 301683, 2024, ISSN 2666-2817 (DFRWS EU 2024 - Selected Papers from the 11th Annual Digital Forensics Research Conference Europe). BibTeX key: MICHELET2024301683.
Abstract: Generative AIs, especially Large Language Models (LLMs) such as ChatGPT or Llama, have advanced significantly, positioning them as valuable tools for digital forensics. While initial studies have explored the potential of ChatGPT in the context of investigations, the question of to what extent LLMs can assist the forensic report writing process remains unresolved. To answer the question, this article first examines forensic reports with the goal of generalization (e.g., finding the 'average structure' of a report). We then evaluate the strengths and limitations of LLMs for generating the different parts of the forensic report using a case study. This work thus provides valuable insights into the automation of report writing, a critical facet of digital forensics investigations. We conclude that combined with thorough proofreading and corrections, LLMs may assist practitioners during the report writing process but at this point cannot replace them.
4. Breitinger, Frank; Hilgert, Jan-Niclas; Hargreaves, Christopher; Sheppard, John; Overdorf, Rebekah; Scanlon, Mark. "DFRWS EU 10-year review and future directions in Digital Forensic Research" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 48, article 301685, 2024, ISSN 2666-2817 (DFRWS EU 2024 - Selected Papers from the 11th Annual Digital Forensics Research Conference Europe). BibTeX key: BREITINGER2024301685.
Abstract: Conducting a systematic literature review and comprehensive analysis, this paper surveys all 135 peer-reviewed articles published at the Digital Forensics Research Conference Europe (DFRWS EU) spanning the decade since its inaugural running (2014–2023). This comprehensive study of DFRWS EU articles encompasses sub-disciplines such as digital forensic science, device forensics, techniques and fundamentals, artefact forensics, multimedia forensics, memory forensics, and network forensics. Quantitative analysis of the articles' co-authorships, geographical spread and citation metrics are outlined. The analysis presented offers insights into the evolution of digital forensic research efforts over these ten years and informs some identified future research directions.
5. Mombelli, Samuele; Lyle, James R.; Breitinger, Frank. "FAIRness in digital forensics datasets' metadata – and how to improve it" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 48, article 301681, 2024, ISSN 2666-2817 (DFRWS EU 2024 - Selected Papers from the 11th Annual Digital Forensics Research Conference Europe). BibTeX key: MOMBELLI2024301681.
Abstract: The availability of research data (datasets) and compliance with FAIR principles—Findability, Accessibility, Interoperability, and Reusability—is critical to progressing digital forensics. This study evaluates metadata completeness and assesses the alignment with the FAIR principles using all 212 datasets from NIST's Computer Forensic Reference DataSet Portal (CFReDS). The findings underscore deficiencies in metadata quality and FAIR compliance, emphasizing the need for improved data management standards. Based on our critical review, we then propose and discuss various approaches to improve the status quo.
6. Scanlon, Mark; Breitinger, Frank; Hargreaves, Christopher; Hilgert, Jan-Niclas; Sheppard, John. "ChatGPT for digital forensic investigation: The good, the bad, and the unknown" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 46, article 301609, 2023, ISSN 2666-2817 (Best Paper Award). BibTeX key: SCANLON2023301609.
Abstract: The disruptive application of ChatGPT (GPT-3.5, GPT-4) to a variety of domains has become a topic of much discussion in the scientific community and society at large. Large Language Models (LLMs), e.g., BERT, Bard, Generative Pre-trained Transformers (GPTs), LLaMA, etc., have the ability to take instructions, or prompts, from users and generate answers and solutions based on very large volumes of text-based training data. This paper assesses the impact and potential impact of ChatGPT on the field of digital forensics, specifically looking at its latest pre-trained LLM, GPT-4. A series of experiments are conducted to assess its capability across several digital forensic use cases including artefact understanding, evidence searching, code generation, anomaly detection, incident response, and education. Across these topics, its strengths and risks are outlined and a number of general conclusions are drawn. Overall this paper concludes that while there are some potential low-risk applications of ChatGPT within digital forensics, many are either unsuitable at present, since the evidence would need to be uploaded to the service, or they require sufficient knowledge of the topic being asked of the tool to identify incorrect assumptions, inaccuracies, and mistakes. However, to an appropriately knowledgeable user, it could act as a useful supporting tool in some circumstances.
7. Göbel, Thomas; Baier, Harald; Breitinger, Frank. "Data for Digital Forensics: Why a Discussion on 'How Realistic is Synthetic Data' is Dispensable" (Journal Article). In: Digital Threats: Research and Practice, 2023, ISSN 2692-1626 (Presented at the 12th International Conference on IT Security Incident Management & IT Forensics (IMF)). DOI: 10.1145/3609863.
Abstract: Digital forensics depends on data sets for various purposes like concept evaluation, educational training, and tool validation. Researchers have gathered such data sets into repositories and created data simulation frameworks for producing large amounts of data. Synthetic data often faces skepticism due to its perceived deviation from real-world data, raising doubts about its realism. This paper addresses this concern, arguing that there is no definitive answer. We focus on four common digital forensic use cases that rely on data. Through these, we elucidate the specifications and prerequisites of data sets within their respective contexts. Our discourse uncovers that both real-world and synthetic data are indispensable for advancing digital forensic science, software, tools, and the competence of practitioners. Additionally, we provide an overview of available data set repositories and data generation frameworks, contributing to the ongoing dialogue on digital forensic data sets' utility.
8. Ottmann, Jenny; Cengiz, Üsame; Breitinger, Frank; Freiling, Felix. "As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency" (Proceedings Article). In: Proceedings of the Digital Forensics Research Conference USA (DFRWS USA), 2023. BibTeX key: OUBF2023.
Abstract: Memory dumps that are acquired while the system is running often contain inconsistencies like page smearing which hamper the analysis. One possibility to avoid inconsistencies is to pause the system during the acquisition and take an instantaneous memory dump. While this is possible for virtual machines, most systems cannot be frozen and thus the ideal dump can only be quasi-instantaneous, i.e., consistent despite the system running. In this article, we introduce a method allowing us to measure quasi-instantaneous consistency and show, both theoretically and practically, that our method is valid but that in reality dumps can be, but usually are not, quasi-instantaneously consistent. For the assessment, we run a pivot program enabling the evaluation of quasi-instantaneous consistency for its heap and allowing us to pinpoint where exactly inconsistencies occurred.
9. Breitinger, Frank; Jotterand, Alexandre. "Sharing datasets for digital forensic: A novel taxonomy and legal concerns" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 45, article 301562, 2023, ISSN 2666-2817. BibTeX key: BREITINGER2023301562.
Abstract: During the last few years, there have been numerous changes concerning datasets for digital forensics like the development of data generation frameworks or the newly released CFReDS website by NIST. In addition, it becomes mandatory (e.g., by funding agencies) to share datasets and publish them in a manner that they can be found and processed. The core of this article is a novel taxonomy that should be used to structure the data commonly used in the domain, complementing the existing methods. Based on the taxonomy, we discuss that it is not always necessary to release the dataset, e.g., in the case of random data. In addition, we address the legal aspects of sharing data. Lastly, as a minor contribution, we provide a separation of the terms structured, semi-structured, and unstructured data where there is currently no consensus in the community.
10. Michelet, Gaëtan; Breitinger, Frank; Horsman, Graeme. "Automation for digital forensics: Towards a definition for the community" (Journal Article). In: Forensic Science International, vol. 349, article 111769, 2023, ISSN 0379-0738. BibTeX key: MICHELET2023111769.
Abstract: Automation is crucial for managing the increasing volume of digital evidence. However, the absence of a clear foundation comprising a definition, classification, and common terminology has led to a fragmented landscape where diverse interpretations of automation exist. This resembles the wild west: some consider keyword searches or file carving as automation while others do not. We, therefore, reviewed automation literature (in the domain of digital forensics and other domains), performed three practitioner interviews, and discussed the topic with domain experts from academia. On this basis, we propose a definition and then showcase several considerations concerning automation for digital forensics, e.g., what we classify as no/basic automation or full automation (autonomous). We conclude that these foundational discussions are required to promote and progress the discipline through a common understanding.
11. Schneider, Johannes; Breitinger, Frank. "Towards AI forensics: Did the artificial intelligence system do it?" (Journal Article). In: Journal of Information Security and Applications, vol. 76, article 103517, 2023, ISSN 2214-2126. BibTeX key: schneider2023towards.
Abstract: Artificial intelligence (AI) makes decisions impacting our daily lives in an increasingly autonomous manner. Their actions might cause accidents, harm, or, more generally, violate regulations. Determining whether an AI caused a specific event and, if so, what triggered the AI's action, are key forensic questions. We provide a conceptualization of the problems and strategies for forensic investigation. We focus on AI that is potentially "malicious by design" and gray box analysis. Our evaluation using convolutional neural networks illustrates challenges and ideas for identifying malicious AI.
12. Breitinger, Frank; Zhang, Xiaolu; Quick, Darren. "A forensic analysis of rclone and rclone's prospects for digital forensic investigations of cloud storage" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 43, article 301443, 2022, ISSN 2666-2817 (Best Paper Award). BibTeX key: breitinger2023rclone.
Abstract: Organizations and end users are moving their data into the cloud and trust Cloud Storage Providers (CSP) such as pCloud, Dropbox, or Backblaze. Given their popularity, it is likely that forensic examiners encounter one or more online storage types that they will have to acquire and analyze during an investigation. To access cloud storage, CSPs provide web-interfaces, proprietary software solutions (e.g., Dropbox client for Windows) as well as APIs allowing third-party access. One of these third-party applications is rclone which is an open-source tool to access many common CSPs through a command line interface. In this article, we look at rclone from two perspectives: First, we perform a forensic analysis on rclone and discuss aspects such as password recovery of the configuration file, encryption, and JA3 fingerprints. Second, we discuss rclone as a prospect to be a forensic tool which includes its read-only mount feature and sample cases. Under the circumstances tested, rclone is suitable for forensic practitioners as it is open-source, documented, and includes some essential functionality frequently needed but practitioners need to be aware of the caveats.
13. Göbel, Thomas; Uhlig, Frieder; Baier, Harald; Breitinger, Frank. "FRASHER – A framework for automated evaluation of similarity hashing" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 42, article 301407, 2022, ISSN 2666-2817 (Proceedings of the Twenty-Second Annual DFRWS USA). BibTeX key: Goebel2022Frasher.
Abstract: A challenge for digital forensic investigations is dealing with large amounts of data that need to be processed. Approximate matching (AM), a.k.a. similarity hashing or fuzzy hashing, plays a pivotal role in solving this challenge. Many algorithms have been proposed over the years such as ssdeep, sdhash, MRSH-v2, or TLSH, which can be used for similarity assessment, clustering of different artifacts, or finding fragments and embedded objects. To assess the differences between these implementations (e.g., in terms of runtime efficiency, fragment detection, or resistance against obfuscation attacks), a testing framework is indispensable and the core of this article. The proposed framework is called FRASHER (referring to a predecessor FRASH from 2013) and provides an up-to-date view on the problem of evaluating AM algorithms with respect to both the conceptual and the practical aspects. Consequently, we present and discuss relevant test case scenarios as well as release and demonstrate our framework allowing a comprehensive evaluation of AM algorithms. Compared to its predecessor, we adapt it to a modern environment providing better modularity and usability as well as more thorough testing cases.
14. AlDaajeh, Saleh; Saleous, Heba; Alrabaee, Saed; Barka, Ezedin; Breitinger, Frank; Choo, Kim-Kwang Raymond. "The Role of National Cybersecurity Strategies on the Improvement of Cybersecurity Education" (Journal Article). In: Computers & Security, article 102754, 2022, ISSN 0167-4048. BibTeX key: ALDAAJEH2022102754.
Abstract: Digital information and telecommunication technologies have not only become essential to individuals' daily lives but also to a nation's sustained economic growth, societal well-being, critical infrastructure resilience, and national security. Consequently, the protection of a nation's cyber sovereignty from malicious acts is a major concern. This signifies the importance of cybersecurity education in facilitating the creation of a resilient cybersecurity ecosystem and in supporting cyber sovereignty. This study reviews a sample of world-leading countries' National Cybersecurity Strategic Plans (NCSPs) and analyzes the associated existing cybersecurity education and training improvement initiatives. Furthermore, a proposal to adopt the Goal-Question-Outcomes (GQO)+Strategies paradigm for aligning cybersecurity education and training programs' curricula with national cybersecurity strategic goals is presented. The proposal maps cybersecurity strategic goals to cybersecurity skills and competencies using the National Initiative for Cybersecurity Education (NICE) framework. The newly proposed cybersecurity education and training programs' curricula learning outcomes were generated from the GQO+Strategies paradigm based on the three major cybersecurity strategic goals: development of secure digital and information technology infrastructure and services, defending from sophisticated cyber threats, and enrichment of individuals' cybersecurity maturity and awareness. It is highly recommended that cybersecurity university program administrators utilize the proposed GQO+Strategies to align their program's curriculum to the NCSP, hence closing the gap that exists with the relevant skills and sustaining national cybersecurity workforces.
15. Ottmann, Jenny; Breitinger, Frank; Freiling, Felix. "Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic Computing" (Proceedings Article). In: Proceedings of the Digital Forensics Research Conference Europe (DFRWS EU), 2022. BibTeX key: OBF2022.
Abstract: The acquisition of data from main memory or from hard disk storage is usually one of the first steps in a forensic investigation. We revisit the discussion on quality criteria for "forensically sound" acquisition of such storage and propose a new way to capture the intent to acquire an instantaneous snapshot from a single target system. The idea of our definition is to allow a certain flexibility as to when individual portions of memory are acquired, but at the same time require being consistent with causality (i.e., cause/effect relations). Our concept is much stronger than the original notion of atomicity defined by Vömel and Freiling (2012) but still attainable using copy-on-write mechanisms. As a minor result, we also fix a conceptual problem within the original definition of integrity.
16. Coates, Peter; Breitinger, Frank. "Identifying document similarity using a fast estimation of the Levenshtein Distance based on compression and signatures" (Proceedings Article). In: Proceedings of the Digital Forensics Research Conference Europe (DFRWS EU), 2022. BibTeX key: CB2022.
Abstract: Identifying document similarity has many applications, e.g., source code analysis or plagiarism detection. However, identifying similarities is not trivial and can have high time complexity. For instance, the Levenshtein Distance is a common metric to define the similarity between two documents but has quadratic runtime which makes it impractical for large documents where large starts with a few hundred kilobytes. In this paper, we present a novel concept that allows estimating the Levenshtein Distance: the algorithm first compresses documents to signatures (similar to hash values) using a user-defined compression ratio. Signatures can then be compared against each other (some constraints apply) where the outcome is the estimated Levenshtein Distance. Our evaluation shows promising results in terms of runtime efficiency and accuracy. In addition, we introduce a significance score allowing examiners to set a threshold and identify related documents.
17. Huck, Jan; Breitinger, Frank. "Wake Up Digital Forensics' Community and Help Combating Ransomware" (Journal Article). In: IEEE Security & Privacy, no. 01, pp. 2-11, 2022, ISSN 1558-4046. BibTeX key: huck2022wake.
Abstract: To combat ransomware, organizations, literature, and research efforts focus on technical measures and neglect procedural countermeasures. We argue that detailed case studies and best practices need to be shared to allow companies to adapt their strategies to be better prepared.
18. Wu, Tina; Breitinger, Frank; Niemann, Stephen. "IoT network traffic analysis: Opportunities and challenges for forensic investigators?" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 38, article 301123, 2021, ISSN 2666-2817. BibTeX key: WU2021301123.
Abstract: As IoT devices become more incorporated into our daily lives, their always-on approach makes them an ideal source of evidence. While these devices should use encryption to protect sensitive information, in reality this is not always the case, e.g., some expose sensitive data like credentials in cleartext. In this paper, we have conducted an extensive analysis of the communication channels of 32 IoT consumer devices. Our experiments consisted of four main parts: first, we carried out a port scan to determine if any ports can be exploited to gain remote access. Second, we looked at whether any of the devices used encryption and, if not, what type of content was exposed. Third, we used the network traffic 'metadata' to identify the destination where the data terminated. Finally, we examined the communication between the mobile app and the cloud to see if it can be easily exploited using a proxy server. Our findings show that the majority of devices have remote access unavailable. We found the Shannon entropy test a useful pre-test in identifying unencrypted content. Although many devices encrypted their data, we found several, in particular smart cameras, would send data in cleartext when they detected motion or during updates. We found the majority of data traverses to the US and is stored on Amazon servers, with most devices contacting multiple destinations. Lastly, we discovered many of the IoT devices' mobile apps can be easily exploited using an HTTP proxy.
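The Shannon-entropy pre-test mentioned above, as an added illustrative example that is not the authors' code: it scores each application-layer payload by bits per byte and by the share of printable bytes, and only then looks for obvious credential keywords in what looks like cleartext. The flows, host names and thresholds (6.0 bits per byte, 90% printable) are constructed assumptions.

```python
"""Shannon-entropy pre-test for spotting cleartext in captured IoT traffic.
Illustrative code written for this page, not the tooling of Wu et al. (2021)."""
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0, over the byte histogram of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data):
    """Share of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in b"\t\r\n" for b in data) / len(data)


def classify_payload(data, entropy_threshold=6.0, printable_threshold=0.9):
    """'cleartext' for low-entropy, mostly printable payloads; 'opaque' for
    high-entropy ones (encrypted or compressed); 'unclear' in between, which
    is where short or zero-padded binary protocol headers land."""
    h, p = shannon_entropy(data), printable_ratio(data)
    if h < entropy_threshold and p >= printable_threshold:
        return "cleartext"
    if h >= entropy_threshold:
        return "opaque"
    return "unclear"


# Constructed sample flows: (destination, application-layer payload).
FLOWS = [
    ("cam.example.com:80", b"POST /api/login HTTP/1.1\r\nHost: cam.example.com\r\n"
                           b"Content-Type: application/json\r\n\r\n"
                           b'{"user":"admin","password":"hunter2"}'),
    # uniform byte distribution stands in for an encrypted TLS record
    ("cloud.example.com:443", bytes(range(256)) * 8),
    # short TLS-like header followed by zero padding: low entropy, not text
    ("cloud.example.com:443", bytes([0x16, 0x03, 0x03, 0x00, 0x10]) + b"\x00" * 16),
]

CREDENTIAL_HINTS = (b"password", b"passwd", b"token", b"Authorization")


def triage(flows):
    """Entropy/printable pre-test per flow, with obvious credential strings
    surfaced only for payloads that already look like cleartext."""
    results = []
    for dst, payload in flows:
        verdict = classify_payload(payload)
        hints = [kw.decode() for kw in CREDENTIAL_HINTS
                 if verdict == "cleartext" and kw in payload]
        results.append({"dst": dst, "bytes": len(payload),
                        "entropy": round(shannon_entropy(payload), 2),
                        "verdict": verdict, "hints": hints})
    return results
```

The third flow shows the caveat that makes this a pre-test rather than a verdict: a short, zero-padded binary header scores just as low on entropy as text does, so a low value alone must not be read as "cleartext"; the printable-ratio check is what separates the two, and a manual look at the payload is still required before anything is reported.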
19. Zhang, Xiaolu; Breitinger, Frank; Luechinger, Engelbert; O'Shaughnessy, Stephen. "Android application forensics: A survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 39, article 301285, 2021, ISSN 2666-2817. BibTeX key: Zhang2021android.
Abstract: Android obfuscation techniques include not only classic code obfuscation techniques that were adapted to Android, but also obfuscation methods that target the Android platform specifically. This work examines the status quo of Android obfuscation, obfuscation detection and deobfuscation. Specifically, it first summarizes obfuscation approaches that are commonly used by app developers for code optimization, to protect their software against code theft and code tampering but are also frequently misused by malware developers to circumvent anti-malware products. Secondly, the article focuses on obfuscation detection techniques and presents various available tools and current research. Thirdly, deobfuscation (which aims at reinstating the original state before obfuscation) is discussed, followed by a brief discussion of how this impacts forensic investigation. We conclude that although obfuscation is widely used in Android app development (benign and malicious), available tools and the practices on how to deal with obfuscation are not standardized, and so are inherently lacking from a forensic standpoint.
20. Hranický, Radek; Breitinger, Frank; Ryšavý, Ondřej; Sheppard, John; Schaedler, Florin; Morgenstern, Holger; Malik, Simon. "What do incident response practitioners need to know? A skillmap for the years ahead" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 37, article 301184, 2021, ISSN 2666-2817. BibTeX key: hranicky2021what.
Abstract: Digital forensics incident response (DFIR) specialists are expected to possess multidisciplinary skills including expert knowledge of computer-related principles and technology. On the other hand, recent studies suggest that existing training and study programs may not fully address the needs of future DFIR professionals. To reveal possible gaps in practitioners' education and identify the most needed skills, we built a skillmap for DFIR where we followed a threefold approach: (1) an online survey among DFIR experts; (2) a review of training programs; and (3) an analysis of job listings on LinkedIn. Each source was first analyzed on its own and the findings were merged into a DFIR skillmap which is the main contribution of this article. The results show that network forensics and incident handling are the most demanded domains of skills. While these are covered by existing courses, the newly desired skills, in particular cloud forensics and encrypted data, need to get more space in training and education. We hope that this article provides educators with information on ways to improve in the years ahead.
21. O'Shaughnessy, Stephen; Breitinger, Frank. "Malware family classification via efficient Huffman features" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 37, article 301192, 2021, ISSN 2666-2817. BibTeX key: OShaughnessy2021malware.
Abstract: As malware evolves and becomes more complex, researchers strive to develop detection and classification schemes that abstract away from the internal intricacies of binary code to represent malware without the need for architectural knowledge or invasive analysis procedures. Such approaches can reduce the complexities of feature generation and simplify the analysis process. In this paper, we present efficient Huffman features (eHf), a novel compression-based approach to feature construction, based on Huffman encoding, where malware features are represented in a compact format, without the need for intrusive reverse-engineering or dynamic analysis processes. We demonstrate the viability of eHf as a solution for classifying malware into their respective families on a large malware corpus of 15k samples, indicative of the current threat landscape. We evaluate eHf against current compression-based alternatives and show that our method is comparable or superior for classification accuracy, while exhibiting considerably greater runtime efficiency. Finally, we demonstrate that eHf is resilient against code reordering obfuscation.
22. Martín-Pérez, Miguel; Rodríguez, Ricardo J.; Breitinger, Frank. "Bringing order to approximate matching: Classification and attacks on similarity digest algorithms" (Journal Article). In: Forensic Science International: Digital Investigation, article 301120, 2021, ISSN 2666-2817. BibTeX key: martinperez2021bringing.
Abstract: Fuzzy hashing or similarity hashing (a.k.a. bytewise approximate matching) converts digital artifacts into an intermediate representation to allow an efficient (fast) identification of similar objects, e.g., for blacklisting. They gained a lot of popularity over the past decade with new algorithms being developed and released to the digital forensics community. When releasing algorithms (e.g., as part of a scientific article), they are frequently compared with other algorithms to outline the benefits and sometimes also the weaknesses of the proposed approach. However, given the wide variety of algorithms and approaches, it is impossible to provide direct comparisons with all existing algorithms. In this paper, we present the first classification of approximate matching algorithms which allows easier description and comparison. Therefore, we first reviewed existing literature to understand the techniques various algorithms use and to familiarize ourselves with the common terminology. Our findings allowed us to develop a categorization relying heavily on the terminology proposed by NIST SP 800-168. In addition to the categorization, this article presents an abstract set of attacks against algorithms and why they are feasible. Lastly, we detail the characteristics needed to build robust algorithms to prevent attacks. We believe that this article helps newcomers, practitioners, and experts alike to better compare algorithms, understand their potential, as well as characteristics and implications they may have on forensic investigations.
23. Pluskal, Jan; Breitinger, Frank; Ryšavý, Ondřej. "Netfox detective: A novel open-source network forensics analysis tool" (Journal Article). In: Forensic Science International: Digital Investigation, vol. 35, article 301019, 2020, ISSN 2666-2817. BibTeX key: pluskal2020netfox.
Abstract: Network forensics is a major sub-discipline of digital forensics which becomes more and more important in an age where everything is connected. In order to cope with the amounts of data and other challenges within networks, practitioners require powerful tools that support them. In this paper, we highlight a novel open-source network forensic tool named Netfox Detective that outperforms existing tools such as Wireshark or NetworkMiner in certain areas. For instance, it provides a heuristically based engine for traffic processing that can be easily extended. Using robust parsers (we are not solely relying on the RFC description but use heuristics), our application tolerates malformed or missing conversation segments. Besides outlining the tool's architecture and basic processing concepts, we also explain how it can be extended. Lastly, a comparison with other similar tools is presented and a real-world scenario is discussed.
24. Breitinger, Frank; Tully-Doyle, Ryan; Przyborski, Kristen; Beck, Lauren; Harichandran, Ronald S. "First year students' experience in a Cyber World course – an evaluation" (Journal Article). In: Education and Information Technologies, 2020, ISSN 1573-7608. BibTeX key: Breitinger2020.
Abstract: Although cybersecurity is a major present concern, it is not a required subject in University. In response, we developed Cyber World which introduces students to eight highly important cybersecurity topics (primarily taught by non-cybersecurity experts). We embedded it into our critical thinking Common Course (core curriculum) which is a team-taught first-year experience required for all students. Cyber World was first taught in Fall 2018 to a cohort of over 150 students from various majors at the University of New Haven. This article presents the evaluation of our Fall taught course. In detail, we compare the performance of Cyber World students to other Common Course sections that ran in parallel and conclude that despite the higher workload students performed equally well. Furthermore, we assess the students' development throughout the course with respect to their cybersecurity knowledge where our results indicate a significant gain of knowledge. Note that this article also presents the idea and topics of Cyber World; however, a detailed explanation has been released previously.
25. | Wu, Tina; Breitinger, Frank; O'Shaughnessy, Stephen Digital forensic tools: Recent advances and enhancing the status quo (Journal Article) In: Forensic Science International: Digital Investigation, vol. 34, pp. 300999, 2020, ISSN: 2666-2817. @article{WBS20, Publications in the digital forensics domain frequently come with tools – a small piece of functional software. These tools are often released to the public for others to reproduce results or use them for their own purposes. However, there has been no study on the tools to understand better what is available and what is missing. For this paper we analyzed almost 800 articles from pertinent venues from 2014 to 2019 to answer the following three questions: (1) what tools (i.e., in which domains of digital forensics) have been released; (2) are they still available, maintained, and documented; and (3) are there possibilities to enhance the status quo? We found 62 different tools which we categorized according to digital forensics subfields. Only 33 of these tools were found to be publicly available, and the majority of these were not maintained after development. In order to enhance the status quo, one recommendation is a centralized repository specifically for tested tools. This will require tool researchers (developers) to spend more time on code documentation and preferably develop plugins instead of stand-alone tools. |
26. | Palmbach, David; Breitinger, Frank Artifacts for detecting timestamp manipulation in NTFS on Windows and their reliability (Journal Article) In: Forensic Science International: Digital Investigation, vol. 32, pp. 300920, 2020, ISSN: 2666-2817. @article{PB20, Timestamps have proven to be an expedient source of evidence for examiners in the reconstruction of computer crimes. Consequently, active adversaries and malware have implemented timestomping techniques (i.e., mechanisms to alter timestamps) to hide their traces. Previous research on detecting timestamp manipulation primarily focused on two artifacts: the $MFT as well as the records in the $LogFile. In this paper, we present a new use of four existing Windows artifacts – the $USNjrnl, link files, prefetch files, and Windows event logs – that can provide valuable information during investigations and diversify the artifacts available to examiners. These artifacts contain either information about executed programs or additional timestamps which, when inconsistencies occur, can be used to prove timestamp forgery. Furthermore, we examine the reliability of artifacts being used to detect timestamp manipulation, i.e., testing their ability to retain information against users actively trying to alter or delete them. Based on our findings we conclude that none of the artifacts analyzed can withstand active exploitation. |
27. | Moia, Vitor Hugo Galhardo; Breitinger, Frank; Henriques, Marco Aurélio Amaral The impact of excluding common blocks for approximate matching (Journal Article) In: Computers & Security, vol. 89, pp. 101676, 2019, ISSN: 0167-4048. @article{MOIA2020101676, Approximate matching functions allow the identification of similarity (bytewise level) in a very efficient way, by creating and comparing compact representations of objects (a.k.a. digests). However, many similarity matches occur due to common data that repeats over many different files and consists of inner structure, header and footer information, color tables, font specifications, etc.; data created by applications and not generated by users. Most of the time, this sort of information is less relevant from an investigator's perspective and should be avoided. In this work, we show how the common data can be identified and filtered out by using approximate matching, as well as how it is spread over different file types and its frequency. We assess the impact on similarity when removing it (i.e., in the number of matches) and the effects on performance. Our results show that for a small price in performance, a reduction of about 87% in the number of matches can be achieved when removing such data. |
28. | Breitinger, Frank; Tully-Doyle, Ryan; Hassenfeldt, Courtney A survey on smartphone user's security choices, awareness and education (Journal Article) In: Computers & Security, vol. 88, pp. 101647, 2019, ISSN: 0167-4048. @article{BTH20, Smartphones contain a significant amount of personal data. Additionally, they are always in the user's possession, which allows them to be abused for tracking (e.g., GPS, Bluetooth or WiFi tracking). In order to not reveal private information, smartphone users should secure their devices by setting lock screen protection, using third party security applications, and choosing appropriate security settings (often, default settings are inadequate). In this paper, we mount a survey to explore user choices, awareness and education with respect to cybersecurity. In comparison with prior work, we take the user's cybersecurity familiarity into consideration in the analysis of user practices as well as have a strong focus on the younger generations, Y and Z. Our survey findings suggest that most users have appropriate lock screen settings to protect their phones from physical access; however, they disregard other security best practices, e.g., not using a VPN when connecting to a public WiFi or turning off unused features (regardless of level of expertise). Compared to desktop computers, smartphones are less secured and fewer third party security products are installed. |
29. | Moia, Vitor Hugo Galhardo; Breitinger, Frank; Henriques, Marco Aurélio Amaral Understanding the effects of removing common blocks on Approximate Matching scores under different scenarios for digital forensic investigations (Proceedings Article) In: XIX Brazilian Symposium on Information and Computational Systems Security, Brazilian Computer Society (SBC), São Paulo-SP, Brazil, 2019, (Best Paper Award). @inproceedings{MBH19, Finding similarity in digital forensics investigations can be assisted with the use of Approximate Matching (AM) functions. These algorithms create small and compact representations of objects (similar to hashes) which can be compared to identify similarity. However, often results are biased due to common blocks (data structures found in many different files regardless of content). In this paper, we evaluate the precision and recall metrics for AM functions when removing common blocks. In detail, we analyze how the similarity score changes and impacts different investigation scenarios. Results show that many irrelevant matches can be filtered out and that a new interpretation of the score allows a better similarity detection. |
30. | Wu, Tina; Breitinger, Frank; Baggili, Ibrahim IoT Ignorance is Digital Forensics Research Bliss: A Survey to Understand IoT Forensics Definitions, Challenges and Future Research Directions (Proceedings Article) In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 46:1–46:15, ACM, Canterbury, CA, United Kingdom, 2019, ISBN: 978-1-4503-7164-3. @inproceedings{WBB19, |
31. | Casey, Peter; Lindsay-Decusati, Rebecca; Baggili, Ibrahim; Breitinger, Frank Inception: Virtual Space in Memory Space in Real Space – Memory Forensics of Immersive Virtual Reality with the HTC Vive (Journal Article) In: Digital Investigation, vol. 29, pp. S13 - S21, 2019, ISSN: 1742-2876. @article{CASEY2019S13, Virtual Reality (VR) has become a reality. With the technology's increased use cases, comes its misuse. Malware affecting the Virtual Environment (VE) may prevent an investigator from ascertaining virtual information from a physical scene, or from traditional ``dead'' analysis. Following the trend of anti-forensics, evidence of an attack may only be found in memory, along with many other volatile data points. Our work provides the primary account for the memory forensics of Immersive VR systems, and in specific the HTC Vive. Our approach is capable of reconstituting artifacts from memory that are relevant to the VE, and is also capable of reconstructing a visualization of the room setup a VR player was immersed into. In specific, we demonstrate that the VE, location, state and class of VR devices can be extracted from memory. Our work resulted in the first open source VR memory forensics plugin for the Volatility Framework. We discuss our findings, and our replicable approach that may be used in future memory forensics research. |
32. | Przyborski, Kristen; Breitinger, Frank; Beck, Lauren; Harichandran, Ronald S. `Cyber World' as a Theme for a University-wide First-year Common Course (Proceedings Article) In: 2019 ASEE Annual Conference & Exposition, ASEE Conferences, Tampa, Florida, 2019, (https://peer.asee.org/31923). @inproceedings{Przyborski2019, |
33. | Liebler, Lorenz; Schmitt, Patrick; Baier, Harald; Breitinger, Frank On efficiency of artifact lookup strategies in digital forensics (Journal Article) In: Digital Investigation, vol. 28, pp. S116 - S125, 2019, ISSN: 1742-2876. @article{LSB19, In recent years different strategies have been proposed to handle the problem of ever-growing digital forensic databases. One concept to deal with this data overload is data reduction, which essentially means to separate the wheat from the chaff, e.g., to filter in forensically relevant data. A prominent technique in the context of data reduction are hash-based solutions. Data reduction is achieved because hash values (of possibly large data input) are much smaller than the original input. Today's approaches of storing hash-based data fragments reach from large scale multithreaded databases to simple Bloom filter representations. One main focus was put on the field of approximate matching, where sorting is a problem due to the fuzzy nature of the approximate hashes. A crucial step during digital forensic analysis is to achieve fast query times during lookup (e.g., against a blacklist), especially in the scope of small or ordinary resource availability. However, a comparison of different database and lookup approaches is considerably hard, as most techniques partially differ in considered use-case and integrated features, respectively. In this work we discuss, reassess and extend three widespread lookup strategies suitable for storing hash-based fragments: (1) Hashdatabase for hash-based carving (hashdb), (2) hierarchical Bloom filter trees (hbft) and (3) flat hash maps (fhmap). We outline the capabilities of the different approaches, integrate new extensions, discuss possible features and perform a detailed evaluation with a special focus on runtime efficiency. Our results reveal major advantages for fhmap in case of runtime performance and applicability. hbft showed a comparable runtime efficiency in case of lookups, but hbft suffers from pitfalls with respect to extensibility and maintenance. Finally, hashdb performs worst in case of a single core environment in all evaluation scenarios. However, hashdb is the only candidate which offers full parallelization capabilities, transactional features, and a single-level storage. |
34. | Ricci, Joseph; Baggili, Ibrahim; Breitinger, Frank Blockchain-Based Distributed Cloud Storage Digital Forensics: Where's the Beef? (Journal Article) In: IEEE Security & Privacy, vol. 17, no. 1, pp. 34-42, 2019, ISSN: 1540-7993. @article{RBB19, The current state of the art in digital forensics has primarily focused on the acquisition of data from cloud storage. Here, we present a new challenge in digital forensics: blockchain-based distributed cloud storage, using STORJ as a technology example. |
35. | Debinski, Mark; Breitinger, Frank; Mohan, Parvathy Timeline2GUI: A Log2Timeline CSV parser and training scenarios (Journal Article) In: Digital Investigation, vol. 28, pp. 34 - 43, 2018, ISSN: 1742-2876. @article{Debinski2018, Crimes involving digital evidence are getting more complex due to the increasing storage capacities and utilization of devices. Event reconstruction (i.e., understanding the timeline) is an essential step for investigators to understand a case, where a prominent tool is Log2Timeline (a tool that creates super timelines, which are a combination of several log files and events throughout a system). While these timelines provide great evidence and help to understand a case, they are complex and require tools as well as training scenarios. In this paper we present Timeline2GUI, an easy-to-use Python implementation to analyze CSV log files created by Log2Timeline. Additionally, we present three training scenarios – beginner, intermediate and advanced – to practice timeline analysis skills as well as familiarity with visualization tools. Lastly, we provide a comprehensive overview of tools. |
36. | Breitinger, Frank; Baggili, Ibrahim (Ed.) Springer International Publishing, 2018, ISBN: 978-3-030-05486-1. @book{breitinger2019digital, |
37. | Haigh, Trevor; Breitinger, Frank; Baggili, Ibrahim If I Had a Million Cryptos: Cryptowallet Application Analysis and a Trojan Proof-of-Concept (Proceedings Article) In: Breitinger, Frank; Baggili, Ibrahim (Ed.): Digital Forensics and Cyber Crime, pp. 45–65, Springer International Publishing, Cham, 2018, ISBN: 978-3-030-05487-8, (Best Paper Award). @inproceedings{HBB19, Cryptocurrencies have gained wide adoption by enthusiasts and investors. In this work, we examine seven different Android cryptowallet applications for forensic artifacts, but we also assess their security against tampering and reverse engineering. Some of the biggest benefits of cryptocurrency are its security and relative anonymity. For this reason it is vital that wallet applications share the same properties. Our work, however, indicates that this is not the case. Five of the seven applications we tested do not implement basic security measures against reverse engineering. Three of the applications stored sensitive information, like wallet private keys, insecurely and one was able to be decrypted with some effort. One of the applications did not require root access to retrieve the data. We were also able to implement a proof-of-concept trojan which exemplifies how a malicious actor may exploit the lack of security in these applications and exfiltrate user data and cryptocurrency. |
38. | Schmicker, Robert; Breitinger, Frank; Baggili, Ibrahim AndroParse - An Android Feature Extraction Framework and Dataset (Proceedings Article) In: Breitinger, Frank; Baggili, Ibrahim (Ed.): Digital Forensics and Cyber Crime, pp. 66–88, Springer International Publishing, Cham, 2018, ISBN: 978-3-030-05487-8. @inproceedings{SBB19, Android malware has become a major challenge. As a consequence, practitioners and researchers spend a significant time analyzing Android applications (APK). A common procedure (especially for data scientists) is to extract features such as permissions, APIs or strings which can then be analyzed. Current state of the art tools have three major issues: (1) a single tool cannot extract all the significant features used by scientists and practitioners; (2) current tools are not designed to be extensible; and (3) existing parsers can be timely as they are not runtime efficient or scalable. Therefore, this work presents AndroParse which is an open-source Android parser written in Golang that currently extracts the four most common features: Permissions, APIs, Strings and Intents. AndroParse outputs JSON files as they can easily be used by most major programming languages. Constructing the parser allowed us to create an extensive feature dataset which can be accessed by our independent REST API. Our dataset currently has 67,703 benign and 46,683 malicious APK samples. |
39. | Luciano, Laoise; Baggili, Ibrahim; Topor, Mateusz; Casey, Peter; Breitinger, Frank Digital Forensics in the Next Five Years (Proceedings Article) In: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 46:1–46:14, ACM, Hamburg, Germany, 2018, ISBN: 978-1-4503-6448-5. @inproceedings{LBT18, Cyber forensics has encountered major obstacles over the last decade and is at a crossroads. This paper presents data that was obtained during the National Workshop on Redefining Cyber Forensics (NWRCF) on May 23-24, 2017 supported by the National Science Foundation and organized by the University of New Haven. Qualitative and quantitative data were analyzed from twenty-four cyber forensics expert panel members. This work identified important themes that need to be addressed by the community, focusing on (1) where the domain currently is; (2) where it needs to go; and (3) steps needed to improve it. Furthermore, based on the results, we articulate (1) the biggest anticipated challenges the domain will face in the next five years; (2) the most important cyber forensics research opportunities in the next five years; and (3) the most important job-ready skills that need to be addressed by higher education curricula over the next five years. Lastly, we present the key issues and recommendations deliberated by the expert panel. Overall results indicated that a more active and coherent group needs to be formed in the cyber forensics community, with opportunities for continuous reassessment and improvement processes in place. |
40. | Grajeda, Cinthya; Sanchez, Laura; Baggili, Ibrahim; Clark, Devon; Breitinger, Frank Experience constructing the Artifact Genome Project (AGP): Managing the domain's knowledge one artifact at a time (Journal Article) In: Digital Investigation, vol. 26, pp. S47 - S58, 2018, ISSN: 1742-2876. @article{GSB18, While various tools have been created to assist the digital forensics community with acquiring, processing, and organizing evidence and indicating the existence of artifacts, very few attempts have been made to establish a centralized system for archiving artifacts. The Artifact Genome Project (AGP) has aimed to create the largest vetted and freely available digital forensics repository for Curated Forensic Artifacts (CuFAs). This paper details the experience of building, implementing, and maintaining such a system by sharing design decisions, lessons learned, and future work. We also discuss the impact of AGP in both the professional and academic realms of digital forensics. Our work shows promise in the digital forensics academic community to champion the effort in curating digital forensic artifacts by integrating AGP into courses, research endeavors, and collaborative projects. |
41. | Ricci, Joseph; Breitinger, Frank; Baggili, Ibrahim Survey results on adults and cybersecurity education (Journal Article) In: Education and Information Technologies, pp. 1–19, 2018, ISSN: 1360-2357. @article{ricci2018survey, Cyberattacks and identity theft are common problems nowadays, where researchers often say that humans are the weakest link in the security chain. Therefore, this survey focused on analyzing the interest of adults in `cyber threat education seminars', e.g., how to protect themselves and their loved ones. Specifically, we asked questions to understand a possible audience, willingness for paying / time commitment, or fields of interest as well as background and previous training experience. The survey was conducted in late 2016 and taken by 233 participants. The results show that many are worried about cyber threats and about their children exploring the online domain. However, seminars do not seem to be a priority as many individuals were only willing to spend 1-1.5h on seminars. |
42. | Liebler, Lorenz; Breitinger, Frank mrsh-mem: Approximate Matching on Raw Memory Dumps (Proceedings Article) In: 2018 11th International Conference on IT Security Incident Management & IT Forensics (IMF), pp. 47-64, 2018. @inproceedings{LB18, This paper presents the fusion of two subdomains of digital forensics: (1) raw memory analysis and (2) approximate matching. Specifically, this paper describes a prototype implementation named MRSH-MEM that allows to compare hard drive images as well as memory dumps and therefore can answer the question if a particular program (installed on a hard drive) is currently running / loaded in memory. To answer this question, we only require both dumps or access to a public repository which provides the binaries to be tested. For our prototype, we modified an existing approximate matching algorithm named MRSH-NET and combined it with approxis, an approximate disassembler. Recent literature claims that approximate matching techniques are slow and hardly applicable to the field of memory forensics. Especially legitimate changes to executables in memory caused by the loader itself prevent the application of current bytewise approximate matching techniques. Our approach lowers the impact of modified code in memory and shows a good computational performance. During our experiments, we show how an investigator can leverage meaningful insights by combining data gained from a hard disk image and raw memory dumps with a practicable runtime performance. Lastly, our current implementation will be integrable into the Volatility memory forensics framework and we introduce new possibilities for providing data driven cross validation functions. Our current proof of concept implementation supports Linux based raw memory dumps. |
43. | Knieriem, Brandon; Zhang, Xiaolu; Levine, Philip; Breitinger, Frank; Baggili, Ibrahim An Overview of the Usage of Default Passwords (Proceedings Article) In: Matoušek, Petr; Schmiedecker, Martin (Ed.): Digital Forensics and Cyber Crime, pp. 195–203, Springer International Publishing, Cham, 2018, ISBN: 978-3-319-73697-6. @inproceedings{KZL18, The recent Mirai botnet attack demonstrated the danger of using default passwords and showed it is still a major problem. In this study we investigated several common applications and their password policies. Specifically, we analyzed if these applications: (1) have default passwords or (2) allow the user to set a weak password (i.e., they do not properly enforce a password policy). Our study shows that default passwords are still a significant problem: 61% of applications inspected initially used a default or blank password. When changing the password, 58% allowed a blank password, 35% allowed a weak password of 1 character. |
44. | Lillis, David; Breitinger, Frank; Scanlon, Mark Expediting MRSH-v2 Approximate Matching with Hierarchical Bloom Filter Trees (Proceedings Article) In: Matoušek, Petr; Schmiedecker, Martin (Ed.): Digital Forensics and Cyber Crime, pp. 144–157, Springer International Publishing, Cham, 2018, ISBN: 978-3-319-73697-6, (Best Paper Award). @inproceedings{LBS18, Perhaps the most common task encountered by digital forensic investigators consists of searching through a seized device for pertinent data. Frequently, an investigator will be in possession of a collection of ``known-illegal'' files (e.g. a collection of child pornographic images) and will seek to find whether copies of these are stored on the seized drive. Traditional hash matching techniques can efficiently find files that precisely match. However, these will fail in the case of merged files, embedded files, partial files, or if a file has been changed in any way. |
45. | Meffert, Christopher; Clark, Devon; Baggili, Ibrahim; Breitinger, Frank Forensic State Acquisition from Internet of Things (FSAIoT): A General Framework and Practical Approach for IoT Forensics Through IoT Device State Acquisition (Proceedings Article) In: Proceedings of the 12th International Conference on Availability, Reliability and Security, pp. 56:1–56:11, ACM, Reggio Calabria, Italy, 2017, ISBN: 978-1-4503-5257-4. @inproceedings{MCBB17, IoT device forensics is a difficult problem given that manufactured IoT devices are not standardized, many store little to no historical data, and are always connected; making them extremely volatile. The goal of this paper was to address these challenges by presenting a primary account for a general framework and practical approach we term Forensic State Acquisition from Internet of Things (FSAIoT). We argue that by leveraging the acquisition of the state of IoT devices (e.g. if an IoT lock is open or locked), it becomes possible to paint a clear picture of events that have occurred. To this end, FSAIoT consists of a centralized Forensic State Acquisition Controller (FSAC) employed in three state collection modes: controller to IoT device, controller to cloud, and controller to controller. We present a proof of concept implementation using openHAB – a device agnostic open source IoT device controller – and self-created scripts, to resemble a FSAC implementation. Our proof of concept employed an Insteon IP Camera as a controller to device test, an Insteon Hub as a controller to controller test, and a Nest thermostat for a controller to cloud test. Our findings show that it is possible to practically pull forensically relevant state data from IoT devices. Future work and open research problems are shared. |
46. | Grajeda, Cinthya; Breitinger, Frank; Baggili, Ibrahim Availability of datasets for digital forensics – And what is missing (Journal Article) In: Digital Investigation, vol. 22, Supplement, pp. S94 - S105, 2017, ISSN: 1742-2876. @article{MBB17a, This paper targets two main goals. First, we want to provide an overview of available datasets that can be used by researchers and where to find them. Second, we want to stress the importance of sharing datasets to allow researchers to replicate results and improve the state of the art. To answer the first goal, we analyzed 715 peer-reviewed research articles from 2010 to 2015 with focus and relevance to digital forensics to see what datasets are available and focused on three major aspects: (1) the origin of the dataset (e.g., real world vs. synthetic), (2) if datasets were released by researchers and (3) the types of datasets that exist. Additionally, we broadened our results to include the outcome of online search results. We also discuss what we think is missing. Overall, our results show that the majority of datasets are experiment generated (56.4%) followed by real world data (36.7%). On the other hand, 54.4% of the articles use existing datasets while the rest created their own. In the latter case, only 3.8% actually released their datasets. Finally, we conclude that there are many datasets for use out there but finding them can be challenging. |
47. | Denton, George; Karpisek, Filip; Breitinger, Frank; Baggili, Ibrahim Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30 (Journal Article) In: Digital Investigation, vol. 22, Supplement, pp. S26 - S38, 2017, ISSN: 1742-2876. @article{DKBB17, Programmable Logic Controllers (PLCs) are common components implemented across many industries such as manufacturing, water management, travel, aerospace and hospitals to name a few. Given their broad deployment in critical systems, they became and still are a common target for cyber attacks; the most prominent one being Stuxnet. Often PLCs (especially older ones) are only protected by an outer line of defense (e.g., a firewall) but once an attacker gains access to the system or the network, there might not be any other defense layers. In this scenario, a forensic investigator should not rely on the existing software as it might have been compromised. Therefore, we reverse engineered the GE-SRTP network protocol using a GE Fanuc Series 90-30 PLC and provide two major contributions: We first describe the Service Request Transport protocol (GE-SRTP) which was invented by General Electric (GE) and is used by many of their Ethernet connected controllers. Note, to the best of our knowledge, prior to this work, no publicly available documentation on the protocol was available, affording users security by obscurity. Second, based on our understanding of the protocol, we implemented a software application that allows direct network-based communication with the PLC (no intermediate server is needed). While the tool's forensic mode is harmless and only allows for reading registers, we discovered that one can manipulate/write to the registers in its default configuration, e.g., turn off the PLC, or manipulate the items/processes it controls. |
48. | Clark, Devon R.; Meffert, Christopher; Baggili, Ibrahim; Breitinger, Frank DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI Phantom III (Journal Article) In: Digital Investigation, vol. 22, Supplement, pp. S3 - S14, 2017, ISSN: 1742-2876. @article{CMBB17, The DJI Phantom III drone has already been used for malicious activities (to drop bombs, remote surveillance and plane watching) in 2016 and 2017. At the time of writing, DJI was the drone manufacturer with the largest market share. Our work presents the primary thorough forensic analysis of the DJI Phantom III drone, and the primary account for proprietary file structures stored by the examined drone. It also presents the forensically sound open source tool DRone Open source Parser (DROP) that parses proprietary DAT files extracted from the drone's nonvolatile internal storage. These DAT files are encrypted and encoded. The work also shares preliminary findings on TXT files, which are also proprietary, encrypted, encoded files found on the mobile device controlling the drone. These files provided a slew of data such as GPS locations, battery, flight time, etc. By extracting data from the controlling mobile device, and the drone, we were able to correlate data and link the user to a specific device based on extracted metadata. Furthermore, results showed that the best mechanism to forensically acquire data from the tested drone is to manually extract the SD card by disassembling the drone. Our findings illustrated that the drone should not be turned on, as turning it on changes data on the drone by creating a new DAT file, but may also delete stored data if the drone's internal storage is full. |
49. | Zhang, Xiaolu; Baggili, Ibrahim; Breitinger, Frank Breaking into the vault: privacy, security and forensic analysis of android vault applications (Journal Article) In: Computers & Security, vol. 70, pp. 516 - 531, 2017, ISSN: 0167-4048. @article{ZBB17, In this work we share the first account for the forensic analysis, security and privacy of Android vault applications. Vaults are designed to be privacy enhancing as they allow users to hide personal data but may also be misused to hide incriminating files. Our work has already helped law enforcement in the state of Connecticut to reconstruct 66 incriminating images and 18 videos in a single criminal case. We present case studies and results from analyzing 18 Android vault applications (accounting for nearly 220 million downloads from the Google Play store) by reverse engineering them and examining the forensic artifacts they produce. Our results showed that Image 1 obfuscated their code and Image 2 applications used native libraries hindering the reverse engineering process of these applications. However, we still recovered data from the applications without root access to the Android device as we were able to ascertain hidden data on the device without rooting for Image 3 of the applications. Image 4 of the vault applications were found to not encrypt photos they stored, and Image 5 were found to not encrypt videos. Image 6 of the applications were found to store passwords in cleartext. We were able to also implement a swap attack on Image 7 applications where we achieved unauthorized access to the data by swapping the files that contained the password with a self-created one. In some cases, our findings illustrate unfavorable security implementations of privacy enhancing applications, but also showcase practical mechanisms for investigators to gain access to data of evidentiary value. In essence, we broke into the vaults. |
50. | Moore, Jason; Baggili, Ibrahim; Breitinger, Frank Find Me If You Can: Mobile GPS Mapping Applications Forensics Analysis & SNAVP The Open Source, Modular, Extensible Parser (Journal Article) In: Journal of Digital Forensics, Security and Law (JDFSL), vol. 12, no. 1, pp. 7, 2017. @article{MBB17, |
All publications by year
1. | Beyond timestamps: Integrating implicit timing information into digital forensic timelines (Journal Article) In: Forensic Science International: Digital Investigation, vol. 49, pp. 301755, 2024, ISSN: 2666-2817, (DFRWS USA 2024 - Selected Papers from the 24th Annual Digital Forensics Research Conference USA). |
2. | Was the clock correct? Exploring timestamp interpretation through time anchors for digital forensic event reconstruction (Journal Article) In: Forensic Science International: Digital Investigation, vol. 49, pp. 301759, 2024, ISSN: 2666-2817, (DFRWS USA 2024 - Selected Papers from the 24th Annual Digital Forensics Research Conference USA). |
3. | ChatGPT, Llama, can you write my report? An experiment on assisted digital forensics reports written using (local) large language models (Journal Article) In: Forensic Science International: Digital Investigation, vol. 48, pp. 301683, 2024, ISSN: 2666-2817, (DFRWS EU 2024 - Selected Papers from the 11th Annual Digital Forensics Research Conference Europe). |
4. | DFRWS EU 10-year review and future directions in Digital Forensic Research (Journal Article) In: Forensic Science International: Digital Investigation, vol. 48, pp. 301685, 2024, ISSN: 2666-2817, (DFRWS EU 2024 - Selected Papers from the 11th Annual Digital Forensics Research Conference Europe). |
5. | FAIRness in digital forensics datasets' metadata – and how to improve it (Journal Article) In: Forensic Science International: Digital Investigation, vol. 48, pp. 301681, 2024, ISSN: 2666-2817, (DFRWS EU 2024 - Selected Papers from the 11th Annual Digital Forensics Research Conference Europe). |
6. | ChatGPT for digital forensic investigation: The good, the bad, and the unknown (Journal Article) In: Forensic Science International: Digital Investigation, vol. 46, pp. 301609, 2023, ISSN: 2666-2817, (Best Paper Award). |
7. | Data for Digital Forensics: Why a Discussion on `How Realistic is Synthetic Data' is Dispensable (Journal Article) In: Digital Threats: Research and Practice, 2023, ISSN: 2692-1626, (Presented at the 12th International Conference on IT Security Incident Management IT Forensics (IMF)). |
8. | As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency (Proceedings Article) In: Proceedings of the Digital Forensics Research Conference USA (DFRWS USA), 2023. |
9. | Sharing datasets for digital forensic: A novel taxonomy and legal concerns (Journal Article) In: Forensic Science International: Digital Investigation, vol. 45, pp. 301562, 2023, ISSN: 2666-2817. |
10. | Automation for digital forensics: Towards a definition for the community (Journal Article) In: Forensic Science International, vol. 349, pp. 111769, 2023, ISSN: 0379-0738. |
11. | Towards AI forensics: Did the artificial intelligence system do it? (Journal Article) In: Journal of Information Security and Applications, vol. 76, pp. 103517, 2023, ISSN: 2214-2126. |
12. | A forensic analysis of rclone and rclone's prospects for digital forensic investigations of cloud storage (Journal Article) In: Forensic Science International: Digital Investigation, vol. 43, pp. 301443, 2022, ISSN: 2666-2817, (Best Paper Award). |
13. | FRASHER – A framework for automated evaluation of similarity hashing (Journal Article) In: Forensic Science International: Digital Investigation, vol. 42, no. 2022-, pp. 301407, 2022, ISSN: 2666-2817, (Proceedings of the Twenty-Second Annual DFRWS USA). |
14. | The Role of National Cybersecurity Strategies on the Improvement of Cybersecurity Education (Journal Article) In: Computers & Security, pp. 102754, 2022, ISSN: 0167-4048. |
15. | Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic Computing (Proceedings Article) In: Proceedings of the Digital Forensics Research Conference Europe (DFRWS EU), 2022. |
16. | Identifying document similarity using a fast estimation of the Levenshtein Distance based on compression and signatures (Proceedings Article) In: Proceedings of the Digital Forensics Research Conference Europe (DFRWS EU), 2022. |
17. | Wake Up Digital Forensics' Community and Help Combating Ransomware (Journal Article) In: IEEE Security & Privacy, no. 01, pp. 2-11, 2022, ISSN: 1558-4046. |
18. | IoT network traffic analysis: Opportunities and challenges for forensic investigators? (Journal Article) In: Forensic Science International: Digital Investigation, vol. 38, pp. 301123, 2021, ISSN: 2666-2817. |
19. | Android application forensics: A survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations (Journal Article) In: Forensic Science International: Digital Investigation, vol. 39, pp. 301285, 2021, ISSN: 2666-2817. |
20. | What do incident response practitioners need to know? A skillmap for the years ahead (Journal Article) In: Forensic Science International: Digital Investigation, vol. 37, pp. 301184, 2021, ISSN: 2666-2817. |
21. | Malware family classification via efficient Huffman features (Journal Article) In: Forensic Science International: Digital Investigation, vol. 37, pp. 301192, 2021, ISSN: 2666-2817. |
22. | Bringing order to approximate matching: Classification and attacks on similarity digest algorithms (Journal Article) In: Forensic Science International: Digital Investigation, pp. 301120, 2021, ISSN: 2666-2817. |
23. | Netfox detective: A novel open-source network forensics analysis tool (Journal Article) In: Forensic Science International: Digital Investigation, vol. 35, pp. 301019, 2020, ISSN: 2666-2817. |
24. | First year students' experience in a Cyber World course – an evaluation (Journal Article) In: Education and Information Technologies, 2020, ISBN: 1573-7608. |
25. | Digital forensic tools: Recent advances and enhancing the status quo (Journal Article) In: Forensic Science International: Digital Investigation, vol. 34, pp. 300999, 2020, ISSN: 2666-2817. |
26. | Artifacts for detecting timestamp manipulation in NTFS on Windows and their reliability (Journal Article) In: Forensic Science International: Digital Investigation, vol. 32, pp. 300920, 2020, ISSN: 2666-2817. |
27. | The impact of excluding common blocks for approximate matching (Journal Article) In: Computers & Security, vol. 89, pp. 101676, 2019, ISSN: 0167-4048. |
28. | A survey on smartphone user's security choices, awareness and education (Journal Article) In: Computers & Security, vol. 88, pp. 101647, 2019, ISSN: 0167-4048. |
29. | Understanding the effects of removing common blocks on Approximate Matching scores under different scenarios for digital forensic investigations (Proceedings Article) In: XIX Brazilian Symposium on information and computational systems security, Brazilian Computer Society (SBC), São Paulo-SP, Brazil, 2019, (Best Paper Award). |
30. | IoT Ignorance is Digital Forensics Research Bliss: A Survey to Understand IoT Forensics Definitions, Challenges and Future Research Directions (Proceedings Article) In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 46:1–46:15, ACM, Canterbury, CA, United Kingdom, 2019, ISBN: 978-1-4503-7164-3. |
31. | Inception: Virtual Space in Memory Space in Real Space – Memory Forensics of Immersive Virtual Reality with the HTC Vive (Journal Article) In: Digital Investigation, vol. 29, pp. S13 - S21, 2019, ISSN: 1742-2876. |
32. | `Cyber World' as a Theme for a University-wide First-year Common Course (Proceedings Article) In: 2019 ASEE Annual Conference & Exposition, ASEE Conferences, Tampa, Florida, 2019, (https://peer.asee.org/31923). |
33. | On efficiency of artifact lookup strategies in digital forensics (Journal Article) In: Digital Investigation, vol. 28, pp. S116 - S125, 2019, ISSN: 1742-2876. |
34. | Blockchain-Based Distributed Cloud Storage Digital Forensics: Where's the Beef? (Journal Article) In: IEEE Security & Privacy, vol. 17, no. 1, pp. 34-42, 2019, ISSN: 1540-7993. |
35. | Timeline2GUI: A Log2Timeline CSV parser and training scenarios (Journal Article) In: Digital Investigation, vol. 28, pp. 34 - 43, 2018, ISSN: 1742-2876. |
36. | Springer International Publishing, 2018, ISBN: 978-3-030-05486-1. |
37. | If I Had a Million Cryptos: Cryptowallet Application Analysis and a Trojan Proof-of-Concept (Proceedings Article) In: Breitinger, Frank; Baggili, Ibrahim (Ed.): Digital Forensics and Cyber Crime, pp. 45–65, Springer International Publishing, Cham, 2018, ISBN: 978-3-030-05487-8, (Best Paper Award). |
38. | AndroParse - An Android Feature Extraction Framework and Dataset (Proceedings Article) In: Breitinger, Frank; Baggili, Ibrahim (Ed.): Digital Forensics and Cyber Crime, pp. 66–88, Springer International Publishing, Cham, 2018, ISBN: 978-3-030-05487-8. |
39. | Digital Forensics in the Next Five Years (Proceedings Article) In: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 46:1–46:14, ACM, Hamburg, Germany, 2018, ISBN: 978-1-4503-6448-5. |
40. | Experience constructing the Artifact Genome Project (AGP): Managing the domain's knowledge one artifact at a time (Journal Article) In: Digital Investigation, vol. 26, pp. S47 - S58, 2018, ISSN: 1742-2876. |
41. | Survey results on adults and cybersecurity education (Journal Article) In: Education and Information Technologies, pp. 1–19, 2018, ISSN: 1360-2357. |
42. | mrsh-mem: Approximate Matching on Raw Memory Dumps (Proceedings Article) In: 2018 11th International Conference on IT Security Incident Management IT Forensics (IMF), pp. 47-64, 2018. |
43. | An Overview of the Usage of Default Passwords (Proceedings Article) In: Matoušek, Petr; Schmiedecker, Martin (Ed.): Digital Forensics and Cyber Crime, pp. 195–203, Springer International Publishing, Cham, 2018, ISBN: 978-3-319-73697-6. |
44. | Expediting MRSH-v2 Approximate Matching with Hierarchical Bloom Filter Trees (Proceedings Article) In: Matoušek, Petr; Schmiedecker, Martin (Ed.): Digital Forensics and Cyber Crime, pp. 144–157, Springer International Publishing, Cham, 2018, ISBN: 978-3-319-73697-6, (Best Paper Award). |
45. | Forensic State Acquisition from Internet of Things (FSAIoT): A General Framework and Practical Approach for IoT Forensics Through IoT Device State Acquisition (Proceedings Article) In: Proceedings of the 12th International Conference on Availability, Reliability and Security, pp. 56:1–56:11, ACM, Reggio Calabria, Italy, 2017, ISBN: 978-1-4503-5257-4. |
46. | Availability of datasets for digital forensics – And what is missing (Journal Article) In: Digital Investigation, vol. 22, Supplement, pp. S94 - S105, 2017, ISSN: 1742-2876. |
47. | Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30 (Journal Article) In: Digital Investigation, vol. 22, Supplement, pp. S26 - S38, 2017, ISSN: 1742-2876. |
48. | DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI Phantom III (Journal Article) In: Digital Investigation, vol. 22, Supplement, pp. S3 - S14, 2017, ISSN: 1742-2876. |
49. | Breaking into the vault: privacy, security and forensic analysis of android vault applications (Journal Article) In: Computers & Security, vol. 70, pp. 516 - 531, 2017, ISSN: 0167-4048. |
50. | Find Me If You Can: Mobile GPS Mapping Applications Forensics Analysis & SNAVP The Open Source, Modular, Extensible Parser (Journal Article) In: Journal of Digital Forensics, Security and Law (JDFSL), vol. 12, no. 1, pp. 7, 2017. |