Marco Mattiucci

Scientific Articles on Digital Forensics and Related Topics

Phishing and Related Topics

Item #01

Article: "Are the Con Artists Back? A Preliminary Analysis of Modern Phone Frauds"
Author: Federico Maggi - Dipartimento di Elettronica e Informazione, Politecnico di Milano, Milano, Italy
Abstract: Phishing is the practice of eliciting a person's confidential information such as name, date of birth or credit card details. Typically, the phishers use simple technologies (e.g., e-mailing) to spread social engineering attacks with the goal of persuading a large number of victims into voluntarily disclosing sensitive data. Phishing based on e-mail and web technologies is certainly the most popular form. It has indeed received ample attention and some mitigation measures have been implemented. In this paper we describe our study on vishing (voice phishing), a form of phishing where the scammers exploit the phone channel to ask for sensitive information, rather than sending e-mails and cloning trustworthy websites. In some sense, the traditional à-la-Mitnick phone scams are streamlined by attackers using techniques that are typical of modern, email-based phishing. We detail our analysis of an embryonic, real-world database of vishing attacks reported by victims through a publicly-available web application that we built for this purpose. The vishing activity that we registered in our preliminary analysis is targeted against U.S. customers. According to our samples, we analyzed to what extent the criminals rely on automated responders to streamline the vishing campaigns. In addition, we analyzed the content of the conversations and found that words such as "credit", "press" (a key) or "account" are fairly popular. In addition, we describe the data collection infrastructure and motivate why gathering data about vishing is more difficult than for regular e-mail phishing.
PDF file: http://home.dei.polimi.it/fmaggi/vishing.pdf


IISFA Member Book(s)

Item #01

Collection of articles: IISFA Member Book 2009
Author: IISFA members, edited by G. Costabile, A. Attanasio
Abstract: A collection of articles on a variety of digital forensics topics, written by IISFA members chiefly for the association's own membership. Certainly a valuable aid and reference for legal practitioners and for technicians working in the field of information forensics.
Paper format (IISFA site)


Virtual Computer Forensics

Item #01

Article: "RETI VIRTUALI DI PC ED APPLICAZIONI NEL COMPUTER FORENSICS"
Author: Elisabetta Avagnano - newly appointed laboratory assistant at the Reparto Tecnologie Informatiche of the Arma dei Carabinieri
Abstract: Emulation, virtualization and the forensic analysis of digital exhibits are concepts and methods that keep moving closer together. Virtual Computer Forensics, the subject of this article, is an important frontier of digital forensics that will soon be impossible to ignore. The tools described in the article are within reach of most technicians, so the document is a sound introduction to the subject.
PDF file: EAvagnano.art.01.v1.0.pdf


GPS Forensics

Item #01

Article: "SPERIMENTAZIONE DI UN METODO DI ANALISI FORENSE DEL DISPOSITIVO DI NAVIGAZIONE SATELLITARE TOMTOM"
Author: Clara Maria Colombini - IT specialist and technical consultant
Abstract: This work concerns the search for a forensic analysis procedure for TOMTOM satellite navigation devices, on which data of great investigative value can be found. The central point of the experiment was the search for a procedure for producing a forensic image of the internal memory that is "repeatable", i.e. one that makes it possible to obtain, from the same device, an identical forensic image at a later time for any subsequent analysis or analysis by the opposing party.
PDF file: CMColombini.art.01.v1.0.pdf


Systems Security

Item #01

Article: "Valutazione del Piano per la Sicurezza della Carta dello Studente attraverso la social network analysis"
Author: Giuseppe Specchio - specialist in technical-scientific investigations in the IT sector of the Arma dei Carabinieri
Abstract: This article, presented for the Sicurezza Informatica e Cooperazione examination of the Laurea Specialistica in Informatica programme at the Università di Roma – Tor Vergata, deals with the use of social networks as a valid alternative aid for modelling the architectures of Cooperative Information Systems and for the subsequent evaluation of their Security Plans through Social Network Analysis.
PDF file: GSpecchio.art.02.v1.0



Data remanence & Data wiping

Item #04

Article: "A Guide to Understanding Data Remanence in Automated Information Systems"
Author: NCSC-TG-025 - Library No. 5-236,082 Version-2 - National Computer Security Center.
Abstract: The National Computer Security Center is issuing A Guide to Understanding Data Remanence in Automated Information Systems as part of the "Rainbow Series" of documents our Technical Guidelines Program produces. In the Rainbow Series, we discuss in detail the features of the Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD) and provide guidance for meeting each requirement.
PDF file: Article

Item #03

Article: "Data Remanence in Flash Memory Devices"
Author: Sergei Skorobogatov - University of Cambridge, Computer Laboratory, 15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom - sps32@cl.cam.ac.uk
Abstract: Data remanence is the residual physical representation of data that has been erased or overwritten. In non-volatile programmable devices, such as UV EPROM, EEPROM or Flash, bits are stored as charge in the floating gate of a transistor. After each erase operation, some of this charge remains. Security protection in microcontrollers and smartcards with EEPROM/Flash memories is based on the assumption that information from the memory disappears completely after erasing. While microcontroller manufacturers have already successfully hardened their designs against a range of attacks, they still have a common problem with data remanence in floating-gate transistors. Even after an erase operation, the transistor does not return fully to its initial state, thereby allowing the attacker to distinguish between previously programmed and not programmed transistors, and thus restore information from erased memory. The research in this direction is summarised here and it is shown how much information can be extracted from some microcontrollers after their memory has been 'erased'.
PDF file: Article

Item #02

Article: "Forensic Analysis"
Author: Wietse Venema - wietse@porcupine.org - IBM T.J. Watson Research Center, Hawthorne, NY, USA.
Abstract: In this paper I will present lessons learned about persistence of information in file systems and in main memory of modern computers. This is work in progress; the work on main memory was not presented before. The results are based on measurements of a variety of UNIX and Linux systems, but are expected to be valid for other modern operating systems as well.
PDF file: Article

Item #01

Article: "Lest We Remember: Cold Boot Attacks on Encryption Keys"
Author: J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten - Princeton University - Electronic Frontier Foundation - Wind River Systems, February 21, 2008.
Abstract: Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
PDF file: Article


Mobile & PDA Forensics

Item #07

Article: "iPod Forensics"
Author: Christopher V. Marsico, Marcus K. Rogers - Cyber Forensics Lab, Department of Computer Technology, Purdue University
Abstract: The iPod is one of the most popular digital music devices in today’s marketplace. The newest versions of the iPod have become more PDA/storage like than ever before. With this new functionality the iPod has recently found its way into the criminal world. With the continued growth of the digital music device market, the iPod’s use in criminal activity will only continue to increase. This paper discusses some of the features of the iPod and how a criminal could use them. A literature review found little or no documentation or discussion on the forensic analysis of the iPod or similar devices. Therefore, this research outlines what should be considered when an iPod is found at the crime scene, and offers a critical analysis of some common forensic tools and their ability to collect and analyze data from an iPod. Suggestions for future research are also provided.
PDF file: Article

Item #06

Article: "TULP2G – An Open Source Forensic Software Framework for Acquiring and Decoding Data Stored in Electronic Devices"
Author: Jeroen van den Bos and Ronald van der Knijff - Netherlands Forensic Institute
Abstract: TULP2G is a forensic software framework for acquiring and decoding data stored in electronic devices. The framework consists of a layered architecture with communication, protocol, conversion, and export plug-ins to acquire, decode, and report evidence in customizable layouts. All acquired data is stored in an XML formatted evidence file along with information for auditing purposes. XML files can also be used to customize the framework with different user interface languages. A profile mechanism is built in to save and load framework configuration settings for common investigations. Conversion and export plug-ins can also be used to decode data acquired with other data acquisition methods. TULP2G is implemented in C# using .NET1.1 and released under a BSD license.
PDF file: Article

Item #05

Article: "Forensics and SIM cards: an Overview"
Author: Fabio Casadei, Antonio Savoldi, Paolo Gubian - University of Brescia
Abstract: In this paper, we present an open source tool for data objects extraction from SIM and USIM cards which is capable of extracting all observable memory and all the non-standard files that are found in every SIM card. First, a description of the tool from a digital forensics perspective will be provided. Then, the technological background of the tool will be sketched. After that, the core algorithms will be described and explained. Then, motivations for the choice of an XML format for output will be given and the format described. In conclusion, the possible lines of evolution will be presented.
PDF file: Article

Item #04

Article (thesis): "Forensic Analysis of Mobile Phones"
Author: Paul McCarthy
Abstract: This thesis attempts to provide an overview of the methods commonly used to acquire data from mobile phones in a forensic manner. Limitations and issues inherent in software based data acquisition are discussed, as is the legal admissibility of information acquired using these methods. By doing so, the need to verify the methods currently in use is highlighted.
PDF file: Article

Item #03

Article: "PDA Forensic Tools: An Overview and Analysis"
Author: NISTIR 7100 - National Institute of Standards and Technology Interagency Report
Abstract: Digital handheld devices, such as Personal Digital Assistants (PDAs), are becoming more affordable and commonplace in the workplace. They provide highly mobile data storage in addition to computational and networking capabilities for managing appointments and contact information, reviewing documents, communicating via electronic mail, and performing other tasks. Individuals can store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the capabilities of these devices also continues to improve rapidly, taking advantage of new forms of removable media, faster processors that consume less power, touch screens with higher pixel resolution, and other components designed specifically for mobile devices. When handheld devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report gives an overview of current forensic software, designed for acquisition, analysis, reporting of data discovered on PDAs, and an understanding of their capabilities and limitations.
PDF file: Article

Item #02

Article: "Guidelines on Cell Phone Forensics"
Author: Recommendations of the National Institute of Standards and Technology - Special Publication 800-101
Abstract: The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones, when they arise. The guide is not all-inclusive nor is it prescribing how law enforcement and incident response communities handle mobile devices during investigations or incidents. However, from the principles outlined and other information provided, organizations should nevertheless find the guide helpful in setting policies and procedures. This publication should not be construed as legal advice. Organizations should use this guide as a starting point for developing a forensic capability in conjunction with extensive guidance provided by legal advisors, officials, and management.
PDF file: Article

Item #01

Article: "Forensic Analysis of the Contents of Nokia Mobile Phones"
Author: B. Williamson, P. Apeldoorn, B. Cheam, M. McDonald - School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
Abstract: Acquiring information from a mobile phone is now an important issue in many criminal investigations. Mobile phones can contain large amounts of information which can be of use in an investigation. These include typical mobile device data including SMS, phone records and calendar and diary entries. As the difference between a PDA and a mobile phone is now blurred, the data that can reside on a mobile phone is somewhat endless. This report focuses on the performance of different mobile phone forensic software devices, and reports the findings. All aspects of the different software pieces will be reported, as well as what the investigators extract from the phones. The ability of different software tools to produce certain hash algorithm sums will be analysed, as well as the forensic methods used to extract the information. This area is one which will gain momentum in the future, hence any advances made in the field is an advantage to upcoming studies.
PDF file: Article


Live Digital Forensics

Item #01

Article: "Freeware Live Forensics tools evaluation and operation tips"
Author: Ricci IEONG, Principal Consultant, eWalker Consulting Ltd
Abstract: Highlighted by a digital forensics investigation specialist from the FBI at DFRWS 2006, live forensics investigations have already become one of the most important procedures in digital forensics investigations. Many digital forensics investigation product companies have already joined the battlefield in developing their own live forensics tools. However, similar to the development trend in traditional digital forensics, evaluation criteria for Live Digital Forensics could only be standardized after operating procedures are standardized. One way to standardize the Live Digital Forensics Investigation procedure is to define the investigation objectives around the core digital forensics principles. Through the use of the FORZA framework, a more legal- and investigation-oriented live digital forensics investigation procedure has been outlined. Based on the FORZA-based procedure, a set of operation best practices, operational tips and evaluation criteria was derived. Using the derived criteria, various free Live Forensics toolkits including Windows Forensics Toolchest (WFT), Incident Response Collection Report (IRCR), First Responders Evidence Disk (FRED) and Computer Online Forensic Evidence (COFEE) were evaluated and reported in this paper.
PDF file: Article


Internet Forensics

Item #01

Article: "Google Desktop as a Source of Digital Evidence"
Author: Benjamin Turnbull, University of South Australia; Barry Blundell, South Australia Police; Jill Slay, University of South Australia
Abstract: This paper discusses the emerging trend of Personal Desktop Searching utilities on desktop computers, and how the information cached and stored with these systems can be retrieved and analysed, even after the original document has been removed. Focusing on the free Google Desktop application, this paper first analyses how the program operates, the processes involved, files created and altered, and methods on retrieving this data without corrupting the contents. Whilst some discussion is specific to the Google Desktop application, other discussion is applicable to the several other, similar available applications. The limitations of extracting data from Google Desktop and other desktop searching utilities are also discussed, along with possibilities for future research to ensure that the repositories of information that these programs store may be forensically analysed.
PDF file: Article


Distributed Forensics

Item #02

Article: "Breaking the Performance Wall: The Case for Distributed Digital Forensics"
Author: Vassil Roussev, Golden G. Richard III - Department of Computer Science, University of New Orleans, New Orleans, LA 70148
Abstract: In this paper, we make the case for distributed digital forensic (DDF) tools and provide several real-world examples where traditional investigative tools executing on a single workstation have clearly reached their limits, severely hampering timely processing of digital evidence. Based on our observations about the typical tasks carried out in the investigative process, we outline a set of system requirements for DDF software. Next, we propose a lightweight distributed framework designed to meet these requirements and describe an early prototype implementation of it. Finally, we present some performance comparisons of single- versus multiple-machine implementations of several typical tasks and describe some more sophisticated forensics analysis techniques, which will be enabled by a transition to DDF tools.
PDF file: Article

Item #01

Article: "ForNet: A Distributed Forensics Network"
Author: Kulesh Shanmugasundaram, Nasir Memon, Anubhav Savant, and Herve Bronnimann - Department of Computer and Information Science, Polytechnic University, Brooklyn, NY 11201, USA
Abstract: This paper introduces ForNet, a distributed network logging mechanism to aid digital forensics over wide area networks. We describe the need for such a system, review related work, present the architecture of the system, and discuss key research issues.
PDF file: Article


Data Persistence in Memory

Item #08

Article: "Data Remanence in Semiconductor Devices"
Author: Peter Gutmann - IBM T.J. Watson Research Center
Abstract: A paper published in 1996 examined the problems involved in truly deleting data from magnetic storage media and also made a mention of the fact that similar problems affect data held in semiconductor memory. This work extends the brief coverage of this area given in the earlier paper by providing the technical background information necessary to understand remanence issues in semiconductor devices. Data remanence problems affect not only obvious areas such as RAM and non-volatile memory cells but can also occur in other areas of the device through hot-carrier effects (which change the characteristics of the semiconductors in the device), electromigration (which physically alter the device itself), and various other effects which are examined alongside the more obvious memory-cell remanence problems. The paper concludes with some design and device usage guidelines which can be useful in reducing remanence effects.
PDF file: Article

Item #07

Article: "Low temperature data remanence in static RAM"
Author: Sergei Skorobogatov - 15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom, phone +44 1223 763500, http://www.cl.cam.ac.uk/
Abstract: Security processors typically store secret key material in static RAM, from which power is removed if the device is tampered with. It is commonly believed that, at temperatures below −20°C, the contents of SRAM can be ‘frozen’; therefore, many devices treat temperatures below this threshold as tampering events. We have done some experiments to establish the temperature dependency of data retention time in modern SRAM devices. Our experiments show that the conventional wisdom no longer holds.
PDF file: Article

Item #06

Article (thesis): "Computer Forensics: The Persistence of Data in Physical Memory"
Author: Jason Michael Solomon - Bachelor of Computer Science (Honours)
Abstract: Computer Forensics is concerned with the use of computer investigation and analysis techniques in order to determine and collect potential legal evidence suitable for presentation in court. The purpose of the research presented in this thesis is to gain an insight into how long data persists within physical memory and to draw a conclusion as to whether it is worthwhile developing a methodology and dedicated tools for the forensic investigation of physical memory.
PDF file: Article

Item #05

Article: "Secure Deletion of Data from Magnetic and Solid-State Memory"
Author: Peter Gutmann - Department of Computer Science, University of Auckland
Abstract: With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.
PDF file: Article

Item #04

Article: "Forensic Discovery" - Chapter 7: Persistence of deleted file information
Author: D. Farmer, W. Venema
Abstract: Computers delete files frequently. Sometimes this happens on explicit request by a user. Often, information is deleted implicitly when an application discards some temporary file for its own internal use. Examples of such implicit file deletion activity are text editor temporary files, files with intermediate results from program compilers, and files in web browser caches. As you use a computer system you unwittingly leave behind a trail of deleted information...
PDF file: Article

Item #03

Article: "Guidelines for Media Sanitization" - NIST Special Publication 800-88
Author: Recommendations of the National Institute of Standards and Technology
Abstract: This guide will assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information. It does not, and cannot, specifically address all known types of media; however, the described sanitization decision process can be applied universally. It should also be noted that Title 40 USC advises system owners and custodians that excess equipment is “Educationally useful” and “Federal equipment is a vital national resource.” Wherever possible, excess equipment and media should be made available to schools and non-profit organizations to the extent permitted by law.
PDF file: Article

Item #02

Article: "Data Remanence in Flash Memory Devices"
Author: Sergei Skorobogatov - University of Cambridge, Computer Laboratory, 15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom - sps32@cl.cam.ac.uk
Abstract: Data remanence is the residual physical representation of data that has been erased or overwritten. In non-volatile programmable devices, such as UV EPROM, EEPROM or Flash, bits are stored as charge in the floating gate of a transistor. After each erase operation, some of this charge remains. Security protection in microcontrollers and smartcards with EEPROM/Flash memories is based on the assumption that information from the memory disappears completely after erasing. While microcontroller manufacturers have already successfully hardened their designs against a range of attacks, they still have a common problem with data remanence in floating-gate transistors. Even after an erase operation, the transistor does not return fully to its initial state, thereby allowing the attacker to distinguish between previously programmed and not programmed transistors, and thus restore information from erased memory. The research in this direction is summarised here and it is shown how much information can be extracted from some microcontrollers after their memory has been 'erased'.
PDF file: Article

Item #01

Article: "A Guide to Understanding Data Remanence in Automated Information Systems"
Author: National Computer Security Center
Abstract: The National Computer Security Center is issuing A Guide to Understanding Data Remanence in Automated Information Systems as part of the "Rainbow Series" of documents our Technical Guidelines Program produces. In the Rainbow Series, we discuss in detail the features of the Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD) and provide guidance for meeting each requirement. The National Computer Security Center, through its Trusted Product Evaluation Program, evaluates the security features of commercially-produced computer systems. Together, these programs ensure that organizations are capable of protecting their important data with trusted computer systems. While data remanence is not a directly evaluated criterion of trusted computing systems, it is an issue critical to the safeguarding of information used by trusted computing systems.
PDF file: Article


Anti-Forensics

Item #05

Article: "Digital Anti-Forensics: Emerging trends in data transformation techniques"
Author: Christian S.J. Peron & Michael Legary - Seccuris Labs
Abstract: This paper explores two questions: What methods can be used to deceive someone who is in an investigative role into trusting an object which has been exploited? What kind of impact does operating system and application run-time linking have on live investigations? After experimenting with dynamic object dependencies and kernel modules in the UNIX environment, it is the opinion of the authors that run-time linking can be exploited to alter the execution of otherwise trusted objects. This can be accomplished without having to modify the objects themselves. If an investigator trusts an inherently un-trusted object, it can result in the possible misdirection of a digital investigation.
PDF file: Article

Item #04

Article: "Counter-Forensic Tools: Analysis and Data Recovery"
Author: M. Geiger - Carnegie Mellon University
Abstract: This paper details the analysis of 13 commercial counter-forensic tools, examining operational shortfalls that can permit the recovery of significant evidentiary data. The research also isolates filesystem fingerprints generated when these tools are used, which can identify the tool, demonstrate its actual use and, in many cases, provide insight into the extent and time of its use.
PDF file: Article

Item #03

Article: "Evaluating Commercial Counter-Forensic Tools"
Author: M. Geiger - Carnegie Mellon University
Abstract: In this paper, we review the performance of six counter-forensic tools and highlight operational shortfalls that could permit the recovery of significant evidentiary data. In addition, each tool creates a distinct operational fingerprint that an analyst may use to identify the application used and, thus, guide the search for residual data. These operational fingerprints may also help demonstrate the use of a tool in cases where such action has legal ramifications.
PDF file: Article

Item #02

Article: "Counter Forensics Privacy Tools - A forensic evaluation"
Author: M. Geiger, L.F. Cranor
Abstract: In this paper we use forensics tools and techniques to evaluate the effectiveness of six counter forensics software packages...
PDF file: Article

Item #01

Article: "Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem"
Author: Ryan Harris - CERIAS, Purdue University, West Lafayette, IN 47907, USA
Abstract: There are no general frameworks with which we may analyze the anti-forensics situation. Solving anti-forensic issues requires that we create a consensus view of the problem itself. This paper attempts to arrive at a standardized method of addressing anti-forensics by defining the term, categorizing the anti-forensics techniques and outlining general guidelines to protect forensic integrity.
PDF file: Article


Privacy & Intellectual Property

Item #01

Article: "La Proprietà Intellettuale nella società dell'informazione"
Author: Stefano Monfreda - specialist in technical-scientific investigations in the IT sector of the Arma dei Carabinieri
Abstract: The article presents the current legal framework on copyright protection, examining some of its implications in the field of Information Technology.
PDF file: SMonfreda.art.01.v1.0


Computer Forensics

Item #11

Article: "Selective and intelligent imaging using digital evidence bags"
Author: Philip Turner - QinetiQ, Digital Investigation Services, Trusted Information Management Department, St. Andrews Road, Malvern, Worcestershire WR14 3PS, UK.
Abstract: This paper defines what selective imaging is, and the types of selective imaging that can be performed. This is contrasted with intelligent imaging and the additional capabilities that have to be built into an imager for it to be ‘intelligent’. A selective information capture scenario is demonstrated using the digital evidence bag (DEB) storage format. A DEB is a universal container for digital evidence from any source that allows the provenance to be recorded and continuity to be maintained throughout the life of the investigation. The paper concludes by defining the ‘ultimate test’ for an intelligent and selective imager approach.
PDF file: Article

Item #10

Article: "Unification of Digital Evidence from Disparate Sources (Digital Evidence Bags)"
Author: Philip Turner - QinetiQ, Digital Investigation Services, Trusted Information Management Department, St. Andrews Road, Malvern, Worcestershire WR14 3PS, UK.
Abstract: This paper outlines a new approach to the acquisition and processing of digital evidence obtained from disparate digital devices and sources. To date the capture of digital based evidence has always been in its entirety from the source device and different methods and containers (file types) are used for different types of digital device (e.g. computer, PDA, mobile phone). This paper defines a new approach called a Digital Evidence Bag (DEB) that is a universal container for the capture of digital evidence. Furthermore, the Digital Evidence Bag concept could be used to permit the streamlining of data capture and allow multiple sources of evidence to be processed in a multiprocessor distributed environment, thereby maximizing the use of available processing power. The approach described in this paper allows for the first time the forensic process to be extended beyond the traditional static forensic capture of evidence into the real-time 'live' capture of evidence. In addition to this the Digital Evidence Bag can be used to provide an audit trail of processes performed upon the evidence as well as integrated integrity checking.
PDF file: Article

Item #09

Article: "What is Forensic Computing?"
Author: Rodney McKemmish
Abstract: This paper provides an overview of the new law enforcement field of forensic computing. It is an abridged version of a report prepared by the author during his Donald Mackay Churchill Fellowship. Its publication here reflects the Australian Institute of Criminology’s continuing role in informing policy makers and the public about complex criminal activity.
PDF file: Article

Item #08

Article: "Exchangeable Image file Format (ExIF)"
Author: Christopher L. T. Brown
Abstract: The Japanese Electronic Industry Development Association (JEIDA) created a standard for the storage of camera and image metadata in JPEG and TIFF files. Most digital camera manufacturers have implemented this standard and now store camera metadata along with the digital image. This metadata can potentially provide vital evidence to investigators such as when the picture was taken, what camera was used in capturing the image and in some cases, who took the image or where the image was captured.
PDF file: Article

Item #07

Article: "Hidden Disk Areas: HPA and DCO"
Author: Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers - Purdue University
Abstract: This paper focuses on certain manufacturer hidden areas of a hard disk, specifically Host Protected Areas (HPA) and Device Configuration Overlays (DCO). These areas can be problematic for computer forensic investigators, since many of the common industry tools cannot detect the presence of the HPA and DCO. A review of the ATA specifications and recent white papers indicates that these areas can be accessed, modified, and written to by end users using specific open source and freely available tools, allowing data to be stored and/or hidden in these areas. This greatly increases the risk that image acquisitions may not be a true copy of the physical drive in question. This also could result in the obfuscation of data, leading to incomplete or erroneous investigative conclusions. The paper provides an introduction to these commonly used manufacturer areas and discusses their implication to the computer forensics investigative process. Suggestions for future study and testing are also provided.
PDF file: Article

Item #06

Article: "Secure Audit Logs to Support Computer Forensics"
Author: Bruce Schneier, John Kelsey - Counterpane Systems, 101 East Minnehaha Parkway, Minneapolis, MN 55419
Abstract: In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to undetectably modify or destroy.
PDF file: Article

Item #05

Article: "The Linux Kernel and the Forensic Acquisition of Hard Disks with an Odd Number of Sectors"
Author: Jesse D. Kornblum - research@jessekornblum.com
Abstract: No official version of the Linux kernel, up through and including version 2.4, allowed a user land process to access the last sector of a hard disk or hard disk partition with an odd number of sectors. Although the inability to access this last sector did not affect normal operation of the system, it did prevent the complete forensic acquisition of such a disk. The author repeats an earlier experiment to verify the issue in version 2.4 of the kernel and then shows that the issue has been resolved in version 2.6. Systems using version 2.6 of the Linux kernel can completely forensically acquire disks or partitions with an odd number of sectors.
PDF file: Article

Item #04

Article: "Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis"
Author: Special Agent Paul Alvarez - Air Force Office of Special Investigations, Computer Investigations and Operations
Abstract: An obstacle in any Child Pornography (CP) investigation is the investigator’s ability to determine whether the pictures in question have been altered. Because of the court ruling in Ashcroft v. Free Speech, many agents are asked on the stand if they can prove the pictures they recovered were altered in any way. If the picture doesn’t match any known CP hashes, then it can be very difficult to prove they are untouched. One way an investigator may be able to determine if a picture is authentic is through extraction of metadata. In the case of digital pictures, they may contain EXIF headers that can help the investigator to verify the authenticity of a picture.
PDF file: Article

Item #03

Article: "Forensic feature extraction and cross-drive analysis"
Author: Simson L. Garfinkel - Center for Research on Computation and Society, Harvard University, Cambridge, MA 02139, USA
Abstract: This paper introduces Forensic Feature Extraction (FFE) and Cross-Drive Analysis (CDA), two new approaches for analyzing large data sets of disk images and other forensic data. FFE uses a variety of lexigraphic techniques for extracting information from bulk data; CDA uses statistical techniques for correlating this information within a single disk image and across multiple disk images. An architecture for these techniques is presented that consists of five discrete steps: imaging, feature extraction, first-order cross-drive analysis, cross-drive correlation, and report generation. CDA was used to analyze 750 images of drives acquired on the secondary market; it automatically identified drives containing a high concentration of confidential financial records as well as clusters of drives that came from the same organization. FFE and CDA are promising techniques for prioritizing work and automatically identifying members of social networks under investigation. We believe it is likely to have other uses as well.
PDF file: Article

Item #02

Article: "Identificazione della tipologia di un file mediante analisi spettrografica 2D" (Identifying a file's type by 2D spectrographic analysis)
Author: Giuseppe Finizia - specialist in technical and scientific investigations in the IT sector of the Arma dei Carabinieri
Abstract: The article proposes a frequency-based approach to the problem of identifying a file's type during forensic analysis without relying on its obvious descriptors, such as the file extension in a Windows environment. It presents the results obtained by applying specific software written by the author and discusses the future directions that research on the identification of "misnamed files" may take.
PDF file: GFinizia.art.01.v1.0a

Item #01

Article: "Thumbs.db Forensic Analysis"
Author: Davide Numelli - specialist in technical and scientific investigations in the IT sector of the Arma dei Carabinieri
Abstract: The article deals with the investigative and forensic use of thumbs.db files in the search for images that constitute sources of evidence. It reports examples, tools and peculiarities of how these files are handled, which are of great importance from the standpoint of technical laboratory analysis.
PDF file: DNumelli.art.01.v.1.0


Encryption, Steganography, File/Data hiding

Item #03

Article: "Basi di Crittografia: dal modello matematico a quello informatico" (Fundamentals of Cryptography: from the mathematical model to the computational one)
Author: Giuseppe Specchio - specialist in technical and scientific investigations in the IT sector of the Arma dei Carabinieri
Abstract: This work presents an implementation of several cryptographic algorithms studied by the author during the Algebra 1 course of the master's degree in Computer Science at the University of Rome Tor Vergata. It seeks a concrete correspondence between the mathematical models studied in depth and their practical use in a computing context. To this end, the specific applications that implement and test the theory in question are reported; they are written in the Java programming language following the MVC2 pattern, so that they can be reused as widely as possible in other contexts.
PDF file: GSpecchio.art.01.v1.0

Item #02

Article: "Data Hiding in Journaling File Systems"
Author: Knut Eckstein, Marko Jahnke
Abstract: Data hiding is one technique by which system perpetrators store information while reducing the risk of being detected by system administrators. The first major section of this article structures and compares existing data hiding methods for UNIX file systems in terms of usability and countermeasures. It discusses variant techniques related to advanced file systems. The second section proposes a new technique that stores substantial amounts of data inside journaling file systems in a robust fashion with low detectability, which is demonstrated by means of a proof-of-concept implementation for the ext3 journaling file system.
PDF file: Article

Item #01

Article: "Steganografia: descrizione ed implementazione di un algoritmo" (Steganography: description and implementation of an algorithm)
Author: Raffaele Olivieri - specialist in technical and scientific investigations in the IT sector of the Arma dei Carabinieri
Abstract: The article gives a simple introduction to the theory and classification of the best-known steganographic techniques, and proposes an example software implementation of a basic steganographic algorithm in the C language.
PDF file: ROlivieri.art.01.v1.3(20071024)