Concepts of Digital Evidence and Digital Forensics

Get Complete Project Material File(s) Now! »

Absence of Evidence and Exchange of Evidence

Due to the ubiquitous nature of digital evidence, it is often rare to find a crime that does not have some related data that are stored or transmitted with a computer system. These data can be the evidence required for a prosecution1, or it may be used to support other evidence or get more information during an investigation. However, even when no data can be found, it is important to remember an axiom from forensic science that states that, “the absence of evidence is not the evidence of absence”[57]. For example, if no evidence could be found on a computer to determine whether or not it accessed a particular web page, it does not mean that the computer was not used to access the site. It is important to base all assertions on solid supporting evidence and not on an absence of evidence [29]. Thus, it is necessary for an investigator to find corroborating evidence [27] that clearly demonstrates the falsity or truth of a claim when the required evidence cannot be found.
The principle underlying the process of finding corroborating evidence is a principle that is usually applied in a physical crime scene which is known as Locard’s exchange principle, that contact between two items will result in an exchange of matter between them [34]. That is, there will always be some trace evidence with every interaction even though it may not be easily detected. For example, hair, fiber or fingerprints from a criminal are often found at a physical crime scene. According to Casey [29] and Carrier [22], this principle applies in both the physical and digital realms because the same effect often occurs in a digital crime scene. The data entering or leaving a computer leave traces of digital evidence. The principle can also provide link between the physical crime scene and the digital crime scene as shown in figure 2.1 [29]. For example, in a case involving email harassment, the act of sending messages over a web-based email service can leave traces such as files and links on the sender’s hard disk and/or web browser as well as some date-time related information.

Attribution

Attribution refers to the question of who or what caused certain effects on a piece of digital evidence [80, 33]. To identify the relationships between events, suspects and victims in a digital environment, one of the techniques used is to represent the digital environment as a finite state automaton. The states of the automaton represent places where the suspect has been, email or IP addresses he has accessed, telephone numbers called, and so on. The objective of the automaton is to establish connections between the states, and thus enabling an investigator to get an overview of an incident and locate sources of digital evidence that may be initially unknown. Examples of analysis tools
used to connect events during investigation include NetMap [99] and Analyst Netbook [73]. In many situations there is a relatively small number of inputs, program interactions or events that make up the finite state automaton, thus allowing the easy construction of the automaton for attribution purpose. However, a problem arises when the complexity of the automaton is too high for a precise modelling of connections between states of the automaton [43].
Other techniques that can be used for attribution include simulation of the events, use of complexity argument, and the use of redundant information that may be available from the environment. For example, the information retrieved from a CCTV camera may be useful in asserting who was in an office at a particular time. These techniques often provide an independent support for hypotheses made about the attribution of some events to someone. Although the purpose of authentication mechanisms (for example, biometric devices, file ownership and/or authorship and passwords) is to confirm an identification, it is also often used as a basis for attribution and the certainty of the attribution relies on the additional or corroborating evidence that can be found. Cohen [40] explains in more detail, the concept of attribution, mechanisms used, their limits and the complexity issues with tools used for attribution.

READ  ELECTRODIALYSISIN PRACTICE 

Database Forensics

Over the years, database systems have become a core component of many computing systems in our society and are used to store critical and sensitive information relating to an organization or her clients. Unfortunately, the increase in the usage of databases to store volumes of information has led to an increase in the number of attacks directed towards databases and the rate at which databases are manipulated to facilitate crimes [55]. Several security breaches have been reported in the recent years, many of which involve the theft of personal data or financial information stored within a database. The fact that many organizations combine several databases onto fewer database servers in order to cut costs and simplify their management [59] also compounds this problem and presents databases as prime targets for attackers. However, even when a database is
not the target of an attack, information relevant to an investigation are usually found in databases and can be retrieved to facilitate such investigations. As such, databases have become of interest in finding artifacts that may assist in solving various kinds of investigations [55].
Examples of organizations that have been targets of some of the largest security breaches in history include CardSystems and TJ Maxx. CardSystems experienced a security breach that allowed the exposure of 200,000 credit card numbers and the TJ Maxx breach led to the exposure of over 45 million credit and debit card numbers [59]. These incidents reflect the enormous amount of information that may be lost from a single attack on a database system. Another example is where an unauthorized user (or an authorized user with illegal motives) gains access to an organization’s database and modifies their production database server (for example, by changing order dates, delivery address or production prices), resulting in erroneous product shipment and financial loss to the company [58]. It is also possible that a database was not manipulated to commit a crime but the database contains information that may be used to resolve the crime. For example, in a situation where every access into a building is stored in a database, investigating a murder case in which there was no break-in may require querying the database to know who was in the building at the time. A forensic analysis of the database may also be required if the database was manipulated to hide certain information.

1 Introduction
1.1 Motivation
1.2 Problem Statement
1.3 Scope of the Research
1.4 Methodology
1.5 Terminology
1.6 Thesis Layout
1.7 Contribution of the Thesis
1.8 Summary
2 Concepts of Digital Evidence and Digital Forensics
2.1 A Brief History of Digital Forensics
2.2 Nature of Digital Evidence
2.3 Investigative Process for Digital Forensics
2.4 Examination and Analysis
2.5 Summary
3 Database Systems
3.1 Concepts of Database Systems
3.2 Characteristics of Database Systems
3.3 Other Advantages of Database Systems
3.4 Logging in Databases
3.5 Database Models
3.6 Relational Data Model and Relational Algebra
3.7 Summary
4 Concepts of Database Forensics
4.1 Database Forensics
4.2 Dimensions of Database Forensics
4.3 Database Forensics Process
4.4 Database Forensics Tools
4.5 Challenges in Database Forensics
4.6 Summary
5 Database Reconstruction Algorithm
5.1 Database Forensics Reconstruction
5.2 Inverse Relational Algebra
5.3 Relational Algebra Log and Value Blocks
5.4 Concept of Database Reconstruction
5.5 Database Reconstruction Algorithm
5.6 Summary
6 Correctness Proof of Algorithm
6.1 Partial Correctness
6.2 Total Correctness
6.3 Summary
7 Completeness of Reconstructed Data
7.1 Limitation of the Reconstruction Algorithm
7.2 Absence of Evidence
7.3 Reconstruction from Interaction
7.4 Reconstruction Through Iteration
7.5 Summary
8 Reconstruction of a Database Schema
8.1 Compromising a Database Schema
8.2 Schema Reconstruction
8.3 Summary
9 Effectiveness of Database logs in Reconstruction
9.1 Default Log
9.2 Ideal Log Settings
9.3 Database Forensics Reconstruction Dimensions and Log Files
9.4 Summary
10 Conclusion 
10.1 Thesis Summary
10.2 Main Contributions
10.3 Future Research

GET THE COMPLETE PROJECT

Related Posts