Research

January 02, 2022

The SQLite database engine is one of the most widely used database formats; it can be found in countless places, including web browsers, instant messengers, all smartphones, Mac computers, Windows 10 computers, automotive infotainment systems and, surprisingly, smart television sets and cable boxes [1]. The use of SQLite databases across such a wide spectrum of media is due to its performance, reliability, portability, simplicity and accessibility of data. SQLite can be used as an on-disk application file format [2], or as an SQLite Archive (which is similar to a ZIP file or a tarball) [3].

January 02, 2022

Windows 10 introduced a new event log of vital importance to both digital forensic examiners and incident responders. The new Partition/Diagnostic event log is found at C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx. We are not the first to analyze this artifact in pursuit of extracting and interpreting its valuable information. Harlan Carvey [1], Jason Hale [2][3], forensixchange [4] and Costas K. [5] have all analyzed it and shed light on what can be stored in this event log.

January 02, 2022

The purpose of this paper is to document testing to determine whether X-Ways Forensics Evidence File Containers are a verifiable option for the purpose of creating custom data images from a digital device.

November 27, 2021

The main item of interest in interpreting the test results is determining the conformance of the device with the test assertions. Conformance with each assertion tested by a given test case is evaluated by examining the Log File Highlights box of the test report summary.

November 27, 2021

The tool acquired the source drives accurately except for acquiring a drive with faulty sectors. However, several tool anomalies were observed:

In one distributed version of MacQuisition 2.2, SHA1 acquisition hashes on the PowerPC architecture are computed incorrectly (DA-06-FW).

The last hash in a series of block hashes may be omitted (DA-06-SATA28, DA-08-SATA28, DA-08-SATA28-INTEL, DA-09, and DA-09-INTEL).

Acquisition hashes may be computed incorrectly (DA-06-SATA48, DA-06-SATA48-INTEL, and DA-08-SATA48).

Block hashes may be computed incorrectly (DA-06-FW, DA-06-FW-INTEL, DA-06-USB, DA-06-USB-INTEL, DA-09, DA-09-INTEL, DA-09-134, and DA-09-134-INTEL).

The ranges of data over which block hashes are computed are logged inaccurately (DA-06-FW, DA-06-FW-INTEL, DA-06-SATA28, DA-06-USB, DA-06-USB-INTEL, DA-08-DCO, DA-08-SATA28, DA-08-SATA28-INTEL, DA-09, DA-09-INTEL, DA-09-134, and DA-09-134-INTEL).

Log files are incomplete when acquisitions are written to devices with insufficient space (DA-12).

The sectors hidden by a device configuration overlay (DCO) or host protected area (HPA) are not acquired (DA-08-DCO, DA-08-SATA28, DA-08-SATA28-INTEL, and DA-08-SATA48).

Data is not skipped as directed by the skip parameter (DA-07-PART).

Good sectors in the same block as a faulty sector are not acquired, and other data is written in their place (DA-09, DA-09-INTEL, DA-09-134, and DA-09-134-INTEL).

November 27, 2021

The tool met expectations for the different imaging scenarios tested.

November 27, 2021

The tool met expectations for the different imaging scenarios tested.

November 27, 2021

Results are as expected.
In test FT-DI-05-NTFS, when EnCase was used to acquire an NTFS partition, the acquisition hashes created by EnCase did not match the reference hashes for the partition. However, when the image file was rehashed omitting the partition slack (test FT-DI-05-NTFS-2), the hash matched the reference hash for the acquired NTFS file system. These findings show that EnCase acquired the file system and its contents completely, but not the partition slack. This should be noted when using EnCase to acquire an NTFS partition.

November 27, 2021

The tool met expectations for the different imaging scenarios tested. One notable finding was observed. When a partition with an NTFS file system was acquired (test FT-DI-05-NTFS), the acquisition hashes created by EnCase did not match the reference hashes for the partition. However, when the image file was rehashed omitting the partition slack, the hash matched the reference hash for the acquired NTFS file system. EnCase acquired the file system and its contents completely, but not the partition slack.

November 27, 2021

IXImager is a bootable forensics imaging and analysis system that runs from CD-ROM or flash media. When acquiring a hard drive with 35 known faulty sectors, the tool wrote forensically benign content to the image in place of the faulty sectors. The tool acquired all visible and hidden sectors completely and accurately from the test media. For more test result details see section 5.

November 27, 2021

FDAS Fast Disk Acquisition System from CyanLine is a portable all-in-one acquisition tool. A source drive is connected to the unit, which then transfers the image directly to storage media internal to the device. FDAS also provides source drive write blocking. Except for the following anomalies, the tool acquired the test media completely and accurately.

When a drive with faulty sectors was imaged (test cases DA-09-option1 & DA-09-option2), the tool failed to completely acquire all readable sectors near the location of the faulty sectors. Option 1 tries to skip around faulty sectors and omitted 422 readable sectors. Option 2 retries reading faulty sectors (at the expense of slower acquisition speed) and omitted 10 readable sectors.

The tool failed to acquire sectors in a hidden area of a hard drive (test cases DA-08-DCO, DA-08-ATA28 & DA-08-ATA48).

November 26, 2021

Federated Testing Suite for Disk Imaging

November 26, 2021

Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker is immediately suspect. This paper describes a research framework that compares forensic images acquired with and without write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking. The experiments compare the changes made to a hard drive and a flash drive when imaged and examined with a Windows-based forensics workstation.

November 26, 2021

In order to examine the biasability (impact of contextual information) and reliability (consistency) of digital forensic observations, interpretations, and conclusions, 53 digital forensics (DF) examiners analysed the same evidence file. For biasability, some DF examiners were provided with contextual information suggesting guilt or innocence, while a control group received no contextual information. Regarding biasability, the results showed that the DF examiners' observations were affected by the biasing contextual information. Regarding reliability, the results showed low reliability between DF examiners in observations, interpretations, and conclusions. To improve DF work, as well as for transparency, it is important to study and assess the biasability and reliability of examiners' decision making.
© 2021 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
