Prior Publisher
The Association of Digital Forensics, Security and Law (ADFSL)
Abstract
While cybercrime proliferates, becoming more complex and surreptitious on the Internet, the tools and techniques used in digital investigations still largely lag behind, slowing down law enforcement agencies at large. Real-time remote acquisition of digital evidence over the Internet remains an elusive ideal in the fight against cybercrime. In this paper we briefly describe the architecture of a comprehensive proactive digital investigation system, termed the Live Evidence Information Aggregator (LEIA), which aims to collect digital evidence from potentially any device in real time over the Internet. Particular focus is placed on the efficiency of the network communication in the evidence acquisition phase, so that potentially evidentiary information can be retrieved remotely and with immediacy. Through a proof-of-concept implementation, we demonstrate the live, remote evidence-capturing capabilities of such a system on small-scale devices, highlighting the need for the better throughput and availability envisioned through the use of Peer-to-Peer overlays.
Recommended Citation
Homem, Irvin and Dosis, Spyridon (2015) "On the Network Performance of Digital Evidence Acquisition of Small Scale Devices over Public Networks," Journal of Digital Forensics, Security and Law: Vol. 10, Article 3.
DOI: https://doi.org/10.15394/jdfsl.2015.1205
Available at: https://commons.erau.edu/jdfsl/vol10/iss3/3
Included in
Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons