This article is a recap of some of the main highlights of the Digital Forensics Research Workshop (DFRWS) held in Dublin from the 23rd – 26th of March 2015. Over the next few weeks Forensic Focus will also be bringing you a number of interviews and research updates from the conference.
DFRWS began with a series of workshops held at the Hilton Double Tree in Dublin. Frédéric Baguelin and Solal Jacob from Arxsys demonstrated Digital Forensics Framework and provided exercises for the attendees, who were able to perform a full forensic analysis of a provided disk image. The workshop covered several areas including Skype and SQLite analysis, antivirus scanning, bookmarking, tagging and reporting.
Upstairs in the meeting rooms, Michael Cohen from Google discussed the recently released Rekall platform, and how to use it for memory analysis in forensic investigations. An overview of memory analysis as a topic for study was also given, and the whole workshop was conducted as an interactive, hands-on tutorial, allowing participants to experience how Rekall can be used in live cases.
Day two began with a keynote address from Troels Oerting, the former Head of European Crime at Europol, who set the tone for much of the rest of the conference when he discussed the need for international collaboration between academics, law enforcement agents and corporations.
Oerting spoke about the need to create applications and platforms that can perform three tasks: (1) protecting people’s privacy, (2) creating security, and (3) being convenient for members of the general public to use. Task (3) is particularly difficult; many of the publicly available privacy protection tools are cumbersome and difficult for the average user to operate.
The following talk was another keynote address, this time from Chris Ashton, the Director of Spectrum Engineering at Inmarsat. The talk covered the search for MH370, the Malaysian Airlines flight which disappeared in March 2014.
Ashton described how GPS satellites are used to track a plane’s location and how the radio waves that the plane uses to communicate with the satellite can help investigators to present a set of position arcs. These arcs can then be used to determine the path the aeroplane is taking, assuming that the start position is known, that the craft is travelling at a specific speed, and that it has not made several untracked manoeuvres.
The problem with this method is that a number of assumptions have to be made in order for search teams to be able to begin looking for a missing craft; it is equally possible for a plane to have gone in a different direction, as long as it is travelling away from the last point at which it communicated with the satellite.
Throughout the keynote address, attendees were updated on how the search for MH370 has been conducted so far, and what the next steps will be in the ongoing inquiry.
The remainder of the day focused on a series of sessions in which papers were presented, including a piece of research by David Gugelmann et al. on traffic aggregation and visualisation forensics, which won the ‘Best Paper’ prize at Wednesday night’s dinner.
Other highlights included Son Dinh discussing spam campaign detection and characterisation using w-shingling and the Jaccard coefficient. Certain challenges were addressed, such as spammers using obfuscation techniques to prevent themselves from being detected.
One theme that kept coming up during the conference was the need for cyberpsychology to be more widely recognised and for social scientists to work together with forensic analysts and digital forensic researchers in order to better analyse cybercrimes. Phil Penrose from Police Scotland elaborated on this theme when he discussed the psychological impact of being suspected of a crime, such as having indecent images of children on a machine. The average time between the seizure of equipment and forensic analysis is three months, but it can take up to three years. During this time, suspects must live with the consequences of their friends and neighbours knowing what they are suspected of, and not all of them are ultimately found guilty.
Graeme Horsman demonstrated how to find evidence of mobile phone usage by a driver when investigating road traffic accidents, including how to find traces of passive activity such as re-reading a message or scrolling through a Twitter feed. iPhones and Android devices were covered, with suggestions for future research into Blackberries and other devices.
Tor forensics on Windows machines was the next topic of discussion, with Mattia Epifani from RealityNet talking about how pagefile and hiberfil can uncover evidence of browsing activities. Forensic Focus interviewed Mattia about his talk; you can read the interview here.
The final session of Tuesday focused on memory and malware analysis and began with Michael Cohen discussing how to effectively conduct memory analysis by emulating the way in which code looks at memory. Paria Shirani brought the day to a close with a presentation of SIGMA: a model-driven graph-traces matching approach for identifying reused functions in binary code.
Wednesday began with David-Olivier Jacquet-Chiffelle discussing fraud in forensic science and what can be done both to identify and to combat it. The overlaps between digital forensics and the other forensic sciences were discussed, and how real-world traces can be duplicated in the digital world. “The virtual world is a concept of the mind – an abstraction to something that is purely material” said Jacquet-Chiffelle, arguing that there is no such thing as a true distinction between “virtual” and “real” reality.
A broad vision and unifying language, as is the case in physics and mathematics, are needed if digital forensics is to become a true forensic science and perform its function both in criminal cases and in the furthering of knowledge.
Following the keynote, Mark Roeloffs gave a demonstration of smart TV forensics, looking at digital traces left on a Samsung smart television and how they can be used in criminal investigations. Particular attention was given to the possibility of pictures and multimedia files being displayed on a smart TV – if you enter a suspect’s home and there does not appear to be a computer present, it is important to remember that the smart TV may be in use in lieu of a PC or laptop.
Adding to the discussion of forensic analysis of entertainment devices, Matt Davies from Sytech followed Roeloffs’ talk with a first look at the forensic analysis of a Sony PlayStation 4. It was possible to retrieve a great deal of information from the machine Davies analysed, he explained, but one of the challenges for future investigations will be that Sony is increasingly storing user data on the PlayStation Network rather than on the actual device.
The next part of the programme was a panel discussion about forensic tool validation, which covered several thorny topics including how misinterpretation of a few bytes of data can result in significant implications for a suspect, and how forensic tool validation is often a luxury that, in reality, law enforcement officers cannot afford if they want to close a case.
Philipp Amann’s talk in the afternoon followed on nicely from this discussion, as it focused on how to design digital investigation laboratories for robustness and resilience. Amann spoke about staff turnover and knowledge drain as two of the predominant problems, something which was highlighted by the research he presented which showed that 50% of digital forensic examiners working in law enforcement leave within the first five years.
Thursday’s programme began with Jean-Dominique Nollet from the European Cybercrime Centre discussing data analytics in cybercrime. Once again, the need for collaboration was addressed, not only between professionals and academics in digital forensics itself, but also across other disciplines, particularly the social sciences.
There are also challenges surrounding public perception which must be dealt with, and the social sciences could be a big help in this respect. In particular, arguments for accessing data for forensic investigations whilst respecting the privacy concerns of members of the public are of the utmost importance if forensic examiners are to be able to do their jobs effectively.
The differences between the ways in which service providers deal with digital investigations compared with traditional investigations were also a topic for discussion. Telephone networks are happy to cooperate with law enforcement agencies where necessary and warranted, but internet service providers and those who create applications for public use are not always so ready to cooperate.
The remainder of Thursday was devoted to discussions of big data forensics, with panels speaking about challenges with triage in investigations that contain huge amounts of data to be analysed within a short time frame. Both the technical and the public perception sides of the challenge were discussed, with most members agreeing that there are legitimate public concerns regarding privacy but that these need to be addressed in a sensible and sensitive manner in order to allow investigations to proceed.
The day concluded with breakout groups over lunch, with each group being given a different topic that had been discussed during the conference. Everyone then reconvened to present their conclusions and talk about possibilities for future research.
One of the most notable elements of DFRWS as a conference is its organisers’ determination to ensure that attendees have a good time and get the most they can for their registration fee. Nightly entertainment was arranged for all attendees, which included a Viking Splash Tour of Dublin to show people around the city; a visit to The Barge, one of Dublin’s landmark pubs overlooking the canal; a forensic rodeo in which attendees were split into teams over dinner and given a forensic challenge to solve; and a final evening meal at a tapas restaurant for those who were interested in discussing future DFRWS events.