Research Publications ~ 2016

Enhancing Analysis and Research note taking in digital forensics using video capture software

C. Evans, R. West, N. Gartner, W. Barton, S. Al Amri and S. Morris

Abstract

Audio-visual methods are currently well-established in the field of education (Goldman et al., 2009). These methods could be applied by researchers and digital analysts as a means of capturing data and of communicating research or investigative outcomes (Lemke, 2009). A video recording provides a complete record of the actions undertaken, in which nuances can subsequently be captured, reviewed and analysed (Knoblauch et al., 2006). This analysis may provide information about steps taken that would otherwise have been lost in the immediacy of the situation, allowing analysts and researchers to focus on their task without worrying that they may miss important data.

The combination of contemporaneous note taking and the use of video capture software throughout the experimental process provides redundancy by producing two separate records of the actions (Sinfield, 2008). There is potential to reduce experimentation time, as researchers can review their videos and carefully write comprehensive notes about the details of an experiment (Jewitt et al., 2009), i.e. software versions and experimental set-up. Undertaking this review after the experimentation process is beneficial, as it allows the researcher to look through all of the steps taken, document actions that they may not have realised they had performed and determine their effects on the results.

Video is also a powerful and durable medium for communication which can facilitate the inclusion of participants in research and analysis (McDermott and Goldman, 2007). The use of recordings can provide an easy-to-follow explanation of the work undertaken, and reduces the risk of misunderstandings and falsification of documents. With good quality capture and editing software becoming accessible to users without specialist training (Cascade, 2012), the possibility of utilising recording software to collect data, review the experimental process and communicate the experimental or analytical outcomes should be explored.

This research paper maps the scope and use of video for data collection, describes the qualities and features of the video software Ashampoo Snap 9 as a research tool for collecting data, and outlines some of the potential of video, as well as the challenges and considerations it raises for digital research and its use in digital forensic case work.

Full paper available on request

Reference

Evans, C; West, R; Gartner, N; Barton, W; Al Amri, S; Morris, S; (2016) "Enhancing Analysis and Research note taking in digital forensics using video capture software", Proceedings from 5th Cyberforensics, Cranfield University, UK

Forensic Implications of the Intel Compute Stick

C. Frewin, S. Morris

Abstract

Mobile computing is not a new phenomenon; small portable computing devices have been around for over 10 years (Poslad 2009). The development of these devices has become increasingly sophisticated: they now contain the component parts of a computer instead of just the files for an operating system that is bootable using a host machine (Microsoft 2012). The Intel Compute Stick is one such device and can be connected to a television or monitor via the HDMI port commonly found on the rear of these display devices. Inside, it contains all the components a typical desktop or laptop PC would have and is capable of running the popular Windows operating systems along with Linux (Intel 2016).

The Intel Compute Stick’s small size and portability make it ideal for covert usage in a variety of scenarios; for example, offenders could pass the device between themselves to view unlawful content or exchange covert communications. This paper evaluates the forensic implications of this technology: it examines what the device is, asks how it can reliably be forensically imaged and examines some of the interactions that take place between the device and the environment in which it is used.

The purpose of this is to provide investigators with a greater understanding of how these types of devices can be examined and what types of artefacts can be recovered from them. It also seeks to demonstrate to first responders how such devices could potentially be overlooked in the evidence identification stage of a crime scene examination.

Full paper available on request

Reference

Frewin, C; Morris, S; (2016) "Forensic Implications of the Intel Compute Stick", Proceedings from 5th Cyberforensics, Cranfield University, UK

Forensic Artefacts Found Whilst Using Pokémon Go On A iOS Device

M. Hadgkiss, S. Morris

Abstract

Since its release on July 6, Pokémon Go has secured millions of mobile users on both iOS and Android platforms. Pokémon Go is an augmented reality application that relies on a mobile device’s location in order to capture, battle and train virtual characters. It has become the most downloaded game ever, and its daily users have exceeded those of Facebook and Twitter, highlighting the significant number of users this application has.

Due to this mass popularity and the game's short existence, many issues and concerns have been discovered with Pokémon Go. Before gameplay can commence, users have to agree to very open and intrusive privacy policy terms, allowing access to most smartphone device features, including the device's location and camera. This means data can be recorded constantly whilst the application is being used, which raises questions about the safety and security of the device. There have also been implications when launching Pokémon Go through a pre-existing Google account: in some cases, for iOS users, full access to the Google account used to set up Pokémon Go was granted. This highlights the need for digital forensic research on this application.

The experiments are primarily focused on simulating actual game play. They therefore begin with the creation of the Pokémon account by logging in through a Google account, then progress to catching various different Pokémon and collecting from many Pokéstops on the iPhone SE. The experiments have been conducted at different locations.

The Pokémon Go forensic artefacts that have been acquired are discussed and evaluated in the results section.

Full paper available on request

Reference

Hadgkiss, M; Morris, S; (2016) "Forensic Artefacts Found Whilst Using Pokémon Go On A iOS Device", Proceedings from 5th Cyberforensics, Cranfield University, UK

Investigating the Cloud: Amazon EC2 Client

Z. Mustafa, P. Nobles, A. Maddison Warren, S. Morris

Abstract

Cloud forensics is the application of digital investigation processes in the Cloud with the aim of extracting evidence that can be used in a court of law. Traditional digital forensics and Cloud forensics differ on many levels, especially in terms of access to evidence. In Cloud computing, data are stored remotely and users have limited control over the Cloud infrastructure and over where data are stored. This poses a problem for digital investigation. To access information on a Cloud user, the investigator may require the cooperation of the Cloud Service Provider (CSP). This has potential challenges such as jurisdiction, the integrity of information from the CSP and the privacy of other cloud users using the same CSP.

Part of the solution to this challenge is to investigate the Cloud user by examining the user’s device. This may provide some information that can be used as evidence, and it may also be used to establish a link between a user and a public Cloud. The evidence can then be used by the investigator to request further information on the user from the CSP.

This paper focuses on the potential sources of evidence left behind by a cloud user on a computer that has been used to access the Amazon Elastic Compute Cloud (EC2). It describes how a user can create a Windows instance using an EC2 account and how to connect to the instance using Remote Desktop Protocol (RDP). It identifies the sources of evidence and discusses the artefacts found. These can help forensic investigators narrow down the search area, which in turn will reduce evidence identification time. The limitations of this research also identify areas that need further work.

Full paper available on request

Reference

Mustafa, Z; Nobles, P; Maddison Warren, A; Morris, S; (2016) "Investigating the Cloud: Amazon EC2 Client", Proceedings from 5th Cyberforensics, Cranfield University, UK

Analysis and recovery of Android Wear geo-location forensic artefacts using Google Fit

G. Seba, S. Morris

Abstract

Recovery and interpretation of geo-location data stored on Android wearable devices such as smartwatches is an emerging field of contemporary mobile forensics. This data can include not just GPS coordinates such as latitude, longitude and altitude, but also precise timestamps associated with specific geographical coordinates. Given the growing use of fitness tracking apps on smartwatches that use the embedded GPS sensor of the device, these data can be very useful in a forensic investigation.

In this paper we present how Google Fit structures geo-location data, where it is stored on the smartwatch, how it is encoded and how synchronisation and interaction with a paired phone impacts the storage of geo-location data on the wearable device. Our research found that deleting all Google Fit history does not delete the GPS coordinates stored on the smartwatch. On the contrary, new records containing geo-location data are appended to the list of old, supposedly deleted records.

Furthermore, we present a method of automating the extraction and decoding of Google Fit geo-location data from an Android smartwatch that generates a Keyhole Markup Language (KML) file, which can then be loaded into Google Earth to visualise the GPS coordinates as routes with associated timestamps.

Full paper available on request

Reference

Seba, G; Morris, S; (2016) "Analysis and recovery of Android Wear geo-location forensic artefacts using Google Fit", Proceedings from 5th Cyberforensics, Cranfield University, UK