From the Editor-in-Chief - Journal of Digital Forensics, Security and Law
Volume 7, Number 3 (2012)

Journal of Digital Forensics, Security and Law, Vol. 7(3)

Editorial Board

Editor-in-Chief: Gary C. Kessler, Embry-Riddle Aeronautical University, Florida, USA
Associate Editor-in-Chief: Marcus K. Rogers, Purdue University, Indiana, USA

Section Editors
  Digital Forensics: Gregg Gunsch, Defiance College, Ohio, USA; Scott Inch, Bloomsburg University, Pennsylvania, USA
  Cyber Law: Erin Kenneally, Univ. of California San Diego, California, USA; Nigel Wilson, The University of Adelaide, South Australia, Australia
  Information Security: David Dampier, Mississippi State University, Mississippi, USA; Daniel P. Manson, Cal Poly Pomona, California, USA
  Science of Digital Forensics: Fred Cohen, California Sciences Institute, California, USA; Simson Garfinkel, Naval Postgraduate School, California, USA
  Book Review: Jigang Liu, Metropolitan State University, Minnesota, USA
  Technology Corner: Nick V. Flor, University of New Mexico, New Mexico, USA

Regional Editors
  Australia: Craig Valli, Edith Cowan University, Western Australia, Australia
  Europe/UK: Denis Edgar-Neville, Canterbury Christ Church Univ., Canterbury, UK
  Latin America: Pedro Luís Próspero Sanchez, University of Sao Paulo, Sao Paulo, Brazil
  Mid-East and Africa: Andrew Jones, Khalifa Univ. of Science, Technology & Research, Sharjah, United Arab Emirates
  Mid-East/Israel: Eli Weintraub, Afeka Tel Aviv Academic College of Engineering, Tel Aviv, Israel

Editorial Board Members
  Ibrahim Baggili, Zayed University, Abu Dhabi, United Arab Emirates
  David P. Biros, Oklahoma State University, Oklahoma, USA
  Philip Craiger, Daytona State College, Florida, USA
  Glenn S. Dardick, Longwood University, Virginia, USA
  Fred C. Kerr, Consultant, California, USA
  Linda K. Lau, Longwood University, Virginia, USA
  Wei Ren, Chinese Univ. of Geosciences, Wuhan, China
  Jill Slay, Univ. of South Australia, South Australia, Australia
  Il-Yeol Song, Drexel University, Pennsylvania, USA
  John W. Bagby, The Pennsylvania State Univ., Pennsylvania, USA
  Bernd Carsten Stahl, De Montfort University, Leicester, UK

Copyright © 2012 ADFSL, the Association of Digital Forensics, Security and Law. Permission to make digital or printed copies of all or any part of this journal is granted without fee for personal or classroom use only and provided that such copies are not made or distributed for profit or commercial use. All copies must be accompanied by this copyright notice and a full citation. Permission from the Editor is required to make digital or printed copies of all or any part of this journal for-profit or commercial use. Permission requests should be sent to Editor, JDFSL, 1642 Horsepen Hills Road, Maidens, Virginia 23102 or emailed to [email protected].

ISSN 1558-7215

Call for Papers

The Journal of Digital Forensics, Security and Law has an open call for papers in, or related to, the following subject areas:

1) Digital Forensics Curriculum
2) Cyber Law Curriculum
3) Information Assurance Curriculum
4) Digital Forensics Teaching Methods
5) Cyber Law Teaching Methods
6) Information Assurance Teaching Methods
7) Digital Forensics Case Studies
8) Cyber Law Case Studies
9) Information Assurance Case Studies
10) Digital Forensics and Information Technology
11) Law and Information Technology
12) Information Assurance and Information Technology

Guide for Submission of Manuscripts

Manuscripts should be submitted through the JDFSL online system in Word format using the following link: http://www.jdfsl.org/submission.asp. If the paper has been presented previously at a conference or other professional meeting, this fact, the date, and the sponsoring organization should be given in a footnote on the first page. Articles published in or under consideration for other journals should not be submitted. Enhanced versions of book chapters can be considered. Authors need to seek permission from the book publishers for such publications.
Papers awaiting presentation or already presented at conferences must be significantly revised (ideally, taking advantage of feedback received at the conference) in order to receive any consideration. Funding sources should be acknowledged in the "Acknowledgements" section. The copyright of all material published in JDFSL is held by the Association of Digital Forensics, Security and Law (ADFSL). The author must complete and return the copyright agreement before publication. The copyright agreement may be found at http://www.jdfsl.org/copyrighttransfer.pdf. Additional information regarding the format of submissions may be found on the JDFSL website at http://www.jdfsl.org/authorinstructions.htm.

Contents

Call for Papers, p. 2
Guide for Submission of Manuscripts, p. 2
From the Editor-in-Chief, p. 4
The Science of Digital Forensics: Analysis of Digital Traces (Fred Cohen), p. 5
On the Development of a Digital Forensics Curriculum (Manghui Tu, Dianxiang Xu, Samsuddin Wira, Cristian Balan, & Kyle Cronin), p. 13
Automatic Crash Recovery: Internet Explorer's Black Box (John Moran & Douglas Orr), p. 33
Extraction of Electronic Evidence From VoIP: Identification & Analysis of Digital Speech (David Irwin, Arek Dadej, & Jill Slay), p. 55
To License or Not to License Updated: An Examination of State Statutes Regarding Private Investigators and Digital Examiners (Thomas Lonardo, Doug White, & Alan Rea), p. 83
Book Review: Dispute Resolution and e-Discovery (Garrie & Griver) (Milton Luoma), p. 111
Subscription Information, p. 115
Announcements and Upcoming Events, p. 117

From the Editor-in-Chief

Welcome to the third issue of Volume 7. We continue with our regular columns. The Digital Forensics as Science column contains a new installment by Fred Cohen about information physics. Milton Luoma provides a review of a book about e-discovery and conflict resolution. While slightly off the topic of computer forensics, the book touches on these two related -- but different -- legal problems. Finally, Nick Flor has part 2 of his Technology Corner article on automated data extraction using Facebook.

And, of course, we have four peer-reviewed papers in this issue. The first paper, "On the Development of a Digital Forensics Curriculum" (Tu, Xu, Wira, Balan, & Cronin), is a broad overview of the development of digital forensics curricula over the last ten years. The paper also reports on a survey about what tools are being used by practitioners and in the classroom.

"Automatic Crash Recovery: Internet Explorer's Black Box" (Moran & Orr) provides a detailed examination of IE's Web history contents. This paper pays particular attention to IE's Automatic Crash Recovery feature, a source of a great deal of information that is generally unknown to most users (meaning that they don't attempt to delete its contents) and to many computer forensic examiners (meaning that they don't look there for evidence).

The third paper, "Extraction of Electronic Evidence From VoIP: Identification & Analysis of Digital Speech" (Irwin, Dadej, & Slay), describes software intellectual property and methods with which one can determine whether a particular Android application is using code pirated from another app.
The Android's Java virtual machine architecture enables rapid app development but also allows straightforward ways to analyze -- and reverse engineer -- those apps.

Our final paper, "To License or Not to License Updated: An Examination of State Statutes Regarding Private Investigators and Digital Examiners" (Lonardo, White, & Rea), is an up-to-date glimpse of the status of state statutes requiring digital forensic examiners to be licensed as private investigators in order to practice. This issue is perhaps one of the most pressing for practitioners in our field.

We continue to actively solicit academic and practitioner papers and, in particular, look for papers with an international perspective. As always, we welcome feedback and comments about the Journal.

Gary C. Kessler, Ph.D., CCE, CISSP
[email protected]

Column: Analysis of Digital Traces
Fred Cohen

In part 1 of this series (Cohen, 2011a), analysis of digital traces is a foundational process by which the examiner, typically using computer software tools, comes to understand and answer basic questions regarding digital traces.

"Input sequences to digital systems produce outputs and state changes as a function of the previous state. To the extent that the state or outputs produce stored and/or captured bit sequences, these form traces of the event sequences that caused them. Thus the definition of a trace may be stated as: 'A set of bit sequences produced from the execution of a finite state machine (FSM).'" [1]

Starting with a bag of bits

As a fundamental, when handed some set of digital evidence, it is a good working assumption that the examiner doesn't know what it is other than the fact that it is a trace or traces. This is sometimes called a "bag of bits" to indicate that, other than the fact that it is composed of bits, the examiner really knows nothing more about it.
In cases where the examiner also performed collection, the details of the collection process may also be known, and so forth. The examiner may also rely on statements, paperwork, claims, and all manner of other things to put the bag of bits into context, but at the start of the examination, anything outside of the personal knowledge of the examiner [2] should be treated as speculative and subject to refutation.

Analysis is largely about performing computations on the bag of bits and related information to produce analytical products and derived traces. These products are then used to interpret, attribute, reconstruct, present, and otherwise work with the evidence for other examiners, lawyers, triers of fact, etc. But in order to do this, something about the bag of bits must support or refute hypotheses about what it contains.

Redundancy within and between the bag of bits

Redundancy is inherent in human and current computer language; it is fundamental to the notion of syntax and the ability to differentiate legitimate from illegitimate syntax, and without redundancy, reliability [3] cannot be assured. Fortunately, there is a great deal of redundancy in most digital traces. This redundancy comes in two general forms: internal redundancy (within) and external redundancy (between). Internal redundancy is present within the internal structure of bit sequences within the bag of bits.

[1] F. Cohen, "Digital Forensic Evidence Examination", 4th ed., 2012. Chapter 5 is used without further citation throughout this column and should be referred to for a more in-depth review of the subject matter.
[2] Note that knowledge is not the same as the other elements of the required basis for expertise in US courts: experience, training, skills, and education. Personal knowledge in this case is intended to imply only things the examiner did and saw.
For example, if the bag of bits contains a sequence of bits produced by a particular global positioning system (GPS) receiver, it might use the GPX format, [4] which uses an XML schema [5] and includes the name of the vendor and sequences of points in 4-dimensional space-time. Internal redundancy comes from the syntactic requirements of the language and the specific implementation of the device. In GPX, tags such as "<time>" and "</time>" surround ASCII text in the format "YYYY-MM-DDTHH:mm:ssZ". If the content includes the sequence "<time> 2012-05-10T17:35:23Z</time>", an examiner should readily recognize it as inconsistent with the internal format of these files, a type C (internal) inconsistency, [6] and doubt the reliability of the record. In this case, the inconsistency is that the implementation never places a space between the tags and the content. [7] Thus a header indicating the GPS type, combined with that syntax, is internally inconsistent.

External redundancy, also called "between" redundancy, relates the record to external information. For example, we can determine that GPS systems did not exist in 1901 and that therefore any record indicating a date and time of that era would be inconsistent with the external records. A date indicating "1901-23-49..." would be of the correct format but externally inconsistent, a type D inconsistency, and an examiner should readily doubt its reliability.

Thus, the examiner uses analysis methods to examine traces in light of the redundant nature of such traces to confirm or refute hypotheses about the content in context. In effect, the examiner uses analysis to place content in context and turn the bag of bits into one or more hypothesized meaningful expressions in a syntax associated with mechanisms that produce such sequences. In addition, the examiner uses analysis to exclude hypothesized event sequences and contexts based on type C and D inconsistencies.
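The following Python is an added example, not code from the column, that applies the two kinds of check described above to the <time> elements of a GPX fragment. The GPX fragment is constructed for the example; the strict device syntax (no whitespace inside the tags, exactly "YYYY-MM-DDTHH:mm:ssZ") and the cut-off year before which no receiver could have logged a fix are assumptions made here, not facts from the column.

```python
import re
from datetime import datetime, timezone

# Constructed GPX fragment (not a real device export). Point 1 is clean; point 2
# has a space between the tag and the content; point 3 has an impossible
# month/day; point 4 predates the existence of any GPS receiver.
SAMPLE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="Garmin Oregon 400t">
 <trk><trkseg>
  <trkpt lat="34.95" lon="138.60"><time>2012-05-10T17:35:20Z</time></trkpt>
  <trkpt lat="34.96" lon="138.61"><time> 2012-05-10T17:35:23Z</time></trkpt>
  <trkpt lat="34.97" lon="138.62"><time>1901-23-49T00:00:00Z</time></trkpt>
  <trkpt lat="34.98" lon="138.63"><time>1975-01-01T00:00:00Z</time></trkpt>
 </trkseg></trk>
</gpx>
"""

TIME_ELEMENT = re.compile(rb"<time>(.*?)</time>", re.DOTALL)

# Internal (type C) rule: the assumed device writes exactly this form, with no
# surrounding whitespace. This is the syntax of the trace, not of XML in general.
DEVICE_TIME_SYNTAX = re.compile(r"\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\Z")

# External (type D) rule: no receiver could have logged a fix before the first
# GPS satellite was launched (1978). The bound is an assumption for the example;
# choose the one that fits the device and the case at hand.
EARLIEST_PLAUSIBLE_YEAR = 1978


def classify_time(raw: bytes) -> str:
    """Return 'consistent' or a 'type C: ...' / 'type D: ...' verdict."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "type C: non-ASCII bytes inside <time>"
    if not DEVICE_TIME_SYNTAX.match(text):
        return "type C: violates device time syntax"
    try:
        ts = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        # Right shape, but no such date exists in the calendar.
        return "type D: no such calendar date"
    if ts.year < EARLIEST_PLAUSIBLE_YEAR:
        return "type D: predates GPS"
    return "consistent"


def check_gpx_times(gpx: bytes) -> list:
    """Classify every <time> element, keeping the raw bytes beside each verdict
    so the finding stays traceable to the original trace."""
    return [(m.group(1), classify_time(m.group(1))) for m in TIME_ELEMENT.finditer(gpx)]


if __name__ == "__main__":
    for raw, verdict in check_gpx_times(SAMPLE_GPX):
        print(f"{raw!r:32} {verdict}")
```

The syntax rule is anchored with \A and \Z rather than ^ and $ so that a trailing newline inside the element is also caught as a type C inconsistency; the calendar check is deliberately kept on the type D side, matching the column's classification of "1901-23-49".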
Turning the bag of bits into meaningful content in context

The manner in which examiners typically proceed short-circuits this, in that they typically start with assumptions and, unless the assumptions are obviously and dramatically violated, continue under them, even in the face of increasing evidence to the contrary. For example, using a tool like EnCase™, [8] an examiner might load a "disk image" [9] and start "analysis". EnCase might identify the disk image as containing a region with a Windows™ NTFS file system partition based on the content of the first 512 bytes of the disk image, assuming that region of the image to be a "partition table", and attempt to analyze that region of the disk as if it were such a file system. As long as this process seems to produce sensible results, the examiner will typically ignore all other possibilities and proceed on that basis. The tool uses designer assumptions to do an analysis, interpret the results of that analysis, and present those interpretations under the set of assumptions provided by the designer and the user, typically doing so implicitly rather than explicitly. The user typically sees only the presentation of interpreted analysis results and, if desired, can drill down into the presentation of the interpreted bases in traces for those results.

[3] Reliability relates to the extent to which a record reflects the reality it purports to reflect.
[4] See: http://en.wikipedia.org/wiki/GPS_eXchange_Format
[5] See: http://www.w3.org/XML/Schema
[6] Details of Type C and D are in "Digital Forensic Evidence Examination", ibid.
[7] E.g., a GPX file produced by a Garmin Oregon 400t hand-held GPS unit.
An example of a misinterpretation based on analytical assumptions presented to an examiner by EnCase [10] was the presentation of a date and time indicating that a document was written in the middle of the Atlantic Ocean when in fact it could not have been produced there. [11] In this particular case, the erroneous interpretation and representation was the result of a shift between daylight saving and standard time between the date used by the examiner (the date present at the beginning of the records under examination) and the dates associated with the specific file under examination. In the same case, automated analysis also ignored the second of pairs of date and time stamps within files where there were differences between those dates and times indicative of different time bases in different systems.

All current tools that perform automated analysis, interpretation, and presentation produce these sorts of results, and it is the job of the modern examiner to understand this. In particular, it is important for the examiner to understand the specifics of the analytical process, examine the results of analysis against the original traces and methods used, and recognize inconsistencies leading to false interpretation and presentation. The presence of these sorts of faulty assumptions and mechanisms in these tools does not by itself make the results invalid. It does, however, put the onus on the examiner to understand the limits of their tools.

[8] This is one of the most popular and commonly used tools in digital forensics today and is produced by Guidance Software.
[9] Typically a representation of the bit sequence found on a disk drive or partition within a disk drive.
[10] There is no intent to disparage this product as opposed to others; it is only a popular example.
[11] United States v. Bayly, et al., United States District Court, Southern District of Texas, case no. Cr. No. H-03-363.
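As an added illustration of the daylight-saving error described above, the following Python reproduces the mechanism in general form: one offset derived from the first record of a case and applied to every later timestamp, compared with the offset actually in force at each instant. This is example code, not from the column or the cited case; the US Central Time rule coded here is the one in force since 2007 and, together with the constructed dates, is an assumption of the example.

```python
from datetime import datetime, timedelta, timezone


def _nth_sunday(year: int, month: int, n: int) -> int:
    """Day of month of the n-th Sunday (Python weekday(): Monday=0 ... Sunday=6)."""
    first_weekday = datetime(year, month, 1).weekday()
    return 1 + (6 - first_weekday) % 7 + 7 * (n - 1)


def parse_utc(text: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string (the form most logs and tools emit)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def central_offset_hours(utc_text: str) -> int:
    """UTC offset of US Central Time at the given UTC instant.

    Assumption for the example: the US rule in force since 2007, i.e. daylight
    saving runs from 02:00 CST on the second Sunday of March (08:00 UTC) to
    02:00 CDT on the first Sunday of November (07:00 UTC).
    """
    t = parse_utc(utc_text)
    start = datetime(t.year, 3, _nth_sunday(t.year, 3, 2), 8, tzinfo=timezone.utc)
    end = datetime(t.year, 11, _nth_sunday(t.year, 11, 1), 7, tzinfo=timezone.utc)
    return -5 if start <= t < end else -6


def to_local(utc_text: str, offset_hours: int) -> str:
    """Render a UTC instant as wall-clock time under the given fixed offset."""
    local = parse_utc(utc_text) + timedelta(hours=offset_hours)
    return f"{local:%Y-%m-%d %H:%M} UTC{offset_hours:+03d}:00"


def tool_style_local(case_start_utc: str, file_utc: str) -> str:
    """What a tool shows when it derives one offset from the first record of
    the case and applies it to every later timestamp."""
    fixed_offset = central_offset_hours(case_start_utc)
    return to_local(file_utc, fixed_offset)


def correct_local(file_utc: str) -> str:
    """Per-instant offset: the wall-clock time actually in force for that file."""
    return to_local(file_utc, central_offset_hours(file_utc))


if __name__ == "__main__":
    # Constructed case: records begin in January (standard time); the file of
    # interest is stamped in July (daylight time). Same instant, one hour apart.
    case_start, stamp = "2010-01-15T12:00:00Z", "2010-07-04T18:30:00Z"
    print("tool   :", tool_style_local(case_start, stamp))   # 2010-07-04 12:30 UTC-06:00
    print("correct:", correct_local(stamp))                  # 2010-07-04 13:30 UTC-05:00
```

Both strings denote the same instant; only the wall-clock rendering differs, which is exactly the kind of discrepancy that, combined with an assumed location, can place a document where it could not have been written. For real casework the rule table (including pre-2007 US transitions and the zone the machine was actually set to) has to come from the evidence, not from a constant.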
Analytical methods

There are a relatively small number of well understood, published, and peer reviewed analytical methods used in digital forensics today. They generally fall into the set of areas outlined here, and differ between structured content (i.e., following specific rules for syntax and typically produced by fully automated mechanisms based on digital data) and unstructured content (i.e., the result of codification of naturally occurring phenomena into digital representations, such as digital photographs or sound recordings).

Feature and characteristic detection and analysis

Based on assumptions and hypotheses regarding the bag of bits, and subject to refutation at any time, traces are parsed into syntactic structures and the particular elements within those structures. This is a finitely recursive process of identifying a context (i.e., a characteristic), identifying content (i.e., features) within that context, and then treating the content as context for further feature and characteristic detection and analysis. For structured content, characteristics like the document type and its syntax form the context for identifying features like combinations of words used within it and types of spelling errors, if any. In the unstructured content arena, characteristics like the arrangement of pixels in a two-dimensional grid contained within a graphical image are treated as context for extracting and analyzing features, such as areas that look like eyes, tables, or grass. Recursively, sentences may be analyzed for language, syntax, spelling, sentence structure, word usage, and so forth, and eyes in a picture may be analyzed for presence within a face, number and placement, eye color, and so forth. The resulting recursive structures may be further analyzed for consistency with internal or external records, such as whether any people have 5 eyes, or when capitalization is normally used.
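The following Python is an added example, not code from the column, of the recursive context-to-feature process applied to structured content: the symbol set found at one level becomes the context for line structure, line structure for a delimiter, and the delimiter for field structure, each level recorded as a refutable hypothesis. The three inputs are constructed for the example, and the candidate delimiter list and the call-record layout are assumptions.

```python
CANDIDATE_DELIMITERS = (",", "\t", ";", "|")

# Constructed inputs (not real evidence): a call-record export, an XML-like
# fragment, and a few bytes of something binary.
SAMPLE_CDR = (
    b"2012-05-10T17:35:20Z,5555550101,5555550199,120\r\n"
    b"2012-05-10T18:02:05Z,5555550199,5555550101,7\r\n"
    b"2012-05-11T09:15:44Z,5555550101,5555550142,3600\r\n"
)
SAMPLE_XML = b'<gpx version="1.1" creator="Garmin Oregon 400t">\n <time>2012-05-10T17:35:20Z</time>\n</gpx>\n'
SAMPLE_BINARY = b"\x00\x00\x01\xff\xd8MZ\x90"


def type_trace(blob: bytes) -> dict:
    """Hypothesize the type of a bag of bits one level at a time.

    Each level's finding (symbol set, line structure, delimiter, field widths)
    is the context for the next level. Every entry is a hypothesis that later
    evidence may refute; nothing here is a claim about the producing device.
    """
    info = {"size": len(blob)}

    # Level 1: symbol set. Only 7-bit printable ASCII plus TAB/LF/CR counts as text.
    info["ascii"] = all(b < 0x80 for b in blob)
    info["printable"] = bool(blob) and all(
        0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in blob
    )
    if not info["printable"]:
        info["hypothesis"] = "binary or non-ASCII; do not parse as text"
        return info
    text = blob.decode("ascii")

    # Level 2: line structure, given that it is text.
    info["line_ending"] = "CRLF" if "\r\n" in text else ("LF" if "\n" in text else None)
    lines = [ln for ln in text.splitlines() if ln]
    info["lines"] = len(lines)

    # Level 3: delimiter, given lines. Accept a candidate only if every line
    # contains it the same (non-zero) number of times.
    info["delimiter"] = None
    for cand in CANDIDATE_DELIMITERS:
        counts = {ln.count(cand) for ln in lines}
        if len(counts) == 1 and next(iter(counts)) > 0:
            info["delimiter"] = cand
            break
    if info["delimiter"] is None:
        info["hypothesis"] = "markup-like text" if text.lstrip().startswith("<") else "free text"
        return info

    # Level 4: field structure, given a delimiter. A column whose width never
    # varies is a fixed-length field; the others are variable-length.
    rows = [ln.split(info["delimiter"]) for ln in lines]
    info["fields"] = len(rows[0])
    widths = [{len(row[i]) for row in rows} for i in range(info["fields"])]
    info["fixed_width"] = [len(w) == 1 for w in widths]
    info["hypothesis"] = "line-oriented delimited records"
    return info


if __name__ == "__main__":
    for name, blob in (("cdr", SAMPLE_CDR), ("xml", SAMPLE_XML), ("bin", SAMPLE_BINARY)):
        print(name, type_trace(blob))
```

The point of returning every intermediate finding rather than only the final label is that a later inconsistency (say, a line with one field too many) can be tied to the exact level at which the hypothesis was formed and refuted there.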
Symbol set identification

Part and parcel of the analysis process is the assumption and validation of symbol sets. For example, XML is generally composed of characters from ASCII (or an ASCII-compatible encoding such as UTF-8), excluding select byte codes and forcing other byte codes (e.g., the code for "<") to be used only in specific ways and in specific places. Identifying symbol sets is vital to parsing and to differentiating internal and external consistencies. Structured and unstructured content are generated from and analyzed to produce symbolic representations. The symbol sets of representations act to define and restrict the analytical framework, and inconsistencies with the analytical framework above base rates are strong indicators of an error in the assumptions or hypotheses of the analysis process.

Trace typing

Based on symbol set identification, trace typing is done to identify the specific type of the trace. Typically, this can exist at many levels, such as determining that content is consistent with ASCII text, in a line-oriented format with fields separated by commas, containing fixed and variable length fields, etc. This can be used to hypothesize about the mechanisms associated with the trace, for example, if the trace is typed to a particular version of a particular device. This may then be used to perform other analysis under the assumptions regarding the operation of the mechanisms known to produce these types of traces.

Parsers, search methods, and related mechanisms

Search is one of the mainstays of digital forensic analysis. In its essence, search looks for patterns within bit sequences. Well known and longstanding methods for computerized search have been studied over many years, and they are applied to look for exact sequence matches and regular expressions. Other sorts of search are far rarer, but in the broad sense, parsers may also be used for search.
In this case, finite state machines (FSMs) are run against sequences of bits to identify symbol structures within the syntax assumed for parsing. They typically produce parse trees that are then analyzed further to identify content of interest, or the elements are placed in databases for subsequent searching and analysis.

Normalization and derived traces

Rather than trying to specify all the ways in which the same content may be expressed, normalization is used to translate traces into derived traces that reflect a standardized form of the content. For example, all ASCII coded characters may be mapped into lower case characters so that searches may proceed regardless of the case of the lettering. Similarly, "Jim", "James", "Jimmy", "Jimbo", and "[email protected]" might be mapped into "James" as normalization and placed into a derived trace so that searches for the named individual will find all of those forms. Times and dates may all be translated into YYYY-MM-DDTHH:mm:ss.dddd format, while multiple spaces, tabs, or other whitespace separators may be translated into a single space. The list goes on and depends on notions of equivalence or similarity in syntax and semantics.

Similarity analysis and related methods

Similarity analysis is based on some definition of relationships between traces. The relationship is codified in a metric which is then measured between different traces. The result of applying the metric is then used to establish similarity relative to that metric. For example, two email messages may be similar in size if they contain the same number of bits. Multiple relationship metrics may be applied to establish a set of factors that are similar between sets of bit sequences, so that groups of traces are identified as similar or dissimilar to a given level with respect to the defined relationship metric.
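The following Python is an added example, not code from the column, of the normalization described above (case folding, whitespace collapsing, name aliasing, canonical timestamps) built so that the derived trace keeps every normalized element linked to the span of the original it came from. It goes slightly beyond the column's list by also reducing an e-mail address to its local part before alias lookup. The alias table, the two date forms, the message text, and the address jimmy@example.org are constructed assumptions for the example.

```python
import re
from datetime import datetime

# Assumed alias table for the example: every spelling maps to one canonical name.
ALIASES = {"jim": "james", "jimmy": "james", "jimbo": "james", "james": "james"}

# Date forms recognized for the example, each with its strptime pattern.
DATE_FORMS = (
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "%m/%d/%Y"),
    (re.compile(r"\b[A-Z][a-z]+ \d{1,2}, \d{4}\b"), "%B %d, %Y"),
)
CANONICAL_TIME = "%Y-%m-%dT%H:%M:%S"

# A token is a run of name/number characters, optionally joined by '.' or '/'
# (so an address or a date stays whole but trailing punctuation is left out).
TOKEN = re.compile(r"[A-Za-z0-9@_-]+(?:[./][A-Za-z0-9@_-]+)*")

# Constructed message (not real evidence).
SAMPLE = ("Jimbo  called  Jim\tabout the wire on 5/10/2012;\n"
          "James confirmed on May 11, 2012 from jimmy@example.org.")


def normalize(text: str) -> list:
    """Build a derived trace: a list of (start, end, original, normalized).

    start/end index the original text, so any hit on the normalized form can be
    shown against the exact characters it was derived from.
    """
    records, date_spans = [], []
    # Pass 1: dates, which may span several whitespace-separated tokens.
    for pattern, fmt in DATE_FORMS:
        for m in pattern.finditer(text):
            try:
                stamp = datetime.strptime(m.group(0), fmt)
            except ValueError:
                continue  # looked like a date but is not one; leave it to pass 2
            records.append((m.start(), m.end(), m.group(0), stamp.strftime(CANONICAL_TIME)))
            date_spans.append((m.start(), m.end()))
    # Pass 2: everything else, case-folded and alias-mapped. Whitespace of any
    # kind or amount disappears because tokens, not separators, are kept.
    for m in TOKEN.finditer(text):
        if any(s <= m.start() < e for s, e in date_spans):
            continue
        key = m.group(0).lower()
        local_part = key.split("@", 1)[0]  # jimmy@example.org -> jimmy
        records.append((m.start(), m.end(), m.group(0), ALIASES.get(local_part, key)))
    records.sort()
    return records


def derived_text(records: list) -> str:
    """The normalized trace as a single-spaced string (what a search runs over)."""
    return " ".join(norm for _, _, _, norm in records)


def find(records: list, term: str) -> list:
    """Original spans whose normalized form equals term: a search result that
    is traceable back to the source trace."""
    return [(s, e) for s, e, _, norm in records if norm == term]


if __name__ == "__main__":
    recs = normalize(SAMPLE)
    print(derived_text(recs))
    for s, e in find(recs, "james"):
        print(s, e, repr(SAMPLE[s:e]))
```

A search for "james" over the derived trace returns four hits, and each hit resolves to the literal "Jimbo", "Jim", "James", or "jimmy@example.org" in the original; that back-link is what distinguishes a forensic derived trace from a throw-away lowercased copy.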
Time sequencing, travel patterns, and related methods

Analysis of time, movement, and event sequencing is particularly interesting in digital forensics because of the desire to establish what happened when and the availability of a very rich set of records relating time at varying precision and accuracy. While timestamps may record time and date to the second or millisecond, the basis for those times relative to the events at issue is somewhat more dubious. For example, an accurate record of the execution of a program to the nearest second is commonly available, but the process of execution may have lasted for a period of minutes, hours, or days. Understanding what the timestamp actually reflects in terms of that execution may not be provided by the timestamp. Most analysis today simply sorts by time and provides the ordered list of identified records, but this is often misleading in terms of the actual event sequence or relevance. Time sequences are often used to establish travel patterns, such as sequences of credit card transactions at different retail outlets being used to establish that the person using the credit card went from place to place, or was or was not capable of being at a particular place at a particular time. But analysis is not attribution.

Anchor events

Anchor events are events external to the traces that can act to tie the traces down to externalities. For example, if a message contains bit sequences that are typically associated with external systems, events in those external systems may be used to anchor the events asserted to be related to the records reflected in the traces. Traces produced by electronic mail processes typically include sequences of bits that include "Received:" headers reflecting timestamps added by mail transfer agents in the path from origination to destination.
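The following Python is an added example, not code from the column, of reading a Received: chain as a sequence of time records: it orders the hops from origin to destination, computes the transit time each pair of timestamps implies, flags hops whose clock runs backwards relative to the previous hop, and marks as anchors only the hops stamped by a host the examiner can vouch for. The message, the host names, and the choice of mail.example.org as the trusted host are constructed assumptions.

```python
import email
from email.utils import parsedate_to_datetime

# Constructed message (not real evidence). Received: headers are prepended by
# each MTA, so the top one is the last hop. The middle MTA's clock is behind.
RAW_MESSAGE = """Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mail.example.org with ESMTP id 4fabc123;
    Thu, 10 May 2012 17:40:12 +0000
Received: from smtp.example.com (smtp.example.com [198.51.100.5])
    by mx2.example.net with ESMTP;
    Thu, 10 May 2012 13:38:50 -0400
Received: from client.example.com ([203.0.113.7])
    by smtp.example.com with SMTP;
    Thu, 10 May 2012 20:45:00 +0300
From: sender@example.com
To: recipient@example.org
Subject: wire confirmation

body
"""


def received_hops(raw: str) -> list:
    """Parse Received: headers into hops, oldest first.

    Each hop is a dict with the 'from' and 'by' hosts and an aware datetime
    taken from the date clause after the last ';'.
    """
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        clause, _, date_text = header.rpartition(";")
        words = clause.split()  # split() also removes the folding whitespace
        hop = {"from": None, "by": None, "time": parsedate_to_datetime(date_text.strip())}
        for key in ("from", "by"):
            if key in words:
                hop[key] = words[words.index(key) + 1]
        hops.append(hop)
    return hops


def transit_seconds(hops: list) -> list:
    """Seconds between consecutive hop timestamps; negative means a clock ran backwards."""
    return [int((later["time"] - earlier["time"]).total_seconds())
            for earlier, later in zip(hops, hops[1:])]


def anchor_report(hops: list, trusted_hosts: set, tolerance: int = 60) -> dict:
    """Separate usable anchors from suspect hops.

    A hop is an anchor only if its 'by' host is one the examiner can vouch for.
    A hop whose timestamp precedes the previous hop's by more than the tolerance
    shows that at least one of the two clocks is unreliable.
    """
    suspect = []
    for (earlier, later), delta in zip(zip(hops, hops[1:]), transit_seconds(hops)):
        if delta < -tolerance:
            suspect.append((earlier["by"], later["by"]))
    anchors = [h["by"] for h in hops if h["by"] in trusted_hosts]
    return {"anchors": anchors, "suspect": suspect}


if __name__ == "__main__":
    hops = received_hops(RAW_MESSAGE)
    for hop, delta in zip(hops[1:], transit_seconds(hops)):
        print(f"{hop['from']:>20} -> {hop['by']:<18} {hop['time'].isoformat()}  {delta:+d}s")
    print(anchor_report(hops, {"mail.example.org"}))
```

The timezone offsets are normalized by the comparison itself (aware datetimes compare as instants), so the negative transit between smtp.example.com and mx2.example.net is a real clock disagreement, not a zone artifact. Only the stamp from mail.example.org, the host the examiner operated, is treated as an anchor; the other stamps bound the message's passage relative to it but cannot be vouched for on their own.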
By finding records of other messages passing through the same external MTAs in the same time frame, and when those records' timestamps are independently determined to be reliable (e.g., by the examiner having operated the systems that allow timestamps to be validated as reliable), those anchor events provide external context that can be used in analysis.

Building sieves and counting things

Many examinations involve producing counts of various things. For example, a count of how many times a particular telephone number appeared in a log of calls made by a suspect might be relevant to establishing that a relationship existed between two parties or their phone numbers. Many other things are counted in analysis, and this is an area where computers are particularly useful and reliable, if properly applied. In order to count things, computers typically sieve in or out the things of interest or non-interest, leaving the sieved portion of the traces to be counted. For example, to find the number of times two phone numbers communicated with each other when the individuals associated with those phone numbers were known to be in different cities, a sieve might be produced to extract the relevant phone records and the results counted. Note that such a sieve is not typically available off-hand, and the examiner is typically called upon to build it. Once built, many examiners share the details of their methods with others and thus build up, over time, a library of partial solutions to analytical problems that they reuse or alter for another purpose.

Presentation and human cognitive analysis

The human visual cortex and brain are far better at rapidly detecting certain classes of patterns than computers. As a result, one of the most common analytical techniques is to produce a graphical image reflective of a set of traces relative to a context and have the examiner identify things of interest to the matter at hand.
An example of this is in the analysis of graphical depictions of patterns of communications between groups, where people very quickly identify "key players" once the data is presented in an amenable manner. Similarly, when experts examine things like email headers, they rapidly detect things that "just don't look right", and can often explain them once seen. After this has been done a number of times, there is a tendency for someone to come up with automation to perform such analysis, and the automation of the analysis area largely grows by turning human cognitive methods into automated programs to perform the same or similar functions without the dependency on human judgment, and with repeatability and scalability that far exceed what people can do.

Traceability to original traces

A final critical factor in analysis is that analytical results are normally traceable directly to the specific traces associated with those results. Thus, unlike programs that merely sort times, a forensic analysis of times associated with traces will ultimately have to be shown to relate the sorted times to the traces used to produce those times. Derived traces therefore need to link back to their origins, normalization requires association with the original traces that were normalized, and so forth.

A final comment

This description of analysis and its methods is not comprehensive, but it may be a reasonable starting point. To the extent that many things are missed in this description, other works attempt to be more comprehensive. [1] But this is a growing and evolving field, and more is better when it comes to identifying methods that have been applied, studied, tested, and published. As always, we welcome your expansion of the art and science and of our lists of the elements of those.
In our ongoing efforts to define and detail the science and art of digital forensics, standard terminology and common understandings have been found to be an important and largely unfulfilled need. [12] But findings also indicate that by starting to use common words we produce common understandings and consensus around the issues of the emerging science. By describing the field as a whole, and in this short piece the elements of analysis, we hope to bring about a unified language and understanding of the field that will help the emerging science to form and the practitioners of the art to communicate and operate as scientists. But consensus does not come from me telling you what to think or how to say it. It comes from increasing numbers of members of the field adopting common definitions, terminology, and methodology, applying it themselves, and demanding it of others. This is up to you as my readers to decide. As always, feedback helps, and we welcome it. Add your voice to the consensus by responding to this editorial with your views.

[12] F. Cohen, "Update on the State of the Science of Digital Evidence Examination", Conference on Digital Forensics, Security, and the Law, 2012.

On the Development of a Digital Forensics Curriculum

Manghui Tu [1], Department of Computer Information Technology and Graphics, Purdue University Calumet
Dianxiang Xu, College of Business and Information Systems, Dakota State University, USA
Samsuddin Wira, Department of Public Service, Malaysia
Cristian Balan, Computer and Digital Forensic Program, Champlain College
Kyle Cronin, College of Business and Information Systems, Dakota State University, USA

Abstract

Computer crime and computer-related incidents continue their prevalence and frequency, resulting in losses approaching billions of dollars.
To fight against these crimes and frauds, it is urgent to develop digital forensics education programs to train a suitable workforce that can effectively investigate computer crimes and incidents. There is presently no standard to guide the design of a digital forensics curriculum for an academic program. In this research, previous work on digital forensics curriculum design and existing education programs are thoroughly investigated. Both digital forensics educators and practitioners were surveyed and the results were analyzed to determine the industry and law enforcement need for skills and knowledge in their digital forensic examiners. Based on the survey results and the topics that make up certificate programs in digital forensics, topics that are desired in digital forensics courses are identified. Finally, based on the research findings, six digital forensics courses and their required topics are proposed to be offered in both undergraduate and graduate digital forensics programs.

[1] Corresponding author. Tel: +1 219 989 3253, Email: [email protected]

Keywords: Digital Forensics, curriculum, survey, undergraduate program, graduate program

1. INTRODUCTION

With continuing advances of computer and Internet technology, the use of digital devices has become embedded in our business and personal lives (Rogers, 2003; Rogers & Seigfried, 2004). For example, communication using email and online chat has become ubiquitous. Businesses and organizations use computer systems and the Internet for e-commerce, business communication, and internal management. Society is so dependent on computers and Internet technologies that the Internet infrastructure has become the foundation of communications, banking, healthcare, transportation, warfare, etc. (Berghel, 2003; Huebner, Ben, & Ruan, 2008; NIPC, 2003).
Given its high impact on our society, the computing infrastructure has become the target of criminals, fraudsters, and terrorists (Berghel, 2003; Huebner et al., 2008; NIPC, 2003; Wolf, 2009). In recent years, many criminals have employed computers and computer programs to commit sophisticated financial frauds (Singleton, Singleton, Bologna, & Lindquist, 2006), and more and more hackers attack the computing infrastructure for various reasons (CERT, 2003, 2006; Huebner et al., 2008; Kessler & Haggerty, 2008; Kessler & Schirling, 2006; Rogers, 2004; Wolf, 2009). Computer crime and computer-related incidents continue their prevalence and frequency (CERT, 2003, 2006) and result in billions of dollars in losses (Singleton et al., 2006), which makes it urgent to build a suitable workforce that can contain, prevent and prosecute these crimes, frauds, and attacks by effectively conducting digital investigations (Yasinsac, Erbacher, Marks, Pollitt, & Sommer, 2003). However, computer and Internet technologies are very complex and dynamic, which requires digital forensic practitioners to have appropriate knowledge and a wide set of skills (Carlton, 2007; Yasinsac et al., 2003). The U.S. Government Accountability Office (GAO) reported that there are many challenges in fighting computer crimes and attacks. Some examples include the lack of mechanisms to detect and report cyber-crimes, the lack of education or training standards to ensure adequate analytical and technical capabilities in law enforcement, and the lack of guidelines to implement information security practices and raise awareness (Carlton, 2007; Wolf, 2009). Key to addressing such challenges are a comprehensive forensics education, the development of better forensic techniques for forensics practitioners, and improved forensics and security awareness among users.
The computer forensics community is very concerned with the lack of education and training standards for its industry (Huebner et al., 2008; Kessler & Schirling, 2006; Rogers, 2004; Yasinsac et al., 2003). Until now, only a few efforts have been devoted to the development of digital forensics program guidelines (FEPAC, 2008; Huebner et al., 2008; NIST, 2007; Rogers, 2004; Yasinsac et al., 2003). The American Academy of Forensic Sciences (AAFS) has provided guidelines for forensic science education and training that were developed by the Forensic Science Education Programs Accreditation Commission in 2008 (FEPAC). These works only give general guidelines on digital forensic education and training, such as the number of credits needed, the core forensics topics that should be taught, etc. The National Institute of Standards and Technology (NIST) also published guidelines for forensic science education and training that were developed by the West Virginia University Forensic Science Initiative (NIST, 2007; West Virginia, 2007). NIST gave general guidelines for program development as well as detailed topics for digital forensics curriculum design. One such example is the student learning outcomes for 24 proposed courses amounting to 57 credit hours, including sample topics (West Virginia, 2007). This work can be an excellent guide for educational program development. However, it would be too expensive for education and training institutes to design an educational program strictly following these recommendations; 24 courses is a substantial number in an academic program. In fact, none of the existing educational and training programs has implemented such a large number of digital forensics courses. A recently revised program at Champlain College comprises 11 digital forensics courses, which is one of the more in-depth curricula in an undergraduate program.
There are some other guidelines for computer-related program development. The IEEE and ACM communities provide strong recommendations for computer-related program design and curriculum development, but say very little about computer forensics programs and their curricula (Liu, 2006). In the past few years, many more universities and colleges have started offering courses and even developing programs in computer forensics (Gottschalk, Liu, Dathan, Fitzgerald, & Stein, 2005; Huebner et al., 2008; Kessler & Haggerty, 2008; Kessler & Schirling, 2006; Lang, 1999; Liu, 2006; Troell, Pan, & Stackpole, 2003). Unfortunately, due to the lack of standards, the quality of some of these academic courses is suspect (Rogers, 2004). There are a few research works addressing computer forensics curriculum design (Berghel, 2003; Gottschalk et al., 2005; Kessler & Schirling, 2006; Liu, 2006; Rogers, 2004; Yasinsac, 2002; Yasinsac et al., 2003). Most of these programs in higher education contain general and survey courses on digital forensics topics (Gottschalk et al., 2005; Kessler & Schirling, 2006), others have modules or topics embedded in computer courses (Yasinsac et al., 2003), and few have a full, in-depth digital forensics curriculum to support an expanded program (Kessler & Schirling, 2006; Peterson, Raines & Baldwin, 2007). Some of the research works recommend courses that should be offered in digital forensic education or training programs (Kessler & Schirling, 2006; Liu, 2006). These works describe the design of digital forensics courses but do not clearly outline the specific learning modules that should be embedded in a digital forensics curriculum. Hence, we feel it is necessary to conduct a survey of the digital forensics education programs in the U.S. in order to develop a more detailed curriculum for digital forensics.
The work in West Virginia (2007) provides detailed topics for digital forensics curriculum design; however, its large number of digital forensics courses makes it difficult to implement in a college program. Therefore, there is an urgent need to identify which digital forensics topics are most needed, and then to create guidelines for a highly compact digital forensics curriculum. Digital forensics is multidisciplinary: it deals with the arrest, investigation, seizure, preservation, and storage of physical digital devices and objects. As such, digital forensics education is composed of a large set of topics (Berghel, 2003; Yasinsac et al., 2003). The objective of this research is to identify the most important topics that should be part of digital forensics courses as viewed by both practitioners and academics. For example, some programs focus on free and open source software (FOSS) tools, while forensics practitioners in the public sector prefer commercial software tools that have been accepted in the industry (Sam Houston State University, 2009). This raises the questions of which tools should be used in the academic classroom, and what skill level students should have with these tools. The average cyber-crime perpetrator tends to lack technical skills beyond those of a typical end user; however, hackers may commit a crime using sophisticated computer and Internet techniques (Berghel, 2003; Sam Houston State University, 2009; Yasinsac, 2002; Yasinsac et al., 2003). This leads to questions about the additional topics that should be covered beyond general forensics skills. Do future digital forensics practitioners need to know hacking methodologies and approaches? Should an ethical hacking course be part of a digital forensic program?
These and other topics should be carefully discussed and examined to ensure that future graduates of digital forensic programs and training are adequately prepared for this constantly changing professional field. In this research, some of the existing work on digital forensics curriculum design is first discussed. Then, a survey is presented of the courses offered by existing digital forensic programs, as evident from an analysis of course catalogs and syllabi. After that, we present the results of a survey of digital forensics educators and practitioners and the analysis of the different sets of questions and responses that were collected. The results of this survey were analyzed to support the proposed course modules. The main contribution of the research is to provide a list of modules for digital forensics courses and to identify the digital forensics analysis tools and software to be used in the laboratory environment in preparation for professional work in the field.

2. RELATED WORK

Yasinsac et al. (2003) proposed a model for digital forensics education and training. Their model illustrates digital forensics training based on the role of the digital forensics practitioner. It divides digital forensics practitioners into four roles, namely Computer Network Forensics Technician, Computer Network Forensics Policy Maker, Computer Network Forensics Professional, and Computer Network Forensics Researcher. The topics that are part of an education program are fundamentally different from those of a training program: an education program focuses on theory and knowledge, while a training program focuses more on practical skills and application. The authors of the model argue that an undergraduate program can ideally integrate topics that are found in both education and training programs. Troell et al. (2003) describe the development of an undergraduate and a graduate course in computer forensics.
The undergraduate course introduces the student to the basic tools and procedures of the field. The graduate course has the undergraduate course as a prerequisite and discusses advanced issues related to the analysis and presentation of evidence, as well as the customization and integration of available tools into standard operating procedures. It does not give a detailed guide to the specific topics, especially the practical use of tools and the skills, that would fit into forensics education programs. The High Tech Crime Consortium (HTCC) proposed an online certification program, which demonstrates the perspectives or competencies required of a graduate of a computer forensics program (Lang, 1999). Two programming courses, security concepts, system administration, web publishing, and two courses in computer forensics were recommended. Its main focus was on network and security topics, and students are not expected to learn practical skills and tools. Erbacher and Swart (2007) pointed out the need to integrate training and education topics in computer forensics education programs, but their main focus is on the managerial or administrative aspect of digital forensics. Other research works focus on the implementation of a computer forensics curriculum (Huebner et al., 2008; Kessler & Haggerty, 2008; Kessler & Schirling, 2006; Liu, 2006; Wassenaar, Woo, & Wu, 2009). Liu (2006) describes the design of the computer forensics undergraduate program at Metropolitan State University. Its curriculum is made up of forensics law and criminal justice topics and has a solid foundation in computer technologies. Huebner et al. (2008) summarize the computer forensic courses developed in Australia; however, a detailed computer forensics curriculum and the topics covered in these programs were not given.
Kessler & Haggerty (2008) focus on the online delivery of a computer forensics program in forensics management, while Kessler & Schirling (2006) give a very detailed description of a computer forensics curriculum that focuses largely on legal procedures. Wassenaar et al. (2009) give an overview of a computer forensics certificate program and list the series of courses included in the program, but do not provide details on the computer forensics topics and modules in these courses.

3. EXISTING AND PROPOSED DIGITAL FORENSICS COURSES

Champlain College was one of the first colleges to provide a comprehensive computer forensics program (Kessler & Schirling, 2006). The Champlain program offers a broad range of courses related to computer forensics, such as criminal justice, basic computer science courses, and some core computer forensics courses. The two computer forensics courses (Computer Forensics I and II) focus on the investigation of digital data following legal rules of evidence and forensics investigation procedures. Advanced topics such as anti-forensics and network forensics are introduced in the anti-forensics course, along with network security topics that are introduced in the network security course. Building on the success of its undergraduate program, Champlain College moved one step further by offering a Master's degree program (Kessler & Haggerty, 2008; Kessler & Schirling, 2006). This program concentrates on digital forensics investigation management and has a limited number of courses that include practical or hands-on training on computer technology.
Prominent digital forensics education programs have been developed at other universities, such as Metropolitan State University (Liu, 2006), Sam Houston State University (2009), Bloomsburg University of Pennsylvania, the University of Central Florida (Craiger, Ponte, Whitcomb, Pollitt, & Eaglin, 2007; UCF, 2010), and the University of Rhode Island (URI, 2012). These programs offer courses covering basic digital forensics investigation topics, and some of them offer unique courses. Sam Houston State University (2009) offers an excellent course on hardware forensics and file system forensics that covers different types of digital media, such as cell phones, and uses basic digital forensics tools such as a hex editor. Bloomsburg University of Pennsylvania offers courses focusing on various file systems and on searching for evidence in the Windows environment, as well as a course focusing on forensic analysis of small digital media, such as cell phones, PDAs, etc. At Bloomsburg, the primary tool for forensic analysis is EnCase. The University of Rhode Island probably offers the most comprehensive set of courses in digital forensics; they focus on forensic tool practice, network forensics, enterprise computer server forensics, and research topics in digital forensics. The University of Central Florida offers a unique course on forensic practice that focuses on the legal procedures of data acquisition, and a special track that gives the student courtroom experience. There are numerous educational digital forensics programs throughout the United States offering many courses that cover various topics, but each with a different focus. Many state laws in the United States require computer forensic expert witnesses and private investigators to have a professional certification or a private investigator's license (Barbara, 2009).
A group of professionals from academia met with the aim of changing the state requirements by providing guidance for higher learning institutions to develop a neutral digital forensics program that does not rely on any vendor's products. As a result, a model for digital forensics programs at four different levels (i.e., associate degree, baccalaureate degree, graduate degree, and academic certificate) was developed (West Virginia, 2007). This group proposed that a baccalaureate program should consist of general education, a computing and information science core, a forensic science core, other additional required courses, a digital forensics laboratory, and additional upper-division digital forensics courses. These upper-division courses consist of advanced digital forensics, technical electives, and university-level electives open to all students (West Virginia, 2007). They suggested that each of the technical subjects must be accompanied by one-hour labs in which students practice the procedures and skills learned in class lectures. The purpose of this lab is to provide students with hands-on experience in digital forensics (West Virginia, 2007).

4. SURVEY RESULTS

In order to determine the technical skills computer forensics practitioners should possess and the tools that should be taught in digital forensics courses, digital forensics practitioners in both the public and private sectors were surveyed, each group with a different set of questions. Digital forensics educators were asked which analysis tools they used in their digital forensics program and were questioned on their willingness to collaborate with digital forensics practitioners for education purposes. Additionally, they were surveyed on their reasons for not collaborating with digital forensics practitioners for education purposes. The survey also asked their opinion on improving digital forensics education.
These survey questions were sent out to universities/colleges with computer forensics programs. Digital forensics practitioners were queried on the involvement of their organization in digital forensics, the type of organization they represent, the type of digital forensics investigations they conduct in house, the operating systems most frequently found in their investigations, the digital forensics analysis tools used, and their willingness to collaborate with a college or university for education purposes. Similarly, the survey also asked the digital forensics practitioners' opinion on improving digital forensics education. The survey was conducted among the participants of the 2008 Digital Forensics Research Workshop, since they were experienced researchers and practitioners in the computer forensics field.

In this section, we discuss the findings of the survey conducted among both digital forensics practitioners and colleges or universities that offer a digital forensics program. Seventeen volunteers from a variety of colleges and universities, along with nine volunteers from the digital forensics practitioner group within the United States, participated in this survey. Among the practitioner respondents, 67% have less than 10 years of experience with digital forensics. Within the practitioner group, the largest share, 44.4%, came from corporations or private companies; law enforcement agencies and non-government organizations each accounted for 22.2%; 11.1% came from government agencies; and there were no respondents from private investigation.

Figure 1 – Digital forensics analysis tools usage

Figure 1 shows the usage of popular digital forensics tools by both digital forensics practitioners and digital forensics educators. EnCase is the main acquisition and analysis tool for 94.1% of educators and 66.7% of practitioners, making it the most widely used tool in both groups. The second most widely used tool is FTK, used by 70.6% of educators and 55.6% of practitioners. Some other tools, such as WinHex, HELIX, md5sum and MOBILedit! Forensic, are also widely used by practitioners but seem to be rarely used by educators. Tools that are not used by any educator but are used by some practitioners are iLook, SMART, PTK, CellDEK, VideoFOCUS, dTective, ClearID, dVeloper and Magnifi. Conversely, the tools used by educators but not by practitioners are Foremost, pyFLAG, and OUTGUESS.

In this survey, digital forensics practitioners were also asked to describe the types of cases involved in their investigations. The result is shown in Figure 2. The most common type of investigation, reported by 77.8% of practitioners, involves single personal computers (PCs). Surprisingly, the second most common type, at 55.6%, involves mobile media. The third most common types, at 44.4% each, involve networks and hacking, and multimedia. Only a small number, 11.1%, are concerned with steganography and other sophisticated computer techniques. Note that the percentages sum to more than 100% because a single case may involve multiple devices; for example, a cell phone, a PDA, and desktop PCs or laptops may all be part of the same case.
Figure 2 – The percentages of different digital forensics investigation cases (computer forensics 77.8%, mobile forensics 55.6%, network forensics 44.4%, multimedia forensics 44.4%, steganography 11.1%, others 11.1%)

Furthermore, digital forensics practitioners were also asked to indicate which operating systems were encountered in their recent investigations; the results are shown in Figure 3. It is not surprising that 100% of practitioners responded that the Windows operating environment was part of their investigations. It is followed by Mac OS and Sun Solaris with 55.56%, Linux and FreeBSD with 44.44%, and UNIX and other operating systems with 22.22%. We did not expect Sun Solaris to command such a high percentage, as it is not prominently taught in education and training programs. This might be an indication of an important oversight by both education and training programs.

Figure 3 – Operating systems involved in investigations

To find out how closely industry and related organizations can work with academia on digital forensics education, the willingness of the two groups (digital forensics educators and practitioners) to conduct collaborative work was surveyed. The results are shown in Figure 4.

Figure 4 – The willingness of digital forensics educators and digital forensics practitioners to work together in the development of digital forensics education

Figure 5 – Digital forensics educators' (a) and practitioners' (b) reasons for not collaborating with each other

(a) Educators' reasons: Budget 100.0%; Security 0.0%; No networking (contacts) 0.0%; Lack of experienced lecturers 0.0%
(b) Practitioners' reasons: Budget 0.0%; Security issues 50.0%; No networking (contacts) 0.0%; No time to participate 50.0%

It is not surprising that 93.8% of digital forensics educators and 77.8% of digital forensics practitioners are willing to cooperate in the development of digital forensics education programs. The predominant reason why the remaining educators (6.3% of respondents) would not (or cannot) work with practitioners in the near future is budget (Figure 5a). Meanwhile, the reasons given by the 22.2% of practitioners who are not willing to collaborate with educators revolve around security issues and the time required for the collaboration; in certain cases collaboration with educators is simply irrelevant to their scope of work (Figure 5b). It has been discussed in the digital forensics community that close collaboration between industry, government agencies, and educational institutions would benefit every party. Within such a collaborative infrastructure, faculty members and researchers gain a better understanding of what the forensic community needs. Students gain stronger learning motivation from applying what they have learned to real-world scenarios. Industry and government agencies gain a better channel for recruiting forensic examiners to staff their laboratories and incident response teams.

5. PROPOSED DIGITAL FORENSICS MODULES

As Figure 1 shows, most digital forensic practitioners use either EnCase or FTK as their examination tool, which is easily explained by the large market share these two commercial products command. Aside from these two, WinHex, HELIX, md5sum and MOBILedit! were identified as frequently used analysis tools. For examining cell phones, MOBILedit! is one of the most frequently used tools.
In addition, HELIX is becoming popular among both digital forensics practitioners and educators. One reason for its popularity is that HELIX bundles a large set of programs and plug-ins required for a digital investigation into a single analysis environment. The survey results indicate that a digital forensic practitioner should be proficient with the most popular tools, such as FTK and EnCase. Thus, it is beneficial for students graduating from forensic programs to have ample training on these tools. Moreover, a substantial module on forensic tools, focused on FTK and EnCase and covering HELIX, WinHex, and other open source tools, should be built into forensic courses. The Technical Working Group for Education and Training in Digital Forensics recommends that a designated computer forensics lab be set up to provide the equipment and software needed to train students in practical skills (West Virginia, 2007), especially using the popular digital forensic tools identified in our results.

Digital forensics requires an investigator to have ample knowledge of a variety of operating systems. As shown in Figure 3, almost all operating systems were part of the investigations carried out by practitioners: Windows was the most common, followed by Mac OS and Solaris, then Unix/Linux. Based on practitioners' experience, Windows machines are the most common in the investigative caseload, while Unix/Linux comprises about 20% of the overall systems (Pogue, 2008). This indicates that a variety of operating systems should be addressed in a digital forensics curriculum, but the focus should be primarily on Windows, with a secondary focus on Unix/Linux and Macintosh.
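As an added illustration of what such a tools module exercises with md5sum, a hex editor and a carver like Foremost, the following Python script is included here; it is not from the paper nor from any of the tools it names. It performs a dd-style block copy of a "device" while recording MD5 and SHA-256 hashes, verifies the image against those hashes the way md5sum -c would (and shows the check failing when the image is altered after acquisition), and then runs Foremost-style header/footer carving over the verified image. The device contents, the embedded JPEG/PNG stand-ins, their offsets, and all function names are constructed for the example.

```python
"""Acquisition, hash verification and header/footer carving on a constructed
device image. Added example; not code from the paper or from md5sum/Foremost."""
import hashlib
from typing import List, NamedTuple

# --- constructed sample "device" (assumption: not real evidence) ------------
# Two small files with standard JPEG and PNG header/trailer bytes are placed
# in zero-filled space at known offsets so the carver's output can be checked.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 3 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"png-payload" * 2 + b"IEND\xae\x42\x60\x82"
DEVICE = bytes(512) + JPEG + bytes(200) + PNG + bytes(300)
JPEG_OFFSET = 512
PNG_OFFSET = 512 + len(JPEG) + 200

# Header/footer signatures in the style of a Foremost configuration.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


class Acquisition(NamedTuple):
    image: bytes
    md5: str
    sha256: str


class CarvedFile(NamedTuple):
    kind: str
    offset: int
    data: bytes


def hash_bytes(data: bytes):
    """Return (md5, sha256) hex digests; two algorithms so that a collision in
    one does not hide a modification."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def acquire(device: bytes, block_size: int = 512) -> Acquisition:
    """Bit-for-bit copy in fixed-size blocks (what dd does), hashing the
    source bytes as they are read so the recorded digests describe the
    original medium, not a later copy of the image."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    blocks = []
    for off in range(0, len(device), block_size):
        block = device[off:off + block_size]
        md5.update(block)
        sha.update(block)
        blocks.append(block)
    return Acquisition(b"".join(blocks), md5.hexdigest(), sha.hexdigest())


def verify(acq: Acquisition) -> bool:
    """Re-hash the image and compare with the digests recorded at acquisition
    (the md5sum -c step an examiner repeats before and after analysis)."""
    md5, sha = hash_bytes(acq.image)
    return md5 == acq.md5 and sha == acq.sha256


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Header/footer carving: for every signature, find a header, then the
    nearest footer within max_size bytes; the carved file runs from header
    through footer inclusive. A header with no footer in range is treated as a
    truncated file and skipped rather than swallowing the rest of the image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + len(header))
                continue
            end += len(footer)
            found.append(CarvedFile(kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f.offset)


if __name__ == "__main__":
    acq = acquire(DEVICE)
    print("image md5   :", acq.md5)
    print("image sha256:", acq.sha256)
    print("verify after acquisition:", verify(acq))
    tampered = acq._replace(image=acq.image[:100] + b"\x01" + acq.image[101:])
    print("verify after one-byte change:", verify(tampered))
    for f in carve(acq.image):
        print(f"carved {f.kind} at offset {f.offset}, {len(f.data)} bytes")
```

The tampering check is the point a tools module should drive home: the digests are taken from the source while it is read, stored with the case notes, and every later verification compares against those stored values, never against a digest recomputed from the same possibly modified image.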
Even though it is theoretically desirable to teach as many operating systems as possible, educational programs have limited resources, including time, equipment, and faculty. Given the rapid growth of available learning tools, students and practitioners can also learn from external sources, such as the Internet, conferences and vendor-specific training. While not part of the survey, it is our opinion that the use of virtual machines has minimized the need for multiple hardware platforms and has made access to multiple operating systems in the classroom more affordable.

Most white-collar crimes in the public sector deal with single machines, and the counter-investigative skills involved are not beyond those of typical end users (Berghel, 2003). However, there is a substantially increasing number of cases dealing with networks, protocols/devices, and Internet applications, as observed in the survey results shown in Figure 2. Furthermore, many incidents in the private sector go unreported for various reasons (Berghel, 2003; Rogers, 2004). Many of these incidents involve adversaries whose skills are well beyond those of normal end users, spanning end-user applications, operating systems, networks, and the Internet. To effectively and efficiently investigate these crimes and their perpetrators and find relevant evidence, digital forensic practitioners need a more elaborate set of knowledge and skills, which introduces the discipline of network/Internet forensics. Until now, very few education programs offer such training, and no consensus exists as to the tools and topics that should be covered in education courses to address network/Internet forensics.
To successfully investigate Internet crimes, students need to understand the fundamental mechanisms, methodologies, and approaches employed by sophisticated criminals while committing such crimes, as well as the countermeasures organizations and companies can use to defend themselves. Based on the above observations, network forensics courses need to cover a large number of topics, such as operating systems, network and Internet protocols, malware, devices, applications, network hacking methodology and techniques, and countermeasures and security mechanisms.

With advances in computer and Internet technology, mobile computing has become more and more popular. A large number of mobile devices are available and are used to play music, store photos, contacts, and files, or even play movies (Kiley, Shinbara, & Rogers, 2007). Tools such as XRY, Cellebrite, and Oxygen can be used for logical extraction from mobile devices, while tools such as XACT and Cellebrite PA can be used for physical extraction of data from mobile devices. Some tools, such as Paraben Device Seizure, can be used for both physical and logical extraction, but each has its limitations because each mobile vendor uses its own operating system. The popularity and ubiquity of mobile devices continue to grow in every corner of our personal and business lives, and also in modern cybercrime (Kiley et al., 2007). The survey indicates that more than half of the cases included mobile devices. Additionally, because of the vast differences in configurations and settings among mobile devices, digital forensics practitioners need ample exposure to them. It is important to include a module in the computer forensics curriculum that addresses mobile forensics topics, such as wireless local area networks (WLAN), personal digital assistants (PDA), iPod, iPhone, BlackBerry, etc.
There seems to be a great deal of concern about how to train students to meet both industry and law enforcement needs (Liu, 2006). There are multiple approaches to this issue; the approach proposed here is to collaborate with digital forensics practitioners from both industry and the law enforcement community. Based on the survey results, more than 75% of digital forensics educators and investigators agreed to cooperate in the development of digital forensics programs at universities or colleges. The reasons practitioners and educators resist collaboration include budget, security, time, and lack of applicability to their scope of work. It is unrealistic to expect digital forensic practitioners to devote a large block of time to the development of educational programs, given these budgetary and scheduling constraints. It is nevertheless imperative that coursework in digital forensics incorporate the experience and ideas of industry and law enforcement. Courses that fit this category are the professional project, internships, and/or courtroom experience. Further research should explore the relationship between students completing professional projects and internships and their competitiveness in the job market once they graduate. Anecdotal data indicate that students completing internships in the field obtain relevant employment within six months of graduation more often than students who did not complete an internship.

The Professional Project course should be a research project that requires the application of the knowledge, techniques, methodology, and skills learned in the other digital forensics courses. Topics could come either from academia or from industry.
The survey results indicate that multimedia forensic analysis has been conducted by digital forensics practitioners, which requires the use of a suite of tools including VideoFOCUS, dTective, ClearID DAC, dVeloper and Magnifi Spotlight. Several research issues in multimedia forensics exist which need to be undertaken to improve the efficiency and accuracy of the results. Another important topic is the deployment of a honeypot, which has recently been used for cyber security protection and network forensic investigation (Spitzner, 2003), due to its cost effectiveness and usefulness for security and forensic education and research. Other important topics include malware forensic analysis, social computing forensics (for example, forensic investigation of Facebook, MySpace, Twitter, the blogosphere, etc.), and accounting and financial fraud detection and investigation. Furthermore, evidence should be presented in a clear, concise, professional way so that audiences in a courtroom, such as the jury, judge, and attorneys, can easily understand it. The Courtroom Experience course is an application of the knowledge, skills, and methodology learned from all the courses in the education program, including forensic law, criminal justice, communication, digital forensics investigation, and other computer courses. In a mock courtroom, judges and attorneys from industry and law enforcement can participate, and the cases may be simulations of real world scenarios. In a mock trial course, the students can apply what they have learned and gain real world experience. Another approach to collaborating with industry and law enforcement is to incorporate topics emphasized in certification programs into the curriculum design of educational programs.
There are many certification programs available, including EC-Council's CHFI (Computer Hacking Forensic Investigator), AccessData's ACE (AccessData Certified Examiner), Guidance Software's EnCE (EnCase Certified Examiner), CCE (Certified Computer Examiner) administered by the International Society of Forensic Computer Examiners, CIFI (Certified Information Forensics Investigator) offered by the International Information Systems Forensics Association, CFCE (Certified Forensic Computer Examiner) managed by the International Association of Computer Investigative Specialists, the DFCP and DFCA certifications managed by the DFCB (Digital Forensics Certification Board), and GCFA (GIAC Certified Forensic Analyst) managed by SANS. Some common topics were identified from these certification programs that would be appropriate for an education program. Modules from CHFI, CCE, ACE, and EnCE could be included in both graduate and undergraduate curricula. As a matter of fact, AccessData offers its training material to colleges that sign up for its educational bundle and have two faculty members who are ACE certified.
Figure 6 – Proposed Digital Forensics courses (course: topics).
Digital Forensics Fundamentals: Digital forensic investigation procedures, private regulations and public law issues, Windows FAT and NTFS, *nix and Mac file systems, open source and commercial forensic tools (EnCase, FTK), evidence acquisition, preservation, analysis, reporting, and presentation.
Advanced Computer Forensics: Advanced features of forensic tools (search, KFF management, encryption and decryption, data carving), Windows registry, memory analysis, advanced file system analysis (deleted and hidden data, metadata, temporary files, unknown/executable file analysis), applied decryption.
Network/Internet Forensics: Internet and network security, ethical hacking, network traffic analysis, log analysis, web attack and DoS investigation, email forensics, Internet application forensics, social computing forensics (social networks/Web 2.0), malware analysis.
Mobile Digital Forensics: Wireless security and attacks, wireless tracking and investigation, cell phones, iPhone, iPod, PDA, BlackBerry, etc.
Professional Project on Digital Forensics: Integrate existing knowledge and skills in digital forensics and conduct research to understand advanced cyber-crime methodologies and techniques, and research advanced digital forensics investigation and analysis techniques (honeynets, etc.).
Courtroom Experience: Work with digital forensic practitioners from the public/private sectors on a mock case, integrating knowledge and skills from forensic law, criminal justice, forensic psychology, and digital forensics, and present in a mock courtroom.
Based on the survey results, the following six courses are proposed as the core digital forensics topics for digital forensics education programs: 1) Digital Forensics Fundamentals, 2) Advanced Computer Forensics, 3) Network/Internet Forensics, 4) Mobile Digital Forensics, 5) Digital Forensics Professional Project, and 6) Courtroom Experience. These courses could be designed to fit both undergraduate and graduate programs with minor adjustments. For example, the professional project could be optional for undergraduate studies but required by graduate programs.
Another example would be mobile forensics being required in undergraduate programs but optional in graduate studies. The detailed topics for each course are shown in Figure 6. Note that in this paper, only those courses related to computer technology are discussed. The coursework in criminal justice and forensic law is not discussed here, as it has been discussed in many other publications (Gottschalk et al., 2005; Huebner et al., 2008; Kessler & Schirling, 2006; Liu, 2006; Rogers & Seigfried, 2004). The above courses and modules were implemented at Champlain College in the Computer and Digital Forensics Program curriculum in 2011 (Champlain College, 2011). For example, the topics defined in Digital Forensics Fundamentals are implemented in FOR 320 (File System Forensics) and FOR 340 (Operating System Forensics); the topics defined in Advanced Computer Forensics are implemented in FOR 430 (Advanced Practice in Digital Investigations); the topics defined in Mobile Digital Forensics are implemented in FOR 310 (Mobile Device Forensics); the topics defined in Professional Project on Digital Forensics are implemented in FOR 490 (Computer Forensics Internship); the topics defined in Network and Internet Forensics are implemented in FOR 270 (Anti-Forensics & Network Forensics) and FOR 420 (E-Discovery and Data Analytics); and the topics defined in Courtroom Experience are implemented in CRJ 480 (Crime Scene Investigation) and CCC 410 (Capstone). 6. CONCLUSION This research investigated digital forensics curriculum design and existing education programs, which provide a list of computer forensics courses in general but give little indication of what topics should be included and what tools should be taught.
To determine the set of knowledge, methodology and skills that industry and law enforcement require, both digital forensics educators and practitioners were surveyed and the results were analyzed. The most prevalent tools in use are commercial tools, such as EnCase and FTK, and most cases deal with Windows operating systems, followed by Unix/Linux and Macintosh. Also, most digital forensics educators and practitioners are willing to collaborate to develop digital forensics educational programs, but most organizations are limited by budget and time availability. Based on the identified digital forensics topics, courses that support industry and law enforcement needs are recommended. Specifically, courses that simulate real world digital forensics investigations are designed to enhance collaboration with digital forensics practitioners from the industry and law enforcement sectors. Based on our findings, some future research directions are recommended. First, to provide flexibility and cost-effectiveness, as well as to improve enrollment, we would like to investigate the issues and approaches in designing online security and forensics courses. The online courses should have access to all the commercial and open source tools of the on-campus learning environment, and the solution should scale well and be flexible enough to adapt to rapidly changing computer and forensics technologies. Second, the design of both undergraduate and graduate digital forensics programs should be explored with respect to how they can be integrated with existing computer and network security programs. A clear delineation between information security and digital forensics, especially when discussing network forensics, does not appear to exist. There is evidence to suggest that students can benefit professionally from information assurance skills and knowledge when handling network forensics incidents.
Third, it is recommended to integrate a large portion of the business management and business information systems component into the digital forensics program design, since fraud and other white-collar crimes are significant threats to businesses. Such interdisciplinary curriculum design and education fit the mission of many business programs and can be incorporated in criminal justice, information systems, and computer science programs at other colleges and universities.
7. REFERENCES
Barbara, J.J. (2009). The Case Against PI Licensing for Digital Forensic Examiners. Forensic Magazine, 6(2), 23-29.
Berghel, H. (2003). The discipline of Internet forensics. Communications of the ACM, 46(8), 15-20.
Brueckner, S., Guaspari, D., Adelstein, F., & Weeks, J. (2008). Automated computer forensics training in a virtualized environment. Digital Investigation, 5(Supplement), S105-S111.
Carlton, G.H. (2007). A grounded theory approach to identifying and measuring forensic data acquisition tasks. Journal of Digital Forensics, Security and Law, 2(1), 35-56.
CERT. (2003). CERT statistics. Retrieved from http://www.cert.org/stats/
CERT. (2006). CERT statistics. Retrieved from http://www.cert.org/stats/
Champlain College. (2011). Computer & Digital Forensics Major. Retrieved from http://www.champlain.edu/Undergraduate-Studies/Majors-andPrograms/Computer-and-Digital-Forensics.html
Craiger, P., Ponte, L., Whitcomb, C., Pollitt, M., & Eaglin, R. (2007). Master's Degree in Digital Forensics. In Proceedings of the 40th Hawaii International Conference on System Sciences.
Erbacher, R.F., & Swart, R. (2007). Computer Forensics: Education and Training. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.97.6123&rep=rep1&type=pdf
FEPAC. (2008). American Academy of Forensic Sciences, Forensic Science Education Programs Accreditation Commission, accreditation standards.
Retrieved from http://aafs.org/sites/default/files/pdf/FEPACStandards072410DRAFT.pdf
Gottschalk, L., Liu, J., Dathan, B., Fitzgerald, S., & Stein, M. (2005). Computer Forensics Programs in Higher Education: A Preliminary Study. In Proceedings of the 36th SIGCSE Technical Symposium on Computer Science Education.
Huebner, E., Bem, D., & Ruan, C. (2008). Computer Forensics Tertiary Education in Australia. In 2008 IEEE International Conference on Computer Science and Software Engineering, December 12-14, 2008.
Kessler, G.C. (2007). Online Education in Computer and Digital Forensics: A Case Study. In Proceedings of the 40th Hawaii International Conference on System Sciences (HICSS-40), January 3-6, 2007, Hawaii, USA.
Kessler, G.C., & Haggerty, D. (2008). Pedagogy and Overview of a Graduate Program in Digital Investigation Management. In Proceedings of the 41st Hawaii International Conference on System Sciences.
Kessler, G.C., & Schirling, M.E. (2006). The Design of an Undergraduate Degree Program in Computer & Digital Forensics. Journal of Digital Forensics, Security and Law, 1(3), 37-50.
Kiley, M., Shinbara, T., & Rogers, M.K. (2007). iPod Forensics Update. International Journal of Digital Evidence, 6(1), 1-9.
Lang, D. (1999). Design and Development of a Distance Education Paradigm for Training Computer Forensics Examiners: A Limited Review of Literature. Retrieved from http://www.computerteacher.org/CFLR.htm
Liu, J. (2006). Developing an innovative baccalaureate program in computer forensics. In Proceedings of the 36th ASEE/IEEE Frontiers in Education Conference, October 28-31, 2006, San Diego, CA.
NIPC. (2003). National Infrastructure Protection Center white paper: Risk Management: An Essential Guide to Protecting Critical Assets. Retrieved from http://www.nipc.gov/publications/nipcpub/newnipcpub.htm
NIST. (2007). National Institute of Standards and Technology (NIST).
Education and Training in Digital Evidence: A Guide for Law Enforcement, Educational Institutions, and Students. Gaithersburg, MD: NIST, Technical Working Group for Education in Digital Evidence.
Peterson, G.L., Raines, R.A., & Baldwin, R.O. (2007). Graduate Digital Forensics Education at the Air Force Institute of Technology. In Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07), 1530-1605/07, January 3-6, 2007, Hawaii, USA.
Pogue, C., Altheide, C., & Haverkos, T. (2008). Unix and Linux Forensic Analysis DVD Toolkit. Syngress.
Rogers, M.K. (2003). The role of criminal profiling in computer forensic investigations. Computers & Security, 22(4), 292-298.
Rogers, M.K., & Seigfried, K. (2004). The future of computer forensics: A needs analysis survey. Computers & Security, 23(1), 12-16.
Sam Houston State University. (2009). The Digital Forensics undergraduate program. Department of Computer Science. Retrieved from http://www.shsu.edu/catalog/df.html#df390
Singleton, T.W., Singleton, A.J., Bologna, G.J., & Lindquist, R.J. (2006). Fraud Auditing and Forensic Accounting (3rd ed.). John Wiley & Sons, Inc.
Spitzner, L. (2003). The Honeynet Project: Trapping the hackers. IEEE Security & Privacy, 1(2), 15-23.
SWGIT. (2004). Scientific Working Groups on Digital Evidence and Imaging Technology. SWGDE/SWGIT Guidelines & Recommendations for Training in Digital Multimedia Evidence, Version 1.
Taylor, C., Endicott-Popovsky, B., & Phillips, A. (2007, April). Forensic Education: Assessment and Measures of Excellence. IEEE ADFE, 155-165.
Troell, L., Pan, Y., & Stackpole, B. (2003). Forensic Course Development. In Proceedings of the Conference on Information Technology Curriculum 4 (CITC4 '03), Lafayette, IN, October 16-18, 2003, 265-269.
UCF. (2010). Master of Science in Digital Forensics Program. University of Central Florida. Retrieved from http://msdf.ucf.edu/curriculum.html
URI.
(2012). Digital Forensics Programs. The University of Rhode Island. Retrieved from http://forensics.cs.uri.edu/courses.php
Wassenaar, D., Woo, D., & Wu, P. (2009). A Certificate Program in Computer Forensics. Journal of Computing Sciences in Colleges, 24(1), 158-167.
West Virginia University. (2007). West Virginia University Forensic Science Initiative. Technical Working Group for Education and Training in Digital Forensics.
Wolf, U. (2009). Cyber-Crime: Law Enforcement Must Keep Pace With Tech-Savvy Criminals. Retrieved from http://www.govtech.com/dc/articles/575223
Yasinsac, A. (2002). Information Security Curricula in Computer Science Departments: Theory and Practice. The George Washington University Journal of Information Security, 1(2), 1-9.
Yasinsac, A., Erbacher, R.F., Marks, D.G., Pollitt, M.M., & Sommer, P.M. (2003). Computer Forensics Education. IEEE Security & Privacy, 1(4), 15-23.
Automatic Crash Recovery: Internet Explorer's black box
John Moran, County of Cumberland, Portland, Maine, [email protected]
Dr. Douglas Orr, Special Investigations Unit, Spokane Police Department, Spokane, Washington, [email protected]
Abstract A good portion of today's investigations include, at least in part, an examination of the user's web history. Although it has lost ground over the past several years, Microsoft's Internet Explorer still accounts for a large portion of the web browser market share. Most users are now aware that Internet Explorer will save browsing history, user names, passwords and form history. Consequently, some users seek to eliminate these artifacts, leaving behind less evidence for examiners to discover during investigations. However, most users, and probably a good portion of examiners, are unaware that Automatic Crash Recovery can leave a gold mine of recent browsing history in spite of the user's attempts to delete historical artifacts.
As investigators, we must continually be looking for new sources of evidence; Automatic Crash Recovery is one such source. Keywords: Automatic Crash Recovery, ACR, Internet Explorer, IE8, IE9, Browsing history, RecoverRS, Compound files. 1. INTRODUCTION TO AUTOMATIC CRASH RECOVERY In order to understand the potential value of Automatic Crash Recovery to investigators, some background into what exactly Automatic Crash Recovery does is required. According to Microsoft, "Automatic Crash Recovery (ACR) is a feature of Windows® Internet Explorer® 8 that can help to prevent the loss of work and productivity in the unlikely event of the browser crashing or hanging" (Microsoft, 2008, p. 3). From the user's perspective, ACR is what provides the option to 'Restore Session' when Internet Explorer closes improperly. Providing this functionality requires Internet Explorer to store numerous pieces of information about the history of the browsing session. ACR can be disabled by going to 'Tools' -> 'Internet Options' -> 'Advanced' and unchecking "Enable automatic crash recovery" in the 'Browsing' section. Interestingly, research shows that even with ACR disabled, Internet Explorer will continue to store information for its use. Similarly, research shows that even with InPrivate Browsing enabled, ACR artifacts will still be created. Several common "cleaning" utilities were tested and not a single utility removed the files created by ACR. It appears that there is currently no way to prevent Internet Explorer from creating ACR artifacts and, furthermore, that the only reliable way for a user to remove ACR artifacts is to manually delete and overwrite them after each session. 2.
ARTIFACTS CREATED BY ACR The files of interest created by ACR are initially written to the C:\Users\<user>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active directory in Windows 7 or the C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active directory in Windows XP. Internet Explorer creates two types of files in this directory. The first type uses the naming convention 'RecoveryStore.{<GUID>}.dat' and is created when Internet Explorer is first executed. Referred to from this point on as the "recovery store file," only one such file is created regardless of the number of tabs or windows opened by the user (except when using InPrivate Browsing, where a second recovery store file is created for the InPrivate Browsing session). The second type uses the naming convention '{<GUID>}.dat'. One of these files is created when Internet Explorer is first executed and one additional file is created for each additional tab or window that is opened. These files will be referred to from this point on as the "tab data files." The globally unique identifiers (GUIDs) created for both the recovery store files and the tab data files are written in hexadecimal and display as ########-####-####-####-############. The format of these GUIDs, as well as the information they contain, is explained in greater detail in the following section. When Internet Explorer is closed by the user, the recovery store file and the tab data files are removed from their existing locations and recreated, with new GUIDs, in the C:\Users\<user>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active directory in Windows 7 or the C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active directory in Windows XP. Any GUIDs stored within the recovery store files and tab data files are also updated unless otherwise noted.
One registry value that may be of interest during an investigation is HKCU\Software\Microsoft\Internet Explorer\Recovery\AutoRecover. A DWORD value of 0x00000000 indicates that ACR is enabled; a DWORD value of 0x00000002 indicates that ACR is disabled. As mentioned previously, ACR files will be created even when this value is set to 0x00000002; however, this value may be an indication that the user was attempting to hide their browsing activities. Another registry key that may be of interest is HKCU\Software\Microsoft\Internet Explorer\Recovery\Active. When Internet Explorer is executed and the recovery store file is created, a new DWORD value is created in this key using the GUID of the recovery store file as the name and 0x00000000 as the value. For example, if the recovery store file created was RecoveryStore.{3519D794-44E1-11E0-8CA1-005056C00008}.dat, a new DWORD value named {3519D794-44E1-11E0-8CA1-005056C00008} would be added to the key. When Internet Explorer is closed properly, this value is deleted from the key. This key appears to be what Internet Explorer checks to see if there are previous browsing sessions that can be recovered; manually adding previous ACR files to the C:\Users\<user>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active directory and adding the GUID of the recovery store file to this registry key caused Internet Explorer to offer to restore the browsing session from the previous ACR files. Two other registry keys seen in Windows 7 environments are HKCU\Software\Microsoft\Internet Explorer\Recovery\AdminActive, which contains the GUID of the recovery store file currently open in Internet Explorer when run as Administrator, and HKCU\Software\Microsoft\Internet Explorer\Recovery\PendingDelete, which contains the GUIDs of the tab data files currently being used by Internet Explorer. 3.
ANALYSIS OF ACR FILES By the very nature of their function, ACR files must store several key pieces of information that can be of use to investigators, such as dates, times, and browsing history that might otherwise be unavailable through other means. In order to get the most from ACR artifacts and, more importantly, to be able to articulate the method by which these artifacts are created and the process of recovering them, the next several sections detail the file format and where key evidence may lie. 3.1 GUID Format The GUID itself can provide some important information and is worth examining, most notably for the date and time the file was created. The first eight bytes of the GUID contain the date/time the file was created, or in other words, the date/time Internet Explorer was opened or closed (in the case of a recovery store file) or the date/time an individual tab was opened or closed (in the case of a tab data file). The date/time is stored as the number of 100-nanosecond intervals since October 15, 1582, in little endian; a very similar format to the FILETIME format, whose epoch is January 1, 1601. In order to calculate the date/time from the GUID, we must extract the first eight bytes from the GUID, then change the byte order from little endian to big endian. The first 4 bits of the big endian value represent the version number, are not part of the date/time, and should be ignored. We should then subtract 0x146BF33E42C000 (5,748,192,000,000,000) to account for the difference in epochs and convert the resulting value as a FILETIME (Parsonage, 2010). A sample calculation can be seen in Figure 1.
Figure 1 (Sample Date/Time Calculation from Tab Data File)
Tab data file name: 6E165296-3930-11E0-8FE9-000C29EF1366
Extract first 8 bytes: 6E165296-3930-11E0
Convert to big endian: 0x11E039306E165296
Drop the first 4 bits: 0x01E039306E165296
Subtract 0x146BF33E42C000: 0x01CBCD3D2FD39296 (129422676989285014)
Convert to FileTime: Tuesday, February 15, 2011 18:21:39 UTC (1:21:39 PM US Eastern Standard Time)
The last six bytes of the GUID contain a node ID that may also be of interest, depending on the nature of the investigation. In most cases, the node ID will be one of the IEEE 802 medium access control (MAC) addresses available on the system; in other instances a random ID may be used (Leach, Mealling, & Salz, 2005). The remaining two bytes of the GUID not previously mentioned make up the variant and clock sequence, which are of no value in the examination of these particular files. 3.2 ACR File Format Both the recovery store file and the tab data files are stored in a format called the Compound File Binary File Format, which will henceforth be referred to simply as a compound file. These files may also be referred to as object linking and embedding (OLE) compound files. Although some knowledge of the compound file format is necessary when discussing carving these files from unallocated space, a complete explanation of the compound file format is beyond the scope of this paper. In fact, a complete explanation has already been issued by Microsoft (2012a), titled [MS-CFB]: Compound File Binary File Format. Fortunately, a basic understanding of the compound file format will suffice for examination of these files. Like many other files, compound files have a common header that can be used to locate and identify them in unallocated space (discussed below). However, that is where the similarities with other common file formats end.
A compound file functions very much like a File Allocation Table (FAT) file system on a disk; it contains a FAT, which tracks all sectors in the file, as well as directory entries and folder- and file-like structures. The folders in a compound file are referred to as storages and the files are referred to as streams. Like any other file system, a storage can contain other storages or streams. A stream, however, cannot contain a storage. There is one other important structure within the compound file: the property set. Unlike a stream, which can contain data of any length, a property set follows a strict format. Once again, a thorough explanation of property sets is well beyond the scope of this paper. However, Microsoft has come to the rescue again with a complete explanation of property sets titled [MS-OLEPS]: Object Linking and Embedding (OLE) Property Set Data Structures (Microsoft, 2012b). For the purposes of examining ACR files, it is important to know that property sets contain one or more properties, each with a unique numeric identifier, a value type (such as date [VT_DATE], four-byte unsigned integer [VT_UI4] or Unicode string [VT_LPWSTR]) and a value. Making sense of compound files in their raw hexadecimal form can be a daunting task, even with an expert knowledge of the compound file format. While it is possible to identify some text from the file, it is very difficult to attribute context without a great deal of time and effort. Thankfully, there are numerous tools capable of reading compound files. Several forensics suites, such as the Forensic Toolkit (FTK) and EnCase, are capable of reading compound files. There are also several free utilities available that will read compound files with varying success. Another product available for reading these files is the Compound File Explorer (CFX) by CoCo Systems Ltd. (http://www.coco.co.uk/developers/CFX.html).
CFX is not free but well worth the price of 20 GBP. Unlike most programs, CFX is capable of reading not only the text streams in compound files but also the property sets, in an easy to read format. Tools such as CFX are key to the examination of ACR artifacts as they present the information inside the compound file in a much easier to understand way and add a measure of context. 3.3 The Recovery Store File The recovery store file contains basic information about the browsing session. Only one recovery store file is created by Internet Explorer regardless of the number of tabs or windows the user opens. The one exception to this is when InPrivate Browsing is used; when a user selects InPrivate Browsing, a new window with the InPrivate Browsing logo opens, and a second recovery store file is created in the \Active directory. If both the original window and the InPrivate Browsing window remain open, both recovery store files will remain in the \Active folder. Opening additional InPrivate Browsing windows will not create additional recovery store files. At a minimum, each recovery store file contains three streams: the 'TS#' stream (where # is an integer starting at 0, discussed in greater detail in the next section), the 'FrameList' stream and the '{0B00252A-8D48-4D0B-7B79887F2B96}' stream. A fourth stream, the 'ClosedTabList' stream, may also be present in some recovery store files (Figure 2). The purpose of these streams and the data commonly stored within them are described below. Figure 2 (Recovery Store File Streams as Viewed in CFX) 3.3.1 The 'TS#' Stream A 'TS#' stream is created for each tab or window opened by the user. The numbering for the 'TS#' stream starts at 0 and, in most cases, increments by 1 for each new tab or window that is opened by the user, although in a few cases numbers appeared to be skipped.
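Before looking at the individual streams, the header-and-directory structure described in section 3.2 is worth seeing in code, because it is exactly what a carver needs in order to recognise a recovery store or tab data file in unallocated space by its stream names. The following Python is an added example written for this edit; it is not code from the paper, from RecoverRS or from CFX. It reads only the header, the FAT sectors listed in the header's own DIFAT array and the directory chain of a version 3 or 4 compound file (enough for ACR-sized files), does not follow the mini FAT, and the compound file it runs against is constructed by build_sample in the example itself rather than taken from a real browser profile.

```python
import struct

# Compound File Binary header, [MS-CFB] section 2.2: the fixed fields that precede
# the 109-entry DIFAT array at byte 0x4C.
CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"
HEADER_FIXED_SIZE = struct.calcsize(HEADER_FMT)      # 0x4C
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
OBJECT_TYPES = {1: "storage", 2: "stream", 5: "root"}


def parse_header(buf, offset):
    """Parse a CFB header at offset; return None unless it is internally consistent."""
    if len(buf) - offset < 512:
        return None
    (sig, _clsid, _minor, major, byte_order, sector_shift, _mini_shift, _reserved,
     _n_dir, n_fat, first_dir, _txn, _mini_cutoff, _first_minifat, _n_minifat,
     _first_difat, _n_difat) = struct.unpack_from(HEADER_FMT, buf, offset)
    # The consistency checks stop a carver from accepting signature bytes inside random data.
    if sig != CFB_SIGNATURE or byte_order != 0xFFFE:
        return None
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        return None
    difat = struct.unpack_from("<109I", buf, offset + HEADER_FIXED_SIZE)
    return {"offset": offset, "major": major, "sector_size": 1 << sector_shift,
            "n_fat": n_fat, "first_dir": first_dir, "difat": difat}


def carve(buf):
    """Headers of every plausible compound file found anywhere in buf."""
    found, pos = [], buf.find(CFB_SIGNATURE)
    while pos != -1:
        hdr = parse_header(buf, pos)
        if hdr:
            found.append(hdr)
        pos = buf.find(CFB_SIGNATURE, pos + 1)
    return found


def sector_offset(hdr, sector):
    # Sector 0 follows the header, so sector n starts at (n + 1) * sector_size.
    return hdr["offset"] + (sector + 1) * hdr["sector_size"]


def load_fat(buf, hdr):
    """Concatenate the FAT sectors named in the header DIFAT (enough for small files)."""
    ss, fat = hdr["sector_size"], []
    for sect in hdr["difat"][:hdr["n_fat"]]:
        start = sector_offset(hdr, sect)
        if sect == FREESECT or start + ss > len(buf):
            break                                    # truncated or damaged carve
        fat.extend(struct.unpack_from("<%dI" % (ss // 4), buf, start))
    return fat


def chain(fat, start):
    """Follow a FAT chain; loops and out-of-range sectors end the chain instead of hanging."""
    seen, out, sect = set(), [], start
    while sect < len(fat) and sect not in seen:
        seen.add(sect)
        out.append(sect)
        sect = fat[sect]                             # ENDOFCHAIN is >= len(fat), so it stops here
    return out


def list_directory(buf, hdr):
    """(name, type, size) for every used directory entry, in directory order."""
    ss, entries = hdr["sector_size"], []
    fat = load_fat(buf, hdr)
    for sect in chain(fat, hdr["first_dir"]):
        base = sector_offset(hdr, sect)
        for i in range(ss // 128):
            entry = buf[base + 128 * i: base + 128 * (i + 1)]
            if len(entry) < 128:
                break
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type not in OBJECT_TYPES:
                continue                             # unused (type 0) or corrupt entry
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            _start, size = struct.unpack_from("<IQ", entry, 116)
            entries.append((name, OBJECT_TYPES[obj_type], size))
    return entries


def build_sample(stream_names):
    """Constructed test data, not a real ACR artifact: a minimal version 3 compound
    file with the FAT in sector 0 and one directory sector in sector 1. The streams
    are declared empty, so no data sectors or mini FAT are needed (max 3 streams)."""
    ss = 512
    header = struct.pack(HEADER_FMT, CFB_SIGNATURE, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6,
                         b"\0" * 6, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))
    fat_sector = struct.pack("<%dI" % (ss // 4), FATSECT, ENDOFCHAIN, *([FREESECT] * (ss // 4 - 2)))

    def entry(name, obj_type, right=NOSTREAM, child=NOSTREAM):
        raw = name.encode("utf-16-le") + b"\0\0"     # name length counts the terminator
        fixed = struct.pack("<HBBIII16sIQQIQ", len(raw), obj_type, 1,
                            NOSTREAM, right, child, b"\0" * 16, 0, 0, 0, 0, 0)
        return raw.ljust(64, b"\0") + fixed

    entries = [entry("Root Entry", 5, child=1 if stream_names else NOSTREAM)]
    for i, name in enumerate(stream_names):
        entries.append(entry(name, 2, right=i + 2 if i + 1 < len(stream_names) else NOSTREAM))
    directory = b"".join(entries)
    if len(directory) > ss:
        raise ValueError("sample supports at most 3 streams")
    return header + fat_sector + directory.ljust(ss, b"\0")
```

Running carve over an image fragment and then list_directory on each hit gives the stream names; a hit whose directory contains 'TS0', 'FrameList' and the property-set stream is a recovery store file, one with 'TravelLog' and 'TL#' streams is a tab data file. Real ACR streams are small and live in the mini stream, so extracting their contents additionally requires walking the mini FAT from the root entry, which this example leaves to a full CFB reader.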
The 'TS#' stream contains a list of the GUI Ds of the tabs or windows that are currently open (or were, if the entire session has been closed). The GUIDs are broken into five groups and are displayed as ########-####-####-####-############. Figure 3 shows four 16-byte GUIDs of tabs that were open in the last browsing session. Figure 3 (Sample 'TS0' Stream from Recovery Store File) The first eight bytes of each GUID are stored in little endian as a group of four bytes, a group of two bytes and a group of two bytes, while the last eight bytes of the GUID are stored in big endian. In order to associate the data in the 'TS#' stream with tab data files found on the system, some translation needs to occur. For example, the first GUID shown in Figure 3 appears in the TS0 stream as 0xEF 50 89 E8 BA 12 E0 11 86 80 00 50 56 C0 00 08, which translates to 0xE8 89 50 EF 12 BA 11 E0 86 80 00 50 56 C0 00 08. Therefore, the file '{E88950EF-12BA-11E0-8680-005056C00008}.dat' should be associated with this recovery store file. 3.3.2 The 'FrameList' Stream The format of the 'FrameList' stream is not entirely understood. Each open window is represented by 12 bytes of data in three 4-byte chunks. The first four bytes indicate the window number, shared with the # in the 'TS#' stream. The second four bytes were 0x00000001 in every case observed. The final four bytes of the first window entry varied between test platforms, whereas the final four bytes of each subsequent window entry remained 0x00000004 across all platforms. These final four bytes of the first window entry may be 0x50000085 on one computer, while they may be 0x00000005 on another computer under the same circumstances. While this changed between platforms, the final four bytes remained the same in most circumstances throughout recovery store files on a given computer.
It is possible to detect the use of InPrivate Browsing through the 'FrameList' stream by examining the least significant byte of the last 4 bytes of the first window entry. When InPrivate Browsing is used, bit 6 (0x40, decimal 64) of that byte is set. For example, if the last 4 bytes of the first window entry are 0x50000085 in a normal session (Figure 4), they will be 0x500000C5 when InPrivate Browsing is used (Figure 5). The 'FrameList' stream created by Internet Explorer 9 Beta also appears to include the GUID of the currently active tab for each window (Figures 6-7).
00 00 00 00 01 00 00 00 85 00 00 50
Figure 4 (FrameList Stream with Single Window from Internet Explorer 8)
00 00 00 00 01 00 00 00 C5 00 00 50
Figure 5 (FrameList Stream with Single Window from Internet Explorer 8 InPrivate Browsing)
Figure 6 (FrameList Stream with Multiple Windows from Internet Explorer 8)
Figure 7 (FrameList Stream from Internet Explorer 9)
3.3.3 The 'ClosedTabList' Stream The 'ClosedTabList' stream contains a list of the GUIDs of the tabs that were used in the browsing session but were closed prior to closing the entire window. These GUIDs are stored in the same format as those in the 'TS#' stream. Even when a tab is closed, the associated tab data file remains on the system until the user exits Internet Explorer (Figure 8).
Figure 8 (Sample 'ClosedTabList' Stream from Recovery Store File)

3.3.4 The '{0B00252A-8D48-4D0B-7B79887F2B96}' Stream

The '{0B00252A-8D48-4D0B-7B79887F2B96}' stream is a property set that usually contains three properties (Figure 9). The first common property in this property set has a numeric ID of 0x00000002 and a type value of VT_UI4 (4-byte unsigned integer). The value of this property is initially set to 0x00000005. When the browser crashes and the ACR files remain in the '\Active' folder, this value remains 0x00000005. When the browser closes without process failure and the ACR files are moved to the '\Last Active' folder, this value is 0x00000006.

The second common property in this property set has a numeric ID of 0x00000003 and a type value of VT_CLSID (CLSID). This value should be the same as the GUID of the recovery store file. The final common property in this property set has a numeric ID of 0x00000007 and a type value of VT_CLSID (CLSID). When the recovery store file is first created, this property contains the GUID of the recovery store file minus a value of 2 to 4 in the least significant nibble (for example, a value of 93E43B49-3931-11E0-8FE9-000C29EF1366 in 0x00000003 may correspond to a value of 93E43B46-3931-11E0-8FE9-000C29EF1366 in 0x00000007), meaning that this GUID was created 200 to 400 nanoseconds earlier than the GUID used as the file name. As mentioned previously, when Internet Explorer is closed by the user without process failure, the ACR files are removed from the '\Active' folder and recreated in the '\Last Active' folder. When this occurs, the 0x00000003 value will reflect the new GUID of the recovery store file, while the 0x00000007 value will reflect the previous GUID of the recovery store file as it existed in the '\Active' folder. Because these are time-based (version 1) GUIDs, the date/time the browsing session was opened and the date/time it was closed can be determined from these two values.
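The byte-order translation of the 'TS#' GUIDs, the InPrivate check on the 'FrameList' stream and the timestamps carried by the version 1 GUIDs of the property set can all be worked through in a few lines. The following Python is an added example written for this edit, not code from the paper or from RecoverRS; the sample streams are constructed from the values quoted in the text and in Figures 4 and 5, and the opened/closed mapping of properties 0x00000007 and 0x00000003 follows the description above.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Bit that Internet Explorer 8 sets in the low byte of the first window entry's
# third dword of the 'FrameList' stream when InPrivate browsing is active
# (0x50000085 in Figure 4 becomes 0x500000C5 in Figure 5).
INPRIVATE_FLAG = 0x40

# Start of the UUID version 1 clock (RFC 4122): 100 ns ticks since 1582-10-15.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def ts_stream_guids(stream: bytes) -> list:
    """Translate the 16-byte records of a 'TS#' stream into tab data file names.

    The first three fields are little endian and the last eight bytes are big
    endian, which is exactly the layout uuid.UUID(bytes_le=...) decodes.  The
    name is formatted as ########-####-####-############, the four-section
    form the paper uses for tab data file names.
    """
    names = []
    for off in range(0, len(stream) - len(stream) % 16, 16):
        h = uuid.UUID(bytes_le=stream[off:off + 16]).hex.upper()
        names.append("{%s-%s-%s-%s}.dat" % (h[0:8], h[8:12], h[12:16], h[16:32]))
    return names


def framelist_windows(stream: bytes) -> list:
    """Split an IE8 'FrameList' stream into (window number, second dword, flags)."""
    return [struct.unpack_from("<III", stream, off)
            for off in range(0, len(stream) - len(stream) % 12, 12)]


def is_inprivate(stream: bytes) -> bool:
    """True when the InPrivate bit is set in the first window entry's flags."""
    windows = framelist_windows(stream)
    if not windows:
        return False
    return bool((windows[0][2] & 0xFF) & INPRIVATE_FLAG)


def guid_v1_ticks(guid: str) -> int:
    """100 ns ticks since UUID_EPOCH embedded in a version 1 GUID."""
    u = uuid.UUID(guid)
    if u.version != 1:
        raise ValueError("not a time-based (version 1) GUID: %s" % guid)
    return u.time


def guid_v1_time(guid: str) -> datetime:
    """UTC date/time at which a version 1 GUID (an ACR file name) was generated."""
    return UUID_EPOCH + timedelta(microseconds=guid_v1_ticks(guid) // 10)


def session_times(prop_3: str, prop_7: str) -> tuple:
    """(opened, closed) for a session from the recovery store property set.

    After a clean exit, property 0x00000007 holds the GUID the file had in the
    '\\Active' folder (session opened) and 0x00000003 the GUID it was given in
    '\\Last Active' (session closed).
    """
    return guid_v1_time(prop_7), guid_v1_time(prop_3)


# Constructed samples: the TS0 record quoted in the text followed by a second,
# made-up record, plus the two 'FrameList' streams of Figures 4 and 5.
SAMPLE_TS0 = bytes.fromhex("EF5089E8BA12E0118680005056C00008"
                           "F05089E8BA12E0118680005056C00008")
SAMPLE_FRAMELIST_NORMAL = bytes.fromhex("000000000100000085000050")
SAMPLE_FRAMELIST_INPRIVATE = bytes.fromhex("0000000001000000C5000050")

if __name__ == "__main__":
    print(ts_stream_guids(SAMPLE_TS0))
    print(is_inprivate(SAMPLE_FRAMELIST_NORMAL), is_inprivate(SAMPLE_FRAMELIST_INPRIVATE))
    print(session_times("93E43B49-3931-11E0-8FE9-000C29EF1366",
                        "93E43B46-3931-11E0-8FE9-000C29EF1366"))
```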
One other property ID of interest is 0x00000005. If present, 0x00000005 should have a type value of VT_UI4 (4-byte unsigned integer). In testing, the only time this value appeared in the recovery store files was when InPrivate browsing was used, and on each occasion it contained a value of 0x00000001.

Figure 9 (The '{0B00252A-8D48-4D0B-7B79887F2B96}' Stream of a Recovery Store File as Viewed in CFX)

3.4 The Tab Data Files

The tab data files contain more detailed information about the history of each tab in a browsing session (Figure 10). As stated previously, one tab data file is created for each tab that is opened within the browsing session. Each tab data file contains a minimum of two streams: the 'TravelLog' stream and the '{0B00252A-8D48-4D0B-7B79887F2B96}' stream. Additional streams are created for each page that is loaded within the tab and follow the naming convention 'TL#', where # is a unique number starting at 0 and incrementing by 1 for each new page that is loaded. A 'TL#' stream is not always created until the next page is loaded. This will be discussed in more detail below.

Figure 10 (Tab Data File Streams as Viewed in CFX)

3.4.1 The 'TL#' Stream

The 'TL#' stream contains detailed information about each page that is loaded within the tab. The numbering for the 'TL#' streams starts at 0 and in most cases increments by 1 for each new page that is loaded, although in a few cases numbers appeared to be skipped. A 'TL#' stream is not always immediately created when a new page is opened within the tab. Consequently, one may encounter a tab data file that contains one less 'TL#' stream than it appears it should, or none at all if only one page was opened. If a 'TL#' stream is not created immediately, once the next page is loaded within the tab a 'TL#' stream will be created for the previous page.
If no 'TL#' streams are present, the URL of the first and only page opened will still be stored in the property set within the '{0B00252A-8D48-4D0B-7B79887F2B96}' stream discussed later. The information stored in these streams varies among pages. At minimum, the full URL and page title are stored at the beginning of the stream. Other data stored inside this stream can include additional frames that are loaded within the page, links to content within the page and default text within text boxes on the page, depending on the page content.

Viewing these streams in a hex editor, it is clear the streams contain a mix of Unicode strings and binary data. However, it is the Unicode strings that should interest us. The binary data may be a mix of information stored by Internet Explorer, data stored as part of the compound file format, or slack space within the compound file 'sector'. Because the Unicode and binary data are interleaved, a hex editor and CFX are not the most efficient means of examining these streams. FTK does an excellent job of extracting the Unicode data when the stream is viewed using the 'View Files in Filtered Text Format' option. A portion of a sample 'TL#' stream viewed using FTK's 'Filtered Text Format' option can be seen in Figure 11.
http://www.cnn.com/
CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News
http://www.cnn.com/
http://www.cnn.com/
http://www.cnn.com/
http://www.cnn.com/
http://www.cnn.com/?fb_xd_fragment#?=&cb=f29c9ce8c7e4408&relation=parent&transport=fragment&frame=f23f6a82334bd84
http://www.cnn.com/?fb_xd_fragment#?=&cb=f29c9ce8c7e4408&relation=parent&transport=fragment&frame=f23f6a82334bd84
#?=&cb=f29c9ce8c7e4408&relation=parent&transport=fragment&frame=f23f6a82334bd84
http://www.cnn.com/
http://www.cnn.com/?fb_xd_fragment#?=&cb=f29c9ce8c7e4408&relation=parent&transport=fragment&frame=f23f6a82334bd84
……
Figure 11 (Sample 'TL#' Stream Viewed Using FTK's 'Filtered Text Format' Option)

As shown in Figure 11, when viewed in this manner, the first line of the 'TL#' stream contains the full URL of the website. The second line contains the title of the website. Subsequent lines display additional information about page content as described above.

One additional artifact of interest noted in the 'TL#' streams is the behavior of Internet Explorer when a page is opened from a link on another page. In the example below (Figure 12), the search term 'Forensic Focus' was used in Google and the first search hit was opened in a new tab by right clicking and selecting 'Open in New Tab'. The URL http://www.google.com appears twice in the 'TL#' stream containing the information for the tab in which http://www.forensicfocus.com was opened. In addition, the full URL, including the search term used in Google, also appears in the stream.

http://www.forensicfocus.com/
Digital Forensics - Digital Forensics, Computer Forensic Training, eDiscovery
http://www.forensicfocus.com/
http://www.forensicfocus.com/
http://www.forensicfocus.com/
http://www.google.com/
http://www.forensicfocus.com/
http://www.google.com/#sclient=psy&hl=en&q=forensic+focus&aq=0&aqi=g4go1&aql=f&oq=&pbx=1&bav=on.2,or.&fp=ce4eb09fec0d07a5
….
<a href="http://www.forensicfocus.com" target="_blank"><img src="http://www.forensicfocus.com/images/other/forensicfocus-button.gif" alt="Forensic Focus" border="0" /></a>
http://www.google.com/
Figure 12 (Sample 'TL#' Stream Opened in New Tab)

These artifacts also appear if the link is opened within the same tab. While the location of this referring page information seems to vary slightly between pages, the last Unicode string always appears to be the URL of the referring page when the link is opened in a new tab, where applicable.

3.3.5 The 'TravelLog' Stream

The 'TravelLog' stream contains the tab's back/forward information. Data is stored as 4-byte little endian integers that indicate the order in which the 'TL#' information should be displayed when the user uses Internet Explorer's forward or back options. For example, if the user had navigated to three websites in a single tab, 'TL0', 'TL1' and 'TL2' streams should exist and the travel log may appear as it does in Figure 13.

Figure 13 (Sample 'TravelLog' Stream as Viewed in CFX)

As shown in Figure 13, the proper order of the 'TL#' information is 0x00000000, 0x00000001, 0x00000002. If property ID 0x00000004 in the '{0B00252A-8D48-4D0B-7B79887F2B96}' stream (discussed next), which contains the currently displayed page number, contained the value 0x00000001, the website from 'TL0' would be displayed in Internet Explorer's 'Previous' menu. The website from 'TL1' would be displayed as Internet Explorer's current page, while the website from 'TL2' would be displayed in Internet Explorer's 'Next' menu.

3.3.6 The '{0B00252A-8D48-4D0B-7B79887F2B96}' Stream

The '{0B00252A-8D48-4D0B-7B79887F2B96}' stream is a property set with the same GUID as that stored in the recovery store files; it usually contains three properties (Figure 14).
As with the recovery store files, the first common property in this property set has a numeric ID of 0x00000002 and a type value of VT_UI4 (4-byte unsigned integer). When the browser crashes and the ACR files remain in the '\Active' folder, this value is 0x00000005. When the browser closes without process failure and the ACR files are moved to the '\Last Active' folder, this value is 0x00000006. The second common property in this property set has a numeric ID of 0x00000003 and a type value of VT_LPWSTR (Unicode string). This value should be the current URL of the tab. The final common property in this property set has a numeric ID of 0x00000004 and a type value of VT_UI4 (4-byte unsigned integer). This value should contain the number of the active 'TL#' stream. For example, if the current page of the tab is that stored under the 'TL3' stream, property 0x00000004 should read 0x00000003. Other property IDs (0x00000007 and 0x00000008) were also occasionally seen in testing, and both had a type value of VT_UI4 (4-byte unsigned integer). At this time their significance is unknown.

Figure 14 (The '{0B00252A-8D48-4D0B-7B79887F2B96}' Stream of a Tab Data File as Viewed in CFX)

4. FILES OPENED IN INTERNET EXPLORER

Although the most common use for Internet Explorer is web browsing, Internet Explorer can also be used to view files on the local machine. As with web browsing, opening files from the local machine causes Internet Explorer to create recovery store and tab data files, although the information stored within obviously differs between local files and web browsing. One common example of such an action might be opening Multipurpose Internet Mail Extension (MIME) Hypertext Markup Language (MHTML) (.mht) or web archive files. MHTML files allow the user to save an entire web page and its resources to a single file, which can then be accessed offline at a later date or sent to another user.
The .mht format is the default format used by the 'Save as' function in Internet Explorer. Notable differences in the tab data file include property ID 0x00000003 in the '{0B00252A-8D48-4D0B-7B79887F2B96}' stream, which will store the full path of the file instead of the URL, and the data stored in the 'TL#' stream for the tab in which the .mht file was opened (Figure 15).

Users
Users
@shell32.dll,-21813
[[blinded]]
[[blinded]]
Desktop
Desktop
@shell32.dll,-21769
|
Google.mht
Google.mht
Google
Users
Users
@shell32.dll,-21813
john
john
Desktop
Desktop
@shell32.dll,-21769
|
Google.mht
Google.mht
mhtml:file://C:\Users\[[blinded]]\Desktop\Google.mht
file:///C:/Users/[[blinded]]/Desktop/Google.mht
mhtml:file://C:\Users\[[blinded]]\Desktop\Google.mht
…
Figure 15 (Sample 'TL#' Stream From .mht File)

As seen in Figure 15, the full path to the file, the page title and the user account, along with other information, are stored in the 'TL#' stream. Another instance in which a local file may be opened in Internet Explorer is when Internet Explorer is used as an image viewer. As with .mht files, property ID 0x00000003 in the '{0B00252A-8D48-4D0B-7B79887F2B96}' stream will store the full path of the file, and the 'TL#' stream will contain information similar to what is shown in Figure 15.

5. MALWARE

It is not uncommon for malware to open hidden Internet Explorer windows to access malicious sites, open command and control channels or simply increase the hit count of a website. On a test machine, we opened a hidden Internet Explorer window to http://www.google.com using the VB code "Shell Environ("programfiles") & "\Internet Explorer\iexplore.exe http://www.google.com", vbHide".
Analysis of the C:\Users\<user>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active directory revealed that the same artifacts were generated, with the same content, as when an Internet Explorer window was opened to http://www.google.com in the traditional manner.

Knowing how and where Internet Explorer stores and verifies ACR files also presents an interesting mechanism for redirecting users to malicious websites. By simply copying ACR files containing a malicious URL to the C:\Users\<user>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active directory and modifying the HKCU\Software\Microsoft\Internet Explorer\Recovery\Active registry key, the user will be prompted to restore the last browsing session to the malicious site.

6. DIFFERENCES BETWEEN INTERNET EXPLORER 8 AND 9

Very little has changed with Automatic Crash Recovery between Internet Explorer 8 and 9. Perhaps the single largest change took place in the 'FrameList' stream of the recovery store file. While the 'FrameList' stream in Internet Explorer 8 only contained a list of the window numbers, the 'FrameList' stream in Internet Explorer 9 also includes the GUIDs of the tab data file active for that window (Figure 16).

Figure 16 (FrameList Stream from Internet Explorer 9)

The only other significant change took place in the '{0B00252A-8D48-4D0B-7B79887F2B96}' stream of the recovery store and tab data files. While property ID 0x00000002 was initially set to 0x00000005 in Internet Explorer 8 and only reset to 0x00000006 when Internet Explorer was closed normally, this property appears to be set to 0x00000006 at all times in Internet Explorer 9.

7. ACR FILES IN UNALLOCATED SPACE

Only the most recently closed session information will remain in the '\Last Active' folder.
Once a more recent session is closed properly, the corresponding ACR files will be moved from the '\Active' folder to the '\Last Active' folder and the previous ACR files in '\Last Active' will be deleted. In order to obtain the most evidence from ACR files, it is vitally important to be able to find and carve them from unallocated space. The file header for the compound file is 0xD0 CF 11 E0 A1 B1 1A E1 (Microsoft, 2012a). However, since the compound file format is not unique to ACR files, searching only for this header will likely create a large number of false positives when searching unallocated space. Using other static fields in the file header, it is possible to reduce the number of false positives. Table 1 lists the static fields following the file signature and their byte offsets.

Table 1

Byte Offset   Name                          Value
0x0008        Header CLSID                  0x0000000000000000
0x0018        Minor Version                 0x003E
0x001A        Major Version                 0x0003
0x001C        Byte Order                    0xFFFE
0x001E        Sector Size                   0x0009
0x0020        Mini Stream Sector Size       0x0006
0x0022        Reserved                      0x000000000000
0x0028        Number of Directory Sectors   0x00000000

Using these static fields, we can build a search string of 0xD0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06 00 00 00 00 00 00 00 00 00 00 00. This 44-byte search pattern will reduce false positives, but will still locate most compound files. In all files reviewed, the first time the Unicode text 'http' appeared in the binary data was 2,500 to 3,500 bytes from the file header. The GUID of the ACR property sets, 0B00252A-8D48-4D0B-7B79887F2B96, appears to be unique to these files and will also help reduce false positives when searching.

Carving a compound file from unallocated space can be more complicated and time consuming than for other file types because of the random nature of the file format and the fact that it does not contain a file footer.
However, it is still possible to accomplish using information from the file header and the file's FAT. Offset 0x1C contains a 2-byte value indicating the sector size used in the compound file. This value should always be 0x0009, indicating 512 bytes (Figure 17).

Figure 17 (Sector Size)

Offset 0x2C contains a 4-byte value indicating the number of FAT sectors in the file (Figure 18) (Microsoft, 2012a). Each 512-byte FAT sector can address up to 128 sectors within the file; since each sector is 512 bytes, each FAT sector accounts for up to 65,536 bytes of a file. For example, if the value at offset 0x2C is 0x0002, the file must be larger than 65,536 bytes and smaller than 131,073 bytes.

Figure 18 (Number of FAT Sectors)

Offset 0x4C contains a 4-byte value containing the sector number of the first FAT sector (Figure 19) (Microsoft, 2012a). This can be converted to a byte offset using (sector number + 1) x 512. In this case, the first FAT sector begins at (3 + 1) x 512 = 2048, or 0x800. Since it has already been determined that this file contains only one FAT sector, the entire FAT must be located from 0x800 to 0x9FF (Figure 20).

Figure 19 (First FAT Sector Number)

Much like the FAT file system on storage media, the FAT of a compound file contains linked chains of sectors. Each 4-byte FAT entry will contain the next sector in the chain or a reserved value as seen in Table 2 (Microsoft, 2012a).

Table 2

Value                      Description
0x00000000 – 0xFFFFFFF9    Next Sector in Chain
0xFFFFFFFA                 Max Regular Sector Number
0xFFFFFFFC                 DIFAT Sector
0xFFFFFFFD                 FAT Sector
0xFFFFFFFE                 End of Chain
0xFFFFFFFF                 Unallocated Sector

To determine the total size of the file, we should count the number of bytes from the beginning of the FAT to the last allocated sector entry (Figure 20).
The file size must be the number of bytes from the beginning of the FAT to the last allocated sector entry, divided by 4 (because each FAT entry is four bytes), plus one (because the header is not included in the FAT), multiplied by 512 (the sector size). In other words, (Number of Bytes / 4 + 1) x 512.

Figure 20 (FAT)

In the example shown in Figure 21, there are 40 bytes from the beginning of the FAT to the last allocated sector, which indicates there are nine allocated sectors in this file. We should add one additional sector to include the header and multiply by 512 bytes, and the file size should be 5,120 bytes, which is confirmed by Windows. With the total file size known, it is now possible to carve the file from unallocated space.

Figure 21 (Allocated Sectors)

If offset 0x2C indicates the file contains more than one FAT sector (Figure 22), the Double-Indirect File Allocation Table (DIFAT) must be used (Figure 23). The DIFAT is a directory of all the FAT sectors in the compound file and their offsets (Microsoft, 2012a). Offset 0x4C, the 4-byte value containing the sector number of the first FAT sector mentioned previously, is actually DIFAT[0]. The last 432 bytes of the 512-byte header contain DIFAT[1] through DIFAT[108]. In the case of Automatic Crash Recovery files, no file should ever come close to requiring 109 DIFAT entries.

Figure 22 (Multiple FAT Sectors)

Because of the nature of compound files, every sector addressed by a FAT sector must be allocated before a new FAT sector is created. Accordingly, it is safe to assume that each FAT entry in every FAT sector except the last accounts for a fully allocated 512-byte sector within the file. For example, if offset 0x2C indicates there are two FAT sectors, one must be completely allocated. Therefore, the file contains at least 65,536 bytes ((512 / 4) x 512). The important entry in the DIFAT when determining the complete file size is the last entry.
Since the header indicated this file contains two FAT sectors, the last entry should be DIFAT[1], which can be confirmed by examining offset 0x50 (DIFAT[1]). This contains a value of 0x0000003B, and offset 0x54 (DIFAT[2]) contains the unused value 0xFFFFFFFF. 0x3B = 59; using the formula (sector number + 1) x 512, the second and final FAT sector should be located at offset 30,720, or 0x7800.

Figure 23 (DIFAT)

Once the last FAT sector has been located, calculating the file size contributed by the last FAT sector is done in the same manner as it was with only one FAT sector. We should count the number of bytes from the beginning of the last FAT sector to the last allocated sector entry (Figure 24), divide by 4 (because each FAT entry is four bytes), add one (because the header is not included in the FAT) and multiply by 512 (the sector size). In other words, (Allocated Sectors / 4 + 1) x 512.

Figure 24 (Second FAT Sector)

In the example shown in Figure 25, there are eight bytes from the beginning of the last FAT sector to the last allocated sector, which indicates there are two allocated sectors, accounting for 1,024 bytes of the file plus an additional 512 bytes for the header, for a total of 1,536 bytes. It was already determined that each prior FAT sector accounts for 65,536 bytes. In this case, there was only one prior FAT sector, so 65,536 bytes can be added to the 1,536 bytes of the last FAT sector and header. The final total in this case is 67,072 bytes, which is confirmed by Windows. This process can be expressed using the formula (((Total Number of FAT Sectors – 1) x 512 / 4) x 512) + ((Number of Bytes in the Last FAT Sector / 4 + 1) x 512). Using the previous example, the equation would be (((2 – 1) x 512 / 4) x 512) + ((8 / 4 + 1) x 512) = 67,072 bytes.
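The carving procedure of this section (the 44-byte header pattern from Table 1, the DIFAT walk, and the size computed from the last FAT sector) as an added Python example; it is not the paper's code nor RipRS. The image it scans is constructed inline to mirror the two-FAT example above (FAT sectors 3 and 0x3B, two entries used in the last one), and the size formula is the paper's, which assumes every FAT sector but the last is fully allocated.

```python
import struct

CFB_SIGNATURE = bytes.fromhex("D0CF11E0A1B11AE1")        # (Microsoft, 2012a)
SECTOR_SIZE = 512                   # sector shift 0x0009 in every ACR file
ENTRIES_PER_FAT = SECTOR_SIZE // 4  # 128 four-byte entries per FAT sector
DIFAT_ENTRIES_IN_HEADER = 109       # DIFAT[0] at 0x4C through DIFAT[108]
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF  # Table 2

# The 44-byte search pattern of Table 1: signature, 16-byte zero CLSID, minor
# version 0x3E, major version 3, byte order 0xFFFE, sector shift 9, mini
# sector shift 6, six reserved bytes and a zero directory sector count.
ACR_SEARCH_PATTERN = (CFB_SIGNATURE + bytes(16)
                      + struct.pack("<HHHHH", 0x003E, 0x0003, 0xFFFE, 0x0009, 0x0006)
                      + bytes(6) + bytes(4))


def find_candidate_headers(image: bytes) -> list:
    """Offsets in a raw image at which the 44-byte pattern occurs."""
    hits, pos = [], image.find(ACR_SEARCH_PATTERN)
    while pos != -1:
        hits.append(pos)
        pos = image.find(ACR_SEARCH_PATTERN, pos + 1)
    return hits


def sector_offset(sector: int) -> int:
    """(sector number + 1) x 512: sector 0 follows the 512-byte header."""
    return (sector + 1) * SECTOR_SIZE


def fat_sector_numbers(image: bytes, base: int) -> list:
    """FAT sector numbers listed in the header DIFAT, DIFAT[0] being at 0x4C."""
    num_fat = struct.unpack_from("<I", image, base + 0x2C)[0]
    difat = struct.unpack_from("<%dI" % DIFAT_ENTRIES_IN_HEADER, image, base + 0x4C)
    return [s for s in difat[:num_fat] if s != FREESECT]


def used_bytes_in_fat(image: bytes, base: int, fat_sector: int) -> int:
    """Bytes from the start of a FAT sector to the end of its last non-free entry."""
    entries = struct.unpack_from("<%dI" % ENTRIES_PER_FAT, image,
                                 base + sector_offset(fat_sector))
    used = 0
    for i, entry in enumerate(entries):
        if entry != FREESECT:
            used = (i + 1) * 4
    return used


def compound_file_size(image: bytes, base: int) -> int:
    """The paper's formula:
    ((nFAT - 1) x 512 / 4) x 512 + (bytes in last FAT / 4 + 1) x 512."""
    fats = fat_sector_numbers(image, base)
    full_fats = ((len(fats) - 1) * SECTOR_SIZE // 4) * SECTOR_SIZE
    last_fat = (used_bytes_in_fat(image, base, fats[-1]) // 4 + 1) * SECTOR_SIZE
    return full_fats + last_fat


def carve(image: bytes, base: int) -> bytes:
    """Cut the compound file starting at base out of the image."""
    return image[base:base + compound_file_size(image, base)]


def build_sample_image() -> bytes:
    """Constructed image (not from the paper): 1000 filler bytes, then a
    compound file laid out like the two-FAT example (FAT sectors 3 and 0x3B,
    two entries used in the last one), then unrelated trailing bytes."""
    header = bytearray(SECTOR_SIZE)
    header[:44] = ACR_SEARCH_PATTERN
    struct.pack_into("<I", header, 0x2C, 2)                  # two FAT sectors
    struct.pack_into("<109I", header, 0x4C, 3, 0x3B, *([FREESECT] * 107))
    sectors = [bytearray(SECTOR_SIZE) for _ in range(130)]   # sectors 0..129
    fat0 = [i + 1 for i in range(ENTRIES_PER_FAT)]           # fully allocated
    fat0[3] = fat0[0x3B] = FATSECT
    struct.pack_into("<128I", sectors[3], 0, *fat0)
    fat1 = [129, ENDOFCHAIN] + [FREESECT] * 126              # two entries used
    struct.pack_into("<128I", sectors[0x3B], 0, *fat1)
    return bytes(1000) + bytes(header) + b"".join(sectors) + b"\xAA" * 700


if __name__ == "__main__":
    img = build_sample_image()
    for off in find_candidate_headers(img):
        print("compound file at", off, "size", compound_file_size(img, off))
```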
Figure 25 (Second FAT Sector)

Since files carved from unallocated space will no longer be associated with their file names (their GUIDs), it will not be possible to associate the tab data files with their respective recovery store files.

8. RECOVERRS

Based on the research of Internet Explorer's Automatic Crash Recovery files, two command line applications were developed, called RipRS and ParseRS; collectively, these tools are known as RecoverRS. RipRS is designed to extract ACR files from a raw disk image using known decimal offsets. A list of known offsets can be obtained by using the search string discussed in the section above (titled 'ACR Files in Unallocated Space') in programs such as EnCase or FTK. Using these known offsets, RipRS uses the methodology discussed in that section to determine the compound file's size. RipRS first searches the compound file for the GUID that is unique to ACR files, then searches the ACR file for strings unique to either recovery store files or tab data files to determine the file type. Once RipRS has determined the ACR file type, the file is written to the output directory using the naming convention RecoveryStore.{offset<offset>}.dat or {offset<offset>}.dat for recovery store files and tab data files respectively.

ParseRS is designed to extract browsing information from ACR files, either those found on the system or those carved from unallocated space by RipRS. As mentioned previously, if ACR files are carved from unallocated space, information linking the tab data files with their respective recovery store files and some date/time information will be lost. RecoverRS can be downloaded from http://www.jtmoran.com/tools.

9. CONCLUSION

While the information recovered from the Automatic Crash Recovery files may not replace the bounty of information obtained from the cookies and the index.dat files of Internet Explorer, it provides yet another tool for examiners to retrieve valuable evidence. As the Automatic Crash Recovery files seem to be a lesser known source of information, these files may provide valuable data when other sources are not available, as well as supplementing information found in other locations.

REFERENCES

Leach, P., Mealling, M., & Salz, R. (2005, July). A Universally Unique IDentifier (UUID) URN Namespace (RFC 4122). Internet Engineering Task Force. Retrieved June 25, 2012, from http://www.ietf.org/rfc/rfc4122.txt

Microsoft Corporation. (2008, March). Automatic Crash Recovery: Windows Internet Explorer 8 Beta 1 for Developers. Retrieved June 25, 2012, from http://www.softwaretipspalace.com/whitepapers/microsoft/Automatic%20Crash%20Recovery.pdf

Microsoft Corporation. (2012a, March 28). [MS-CFB]: Compound File Binary File Format. Retrieved June 25, 2012, from http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcfa657e5900cd3/[MS-CFB].pdf

Microsoft Corporation. (2012b, March 28). [MS-OLEPS]: Object Linking and Embedding (OLE) Property Set Data Structures. Retrieved June 25, 2012, from http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcfa657e5900cd3/[MS-OLEPS].pdf

Parsonage, H. (2010, July). The Meaning of LIFE. Retrieved June 29, 2012, from http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf

ABOUT THE AUTHORS

John Moran received his Bachelor's Degree in Computer Forensics from Champlain College in 2011. He holds CFCE, EnCE, CCNA and CEH certifications. John currently works for the County of Cumberland, Maine as a Public Safety Software Specialist and is also a certified police officer.

Douglas A. Orr received his Ph.D. from Washington State University in Criminal Justice with a concentration in Political Psychology. He currently serves as an adjunct professor with Champlain College in their Master of Science in Digital Forensic Management Program. Dr. Orr is also a commissioned police detective assigned to the Special Investigations Unit of the Spokane Police Department in Spokane, Washington. He currently serves as their chief computer forensic examiner.

EXTRACTION OF ELECTRONIC EVIDENCE FROM VoIP: IDENTIFICATION & ANALYSIS OF DIGITAL SPEECH

David Irwin
University of South Australia, Australia

Arek Dadej
University of South Australia, Australia

Jill Slay
University of South Australia, Australia

ABSTRACT

The Voice over Internet Protocol (VoIP) is increasing in popularity as a cost effective and efficient means of making telephone calls via the Internet. However, VoIP may also be an attractive method of communication to criminals, as their true identity may be hidden and voice and video communications are encrypted as they are deployed across the Internet. This produces a new set of challenges for forensic analysts compared with traditional wire-tapping of the Public Switched Telephone Network (PSTN) infrastructure, which is not applicable to VoIP. Therefore, other methods of recovering electronic evidence from VoIP are required. This research investigates the analysis and recovery of digitised human voice, which persists in computer memory after a VoIP call. This paper outlines the ongoing development of a software tool whose purpose is to determine how remnants of digitised human speech from a VoIP call may be identified within a forensic memory capture, based on how the human voice is detected via a microphone and encoded to a digital format using the sound card of a personal computer.
This digital format is unencrypted whilst stored in Random Access Memory (RAM) before it is passed to the VoIP application for encryption and transmission over the Internet. Similarly, an incoming encrypted VoIP call is decrypted by the VoIP application and passes through RAM unencrypted in order to be played via the speaker output. A series of controlled tests were undertaken whereby RAM captures were analysed for remnants of digital audio after a VoIP audio call with known conversation. The identification and analysis of digital audio from RAM attempts to construct an automatic process for the identification and subsequent reconstruction of the audio content of a VoIP call.

This research focuses on the analysis of RAM captures acquired using X-Ways Forensics software. This research topic, guided by a Law Enforcement Agency, uses X-Ways Forensics to simulate a RAM capture which is achieved covertly on a target machine without the user's knowledge, via the Internet, during or after a VoIP call has taken place. The authors assume no knowledge of the technique implemented to recover the covert RAM capture and are asked to base their analysis on a memory capture supplied in the format of a file with a '.txt' extension. The methods of analysis described herein are independent of the acquisition method applied to the RAM capture. The goal of this research is to develop automated software that may be applied to a RAM capture to identify fragments of audio persisting in RAM after a VoIP call has been terminated, using time domain signal processing techniques and frequency domain analysis. Once individual segments of audio have been identified, the feasibility of reproducing audio from a VoIP call may be determined.

Keywords: Computer forensics, digital evidence, electronic evidence, Voice over Internet Protocol, VoIP, Random Access Memory, RAM, Fast Fourier Transform, Frequency Domain analysis

1. INTRODUCTION

Voice over Internet Protocol technology, called VoIP, is an attractive alternative to the Public Switched Telephone Network (PSTN) which may be appealing to criminals because of (1) VoIP being a global telephony service in which it is difficult to verify the user's personal identification, (2) the security of placing such calls, as many implementations use strong encryption to secure both the voice payload and control messages, and (3) monitoring or tracing such VoIP calls being difficult, since conventional methods such as wire-tapping are not applicable to VoIP calls. Therefore, other methods of recovering evidence and information from Voice over IP are required. It is essential that forensic computing researchers devise methods to allow law enforcement agencies to overcome some of the aspects of this method of telephony that are advantageous to criminals.

This research aims to develop automated software that may be applied to a RAM capture to identify fragments of audio persisting in RAM after a VoIP call has been terminated. An algorithm searches the RAM capture to identify audio-like samples displaying a symmetrical pattern similar to human voice. Digital signal processing techniques are then applied to the suspected audio fragments for analysis in the frequency domain, looking at the power spectrum of each sample. An introduction to digital signal processing techniques for forensic investigators is briefly given in section 3.

Voice over Internet Protocol Stack

This introduction provides an overview of the VoIP related protocols for the reader unfamiliar with this technology. VoIP is not a single protocol in itself but rather a collection of a number of co-existing protocols for the encapsulation and transport of voice packets over the Internet, referred to as the protocol stack.
The Internet Protocol (IP) (Postel, 1981) is responsible for providing the internet addresses in its internet header, allowing packets to be routed from their source to a destination IP address. The IP header format is shown in Figure 1.

Figure 1 – IP packet header format

The User Datagram Protocol (UDP) (Postel, 1980) is an unreliable transport protocol because it does not guarantee delivery of packets. However, due to its simplicity and ability to transmit packets immediately after they have been created, UDP is well suited to the requirements of VoIP. A single packet may carry in the order of tens of milliseconds of audio, and the human ear will not be able to detect the loss of packets until the threshold of human audibility is reached, of the order of several hundred milliseconds. The UDP header format is shown in Figure 2.

Figure 2 – IP/UDP stack showing the UDP packet header format

The research undertaken in this paper involves a series of experiments using the VoIP application Skype (2009), which makes use of the above mentioned protocols for Internet audio communications. To understand how human audio is converted to a packetised digital format contained within the payload of the IP packet, we briefly outline the common techniques employed in pulse code modulation (PCM). PCM is the technique whereby a digital value is assigned to the analogue value of a short sample of human audio.

1.2 Pulse Code Modulation

PCM is a technique used to digitally represent sampled analogue signals, to produce digital audio in computers and digital telephone systems. The frequency at which the analogue signal is sampled is termed the sampling rate: the number of times per second that a sample is taken. The quality of the sampled audio is determined by the sampling rate and the number of bits assigned to represent the digitised sample.
The more bits, often referred to as the bit depth, the more accurately the digital representation follows the analogue signal. Figure 3 demonstrates the digital representation of an analogue signal: the magnitude of the analogue signal is sampled at uniform intervals, and each sample is assigned to the nearest value within a range of digital steps, a process referred to as quantisation.

Figure 3 – 4-bit quantisation of an analogue signal (y-axis: bits, x-axis: time)

The original analogue signal, in this instance a sinusoid depicted as the red curve, is sampled at regular intervals in time. The corresponding 4-bit PCM value is determined by following an imaginary vertical line from the time axis until it intersects the sinusoid, then reading the digital value on the 'bits' axis along an imaginary horizontal line. The PCM value for the sample shown in the figure is '1101'.

Companding, a technique commonly deployed in digital telephony systems, compresses the dynamic range of the input signal before (or as part of) analogue-to-digital conversion, so that the available code words are spent more finely on the quiet samples that dominate speech and more coarsely on the loud ones. Figure 4a shows an analogue signal prior to compression, whereas Figure 4b shows the compressed signal. After compression, the signal is digitised for transmission in a suitable format for VoIP applications. Once the signal has been transmitted across the Internet and received at the destination, it must be expanded back to its original form. The International Telecommunication Union Telecommunication Standardization Sector (ITU-T) recommendations on speech coding, which standardise interoperability between telecommunications carriers, resulted in the G.711 codec (ITU-T G.711, 1972), which defines two companding laws, A-law (Europe) and µ-law (U.S.A.). The codec is dictated by the VoIP application if it is proprietary, or may be chosen by the user from a list.
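The following is an added worked example by the editor, not code from the paper or from any codec implementation: it applies the continuous ITU-T µ-law and A-law companding curves around a uniform quantiser, so the gain companding gives on quiet samples can be measured rather than read off Figure 4. The parameter values µ = 255 and A = 87.6, the 8-bit quantiser and the sample values used are assumptions; the segmented integer G.711 encoder that real codecs use is not reproduced.

```python
import math

MU = 255.0   # µ-law parameter (North American / Japanese G.711 variant)
A = 87.6     # A-law parameter (European G.711 variant)


def mu_law_compress(x):
    """Continuous µ-law companding curve for x in [-1, 1]: small amplitudes are expanded."""
    return math.copysign(math.log1p(MU * abs(x)) / math.log1p(MU), x)


def mu_law_expand(y):
    """Inverse of mu_law_compress."""
    return math.copysign(math.expm1(abs(y) * math.log1p(MU)) / MU, y)


def a_law_compress(x):
    """Continuous A-law curve: linear below 1/A, logarithmic above."""
    ax = abs(x)
    if ax < 1.0 / A:
        y = A * ax / (1.0 + math.log(A))
    else:
        y = (1.0 + math.log(A * ax)) / (1.0 + math.log(A))
    return math.copysign(y, x)


def a_law_expand(y):
    """Inverse of a_law_compress."""
    ay = abs(y)
    if ay < 1.0 / (1.0 + math.log(A)):
        x = ay * (1.0 + math.log(A)) / A
    else:
        x = math.exp(ay * (1.0 + math.log(A)) - 1.0) / A
    return math.copysign(x, y)


def quantise(x, bits):
    """Uniform mid-rise quantiser: x in [-1, 1] -> integer code in [0, 2**bits - 1]."""
    levels = 2 ** bits
    code = int(math.floor((x + 1.0) / 2.0 * levels))
    return max(0, min(levels - 1, code))


def dequantise(code, bits):
    """Centre of the quantisation step the code denotes, back in [-1, 1]."""
    levels = 2 ** bits
    return (code + 0.5) / levels * 2.0 - 1.0


def pcm_code(x, bits):
    """PCM code word as a bit string, as read off the 'bits' axis of Figure 3."""
    return format(quantise(x, bits), "0%db" % bits)


def quantisation_error(x, bits, compress=None, expand=None):
    """|reconstructed - original| for one sample, with or without companding around the quantiser."""
    if compress is None:
        return abs(dequantise(quantise(x, bits), bits) - x)
    return abs(expand(dequantise(quantise(compress(x), bits), bits)) - x)


if __name__ == "__main__":
    print("4-bit code for an assumed sample value of 0.7:", pcm_code(0.7, 4))
    for x in (0.01, 0.1, 0.9):
        print("x=%.2f  uniform=%.2e  mu-law=%.2e  A-law=%.2e" % (
            x, quantisation_error(x, 8),
            quantisation_error(x, 8, mu_law_compress, mu_law_expand),
            quantisation_error(x, 8, a_law_compress, a_law_expand)))
```

Running the script shows the trade companding makes: at 8 bits the error on a quiet sample (x = 0.01) drops by an order of magnitude under either law, while the error on a loud sample (x = 0.9) grows slightly, which is the right trade for speech, whose samples are mostly small.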
Figure 4a – Original signal (y-axis: amplitude, x-axis: sample index)

Figure 4b – After compressing (A-law)

1.3 Defining Digital Forensics

Digital forensics, as defined by Beebe, Clark, Deitrich, Ko and Ko (2011), is the extraction of data from digital devices (e.g. personal computers, mobile phones, digital cameras, networking devices, web/file/email servers etc.) to reconstruct events, confirm or refute allegations of criminal activity and/or obtain intelligence. Additionally, Yasinsac and Manzano (2001) define the digital forensic domain as the analysis of electronic devices for the purpose of discovering and retrieving information regarding the criminal use of technology. Within Australia, McKemmish (1999) describes digital forensic investigations with a four-phase model that is widely cited and considered seminal research within the domain: the Identification, Preservation, Analysis and Presentation (IPAP) of digital evidence. The results of activities performed upon digital evidence in order to retrieve information must be legally acceptable for court proceedings. The legal requirement of digital forensics, as defined by Civie and Civie (1998), is ‘the pursuit of knowledge by uncovering elemental evidence extracted from a computer in a manner suitable for court proceedings.’ The combination of legal and technical requirements must therefore be demonstrated in court: the phases of the digital forensic investigation, the analysis and the results, all in a manner acceptable to a court of law.
Carrier (2003) introduces a scientific approach to the definition of digital forensics methods, stating: ‘The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.’ By these definitions, the software tool described herein for the analysis and recovery of fragmented audio from a VoIP call cannot yet be called ‘forensic’. This paper nonetheless outlines what the tool has achieved so far and its suitability for assisting forensic investigators in the analysis of captured memory.

1.4 Memory Acquisition

In traditional forensic practice the memory capture takes place while the investigator is on-site, copying physical memory from the target machine to the investigator's destination disk or image file. The difference between ‘dead’ and ‘live’ acquisition is described below.

Dead Acquisition
– Occurs when the data from a suspect system is copied without the assistance of the suspect operating system.
– Historically, the term ‘dead’ refers to the state of the operating system only, so a dead acquisition can use the hardware of the suspect system as long as it is booted from a trusted CD or floppy.

Live Acquisition
– The suspect operating system is still running and is used to copy the data.
– The acquisition tool needs to be able to access ‘open’ files (files in use).
– Beneficial where an encrypted data volume is mounted, since its contents are available in the clear only while the system runs.
– On a compromised system there is the risk that the attacker has modified the operating system or other software to provide false data during acquisition.

Imaging a computer's hard disk can be a lengthy process. If the investigator saves the acquired data to a file, he/she must choose the image format:
– A raw image contains only the data from the source device, which makes it easy to compare the image with the source.
– An embedded image contains the data from the source device plus descriptive data about the acquisition: user-entered notes, hash values, dates and times.
– Some tools create a raw image and save the descriptive data to a separate file.
As most forensic tools support raw images, the raw image is the most flexible format. The freely available utility ‘dd’ (The Open Group, 2010), present on most operating systems, makes exact copies suitable for forensic analysis without the need for commercial forensic software. Note that dd can only copy what the operating system exposes as a device or file; whether physical memory is reachable this way (e.g. via /dev/mem) depends on the operating system and kernel, and modern systems largely restrict it, so dd is mainly suited to imaging disks.

1.5 Why RAM Acquisition?

Digital forensics tools play a vital role in reliably extracting information for analysis and presentation for industrial or legal purposes. These tools are typically used to investigate computer crimes by identifying evidence that can be of probative value in a court of law. Digital forensics tools are rapidly becoming a substantial part of investigations all over the world, in both the law enforcement and private sector domains (Hibishi, Vidor, & Cranor, 2011). Efficient examination of digital evidence would not be possible without the use of digital forensic tools. While analysis teams and technicians need an understanding of the scientifically derived processes and of the volatility of digital evidence, it is not feasible to interpret manually the volumes of evidence involved in a given case.
Both expert witnesses and digital forensic practitioners rely on a set of tools for interpreting digital evidence and for bridging the gap in understanding between the technical details of digital technologies and the evidence presented to a jury in court (Schatz, 2007). Because of the vast and complex variety of devices that digital forensics teams must analyse, many different tools exist, each suited to a particular class of device. These tools perform different roles, including acquisition, examination and analysis.

The use of RAM captures is most easily explained in terms of the increasing complexity of digital evidence sources and the growth in the capacity of storage media. Digital evidence complexity, the vast array of different evidence sources each with its own way of storing and retrieving data, increases the difficulty of forensic investigation. Similarly, the volume of digital evidence, i.e. the amount that digital forensics practitioners must preserve, analyse and present in a given case, is growing rapidly. Searching and comprehending large quantities of digital evidence is both difficult and time consuming. Key researchers within the domain identify these as pertinent issues for study (Casey, Gordon, & Leeson, 2005; Mohay, 2005). They may affect court proceedings through increased case backlogs and the inability of digital forensic investigation teams to complete cases in a reasonable period. The current tools and techniques used to analyse digital evidence are not scaling and adapting to the increased data volume or the complex array of devices now requiring analysis, and manual analysis remains commonplace throughout the digital forensics industry.
The Windows Forensic Analysis Toolkit (Carvey, 2007) discusses a remote response methodology whereby a series of commands is executed against a system across a network using a Windows batch file that holds the name or IP address of the target system and the username/password logon credentials. The batch file's commands are copied to and run on the target system, with the output saved in a file on the target machine. The only prerequisite for analysing the target machine in this way is the ability to log in to it remotely over the network. Two caveats apply: every tool executed on the target overwrites some of the volatile state under examination, so the order of volatility should govern what is collected first, and the credentials embedded in the batch file must be protected, since the file is a plaintext copy of a privileged logon. This research introduces novel techniques for the analysis of captured memory that address the key issues above, which have led law enforcement to choose ‘live’ RAM capture as a way of minimising the complexity and volume of data to be analysed.

1.6 X-Ways Forensics

The focus of this research is the analysis of the contents of RAM captures; it does not investigate memory acquisition techniques. No law enforcement agency supplied RAM captures from a target machine, so the researchers had to simulate a RAM capture using the computer forensics software X-Ways Forensics, as shown in Figure 5. The option exists to capture an individual running process and the RAM allocated to it, e.g. the VoIP application Skype, expanded in Figure 5b. However, to maintain the same conditions for each capture, the entire physical memory was captured, as shown in Figure 5a. The X-Ways Forensics RAM editor allows one to examine the physical RAM/main memory and the logical memory of a process (i.e. a program that is being executed), where all memory pages committed to a process are presented as one contiguous block. If one selects one of the listed processes, one may access either the so-called primary memory or the entire memory of this process, or one of the loaded modules.
The primary memory is used by programs for nearly all purposes. Usually it also contains the main module of a process (the EXE file), the stack and the heap. The ‘entire memory’ contains the whole logical memory of a process, including the part of memory that is shared among all processes, except system modules.

Figure 5a – Entire RAM (physical memory)

Figure 5b – Individual RAM processes, e.g. Skype

When one opens the local physical RAM, processes are listed in the directory browser, even hidden processes, with their timestamps and process IDs, and the memory address space of each can be viewed individually, with pages concatenated in the logical order seen by that process. The purpose of this research is not to use the powerful capability of the X-Ways Forensics RAM editor to reverse engineer captures and identify running processes, shown in Figure 6.

Figure 6 – Byte offsets within a RAM capture for modules and objects

2 METHODOLOGY & EXPERIMENTS

This research draws on the strengths of both quantitative and qualitative research approaches. It focuses on outcomes of practical use: the creation of knowledge that advances digital forensics based on tangible and measurable results. It strives for objectivity and measurability via controlled experiments using algorithms developed to recognise the pattern of human speech.

2.1 Baseline Experiments

X-Ways Forensics was installed on the target Windows XP virtual machine initiating the VoIP call, and the capture was taken after the VoIP call was terminated and the VoIP application closed down. The amount of RAM captured is 512 MB.
To reduce the possibility of false positives (identifying as suspect audio fragments that are in fact not audio) and false negatives (failing to identify fragments that are indeed suspect audio), the baseline experiment shown in Table 1 was performed before any audio was introduced.

Table 1 – Initial results from RAM capture analysis.
RAM capture  Detection method    Expected outcome  Actual outcome  Byte size  Segments
1            Visual inspection   No audio          Sinusoids       4096       24
2            Visual inspection   No audio          Sinusoids       4096       24
3            Visual inspection   No audio          Sinusoids       4096       24

The initial analysis technique involved displaying the byte values of RAM graphically and visually inspecting the RAM contents. This is a time consuming process but produced some unexpected results. No audio was introduced to the system; however, a sinusoidal pattern with an amplitude offset was detected in all three RAM captures tested, and the result was repeatable. The authors believe this to be the Windows XP sound that is played at system start-up, shown in Figure 7.

Figure 7 – Windows XP signature audio at start-up

The audio segments found resembled the one shown in Figure 8b, whereas Figure 8a displays the same sinusoid with no amplitude offset. This initial technique of establishing baseline knowledge of the RAM contents before introducing known audio fragments and a VoIP call is essential. Direct current (dc) offset is an electronics term for a signal displaced from zero; such an offset may be introduced by hardware such as a sound card.

Figure 8a – A sinusoidal signal (y-axis: amplitude, x-axis: sample index)

Figure 8b – A sinusoidal signal with amplitude (dc) offset
2.1 Introduce Known Audio

The next round of experiments involved introducing a known audio pattern into the RAM contents, still without a VoIP call. The audio was selected from the TIMIT corpus (Garofolo, Lamel, Fisher, Fiscus, Pallett, Dahlgren, & Zue, 1993), which provides speech data for acoustic-phonetic studies. These are 16-bit, 16 kHz time-aligned speech waveforms, i.e. the byte locations within the waveform have been identified for each uttered word and for the phonemes that constitute that word. The chosen phonetic sentence, known as ‘LDC93S1W’, is single-channel PCM. Five samples of audio extracted from the phonetic sentence, each 3000 bytes in size, were inserted at random locations in a RAM capture using the X-Ways hex editor. One segment of the known audio is shown in Figure 9.

Figure 9 – An audio extract from the known phonetic sentence inserted into RAM, showing the symmetrical nature of human voice (y-axis: amplitude, x-axis: sample index)

This experiment was repeated three times, each with a different ordering of the known audio segments and different locations within the RAM capture. The results are shown in Table 2.

Table 2 – The insertion of known audio patterns into RAM captures.
RAM capture  Detection method     Known audio sequence  Expected outcome  Actual outcome  Byte size  Segments
1            Automatic algorithm  ABCDE                 audio             ABCDE           3000       5
2            Automatic algorithm  CAEBD                 audio             CAEBD           3000       5
3            Automatic algorithm  DCEAB                 audio             DCEAB           3000       5

This set of experiments used the detection of known audio segments implanted in the RAM capture to test and develop an algorithm that detects the features of human audio. All inserted audio segments were detected, in the order in which they had been inserted into the RAM capture.
2.2 Introduce VoIP Call

The following experiments used the VoIP application Skype to make a call to the Skype Sound Test Service. The call was then terminated and a RAM capture performed on the computer that initiated the call, using X-Ways Forensics (2009). This was repeated after a lapse of 24 hours, during which the laptop on which the capture was performed was powered down to allow the RAM contents to dissipate. The audio analysis tool ESection (2010) was also used as the starting point for audio signal identification while VoIP calls were in progress. The VoIP calls were initiated, and the RAM captured, from inside a virtual machine (VM) running under VMware (2009); the amount of RAM subsequently captured and analysed can therefore be reduced by sizing the VM accordingly. (A capture taken on the host side, for instance from the memory file VMware writes when a VM is suspended or snapshotted, would avoid running the capture tool inside the guest at all, but that is not the approach taken here.) ESection is run outside the virtual machine, on the host supporting it. This prevents audio identified within the VM's RAM capture from being confused with the microphone input recorded by ESection: the ESection captures saved on the host cannot appear in the VM RAM capture. The ESection capture allows an algorithm to be developed, based on the magnitude and symmetry of the captured audio, for the type of signal that should be searched for within the VM RAM capture, as shown in Figure 10.

Figure 10 – Initial signed 16-bit sinusoidal signal (x-axis: No. of samples, y-axis: Amplitude)

Several of the sinusoid-like signals observed are believed to form part of the VoIP application's dialling tones rather than human speech. This is later confirmed by frequency domain analysis in Section 3.
The ESection capture allows us to develop an algorithm based on the properties of the captured audio, magnitude and symmetry, to identify the type of signal that should be searched for within the VM RAM capture, as shown in Figure 11.

Figure 11 – ESection audio capture (x-axis: No. of samples, y-axis: Amplitude)

This allows one to focus on the specific attributes of human speech within the ESection-captured signal in order to implement an algorithm that can automatically search a block of computer memory. By close inspection of the properties of captured human speech, such as changes in amplitude and symmetry, one can construct an algorithm that excludes signals that do not show the typical attributes of digitised human speech, namely symmetry and repetition of the waveform. The use of virtual machines allows a much smaller amount of virtual RAM to be captured, e.g. 512 MB as opposed to gigabytes. This may reduce the amount of human speech captured from the VoIP call, but the purpose of this research is to demonstrate that fragments suspected of being human speech can be identified by analysing a memory capture. The individual components of identified audio are typically 4096 bytes in length, and a sequence of these fragments must therefore be reconstructed to form one continuous piece of human speech before playable audio is obtained.

Suspected samples of digitised human speech are fragmented throughout physical memory because of the virtual address translation performed by the operating system, shown in Figure 12. The virtual address pages are linked to page table entries (PTEs), highlighted by the dashed line; the PTE contains the mapping from the virtual address to the physical address. The diagram highlights how three consecutive virtual pages of digitised human speech are mapped to three non-consecutive pages in physical memory (Solomon & Russinovich, 2005).
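The paper describes its time-domain detector only in outline. The following is an added example written by the editor, not the authors' software, of the screen that Sections 2.1 to 2.3 describe: each page-sized window of a capture is read as 16-bit PCM, the dc offset seen in the baseline captures (Figure 8b) is removed and reported, and a window is flagged when it is symmetric about that offset, has a zero-crossing rate plausible for speech, and does not jump from sample to sample the way random data or text does. The 16 kHz rate, the little-endian 16-bit layout and every threshold are assumptions; the capture the script scans is constructed inline and is not a RAM image.

```python
import math
import random
import struct

WINDOW_BYTES = 4096   # fragment size the paper reports (one 4 KiB page)
SAMPLE_RATE = 16000   # assumed rate of the 16-bit PCM being searched for (as for TIMIT)

# Acceptance bands are assumptions for this example, not the paper's thresholds.
ZCR_RANGE = (0.005, 0.35)   # zero crossings per sample: ~40 Hz fundamental .. well below random data (~0.5)
MAX_SMOOTHNESS = 1.0        # rms(sample-to-sample difference) / rms(signal); white noise gives ~1.41
MIN_BALANCE = 0.5           # smaller peak / larger peak after dc removal (the paper's "symmetry")


def window_features(chunk):
    """Time-domain features of one window interpreted as 16-bit little-endian PCM."""
    n = len(chunk) // 2
    if n < 64:
        return None
    samples = struct.unpack("<%dh" % n, chunk[:2 * n])
    mean = sum(samples) / n                      # dc offset, e.g. a sound-card bias
    centred = [s - mean for s in samples]
    rms = math.sqrt(sum(c * c for c in centred) / n)
    feats = {"dc_offset": mean, "rms": rms, "zcr": 0.0, "balance": 0.0, "smoothness": 0.0}
    if rms < 1.0:                                # silence or constant fill
        return feats
    pairs = list(zip(centred, centred[1:]))
    max_pos, max_neg = max(centred), -min(centred)
    feats["balance"] = min(max_pos, max_neg) / max(max_pos, max_neg)
    feats["zcr"] = sum(1 for a, b in pairs if (a < 0) != (b < 0)) / (n - 1)
    diff_rms = math.sqrt(sum((b - a) ** 2 for a, b in pairs) / (n - 1))
    feats["smoothness"] = diff_rms / rms
    return feats


def looks_like_audio(feats):
    """Speech-like: symmetric about its dc level, moderate zero-crossing rate, not noise-like."""
    if feats is None or feats["rms"] < 1.0:
        return False
    return (feats["balance"] >= MIN_BALANCE
            and ZCR_RANGE[0] <= feats["zcr"] <= ZCR_RANGE[1]
            and feats["smoothness"] <= MAX_SMOOTHNESS)


def scan_capture(capture, window=WINDOW_BYTES):
    """(offset, features) for every page-aligned window that passes the time-domain test."""
    hits = []
    for off in range(0, len(capture) - window + 1, window):
        feats = window_features(capture[off:off + window])
        if looks_like_audio(feats):
            hits.append((off, feats))
    return hits


# --- constructed test capture (not a real RAM image) ---------------------------------

def pcm16(samples):
    clipped = [max(-32768, min(32767, int(round(s)))) for s in samples]
    return struct.pack("<%dh" % len(clipped), *clipped)


def tone(freq, amp, n, dc=0.0):
    return [dc + amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


def voiced_like(f0, amp, n):
    """Three harmonics of f0 under a Hann-shaped envelope: a crude stand-in for a vowel."""
    out = []
    for i in range(n):
        env = 0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1))
        t = i / SAMPLE_RATE
        out.append(env * amp * (math.sin(2 * math.pi * f0 * t)
                                + 0.5 * math.sin(4 * math.pi * f0 * t)
                                + 0.25 * math.sin(6 * math.pi * f0 * t)))
    return out


def build_demo_capture(seed=1):
    rng = random.Random(seed)
    n = WINDOW_BYTES // 2
    return b"".join([
        bytes(WINDOW_BYTES),                                                    # zero-filled page
        (b"the quick brown fox jumps over the lazy dog " * 100)[:WINDOW_BYTES],  # ASCII text
        bytes(rng.getrandbits(8) for _ in range(WINDOW_BYTES)),                 # random fill
        pcm16(tone(440, 8000, n)),                                              # pure tone
        pcm16(tone(440, 8000, n, dc=3000)),                                     # tone with dc offset (Figure 8b)
        pcm16(voiced_like(150, 9000, n)),                                       # speech-like fragment
    ])


if __name__ == "__main__":
    for off, f in scan_capture(build_demo_capture()):
        print("0x%06x zcr=%.3f balance=%.2f smoothness=%.2f dc=%.0f"
              % (off, f["zcr"], f["balance"], f["smoothness"], f["dc_offset"]))
```

The script flags the three PCM pages and nothing else; the pure tone is flagged as well as the speech-like page, which is the behaviour Table 3 reports and the reason the frequency domain step of Section 3 is still needed.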
Figure 12 – x86 virtual address translation

2.3 X-Ways Analysis

The virtual machine consisted of a Windows XP operating system with the Skype VoIP application installed within it. A VoIP call to the Skype Sound Test Service was made and then terminated. X-Ways Forensics, installed within the virtual machine, was used to capture the 512 MB of RAM. While the call was in progress, the ESection audio capture software was also started on the host to record the audio input. This experimental set-up allowed the search of RAM as outlined above; in addition, the RAM was opened in the X-Ways hexadecimal editor and specific keywords were searched for, e.g. ‘Sound Test Service’. Figure 13a shows an extract from the hexadecimal editor for the search string ‘sound test service’, which produced 237 hits.

Figure 13a – X-Ways search hit for 'sound test service'

The bytes immediately following the ‘sound test service’ string were plotted and produced an audio signal extract, as shown in Figure 13b.

Figure 13b – 4096 bytes immediately following the search string (x-axis: No. of samples, y-axis: Amplitude)

Using a known Skype caller ID as a search string also allows the call information attributed to the VoIP call to be extracted, as shown in Figure 13c: the caller identities in raw XML format, the call initiator and timestamps. This uses the X-Ways hex editor to view the captured RAM and perform string searches. Not only does the software tool search for audio fragments; it can also retrieve information related to the VoIP call. Note that a plain string search finds only text stored uncompressed and in the searched encoding; a search for ‘sound test service’ as ASCII will not match the same text stored as UTF-16, so Windows captures are normally searched in both encodings.
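The metadata search above is a manual string search in a hex editor. As an added example (the editor's code, not the paper's tool), the following carves Skype ‘Messages’ INSERT fragments like the one reproduced in Figure 13c out of a raw capture, tolerating the truncated statement head seen there, splits the column list and the VALUES tuple with a quote-aware tokenizer (SQL strings with doubled-quote escapes, x'..' hex blobs, integers) and decodes the call timestamp. The sample capture is constructed around the text of Figure 13c with filler bytes around it; treating the timestamp column as Unix epoch seconds is an assumption (it decodes to 20 May 2011, which is consistent with the paper's date), and the 8 KiB look-ahead after each anchor is an arbitrary bound.

```python
import datetime
import re

# Constructed sample modelled on Figure 13c: the statement's leading "INSE" is missing, as in
# the figure, and the bytes around it are filler, not a RAM image.
SAMPLE_CAPTURE = (
    b"\x00" * 32 + b"\xff\x13filler\x00"
    + b"RT INTO Messages (id,is_permanent,convo_id,chatname,author,from_dispname,guid,"
    b"dialog_partner,timestamp,type,sending_status,body_xml,identities,reason,"
    b"participant_count,chatmsg_type,chatmsg_status,body_is_rawxml,pk_id,call_guid) "
    b"VALUES (164,0,30,'#david_t_irwin/$echo123;b4f208bd4c2c737c','david_t_irwin',"
    b"'davidirwin',x'61b6a47d0ab0894bca8bdb658307051d9bb9f2e42e126198a1aaeca2f68658fa',"
    b"'echo123',1305901540,30,2,'<partlist alt=\"\"><part identity=\"david_t_irwin\">"
    b"<name>davidirwin</name></part><part identity=\"echo123\"><name>Echo / Sound Test "
    b"Service</name></part></partlist>','echo123','',2,18,2,1,1160776592,"
    b"'f1676bd45b6963ef2522d976d59b3619');"
    + b"\x00" * 16
)

ANCHOR = b"INTO Messages ("   # survives even when the start of INSERT has been overwritten


def paren_group(text, open_idx):
    """(inner text, index after ')') for the group opened at open_idx, honouring SQL quotes."""
    depth, in_quote, i = 1, False, open_idx + 1
    while i < len(text):
        c = text[i]
        if in_quote:
            if c == "'":
                if text[i + 1:i + 2] == "'":       # doubled quote inside a string
                    i += 2
                    continue
                in_quote = False
        elif c == "'":
            in_quote = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i + 1
        i += 1
    return None, None


def parse_sql_values(text):
    """Tokenise a VALUES body into Python values: integers, 'strings' and x'..' hex blobs."""
    values, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c in " \t\r\n,":
            i += 1
        elif c == "'" or (c in "xX" and text[i + 1:i + 2] == "'"):
            is_blob = c != "'"
            i += 2 if is_blob else 1
            buf = []
            while i < n:
                if text[i] == "'":
                    if text[i + 1:i + 2] == "'":
                        buf.append("'")
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(text[i])
                i += 1
            s = "".join(buf)
            values.append(bytes.fromhex(s) if is_blob else s)
        else:                                      # bare token: integer (or NULL etc. kept as text)
            j = text.find(",", i)
            j = n if j < 0 else j
            token = text[i:j].strip()
            values.append(int(token) if token.lstrip("-").isdigit() else token)
            i = j
    return values


def carve_skype_messages(capture):
    """Every 'INTO Messages (...) VALUES (...)' fragment in the capture as a column->value dict."""
    records, start = [], 0
    while True:
        idx = capture.find(ANCHOR, start)
        if idx < 0:
            return records
        start = idx + 1
        window = capture[idx:idx + 8192].decode("utf-8", errors="replace")
        cols_text, after = paren_group(window, window.index("("))
        if cols_text is None:
            continue
        v = window.find("VALUES", after)
        p = window.find("(", v) if v >= 0 else -1
        if p < 0:
            continue
        vals_text, _ = paren_group(window, p)
        if vals_text is None:
            continue
        cols = [c.strip() for c in cols_text.split(",")]
        vals = parse_sql_values(vals_text)
        if len(cols) == len(vals):
            records.append(dict(zip(cols, vals)))


def call_summary(rec):
    """The call facts an investigator wants; the timestamp is assumed to be Unix epoch seconds."""
    when = datetime.datetime.fromtimestamp(rec["timestamp"], datetime.timezone.utc)
    return {
        "author": rec["author"],
        "partner": rec["dialog_partner"],
        "time_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "participants": re.findall(r'identity="([^"]+)"', rec["body_xml"]),
        "call_guid": rec["call_guid"],
    }


if __name__ == "__main__":
    for rec in carve_skype_messages(SAMPLE_CAPTURE):
        print(call_summary(rec))
```

The carver anchors on the table name rather than on INSERT because, as Figure 13c shows, the head of a statement left in memory is often already overwritten; anchoring on a later, longer literal costs nothing and survives partial overwrites.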
“RT INTO Messages (id,is_permanent,convo_id,chatname,author,from_dispname,guid,dialog_partner,timestamp,type,sending_status,body_xml,identities,reason,participant_count,chatmsg_type,chatmsg_status,body_is_rawxml,pk_id,call_guid) VALUES (164,0,30,'#david_t_irwin/$echo123;b4f208bd4c2c737c','david_t_irwin','davidirwin',x'61b6a47d0ab0894bca8bdb658307051d9bb9f2e42e126198a1aaeca2f68658fa','echo123',1305901540,30,2,'<partlist alt=""> <part identity="david_t_irwin"><name>davidirwin</name></part> <part identity="echo123"><name>Echo / Sound Test Service</name></part> </partlist>','echo123','',2,18,2,1,1160776592,'f1676bd45b6963ef2522d976d59b3619');”

Figure 13c – X-Ways extract of Skype VoIP call set-up to the Sound Test Service

The use of a programmed search algorithm is more efficient than a visual search. A number of possible segments of human speech have been identified based on amplitude and symmetry and displayed on a single graph for the user to inspect visually for the difference between a pure or amplitude-modulated sinusoidal trace and the trace typical of human speech. This reduces the search space of a RAM capture to a single point of investigative analysis, but it still requires human intervention in the form of visual inspection. Table 3 gives the number of suspect audio fragments detected from each VoIP call.

Table 3 – VoIP call to the Skype Test Call Centre made from inside a virtual machine.
RAM capture  Detection method     VoIP call  Expected outcome                                 Actual outcome                   Byte size  Segments
1            Automatic algorithm  Skype      dialling tone, automated voice & caller's voice  sinusoids & suspect human voice  4096       48
2            Automatic algorithm  Skype      dialling tone, automated voice & caller's voice  sinusoids & suspect human voice  4096       46
3            Automatic algorithm  Skype      dialling tone, automated voice & caller's voice  sinusoids & suspect human voice  4096       53

It would not be unreasonable to ask ‘why use the capture of memory for the purpose of obtaining audio; why not just capture the microphone input or speaker output directly?’
The capture of computer memory allows information to be retrieved that includes specific details of the use of VoIP applications, such as call identifiers, user names, dates and timestamps; the captured information may subsequently be used to testify to the authenticity of such a call having been made. The test of a known audio passage dissected into five segments of equal length and inserted into the RAM capture, as outlined in 2.1, yielded all five segments being detected. Five segments are easily re-assembled into their original form visually. However, the number of audio segments recovered from the VoIP call is significant, and they come from potentially three distinct sources: the VoIP application's dialling tone, the automated answering of the call by the Skype Sound Test Service, and the caller. Dialling tones are easily identified using the signal processing technique of frequency domain analysis, briefly introduced in Section 3; however, once the dialling tone is removed, two separate call streams still have to be identified. This requires an additional algorithm to interrogate the start and end bytes of each retrieved segment and attempt to find another segment that matches it, so as to form two separate streams of continuous audio.

Similarly, one may ask why the research focuses on a RAM capture without extending the search to the hard disk(s), given that pages are continually being swapped between physical memory and the page file on disk. The answer is simple: it was not within the remit of the law enforcement agency to require analysis of anything other than a perceived RAM capture, represented as a file with a ‘.txt’ extension. The analysis techniques described in this research are, however, easily extended to the hard disk(s), and to the information and files related to the transfer of virtual memory pages to a physical location on disk.

3. INTRODUCTION TO DIGITAL SIGNAL PROCESSING

Although information stored in RAM is paged by the Windows operating system, the information within each page, e.g. a fragment of human speech, is ordered sequentially in time. All the research so far has therefore taken place in the time domain, with graphical plots showing the signal samples (y-axis) in the order in which they were digitised and stored in memory. The main research theme is to demonstrate the ongoing development of an automatic audio search that identifies fragments of human speech. Having identified, from the RAM capture, a series of signal components that exhibit a symmetrical pattern (Figure 13b) based on the simple characteristics of human speech displayed in Figures 9 and 11, one can further remove composite sinusoidal signals unrelated to human speech by passing the sample values through a Fast Fourier Transform (FFT) and viewing the result in the frequency domain. The FFT is an algorithm for calculating the Discrete Fourier Transform (DFT), which decomposes a sequence of values, in this case the amplitudes of a suspected audio fragment, into components of different frequencies.

For comparison, how do other files, such as Word documents or Excel worksheets, appear when displayed graphically in the time domain? The technique employed displays the file on 50 graphs, each showing 4096 bytes. Each graph has a different starting point within the file: graph 1 (top row, first column) starts at byte 0 and displays the first 4096 bytes, graph 2 (top row, second column) starts at 1/50th of the file length and displays the next 4096 bytes, and so on for all fifty graphs; with one click of a button, all graphs advance by 4096 bytes. The Word document shown in Figure 14 was visually inspected and contained no similarities to composite sinusoids or audio fragments.
Figure 14 – Visual display of byte values for a Word document

Based on this visual inspection, no audio-like byte segments are detected, so none would be passed to the frequency domain for analysis. Note that the document tested is this paper itself. Similarly, for an Excel document, the file tested was the one containing the power spectrum plots, the sinusoids and the suspected audio fragments. Once again, a visual inspection of the file contents, displayed as a graphical plot of the bytes making up the file, revealed no audio-like fragments. The visual inspection of graphically displayed memory, as in Figure 14, was laborious, but it was the first step in searching for audio-like fragments and determining their properties for the development of the automatic algorithm.

3.1 Power Spectrum Analysis in the Frequency Domain

For the purpose of this research, the FFT code has been extracted (and adapted to suit) from Audacity (2011), a free cross-platform audio editor developed by a team of software developers, translators and documentation writers. Audacity contains the function ‘Plot Spectrum’, which analyses a section of audio and converts it to a graph of amplitude against frequency, using the FFT to provide, for each narrow band of frequencies, a value representing how much of those frequencies is present. This research builds on the code of the Audacity ‘Plot Spectrum’ function to analyse the portions of the RAM capture suspected of being fragments of audio. A fragment of a few thousand samples rarely contains a whole number of periods of each component, so a plain FFT smears each component's energy across neighbouring frequency bins, an effect termed spectral leakage (distinct from aliasing, which is the confusion of different frequencies caused by sampling too slowly and is addressed by the choice of sampling rate, discussed below). To reduce leakage, the FFT is applied in conjunction with a Hann window function to the suspected audio fragments in the time domain.
The code for the Hann window function is also taken from Audacity. The window multiplies the fragment by a raised-cosine curve that tapers smoothly to zero at both ends, so that the abrupt edges of the fragment do not themselves show up as spurious frequencies; when a longer signal is analysed, successive overlapping windows are slid along the input and an FFT is taken of each. The composite sinusoidal signal shown in Figure 10 produces the frequency domain plot shown in Figure 15, highlighting its composition from more than one frequency. A pure periodic sinusoid would display as a single frequency component.

Figure 15 – Frequency domain analysis of the sinusoidal signal: power spectrum (x-axis: Frequency (Hz), y-axis: Raw amplitude)

The FFT transforms the time domain signal into a frequency domain representation of that signal: a description of the distribution of the signal's energy as a function of frequency. The vocal range of human speech extends from approximately 70 Hz to 7 kHz; however, most of the information conveyed in human speech does not exceed 4 kHz. The modelling of human speech and the pronunciation of vowels, shown in Figure 16, indicates that the majority of the energy is concentrated below 4 kHz. Three different vocal tract shapes are shown corresponding, from top to bottom, to the vowels ‘ah’ (/a/), ‘ee’ (/i/) and ‘oo’ (/u/), and plotted alongside each tract shape is its spectrum. All three vowels have differing spectra because of the different vocal tract shapes. A variety of methods are being used to explore this mapping (Kawato, 1989; Saltzman & Munhall, 1989; Jordan, 1990). Nyquist's sampling theorem states that the sampling frequency must be at least twice the highest frequency to be represented; to represent speech content up to 4 kHz, a sampling frequency of 8 kHz therefore suffices for the digitised voice to represent the original signal correctly.
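The frequency domain step is described above in terms of Audacity's ‘Plot Spectrum’; the following is an added example by the editor, not code from the paper or from Audacity, that carries the same pipeline through in plain Python: Hann window, radix-2 FFT, power spectrum, discarding of the mirror half above half the sampling rate, peak picking, and the ‘most energy below 4 kHz’ test. It assumes 16-bit PCM at 16 kHz (as for the TIMIT material in Section 2.1; the 8 kHz rate of Figure 15 works with SAMPLE_RATE changed), and the three-way triage rule and the 0.5 % peak threshold are the editor's assumptions. The test signals are constructed; the two-tone case uses the 440 Hz and 485 Hz components reported for Figure 15.

```python
import cmath
import math
import random

SAMPLE_RATE = 16000       # assumed: 16-bit, 16 kHz PCM as for the TIMIT material in Section 2
SPEECH_BAND_HZ = 4000.0   # the paper's "most energy below 4 kHz" criterion
PEAK_THRESHOLD = 0.005    # assumed: a local maximum counts if >= 0.5% of the largest bin


def hann_window(n):
    """Symmetric Hann window; tapers the fragment ends to reduce spectral leakage."""
    return [0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]


def fft(x):
    """Radix-2 decimation-in-time FFT of a sequence whose length is a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n & (n - 1):
        raise ValueError("FFT length must be a power of two")
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def power_spectrum(samples):
    """|FFT|^2 of the Hann-windowed fragment, all N bins (so the mirror half is visible)."""
    spectrum = fft([s * w for s, w in zip(samples, hann_window(len(samples)))])
    return [abs(c) ** 2 for c in spectrum]


def one_sided(power):
    """Bins 0..N/2 (dc to half the sampling rate); the rest is the mirror image for real input."""
    return power[: len(power) // 2 + 1]


def bin_hz(k, n, fs=SAMPLE_RATE):
    return k * fs / n


def dominant_peaks(power, fs=SAMPLE_RATE, rel_threshold=PEAK_THRESHOLD):
    """(frequency, power) of local maxima in the one-sided spectrum above the threshold."""
    half = one_sided(power)
    floor = rel_threshold * max(half)
    return [(bin_hz(k, len(power), fs), half[k])
            for k in range(1, len(half) - 1)
            if half[k] >= floor and half[k] > half[k - 1] and half[k] >= half[k + 1]]


def band_energy_fraction(power, upper_hz, fs=SAMPLE_RATE):
    """Share of the one-sided spectral energy lying below upper_hz."""
    half = one_sided(power)
    total = sum(half)
    if total == 0.0:
        return 0.0
    return sum(p for k, p in enumerate(half) if bin_hz(k, len(power), fs) < upper_hz) / total


def classify(samples, fs=SAMPLE_RATE):
    """Crude triage (assumed rules): one or two peaks is a tone; several peaks with most energy
    below 4 kHz is speech-like; anything broadband is 'other'."""
    power = power_spectrum(samples)
    peaks = dominant_peaks(power, fs)
    if not peaks:
        return "silence"
    if len(peaks) <= 2:
        return "tone"
    if band_energy_fraction(power, SPEECH_BAND_HZ, fs) >= 0.9:
        return "speech-like"
    return "other"


# --- constructed test signals (not data from the paper) -------------------------------

def two_tone(f1, f2, n, fs=SAMPLE_RATE, amp=8000.0):
    return [amp * (math.sin(2 * math.pi * f1 * i / fs) + math.sin(2 * math.pi * f2 * i / fs))
            for i in range(n)]


def harmonic_series(f0, harmonics, n, fs=SAMPLE_RATE, amp=8000.0):
    """f0 plus harmonics with 1/k amplitudes: the spectral shape of a voiced sound."""
    return [amp * sum(math.sin(2 * math.pi * f0 * k * i / fs) / k for k in range(1, harmonics + 1))
            for i in range(n)]


def white_noise(n, seed=7, amp=8000.0):
    rng = random.Random(seed)
    return [rng.gauss(0.0, amp) for _ in range(n)]


if __name__ == "__main__":
    for name, sig in [("two tones 440/485 Hz", two_tone(440, 485, 2048)),
                      ("harmonics of 150 Hz", harmonic_series(150, 8, 2048)),
                      ("white noise", white_noise(2048))]:
        peaks = ["%.0f Hz" % f for f, _ in dominant_peaks(power_spectrum(sig))][:8]
        print(name, "->", classify(sig), peaks)
```

For the two-tone signal the full spectrum shows the pair of peaks near 440 Hz and 485 Hz and their mirror images just below the sampling rate, which is why `one_sided` discards the upper half before peaks are counted; at 8 kHz sampling those mirrors fall at the 7515 Hz and 7560 Hz reported for Figure 15.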
A pure sinusoid in the frequency domain will appear as a single spike, whereas the signal shown has two spikes at similar frequencies (440 Hz and 485 Hz) and also a mirror image of itself (7515 Hz and 7560 Hz), with even symmetry around the centre point of half the sampling frequency, 4 kHz.

Figure 16 – Energy distribution versus frequency of human speech.

The phenomenon of reflection around half the sampling frequency for periodic signals is counteracted by the software, which automatically removes the part of the spectrum for frequencies exceeding half the sampling frequency. The resulting spectrum can then be compared against frequency domain plots of sections of human speech, where most of the energy is concentrated below 4 kHz, e.g. as shown in Figure 17. Signals that do not fall within the pattern representing human speech can therefore be removed.

[Figure 17 plot: "Power Spectrum of section of human speech"; x-axis Frequency (Hz) 0 to 8000, y-axis Raw amplitude 0 to 1.5E+09]
Figure 17 - Frequency domain analysis of speech (x-axis: Frequency (Hz), y-axis: Raw amplitude)

The collection of signals that remain after the removal of non-speech signals, based on both time domain and frequency domain analysis, are believed to be fragments of human speech which have been digitised after processing by the sound card.

4. CONCLUSIONS & FUTURE WORK

The techniques described in this research have been applied only to RAM captures. The RAM captures discussed in the experimental setup were forensically acquired using X-Ways Forensics. The research has aimed to introduce novel techniques for the analysis of physical memory, such as graphical visualisation (albeit time consuming) and the development of automatic algorithms to identify possible audio fragments based on their symmetrical appearance.
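The windowing, FFT, mirror-image and cropping steps described in Section 3.1 can be followed end to end in a short script. The Python below is an added example written for this page; it is neither the paper's code nor Audacity's. It constructs the composite 440 Hz + 485 Hz sinusoid at the paper's 8 kHz sampling rate (the 4096-sample frame length and the 10% peak threshold are assumed values), applies a Hann window and a radix-2 FFT, exposes the mirrored peaks near 7515 Hz and 7560 Hz, and then discards everything above half the sampling frequency, as the paper's software does. It also checks the property that a pure sinusoid leaves a single peak while the composite leaves two.

```python
import cmath
import math

SAMPLE_RATE = 8000   # Hz: twice the 4 kHz speech limit, as in the paper
FRAME_LEN = 4096     # analysis frame length (assumed; must be a power of two)


def hann_window(n):
    """Symmetric Hann window of length n."""
    return [0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1)) for i in range(n)]


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def full_power_spectrum(samples, sample_rate=SAMPLE_RATE):
    """Hann-windowed power spectrum over all N bins (0 .. fs*(N-1)/N Hz).
    For real input the upper half mirrors the lower half, which is the
    7515/7560 Hz image of the 485/440 Hz pair described in the paper."""
    n = len(samples)
    windowed = [s * w for s, w in zip(samples, hann_window(n))]
    spec = fft(windowed)
    return [(k * sample_rate / n, abs(spec[k]) ** 2) for k in range(n)]


def crop_to_nyquist(spectrum, sample_rate=SAMPLE_RATE):
    """Discard bins above half the sampling frequency."""
    return [(f, p) for f, p in spectrum if f <= sample_rate / 2]


def spectral_peaks(spectrum, rel_threshold=0.1):
    """Frequencies (Hz) of local maxima holding at least rel_threshold of the
    strongest bin's power; the threshold keeps window sidelobes out."""
    strongest = max(p for _, p in spectrum)
    peaks = []
    for i in range(1, len(spectrum) - 1):
        f, p = spectrum[i]
        if (p > spectrum[i - 1][1] and p >= spectrum[i + 1][1]
                and p >= rel_threshold * strongest):
            peaks.append(f)
    return peaks


def synth_sinusoids(freqs_hz, n=FRAME_LEN, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a sum of unit-amplitude sinusoids.
    Stands in for a suspected audio fragment; no real RAM data is used."""
    return [sum(math.sin(2.0 * math.pi * f * i / sample_rate) for f in freqs_hz)
            for i in range(n)]


def is_single_tone(samples):
    """True when the cropped spectrum shows exactly one peak, i.e. a periodic
    sinusoid rather than a composite signal."""
    cropped = crop_to_nyquist(full_power_spectrum(samples))
    return len(spectral_peaks(cropped)) == 1


if __name__ == "__main__":
    composite = synth_sinusoids([440.0, 485.0])
    full = full_power_spectrum(composite)
    print("peaks before cropping:", [round(f, 1) for f in spectral_peaks(full)])
    print("peaks after cropping: ",
          [round(f, 1) for f in spectral_peaks(crop_to_nyquist(full))])
    print("440 Hz alone is a single tone:", is_single_tone(synth_sinusoids([440.0])))
```

With a 4096-sample frame the bin spacing is 8000/4096, just under 2 Hz, so the reported peaks land within a bin of 440, 485, 7515 and 7560 Hz. The Hann window is what keeps the two close tones separable: it lowers the leakage sidelobes of each tone far below the 10% threshold, so only the genuine spectral lines survive as peaks.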
The use of visual inspection aimed to review the full RAM capture visually in order to avoid developing an algorithm that would detect false positives and omit false negatives. This was aided by the introduction of known segments into the RAM capture, outside of a VoIP call, to test the detection properties of the algorithms. The use of digital signal processing techniques to view possible audio fragments in the frequency domain is also novel. However, this research is ongoing, to develop further algorithms that will inspect the leading and trailing edges of the suspect audio fragments to see if they can be joined together to identify different call streams and form continuous segments of audio. Once segments of continuous audio have been reconstructed, it is anticipated that they would provide a high degree of probability that a particular individual has had access to a specific computer and made a VoIP call, by matching their voice against the recovered audio from memory.

5. ACKNOWLEDGEMENTS

The authors would like to acknowledge the support of the Australian Research Council in this work via Linkage Grant LP0989890 and additional scholarship contributions from the Australian Federal Police.

REFERENCES

Audacity (2011, June 19). Audacity application downloaded. Retrieved from http://audacity.sourceforge.net
Beebe, N.L., Clark, J.G., Deitrich, G.B., Ko, M.S., & Ko, D. (2011, November). Post-retrieval search hit clustering to improve information retrieval effectiveness: Two digital forensics case studies. Decision Support Systems, 51(4), 732-744.
Carrier, B. (2003, Winter). Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers. The International Journal of Digital Evidence, 1(4). Retrieved from http://www.digitalevidence.org/papers/ijde_define.pdf
Carvey, H. (2007). Windows Forensic Analysis DVD Toolkit. Burlington, MA: Syngress Publishing.
Casey, E., Gordon, G., & Leeson, L. (2005, February). Origins and Progress. Digital Investigation, 2(1), 1-2.
Civie, V., & Civie, R. (1998). Future Technologies from Trends in Computer Forensic Science. Presented at the Forensic Science in Trial - Seventh Report of Sessions, London: House of Commons.
ESection (2010, November 5). ESection application downloaded. Retrieved from http://www.phon.ucl.ac.uk/resources/sfs/esection
European Telecommunications Standards Institute (ETSI). (2001). Telecommunication Security - Lawful Interception - Issues on IP Interception. TR 101 944 V1.1.2.
Garofolo, J.S., Lamel, L.F., Fisher, W.M., Fiscus, J.G., Pallett, D.S., Dahlgren, N.L., & Zue, V. (1993). TIMIT Acoustic-Phonetic Continuous Speech Corpus. Linguistic Data Consortium.
Hibishi, H., Vidor, T., & Cranor, L. (2011). Usability of Forensics Tools: A User Study. In Proceedings of the 2011 Sixth International Conference on IT Security Incident Management and IT Forensics (IMF), pp. 81-91.
Hornig, C. (1984). A Standard for the Transmission of IP Datagrams over Ethernet Networks. IETF RFC 894.
Jordan, M. (1990). Motor learning and the degrees of freedom problem. In M. Jeannerod (Ed.), Attention and Performance XIII, pp. 221-229. Hillsdale, NJ: Erlbaum.
Kawato, M. (1989). Motor theory of speech perception. In Proceedings of the 8th Symposium on Future Electron Devices, pp. 141-150.
Keller, E. (1994). Fundamentals of Speech Synthesis and Speech Recognition. Chichester: John Wiley & Sons.
McKemmish, R. (1999, June). What is Forensic Computing? The Australian Institute of Criminology.
Mohay, G. (2005). Technical Challenges and Directions for Digital Forensics. In Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE), Washington, D.C.
Pirani, G. (1990). Advanced Algorithms and Architectures for Speech Understanding. London: Springer-Verlag.
Postel, J. (1980). User Datagram Protocol. IETF RFC 768.
Postel, J. (1981). Internet Protocol. IETF RFC 791.
Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., & Schooler, E. (2002). SIP: Session Initiation Protocol. IETF RFC 3261.
Saltzman, E.L., & Munhall, K.G. (1989). A dynamic approach to gestural patterning in speech production. Ecological Psychology, 1(4), 333-382.
Schatz, B. (2007). Digital Evidence: Representation and Assurance. Information Security Institute, Queensland University of Technology.
Schulzrinne, H., Casner, S., Frederick, R., & Jacobson, V. (2003). RTP: A Transport Protocol for Real-Time Applications. IETF RFC 3550.
Solomon, D., & Russinovich, M. (2005). Microsoft Windows Internals, 4th ed. Seattle, WA: Microsoft Press.
Skype. (2009, August 22). Skype application downloaded. Retrieved from http://www.skype.com
The Open Group. (2010). DD. Retrieved from http://pubs.opengroup.org/onlinepubs/009604499/utilities/dd.html
VmWare. (2009, July 15). VM Workstation application downloaded. Retrieved from http://www.vmware.com
X-Ways Forensics. (2009, July 18). X-Ways Forensics application downloaded. Retrieved from http://www.x-ways.net
Yasinsac, A., & Manzano, Y. (2001, June). Policies to enhance computer and network forensics. IEEE Workshop on Information Assurance and Security.

TO LICENSE OR NOT TO LICENSE UPDATED: AN EXAMINATION OF STATE STATUTES REGARDING PRIVATE INVESTIGATORS AND DIGITAL EXAMINERS

Thomas Lonardo
Gabelli College of Business, Roger Williams University, One Old Ferry Road, Bristol, RI 02809
Phone: 401-254-3580, E-mail: [email protected]

Doug White
FANS Center, School of Justice Studies, Roger Williams University, One Old Ferry Road, Bristol, RI 02809
Phone: 401-254-3165, E-mail: [email protected]

Alan Rea
Haworth College of Business, Western Michigan University, 1903 West Michigan Avenue, Kalamazoo, MI 49008-5412
Phone: 269-387-1444, E-mail: [email protected]

ABSTRACT

In this update to the 2009 study, the authors examine statutes that regulate, license, and enforce investigative functions in each US state. After identification and review of Private Investigator licensing requirements, the authors find that very few state statutes explicitly differentiate between Private Investigators and Digital Examiners, but do see a trend of more states making some distinction. The authors contacted all state regulatory agencies where statutory language was not explicit and, as a result, set forth the various state approaches to professional Digital Examiner licensing. As was the case in the previous two iterations of this research, the authors conclude that states must differentiate between Private Investigator and Digital Examiner licensing requirements and oversight.

Keywords: Digital Examiner, Computer Forensics, State Statutes, Private Investigator, Licensing Requirements

1. INTRODUCTION

1.1 Historical Background

In the United States (US), state statutes set the guidelines for identification, oversight, and licensing of various investigative functions. Many years ago, some states passed legislation to manage commercial police and security specialists who undertook roles similar to officers of the court but who did not, and never had, hold badges.
In most statutes these individuals are identified as Private Detectives, Private Investigators (PI), or security officers. However, these state statutes were written in a period when not all areas of highly technical investigation, such as Digital Examination and Computer Forensics, existed. Hence, we see confusion among state statutes regarding the role of these new investigative professionals. For example, many statutes commonly define all investigators as "someone who attempts to prove the truth or falsity of a statement." Unfortunately, this language is so broad that it allows the inclusion of virtually any investigative profession, including Digital Examiners (DE), who routinely examine systems and media to provide investigative evidence. This situation is problematic for all involved. Some states, such as Texas, have gone so far as to interpret investigation to include computer technicians and computer repair personnel (Kramer, 2009). This may complicate matters and prevent individuals from working, as they may not be able to obtain the license given the requirements of that state. Many organizations continue to address this disconnect between statutes and new forms of digital and computer forensic investigation. The American Bar Association issued an opinion in which it specifically urges states to recognize that Digital Forensics, and by extension the Digital Examiner, is a separate field. Moreover, it argues that DEs and other similar technical investigative professions, such as penetration testers, should not be required to obtain a PI license (ABA, 2009). In our previous studies (Lonardo, White, & Rea, 2008, 2009) we reported that state legislatures appeared to be giving additional attention to this issue due to the controversy surrounding licensing. Since our last review in 2009, there has been some movement both in those states that have reported that no license is required and in those that report a license is required.
Georgia has codified the licensing requirement for Digital Examiners under its PI statute, as did Maine (although Maine's statute is somewhat contradictory, as discussed in Section 2.4). South Carolina attempted to amend, and Virginia amended, its statutes to exclude Digital Examiners. Illinois issued an opinion letter (dated 7-12-10) stating that no PI license is required.

1.2 Addressing the Situation

In our original paper (Lonardo et al., 2008), we examined how each state, as well as Washington DC, interpreted and implemented Digital Examiner licensing. We found that the licensing requirements can create a conflation between DE activities and PI licensing requirements that may be detrimental to both if not correctly interpreted and implemented. In the requirements we routinely discovered interpretations of language permitting any sort of security task (e.g., Penetration Testing) to be part of the PI realm. As mentioned earlier, some states have gone beyond this standard to begin including other areas as well. Moreover, the requirements are diverse. In some states there are no licensing requirements for Private Investigators, while in others the profession is governed by statute and/or regulatory bodies charged with oversight and licensing. In some statutes, requirements are implicitly defined; in others the roles of DE and PI are either conflated or distinguished; and in others there is no guidance whatsoever. These disparities cause confusion and hinder attempts to identify and license qualified professionals. It must be granted that Digital Examiner is a relatively new profession, but we have found that many states determine how the profession is regulated. Unfortunately, many states default to their PI licensing boards to do so. This is a matter of procedure, since it allows them to combine all professional investigative licensing requirements.
We see many repercussions resulting from this decision, such as the lawsuit filed in Texas by computer repair technicians who claim that it prevents them from being able to work, since they cannot obtain the license based on the diverging requirements of the two professions (Rife, 2007). In this paper, we update our original study (Lonardo et al., 2008), which provided the first set of responses from the state boards, and discuss changes from our follow-up paper (Lonardo et al., 2009). We first review statutes for amendments and changes, analyze and interpret existing regulations, then discuss the results of our third round of requests to state agencies for statute interpretations. We caution that we do not offer legal advice to practitioners; however, we do offer a starting point from which practitioners can make informed decisions about licensing in their state and take action accordingly. Moreover, we must stress that state legislation and statutes are continually changing because of new legal interpretations and other changes in agency perspectives. Subsequent research will follow as we track the evolution of state licensing statutes. We have also created a Twitter feed called pilaws (White, Lonardo, & Rea, 2012) to provide interim updates during the course of the year between paper updates. We encourage interested parties to follow and contribute.

2. METHODOLOGY

2.1 STUDY APPROACH

To retain consistency, we use our original definition of a Digital Examiner as a means of posing questions to the states:

A Digital Examiner deals with the extracting, gathering and analyzing of data from a computer or computers, networks, and other digital media, with subsequent preparation of reports and opinions on this media for evidentiary or other stated purposes such as data/digital security, audit, or assessment. (Lonardo et al., 2008)

We also use all of the reviewed state statutes from our 2009 paper (Lonardo et al., 2009) as a starting point for this research. The state statutes were first examined for any legislative updates, including those states where there was no apparent licensing requirement for Private Investigators as noted in Lonardo et al. (2008, 2009). Additionally, the statutes were then scrutinized to determine whether the PI licensing statutes were contained in the typical "business regulation" statutory titles, as found in the vast majority of states. Unless the statute clearly exempted the DE from a licensing requirement or there was no apparent PI licensing requirement at all, the appropriate regulatory body was contacted by email or postal mail, with a follow-up by phone if the mail-based methods were not successful in obtaining a response. Those bodies that had provided a response for the 2009 paper were asked whether their position had changed from the preceding year, and those that had not responded previously were sent the full inquiry letter shown in Figure 1.

Dear ________________

I am researching the requirements of various Private Investigator/Detective licensing requirements relating to Digital/Computer Forensic Examiners. I reviewed the ______ statute; however, I did not see any exclusion in the statute relating to whether a Private Investigator/Detective license is required for Digital/Computer Forensic Examiners. The role and activities of a Digital/Computer Forensic Examiner may include:

Acquiring data from a computer
Examining that data and opining on content
Processing that data to obtain information to answer questions
Processing that data to prepare it as evidence

In short, the activities of a Digital/Computer Forensic Examiner deal with the extracting, gathering and analyzing of data from a computer or computers and preparing reports on the same. For example, if a government agency or private concern hires a digital examiner to determine if the information on a computer was used for fraudulent or inappropriate purposes, the examiner will extract the information from a computer or computers and make an assessment to that end.

I would greatly appreciate it if you could let me know:
1) What the position of the State of ______ is relating to the question as to whether a Private Investigator/Detective license is required for the aforementioned activities of a Digital/Computer Forensic Examiner
2) If a rule or regulation exists covering this area
3) If this issue has been settled by a hearing of the Licensing Board, could you please send me the official decision/position of the Board.

Figure 1: Inquiry letter sent to state regulatory bodies

All requests were sent via email when this was possible, which allowed for ease of contact, simplification of analysis, and a record of the provided response. Inquiries were conducted from July 2010 to June 2011 because many legislative sessions conclude in April or May and resume in September or October. Our survey time frame is therefore best suited to the analysis with regard to likely changes in the state statutes. It is worth noting that each state manages these regulating bodies in differing ways, and thus we use the term "regulatory body" to describe the various entities (e.g., Protective Services Board, Department of Public Safety, etc.). As in our previous research (Lonardo et al., 2008, 2009), when we advocated an opinion, we based it solely on the language contained in the state's code. For example, if a state used language such as "to prove the truth or falsity of a statement," or "performing investigations for the court," or similar language, we classified our opinion as "likely required." Other states used strong exclusionary language without being specific, such as "exceptions include engineers and scientists."
When we encountered language of this kind, implying scientific investigation, we classified our opinion as "likely not required." As in the past, all of the opinions are subjective and based on our reading of present state codes and the continuation of those opinions from the 2008 and 2009 papers. As our study demonstrates, state regulatory bodies have varying opinions; language is subject to varying interpretations, and in cases where we did not receive responses from state officials, our opinion should be taken in the same context.

2.2 Examination of Language Used

Lonardo et al. (2008, 2009) provide a review of the language typical of the various states. Still, we offer some brief samples here to illustrate the challenges faced when determining how a particular state statute applies to the licensing question. Figure 2 provides an illustration from Arizona. The Arizona Statute Title 32 § 2410 defines a Private Investigator:

"Private investigator" means a person other than an insurance adjuster or an on-duty peace officer as defined in section 1-215 who, for any consideration, engages in business or accepts employment to:
(a) Furnish, agree to make or make any investigation for the purpose of obtaining information with reference to:
(i) Crime or wrongs done or threatened against the United States or any state or territory of the United States.
(ii) The identity, habits, conduct, movements, whereabouts, affiliations, associations, transactions, reputation or character of any person or group of persons.
(iii) The credibility of witnesses or other persons.
(iv) The whereabouts of missing persons, owners of abandoned property or escheated property or heirs to estates.
(v) The location or recovery of lost or stolen property.
(vi) The causes and origin of, or responsibility for, a fire, libel, slander, a loss, an accident, damage or an injury to real or personal property.
(b) Secure evidence to be used before investigating committees or boards of award or arbitration or in the trial of civil or criminal cases and the preparation therefor.
(c) Investigate threats of violence and provide the service of protection of individuals from serious bodily harm or death.

Figure 2: Arizona Statute Title 32 § 2410

Similar language is found in Texas, as seen in Figure 3:

Sec. 1702.104. INVESTIGATIONS COMPANY. (a) A person acts as an investigations company for the purposes of this chapter if the person:
(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:
(A) crime or wrongs done or threatened against a state or the United States;
(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;
(C) the location, disposition, or recovery of lost or stolen property; or
(D) the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;

Figure 3: Texas Occupations Code Title 10 § 1702.104 (a) excerpt

As noted earlier in our discussion, Texas has extended this code to include specifics regarding computer technology, as seen in Figure 4. This has caused some contention among computer-based business owners and technicians.

(b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.

Figure 4: Texas Occupations Code Title 10 § 1702.104(b)

The Connecticut statute under Chapter 534 Sec. 29-152u (4) defines a PI in almost the same terms as the Arizona statute:

"Private detective" means any person engaged in the business of, or advertising as engaged in the business of (A) investigating crimes or civil wrongs, (B) investigating the location, disposition or recovery of property, (C) investigating the cause of accidents, fire damage or injuries to persons or to property, except persons performing bona fide engineering services, (D) providing the personal protection of individuals, (E) conducting surveillance activity, (F) conducting background investigations, or (G) securing evidence to be used before a court, board, officer or investigation committee;

Figure 5: Connecticut statute under Chapter 534 Sec. 29-152u (4)

However, under Connecticut's statutory language, the regulator we contacted noted that a PI license, and by extension a Digital Examiner license, is not required. We have found that this open-ended interpretation has resulted in many states interpreting the Digital Examiner role and profession disparately and inconsistently. Vague language and diverse interpretation are still the norm, as with the language used to determine licensing requirements in Nebraska's statute (Neb. Rev. Stat. § 71-3201):

(6) Private detective shall mean any individual who as a sole proprietor engages in the private detective business without the assistance of any employee;
(8) Private detective business shall mean and include any private business engaged in by any person defined in subdivision (4) of this section who advertises or holds himself or herself out to the public, in any manner, as being engaged in the secret service or private policing business;

Figure 6: Nebraska Rev. Stat. § 71-3201

Under Nebraska's statute, a private detective is one who is "engaged in the secret service or private policing business."
However, neither the functionality in Arizona's nor in Connecticut's statute is incorporated into the language of the Nebraska statute. Thus, in Nebraska's opinion, a license is not required. However, we did find that Nebraska's Chapter 1 § 002 of the "Rules & Regulations for Private Detective, Plain Clothes Investigators and Private Detective Agencies" does explain the profession's functionality in greater detail, even though it is not as specific as others we examined:

002. Secret service or private policing business shall mean and include: general investigative work; non-uniformed security services; surveillance services; location of missing persons; and background checks.

Figure 7: Nebraska Chapter 1 § 002

2.3 Exemptions in the Language

We must point out that a number of the state statutes did not need interpretation because they listed exemptions to the PI licensing requirement. Most, if not all, of these exemptions would exclude a Digital Examiner from PI licensing requirements, but perhaps not from other professional licensing requirements (e.g., State Bar Exam) or certification (e.g., CPA). However, for 21 of the states, whether a license is or is not required is based on the appropriate regulatory body's opinion, since the PI statute is silent on whether it applies to Digital Examiners.
The exemptions typically included:
Persons under the regular employment of an employer where there is a bona fide employer-employee relationship;
An officer or employee of the United States, the state where the public employee is employed, or a political subdivision of the state;
The business of obtaining and furnishing information as to the financial standing, rating, and credit responsibility of persons or as to the personal habits and financial responsibility of applicants for insurance, indemnity bonds, or commercial credit;
A charitable philanthropic society or association;
An attorney admitted to practice in the state in performing his or her duties as an attorney at law;
A collection agency or finance company licensed to do business under the laws of this state or any employee of a collection agency or finance company while performing within the scope of their duties;
Claims adjusters of insurance companies;
A professional engineer acting within the scope of his or her licensed professional practice who does not perform investigative services;
A certified public accountant acting within the scope of his or her licensed professional practice who does not perform investigative services;
Bail agents.

The state of Virginia went further in 2011 by codifying the exemption language to be more explicit and certain. Prior statutory review reflected an exemption from the PI licensing requirement through interpretation of the then-existing exemption language, which stated that the provisions of the article did not apply to:

17. Any certified forensic scientist employed as an expert witness for the purpose of possibly testifying as an expert witness (emphasis added)

The code was amended retaining the above exemption but also adding:

29. Any individual engaged in (i) computer or digital forensic services as defined in § 9.1-138 or in the acquisition, review, or analysis of digital or computer-based information, in order to obtain or furnish information for evidentiary purposes or to provide expert testimony before a court, or (ii) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.

In a similar fashion to the requirements, the exemptions follow no particular pattern but do in some cases exclude practitioners either directly or indirectly. Moreover, we are seeing a new trend in what we have termed "limited exclusions."

2.4 Limited Exclusions

The cases we have identified as "Limited Exclusions" involve regulatory opinions that add some guidance but need further clarification. For example, New Hampshire has rendered an opinion that a license is not required "as long as it is strictly the examination of evidence." This opinion leaves the reader to wonder what exactly "examination of evidence" means in the context of a digital examiner's function. Would this include retrieving the information from the computer or storage device (i.e., external hard drive or thumb drive) in order to examine evidence? We are currently awaiting a response to this inquiry. Another example of a "limited exclusion" is seen in the 2009 board meeting minutes for the Nevada Private Investigators Licensing Board, which exempt licensing if the DE engages solely in "data retrieval." However, the question then becomes how this is reconciled with the language of the statute.
Would a DE be permitted to retrieve data but not secure it without running afoul of the statute, NRS 648.012 (4)?

…any person who for any consideration engages in business or accepts employment to furnish, or agrees to make or makes any investigation for the purpose of obtaining, information with reference to: Securing evidence to be used before any court, board, officer or investigating committee;

Finally, Maine has somewhat clouded the waters. Previously, Maine did not require licensing, but in 2011 it conflated the roles of Private Investigator and Digital Examiner with statute 8103(4)(A), which now requires PI licensing for any collected evidence, "including evidence derived through computer forensics" (emphasis added). However, Maine's statute does provide an exception in 8104(2)(L) for:

A person acting within the scope of the person's professional practice to analyze facts, evidence or other data for the purposes of supplying expert testimony in a legal proceeding; [2011, c. 366, §26 (NEW).] (emphasis added)

In other words, one needs to be licensed to collect evidence, but not to analyze and present it. This is a troubling distinction. For now, we are classifying this as "license required."

3. DISCUSSION OF FINDINGS

3.1 INITIAL REVIEW

As noted above, we began our review by re-examining the state statutes from the previous year. We list all the statutes in Table 1.

Table 1: State Statutes (State: Statute)

Alabama: No Requirement
Alaska: No Requirement
Arizona: Chap. 24 - 32 – 2401
Arkansas: 17-40
California: 7520 State Law
Colorado: 12-58.5-104
Connecticut: Chap. 534 Sec 29
Delaware: 24 – 1301
District of Columbia: Division VIII Title 47
Florida: Title 32 Chap. 493
Georgia: Title 43 - Chap. 38
Hawaii: HRS Chap. 463
Idaho: No Requirement
Illinois: 225 ILCS 447 Art 5-10.1.2
Indiana: IC 25-30
Iowa: IC Chap. 80A
Kansas: Chap. 75 - 7b
Kentucky: KRS 329A
Louisiana: LA RS:37 3500
Maine: 8103(4)(A), 8104(2)(L)
Maryland: Title 13-101
Massachusetts: Title XX 147 s22
Michigan: Chap. 338.822
Minnesota: 326.338
Mississippi: NA
Missouri: NA
Montana: 37-60-105
Nebraska: 72-3201
Nevada: 648.012
New Hampshire: 106-F
New Jersey: 45:19-9
New Mexico: 61 Article 27B
New York: Article 7 Sec 71
North Carolina: 74C-3(b)
North Dakota: 43-30
Ohio: 4749.01
Oklahoma: Title 59 - 42a-1750
Oregon: 703.401, 405, 407, 411
Pennsylvania: Unknown
Rhode Island: Chap. 5-5
South Carolina: Title 40 Chap. 18
South Dakota: No Requirement
Tennessee: Title 62 Chap. 26 223
Texas: 1702.104
Utah: 53-9-102
Vermont: Title 26 Chap. 59
Virginia: 9-1-138; 9-1-140
Washington: 18.165.10
West Virginia: 30-18
Wisconsin: 440.26
Wyoming: No Requirement

3.2 Summary of Responses

After we reviewed the statutes, we began a new round of inquiries to the states as per our methodology. The response categories were "No License Required," "License Required," "Under Review," "No Response," "No Opinion" and "License required with limiting circumstances." For example, the District of Columbia requires a physical presence in DC in order to require a license. However, if the computer or data is originally obtained in DC but the examination of the evidence is conducted in a state not requiring a license, a DC license is not required. In Nevada, the board opined that "The Board did not license data recovery, but what was done with that information would require an investigators license." This would then exclude imaging but would cover examination. Wisconsin and California have taken a similar position to Nevada. We expect states to make more distinctions such as these as they begin to understand the differences between PI and DE.
Colorado recently (July 2012) distinguished between "licensed private investigator" and "private investigator," with the former requiring a license. When we examined this distinction within the context of our paper, we determined that the only thing this does is allow the title of "Licensed Private Investigator" under a voluntary program with certain requirements and a $320 fee. It doesn't affect Digital Examiners/Computer Forensic professionals. However, this may be one step towards mandatory licensing in the future. The statute has a sunset clause and expires in 2016, so this is definitely one we must monitor, because it may lead to more confusion than clarity.

Voluntary license-title protection-penalty, 12-58.5-104.1(b):

"(b) Nothing in this article requires a private investigator engaging in private investigations in this state to obtain a license under this article, but a private investigator who is not so licensed shall not refer to himself or herself as a 'licensed private investigator'."

In South Carolina, a proposed statute change would have permitted a licensing exception for DEs and thereby added another state that recognized the necessary distinction between roles. However, on June 18, 2012, the governor vetoed the exception. South Carolina remains a state that requires the licensing of DEs.

Unfortunately, one major change between 2009 and this current study is reflected in the response rate. In 2009, we received "no response" from only three (3) states. This study, however, reflects six (6) states that failed to generate a follow-up response of some kind. Five (5) of the "no responses" were from states previously rendering an opinion of "No License Required," whereas one (1) has never responded to any survey requests.

Table 2 provides links to the state statutes, with the Title and Part of the statute that directly refers to this study.
Table 2: State Statutes and Links

State | Belief | Statute | Website
Alabama | No PI Licensing Requirement | |
Alaska | No PI Licensing Requirement | |
Arizona | Not specific but statements | Chap. 24 - 32 2401 | http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/32/02401.htm&Title=32&DocType=ARS
Arkansas | Not Specific but statements | 17-40 | http://www.arkleg.state.ar.us/bureau/Publications/Arkansas%20Code/Title%2017.pdf
California | Not Specific but statements | 7520 State Law | http://www.leginfo.ca.gov/cgibin/displaycode?section=bpc&group=0700108000&file=7520-7539
Colorado | Voluntary PI if use "licensed" in title | 12-58.5-104.1(b) | http://www.michie.com/colorado/lpext.dll/cocode/1/17f02/1ab8a/1d2ed/1ed47/1ed7a?f=templates&fn=documentframe.htm&q=private%20investigator&x=Advanced&2.0#LPHit1
Connecticut | Not Specific but statements | Chap. 534 Sec. 29 | http://www.cga.ct.gov/2005/pub/Chap534.htm#Sec29-153.htm
Delaware | PI but excludes CCE | 24 1301 | http://delcode.delaware.gov/title24/c013/index.shtml
District of Columbia | Seems to require but unknown | Division VIII Title 47 |
Florida | Not Specific but statements | Title 32 Chap. 493 | http://www.flsenate.gov/Statutes/index.cfm?App_mode=Display_Statute&URL=Ch0493/titl0493.htm
Georgia | Not Specific but statements | Title 43 – Chap. 38 | http://www.lexisnexis.com/hottopics/gacode/Default.asp
Hawaii | May imply as it states all investigation | HRS Chap. 463 | http://hawaii.gov/dcca/pvl/hrs/hrs_pvl_463.pdf/view
Idaho | No PI Licensing Requirement | |
Illinois | Includes "electronics" in the definition of investigation | 225 ILCS 447 Art 5-10.1.2 | http://ilga.gov/legislation/ilcs/ilcs5.asp?ActID=2474&ChapAct=225%A0ILCS%A0447%2F&ChapterID=24&ChapterName=PROFESSIONS+AND+OCCUPATIONS&ActName=Private+Detective%2C+Private+Alarm%2C+Private+Security%2C+and+Locksmith+Act+of+2004%2E
Indiana | Not Specific but statements | IC 25-30 | http://www.in.gov/legislative/ic/code/title25/ar30/ch1.html
Iowa | Not Specific but statements | IC Chap. 80A | http://www.dps.state.ia.us/asd/pi/pi80a03code.pdf
Kansas | Not Specific but statements | Chap. 75 - 7b | http://www.kslegislature.org/legsrvstatutes/index.do
Kentucky | Not Specific but statements | KRS 329A | http://www.lrc.state.ky.us/KRS/329A00/CHAPTER.HTM
Louisiana | Excludes technical experts | LA RS:37 3500 | http://www.lsbpie.com/pilaw_4_02.pdf
Maine | Not Specific but statements | 8103(4)(A), 8104(2)(L) | http://www.mainelegislature.org/legis/statutes/32/title32sec8103-A.html ; http://www.mainelegislature.org/legis/statutes/32/title32sec8104.html
Maryland | Not Specific but statements | Title 13-101 | http://michie.lexisnexis.com/maryland/lpext.dll/mdcode/1564/227a?fn=documentframe.htm&f=templates&2.0#
Massachusetts | Not Specific but statements | Title XX 147 s22 | http://www.mass.gov/legis/laws/mgl/gl-147toc.htm
Michigan | Not Specific but statements | Chap. 338.822 | http://www.legislature.mi.gov/(S(543gjn45g1xwihrunhpsds45))/mileg.aspx?page=getObject&objectName=mcl-Act-285-of-1965
Minnesota | Not Specific but statements | 326.338 | http://www.dps.state.mn.us/pdb/Resources/PDPA_Minnesota_Statutes.pdf
Mississippi | Not Specific but statements | |
Missouri | Not Specific but statements | XXII 324.1100 | http://www.moga.mo.gov/statutes/chapters/chap324.htm
Montana | Not Specific but statements | 37-60 | http://data.opi.state.mt.us/bills/mca_toc/37_60_1.htm
Nebraska | Should not apply unless you advertise as private detective | 72-3201 | http://www.sos.state.ne.us/rules-andregs/regsearch/Rules/Secretary_of_State/Title-435.pdf
Nevada | Not Specific but statements | 648.012 | http://www.leg.state.nv.us/NRS/NRS648.html#NRS648Sec006
New Hampshire | Not Specific but crime statement | 106-F | http://www.gencourt.state.nh.us/rsa/html/vii/106-f/106-f-mrg.htm
New Jersey | Not Specific but statements | 45:19-9 | http://www.state.nj.us/njsp/about/pdf/060106_amendedstat.pdf
New Mexico | Not Specific but statements | 61 Article 27B | http://www.conwaygreene.com/nmsu/lpext.dll/nmsa1978/9b0/1d78b/1ef8f/1f105?f=templates&fn=document-frame.htm&2.0
New York | Not Specific but statements | Article 7 Sec 71 | http://www.dos.state.ny.us/lcns/lawbooks/pibeawgpa.html
North Carolina | Excluded indirectly | 74C-3 | http://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByChapter/Chapter_74C.html
North Dakota | Excluded | 43-30 | http://www.legis.nd.gov/cencode/t43c30.pdf
Ohio | Not Specific but statements | 4749.01 | http://codes.ohio.gov/orc/4749
Oklahoma | Not Specific but statements | Title 59 42a1750 | http://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=96644
Oregon | Not Specific but statements | 703.4 | http://www.leg.state.or.us/ors/703.html
Pennsylvania | License is required in some counties | |
Rhode Island | Not Specific but statements | Chap. 5-5 | http://www.rilin.state.ri.us/Statutes/Title5/55/INDEX.HTM
South Carolina | Not Specific but statements | Title 40 Chap. 18 | http://www.scstatehouse.net/code/t40c018.htm
South Dakota | No PI Licensing Requirement | |
Tennessee | Not Specific but statements | Title 62 Chap. 26 223 | http://michie.lexisnexis.com/tennessee/lpext.dll/tncode/24296/24fbc/24fc3/25044?f=templates&fn=documentframe.htm&2.0#JD_62-26-223
Texas | Specifically includes CF | 1702.104 | http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.1702.htm
Utah | Not Specific but statements | 53-9-102 | http://le.utah.gov/UtahCode/getCodeSection?code=53-9-102
Vermont | Not Specific but statements | Title 26 Chap. 59 | http://www.leg.state.vt.us/statutes/fullchapter.cfm?Title=26&Chapter=059
Virginia | Specifically excludes forensics examiners | 9-1-138 | http://leg1.state.va.us/cgibin/legp504.exe?000+cod+9.1-138
Washington | Specifically excludes forensics examiners | 18.165.10 | http://apps.leg.wa.gov/RCW/default.aspx?cite=18.165.010
West Virginia | Not Specific but strong language | 30-18 | http://www.legis.state.wv.us/WVCODE/Code.cfm?chap=30&art=18
Wisconsin | No specific language at all but focused on advertising as private detective | 440.26 | http://www.legis.state.wi.us/statutes/Stat0440.pdf
Wyoming | No PI Licensing Requirement | |

3.3 Explanation of Data

During the time frame of July 2010 to June 2011, we solicited responses from the various states using our established methods. The data is presented in tables based upon several factors. In some cases, the state has a statute that either requires or does not require the license. In other cases, the opinion of the governing regulatory body was used, based on its response to our inquiry. In all cases, we have attempted to provide an informational resource for practitioners, but again must caution that both opinion and statute are dynamic and can change rapidly. Thus, as ever, the practitioner should use caution and contact a licensed attorney or the state licensing board before conducting forensics examinations in any given locale.
The data is presented as follows:

States that require a PI license and specifically address DEs by statute (Table 3)
States that require a PI license, but do not specifically address DEs; an opinion has been issued that includes DEs (Table 4)
States that require a PI license, but do not specifically include DEs; a present opinion has been issued that excludes DEs (Table 5)
States that require a PI license and specifically exclude DEs by statute (Table 6)
States that do not require a PI license by statute (Table 7)
States that require a PI license but have limited exclusions for DEs (Table 8)
States that did not respond to our inquiry (Table 9)
States that issued a response of no opinion (Table 10)

Table 3: States that require a PI license and specifically include DEs by statute

State | Requires PI for DE | Statute
ME | Yes | 8103(4)(A), 8104(2)(L)
MI | Yes | Chap. 338.822
OR | Yes | 703.401, 405, 407, 411
TX | Yes | TC 1702.104

Table 4: States that require a PI license, but do not specifically address DEs. An opinion has been issued that includes DEs.

State | Opinion
AR | License Required
AZ | License Required
CA | License Required *
DC | License Required *
GA | License Required
HI | License Required
IA | License Required
LA | License Required *
MD | License Required
MO | License Required
NM | License Required
NV | License Required *
NY | License Required
SC | License Required
WI | License Required
WV | License Required

* Indicates a state that indicated some limited exclusions (see Table 8).

Table 5: States that require a PI license, but do not specifically include DEs. A present opinion has been issued that excludes DEs.

State | Opinion
CO | 12-58.5-104 (Required if using the term "licensed")
CT | No License Required
KS | No License Required
UT | No License Required

Table 6: States that require a PI license and specifically exclude DEs by statute.

State | Statute
DE | DSC 24 – 1301
MT | 37-60-105
NC | 74C-3(b)
ND | NDSC 43-30
NE | Rev. Stat. 72-3201
RI | RSC Chap 5-5
VA | VSC 9-1-138; 9-1-140
WA | WSC 18.165.10

Table 7: States that do not require a PI license at all.

State | Requirement
AL | None
AK | None
ID | None
IL | None
MS | None
PA | May be required by county
SD | None
WY | None

Table 8: States indicating a limited exclusion but otherwise requiring a license

State | Exclusion
CA | Via phone interview: written or verbal inquiries would require a PI license, but working only on a computer would not (continued opinion).
DC | Work not being physically done in DC would not require a license.
LA | 37:3500.8(a)(iv) excludes technical experts.
NV | Licensing board minutes indicate retrieval is not licensed but analysis requires a license.

Unfortunately, in the latest round of queries six (6) states, up from three (3) the previous year, did not reply to email, mail, or telephone contact attempts. When applicable, we have noted each state's response from our 2009 survey; however, we have removed these states from the other tables as their exact status could not be determined. We will add additional inquiry opportunities for these states in the upcoming survey. The six (6) non-responding states and our opinion are listed below in Table 9.

Table 9: States with Unknown Status

State | Status | Our Opinion
FL | Previous Response | No License Requirement. Opinion excludes DEs.
MA | No Response | Hearsay indicates required.
NH | Previous Response | No License Requirement. Opinion includes DEs.
OH | Previous Response | No License Requirement. Opinion excludes DEs.
OK | Previous Response | No License Requirement. Opinion excludes DEs.
VT | Previous Response | No License Requirement. Opinion excludes DEs.

Of the states that did respond, five (5) declined to render an opinion on DE licensing requirements (Table 10):

Table 10: States that issued a response of No Opinion

State | Response | Our Opinion
IN | No Opinion | Only if you advertise as a PI
KY | No Opinion | Implies any sort of investigation requires a license
MN | No Opinion | May be required
NJ | Indicated it was under review | Waiting for review
TN | No Opinion | May be required

3.4 Initial Analysis

Our review of the 50 states and the District of Columbia indicates that four (4) states require DEs to have a license (Table 3). Sixteen (16) additional states have issued opinions that their statute would require a PI license to operate in that state (Table 4). Four (4) of those states indicated there were some limited exclusions to this opinion (Table 8). Four (4) states issued opinions that DEs are excluded (Table 5). Eight (8) states exclude DEs by statute (Table 6). Eight (8) states require no licensing of PIs or DEs (Table 7). The remaining states either did not respond to this year's survey (Table 9) or issued no opinion on the matter (Table 10), for a total of eleven (11) states.

4. RECOMMENDATIONS

We would argue that it is not in the best interests of Digital Examiners, nor is it in the best interest of citizens, that DEs be licensed as Private Investigators. This is not to say that states should not license Digital Examiners, but rather that they should separate the two specializations into their respective parts. Digital Examiners have a specific role in investigations that does not overlap with those duties normally performed by Private Investigators. Conversely, the implication that PIs are capable of conducting DE investigations because they are licensed is harmful to all concerned.
Upon review of the requirements in various states, it is often the case that PI licensing requires thousands of hours of apprenticeship as a PI or a law enforcement background. Neither of these skill sets necessarily intersects with that of a DE. This prevents Digital Examiners from doing their job and thus denies citizens and organizations access to these individuals in those states, or deprives those individuals of the right to work in those states. These two investigative specializations rarely, if ever, converge. Thus, we recommend that states approach their regulation, licensing, and enforcement of Digital Examiners and Private Investigators as follows:

1) Adopt a clear definition of Digital Examiners.
2) Adopt a clear definition of Private Investigators.
3) Review certifications and determine which certifications are recognized by that state for the role of DEs.
4) Create a license for DEs that is not governed by the PI board of the state. PI boards do not necessarily understand what is involved in DE practice. This board should be comprised of DE-certified citizens holding vendor-neutral certifications that include ethics policy and review, as well as regular recertification (e.g., Certified Computer Examiner type certifications [ISFCE, 2009]).
5) Barring the above, states should exclude DEs from the requirement of a PI license, much as they do forensic accountants, engineers, and others, as per Rhode Island, Delaware, and the other states listed in Table 6.

5. CONCLUSION

We strongly encourage state constituents and practitioners to initiate action with their legislatures to implement the five (5) steps outlined above, as well as to review professional recommendations such as ABA 301 (2009). Digital Examiners would, of course, be the best coalition to advocate for these changes.
However, we would advocate that a series of targeted educational materials first be made to inform DEs of their particular state's regulations and licensing, because only a small fraction know whether PI licenses are obtainable, desirable, or relevant to their profession (White & Micheletti, 2008). We also encourage Computer Forensic and other technology-related organizations to advocate for state regulatory and licensing changes. Ultimately, we would argue that it is best to exclude Digital Examiners from an established Private Investigator licensing requirement, and to rely on other professional certifications, such as the Certified Computer Examiner (ISFCE, 2012) or the GCFA (SANS, 2012). This ensures that citizens, state governments, and businesses have access to the most ethical and qualified individuals to conduct their forensics examinations and manage digital evidence.

6. REFERENCES

Addo Enterprises, Inc. (2009). PI State Licensing Requirements. Safety Basement. Retrieved from http://www.safetybasement.com/category_s/377.htm

American Bar Association (ABA). (2009). Section of Science and Technology Law, 301. Retrieved from http://www.abanet.org/leadership/2008/annual/recommendations/ThreeHundredOne.doc

International Society of Forensic Computer Examiners (ISFCE). (2012). Certified Computer Examiner. Retrieved from http://www.certified-computerexaminer.com/

Kramer, J. (2009). Texas Government-mandated Computer Repair License Does Not Compute. Institute for Justice. Retrieved from http://www.ij.org/index.php?option=com_content&task=view&id=2189&Itemid=129

Lonardo, T., White, D., & Rea, A. (2008). To License or Not to License: An Examination of State Statutes Regarding Private Investigators and Digital Examiners. The Journal of Digital Forensics, Security, and Law, 3(3).

Lonardo, T., White, D., & Rea, A. (2009). To License or Not to License Revisited: An Examination of State Statutes Regarding Private Investigators and Digital Examiners. The Journal of Digital Forensics, Security, and Law, 4(3).

Mesis, J. (2011). Private Investigator License Requirements by State. Private Investigator Magazine. Retrieved from http://www.pimagazine.com/links_Licensing.htm

Rife vs. Texas Private Security Board. (2007). Tex. Occ. Code § 1702.381.

SANS. (2012). GIAC Certified Forensics Analyst. Retrieved from http://www.giac.org/certifications/security/gcfa.php

White, D., Lonardo, T., & Rea, A. (2012). pilaws. http://twitter.com/pilaws

White, D., & Micheletti, C. (2008). Annual Survey of CCE Results. In Proceedings of the Decision Sciences Institute Conference. Baltimore, MD. November.

BOOK REVIEWS

Jigang Liu, Editor
Metropolitan State University
St. Paul, MN 55106
[email protected]

If you have any suggestions on books for review, or you would like to write a book review for us, or you have any comments and concerns on the book reviews published in this column, please feel free to send an email to Jigang Liu at [email protected].

BOOK REVIEW

Garrie, D.B., & Griver, Y.M., Eds. (2012). Dispute Resolution and e-Discovery. Thomson Reuters Westlaw, 570 pages, ISBN-13: 9780314604484, US$149.00.

Reviewed by Milton Luoma, JD ([email protected])

As is apparent from its title, this book tackles two very current and difficult legal issues: electronic discovery and dispute resolution. The authors tie the two legal concepts together in an effort to provide litigants and practitioners a less expensive and less time-consuming alternative than is typically the case with traditional litigation and court proceedings.
By including electronic discovery in the discussions, the authors recognize that electronic discovery is as important and significant in mediation and arbitration as it is in traditional litigation. The book consists of 11 chapters, each written by a different author who is an expert in the area of the particular chapter. In addition, there are 45 appendices that include all of the outside sources a professional would need, everything from arbitration protocols and sample court orders to the electronic rules for the London Court of International Arbitration. The book is easy to read and comprehend, but it is written for the professionals who work in the area of electronic discovery: attorneys, forensic experts, as well as mediators and arbitrators. The book begins with a discussion and definition of electronic discovery, followed by an explanation of the Federal Rules of Civil Procedure, and finally, dispute resolution options. The chapters give tips and suggestions for the professional throughout the book.

In civil litigation a party and his or her attorneys are required to come to meet-and-confer proceedings prepared and ready to provide and request electronically stored information (ESI). The reality of these meet-and-confer sessions is that attorneys are often confused or unprepared. As Craig Ball, an attorney and forensic consultant, has stated, meet-and-confer sessions involve "two lawyers who don't trust each other negotiating matters neither understands." This book tackles the most difficult issues that arise in electronic discovery, including the costs and burdens of e-discovery, keyword searches, and proportionality. The book then discusses the two most popular forms of dispute resolution, mediation and arbitration. The authors discuss the benefits and issues involved in both mediation and arbitration and compare the two.

The authors conclude that many e-discovery problems can be avoided through dispute resolution. With the complexity and costs associated with e-discovery, the alternatives of mediation or arbitration are much more appealing. In mediation, the goal of the mediator, or third-party neutral, is to resolve the case or issue on terms all parties can accept. The authors point out that to settle issues in e-discovery, the mediator must be able to address issues that are not directly related to the merits of the case. The author gives the example that in pursuing a claim in a lawsuit, the cost of pursuing the claim or the risk of losing at trial may play a part in the decisions of litigation. A party may decide to drop all or a portion of the case for reasons other than the merits of the case. Daniel Gelb, one of the authors of this book, wrote "… mediation is a productive means to determine whether e-discovery should function as a quantifiable in reaching settlement or whether it is collateral to the dispute and risks of being improperly leveraged to drive up costs." This chapter by Gelb has a list of 25 issues that can be addressed in mediation. They range from what experts should be retained to the method and type of electronically stored information to be provided. Gelb further points out that mediation demands creative use of technology to cut costs and time. Lack of understanding of the e-discovery process is one of the stumbling blocks to the process, and mediation can help that process. In addition, Gelb suggests tools to review in determining whether mediation would help litigants in the e-discovery area. This book has numerous tips for the practitioner, including suggestions for keyword searches and agreement in mediation.

The author tells the mediator and parties that once they have agreed upon the keywords to use, the parties should use sampling to see whether these keywords are adequate and do not produce too little or too much information before finalizing the agreement. Then, as another suggestion, the book explores the use of arbitration in e-discovery. In arbitration the parties choose a neutral fact finder. Unlike mediation, where the parties must come to an agreement, in arbitration the arbitrator listens to the testimony, evidence and arguments of the parties, reviews their arguments and information, and then makes the final decision. The parties can agree that the arbitration is either binding or nonbinding in nature. If the parties decide the arbitrator's decision is nonbinding, then they can bring motions to the court to reargue their e-discovery issues. The chapters on arbitration discuss strategies litigants can use in difficult areas in e-discovery, such as preservation, proportionality, cost allocation, search terms and privilege. One suggestion is that the parties can agree, or one party can convince the arbitrator, to limit certain areas of e-discovery. The book also discusses the use of a Special Master, the process of selecting Special Masters, and final reports. In the chapter concerning the use of the Special Master, the author discusses several case studies. One case study shows how the Special Master may be appointed to determine whether parties have complied with court orders to provide ESI. The book also discusses the potential minefields and dispute resolution strategies for the practitioner. They include forms of ESI production, keyword searches, scope and proportionality in e-discovery, and cost allocation. The author of this section, Maura Grossman, has given the reader some key take-away points to help in these difficult areas.

This book thoroughly covers all the relevant topics and choices in this area of e-discovery and alternate dispute resolution. Most of the major cases in this area are listed, mainly in the footnotes. The book also contains a glossary and index. The only criticism this reviewer has is that more case studies showing the success of the methodology in mediation and arbitration would help illustrate the authors' points. Further, it would be helpful if the authors had done a cost analysis comparing and contrasting the use of alternate dispute resolution in lieu of court litigation. However, throughout the book the authors give tips to the professional, make key points and give helpful suggestions while providing alternate actions for litigants. Electronic discovery is an area in which litigants can be sanctioned for providing too much information, too little information, or information in the wrong format. This book is a helpful resource to guide the professional to methods that may save time, money, and stress.

Subscription Information

The Journal of Digital Forensics, Security and Law (JDFSL) is a publication of the Association of Digital Forensics, Security and Law (ADFSL). The Journal is published on a non-profit basis. In the spirit of the JDFSL mission, individual subscriptions are discounted. However, we do encourage you to recommend the journal to your library for wider dissemination.

The journal is published in both print and electronic form under the following ISSNs:
ISSN: 1558-7215 (print)
ISSN: 1558-7223 (online)

Subscription rates for the journal are as follows:
Institutional - Print & Online: $395 (4 issues)
Institutional - Online only: $295 (4 issues)
Individual - Print & Online: $80 (4 issues)
Individual - Online only: $25 (4 issues)

Subscription requests may be made to the ADFSL.
The offices of the Association of Digital Forensics, Security and Law (ADFSL) are at the following address:

Association of Digital Forensics, Security and Law
1642 Horsepen Hills Road
Maidens, Virginia 23102
Tel: 804-402-9239
Fax: 804-680-3038
E-mail: [email protected]
Website: http://www.adfsl.org

Announcements and Upcoming Events

The ADFSL 2013 Conference on Digital Forensics, Security and Law
Richmond, Virginia USA
June 10-12, 2013
http://www.digitalforensics-conference.org

============================================================

The ADFSL 2013 Conference on Digital Forensics, Security and Law will be hosted by Longwood University and held at the Wyndham Crossings Hotel in Richmond, Virginia on 10-12 June 2013. The ADFSL Conference on Digital Forensics, Security and Law is a unique and innovative event. It is managed by the Association of Digital Forensics, Security and Law (ADFSL). The conference focuses on the current and expanding role of digital forensics within investigations and the courts as well as its important role within cyber security, both national and corporate. Topics not only include technology and evidence, but are also very much focused on how to prepare students for careers in digital forensics. Curriculum is a very important topic, and the new DoD initiative on certification and Centers of Academic Excellence will be very important areas of discourse. Conference submissions are double-blind refereed and provide a forum for high quality research, communication and debate on the subject of digital forensics and directly related fields.

AA# 53-2-114 & 53-2-115
Two Professors in Digital Forensics. Full time tenure track at Assistant or Associate level beginning Fall 2012.
The Department of Mathematics, Computer Science and Statistics at Bloomsburg University of Pennsylvania seeks two individuals to work in its Digital Forensics major. Since its beginning, the Digital Forensics program at Bloomsburg has continually grown in the number of courses offered, the number of students enrolled and the accomplishments of its faculty. The Department seeks faculty who can help this program to continue to advance. Applicants with a background in any computing field will be considered. Applicants with a forensics, security or networks background are most appropriate. An earned Ph.D. or doctorate from an accredited institution by August 24, 2013 is required, however ABD may be considered with a one year contingency contract. A demonstrated ability to work with diverse populations is preferred. Successful candidates will be expected to teach existing courses in the digital forensics major and to develop new courses in digital forensics. The normal teaching load is four courses per semester. They will also advise digital forensics majors. Professional growth through scholarly activities along with departmental and university service are required. Prior to a final offer of employment, the selected candidate will be required to submit to a background check including, but not limited to, employment verification, educational and other credential verification, and criminal background check. Finalists for this position must communicate well and successfully complete an interview process and teaching demonstration, as judged by the department faculty. Recommendation by the majority of the regular, full-time departmental faculty is necessary for appointment. A complete application consists of a cover letter, résumé, unofficial graduate transcripts, a statement of teaching experience and philosophy, a statement of research interests and plans for scholarly growth, and three letters of recommendation. Application materials may be submitted via email. 
References for finalists will be telephoned. Review of complete applications will be ongoing. Those received by 4:30 PM, EST, January 4, 2013 will be assured consideration; however, the positions will remain open until filled. Bloomsburg University encourages applications from historically under-represented individuals, women, veterans and persons with disabilities and is an AA/EEO employer. Completing this search is contingent upon available funding.

Send application materials to
Digital Forensics Search Committee
Department of Mathematics, Computer Science and Statistics
Bloomsburg University of Pennsylvania
400 East Second Street
Bloomsburg, PA 17815

Email applications should be sent to [email protected] with the subject line Digital Forensics Position. Bloomsburg University of Pennsylvania encourages applications from historically underrepresented individuals, women, veterans, and persons with disabilities and is an AA/EEO Employer.

Champlain College
Dean, Division of Information Technology and Sciences

Champlain College, a private, independent, entrepreneurial, teaching institution that is considered a national leader in educating today's students to become skilled practitioners, effective professionals and global citizens, seeks an innovative and accomplished academic leader to become its next dean of the Division of Information Technology and Sciences (ITS). Founded in 1878, Champlain offers professionally focused master's, bachelor's and associate's degree programs and professional certificates on campus, online and abroad. The college enrolls over 2,100 undergraduate and 440 graduate students in a diverse array of leading edge programs. Champlain's reputation for a transformative educational experience earned it a coveted spot in The Princeton Review's "The Best 376 Colleges: 2012 Edition." Annually, editors at U.S.
News and World Report rank it in the top tier of Regional Colleges in the North and named it a “Top Up-and-Coming School” in 2010. In the 2013 edition of U.S. News’ “America’s Best Colleges”, the college ranked in the top 15 Regional Colleges in the North. This past year, Champlain experienced an increase of 70 percent in the number of applicants to the college resulting in an incoming Class of 2016 that numbered more than 600. The average SAT combined score of enrolled freshmen was 32 points higher than in 2011. Located in idyllic Burlington, Vermont, perennially ranked as one of America’s most exciting small cities, the campus enjoys views of New York’s Adirondack Mountains from its picturesque setting overlooking Lake Champlain. Champlain’s campus is beautiful, well-maintained and engineered for sustainability. Its new student welcome and admissions center is one of three buildings in Vermont to achieve LEED Platinum Certification, the highest green certification obtainable. In April, The Princeton Review recognized Champlain College as one of 322 Green Colleges for its commitment to sustainability throughout campus. Champlain is accredited by the New England Association of Schools and Colleges. The college seeks a dean for its Division of Information Technology and Sciences (ITS), an accomplished, energetic and engaging academic leader, committed to innovative curriculum and student success, with the ability to inspire and motivate faculty. Qualified candidates will possess a doctorate or an equivalent terminal degree in a relevant discipline, an outstanding portfolio of teaching, research or practice, and service that will warrant appointment to the rank of full professor. This is an exceptional opportunity for individuals with the drive, skill and administrative expertise to bring creative leadership to the organization and to play a meaningful role in shaping its future. 
Reporting to the provost, the dean will serve as the chief academic and administrative leader of the ITS division, working in close collaboration with the provost, senior administrators and other deans to pursue common interests in support of the college's overall institutional priorities. The dean will be responsible for articulating a clear vision and developing a strategy, through engaged dialogue with the faculty within the division, to identify priorities and appropriate directions for future growth, innovation and change. The new dean will focus on enhancing the overall excellence of the division, including ensuring the continued academic success of students and placing a high priority on the recruitment and retention of a distinguished faculty at all levels, promoting excellence as well as diversity in all its programs. The ITS division comprises 18 full-time faculty and enrolls 387 students, 112 of whom are entering freshmen in 2012.

Additional information about the Division of Information Technology and Sciences can be found at: http://www.champlain.edu/undergraduate-studies/majors-and-programs/academic-divisions/division-ofinformation-technology-and-sciences-x14423.html

Nominations, expressions of interest and applications are invited. Review of candidates will begin immediately and will continue until the position is filled, with the goal that the new dean will take office in July 2013. To apply, please submit via email a letter of interest, a current curriculum vitae and the names of five references (who will not be contacted without permission) to: [email protected]. Word or PDF documents are preferred. All correspondence will be treated as confidential. Inquiries by phone about the search for the Dean of Information Technology and Sciences should be directed to Champlain's Witt/Kieffer consultants, Jane Courson at (508) 257-0109 or Mary Elizabeth Taylor at (212) 686-2676.
Champlain College is an affirmative action/equal opportunity employer, and it seeks candidates who are committed to the highest standards of scholarship and professional activities and to the development of a campus climate that supports equality and diversity.

Journal of Digital Forensics, Security and Law, Volume 7, Number 3 (2012)

Contents

Call for Papers .......... 2
Guide for Submission of Manuscripts .......... 2
From the Editor-in-Chief .......... 4
The Science of Digital Forensics: Analysis of Digital Traces .......... 5
    Fred Cohen
On the Development of a Digital Forensics Curriculum .......... 13
    Manghui Tu, Dianxiang Xu, Samsuddin Wira, Cristian Balan, & Kyle Cronin
Automatic Crash Recovery: Internet Explorer's Black Box .......... 33
    John Moran & Douglas Orr
Extraction of Electronic Evidence From VoIP: Identification & Analysis of Digital Speech .......... 55
    David Irwin, Arek Dadej, & Jill Slay
To License or Not to License Updated: An Examination of State Statutes Regarding Private Investigators and Digital Examiners .......... 83
    Thomas Lonardo, Doug White, & Alan Rea
Book Review: Dispute Resolution and e-Discovery (Garrie & Griver) .......... 111
    Milton Luoma
Subscription Information .......... 115
Announcements and Upcoming Events .......... 117