Automated or Manual Examination?

Transcription

Proceedings of the
Conference on
Digital Forensics,
Security, and Law
2012
Richmond, Virginia
May 30-31
Richmond, Virginia
May 30-31, 2012
Conference Chair
Glenn S. Dardick
Longwood University
Virginia, USA
Association of Digital Forensics, Security and Law
Copyright © 2012 ADFSL, the Association of Digital Forensics, Security and Law. Permission to make digital or printed
copies of all or any part of this journal is granted without fee for personal or classroom use only and provided that such
copies are not made or distributed for profit or commercial use. All copies must be accompanied by this copyright notice
and a full citation. Permission from the ADFSL is required to make digital or printed copies of all or any part of this journal
for-profit or commercial use. Permission requests should be sent to Dr. Glenn S. Dardick, Association of Digital Forensics,
Security and Law, 1642 Horsepen Hills Road, Maidens, Virginia 23102 or emailed to [email protected].
ISSN 1931-7379
ADFSL Conference on Digital Forensics, Security and Law, 2012
Sponsors
2
Contents
Committee ................................................................................................................................................ 4
Schedule ................................................................................................................................................... 5
Update on the State of the Science of Digital Evidence Examination ................................................. 7
Fred Cohen*
A Proposal for Incorporating Programming Blunder as Important Evidence in
Abstraction-Filtration-Comparison Test ............................................................................................ 19
P. Vinod Bhattathiripad*
The Xbox 360 and Steganography: How Criminals and Terrorists could be “Going Dark” ......... 33
Ashley Podhradsky*, Rob D’Ovidio and Cindy Casey
Double-Compressed JPEG Detection in a Steganalysis System ........................................................ 53
Jennifer L. Davidson* and Pooja Parajape
Toward Alignment between Communities of Practice and Knowledge-Based Decision
Support ................................................................................................................................................... 79
Jason Nichols*, David Biros* and Mark Weiser
A Fuzzy Hashing Approach Based on Random Sequences and Hamming Distance ...................... 89
Frank Breitinger* and Harald Baier
Cloud Forensics Investigation: Tracing Infringing Sharing of Copyrighted Content in Cloud .. 101
Yi-Jun He, Echo P. Zhang*, Lucas C.K. Hui, Siu Ming Yiu* and K.P. Chow
iPad2 Logical Acquisition: Automated or Manual Examination? .................................................. 113
Somaya Ali*, Sumaya AlHosani*, Farah AlZarooni and Ibrahim Baggili
Multi-Parameter Sensitivity Analysis of a Bayesian Network from a Digital Forensic
Investigation......................................................................................................................................... 129
Richard E. Overill, Echo P. Zhang* and Kam-Pui Chow
Facilitating Forensics in the Mobile Millennium Through Proactive Enterprise Security .......... 141
Andrew R. Scholnick*
A Case Study of the Challenges of Cyber Forensics Analysis of Digital Evidence in a
Child Pornography Trial .................................................................................................................... 155
Richard Boddington*
After Five Years of E-Discovery Missteps: Sanctions or Safe Harbor? ......................................... 173
Milton Luoma* and Vicki Luoma*
Digital Evidence Education in Schools of Law ................................................................................. 183
Aaron Alva* and Barbara Endicott-Popovsky
Pathway into a Security Professional: A new Cyber Security and Forensic Computing
Curriculum .......................................................................................................................................... 193
Elena Sitnikova* and Jill Slay
* Author Presenting and/or Attending
3
Conference Committee
The 2012 ADFSL Conference on Digital Forensics, Security and Law is pleased to have the following
members of the conference committee.
Glenn Dardick
[email protected]
General chair
Longwood University
Virginia
USA
John Bagby
[email protected]
The Pennsylvania State
University
Pennsylvania
USA
Nick Vincent Flor
[email protected]
University of New Mexico
New Mexico
USA
Jigang Liu
[email protected]
Metropolitan State University
Minnesota
USA
Diane Barrett
[email protected]
University of Advanced
Technology, Arizona
USA
Felix Freiling
[email protected]
University of Erlangen
Nürnberg
Germany
John Riley
[email protected]
Bloomsburg University
Pennsylvania
USA
David Biros
[email protected]
Oklahoma State University
Oklahoma
USA
Simson Garfinkel
[email protected]
Naval Postgraduate School
Monterey, CA
USA
Pedro Luis Prospero Sanchez
[email protected]
University of Sao Paulo
Sao Paulo
Brazil
Mohamed Chawki
[email protected]
University of Aix-Marseille III
France
Andy Jones
[email protected]
Khalifa University
UAE
Jill Slay
[email protected]
Polytechnic of Namibia
Windhoek
Namibia
Fred Cohen
[email protected]
California Sciences Institute
Livermore, CA
USA
Gregg Gunsch
[email protected]
Defiance College
Ohio
USA
Eli Weintraub
[email protected]
Afeka Tel Aviv Academic College
of Engineering
Israel
David Dampier
[email protected]
Mississippi State University
Mississippi
USA
Gary Kessler
[email protected]
Gary Kessler Associates
Vermont
USA
Craig Valli
[email protected]
Edith Cowan University
Western Australia
Australia
Denis Edgar-Nevill
denis.edgar-nevill@
canterbury.ac.uk
Canterbury Christ Church
University
UK
Ki Jung Lee
[email protected]
Drexel University
Pennsylvania
USA
4
Schedule
Wednesday, May 30
 07:30 AM CONTINENTAL BREAKFAST
 07:30 AM On-site Registration
 08:30 AM Introductions
 Glenn S. Dardick, Conference Chair and Director of the ADFSL
 08:40 AM Welcome
 Paul Barrett, Dean of the College of Business and Economics at
Longwood University
 08:50 AM Papers/Presentation Session I
 Fred Cohen, USA: Update on the State of the Science of Digital
Evidence Examination
 P. Vinod Bhattathiripad, India: A Proposal for Incorporating
Programming Blunder as Important Evidence in AbstractionFiltration-Comparison Test
 10:10 AM BREAK
 10:30 AM Papers/Presentation Session II
 Ashley L. Podhradsky, USA: The Xbox 360 and Steganography: How
Criminals and Terrorists Could Be “Going Dark”
 Jennifer Davidson, USA: Double-Compressed JPEG Detection in a
Steganalysis System
 Jason Nichols and David Biros, USA: Toward Alignment Between
Communities of Proactive and Knowledge-Based Decision Support
 12:30 PM LUNCH (provided)
 01:15 PM Keynote
 Mohamed Chawki, Senior Judge at the Council of State, Egypt and
Founder-Chairman of the International Association of Cybercrime
Prevention (AILCC) in Paris - "IT and Regime Change"
 01:45 PM Papers/Presentation Session III
 Frank Breitinger, Germany: A Fuzzy Hashing Approach based on
Random Sequences and Hamming Distance
 03:00 PM BREAK
 03:20 PM Papers/Presentation Session IV
 Echo P. Zhang and Siu Ming Yiu, China: Cloud Forensics Investigation:
Tracing Infringing Sharing of Copyrighted Content in the Cloud
 Somaya Ali AlWejdani and Sumaya AbdulAziz AlHosani, UAE iPad2
logical acquisition: Automated or Manual Examination?
 04:40 PM Conference Close for Day
5
Schedule
Thursday, May 31
 07:30 AM CONTINENTAL BREAKFAST
 07:30 AM On-site Registration
 08:30 AM Papers/Presentation Session I
 Paul Poroshin, US Branch Vice-President, Group-IB, Russia: The
Analysis of the 2011 Russian Cybercrime Scene
 Gareth Davies, UK: NAND Memory Technology Forensics
 10:15 AM BREAK
 10:30 AM Papers/Presentation Session II
 Ping Zhang, China: Multi-Parameter Sensitivity Analysis of a Bayesian
Network From a Digital Forensic Investigation
 Andrew Scholnick, USA: Facilitating Forensics in the Mobile
Millennium Through Proactive Enterprise Security
 12:30 PM LUNCH (provided)
 01:15 PM Keynote Speech
 Nigel Wilson, Senior Lecturer at the University of Adelaide Law School
in Australia - "Digital Experts – Why is Effective Communication So
Important to Both the Admissibility and Persuasiveness of Expert
Opinion?"
 01:45 PM Papers/Presentation Session III
 Richard Boddington, Australia: A Case Study of the Challenges of
Cyber Forensics Analysis of Digital Evidence in a Child Pornography
Trial
 Milton Luoma and Vicki Luoma, USA: After Five Years of E-Discovery
Missteps: Sanctions or Safe Harbor?
 03:00 PM BREAK
 03:20 PM Papers/Presentation Session IV
 Aaron Alva, USA: Digital Evidence Education in Schools of Law
 Elena Sitnikova, Australia: Pathway into a Security Professional: A
New Cyber Security and Forensic Computing Curriculum
 04:40 PM Conference Close
6
UPDATE ON THE STATE OF THE SCIENCE OF DIGITAL
EVIDENCE EXAMINATION
Fred Cohen
CEO, Fred Cohen & Associates
President, California Sciences Institute
ABSTRACT
This paper updates previous work on the level of consensus in foundational elements of digital
evidence examination. Significant consensus is found present only after definitions are made explicit,
suggesting that, while there is a scientific agreement around some of the basic notions identified, the
use of a common language is lacking.
Keywords:
Digital forensics examination, terminology, scientific methodology, testability,
validation, classification, scientific consensus
1. INTRODUCTION AND BACKGROUND
There have been increasing calls for scientific approaches and formal methods, (e.g.,
[1][2][3][4][5][6]), and at least one study has shown that, in the relatively mature area of evidence
collection, there is a lack of agreement among and between the technical and legal community about
what constitutes proper process. [7] The National Institute of Standards and Technology has
performed testing on limited sorts of tools used in digital forensics, including substantial efforts
related to evidence collection technologies, and it has found that the tools have substantial limitations
about which the user and examiner must be aware if reliable tool usage and results are to be assured.
[8]
In an earlier paper seeking to understanding the state of the science in digital evidence examination
(i.e., analysis, interpretation, attribution, reconstruction, and aspects of presentation),[26] results
suggested a lack of consensus and a lack of common language usage. A major question remained as to
whether the lack of consensus stemmed from the language differences or the lack of a common body
of agreed-upon knowledge. This paper updates the results from that previous work by using a survey
to try to differentiate between these two possibilities. In the context of the legal mandates of the US
Federal Rules of Evidence [9] and relevant case law, this helps to clarify the extent to which expert
testimony may be relied upon.
1.1 The rules and rulings of the courts
The US Federal Rules of Evidence (FRE) [9], rulings in the Daubert case[10], and in the Frye case
[11], express the most commonly applied standards with respect to issues of expert witnesses (FRE
Rules 701-706). Digital forensic evidence is normally introduced by expert witnesses except in cases
where non-experts can bring clarity to non-scientific issues by stating what they observed or did.
According to the FRE [9], only expert witnesses can address issues based on scientific, technical, or
other specialized knowledge. A witness qualified as an expert by knowledge, skill, experience,
training, or education, may testify in the form of an opinion or otherwise, if (1) the testimony is based
on sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3)
the witness has applied the principles and methods reliably to the facts of the case. If facts are
reasonably relied upon by experts in forming opinions or inferences, the facts need not be admissible
for the opinion or inference to be admitted; however, the expert may in any event be required to
disclose the underlying facts or data on cross-examination.
The Daubert standard [10] essentially allows the use of accepted methods of analysis that reliably and
accurately reflect the data they rely on. The Frye standard [11] is basically: (1) whether or not the
7
findings presented are generally accepted within the relevant field; and (2) whether they are beyond
the general knowledge of the jurors. In both cases, there is a fundamental reliance on scientific
methodology properly applied.
The requirements for the use of scientific evidence through expert opinion in the United States and
throughout the world are based on principles and specific rulings that dictate, in essence, that the
evidence be (1) beyond the normal knowledge of non-experts, (2) based on a scientific methodology
that is testable, (3) characterized in specific terms with regard to reliability and rates of error, (4) that
the tools used be properly tested and calibrated, and (5) that the scientific methodology is properly
applied by the expert as demonstrated by the information provided by the expert.[9][10][11][12]
Failures to meet these requirements are, in some cases, spectacular. For example, in the Madrid
bombing case, where the US FBI declared that a fingerprint from the scene demonstrated the presence
of an Oregon attorney. However, that attorney, after having been arrested, was clearly demonstrated to
have been on the other side of the world at the time in question. [13] The side effect is that fingerprints
are now challenged as scientific evidence around the World. [24]
1.2 The foundations of science
Science is based on the notion of testability. In particular, and without limit, a scientific theory must be
testable in the sense that an independent individual who is reasonably skilled in the relevant arts
should be able to test the theory by performing experiments that, if they produced certain outcomes,
would refute the theory. Once refuted, such a theory is no longer considered a valid scientific theory,
and must be abandoned, hopefully in favor of a different theory that meets the evidence, at least in
circumstances where the refutation applies. A statement about a universal principle can be disproven
by a single refutation, but any number of confirmations can not prove it to be universally true. [14]
In order to make scientific statements regarding digital evidence, there are some deeper issues that
may have to be addressed. In particular, there has to be some underlying common language that allows
the scientists to communicate both the theories and experiments, a defined and agreed upon set of
methods for carrying out experiments and interpreting their outcomes (i.e., a methodology), and a
predefined set of outcomes with a standard way of interpreting them (i.e., a system of measurement)
against which to measure tests. These ultimately have to come to be accepted in the scientific
community as a consensus.
One way to test for science is to examine peer reviewed literature to determine if these things are
present. This was undertaken in a 2011 study [26] which suggested a lack of common language and a
subsequent proposal to move toward a common language based on archival science.[27] One way to
test for consensus is to poll individuals actively participating in a field (e.g., those who testify as
expert witnesses and authors publishing in relevant peer reviewed publications) regarding their
understandings to see whether and to what extent there is a consensus in that community. This method
is used across fields [15][16][17], with >86% agreement and <5% disagreement for climatologist
consensus regarding the question “Do you think human activity is a significant contributing factor in
changing mean global temperatures?” in one survey. [18]
1.3 The previous study being updated
In the previous study of consensus in digital forensics evidence examination, which we quote liberally
from with permission in this section,[25] results suggested a lack of consensus surrounding a series of
basic statements:
1
Digital Evidence consists only of sequences of bits.
2
The physics of digital information is different from that of the physical world.
3
Digital evidence is finite in granularity in both space and time.
4
It is possible to observe digital information without altering it.
8
5
It is possible to duplicate digital information without removing it.
6
Digital evidence is trace evidence.
7
Digital evidence is not transfer evidence.
8
Digital evidence is latent in nature.
9
Computational complexity limits digital forensic analysis.
10 Theories of digital forensic evidence form a physics.
11 The fundamental theorem of digital forensics is "What is inconsistent is not true".
These statements were evaluated by survey participants against a scale of “I disagree.”, “I don't
know.”, and “I agree.”, and participants were solicited from the members of the Digital Forensics
Certification Board (DFCB), individuals who have authored or co-authored a paper or attended the
International Federation of Information Processing (IFIP) working group 11.9 (digital forensics)
conference over the last three years in Kyoto, Orlando, and Hong Kong, members of a Bay Area
chapter of the High Tech Crime Investigators Association (HTCIA), and a group of largely university
researchers at an NSF-sponsored event. Control questions were used to control for random guessing
and consensus around other areas of science and untrue statements of fact.
Analysis was undertaken to identify responses exceeding 86% consensus (i.e., that for global climate
change among climatologists), not exceeding 5% non-consensus for refutation, and failing to refute
the null hypothesis. Consensus margin of error calculations were done per the t-test by computing the
margin of error for 86% and 5% consensus based on the number of respondents and size of the
population with a Web-based calculator.[22] Similar calculations were done using the confidence
interval for one proportion and sample size for one proportion, and they produced similar results.[23]
It was identified that the scale applied (3-valued instead of a Likert scale) leads to an inability to
validate the statistical characteristics using common methods.
No agreement reached 86% confidence levels or were within the margin of error (.77), and only a
control question, #4 (∑a/N=.68), #5 (∑a/N=.75), and #9 (∑a/N=.64) (N=54) exceeded random
levels of agreement. For disagreement, (N=28) only the same and one other control question, #5
(∑d/N=.14), and #9 (∑d/N=.10) were within the margin of error of not refuting consensus by
disagreement (.05+.09=.14) levels. Only #1 (∑d/N=.53) and #11 (∑d/N=.50) were within random
levels of refutation of consensus from disagreements. In summary, only #5 and #9 are viable
candidates for overall community consensus of any sort, and those at levels of only 75% and 64%
consensus respectively.[25]
The previous effort also involved a literature survey. 125 reviews of 95 unique published articles (31%
redundant reviews) were undertaken. Of these, 34% are conference papers, 25% journal articles, 18%
workshop papers, 8% book chapters, and 10% others. Publications surveyed included, without limit,
IFIP (4), IEEE (16), ACM (6), HTCIA (3), Digital Investigation (30), doctoral dissertations (2), books,
and other similar sources. A reasonable estimate is that there were less than 500 peer reviewed papers
at that time that speak directly to the issues at hand. Results from examining 95 of those papers, which
represent 19% of the total corpus, produces a 95% confidence level with a 9% margin of error. Of
these reviews, 88% have no identified common language defined, 82% have no identified scientific
concepts or basis identified, 76% have no identified testability criteria or testing identified, 75% have
no identified validation identified, while 59% identify a methodology.
Internal consistency of these results was checked by testing redundant reviews to determine how often
reviewers disagreed as to the “none” designation. Out of 20 redundant reviews (40 reviews, 2 each of
20 papers), inconsistencies were found for Science (3/20 = 15%), Physics (0/20 = 0%), Testability
(4/20 = 20%), Validation (1/20 = 5%), and Language (1/20 = 5%). This indicates an aggregate error
9
rate of 9/100 = 9% of entries in which reviewers disagreed about the absence of these indicators of
scientific basis.
2. THE PRESENT STUDY
In order to differentiate between the problems associated with a lack of common terminology,
language use, and methodological issues in the field, a short study was undertaken to try to
differentiate actual consensus from linguistic issues. To do this, we created a survey that defines each
term and measures agreement with the definition, and then tells the participant to assume the definition
and evaluate the statement.
2.1 The survey methodology
As in the previous study, surveys were performed using the “SurveyMonkey” Web site. No identityrelated data was collected or retained, although the survey mechanism prevents individuals from
taking the survey from the same computer more than once unless they act to circumvent the
mechanism. No accounting was taken to try to identify individuals who may have taken the survey as
members of more than one group because the group overlap is relatively small. The new survey was
introduced as follows:
“This is a survey designed to identify, to a first approximation, whether or not there is
a consensus in the scientific community with regard to some of the basic principles of
the examination of digital forensic evidence.
This survey is NOT about the physical realization of that evidence and NOT about the
media in which it is stored, processed, or transported. It is ONLY about the bits.
Please read carefully before answering.
For each numbered definition, review the definition and example(s) and indicate
the extent to which you agree or disagree with the definition. For each follow-up,
assume that the definition above it is correct, and respond to the statement in
light of that definition, indicating the extent to which you agree or disagree with
it.
Following the instructions, the questions are provided in a format approximately as in Figure 1:
Strongly
disagree
Disagree
Don't agree
or disagree
Agree
Strongly
Agree
1: Definition: ...
ʘ
ʘ
ʘ
ʘ
ʘ
Assuming the definition as the basis for your answer ...
ʘ
ʘ
ʘ
ʘ
ʘ
2: Definition: ...
ʘ
ʘ
ʘ
ʘ
ʘ
Figure 1 – The survey appearance
The set of questions and statements in the survey were as follows:
1: Definition: Digital forensics (as opposed to computer forensics) deals with sequences of bits
and their use in legal actions (as opposed to attack detection or other similar areas). Example:
A law suit or criminal charges with digital evidence will normally involve digital forensics. Do
you agree with this definition?
Assuming this definition as the basis for your answer, respond to the following statement:
Digital evidence is only sequences of bits.
10
2: Definition: Finite granularity means that, at the end of the day, you can only get so small,
and no smaller. Finite granularity in space means that there is a minimum size (i.e., the bit)
and finite granularity in time means that there is a minimum time unit (i.e., the number of bits
that represent a time unit, or alternatively, the maximum clock speed of the mechanisms
generating the bits). Example: At the level of digital evidence, as described earlier, no matter
how much of it you have, there is no unit of that evidence smaller than a bit, and no matter has
much precision measurements are made by, the times associated with those bits cannot be
infinitesimally small. Do you agree with this definition?
3: Definition: Observation of digital information means to be able to determine what binary
value each bit of the information has, while alteration is the changing of a bit value to the other
bit value (digital information by definition only has two different values for bits). Example: At
the level of digital evidence, when reading bits from a disk, the bits on the disk are observed
by the mechanisms of the disk drive. When writing to a disk, some of the bits on the disk may
be altered. Do you agree with this definition?
Assuming this definition as the basis for your answer, respond to the following statement: It is
normally possible to observe digital information without altering it.
4: Definition: Duplication of digital information means to make an exact copy of the bit
sequences comprising the digital information. Removal of digital information means to make
alterations so that the original information (i.e., bit sequence) is no longer present where it
originally was present before. Example: A duplicate of the bit sequence 1 0 1 will also be the
bit sequence 1 0 1. The removal of the bit sequence 1 0 1 from a location would mean that the
bit sequence at that location was no longer 1 0 1. Do you agree with this definition?
Assuming this definition as the basis for your answer, respond to the following statement: It is
normally possible to duplicate digital information without removing it.
5: Definition: Trace evidence is evidence that is produced as the result of a process, so that
the presence of the evidence is consistent with the execution of the process. Example: When
a pen writes on paper, the indentations in the paper resulting from the writing are traces of the
process of writing. Similarly, when a computer program produces bit sequences that are
stored on a disk, the bit sequences are traces of the execution of the computer program that
produced them. Do you agree with this definition?
Digital evidence is normally trace evidence.
6: Definition: Transfer is a concept in which two objects coming into contact with each other
each leaves something of itself with the other. Example: When a shirt rubs up against a sharp
object, some shards from the object may get transfered to the shirt while some fibers from the
shirt may get transferred to the sharp object. Do you agree with this definition?
Digital evidence is normally not transfer evidence.
7: Definition: Latent evidence is evidence that cannot be directly observed by human senses.
Example: DNA evidence is normally latent evidence in that the DNA has to be processed by a
mechanism to produce a result that can be examined by human senses. Do you agree with
this definition?
11
Digital evidence is normally latent in nature.
8: Definition: Computational complexity is the number of low-level computing operations
required in order to perform an algorithm which processes information. Example: It takes more
computer time to determine the best possible route from house to house throughout a city that
to find any route that passes by all of those same houses. Do you agree with this definition?
9: Definition: A physics is a set of mathematical equations or other rules in context for
describing and predicting behaviors of a system. Example: In the physical world, is is thought
to be impossible to observe anything without altering it, because the act of observation alters
the thing observed, and the physical world has no limits to granularity of space or time, so that
no matter how small something is, there is always something smaller. Similarly, the physics of
digital information, if you agree to statements above to that effect, is such that it is possible to
observe bits without altering them, make an exact duplicate without altering the original, and
so forth. Do you agree with this definition?
Assuming this definition as the basis for your answer, respond to the following statement: The
physics of digital information is different than that of the physical world.
10: Definition: Consistency between two or more things means that each is the way you would
expect it to be if the other ones are the way you observe them to be. Example: If you see a
black box and someone else viewing the same object under the same conditions states that it
is a white sphere, your observation is inconsistent with their statement. Similarly, if a sworn
statement states that a particular file was created at 10AM on a particular day in a particular
place, and the metadata for the file indicates that the same file was created at a different time
on a different day, the sworn statement is inconsistent with the metadata. Do you agree with
this definition?
Assuming this definition as the basis for your answer, respond to the following statement: As a
fundamental of digital forensics, what is inconsistent is not true. (or in other words, the
inconsistent things cannot all be true)
These correspond to questions 1, 3-11 of the previous survey, question 2 being removed because of the
confusion surrounding it in discussions following the previous survey.
2.2 The raw data
The raw data from the survey is shown in Figure 2. Numbered (gray) columns correspond to
definitions with the level of agreement to statements in the unnumbered (white) columns to their right.
Rows represent responses, with responses 22-24 from the DFCB group and 1-21 from the IFIP group.
At the bottom of the table there are two rows with responses from 2 other groups (Ignore 1 and Ignore
2), one response per group. The data from these groups was not included in the analysis because we
could not adequately characterize these groups in terms of size or expertise, could not assure that they
were independent of the DFCB and IFIP groups, and the number of samples is so small that no
independent meaningful statistics can reasonably be gleaned. We will comment on their potential
impact later.
In this table, 2 is “strongly disagree”, -1 is “disagree”, 0 is “don't agree or disagree”, 1 is “agree”, and
2 is “strongly agree”. In this table, a non-answer is treated as a “0”. At the end of the table (black
background) are rows with calculations across columns (within responses or pairs of responses). LD is
the level of disagreement between a definition and the relevant statement. That is, the number of
12
instances where respondents agree (disagree) with the definition and disagree (agree) with the related
statement (i.e., -1 or -2 for the definition and 1 or 2 for the statement or vice versa). A lower level of
disagreement indicates a stronger correlation between the view of the definition and the view of the
corresponding statement. “Agree” and “Disagree” are rows representing the number of responses
agreeing (>0) and disagreeing (<0) respectively. Columns D, A, and DD represent the number of
disagreements, agreements, and definition disagreements, respectively, for each respondent.
1
1
-1
2
3
2
3
0
-1
-1
-1
-1
1
-1
-1
-1
-2
0
0
-1
1
1
1
-2
-1
1
1
4
-1
-1
0
-1
-1
1
2
2
-2
5
1
2
2
2
2
1
2
1
6
0
-2
0
1
1
-1
-2
-2
2
-1
7
1
-1
0
1
1
-1
-1
0
1
8
-2
-2
0
0
1
1
1
9
0
-1
-1
-1
2
2
-1
1
2
10
1
-1
1
1
1
1
1
11
2
2
2
2
2
12
1
0
1
1
-1
2
-1
13
2
2
2
2
2
2
14
2
-1
2
2
15
1
1
1
1
2
1
16
2
2
2
2
17
0
0
18
-1
1
1
2
19
-2
-2
20
21
-2
1
22
23
Disagree
-1
1
1
-1
-2
-2
6
-1
Agree
-1
5
1
24
-1
4
-1
7
8
-1
-1
-2
1
1
1
-1
-2
0
2
-2
2
0
2
2
-2
2
2
1
1
1
1
2
1
1
2
2
2
2
2
-2
1
1
2
2
2
1
0
0
1
1
0
1
2
2
1
1
-2
0
1
1
2
1
-2
-2
9
-2
2
1
1
1
-1
0
-2
-2
-2
2
1
-2
2
2
2
2
2
-2
2
0
0
1
1
2
1
1
1
1
2
1
2
1
-1
-1
1
2
2
2
0
-1
1
2
2
1
2
2
2
-1
2
0
1
0
0
1
-1
2
2
2
2
1
2
1
1
2
2
2
2
-1
1
1
1
1
1
0
1
1
1
0
2
1
1
1
1
1
1
1
0
0
2
2
2
2
2
10
D
-2
-1
1
1
1
-1
-2
-2
-2
-2
2
2
2
1
-2
1
1
1
1
2
2
1
1
1
2
2
2
-1
1
1
2
2
-1
2
0
0
1
0
2
-1
1
1
-2
1
1
1
1
2
2
15
4
8
-1
7
13
4
-2
14
2
7
-2
11
8
3
0
0
0
17
0
1
-1
9
8
2
-1
1
-1
5
12
1
1
1
1
1
2
16
1
1
1
2
1
4
15
2
1
1
1
1
3
17
1
2
2
2
2
2
0
20
0
1
-1
1
1
0
6
11
5
1
2
1
2
2
2
0
20
0
2
1
-1
-1
1
1
1
5
15
1
0
0
0
1
1
1
1
0
10
0
2
2
2
2
2
2
2
1
1
19
0
1
1
0
0
0
1
0
1
0
0
11
0
-1
2
1
2
2
0
2
1
2
3
16
1
1
1
1
1
0
1
1
1
1
3
16
1
1
1
1
1
1
0
1
0
1
0
3
12
1
1
-1
1
1
1
2
1
2
1
1
1
19
0
1
1
0
0
1
0
1
1
-1
1
-1
2
13
0
2
2
2
2
2
2
2
2
2
2
2
2
18
1
0
20
0
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
1
12
11
12
16
20
16
15
17
22
14
18
14
19
18
19
16
19
16
20
14
9
11
2
4
4
6
7
4
2
7
4
7
2
3
2
3
4
6
3
6
LD
8
2
2
5
A DD
5
4
3
3
6
328
96
5
Ignore 1
-1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
19
1
Ignore 2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
0
-1
1
1
1
1
1
19
0
Figure 2 - Data collected from the combined surveys
2.3 Analysis of survey results
This analysis covers the collection undertaken from the IFIP (N=21) and DFCB (N=3) groups, for a
total population of 24 respondents. As depicted above, -2 is “strongly disagree”, -1 is “disagree”, 0 is
“don't agree or disagree”, 1 is “agree”, and 2 is “strongly agree”. N is the number of respondents
expressing an opinion (either agree or disagree), μ is the mean, and σ the standard deviation. Treating
negative answers (-1, -2) as rejections of the asserted definition or statement (D=disagree), and
positive answers (1 and 2) as affirmations of the asserted definition or statement (A=agree), we present
13
the ratio of agreement (A/N) and disagreement (D/N) out of all respondents indicating a preference.
The margin of error for 95% confidence for the identified sample sizes (from 17 to 24 out of a total
estimated population of 250) is indicated under the column labeled M.[22] The C column indicates
consensus above the margin of error for agreements (A) or disagreement (D) and is contains a “-”
when no such consensus levels were found.
#
1
2
3
4
5
6
7
8
9
10
1
2
N
μ
σ
-2
-1
0
M
C
4
5
3
6
6
21 .21
1.44
9
12 .43
.57
.21
-
Definition
6
5
2
6
5
22 -.04
1.51
11 11 .50
.50
.20
-
Only sequences of bits.
0
2
7
7
8
17 .88
.97
2
15 .12
.88
.23
A Definition
0
4
4
7
9
20 .88
1.09
4
16 .20
.80
.22
A Finite granularity space and time.
0
4
0
12
8
24 1.0
1
4
20 .17
.83
.20
A Definition
2
4
2
8
8
22 .66
1.31
6
16 .27
.73
.20
A Can observe bits w/out alteration.
3
4
2
9
6
22 .46
1.35
7
15 .32
.68
.20
-
1
3
3
8
9
21 .88
1.17
4
17 .19
.81
.21
A Can duplicate without removal.
0
2
0
11
11 24 1.29
.84
2
22 .08
.92
.20
A Definition
3
4
3
8
6
1.35
7
14 .33
.67
.21
-
0
4
2
8
10 22 1
1.08
4
18 .18
.82
.20
A Definition
2
5
3
8
6
1.29
7
14 .33
.67
.21
-
0
2
3
8
11 21 1.17
.94
2
19 .10
.90
.21
A Definition
3
0
3
11
7
1.22
3
18 .14
.86
.21
A Digital evidence latent.
2
0
3
9
10 21 1.04
1.14
2
19 .10
.90
.21
A Definition
1
2
5
6
10 19 .92
1.15
3
16 .16
.84
.22
A Computational complexity limits.
2
2
1
14
5
23 .75
1.13
4
19 .17
.83
.20
A Definition
4
2
2
8
8
22 .58
1.44
6
16 .27
.73
.20
A Digital != real world physics.
1
2
1
14
7
24 .96
1.02
3
21 .14
.86
.20
A Definition
2
4
5
9
4
19 .38
1.18
6
13 .32
.68
.22
-
21 .42
21 .46
21 .79
D
A
D/N
A/N
Issue
Definition
Digital evidence trace evidence.
Digital evidence not transfer.
What is inconsistent is not true.
Figure 3 – Analysis of Consensus
Consensus above the margin of error from random is present for agreement with statements #2 (.80),
#3 (.73), #4 (.81), #7 (.86), #8 (.84) and #9 (.73). This may be reasonably interpreted as indicating that
for the full sample of the two organizations combined, there is a 95% chance that agreement would be
above the margin of error from random for these 6 statements. In addition, agreement to #7 and #8 are
within the margin of error of the 86% level of consensus seen among climatologists for global climate
change.[18] That is, consensus was shown for:
It is normally possible to observe digital information without altering it.
14
It is normally possible to duplicate digital information without removing it.
Digital evidence is normally latent in nature.
The physics of digital information is different than that of the physical world.
And consensus was NOT shown for:
Digital evidence is only sequences of bits.
Digital evidence is normally trace evidence.
Digital evidence is normally not transfer evidence.
As a fundamental of digital forensics, what is inconsistent is not true. (or in other words, the
inconsistent things cannot all be true)
A more important point is that consensus above the margin of error is present for 6 statements in the
present study, whereas without the use of definitions in the survey, only two (corresponding to items
#4 and #8 in this survey) were above consensus.[25] In addition, consensus levels are higher (#4 went
from .74 to .81 and #8 went from .64 to .84) when definitions were included.
It appears that a significant source of lack of consensus in the previous study was related to the lack of
common language and agreed upon terminology in the field also identified in that study.[25]
Definitional disagreements are also worthy of commentary. While a few respondents (i.e., #1, #3, and
#12) indicated disagreement or strong disagreement to at least half (5/10) of the definitions, only the
definitions of what constitutes digital evidence (#1) and what constitutes duplication (#4) fail to reach
consensus above random levels (8/10 definitions are at consensus levels above random). Definitions
#2(.88), #5(.92), #7(.90), #8(.90) and #10(.86) (5/10) meet or exceed the 86% level of agreement for
global climate change. There appears to be substantial disagreement regarding what constitutes digital
evidence, and this is reflected in much of the methodological literature in the field. The lack of
consensus levels for the definition of duplication is less clear based on the literature.
Analysis shows that of the 96 total disagreements, 49 of them (51%) stem from 4 respondents (#1, #3,
#4, and #6). Without these respondents, consensus levels would be far higher. In addition, the two
samples not included add only 2 disagreements, one of which is the definitional disagreement over
what constitutes digital evidence, and the other a disagreement to statement 8. Adding these results in
would drive consensus higher for all but statement 8 (which would go from 84% to 81%). None of
these changes would result in moving non-consensus statements outside of the margin of error for
randomness.
The internal level of disagreement (LD) between agreement on definitions and related statements is
also of interest. Despite the lack of consensus around Definition #1, 8/24 respondents indicated
different agreement to the definition than the statement. This suggests that respondents were able, as a
group, to overcome differences in views on definitions to express views on statements in the context
of the definitions provided. Among the 4 respondents constituting 51% of the disagreements, 2 of the
4 gave different answers to the statement than to the definition, again suggesting their ability to
differentiate between their disagreement with the definitions and their agreement/disagreement with
the statements. Looking at this more closely, only respondents #3, #8, and #23 always disagreed with
statements when disagreeing with definitions. The skew of results toward “Agree” largely invalidates
such an analysis regarding agreements, where 6 respondents agreed to all of the statements and
definitions. Only respondent #11 had all identical answers. (strongly agree), indicating that
respondents, as a whole, considered to some level their responses to each question.
3. COMMENTS FROM REVIEWERS
The review process yielded the following residual comments/questions which I address here.
15
Reviewers seemed to comment on two basic issues; what the paper was about, and statistical issues.
The reviewers seemed to think that the paper was about the use of language and not a consensus
around science. Comments included:
“the research sought people's opinions on generally accepted terminology in the field
of digital forensics.”, “the [authors] claim that use of terminology is somehow a
measure of science.”, “I think it is a bridge too far to suggest that there is no science
(testability) without common terminology used by those in the discipline. ...”, “I think
fundamentally that this paper has examined legal terminology, not underpinning
science ...”
This represents a misunderstanding of the purpose of the research and paper. Quoting from the
abstract: “This paper updates previous work on the level of consensus in foundational elements of
digital evidence examination. Significant consensus is found present only after definitions are made
explicit, suggesting that, while there is a scientific agreement around some of the basic notions
identified, the use of a common language is lacking.” The purpose was to mitigate the differences in
use of language which were suspected as a partial cause of the lack of consensus identified in the
previous paper. The question being addressed was whether the lack of identified consensus in prior
research was due to an actual lack of agreement on the content or on differences in use of the
language. This paper suggests that there is a lack of common definition that must be compensated for
in order to measure consensus in this field, and that there is more consensus than previously thought.
The statistical question identifies correctly that 24 respondents is a seemingly small sample size. This
is addressed by computing the margin of error for that sample size out of the total population, in this
case estimated at 250. As such, this sample represents almost 10% of the total population and is
proportionally a very large sample size compared to most statistical studies. Full details are provided
so the reader can do further analysis and evaluate the actual responses using any desired method. The
larger statistical problem is that the respondents are self-selected from the larger population, all of
whom were notified of the study. We know of no way to compensate for this limitation through
analysis and have no means to force compliance or expectation of gaining adequate samples from
random polling.
4. SUMMARY, CONCLUSIONS, AND FURTHER WORK
It appears that this study confirms the hypothesis that the lack of consensus suggested in the previous
study was due, at least in part, to a lack of common definitions and language in the digital forensics
community. This study suggests that consensus is substantially present in many of the fundamental
areas that are foundational to the acceptance of such evidence in legal proceedings. Clarity around
definitions appears to be necessary for the field of digital forensics to reach levels of consensus present
in other areas of science.
5. REFERENCES
[1] R. Leigland and A. Krings, "A Formalization of Digital Forensics", International Journal of Digital
Evidence, Fall 2004, Volume 3, Issue 2.
[2] Ryan Hankins, T Uehara, and J Liu, "A Comparative Study of Forensic Science and Computer
Forensics", 2009 Third IEEE International Conference on Secure Software Integration and Reliability
Improvement.
[3] Committee on Identifying the Needs of the Forensic Sciences Community, "Strengthening
Forensic Science in the United States: A Path Forward", ISBN: 978-0-309-13130-8, 254 pages,
(2009).; Committee on Applied and Theoretical Statistics, National Research Council.
[4] Scientific Working Group on Digital Evidence (SWGDE) Position on the National Research
Council Report to Congress - Strengthening Forensic Science in the United States: A Path Forward
16
[5] S Garfinkel, P. Farrella, V Roussev, G Dinolt, "Bringing science to digital forensics with
standardized forensic corpora", Digital Investigation 6 (2009) S2-S11
[6] M. Pollitt, "Applying Traditional Forensic Taxonomy to Digital Forensics", Advances in Digital
Forensics IV, IFIP TC11.9 Conference Proceedings, 2009.
[7] G. Carlton and R. Worthley, "An evaluation of agreement and conflict among computer forensics
experts", Proceedings of the 42nd Hawaii International Conference on System Sciences, 2009
[8] NIST, "Computer Forensics Tool Testing (CFTT) Project", http://www.cftt.nist.gov/
[9] The Federal Rules of Evidence, Section 702.
[10] Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579, 125 L. Ed. 2d 469, 113 S. Ct. 2786
(1993).
[11] Frye v. United States, 293 F 1013 D.C. Cir, 1923
[12] Reference Manual on Scientific Evidence - Second Edition - Federal Judicial Center, available at
http://air.fjc.gov/public/fjcweb.nsf/pages/16
[13] U.S. Department of Justice, “A Review of the FBI’s Handling of the Brandon Mayfield Case”,
unclassified executive summary, January 2006. (http://www.justice.gov/oig/special/s0601/exec.pdf)
[14] K. Popper, The Logic of Scientific Discovery (1959), Hutchins and Company, London. ISBN10:
0415278449.
[15] J. Jones and D. Hunter, “Qualitative Research: Consensus methods for medical and health
services research”, Volume 311, Number 7001, BMJ 1995; 311 : 376 (5 August 1995).
[16] Karin D. Knorr, “The Nature of Scientific Consensus and the Case of the Social Sciences”, in
Karin D. Knorr, Karin Knorr-Cetina, Hermann Strässer, Hans-Georg Zilian, “Determinants and
controls of scientific development”, Institut für Höhere Studien und Wissenschaftliche Forschung
(Vienna, Austria), pp 227-256, 1975.
[17] A. Fink, J. Kosecoff, M. Chassin, and R. Brook, “Consensus Methods: Characteristics and
Guidelines for Use”, AJPH September 1984, Vol. 74, No. 9.
[18] Margaret R. K. Zimmerman, “The Consensus on the Consensus: An Opinion Survey of Earth
Scientists on Global Climate Change”, Dissertation, 2008.
[19] North Eastern Forensics Exchange, Georgetown University, 8/13 – 8/14, 2010.
[20] Forensics Data Base is available at http://calsci.org/ under the “FDB” menu selection.
[21] Edmond Locard and D. J. Larson, “The Analysis of Dust Traces” (in 3 parts), The American
Journal of Police Science, V1 #4, 1930.
[22] A calculator from http://www.raosoft.com/samplesize.html was used to perform this calculation,
based on the Z value method, which is imprecise at sample sizes under 30, but close enough for the
purposes applied.
[23] Lenth, R. V. (2006-9). Java Applets for Power and Sample Size [Computer software]. Retrieved
2010-09-27 from http://www.stat.uiowa.edu/~rlenth/Power.
[24] Cole, Simon A. “Out of the Daubert Fire and Into the Frying Pan? Self-validation, meta-expertise,
and the admissibility of Latent Print Evidence in Frye Jurisdictions”, Minn. Journal of Law, Science,
and Technology, V9#2, pp 453-541, 2008.
[25] Bar-Anan, Yoav; Wilson, Timothy D.; Hassin, Ran R., “Inaccurate self-knowledge formation as a
result of automatic behavior.”, J. of Experimental Social Psychology, V46, #6, pp 884-895, 2010
17
[26] F. Cohen, J. Lowrie, and C. Preston, “The State of the Science of Digital Evidence Examination”,
IFIP TC11, Jan 2011.
[27] F. Cohen, “Putting the Science in Digital Forensics“, Journal of Digital Forensics, Security and
Law, Vol. 6(1) 7 Column 1, July, 2011.
18
A PROPOSAL FOR INCORPORATING PROGRAMMING
BLUNDER AS IMPORTANT EVIDENCE IN ABSTRACTIONFILTRATION-COMPARISON TEST1
P. Vinod Bhattathiripad
Cyber Forensic Consultant
Polpaya Mana, Thiruthiyad
Calicut-673004
Kerala, India
Telephone: +91-495-2720522, +91-94470-60066 (m)
E-mail: [email protected]; [email protected]
ABSTRACT
This paper investigates an unexplored concept in Cyber Forensics, namely, a Programming Blunder.
Programming Blunder is identified as a variable or a code segment or a field in a database table, which
is hardly used or executed in the context of the application or the user’s functionality. Blunder genes
can be found in many parts of any program. It is the contention of this paper that this phenomenon of
blunders needs to be studied systematically from its very genetic origins to their surface realizations in
contrast to bugs and flaws, especially in view of their importance in software copyright infringement
forensics. Some suggestions as to their applicability and functional importance for cyber forensics are
also given including the vital need and a way to incorporate programming blunders into AbstractionFiltration-Comparison test, the official software copyright infringement investigation procedure of US
judiciary
Keywords: Bug, error, blunder, genes, software piracy, software copyright, software copyright
infringement, software piracy forensics, AFC, idea-expression dichotomy
1. INTRODUCTION
A programming flaw occasionally survives in well tested and implemented software. It can surface in
the form of a variable or a code segment or a field in a database table, which is hardly used or
executed in the context of the application or the user’s functionality. Such a flaw in design can be
called a Programming Blunder2 (Bhattathiripad and Baboo, 2009, 2011). The term programming
blunder has already been casually used (in many publications, for instance, in (McConnell, S., 1996))
to denote bad practices in programming.
The phenomenon of blunder needs to be specifically contrasted with a programming error, as unlike an
error, the blunder is most unlikely to cause problems during the execution. Ideally, all blunders (like
all errors) in software should be and are routinely removed at the various quality control stages of the
software development. Even if it (unfortunately) makes through all quality control stages, there is
again a slim chance for it be detected and removed at the implementation stage. Even so, occasionally,
a few programming blunders may survive all these stages of software development and may finally
appear unattended (or unnoticed) in the implemented software. Despite their apparent status as
1
This paper is an enhanced form of the paper “Software Piracy Forensics: Programming Blunder as an important
evidence” that was accepted as a short paper (but not presented) in the Third ICST International Conference on Digital
Forensics and Cyber Crime, Dublin, Ireland, 26 - 28 October, 2011. Also, this paper contains points extracted from the
author’s Ph D thesis “Judiciary-friendly software piracy forensics with POSAR”.
2
This type of programming flaw has been christened as “Programming Blunder” because the very existence of it (in a welltested and implemented program) is a mark of blunder-like weaknesses of the respective programmer / quality engineer. The
naming is done from the forensic perspective of such programming flaws.
19
harmless vestiges of inattentive vetting, these blunders do provide an important service to the cyber
forensic expert. They can form an important basis for providing evidence in case of an allegation and
ensuing investigation of copyright infringement of such software. It is this increased cyber forensic
importance (despite their being less important in areas such as software engineering and software
testing) that underscore the need to specifically understand and study them, not just in the cyber
forensic perspective but right from their definitional aspects.
2. OBJECTIVES OF THIS PAPER
Spafford and Weeber (1992) have already anticipated the importance of (blunder-like) execution paths
as cyber forensic evidence in “providing clues to the author (of the suspect / alleged program)” and
this anticipation is the point of departure for of this study. The emergent concept of programming
blunders (in this paper) is a natural outcome of a specific study of all such execution paths in the
3
context of software piracy . The objectives of this paper can be set thus: (1) to thoroughly investigate
the phenomenon of blunders in detail and by doing so attempt to denotationally concretize and define
the term “programming blunder”; (2) to discretely identify the study of programming blunders as
different from other software bugs and (3) to discuss the cyber forensic importance of programming
blunders in the investigation of an allegedly pirated (copyright infringed) software.
3. DEFINING THE TERM PROGRAMMING BLUNDER
The term programming blunder has already been introduced and identified (but not properly defined)
in some previous publications (Bhattathiripad and Baboo, 2009; 2011). Additionally, without using the
term “Programming Blunder”, Spafford and Weeber (1992) have already mentioned certain execution
paths (as said above) of a code that “cannot be executed”.
A common factor found when analyzing student programs and also when
analyzing some malicious code is the presence of code that cannot be executed.
The code is present either as a feature that was never fully enabled, or is
present as code that was present for debugging and not removed. This is
different from code that is present but not executed because of an error in a
logic condition—it is code that is fully functional, but never referenced by any
execution path. The manner in which it is elided leaves the code intact, and
may provide some clue to the manner in which the program was developed.
(Spafford and Weeber, 1992)
By taking a cue from Spafford and Weeber, can one define programming blunder as “any execution
path in the program that need not and so will not be executed during the lifetime of the program on
any execution platform”? Possibly not, because, such a definition has an inherent limitation in that it
considers only inoperative statements (non-executed path) in the program. It overlooks and excludes
those operative statements (executed paths) which are very much still present there but are not
necessary for the successful functioning of the program. That means, it excludes those statements
which may have been executed at some stage of the program but are not necessary for producing the
final result. In other words, it does not consider those operative statements which are incoherently,
redundantly and/or dysfunctionally appearing in the text of the program and/or which may have been
executed at some stage but are hardly used in the user’s functionality (or to arrive at the final results).
So, programming blunders turn out to be a lot more than what Spafford and Weeber had suggested.
Like Spafford and Weeber (1992), several other researchers also have already mentioned
programming flaws of this genre (without using the term programming blunder) and studied their
importance in software testing, author identification and other software forensic areas. For instance,
3
In this article, the term ‘piracy’ refers to the piracy of a copyrighted software.
20
through a recent comprehensive paper4 (Hayes and Offutt, 2010), Jane Huffman Hayes and Jeff Offutt
examine (among other things) whether lint5 (a static analyzer that detects poor programming practices
such as variables that are defined but not used) for a program can be used to identify the author or a
small set of potential authors of the program. So, the notion of a programming blunder may not
entirely be new. Nevertheless, none of the previous publications (where the concept of programming
blunder was used in the research related to software testing, author identification and other software
forensic areas) have tried to seriously explore the concept in some detail in an effort to denotationally
concretize / crystallize the term programming blunder, and so differentiate it from other programming
bugs and finally, study its forensic importance. This is the reason for setting the primary objective of
this paper, viz. to thoroughly investigate the phenomenon of blunders in detail and by doing so attempt
to concretize and define the term “programming blunder”.
Even though the existing definitions of “programming blunders” subsume execution paths of a code
that “cannot be executed” (Spafford and Weeber, 1992) and variables that are defined but not used
(Hayes and Offutt, 2010), a more cautious definition employed in this study is:
A programming blunder found (in well tested, implemented and allegedly
pirated software) can be defined as a variable in a program or a program code
segment or a field in a database table which is hardly executed in the context of
the application and/or is unnecessary for the user’s functionality
(Bhattathiripad and Baboo, 2009).
This definition subsumes not only the execution paths of a code that “cannot be executed” and
variables that are defined but not used but also unnecessary non-execution paths (like comment lines
and blocked execution paths).
A blunder in a program gains significance during the piracy forensics (or copyright infringement
forensics) of the program (see below).
4. GENETIC ORIGIN OF PROGRAMMING BLUNDERS
A proper investigation of blunder, like that of any organism, should ideally start with a look into its
genetic origin. Blunder genes6 (or genes of programming blunders) are those elements in the program
that can often form the basis for (the existence or surfacing of) a programming blunder. Blunder genes
can be traceable to many parts of the program like a variable, class, object, procedure, function, or
field (in a database table structure). A blunder gene is developmentally (and perhaps philologically)
different from a blunder just as an embryo can be from the baby. While every blunder gene has
significance in software engineering research, a blunder has additional forensic significance. What the
programmer leaves in the program is a blunder gene and this blunder gene can develop into and
surface as a blunder during the piracy forensic analysis (or copyright infringement forensic analysis).
What elements in the program can then form the genetic basis of a blunder? The simple answer is that
any item in (or a segment of) a program which is unnecessary or redundant to customer requirements
can form the genetic basis for a programming blunder. Such items can, however, surface in a program
in three different ways. In other words, programming blunders can be categorized in three ways
according to their genetic differences.
1. Any defined but-unused item (or a code segment) in a program.
4
A note of gratitude to the reviewers of the Third ICST International Conference on Digital Forensics and Cyber Crime, for
drawing my attention to this paper.
5
The UNIX utility lint that is commonly used to bring out flaws like programming blunders as compiler warnings.
6
My sincere gratitude to Dr. P. B. Nayar, Lincoln University, UK, for his valuable suggestions
21
2. Any defined item (in the program) which is further used for data-entry and calculation
but never used for the user’s functionality of a program.
3. Any blocked operative statement in a program.
Primarily, any defined but unused variable, class, object, procedure, function, or field (in a database
table structure) can appear as a programming blunder. Hence, any such defined, concrete, tangible
item (or a blunder gene) in the body of a program (or an external routine or data base as part of the
software) which was subsequently found unnecessary or irrelevant for the operation of the program /
software can evolve or materialize as a programming blunder during a forensic analysis of the
program. Thus, a programming blunder may be an item (or a segment of a program) that is well
defined at the beginning of an execution path in a program but is not part of the remaining stages of
the execution path (example: Processing stages, Reporting stages etc.) in the program. For instance,
the integer variable ‘a’ in the C-program given in Table-1 is a programming blunder as this variable
has not been used anywhere else in the program. This variable has no relevance in the operation (for
producing the intended output) of the program.
#include <stdio.h>
#include <conio.h>
main()
{
int a=0, b=2, c=0;
C=b*b;
printf(“The result is %d”, c);
getch()
}
Table 1. A defined but unused variable ‘a’ in a C-program
Secondly, any defined item (or the blunder gene) at the beginning of an execution path in a program)
which is further used for data-entry but never used in the remaining stages of the execution path in the
program, can also appear as a programming blunder during a forensic analysis of the program. Thus,
the integer variable ‘a’ in the C-program given in table 2 surfaces as a programming blunder as this
variable has been well defined and used for data entry but not used anywhere else in the program.
#include <stdio.h>
#include <conio.h>
main()
{
int a=0;
scanf("%d", &a); /* reading the value of a*/
printf("Hello, World");
getch();
}
Table 2. Unnecessary declaration and input statements in a C-program
Thirdly, a blocked operative statement (or a remarked operative programming statement), which is
practically an inoperative element of the program, can appear as a programming blunder. Thus, the
remark statement (or the blunder gene) /* int a; */ in the C-program given in table 3 can turn out to be
a programming blunder during a forensic analysis of the program as this statement need not be there in
the first place and does not justify its being there at all for long, unattended (unlike the other
programming remark /* This program prints Hello, World */ which has a purpose in the program).
22
#include <stdio.h>
#include <conio.h>
main()
{
/* This program prints “Hello, World” */
/*int a=0;*/
printf("Hello, World");
getch();
}
Table 3. A program in C-language
All the above suggest that, any defined variable, class, object, procedure, function, or field (in a
database table structure) in a program which has no relevance in the final output (user’s functionality)
of the (well-tested and implemented) program can manifest itself as a blunder during the copyright
infringement forensic analysis of the program.
5. COMMONALITIES AND SIMILARITIES AMONG PROGRAMMING BLUNDERS
Irrespective of their genetic origin, all programming blunders do share some features, properties,
attributes and characteristics. A programming blunder
1) is a concrete, tangible item in (or segment of) a program and not a process.
2) can be an execution path which got past the quality control stage, undetected.
3) does not affect the syntax or sometimes even the semantics of a program which makes
it hard to detect.
4) is not necessary to execute the program.
5) is not necessary for user’s functionality.
6) does not justify its being there at all.
7) is a matter related to the design pattern and programming pattern of the software.
6. ETIOLOGY OF PROGRAMMING BLUNDERS
The etiology of programming blunders can be discussed along three different weaknesses of the
programmer / quality engineer. Firstly, his/her inability to completely remove from the program those
elements that do not help meet customer requirements can be a cause for a blunder. Secondly, his/her
inattention to completely remove those statements that have been abandoned as a result of the
programmer’s afterthought can also be a cause for a blunder. Thirdly, his/her inattention to identify
and remove items that do not contribute to either strong coupling between modules or strong cohesion
within any module of the program can also be a cause for a blunder. These three different weaknesses
of the programmer / quality engineer can thus be reasons for programming blunders.
7. PROGRAMMING BLUNDERS JUXTAPOSED WITH SOFTWARE BUGS
The next objective of this paper is to identify the study of programming blunders as different and
discrete from that of other software bugs. Quite naturally, even experts in the software engineering
might need some convincing as to why programming blunders need or demand a distinct status as
against software bugs. There definitely does exist a need to be convincing because, the above
mentioned genetic origins, manifestations, features, properties, attributes, characteristics and etiology
of blunders may prima facie be identified with those of software bugs as well. Therefore, what makes
a programming blunder deserve a special consideration different from other software bugs?
A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a
23
computer program or system that produces an incorrect or unexpected result, or causes it to behave in
unintended ways (IEEE610.12-1990, 1990). An error is “the difference between a computed,
observed, or measured value or condition and the true, specified, or theoretically correct value or
condition” (IEEE610.12-1990, 1990, p31). Other related terms in the computer science context are
fault, failure and mistake. A fault is “an incorrect step, process, or data definition in a computer
program” (IEEE610.12-1990, 1990, p31). A failure is “the [incorrect] result of a fault” (IEEE610.121990, 1990, p31) and mistake is “a human action that produces an incorrect result” (IEEE610.12-1990,
1990, p31). Most bugs arise from mistakes, errors, or faults made by people or flaws and failures in
either a program's source code or its design, and a few are caused by compilers producing incorrect
code7. A programming blunder (as defined at the beginning of the article) does not resemble a bug
either in raison d’être or function (see above). In other words, a software bug is different from a
programming blunder and this difference (which is significantly relevant for the forensic expert) may
look simple, but is by no means simplistic.
8. PROGRAMMING BLUNDERS AND THE IDEA-EXPRESSION DICHOTOMY
The idea-expression dichotomy (Newman, 1999) provides an excellent theoretical perspective to look
at and explain blunders. Any genuine idea which is properly expressed in the definition stage but
improperly (or not at all) expressed in the remaining stages (in a program) in a manner that does not
adversely affect the syntax (or sometimes even the semantics) of the program can become a
programming blunder. So, the integer variable ‘a’ in the C-program given in Table-2, for example,
when looked at in the idea-expression perspective, is a programming blunder. So, from the perspective
of the idea-expression dichotomy, programming blunder is a partly-made8 functional expression of an
idea. This clearly opens the door to linking blunders directly to copyright infringements of any
program because the idea-expression perspective is the basis of formulation of software copyright
laws in several countries (Hollaar, 2002; Newman, 1999).
Copyright laws of several countries (especially the US copyright laws) say that if there is only one
(exclusive) way of effectively expressing an idea, this idea and its expression tend to “merge”
(Walker, 1996, p83) and in such instances an idea is not protectable through copyright (Hollaar, 2002).
However, if the same idea can be realized through more than one expression, all such different
realizations are protected by copyright laws. Interestingly this means that the copyright of a program is
directly related to the concept of the merger between idea and expression and that when there is no
merger, the copyright of a program can extend to the blunders contained therein as well.
9. FORENSIC IMPORTANCE OF PROGRAMMING BLUNDERS
Despite their apparent functionally inactive and thus innocuous nature in a program, blunders, when
copyrighted, can be of great value / assistance to the cyber forensic expert. They provide evidence of
software copyright infringement and a discussion of this evidence is one of the prime objectives of this
article. On the forensic importance of programming blunders, Spafford and Weeber (1992) have noted
that:
Furthermore, it (a programming blunder) may contain references to variables
and code that was not included in working parts of the final program —
possibly providing clues to the author and to other sources of code used in this
program.
7
http://en.wikipedia.org/wiki/Software_bug visited on 6th Feb, 2011
By partly-made functional expression, what is meant or intended is an element which is defined, implemented but left
unused or inoperative in the remaining stages.
8
24
Since Spafford and Weeber (1992), a variety of experiments (for instance, Krsul (1994)) have been
performed on authorship analysis of source codes and copyright infringement establishment of
software. Also, at least half a dozen techniques and procedures (for instance, AFC (Hollaar, 2002),
SCAP (Frantzeskou, 2007) etc.) have been put forward for establishing authorship and copyright
infringement of software. However, none of them have taken cue from the above note of Spafford and
Weeber and considered programming blunders as evidence in the court.
Not all blunders are “substantial” in the copyright infringement forensic analysis. Blunders which can
provide direct (substantial) evidence to establish piracy (and thus, to establish copyright infringement)
or can provide probable, corroborative or supporting evidence are forensically important. The
repetition of programming blunders (even if these programming blunders are ‘generic’ by nature) in
both original9 and the pirated10 in identical contexts would be a serious indication of piracy. If, for
instance, a variable with a universally uncommon name ‘PXRN_CODE_AUCQ CHAR[6]’ is defined
in identical places of the identical procedures in the original11 as well as the pirated12 software, but
not used anywhere else (see the three categories of blunders, above), that is an instance of
programming blunder and such programming blunders attract/deserve forensic importance. The
forensic importance of blunders arises from the obvious fact that it is highly unlikely that two
programmers will blunder exactly in the same way, thus elevating the similarity into possible evidence
of piracy (See also Appendix-1).
While trying to establish a variable name or a code segment as a programming blunder, the expert
needs to confirm that it is (i) absent elsewhere in the original, (ii) present in the allegedly pirated
exactly in the same context as it was found in the original and (iii) absent elsewhere in the allegedly
pirated (Bhattathiripad & Baboo, 2010).
In the absence of other direct evidence of piracy, programming blunders can form the only basis for
the expert to convince the judiciary about the possibility of piracy.
9
Throughout this article, original means the version of the software that the complainant submits to the law enforcement
agency for software piracy forensics. This article presupposes that the law enforcement agency has satisfactorily verified the
legal aspects of the documentary evidence of copyright produced by the complainant and is convinced that the complainant is
the copyright holder of this version of the alleged software.
10
Throughout this article, pirated means the allegedly pirated software
25
Fig 1: The software copyright infringement forensic procedure of AFC13
13
Abstraction-Filtration-Comparison Analysis Guidelines for Expert Witnesses
http://web20.nixonpeabody.com/np20/np20wiki/Wiki%20Pages/Abstraction-FiltrationComparison%20Analysis%20Guidelines%20for%20Expert%20Witnesses.aspx
26
10. PROGRAMMING BLUNDERS AND THE AFC TEST
As things stand, it appears that forensic procedural protocols of software copyright infringement have
not fully recognized the importance of programming blunders. Nor have there been many attempts to
ensure their inclusion in the forensic expert’s repertoire. Programming blunders are very unlikely to be
detected, for instance, by the AFC test (see Appendix-3 and fig 1) which is the only judiciary-accepted
procedure for establishing software copyright infringement in the US. They are not detected or even
considered because during the abstraction of the program, only the functionally active parts (of the
program) will be considered for abstraction and used for further investigation (Hollaar, 2002, p86).
The functionally inactive parts (or those items are irrelevant for user’s functionality) like programming
blunders will not be considered for abstraction14. Moreover, abstraction may remove many individual
lines of code from consideration and so blunder genes as well as blunders may also get automatically
removed during the abstraction stage of AFC. In such case of unfortunate non-consideration, the
programming blunders will not be available for final comparison and this unavailability may make the
final results of AFC, incomplete and thus, unreliable. This is one of the fallibilities of AFC
(Bhattathiripad and Baboo, 2010) and can probably be a reason for the reluctance to use the AFC test
in the copyright infringement forensics of modern software (however, US judiciary continues to use
AFC test for software copyright infringement forensics15). Hence, this paper proposes that, along with
the AFC results, the evidence concerning the programming blunders, if any, should also be identified
and gathered separately by the expert by comparing the original with the pirated, before applying the
AFC test and reporting his/her the final findings and inferences to the court16. This paper also proposes
that the AFC test should be re-designed so as to ensure that possible evidence like programming
blunders are available for final comparison.
Before concluding, a note on what a judge expects from an AFC expert, would add value to the special
attention and consideration given to programming blunders. In any software comparison report, what
the judge would expect from the AFC expert is a set of details that help the court in arriving at a
decision on the copyrightable aspects of programming blunders. Jon O. Newman (1999), one of the
judges on the panel (in the 2nd circuit of U. S. judiciary) that received an amicus brief17 (concerning a
software copyright infringement case) indicates what he needs from expert witnesses in a trial (or in
the amicus brief) on an appeal involving software copyright infringement:
These professionals would be well advised not to tell me simply that the source code
is or is not protectable expression. Their opinion are relevant, but, as with all opinions,
what renders them persuasive is not the vehemence of their assertion and not even the
credentials of those asserting them; it is the cogency and persuasive force of the
reasons they give for their respective positions. These reasons had better relate to the
specifics of the computer field. For example, as Altai (United States Court of Appeals,
1992) indicates, even with its overly structured mode of analysis, it will be very
14
Because AFC test does allow for 'literal' similarities between two pieces of code, there is a general belief that AFC can
make available “literal” pieces like programming blunders (for example, variables that are defined but unused and execution
paths that “cannot be executed”) for final comparison. But in practice, AFC does not either abstract these “literal” pieces of
evidence or filter them out in the filtration stage and either way, these programming blunders like “literal” pieces are
unavailable for final comparison.
15
See United States District Court of Massachusetts (2010), Memorandum and Order, Civil Action number 07-12157 PBS,
Real View LLC. Vs. 20-20 Technologies, p.2
16
The ultimate decisions like whether these pieces of evidence (concerning programming blunders) (1) are useful or not; (2)
form direct or secondary evidence; and (3) are generic (and hence, non-copyrightable) by nature or not, come under judicial
matters and are subject to the provisions of the prevailing Evidence Act of the respective country. However, cyber forensic
report can remain suggestive on these three aspects and also on the (conclusive, corroborative, and supportive) nature of the
programming blunders found in the original and the pirated.
17
Amicus Brief of Computer Scientists, Harbor Solutions v. Applied Systems No. 97-7197 (2nd Circuit, 1998) at 8-9
(citations omitted)
27
important for me to know whether the essential function being performed by the
copyrighted program is a function that can be accomplished with a variety of source
codes, which will strengthen the case for protection, or, on the other hand, is a
function, capable of execution with very few variations in source code, or, variations
of such triviality as to be disregarded, in which event protection will be unlikely. For
me, this mode of analysis is essentially what in other contexts we call the merger
doctrine – the expression is said to have merged with the idea because the idea can be
expressed in such limited ways that protection of the plaintiff’s expression unduly
risks protecting the idea itself. (Newman, 1999)
So, what is expected in the case of programming blunders also is a set of details on the merger aspects
of the ideas and expressions contained in any programming blunder (This is because, as said earlier,).
In conclusion, the following facts emerge: it seems reasonable to state that any variable or a code
segment or a field in a database table, which is hardly used or executed in the context of the
application or the user’s functionality can form the basis of a programming blunder. The copyright of
the software can often extend to the blunders contained therein. Also, any programming blunder that
goes against the merger doctrine is copyrightable and repetition of it in another program can be a
serious indication of copyright infringement. As a result, programming blunders can greatly influence
the expert to give supportive evidence to his findings, thus indirectly contributing to the judge’s
decision. Because of this, identification and reporting of programming blunders need to be a part of
the copyright infringement investigation. Hence, procedures like the AFC test needs to be re-designed
so as to ensure that possible evidence like programming blunders are not filtered out.
11. REFERENCES
Bhattathiripad., P. V., and Baboo (2009), S. S., Software Piracy Forensics: Exploiting Nonautomated
and Judiciary-Friendly Technique', Journal of Digital Forensic Practice, 2:4, pages 175 — 182
Bhattathiripad., P. V., and Baboo (2011), S. S., Software Piracy Forensics: Impact and Implications of
post-piracy modifications, Conference on Digital Forensics, Security & Law, Richmond, USA
Bhattathiripad., P. V., and Baboo, S. S. (2010), Software Piracy Forensics: The need for further
developing AFC, 2nd International ICST Conference on Digital Forensics & Cyber Crime, 4-6
October 2010, Abu Dhabi, UAE
European Software Analysis Laboratory (2007), The “SIMILE Workshop”: Automating the detection
of counterfeit software, available at www.esalab.com
Frantzeskou, G., Stamatatos, E., Gritzalis, S., Chaski, C. E., and Howald, B. S. (2007), Identifying
Authorship by Byte-Level N-Grams: The Source Code Author Profile (SCAP) Method, International
Journal of Digital Evidence, 6, 1
Hayes, J. H., and Offutt, J. (2010), Recognizing authors: an examination of the consistent programmer
hypothesis, Software Testing, Verification & Reliability - STVR , vol. 20, no. 4, pp. 329-356
Hollaar L. A. (2002), Legal Protection Of Digital Information, BNA Books
IEEE610.12-1990 definition (1990), IEEE Standard Glossary of Software Engineering
Krsul, I., (1994), Identifying the author of a program, Technical Report, CSD-TR-94-030, Purdue
University, available at http://isis.poly.edu/kulesh/forensics/docs/krsul96authorship.pdf , visited
on 14th April, 2011
McConnell, S. (1996), Who cares about software construction?, Software, IEEE, Volume 13, Issue 1,
Jan 1996, p.127-128
Newman J. O. (1999), New Lyrics For An Old Melody, The Idea/Expression Dichotomy In The
Computer Age, 17, Cardozo Arts & Ent. Law Journal, p.691
28
Raysman R. and Brown P. (2006), Copyright Infringement of computer software and the Altai test,
New York Law Journal, Volume 235, No. 89
Spafford, E. H., and Weeber, S. A. (1992), Software forensics: Can we track the code back to its
authors?, Purdue Technical Report CSD–TR 92–010, SERC Technical Report SERC–TR 110–P,
Department of Computer Sciences, Purdue University
United States Court of Appeals (1992), Second Circuit, Computer Associates International, Inc. v.
Altai, Inc., 982 F.2d 693; 1992 U.S. App. LEXIS 33369; 119 A.L.R. Fed. 741; 92 Cal. Daily, Op.
Service 10213, January 9, 1992, Argued, December 17, 1992, Filed
United States District Court of Massachusetts (2010), Memorandum and Order, Civil Action number
07-12157 PBS, Real View LLC. Vs. 20-20 Technologies, p.2
Walker, J. (1996), "Protectable 'Nuggets': Drawing the Line Between Idea and Expression in computer
Program Copyright Protection", 44, Journal of the Copyright Society of USA, Vol 44, Issue 79
29
APPENDIX-1: SECONDARY OR INCONCLUSIVE PROGRAMMING BLUNDER GENES
Most genes of programming blunders can be conclusively identified. But, there are certain
elements in a program that may not have yet surfaced as blunders but are potentially prone to
surfacing later as programming blunders. Conversely, all ideas which are successfully
expressed but are superfluous to customer requirements also may not surface as a blunder
because such expressions (or a code segment) may affect the semantics of the program and
thus end up as an error at some point of time during the life time of the program (if not during
its pre-implementation testing stage). Any such code segment is basically a gene of an error
and not of a blunder. However, any such code segment in a time-tested program may
eventually form the basis of a blunder because such an item or a code segment does not justify
its being there at all for long unattended. But, such blunders are very difficult to be
conclusively identified and used.
APPENDIX-2: BUG REPEATED V. BLUNDER REPEATED
A bug repeated (in a pirated program) may be noticed during the functioning of the pirated.
Unlike a bug, a programming blunder repeated (in a pirated program, though noticeable)
would remain unnoticed during the functioning of the pirated. In the absence of a thorough
quality control round by the pirated (which is very likely), these programming blunders would
remain intact in the pirated and may turn into evidence of piracy.
30
APPENDIX-3: A NOTE ON ABSTRACTION-FILTRATION-COMPARISON TEST
AFC (Abstraction-Filtration-Comparison) test was primarily developed by Randall Davis
of the Massachusetts Institute of Technology for evaluating copyright infringement
claims involving computer software and used in the 1992 Computer Associates vs. Altai
case, in the court of appeal of the 2nd federal circuit in the United States (Walker, 1996).
Since 1992, AFC has been recognized as a legal precedent for evaluating copyright
infringement claims involving computer software in several appeal courts in the United
States, including the fourth, tenth, eleventh and federal circuit courts of appeals
(European Software Analysis Laboratory, 2007; Raysman & Brown, 2006; United States
District Court of Massachusetts, 2010). AFC is basically a manual comparison approach.
The theoretical framework of AFC not only makes possible the determination of “literal”
similarities between two pieces of code, but it also takes into account their functionality
to identify “substantial” similarities (Walker, 1996). In the AFC test, both the pirated as
well as the original software are put through three stages, namely, abstraction, filtration
and comparison. While other approaches (and the automated tools based on these
approaches) generally compare two software packages literally, without considering
globally common elements in the software, AFC, as the name indicates, first abstracts the
original as well as the allegedly pirated, then filters out the globally common elements in
them to zero in on two sets of comparable elements and finally compares these two sets
to bring out similarities or “nuggets” (Walker, 1996).
On the copyright aspects of the software, the AFC-test specifies three categories (more
aptly, levels) of exclusions, called doctrines (Walker, 1996). Firstly, if there is only one
way of effectively expressing an idea (a function), this idea and its expression tend
to “merge”. Since the idea itself would not be protectable, the expression of this idea
would also escape from the field of the copyright protection. Secondly, there is the
“scènes a faire” doctrine which excludes from the field of protection, any code that has
been made necessary by the technical environment or some external rules imposed on the
programmer. Thirdly, there are those elements that are in the public domain. These three
categories of elements in the software are filtered out of the original as well as the
allegedly pirated before arriving at the two set of comparable elements, mentioned above.
31
32
THE XBOX 360 AND STEGANOGRAPHY: HOW CRIMINALS
AND TERRORISTS COULD BE “GOING DARK”
Ashley Podhradsky
Drexel University
Rob D’Ovidio
Drexel University
Cindy Casey
Drexel University
ABSTRACT
Video game consoles have evolved from single-player embedded systems with rudimentary
processing and graphics capabilities to multipurpose devices that provide users with parallel
functionality to contemporary desktop and laptop computers. Besides offering video games with rich
graphics and multiuser network play, today's gaming consoles give users the ability to communicate
via email, video and text chat; transfer pictures, videos, and file;, and surf the World-Wide-Web.
These communication capabilities have, unfortunately, been exploited by people to plan and commit a
variety of criminal activities. In an attempt to cover the digital tracks of these unlawful undertakings,
anti-forensic techniques, such as steganography, may be utilized to hide or alter evidence. This paper
will explore how criminals and terrorists might be using the Xbox 360 to convey messages and files
using steganographic techniques. Specific attention will be paid to the "going dark" problem and the
disjoint between forensic capabilities for analyzing traditional computers and forensic capabilities for
analyzing video game consoles. Forensic approaches for examining Microsoft's Xbox 360 will be
detailed and the resulting evidentiary capabilities will be discussed.
Keywords: Digital Forensics, Xbox Gaming Console, Steganography, Terrorism, Cyber Crime
1. INTRODUCTION
The use of nontraditional computing devices as a means to access the internet and communicate with
one another has become increasingly popular [1]. People are not just going online through traditional
means with a PC anymore, they are now frequently using cell phones, smart phones, and gaming
consoles as well. Criminals and terrorists also rely on these technologies to communicate while
maintaining confidentiality and anonymity. When information-masking techniques are combined with
non-traditional communication devices, the chances of interception or discovery are significantly
reduced. Hiding information in plain site by altering image, text, or sound data has been going on for
centuries. Steganography, the discipline of concealing the fact that a message or some form of
communication exists, poses a major threat to our national security particularly when it is being
transmitted over exploitable communication channels [2].
2. STEGANOGRAPHY
Steganography is often confused with cryptography, the latter being the art of obscuring a message so
that it is meaningless to anyone except the person it is intended for [3]. Essentially, a cryptographic
message hides the meaning of a message, whereas steganography conceals the fact that a message
even exists [3]. The origin of the word steganography is Greek for steganos (στεγανός) which means
“covered” and graphia (γραφή), which means “writing” [4]. Unlike encryption, which scrambles or
encodes text, with steganography the text is inserted or hidden in another medium such as a
photograph, webpage, or audio file, called the carrier file. The goal of concealing the message is to
33
keep the communication a secret even though it is in plain view. IT security professionals refer to this
concept as security through obscurity. Unlike cryptography, where an encrypted channel sends a red
flag to digital investigators, steganography offers covert communication channels which typically go
unnoticed. .
Although today’s technologies provide a multiplicity of avenues in which to conceal messages,
steganography is not new [5]. In fact, the origins of steganography can be traced back to the ancient
Greek historian Herodotus (c. 484-c 425 B.C.) [6]. In his Histories, Herodotus describes how a secret
message was tattooed onto a slave’s head. Once the slave’s hair grew back, the message was
concealed, thus enabling him to travel through enemy territory without the communication being
discovered. Once the slave arrived at his destination, his head was shaved and the message read [6].
Another method of steganography described by Herodotus is a technique employed by the King of
Sparta when he needed to send covert messages to the Greeks. The message was written onto a
wooden tablet that was then covered with wax so that it appeared empty [7]. Perhaps the most wellknown form of steganography is invisible ink, which became popular during the Second World War.
Invisible ink can be synthetic, like the invisible ink pens many of us used to write secret messages
with as children, or organic, such as body fluids or lemon juice.
There are two primary methods of steganography. The first is referred to as insertion and involves
taking data from one file (the secret) and embedding it into another file (the host or carrier). With
insertion, the size of the image changes once the hidden message has been added [8].
The second form of steganography is called substitution. Here bits of the host file are replaced with
other bits of information. For example, in an 8-bit graphic file, the digits furthest to the left are
referred to as the Most Significant Digit (MSD), while the digits furthest to the right are the Least
Significant Digit (LSD). By replacing the LSD digits, the pixel will change the least. So a bit, which
might read 11110000, can be changed to 11110001, and the effect on the image will be minuscule - or
undetectable to the human eye [8].
Although this may initially sound complex, there is a plethora of tools available on the internet, many
of which are open-source or can be downloaded for a minimal investment or free trial, which makes
substitution steganography a relatively simple task.
3. INVISIBLE SECRETS
Invisible Secrets is an encryption and steganography tool which also provides an array of privacy
options such as erasing internet and computer traces, shredding data to avoid recovery, and locking
computer applications [9]. One of the key attributes of this software is that it affords individuals with
little or no experience the opportunity to utilize the ancient practice of steganography with minimal, if
any, difficulty. Invisible Secrets utilizes both encryption and steganography to create carrier files
which can only be read by the individual they are intended for. By employing cryptography to transfer
the key necessary to unlock the secret message as it traverses over an unsecure connection, potential
Man in the Middle attacks are thwarted.
The following images illustrate how a secret message can be hidden in a JPG photograph. The two
images look identical, however, a closer look shows that they differ in both size and hash value. Using
Invisible Secrets, a short text message was inserted into the photograph. Hidden messages are not just
limited to text - maps can also be embedded. For demonstration purposes, the message was not
encrypted or compressed. Had the message been compressed, the size differences between the two
images would be considerably less, making discovery more challenging.
34
Creating a hidden message using Invisible Secrets
Image 1 - Inserting the secret message into the photograph
35
Image 2 - Carrier image created
4. STEGANALYSIS
To the human eye, the two images (titled original and carrier) are identical. However, an initial
examination reveals that they differ in both size and hash value. Another way to determine if an image
has been altered is to compare the histograms of the photos in question. A histogram is a visual
impression or graph of the data distribution of an object obtained by mathematically calculating an
object’s density [10]. It is relevant to note that a histogram is dependent upon the bin size calculated
[11]. If calculated poorly, when the data is tabulated it could result in misleading or incomplete
information about the data [11]. Although this task is typically performed by a computer, variances
should be expected, and a histogram independent of other supporting evidence may not be sufficient
enough to determine if an image has been altered.
Image 3 - Original unaltered image
MD5 checksum 3e8d80d0e03324331215d83cba00caf8
Size 2.31 MB
36
Image 4 - Carrier image
MD5 checksum a463f9edbeeea630fb320671c5a65895
Size 4.62 MB
By comparing the histograms of the two image files using Adobe Photoshop Elements [12], an
apparent difference between the two is noted. Each histogram consists of precisely 256 invisible bars
which represent a different level of brightness in the image [13]. The higher the bar is on the graph, the
more pixels at that specific point [13]. When placed side by side, we can see that the smoothness,
where pixel values sit in relation to each instance of true color and shading transition occurs, is only
present in the original image file [14].
Image 5 - Examining the histogram of the image with Adobe Photoshop
Image 6 - Comparing the two histograms
A common tool used by digital examiners when analyzing suspected stenographic images is a hex
editor. Hex editors enable investigators to examine the raw data of a file at a very granular level. Using
37
WinHex Hexadecimal Editor [15], the two images were compared. The hexadecimal characters which
denote the beginning and end of a JPG file are “FF D8” and “FF D9” respectively [16]. Within a
matter of seconds we can see that data has been appended to the end of the carrier image file. Further
analysis showed that there was a considerable variance in byte values between the two files. Typically,
forensic examiners are not privy to both images for analysis. While there are some steganalysis tools
available, investigators usually have to rely on more complex methodologies such as looking for
embedded ASCII text, utilizing some type of classification or statistical algorithm such as quadratic
mirror filters or raw quick pairs, or developing a model of what the suspect image should look like
[17,18]. Not only do these techniques require advanced skill, but they are also time consuming and
costly.
Image 7 - Comparing the two images in WinHex
StegSpy is an open-source utility that searches for steganography signatures in files and the program
used to create the file [17]. StegSpy was initially developed to aid in the detection of hidden messages
following the terrorist attacks of September 11, 2001 [18]. According to the developer’s website,
StegSpy is capable of detecting the following steganography programs: Hiderman, JPHideand Seek,
Masker, JPegX, and Invisible Secrets [17]. Although the tool did detect the presence of a hidden
message in the carrier file, it identified the program used to create the file incorrectly.
In his thesis paper, “Using an Artificial Neural Network to Detect the Presence of Image
Steganography”, Aron Chandrababu tested several steganalysis tools, including StegSpy, to determine
their usefulness in detecting covert messages embedded in images. Chandrababu’s research concluded
that StegSpy was unreliable when used to examine a sample of 100 color images - 50 containing
embedded messages, and 50 containing no message at all [18]. Chandrababu’s experiment found that
StegSpy was only able to detect 8 of the 50 carrier images tested with the program [18]. Thus, the
probability that StegSpy is capable of revealing an image containing an embedded message is only
0.16, or 16%.
38
Image 8 -Examining carrier file with StepSpy V2.1
Steganalysis, regardless of the technique employed (human calculated or computer generated
algorithm), is an empirical process dependent upon two primary dynamics. First, the algorithm used,
and secondly, the model the dataset is being measured against [19]. A shift in any of these variables
can alter the results. An additional factor investigators must consider is the fact that technology is in
constant flux.
5. TERRORISM AND STEGANOGRAPHY
Shortly after the terrorist attacks in the United States on September 11, 2001, the Washington Post
reported that federal agents had gathered at least three years of intelligence confirming that Osama bin
Laden and members of al-Qa’ida had been communicating through embedded messages via email and
on web sites [20]. Although there was no definitive evidence proving that the terrorists used
steganography to plot the attacks of September 11th, it is highly probable [20].
With over 21 percent of the world’s population communicating by means of the internet, it should not
come as a surprise that terrorists also use the internet to communicate with each other, spread
propaganda, fund their activities, and recruit [21].
In the second issue of Technical Mujahid, a bimonthly digital training manual for Jihadis, section one, titled Covert Communications and Hiding
Secrets inside Images, discusses steganography techniques, specifically hiding messages in images
and audio files [22,23].
Unlike emails, which can be easily traced, steganography enables terrorists to communicate with each
other while maintaining anonymity. Security expert Bruce Schneier uses the analogy of a dead drop to
demonstrate exactly how steganography benefits terrorists [22]. A dead drop is a communication
technique used by accused Russian spy Robert Hanssen. Hanssen never directly communicated with
his Russian cohorts, but rather left messages, documents, or money in plastic bags under a bridge [22].
Chalk lines left in public places, in plain sight, would direct Hanssen where to collect or leave
packages [22]. Consequently, the parties communicating never had to meet or even know each other’s
identity. According to Schneier, dead drops “…can be used to facilitate completely anonymous,
asynchronous communications” [22]. So if we think of steganography as an electronic dead drop [22],
39
terrorist groups such as al-Qa’ida, Hezbollah, and Hamas are capable of communicating anonymously
and with no shortage of places to leave their virtual chalk lines.
6. CRIME AND THE XBOX 360
The use of nontraditional computing devices as a means to access the internet and communicate with
one another has become increasingly popular [1]. However, average users are not the only ones
reaping the benefits of these evolving technologies, so are the criminals. Gaming consoles, specifically
the Xbox 360, have become a favorite nontraditional computing medium, not only as an instrument to
perform illegal activities but as a target as well.
According to a recent FBI report, Bronx Blood gang members were communicating through Sony’s
PlayStation 3 gaming console while under house arrest [23]. Similar to the Xbox 360, the PS3
provides users with a multiplicity of services which facilitate communication such as chat, social
networking sites, instant messaging, multiplayer gaming, video downloading and sharing, and crossgame chat rooms [23].
New Jersey Regional Operations Intelligence’s Threat Analysis Program reported in September 2010
that as of June 2010 Mara Salvatrucha (MS-13) gang members were conducting criminal activities,
including ordering the murder of a witness, using Microsoft’s Xbox 360 and Sony’s PS3 [24]
Robert Lynch, a 20-year-old Michigan man, was arrested and charged in March 2011 of attempting to
accost school-aged girls for immoral purposes. Lynch used his Xbox 360 gaming console to meet,
befriend, and lure his young victims who were between 11 and 14 years of age [25].
In January 2011, 36-year old Rachel Ann Hicks, lied about her age to befriend under aged boys on
Xbox Live. Once she gained their trust, she sent them illicit photos of herself and X-rated movies.
The California resident drove from her home state to Maryland to molest one 13-year-old boy [26].
Gaming consoles enable gangs and terrorist organizations to communicate internationally while
avoiding detection by the Central Intelligence Agency (CIA) and National Security Agency/Central
Security Service (NSA/CSA) [27]. Defendants sentenced to house arrest, particularly sex offenders,
are often prohibited from using a computer to access the internet [30,31,32]. However, if gaming
consoles are not prohibited, the offender still has the capability of accessing the internet.
While many gaming consoles exist, Microsoft’s Xbox 360 is the most popular among American
consumers, selling over thirty-nine million consoles, six million more than their top competitor the
PS3 [28]. In October 2011, Microsoft announced plans for integrating their Xbox 360 gaming
dashboard with a pay television feature called Live TV. Live TV will enable Xbox Live users to
access Comcast and Verizon services directly from their gaming consoles [29]. With this rise in
popularity, the Xbox 360 has also become a popular medium for criminals. When Bill Gates first
announced his plans for the Xbox 360 gaming system in January 2000, at the International Electronic
Consumers Show in Las Vegas, some critics proclaimed that this new console was nothing more than
a “...PC in a black box [30].” These critics were not too far off the mark.
The Xbox 360 is not only similar to a personal computer - it is actually more powerful than most
average personal computers. The hardware and technical specifications found in today’s Xbox 360
console includes a detachable 250GB hard drive, an IBM customized power –PC based CPU
containing three symmetrical cores each capable of running 3.2 GHz, a 512 MB GDDR3 RAM (which
reduces the heat dispersal burden and is capable of transferring 4 bits of data per pin in 2 clock cycles
for increased throughput), and 700 MHz DDR (theoretically supplying a swift 1400 MB per second
maximum bandwidth) memory [31]
7. XBOX 360 IMAGE STEGANOGRAPHY
Using open-source game modification tools, the carrier image created earlier with Invisible Secrets,
and a USB 2.0 to SATA adaptor with a 50/60 Hz power supply cable, researchers tested the feasibility
40
of inserting a stenographic image into an Xbox 360 hard drive. The process was straightforward and
the results significant.
Modio, an open-source Xbox 360 modification tool popular with gamers because it enables users to
customize their console, was used to open the hard drive [32]. Once the drive was opened, theme
creator was selected. Theme creator allows users to create custom Xbox 360 dashboards themes. The
user interface supports four images, main, media library, game library, and system settings. The carrier
image was uploaded as the main image and the original, unaltered picture of the clouds, uploaded to
the media and game libraries, as well as the system settings. The theme was named Stego and saved to
the device.
Image 9 - Creating a dashboard theme in Modio using the carrier image created with Invisible Secrets
Image 10 -Saving the new theme to the hard drive
When the drive was reopened, our newly created theme, containing the carrier image complete with
secret message, was found in Partition 3 under Profile Storage/Skins. The file was then extracted to
the desktop and opened with wxPirs [33]. WxPirs is another open-source utility commonly used by
gamers seeking to modify their gaming consoles. It enables users to open PIRS, CON, and LIVE files
- commonly found on the Xbox 360 drive. When opened in wxPirs, the entire contents of the Stego
theme file can be viewed. Although the contents of the newly created theme file (wallpaper1) can also
41
be viewed in Modio by right-clicking Open in Resigner and selecting the General File Info tab,
opening the file in wxPirs reveals that the file was created in Modio, Knowing that a game
modification tool created the file could warrant further investigation. The carrier file, Wallpaper1, was
then extracted to the desktop and opened with Windows Photo Viewer. Although a MD5 checksum
showed that the hash value and file size had changed (MD5 0ea9f8bfa3f54fb214028f1e2f578b02, size
190 KB), when the image was opened with Invisible Secrets, our secret message remained intact and
unaltered. (Image 15)
Image 11 -Newly created Stego Theme saved to hard drive
Image 12 - Stego theme opened in wxPirs
Image 13 -Stego theme examined with Modio’s Resigner
42
Image 14 - Extracted image opened with Windows Photo Viewer - although checksum and size have
changed, no viewable differences are noticed
Image 15 -Wallpaper1 is then opened with Invisible Secrets to reveal the hidden message
8. VIDEO STEGANOGRAPHY
Although digital images are the most popular carriers due to their rapid proliferation and the excessive
numbers of bytes available for manipulation, messages can also be embedded in audio and video files,
programming and web codes, and even in network control protocols [34]. Because video files are
essentially a collection of audio sounds and images, many of the techniques used for image or audio
steganography can likewise be used to hide data in videos [35]. Furthermore, because a video is a
moving stream of images and sound, not only is there a vast area to work with, but the continual
motion makes detection extremely challenging [35]. By treating a digital video file as single frames,
rather than one continuous bit stream, data can be evenly dispersed into any number of frames or
images. By slightly altering the output images displayed on each video frame, when the video is
played back it should not be distorted or changed enough to be recognized by the human eye [36].
This approach provides a vast field of workspace and eliminates the need for compression. Although
this may involve utilizing techniques such as the Least Significant Bit (LSB), which can be tricky
when working with grey-scaled images [36], inserting a message into a video file does not require
expertise in video editing. There is a plethora of tools, many of which are right on the average desktop,
to assist in the process. Furthermore, if the host video is one that is assumed highly unlikely of being
altered, such as a proprietary video game trailer, it may possibly evade inspection altogether.
To demonstrate how this is possible, researchers extracted, altered, and then reinstated a proprietary
43
game trailer from an Xbox 360 hard drive using Modio and Windows Live Movie Maker. In partition
3, under contents/downloads, the file for Forza Motorsport 3 was located and opened in Modio’s
resigner (Image 16). Under the general info tab, the Forza Motorsport 3’s movie trailer was extracted
to the desktop (Image 17).
Image 16 – Forza Mothersport 3 opened in resigner
Image 17 – Forza Motorsport 3 game trailer exported to desktop
The trailer was opened from the desktop using Windows Video Maker. Several “secret messages”
were inserted throughout the video (Image 18), including names and locations. At the end of the video,
credits were added using the names of some of the game designers who spoke throughout the video,
and one secret message. The third “name” on the list, Semaine Suivante, isn’t a name at all but rather
French for “next week” (Image 19). The modified video was saved as Stego.wmv.
Image 18 – Name inserted in frame
44
Image 19 – Credits added with hidden message
Using resigner’s replace file option, the stenographic video, Stego.wmv, not only replaced the original
default.wmv, but retained the original file name and date (default.wmv, 11/22/2005) as well. This is
rather significant because it means that digital examiners investigating Xbox 360 hard drives may not
see any evidence that a file was altered (Image 20). Thus, a stenographic file could go undiscovered
unless the probable hundreds of proprietary files on the drive were extracted and examined one by one.
Because the forensic analysis of gaming consoles is in its infancy, the available tools and
methodologies investigators use to examine computers are not suitable for analyzing gaming consoles,
this is indeed problematic at best. When the new default.wmv is extracted and played on the desktop
or on a television screen, the secret messages are revealed (Image 21).
Image 20 – Stenographic file replaced original game trailer retaining the original file’s name
and creation date
45
Image 21 - Altered game trailer with hidden message, Semaine Suivante, revealed
9. LINGUISTIC STEGANOGRAPHY
The decision to use a French phrase in the previous example was deliberate. Although it may initially
present as somewhat simplistic, given the availability of so many user- friendly software programs and
complex stenographic techniques, the use of foreign languages is still a very valuable method of
hiding messages. The syntactical nature of any language can make the interpretation of a message
written in a foreign language challenging enough, but when that language is deliberately skewed to
conceal its true meaning, challenging may very well be an understatement [37].
Following the terrorist attacks of September 11, 2001, it became apparent that the Federal Bureau of
Investigation (FBI) and the Central Intelligence Agency (CIA) did not have language specialists
capable of interpreting vital documents that could have forewarned security experts about the planned
terrorist attacks [38]. Recognizing the significance of foreign languages as they pertain to security, the
Defense Language Institute Foreign Language Center (DLIFLC) was created on November 1, 1941,
upon America’s entry into world War II [39].
Today the DLIFLC educational and research institute provides linguistic training through intense
studies and cultural immersion to the Department of Defense (DoD) and other Federal Agencies [39].
Approximately forty languages are taught at DLIFLC including Arabic, Chinese, French, German,
Russian, Spanish, and Japanese [39]. Some examples of linguistic steganography include, but are not
limited to:




Use of Arabic letter points and extensions – A technique where the extensions of
pointed letters hold one bit and the un-pointed letters zero bits [40].
Format-based Methodologies – The physical formatting of text to provide space for
hiding information. May include insertion of spaces, non-displayed characters,
variations in font size, and deliberate misspellings [41].
Synonym Substitution – A common form of steganography where selected words
from the cover text are replaced with one of their synonyms as predetermined by the
encoding rules established [42].
Feature Specific Encoding – Encoding secret messages into formatted text through
the alteration of text attributes (i.e.: length, size) [43]
Because the Xbox 360 is an international gaming platform, it is not uncharacteristic to find multiple
languages on the hard drive. On the specific drive used for this project, two instances of foreign
languages, French and Dutch, were found upon examination. Both appear to be game character dialogs
46
and gaming instructions (Images 22, 23). From an investigative perspective, what is perplexing is that
these dialogs were the only part of the proprietary game files not encrypted or compressed. This
suggests that Microsoft may employ foreign languages as a security measure (security through
obscurity). Previous research found Spanish, French, and German in both the marketplace files and
networking files (i.e.: NAT) [44]. To date, researchers have recorded French, Spanish, Dutch, German
Russian, possibly Chinese Unicode in the Xbox 360 [44].
From a steganalysis perspective, this suggests that there is an abundance of proprietary files on the
hard drive where a message could be inserted using a foreign language in order to evade discovery.
Where digital investigators have traditionally looked for user data, this is no longer the case.
Proprietary files must also be diligently examined.
Image 22 – French dialog as viewed in FTK Imager
Image 23 – French translated to English using Google Translator
10. CONCLUSION
Steganography is concerned with secret communication, not indecipherable communication. Videos,
proprietary and redundant programming files, and audio and digital images are all potential carriers. In
47
the Art of War, Sun Tzu said that “The natural formation of the country is the soldier's best ally…”
[45]. However, when dealing with the Xbox 360, the topography is unknown.
The file data format used on the Xbox is FATX, which is an offshoot of the more familiar FAT32
found on older computers and storage devices [46]. Although the two possess similar format and file
data layouts, they are not the same. FATX does not contain the backup boot or file system information
sectors found in FAT32. The reasoning behind these variations in the file format is that the Xbox was
designed primarily for entertainment as opposed to productivity. Thus, redundancy and legacy are
apparently forfeited in order to increase the system’s speed. It is also relevant to note that the specific
Xbox 360 model, applied Microsoft updates, and condition of the drive all have an impact on what the
examiner may or may not find upon examination. This, combined with the veiled nature of
steganography, can make analysis very difficult.
11. RECOMMENDATIONS
The first thing the investigator should do upon receiving an Xbox 360 console is to record the 12-digit
serial number which is located on the back side of the console where the USB slots are located [47].
The examiner will need to push the oval-shaped USB door open in order to view this number [47].
Each console contains a unique serial number which corresponds to a serial number stored throughout
the drive. It is pertinent to record this number, as it not only identifies the system on Xbox Live but
could indicate if the drive has been changed [47]. However, because gamers frequently switch hard
drives in and out, these numbers may differ.
The SATA hard drive is housed securely within the detachable hard drive case inside a second
enclosure. To access the actual drive two torx wrenches, sizes 6 and 10, are required. The T6 wrench
is needed to remove the screws from the exterior housing. Three of the screws are easily visible, but
the forth screw is located beneath the Microsoft sticker (Image 24). Once this sticker has been
removed, the Xbox warranty is voided. A missing sticker could be indicative of a drive that has been
modified or tampered with.
Image 24: Removing Microsoft sticker reveals the fourth screw and indicates the drive has been
accessed
As technology evolves, so must the methodologies used by examiners. Although steganography dates
back to antiquity, digital steganalysis is a relatively new discipline which is in flux. Consequently, the
steganalysis of an Xbox drive is a long, slow, systematic process. It is difficult to identify structural
abnormalities or signs of manipulation in a digital environment which is still fundamentally undefined
[48]. Compounding this is the fact that there are no current reference guides or approved tools
available for forensically examining Xbox 360 drives.
48
12. REFERENCES
1. The Diffusion Group. TDG Releases New Report Examining Web Browsing from Top Consumer
Electronics Devices: No Keyboard, No Mouse, No Problem? The Diffusion Group Press Releases.
[Online]
9
8,
2001.
[Cited:
1
1,
2012.]
http://tdgresearch.com/blogs/pressreleases/archive/2011/09/19/tdg-releases-new-report-examining-web-browsing-from-top-consumerelectronics-devices-no-keyboard-no-mouse-no-problem.aspx.
2. Covert computer and network communications. Newman, Robert C. New York : ACM.
Proceedings of the 4th annual conference on Information security curriculum development . p. InfoSec
CD 2007.
3. On The Limits of Steganography. Ross J. Anderson, Fabien A.P. Petitcolas. 1998, IEEE Journal
of Selected Areas in Communications,, pp. 474-481.
4. Fridrich, Jessica. Steganography in Digital Media: Principles, Algorithms, and Applications.
Cambridge : Cambridge University Press, 2009.
5. Hide and Seek: An Introduction to Steganography. Honeyman, Niels Provo and Peter. 2003, IEEE
Security and Privacy , pp. 32-44.
6. Hempstalk, Kathryn. A Java Steganography Tool. Source Forge. [Online] 3 24, 2005. [Cited: 11
1, 2011.] http://diit.sourceforge.net/files/Proposal.pdf.
7. Strassler, Robert B. The Landmark Herodotus: The Histories. New York : Randmom House, 2009.
8. Frank Enfinger, Amelia Phillips, Bill Nelson, Christopher Steuart. Guide to Computer
Forensics and Investigations . Boston : Thomson Course Technology, 2005.
9. NeoByte Solutions. Invisible Secrets 4. Invisible Secrets . [Online] 2011. [Cited: 11 2, 2011.]
http://www.invisiblesecrets.com/.
10. Pearson, K. Contributions to the Mathematical Theory of Evolution. II. Skew Variation in
Homogeneous Material. Philosophical Trans-actions of the Royal Society of London. 1885-1887, pp.
186, 343–414.
11. Jenkinson, Mark. Histogram Bin Size . FMRIB Centre Research Facility . [Online] 5 10, 2000.
[Cited: 1 2, 2012.] http://www.fmrib.ox.ac.uk/analysis/techrep/tr00mj2/tr00mj2/node24.html.
12. Adobe . Elements Product Famility. Adobe . [Online] 2012. [Cited: 1 1, 2012.]
http://www.adobe.com/products/photoshop-elements.html.
13. Patterson, Steve. How To Read An Image Histogram In Photoshop. Adobe Photoshop Tutorials
and Training. [Online] 2012. [Cited: 1 2, 2012.] http://www.photoshopessentials.com/photoediting/histogram/.
14. Liu, Matthew Stamm and K. J. Ray. Blind Forensics of Contrast Enhancement in Digital Images
. Dept. of Electrical and Computer Engineering, University of Maryland,. [Online] 6 13, 2008. [Cited:
1 2, 2012.] http://www.ece.umd.edu/~mcstamm/Stamm_Liu%20-%20ICIP08.pdf.
15. X-Ways Software Technology. WinHex 16.3. WinHex: Computer Forensics & Data Recovery
Software Hex Editor & Disk Editor. [Online] 2012. [Cited: 1 2, 2012.] http://x-ways.net/winhex/.
16. Bill Nelson, Amelia Phillips, Christopher Steuart. Guide to Computer Forensics and
Investigations . Florence : Cencage, 2009.
17. spy-hunter.com. StegSpy. spy-hunter.com. [Online] 2009. [Cited: 1 3, 2012.] http://www.spyhunter.com/stegspy.
49
18. Chandrababu, Aron. Using an Artificial Neural Network to Detect The Presence of Image
Steganography. Thesis, The University of Akron. Akron, OH : s.n., 5 2009.
19. Ingemar Cox, Matthew Miller, Jeffrey Bloom, Jessica Fridrich, Ton Kalker. Digital
Watermarking and Steganography. Waltham : Morgan Kaufmann, 2007.
20. Ariana Eunjung Cha, Jonathan Krim. Terrorists' Online Methods Elusive . Washington Post.
[Online] 12 19, 2001. [Cited: 1 3, 2012.] http://www.washingtonpost.com/ac2/wpdyn?pagename=article&node=&contentId=A52687-2001Sep18.
21. Denning, Dorothy E. Terror‟s Web: How the Internet Is Transforming Terrorism. [book auth.]
Yvonne Jewkes and Majid Yar. Handbook on Internet Crime. Devon : Willan, 2009, pp. 194-214.
22. Schneier, Bruce. Terrorists and steganography. ZDNet. [Online] 9 24, 2001. [Cited: 1 4, 2012.]
http://www.zdnet.com/news/terrorists-and-steganography/116733.
23. Federal Bureau of Investigation. Situational Information Report, Criminal Tradecraft Alert.
New York : F.B.I., 2011.
24. NJ Regional Operations Intelligence Center . NJ ROIC Analysis Element, Threat Analysis
Program, AE201009‐839 . West Trenton : NJ ROIC , 2010.
25. FOX News. Police: Man Used Xbox to Lure Middle School Girls for Sex. FOX News. [Online] 3
29, 2011. [Cited: 1 2, 2012.] http://www.myfoxdetroit.com/dpp/news/local/police%3A-man-usedxbox-to-lure-middle-school-girls-for-sex-20110329-mr.
26. Mick, Jason. Woman Arrested For Molesting 13-Year-Old Xbox Friend. Daily TECH . [Online] 1
10,
2011.
[Cited:
1
2,
2012.]
http://www.dailytech.com/Woman+Arrested+For+Molesting+13YearOld+Xbox+Friend/article20615.
htm.
27. Storm, Darlene. Law Enforcement: Gangs, terrorists plot evil over Xbox and PS3.
Computerworld
.
[Online]
8
2,
2011.
[Cited:
1
3,
2012.]
http://blogs.computerworld.com/18725/law_enforcement_gangs_terrorists_plot_evil_over_xbox_and_
ps3.
28. Bloomberg Businessweek. Microsoft's Xbox Sales Beat Wii, PS3 in February on "BioShock".
Bloomsberg.com. [Online] 3 11, 2010. [Cited: 1 2, 2011.] http://www.businessweek.com/news/201003-11/microsoft-s-xbox-sales-beat-wii-ps3-in-february-on-bioshock-.html..
29. June, Laura. Microsoft announces Xbox Live TV partners including Verizon, HBO, and
Comcast. The Verge. [Online] 10 5, 2011. [Cited: 1 2, 2012.] http://www.xbox.com/enUS/Xbox360/Consoles.
30. Official Xbox Magazine staff. The Complete Hisotry of Xbox. CVG Gaming. [Online] 12 13,
2005. [Cited: 1 1, 2012.] http://www.computerandvideogames.com/article.php?id=131066.
31. Berardini, C. The Xbox 360 System Specifications. Team Xbox. [Online] 12 5, 2005. [Cited: 1 2,
2012.] http://hardware.teamxbox.com/articles/xbox/1144/The-Xbox-360-System-Specifications/p1.
32. Game-Tuts. Modio. Game-Tuts. [Online]
tuts.com/community/index.php?pageid=modio.
[Cited:
1
2,
2012.]
http://www.game-
33. Xbox-Scene. http://www.xbox-scene.com/xbox360-tools/wxPirs.php. Xbox-Scene. [Online] 2010.
[Cited: 1 2, 2012.] http://www.xbox-scene.com/xbox360-tools/wxPirs.php.
34. T. Morkel, J.H.P. Eloff, M.S. Olivier. An Overview of Steganography . University of Pretoria,
South Africa. [Online] 8 27, 2005. [Cited: 5 2012, 1.] http://martinolivier.com/open/stegoverview.pdf.
35. Steganography and steganalysis. Krenn, Robert. California : University of California , 2004.
Proceedings of IEEE Conference,. p. 143.
50
36. Hiding Data in Video File: An Overview. A.K. Al-Frajat, H.A. Jalab, Z.M. Kasirun, A.A.
Zaidan and B.B. Zaidan. 2010, Journal of Applied Sciences, pp. 1644-1649.
37. A Natural Language Steganography Technique for Text Hiding Using LSB's. Salman, Dr. Hana'a
M. 2004, English and Technology, Vol.26, No3, University of Technology, Baghdad, Iraq, p. 351.
38. Alfred Cumming, Todd Masse. Intelligence Reform Implementation at the Federal Bureau of
Investigation: Issues and Options for Congress. Washington : Congressional Research Service, The
Library of Congress, 2005.
39. Defense Language Institute . Foreign Language Center . Defense Language Institute . [Online]
2012. [Cited: 1 1, 2012.] http://www.dliflc.edu/index.html.
40. A Novel Arabic Text Steganography Method Using Letter Points and Extensions . Adnan AbdulAziz Gutub, and Manal Mohammad Fattani. 2007, World Academy of Science, Engineering and
Technology, pp. 28-31.
41. Bennett, Krista. Linguistic Steganography: Survey, Analysis, and Robustness Concerns for
Hiding Information in Text. West Lafayette : Purdue University, 2004.
42. Cuneyt M. Taskirana, Umut Topkarab, Mercan Topkarab, and Edward J. Delpc. Attacks on
Lexical Natural Language Steganography Systems. Indiana : School of Electrical and Computer
Engineering, Purdue University, 2006.
43. Dunbar, Bret. A Detailed Look at Steganographic Techniques and their use in an Open-Systems
Environment . SANS Institute InfoSec Reading Room . [Online] 1 18, 2002. [Cited: 1 7, 2012.]
http://www.sans.org/reading_room/whitepapers/covert/detailed-steganographic-techniques-opensystems-environment_677.
44. A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles. Dr. Ashley
Podhradsky, Dr. Rob D'Ovidio, Cindy Casey. Richmond : Digital Forensics, Security and Law ,
2011. ADFSL Conference.
45. Tzu, Sun. The Art Of War. New York : Tribeca, 2010.
46. Burkea, Paul K. Xbox Forensics. Journal of Digital Forensic Practice. [Online] 2006. [Cited: 12
22, 2011.] http://dx.doi.org/10.1080/15567280701417991.
47. Microsoft. How to find the Xbox 360 console serial number and console ID. Microsoft Support.
[Online] 7 27, 2010. [Cited: 1 7, 2012.] http://support.microsoft.com/kb/907615.
48. Gary Kessler. An Overview of Steganography for the Computer Forensics Examiner. Gary
Kessler
Associates.
[Online]
2011.
[Cited:
1
3,
2012.]
http://www.garykessler.net/library/fsc_stego.html.
49. Benchmarking steganographic and steganalysis techniques. Mehdi Kharrazi, Husrev T. Sencar,
Nasir Memon. San Jose : CA, 2005. EI SPIE .
50. Marcus, Ilana. Steganography Detection. University of Rhode Island . [Online] 2011. [Cited: 1 2,
2012.] http://www.uri.edu/personal2/imarcus/stegdetect.htm.
51. Bakier, Abdul Hameed. The New Issue of Technical Mujahid, a Training Manual for Jihadis. The
Jamestown
Foundation
.
[Online]
3
30,
2007.
[Cited:
1
2,
2012.]
http://www.jamestown.org/programs/gta/single/?tx_ttnews[tt_news]=1057&tx_ttnews[backPid]=182
&no_cache=1.
52. United States Court of Appeals, Ninth Circuit. UNITED STATES v. REARDEN. Los Angeles,
CA : s.n., 10 9, 2003.
53. STATE of North Dakota. State v Ehli . Bismarck, N.D. : s.n., 6 30, 2004.
54. State of Colorado. People vs. Harrison. 2 8, 2005.
51
52
DOUBLE-COMPRESSED JPEG DETECTION IN A
STEGANALYSIS SYSTEM
Jennifer L. Davidson
Department of Mathematics
Iowa State University, Ames, IA 50011
Phone: (515) 294-0302
Fax: (515) 294-5454
[email protected]
Pooja Parajape
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
[email protected]
ABSTRACT
The detection of hidden messages in JPEG images is a growing concern. Current detection of JPEG
stego images must include detection of double compression: a JPEG image is double compressed if it
has been compressed with one quality factor, uncompressed, and then re-compressed with a different
quality factor. When detection of double compression is not included, erroneous detection rates are
very high. The main contribution of this paper is to present an efficient double-compression detection
algorithm that has relatively lower dimensionality of features and relatively lower computational time
for the detection part, than current comparative classifiers. We use a model-based approach for
creating features, using a subclass of Markov random fields called partially ordered Markov models
(POMMs) to modeling the phenomenon of the bit changes that occur in an image after an application
of steganography. We model as noise the embedding process, and create features to capture this noise
characteristic. We show that the nonparametric conditional probabilities that are modeled using a
POMM can work very well to distinguish between an image that has been double compressed and one
that has not, with lower overall computational cost. After double compression detection, we analyze
histogram patterns that identify the primary quality compression factor to classify the image as stego
or cover. The latter is an analytic approach that requires no classifier training. We compare our results
with another state-of-the-art double compression detector.
Keywords: steganalysis; steganography; JPEG; double compression; digital image forensics.
1. INTRODUCTION
Steganography is the practice of hiding a secret message or a payload in innocent objects such that the
very existence of the message is undetectable. The goal of steganography is to embed a secret payload
in a cover object in such a way that nobody apart from the sender and the receiver can detect the
presence of the payload. Steganalysis, on the other hand, deals with finding the presence of such
hidden message. Steganalysis can be categorized as passive or active. Passive steganalysis deals with
detecting the presence of embedded message. Active steganalysis seeks further information about the
secret message such as length, embedding algorithm used and actual content. Steganalysis identifies
the presence of such hidden messages in an image. Since JPEG is a compressed file format, it requires
lower bandwidth for transmission and lesser space for storage. Many embedding software for JPEG
such as Outguess, F5, and Jsteg are freely available on the Internet [1]. This makes JPEG a good
medium for steganography. Hence, we focus our attention on the steganalysis of JPEG images.
If a JPEG image is compressed twice, each time using a different compression factor or quantization
matrix, then the image is said to be double-compressed. Steganographic algorithms such as F5 [2] and
53
Outguess [3] can produce such double-compressed images during the process of embedding the
payload. Existence of double-compression thus suggests manipulation of the original image. Blind
steganalyzers built on the assumption of single-compressed images give misleading results for the
double-compressed images. In Table 1, we present a state-of-the-art stego classifier that has a very
accurate stego vs. cover detection rate [4], but applied to JPEG data that has been double compressed.
The quality factor for the JPEG images is 75%, and the amount of data embedded in the JPEG
coefficients are described in terms of bits per non zero (JPEG) coefficient, or bpnz. 0.05 designate that
roughly 5% of the available bits for embedding were used, a significantly small amount. 0.4 bpnz is
typically the maximum capacity available for embedding. Thus, Table 1 shows that the accuracies for
Canvass on JPEG images with no double compression, which are typically in the range of 40% to
100%, here are far less when double compressed images are fed into the Canvass stego detector that
was designed to detect images with no double compression, and in the range of 28%-75%. Thus, it is
clearly important to detect the presence of double-compression for satisfactory performance of stego
images. Detection of double-compression is a binary classification problem where a given image can
be classified as either single-compressed or double-compressed. A double-compression detector can
be thought of as a pre-classifier to multi-classifiers that detects a number of different steganographic
methods used for embedding the payload.
Table 1. Detection accuracy of the GUI software package Canvass applied to double
compressed JPEG data.
Percentage of Detection Accuracy of Canvass
SQF = 75
Cover
0.05 bpnz
45.39
0.1 bpnz
0.4 bpnz
Average
45.39
F5
Outguess
28.84
42.04
34.54
57.73
58.29
74.84
40.56
58.02
2. JPEG COMPRESSION, DOUBLE COMPRESSION, AND MODE HISTOGRAMS
JPEG stands for Joint Photographic Experts Group. It is a lossy compression algorithm that stores the
data in the form of quantized DCT coefficients. Figure 1 shows the process involved in JPEG
compression. Each 8x8 block in the original image has the Discrete Cosine Transform (DCT) applied,
then those real values are quantized into integer values using the quantization matrix; those integers
are scanned in a zig-zag order and the resulting string is entropy encoded using the Huffman coding.
The resulting file is then stored as a .jpg file.
Figure 1. JPEG Compression Process.
The DCT coefficients are given by bpq :
54
The DCT coefficients bpq are then quantized by dividing each value point-wise using a 8x8 matrix Q
followed by rounding to the nearest integer. Q is called the quantization matrix (QM). The quantized
DCT coefficients are given by
where [ ] denotes rounding to the nearest integer and 0 ≤ p, q ≤ 7. Each location (p,q) in the
quantization matrix refers to a unique frequency and is called a mode. The coefficients at mode (0,0)
are called DC coefficients and the coefficients at all the other modes are called AC coefficients.
Quantization is an irreversible lossy step. As we can see, division by larger quantization steps results
in more compressed data. JPEG standard allows 100 different quality factors. A quality factor is an
integer between 1 and 100, inclusive. The value 100 is for Qpq = 1 for 0 ≤ p,q ≤ 7 and it thus
corresponds to an uncompressed and highest quality image. Each quality factor is associated with a
unique quantization matrix that computes the quality factor at that compression rate. The quantized
DCT coefficients are then Huffman encoded for further compression of data. This step is lossless.
Next, we look at the effect of double-compression on the DCT coefficients of the JPEG image. A
JPEG image is double-compressed if it is compressed twice with different quantization matrices Q1
and Q2. In that case we have
b  Q1 
Eq. 1
Brs   rs1 * rs2 .
Q
Q
 rs  rs 
Here, Q1 is called the primary quantization matrix (PQM) and Q2 is called the secondary quantization
matrix (SQM). Figure 2 shows the double-compression process for a JPEG image. In this example, the
image is first compressed at a lower quality factor QF = 50, uncompressed and then recompressed at a
higher quality factor QF= 75. Note that a larger quality factor results in a quantization matrix with
smaller values. We observe that, depending on the values of the quantization steps in primary and
secondary quantization matrices, the histograms of the DCT coefficients exhibit different
characteristic patterns. These patterns are discussed later and are key to our efficient detectors.
55
Figure 2. JPEG Double Compression Process. First compression is at QF=50% and second
compression is at QF=75%.
When the Primary Quality Factor (PQF) is smaller than the Secondary Quality Factor (SQF), the
image is first coarsely quantized and then finely quantized such as in Figure 2. The quantized DCT
coefficients can thus take values only from the set 0, n, 2n, 3n,.. where n is determined from Eq. 1. The
histogram exhibits zeros at remaining points. The histogram in Figure 3(a) is from a single compressed
image, and in Figure 3(b) the histogram shows the characteristic zero pattern for a double-compressed
image. Here the primary quality factor is 63 and secondary quality factor is 75. The primary
quantization step for mode (2,2) is 9 whereas the secondary quantization step is 6. After the first
compression step, the de-quantized DCT coefficients can thus take values that are multiples of 9. After
the second compression that includes requantization with step size of 6 and rounding, the quantized
coefficients can take values only from the set 0, 2, 3, 4, 6, 8, 9, 11, .... . We notice that these values are
the rounded integer multiples of n = 9/6 = 1.5. As a result, zeros occur at locations 1, 4, 7, 10 and so
on. This is summarized in Figure 4. We exploit this characteristic to develop features to classify single
versus double-compressed images as well as cover versus stego images.
(a)
(b)
Figure 3. Histograms of quantized DCT coefficients for mode (2, 2) in (a) single-compressed image,
(b) double-compressed image with PQF < SQF
56
Figure 4. (a) Example of double-compressed coefficient values and (b) resulting zero patterns at mode
(2,2).
When the primary quality factor is greater than the secondary quality factor, the mode histograms of
the DCT coefficients exhibit peaks at certain places. The locations of these peaks vary according to the
combinations of primary and secondary quantization steps in a way similar to the previous case. By
experimentation on the image data, we determine that if there is 20% increase in the histogram values
(bin heights) followed by a drop in the values, it indicates a peak. The value 20% is chosen after a
series of trials and errors. Equation 1.4 also models this phenomenon. In Figure 5(a) and 5(b), we
present histograms to demonstrate this phenomenon. In this case, the Primary Quality Factor is 80 and
the Secondary Quality Factor is 75. The primary quantization step for mode (2,2) is 5 and the
secondary quantization step is 6. The dequantized coefficients after the first compression are thus
integer multiples of 5. After requantization with step 6, peaks occur at locations 3, 8 and 13 and so on.
These are indicated by the arrows in Figure 5(b). Figure 6 explains this phenomenon in detail. A peak
value occurs at bin value 3 after second compression because bin value 3 and 4 from the first
compression end up in bin values 3 after the second compression.
3. PATTERN CLASSIFICATION
Detection of double-compression is a binary classification problem where an input image is classified
as single-compressed or double-compressed. We propose to use a blind steganalyzer to solve this
classification problem. Generally, blind steganalyis is carried out by converting the input image to a
lower dimensional feature space. These features are then used to train a pattern classifier. Among
various pattern classification techniques, Support Vector Machines (SVMs) have proven to be very
powerful for the binary classification. SVMs use either linear or kernel-based supervised machine
learning algorithms. Linear SVMs are seldom suitable for real world data that is hard to separate
without error by a hyperplane. We next discuss the basic workings of an SVM.
57
(a)
(b)
Figure 5. Histograms of quantized DCT coefficients for mode (2,2) in (a) single-compressed image
(b) double-compressed image with PQF > SQF.
Figure 6. Example of double-compressed coefficient values and resulting peak patterns at mode (2,2).
Bins 3 and 4 (row 1) combine to produce bin 3 (row 3).
r
r
Consider a given set of training pairs (xi , y i ), i  1,2,...,k where x i  R n , n represents the number of
training data or features, and y ∈ (−1, 1)k represents the class. The SVMs require solution in the form
r
of a weight vector w i to the following optimization problem



58
Eq. 2
The training data are mapped into a higher dimensional space by function Φ. Then SVM finds a linear
separating hyperplane with the maximal margin of space between the hyperplane and data in the
higher dimensional space. In this case,
is called the kernel function whereas C > 0 is the penalty parameter of the error term ξ.
There are two distinct phases involved while using a SVM for classification. In the first phase, the
r
SVM is trained on the features extracted from a large number of images, that is, a weight vector w i is
found satisfying Eq. 2. In the second phase, the SVM is tested on the data which is previously unseen,
that is, a vector of data with unknown class is passed through the SVM and its class is output.

We next discuss the different steps involved in training the SVM. First, the input data is linearly
scaled
so that all the elements are in the range [-1, 1] or [0, 1]. The same scaling is used for both the training
and the testing data. This step is necessary to prevent the large feature values from dominating the
small values. Then, we choose a kernel function. We have various options for the kernel functions,
such as Gaussian, Radial Basis Function (RBF), Polynomial, Sigmoid etc. We use RBF kernel for all
the experiments. RBF kernel is the most suitable when the number of features is small and the data
needs to be mapped to higher dimensional space using non linear kernel. Also, the RBF kernel is
numerically less complex than polynomial and sigmoid kernels. It is given by:
where γ is the kernel parameter and the norm used is the Euclidean distance.
To run the code to implement the SVM, we used a standard SVM library in [5], which determines the
optimum values for the kernel parameters C and γ. Selection of the optimum values is done by
performing an exhaustive grid search on the predefined points. Cross validation is required to ensure
good performance of the detector on the unknown data. In v-fold cross-validation, the training data is
divided into v subsets of equal sample size and v-1 SVMs are created. Each SVM uses v-1 subsets for
training and the remaining subset is used as unknown test data. This gives the estimate of prediction
accuracy for the unknown data by averaging the accuracy values. Cross validation also prevents the
over-fitting problem resulting in better test accuracy [5]. In our experiments we use v = 5.
4. LITERATURE REVIEW
Double-compression in JPEG image almost always indicates image manipulation. An innocent image
with a certain quality factor can sometimes be saved at a different default quality factor, resulting in
double-compression of innocent image. In image forensics, double-compression is used to detect
image forgery. A doctored image may be created by pasting a small part of one image into another
image. If the quality factors of these two images are different, it results in double-compression of the
pasted region.
The embedding algorithms we used were F5, Jsteg-jpeg, JPHide and Seek, Outguess and StegHide.
These algorithms are easily accessible to many non-technical users, and available and easy to install
from code accessible on the internet. Other more recent algorithms including nsF5, MB, and YASS are
not considered here due to their more recent introduction and unfamiliarity outside the steganalysis
59
community.
In [6] Fridrich et al. proposed a targeted attack for JPEG images embedded using F5 steganographic
algorithm. The method mainly considered single-compressed images and was based on estimating the
cover histogram from the stego image and determining the relative number of modifications in the
histogram values. The authors also suggested a method to estimate the primary quantization steps
based on simulating the double-compression using all the candidate quantization matrices. However,
in [6], the authors assumed that the images are already known to be double-compressed. No method
was implemented for the double-compression detection. Lukas and Fridrich extended this idea in [7]
and proposed three methods for detection of primary quantization steps in double-compressed JPEG
images. Two of these methods were based on simulated double-compression as in [6]. The methods
were computationally intensive and did not lead to reliable results. The third method was based on
neural networks and it outperformed the first two methods. However, in the latter paper the authors
assumed that the double-compressed images were cover images only.
He et al. [8] proposed a scheme to detect doctored JPEG images based on double quantization effects
seen in the DCT coefficient histograms. The method used Bayesian approach for detecting doctored
blocks in the images. A support vector machine was trained on the four dimensional features that are
similar to Fisher discriminator in pattern recognition. This method is not efficient when a high quality
image is recompressed using a lower quality factor. Also, for more accurate formulation of the feature
vectors, the method needs the primary quality factor that cannot be estimated from the proposed
algorithm. In [9], M. Sorell developed a method to detect the primary quantization coefficients of
double-compressed images for forensic purposes. The method was used to detect re-quantization in
innocent JPEG images to identify the source of the images. Methods for detecting doctoring of JPEG
images, where a region undergoes double-compression after being cut and pasted into a larger image,
have been investigated in [8,9,10]. Although some of these methods lead to accurate detection of
double-compression, the application was for forensic purposes, not steganalysis. Since the embedding
process for steganography can change the image statistics significantly, application of these methods
for steganalysis might involve significant algorithmic modifications.
In [11], T. Pevny and J. Fridrich proposed a stego detector for both single and double- compressed
images. They used a neural network-based primary quantization step detector to detect doublecompression. Depending on the result of this detector, the image was sent to one of the two banks of
multi-classifiers designed for single and double-compressed images. The detection of doublecompression was based on the naive approach of comparing the primary and secondary quantization
steps and it led to inaccuracies in the detection. To overcome this, a separate double-compression
detector was designed in [12] and it was used as a pre-classifier to the stego detector. Instead of neural
networks, the authors used Support Vector Machines. The SVMs were trained on features based on
first order statistics of the mode histograms of quantized DCT coefficients. The primary quantization
step detection followed the double- compression detection. For each possible combination of primary
and secondary quantization steps, the authors use a separate SVM which led to a total of 159 SVMs.
This approach, while increasing accuracies, is very compute-intensive.
C. Chen et al. proposed similar machine learning based scheme for JPEG double-compression
detection [7] similar to [12]. The proposed 324 dimensional features were modeled using a Markov
process and transition probability matrices of 2D difference arrays of quantized DCT coefficients were
used to create the feature vectors. Then a support vector machine was trained on these features. The
method is discussed in detail in Section 6 and the results are compared with our detector. Chen’s
model is highly compute-intensive and we show that accuracies are lower than those resulting from
our approach. Pevny et. al created a complete multi-classifier for single and double-compressed
images [2] by combining all the modules from [10,12]. The double-compression detector was based on
histogram mode statistics. The primary quality step estimation was done by a bank of SVMs designed
for all the possible combinations of primary and secondary quality steps. Then two banks of multi-
60
classifiers were created for single-and double-compressed images. This model is also highly computeintensive.
On a related topic, in [17], the authors perform an extensive analysis of the errors introduced by initial
JPEG compression and double compression. The main difference is that they do not apply their
analysis to stegoimages, only to cover or innocent images. They investigate three different types of
forensics, one of which is determination of the primary standard JPEG quantization table in a doublecompressed JPEG image. Their detection schemes are based on sound and novel analysis of the
characteristics of the error that can occur during JPEG compression. The authors use a simple formula
and have relatively high detection accuracy, ranging from roughly 70 percent to 100 percent. The
method we implement gives ranges of roughly 50-100% accuracy, but for cover and stego images, the
latter embedded with a range of embedding rates, from 0.05 to 0.4 bpnz. See Figure 16 below. The
two detection schemes cannot be compared directly as different databases and image types (cover and
stego) were used in the two experiments. Other methods such as in [18], use models to characterize the
effects of rounding and recompression, but again do not use stego images in the analysis. Our methods
are applied to both cover and stego image data.
5. OUR APPROACH
The model proposed by Chen in [7] detected double compressed images, as did the model in [12]. The
main disadvantage we see is very heavy computational resource requirements. In [12], 15 SVMs are
required for steg vs. cover detection of single-compressed images, 159 additional SVMs are required
for primary quality steps estimation whereas 3 SVMs are required for steg vs. cover detection of
double-compressed images. Considering the time required for training and testing of each of these
SVMs and the computational resources at hand, we decided to create a different approach that would
minimize the number of SVMs required while maintaining accuracies, thus saving a lot of
computational time.
A major contribution of our approach towards time saving is achieved in the primary quality factor
estimation step. Instead of using SVM for each possible combination of primary and secondary quality
step as in [2], we use an analytical approach based on the signature patterns in the histograms. The
analytical method does not involve training and testing of SVM and is significantly less
computationally intensive.
We created a steganalyzer that (refer to Figure 7):
1. Classifies an image as single-compressed or double-compressed (Box 1).
2. Classifies a double-compressed image as cover or stego and estimate the primary quality
factor from the set of standard JPEG quality factors for further analysis of the image using
targeted attacks. [6,13]. (Box 2).
3. Classifies a single-compressed image as cover or stego (Box 3). (Note: Only QF = 75 case is
implemented in the current software.)
We assume three classes for double-compressed images: cover, F5 and Outguess. In practice, doublecompressed images can have any quality factor but we restrict the scope to secondary quality factors
75 and 80 that are the default quality factor for Outguess and F5 respectively.
In section 3.1, we propose the overall scheme for steganalysis of single and double-compressed
images. In section 3.2, we describe the image database used for training and testing various SVMs.
Section 3.3 gives detailed description of the features used for steganalysis whereas section 3.4 contains
a brief discussion about features used by the state-of-the-art double- compression detectors.
61
Figure 7. Our steganalyzer.
Figure 7 shows the complete flow of our steganalyzer. If the observed quality factor of the input image
is 75 or 80, there is a high probability of double-compression. This image is passed to the doublecompression detector. If the image is single-compressed at QF = 75, it is passed to the existing singlecompression steganalyzer software. If the image has QF  75 or QF  80, then we do not process it at
this time.
If the image is found to be double-compressed, it is further given to PQF splitter module. The PQF
splitter determines if the PQF of the image is less than or greater than its SQF and accordingly
classifies the image into two classes. This step helps in the further processing because it is observed
that the signature patterns in the histograms are different based on the relation between the PQF and
the SQF. Depending on this relation, two different approaches are followed. When the PQF is less
than the SQF, we use the analytical approach based on the histogram signature patterns to achieve
stego vs. cover classification. When the PQF is greater than the SQF, we use a multi-class SVM-based
pattern classifier.
6. IMAGE DATA
In this section, we describe the database used for all the experiments. This description is necessary
because the performance of a SVM-based classifier depends on the database used for training.
We use images from BOWS-2 database available from [7]. This database was created for the BOWS-2
contest. It consists of approximately 10000 grey-scale images in pgm format. The images are of
uniform size of 512x512 pixels. We divide the BOWS-2 database into two mutually exclusive sets of
equal size. One set is used for creating the training database and other set is used for creating the
testing database. This division allows use of test images that are previously not seen by the SVM. For
all the experiments, a total of 30000 images are used for training, 15000 of each class.
For single-compressed images, five steganographic algorithms are considered: F5, Jsteg, JP Hide and
Seek, Outguess and StegHide. For double-compressed images, only F5 and Outguess are considered
because we assume that these are the only algorithms that are likely to produce double-compressed
images. For all the embedding algorithms except Outguess, three embedding levels are used: 0.05
bpnz, 0.1 bpnz and 0.4 bpnz. Outguess fails to embed the payload at 0.4 bpnz. Hence the 0.2 bpnz
embedding rate is used in this case only. In this case, Bits Per Non-Zero ac coefficient (bpnz) is used
to describe the payload length. Each steganographic algorithm embeds a binary payload consisting of
a randomly generated bitstream into the quantized DCT coefficients array of the JPEG image.
In our experiments, we consider 33 primary quality factors in the set
S = {63, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92,
93, 94}.
Secondary quality factors are limited to 75 and 80. We ignore primary quality factors 64, 65, 66 and
67 because F5 and Outguess fail to embed the payload in the images with these quality factors.
62
7. FEATURES
There are a wide variety of features that have been used for pattern classification. Farid [14] used
features based on the linear prediction error of wavelet sub-band coefficients. In [15], features based
on quantized DCT coefficients were used for blind steganalysis. Shi et al. [16] used a Markov process
to model four directional differences between the neighboring quantized DCT coefficients to create
features. In all the methods, the idea is to use features that are sensitive to the changes introduced by
the embedding process. Such features contain the information that can effectively separate the classes
under consideration. We used the conditional probabilities that are from Partially Ordered Markov
Models (POMMs) for double-compression detection and steganalysis of single and doublecompressed images. POMMs exploit neighborhood dependencies amongst the quantized DCT
coefficients and have been successfully used for the forward and inverse texture modeling problem. In
order to improve the performance of the POMMs, we additionally use features based on the histogram
signature patterns. We next present the details of these features.
Markov random field models (MRFs) are a well-known stochastic model applied to many different
problems. In imaging problems, a MRF is defined in terms of local neighborhoods of pixels called
cliques that exhibit the probabilistic dependency in the imaging problem. There is an implicit
underlying graph when using a MRF. The neighborhoods of pixels for POMMs, however, have an
implicit underlying acyclic directed graph, which in turn is related mathematically to a partially
ordered set. We omit the details of the relation to partial orders, but now describe the basic POMM
model in terms of an acyclic directed graph.
Let a finite acyclic digraph (V, E) with corresponding poset (V, ≺). Here V = (V1,V2,..,Vk) is the set of
vertices and E is the set of directed edges given by E = {(i,j) : Vi,Vj ∈ V and (i,j) is an edge with tail on
i and head on j}. (V, E) is called acyclic when there does not exist a set of edges (i1, j1), (i2, j2), .., (ik,
jk) where
jn=in+1, n=1, 2, .., k
and jk =i1. Figure 8 shows an acyclic digraph. We notice
that there is no path of directed edges that start and end at the same vertex.
Figure 8. Example of an acyclic directed graph.
Definition 1: A set of elements V with a binary relation ≺ is said to have a partial order with respect to
≺ if:
1. a ≺ a, ∀a ∈ V (reflexivity)
2. a≺b,b≺c⇒a≺c(transitivity)
3. If a≺b and b≺a, then a=b(anti-symmetry).
In this case, (V, ≺) is called a partially ordered set or a poset.
Definition 2: For any B ∈ V, the cone of B is the set cone B = {C ∈ V : C ≺ B, C  B}.
Definition 3: For any B ∈ V, the adjacent lower neighbors of B are elements in C such that (C, B) is a
directed edge in (V, E). adj≺B = {C : (C, B) is a directed edge in (V, E)}.
63
Definition 4: Any B ∈ V is a minimal element if there is no element C ∈ V such that C ≺ B, that is,
there is no directed edge (C, B). Let L0 be the set of minimal elements in the poset.
Figure 9 explains these definitions pictorially.
With this background, we now proceed towards defining POMMs. Let P(A) be the discrete probability
for r.v. A and P(A|B) be the conditional probability of r.v A given another r.v. B. L0 is the set of
minimal elements in the poset.
Figure 9. Adjacent lower neighborhoods, cone sets, minimal set.
With this background, we now proceed towards defining POMMs. Let P(A) be the discrete probability
for r.v. A and P(A|B) be the conditional probability of r.v A given another r.v. B. L 0 is the set of
minimal elements in the poset.
Definition 5: Consider a finite acyclic digraph (V, E) of r.v.s with the corresponding poset (V,≺). For
B∈V, consider a set YB of r.v.s not related to B,YB ={C: B and C are not related}. Then (V, ≺) is
called a partially ordered Markov model (POMM) if for any B ∈ V \L0 and any subset UB ⊂ YB we
have
P(B | cone B,UB) = P(B | adj≺B)
In this case, the lower adjacent neighbors in B describe the Markovian property of the model.
Next, we are interested in using POMMs for modeling steganographic changes to image. For
steganalysis applications, we create features that the use directly the quantized DCT coefficient values
that are modeled by a POMM. We describe a general approach that lets the steganalyst use her
expertise to construct such a POMM. First, subsets of pixels are chosen that contain relative
information that may have changed after embedding a payload. Next, a function f from the set of
subsets to the real numbers is found that is used to quantify the change in values that occur after
embedding, and applied to each subset under consideration. Then, an acyclic directed graph is created
from the set of subsets and values in the range of f (vertices) and the binary relation describing the
function and its range (edges). The induced poset is constructed from this acyclic digraph, and a
POMM is created using this poset. This gives rise to the conditional probabilities P(B | adj ≺B) which
are used as features for steganalysis.
Let A be a MxN array of quantized DCT coefficients: A={A,ij :1≤i≤M,1≤j≤N}. Let Y = {Y1, Y2, .., Yt}
be a collections of subsets of r.v.s in A. Here, every Yi is a shift invariant ordered set. For example,
consider a case where Y1h = {A1,1, A1,2}, Y2h = {A1,2, A1,3}, and so on. Each Yih is a set containing two
pixels that are adjacent in the horizontal direction. Let Y h = {Y1h, Y2h, .., Ykh} contain all such sets of
r.v.s in the array A. Let f be the function f : Y → R where R is a set of real numbers defined by
f(y1,y2)=y1 −y2
64
f(Yih) = f(Aj,k, Aj,k+1) = Aj,k - Aj,k+1, for some indices i, j and k.
In this case, f(Yi) is the image of Yi under f and Yi is the pre-image of f(Yi). An acyclic digraph (V, E)
is created from the set of vertices V = Y ∪ f(Y ) and the set of edges E = {Ei} between an element of
the range from f and an element of Y. Thus, edge Ei = (f(Yi),Yi) has tail on image f(Yi) and head on
pre-image Yi . Thus (V, E) forms a function-subset or f-Y acyclic digraph. This acyclic digraph is used
to create a sequence of POMMs whose conditional probabilities are used as features. If f is a function
that exploits the dependency among the quantized DCT coefficients, then it is considered useful for
steganalysis. For such function f, P(Yi | f(Yi)), which is a frequency of occurrence of pre-image of
f(Yi), can be used to distinguish between cover and stego images. This is the motivation for using f-Y
acyclic digraphs.
Figure 10 shows the example of f-Y directed graphs we use for our features. There are two subsets
Y112 and Y249 shown which represent a portion of the quantized DCT coefficients array. Function f,
when applied to these subsets produces value of -1. So the probability P (3, 4 | (3 − 4)) measures the
frequency of occurrence of this pattern. A collection of all such conditional probabilities are captured
by the POMMs.
As mentioned above, function f = y1 − y2, where y1 and y2 are adjacent pixels, is a very useful feature
for steganalysis. The directional difference arrays created in this manner have been successfully used
in [7], [16]. We use this function f to create a series of POMMs, one in each of the horizontal, vertical,
diagonal, and minor diagonal (the reverse diagonal) directions. The conditional probabilities thus
obtained are averaged over a collection of POMMs.
For a rectangular array A of r.v.s we consider four directional subsets in horizontal, vertical, diagonal
and minor diagonal directions given by Yi,kh = {Ai,k, Ai,k+1}, Yi,kv = {Ai,k, Ai+1,k}, Yi,kd = {Ai,k, Ai+1,k+1},
and Yi,km = {Ai+1,k, Ai,k+1}. From the four sets Yh, Yv, Yd, Ym thus obtained, we create four acyclic
digraphs (V*,E*) where V* = (Y* ∪f(Y*)) and E* = {Ei* : Ei* = (f(Yi*), Yi*)}, and * ∈ {h, v, d, m}. For
each digraph, a POMM is defined by its conditional probability given by:
P*(Y* |f(Y*))= P*(Y*,f(Y*) / P*(f(Y*))
These probabilities are calculated from the histogram bins. The histograms are clipped between [-T,
T]. This not only avoids the sparse probability density function at the histogram ends, but also reduces
the number of computations and size of feature vector. Thus, we have -T ≤ Ai,j ≤ T. This limits the
values of P* to (2T + 1)2 in each direction. In our experiments, we use T = 3. We now define a matrix
F* of size (2T +1)×(2T +1):
F*(w,z)=P*(Y* |f(Y*))=P*(w,z|f(w−z)),
From these, a set of (2T + 1)2 features can then be defined as
Eq. 3
The POMMs are applied on the global array to capture intrablock dependencies and on the mode
arrays to capture interblock dependencies. These conditional probabilities are used to define our
features.
The intrablock features are defined on the set of global Q-DCT coefficients, on the entire array itself.
65
Eq. 3 is used to calculate the average values of the four directions. This produces (2T + 1)2 features.
Interblock features are defined on the mode arrays. 64 mode arrays are created from the 64 modes by
collecting all the Q-DCT values at each mode. Eq. 3 is then applied to each of the 64 arrays. Those
values are averaged over all 64 arrays, giving an additional (2T + 1)2 feature values.
We apply calibration to the image before extracting features. An image is calibrated by
decompressing to the spatial domain and then compressing it back after cropping by few pixels in both
directions in the spatial domain. This helps to create the features that are dependent on the data
embedded in the image rather than the image content itself [16]. For an image Io, we obtain a
calibrated image Ic. The intra and inter block POMMs are calculated for both Io and Ic. The final
feature vector F is obtained by taking the difference between F0 and Fc, F = (F0 - Fc)(w, z). We get a
total of 2(2T + 1)2 POMM features. For our experiments, we use threshold value T = 3. This results in
49 intrablock and 49 interblock features giving a total of 98 POMM features.
The second set of features is derived from the histogram patterns noted in the above section. As shown
above, when the primary quality factor is smaller than secondary quality factor, the mode histograms
of Q-DCT coefficients have zeros at some places. These zeros can be captured by looking at the
forward differences between histogram bin values. For a single-compressed image, the distribution of
DCT coefficients is ideally Gaussian. The forward differences are thus almost always small and
positive. For double-compressed images, the zeros can take the form of local minimum instead of
being exact zeros. So instead of finding absolute zeros, if the drop in the successive histogram values
is more that 75%, it is considered to indicate presence of a zero. For images with primary quality
factors less than the secondary quality factor, this approach is followed. For secondary quality factor
of 75, the primary quality factors under consideration are given by:
s ∈ S75 = {63,68,69,70,71,72,73}
The quality factor 74 is not taken into account because the quantization steps for the 9 lower modes we
use are identical to the quantization steps for quality factor 75. Thus images having primary quality
factor 74 and secondary quality factor 75 are considered as single-compressed for classification
purposes.
When the secondary quality factor is 80, there are 13 primary quality factors under consideration
which are given by:
s ∈ S80 = {63,68,69,70,71,72,73,74,75,76,77,78,79}
For any given image, we first inspect the first 22 bin values in the histograms of the nine low
frequency DCT coefficients. The nine low frequency modes are:
H = {(0, 1), (0, 2), (0, 3), (1, 0), (1, 1), (1, 2), (2, 0), (2, 1), (3, 1)}
The remaining modes are not considered because most of the quantized DCT coefficients have value
zero or close to zero. The histogram location k for mode m is represented by hm(k) where 0 < (m = i+j)
≤ 3; i and j are the coordinates of the location in each 8×8 block. Using the values from hm(k), we
create a 9 dimensional matrix Mˆ for the candidate image.

66
where 1≤m≤9 and 1 ≤ k ≤ 22, and  is the indicator function. Each value Mˆ (m,k) is a zero feature. The
matrix Mˆ is called the zero feature matrix. We use zero features for double-compression detection,
Primary quality factor estimation, and cover vs. stego detection when the primary quality factor is
smaller than the secondary quality factor.

We achieve highly accurate double-compression detection rate by combining the POMM features and
zero features. We observed that the accuracy of the double-compression detector improves
significantly when the zero features are added to the 98 POMM features. The zero features are
particularly effective when the primary quality factor of an image is lower than the secondary quality
factor. For a given input image, a 9 x 21 sized matrix Mˆ of the zero locations is created, and then each
matrix row of values are summed to produce 9 features. These features are appended to the 98 POMM
features and used to train the SVMs.
 in the histograms are generally distinctive for a given
We also observed that the signature patterns
combination of primary and secondary quality factors. We quantized the effect of this phenomenon for
estimating the primary quality factor of the image. For a given combination of primary and secondary
quality factors, we create standard matrices Mst, where t is the secondary quality factor. These matrices
capture the expected locations of zero-valued histogram bins. Thus, for primary quality factor s and
secondary quality factor t, s < t we define
All of the matrices Mst can be calculated beforehand and stored. To use these matrices to estimate the
primary quality factor of an unknown image that has already been detected as double compressed
whose secondary quality factor t is less than 75 (or 80), we calculate the matrix Mˆ for the unknown
image. Then we find the matrix Mst that is the “closest” to Mˆ from the standard set of matrices
already precalculated. The closest estimated standard matrix Mest is formed by minimizing the
absolute difference between each Mst and Mˆ :



We also observed that the dips in the histograms assume absolute zero value whereas for stego images,
the dips can be characterized by drop in the histogram values. We used this fact in the successful
detection of stego images.
Cover Vs. stego detection for PQF < SQF. The histogram zero patterns can also be used for stego
detection in images with PQF < SQF. It was stated earlier that the 75% drop in the histogram bin
values characterizes a zero for a double-compressed image. Ideally a zero bin should have value
exactly equal to zero but the statistics of the DCT coefficients changes due to the process of
embedding. In order to account for these changes, a 75% drop is considered to indicate a zero. For
double compressed cover images, the drop is 100% and the zero bins actually take zero value. For
double compressed stego images, we consider even a small drop in the bin value as a zero. This acts as
a distinguishing feature between cover and stego images. For all the standard matrices Mst from the
standard set Sstd, we count the number of absolute zero bins that are expected to occur for each
combination of PQF and SQF.
For an input image, first the PQF is estimated. For the estimated PQF, the expected count of zero bins
is obtained. From matrix Mˆ derived from an input image, we count the total number of absolute zero
values. If this count is matches exactly with the expected standard count, the image is a cover image;

67
otherwise it is a stego image.
In this case, classification is done using an analytical method as opposed to SVM-based detection. For
a given detector, set Sstd of standard matrices is created and stored beforehand. This method saves a lot
of time required in feature extraction and SVM training, and is also very accurate.
8. RESULTS
We compare our double compression detector with a state-of-the-art double-compression detector by
Chen et al [7]. In this method, nearest-neighbour differences in the vertical, horizontal, diagonal and
minor diagonal directions are calculated, resulting in a set of four 2-dimensional difference arrays. In
order to reduce the computations, these arrays are thresholded to values in between -4 and +4. The
difference arrays are modeled using a one-step Markov process characterized by a transition
probability matrix (TPM). This results in a 9 TPM matrix which leads to 324 features. These features
are used to train a support vector machine. See [7] for more details.
The authors assume that the double-compressed images are cover images only and the primary quality
factors considered are in the range 50 to 95 in steps of 5. The detection accuracies obtained are very
high. However, when the method is used for double-compressed stego images, the detection
accuracies drop. We compare this detector and our POMM based detector.
POMM detector. An unknown image is input to the steganalyzer. If the observed quality factor of the
image is 75 or 80, it is likely to be double-compressed. This image is passed on to the doublecompression detector (referred to as DCDetector). Two separate detectors are created for secondary
quality factors 75 and 80. Each detector is a binary classifier trained on 15000 single-compressed and
15000 double-compressed image data. For the first detector, the images with PQF 74 and 75 are
excluded whereas for the second detector, images with PQF 80 are excluded from the training
database. This is because the statistics of the images with PQF equal to SQF is the same as singlecompressed images. The stego images are further divided amongst the number of classes and
subdivided amongst three embedding levels. Double-compressed images are also divided equally
amongst the different primary quality factors.
For testing, we start with 1500 unique cover images at each PQF in the range 63 to 94. In case of F5
and outguess, we use 500 images at each of the three embedding levels, resulting in 1500 images at
each PQF.
Our double-compression detector uses combination of 98 POMM features and 9 zero features giving a
total of 107 features. A double-compression detector is required to have very low false positive rate.
False positive rate is the percentage of single-compressed test images that get classified as doublecompressed. If a single-compressed image is classified as double-compressed, it can be assigned to
only cover, F5 or outguess instead of six classes: cover, F5, jp hide & seek, jsteg, outguess and
steghide. This leads to classification errors. In Figure 11, we present the accuracy plots.
68
Figure 11. Accuracy of double-compression detectors on double-compressed cover [(a),(b)], F5
[(c),(d)] and outguess [(e),(f)] images.
69
The DCDetector gets very high accuracy for many of the values. In Figure 11, it can be seen that the
DCDetector can classify cover images accurately except for two cases. First case is when the PQF is
equal to or close to the SQF (74, 75 and 76 in the left column plots and 80 and 81 in the right column
plots) and second case is when PQF is greater than 90. PQF = 74 and SQF = 75 is a special case
because
the nine low frequency locations that we consider are identical for quality factors 74 and 75.
This makes it impossible to detect images with this combination of quality factors using only
this information. This is because when the PQF is very close to the SQF, the statistics of
double-compressed image is close to the corresponding single-compressed image. Also, for
PQF greater than 90, most of the quantization steps are equal to one due to which the effect of
double-compression is not obvious. This justifies the drop in
the detection accuracies in these two cases. A similar trend is observed in case of F5 and
outguess with respect to the PQF. Also, the detection accuracies drop when the embedding
level increases. For the cases mentioned above where the PQF is close to the SQF, if the
detector classifies the image as single-compressed, it is considered as a correct decision. In
order to determine the overall detection accuracy, we consider the average of true positive rate
for double-compressed test images and true negative rate for the single-compressed test
images.
In Table 2, we present the false positive rates. Except for F5 at 0.4 bpnz and outguess at 0.2
bpnz, the false positive rates are lower than 8% for SQF = 75. For SQF = 80, the false positive
rates are lower than corresponding cases of SQF = 75 by at least 0.5.
Table 2. False positive rates for cover and stego for the double compression detector.
We also implemented Chen’s double compression detector. In Figure 12, we give the percent false
posoitive rate for the three levels of embedding for the 5 embedding alrogithms for both Chen’s
detector and the POMM detector. In Figure 13, ew give the overall average detector accuracy rates.
These two figures show that Chen's detector has accuracies comparable to our POMM-based detector
for a limited number of PQFs. For most of the PQFs, the accuracies are lower than our detector.
Figure 12. False positive rates for Chen’s detector and POMM detector.
70
Figure 13. Overall average detector for Chen and POMM detectors.
To use the histogram information to its best use, we created an SVM that could distinguish between
the primary quantization matrix of double compressed images into two groups: greater than 75 (or 80)
and less than 75 (or 80). We call this the primary quantization factor splitter, PQF splitter. The PQF
splitter is accurate because the histogram signature patterns in the histograms of the quantized DCT
coefficients are different when the PQF is smaller than the SQF and when the PQF is greater than the
SQF. In order to decide which approach to take, it is necessary to find the relation between PQF and
SQF for a particular image. The PQF Splitter classifies an image based on whether the PQF is smaller
than or greater than the SQF. Two separate binary classifiers are created for SQF of 75 and 80. For
SQF = 75, there are 7 PQFs in the range below 75 (63, 68, .., 73) and 19 PQFs above 75 (76, 77,.., 94).
We use 15000 training images for each class. The images are further divided into cover, F5 and
outguess categories and then subdivided based on the PQF and embedding levels as well. In the same
way, a database is created for SQF = 80 case. In this case, there are 13 PQFS below 80 and 14 PQFs
above 80. So the division of images changes accordingly. The classification accuracies of the PQF
Splitters are shown in Figure 14. The plots on the left show accuracies for SQF = 75 and the plots on
the right show accuracies for SQF = 80 case.
Note that when the SQF = 75, Figure 14 shows the detection accuracies are almost always close to
100% over the entire range of PQFs for cover, F5 and outguess. When SQF = 80, the detection
accuracies for cover images are close to 100% over the entire range of PQFs. When SQF = 80, the
detection accuracies for F5 and outguess images drop when PQF is 79. In this case, the doublecompressed image is close to its single-compressed version. For PQFSplitter, the detection accuracies
do not vary with the embedding levels.
Cover vs. stego detector. Once the range of PQF is determined by the PQF splitter, we perform cover
Vs. stego detection. Depending on whether the PQF of an image is smaller or larger than SQF, we use
different methods for classification.
Cover Vs. stego detector for Primary Quality Factor < Secondary Quality Factor. When PQF of
an image is less than SQF, the analytical method is used. The method is based on the histogram
signature patterns. This approach saves time and computational resources required for the feature
extraction process and intensive training of support vector machines. Figure 15 shows the detection
accuracy for when the observed quality factor (SQF) is 75 (left column) and for when the observed
quality factor is 80 (right column). We observe that the detection accuracies are almost always close to
100% for F5 and outguess. For cover, the detection accuracies are close to 100%. When the PQF is
very close to SQF, there is a drop in the detection accuracy.
Cover Vs. stego classifier for Primary Quality Factor > Secondary Quality Factor. We tried three
different approaches for this multi-classification problem: Cover Vs. stego binary classifier,
multiclassifier, and majority vote classifier. Our results showed that the majority vote multiclassifier
worked the best. We summarize the results in Table 4.
71
Table 4. Confusion matrices for cover Vs. stego detection for PQF > SQF and (a) SQF = 75 and (b)
SQF = 80.
We summarize the results of cover Vs. stego detection for PQF > SQF case in the confusion matrix
given in Table 4. We pass test images of known class to the detector and calculate the probabilities of
both true and false detection. We observe that the detection accuracies for cover and outguess are
above 96%. For F5, 9.5% of the images get misclassified as cover when SQF is 75 and this
corresponds to the lowest detection accuracy. The low accuracies for F5 are due to the fact that F5
does not preserve the global statistics of the image. The artifacts of double-compression are thus lost
during the process of embedding.
At this point, we have cover Vs. stego detectors for both PQF < SQF and PQF > SQF case. We
determine the overall accuracy of the detector by averaging the accuracies of these two detectors over
all PQFs and all embedding levels. This gives us the cover Vs. stego detection accuracy of our
detector for double-compressed images. In Table 5, we compare these results with those obtained from
previous Canvass software. We can clearly see significant rise in the detection accuracies.
Table 5. Overall detection accuracy of (a) previous Canvass (b) our detector tested on doublecompressed images.
Primary Quality Factor Detector. The last step in the blind steganalysis is estimation of the primary
quality factor. It can be used to extract further information regarding the secret payload; although we
do not use it for further processing in this work. The signature zero patterns in the histograms are used
72
for the PQF detection. Separate detectors are created for SQF = 75 and SQF = 80 case. Figure 16
shows the detection accuracy plots. Again, the plots on the left represent SQF = 75 case and plots on
the right represent SQF = 80 case.
We first discuss the results when SQF = 75. These are shown in the left column of Figure 16. The
PQF detection accuracies for double-compressed cover images are almost always 100% when PQF <
SQF. In general, when PQF is less than the SQF, the zero patterns in the histograms are prominent.
This leads to high detection accuracies. Double-compressed F5 images with PQF 70 get misclassi_ed
as PQF = 71. Out of the nine low-frequency modes considered for the detection, the quantization
matrices for quality factors 70 and 71 vary for 2 modes. We do not detect PQF 89. This is because the
histogram patterns arising from the
combination of PQFs 88 and 89 with SQF 75 are identical. The quality factor 89 gets detected as 88.
Therefore we exclude it from the detection algorithm. In general, the detection accuracies are low
when PQF > SQF because the histogram patterns are not very prominent.
We now discuss the results for SQF = 80 case. These are shown in the right column of Figure 16.
Similar to the SQF = 75 case, the detection accuracies are close to 100% when PQF < SQF. PQF 75
gets detected as 74. This is because the values at nine-low frequency modes under consideration are
identical for these two quality factors. Therefore we exclude the quality factor 75. Similarly, for F5
and outguess, PQF 85 almost always gets detected as 84 and PQF 88 gets detected as 89. This explains
the drops in the detection accuracies for these PQFs. We do not detect PQFs 92 and 93. This is
because the histogram patterns arising from the combinations of PQFs 91, 92 and 93 with SQF 80 are
identical. The quality factors 92 and 93 get detected as 91. Therefore we exclude these quality factors
from the detection algorithm.
73
Figure 14. Accuracy of PQF Splitters on double-compressed Cover, F5 and Outguess images.
74
Figure 15. Accuracy of PQF Splitters on double-compressed Cover, F5 and Outguess images.
75
Figure 16. Accuracy of PQF detector.
76
9. CONLCUSIONS.
In this work, we created a complete steganalyzer system for single as well as double-compressed
images. We introduced a new statistical modeling tool to measure the changes caused by various
steganographic algorithms as well as by double-compression. We showed that the POMM features
perform better than the state-of-the-art double-compression detectors. We also proved the utility of
POMMs for solving variety of classification problems such as double-compression detection, PQF
splitting and cover Vs. stego detection.
We introduced analytical methods for cover Vs. stego detection and primary quality factor detection.
The methods are based on the signature patterns in the histograms of quantized DCT coefficients, as
opposed to the other SVM-based classification methods. Each SVM in our experiments is trained on
30000 image data and tested on approximately 1,35,000 image data for different cases. Creating each
SVM involves 1 day to extract the training features from 30000 images, 1.5 days of actual SVM
training and 2 days for testing. The SVMs-based approach [6] requires 1 SVM for double-compression
detector, 159 SVMs for primary quality
step estimation, 3 binary classifiers for stego detection of double-compressed images and 15 SVMs for
stego detection of single-compressed images. Thus a total of 178 SVMs are required. Our approach on
the other hand uses 1 SVM for double-compression detection, 1 for PQF splitting, 15 SVMs for
single-compressed stego detection and 3 SVMs for double-compressed stego detection, which gives a
total of 20 SVMs. These novel analytical methods thus save a large amount of time required for
feature extraction and intensive SVM training. The histogram pattern features were also used in
addition to POMMs to improve the detection accuracies of SVM-based classifiers.
We show that the detection scheme works better if a double-compression detector is used as a preclassifier. The detection accuracies for double-compressed images improve significantly compared to
the previous software. We also compare the performance of the various modules with those presented
in [12]. The POMM-based PQF detector has high detection accuracies for PQF < SQF. The
conditional probabilities given by POMMs describe the relations between inter and intrablock pixels
in a JPEG image. In the future, other functions could be investigated to describe other pixel
dependencies. Also, currently we limit the steganalysis of single-compressed images to quality factor
75 and that of double-compressed images to secondary quality factors of 75 and 80. But this novel
method for steganalysis of double-compressed data looks promising and could be generalized for any
combination of primary and secondary quality factors.
10. REFERENCES
1. Stegoarchive. Available online at http://www.stegoarchive.com
2. A. Westfeld. F5 A Steganographic Algorithm: High Capacity Despite Better Steganalysis.
Information Hiding, 4th International Workshop, I. S. Moskowitz, Ed. Pittsburgh, PA, USA, April
2001, pages 289-302.
3. N. Provos. Outguess: Universal Steganography. http://www.Outguess.org, August 1998.
4. Davidson, J., Jalan, J. Canvass - A Steganalysis forensic tool for JPEG images, 2010 ADFSL
Conference on Digital Forensics, Security and Law, St. Paul, MN, May 2010.
5. Chih-Chung Chang and Chih-Jen Lin. LIBSVM: a library for support vector machines. Software
available at http://www.csie.ntu.edu.tw/~cjlin/libsvm, 2001.
6. J. Fridrich, M. Goljan and D. Hogea. Steganalysis of JPEG Images: Breaking the F5 Algorithm. 5th
Information Hiding Workshop, Noordwijkerhout, The Netherlands, October 2002 , pages 310-323.
7. C. Chen, Y. Q. Shi, and W. Su. A machine learning based scheme for double JPEG compression
detection. Proceedings IEEE Int. Conf. Pattern Recognition, Tampa, FL. pages 8-11, 2008.
77
8. J. He, Z. Lin, L. Wang, X. Tang. Detecting doctored JPEG images via DCT coefficient analysis.
Proceedings of the 9th European Conference on Computer Vision, Lecture Notes in Computer
Sciences, vol. 3953, Springer, Berlin, pages 423-435, 2006.
9. M. Sorell. Conditions for e_ective detection and identification of primary quantization of requantized JPEG images. E-FORENSICS. 1st International ICST Conference on Forensic Applications
and Techniques in Telecommunications, Information and Multimedia. ICST, 2008.
10. Z. Lin, J. He, X. Tang, C. Tang. Fast, automatic and fine-grained tampered JPEG image detection
via DCT coefficient analysis. PR(42), No. 11, pages 2492-2501, November 2009.
11. J. Fridrich, T. Penvy. Determining the Stego Algorithm for JPEG Images, Special Issue of IEE
Proceedings-Information Security, 153(3), pp. 75-139, 2006.
12. T. Pevny and J. Fridrich. Detection of double-compression in JPEG images for applications in
steganography. IEEE Transactions on Information Forensics and Security, vol. 3, no. 2, pages 247258, June 2008.
13. J. Fridrich, M. Goljan and D. Hogea. Attacking the outguess. Proc. of the ACM Workshop on
Multimedia and Security, Juan-les-Pins, France, December 2002.
14. Siwei Lyu and Hany Farid. Detecting hidden messages using higher-order statistics and support
vector machines. Information Hiding, 5th International Workshop, IW 2002, volume 2578 of Lecture
Notes in Computer Science, pages 340354. Springer-Verlag, New York.
15. T. Pevny and J. Fridrich. Merging Markov and DCT features for multi-class JPEG steganalysis. In
Proceedings of SPIE, Electronic Imaging, Security, Steganography, and Watermarking of Multimedia
Contents IX, San Jose, CA, volume 6505, pages 0304, January 2007
16. Y. Q. Shi, C. Chen, and W. Chen. A Markov process based approach to effective attacking jpeg
steganography. In Proceedings of the 8th Information Hiding Workshop, volume 4437 of LNCS,
pages 249-264. Springer, 2006.
17. W. Luo, J. Huang, G. Qui. JPEG error analysis and its applications to digital image forensics.
IEEE Transactions on Information Forensics and Security, Vol. 5, No. 3, pages 480-491, Sep. 2010.
18. T. Gloe. Demystifying histograms of multi-quantised DCT coefficients. IEEE Conf. on
Multimedia and Expo (ICME), pages 1-6, 2011.
78
TOWARD ALIGNMENT BETWEEN COMMUNITIES OF
PRACTICE AND KNOWLEDGE-BASED DECISION
SUPPORT
Jason Nichols, David Biros, Mark Weiser
Management Science and Information Systems
Spears School of Business
Oklahoma State University
Stillwater, OK 74078
ABSTRACT
The National Repository of Digital Forensics Information (NRDFI) is a knowledge repository for law
enforcement digital forensics investigators (LEDFI). Over six years, the NRDFI has undertaken
significant design revisions in order to more closely align the architecture of the system with theory
addressing motivation to share knowledge and communication within ego-centric groups and
communities of practice. These revisions have been met with minimal change in usage patterns by
LEDFI community members, calling into question the applicability of relevant theory when the
domain for knowledge sharing activities expands beyond the confines of an individual organization to
a community of practice. When considered alongside an empirical study that demonstrated a lack of
generalizability for existing theory on motivators to share knowledge, a call for deeper investigation is
clear. In the current study, researchers apply grounded theory methodology through interviews with
members of the LEDFI community to discover aspects of community context that appear to position
communities of practice along a continuum between process focus and knowledge focus. Findings
suggest that these contextual categories impact a community’s willingness to participate in various
classes of knowledge support initiatives, and community positioning along these categories dictates
prescription for design of knowledge based decision support systems beyond that which can be found
in the current literature.
Keywords: grounded theory, decision support, communities of practice, knowledge management
1. INTRODUCTION
The Center for Telecommunications and Network Security (CTANS), a recognized National Security
Agency Center of Excellence in Information Assurance Education (CAEIAE), has been developing,
hosting, and continuously evolving web-based software to support law enforcement digital forensics
investigators (LEDFI) via access to forensics resources and communication channels for the past 6
years. The cornerstone of this initiative has been the National Repository of Digital Forensics
Information (NRDFI), a collaborative effort with the Defense Cyber Crime Center (DC3), which has
evolved into the Digital Forensics Investigator Link (DFILink) over the past two years. DFILink is
soon to receive additional innovations tailored to its LEDFI audience, and the manuscript herein is an
account of recent grounded theory research efforts targeting the LEDFI community in order to form a
baseline to match their needs with the resources and services contained within DFILink. More
broadly, the grounded theory that is emerging from this study highlights critical characteristics of
context for a knowledge-based decision support implementation that the current literature on
motivating knowledge sharing appears to be lacking. In order to motivate the need for this grounded
theory work, the following sub-sections briefly describe the theory-driven approaches to early NRDFI
design, the evolution from NRDFI to DFILink, and replication of a prior empirical study that
highlights the potential gap in theory as relates to motivators for knowledge sharing and actual system
use.
79
1.1. NRDFI
The development of the NRDFI was guided by the theory of the ego-centric group and how these
groups share knowledge and resources amongst one another in a community of practice (Jarvenpaa &
Majchrzak, 2005). Within an ego-centric community of practice, experts are identified through
interaction, knowledge remains primarily tacit, and informal communication mechanisms are used to
transfer this knowledge from one participant to the other. The informality of knowledge transfer in
this context can lead to local pockets of expertise as well as redundancy of effort across the broader
community as a whole. In response to these weaknesses, the NRDFI was developed as a hub for
knowledge transfer between local law enforcement communities. The NRDFI site was locked down
so that only members of law enforcement were able to access content, and members were provided the
ability to upload knowledge documents and tools that may have developed locally within their
community, so that the broader law enforcement community of practice could utilize their
contributions and reduce redundancy of efforts. The Defense Cyber Crime Center, a co-sponsor of the
NRDFI initiative, provided a wealth of knowledge documents and tools in order to seed the system
with content.
Response from the LEDFI community was positive, and membership to the NRDFI site quickly
jumped to over 1000 users. However, the usage pattern for these members was almost exclusively
unidirectional. LEDFI members would periodically log on, download a batch of tools and knowledge
documents, and then not log on again until the knowledge content on the site was extensively
refreshed. The mechanisms in place for local LEDFI communities to share their own knowledge and
tools sat largely unused. From here, CTANS began to explore the literature with regards to motivating
knowledge sharing, and began a re-design of NRDFI driven by the extant literature, and focused on
promoting sharing within the LEDFI community through the NRDFI.
1.2. Motivating Knowledge Sharing and the DFILink
DFILink is a redesign of NRDFI that shifts the focus of sharing within the community from formal
knowledge documents and tools to informal discussion and collaboration surrounding existing
documents and tools within the system. The same broad set of knowledge resources from NRDFI is
available through DFILink, however the ability to discuss these resources has been given equal
importance in the design of the system.
This shift in focus was driven primarily by two discoveries in the literature surrounding motivation for
knowledge sharing: First, the primary motivators for sharing knowledge are intrinsic in nature (i.e.
through positive feedback, a sense of community, and incremental praise). Second, these intrinsic
motivators are more effective when the overhead for making a contribution is low (Bock & Kim,
2002; Bock, Lee, Zmud, & Kim, 2005). These two discoveries were taken from what appears to be
the prevailing model in the literature for motivating knowledge sharing, and formed the backbone for a
redesign strategy that emphasized the social aspect of participating in a community of practice. The
ability to pose questions, make comments, and informally engage the community across all aspects of
the system and the resources contained therein was underscored in the resulting transition to DFILink.
Additionally, these informal communications mechanisms served to bring the system closer in
alignment to theory for how egocentric groups actually communicate (Fisher, 2005). In short,
DFILink was built to embody the best lessons from the literature with regards to motivating sharing
and supporting communication within a community of practice.
However, two years after the transition, usage patterns for DFILink mirror that of its predecessor
NRDFI. LEDFI members will log on to pull down resources, but rarely if ever upload and share their
own or utilize the informal communications channels embedded within the system. Design based
upon the prevailing theory surrounding motivating knowledge sharing within communities of practice
appears to have had little-to-no impact on sharing within the LEDFI community itself. Empirical
research performed by the investigators during the transition from NRDFI to DFILink further
80
highlights the potential gap in the literature between the theory of motivating knowledge sharing and
what can be observed in communities of practice such as LEDFI.
1.3. Re-examining Motivation to Share Knowledge
One of the preeminent works in the area of motivators to share knowledge examines the relative
importance of intrinsic versus extrinsic motivators in the context of a broad sampling of asian firms
(Bock, et al., 2005). The outcome of this study demonstrates that there is a strong link between
intrinsic motivation and intention to share knowledge, and extrinsic motivators can actually serve as a
demotivational factor in the long run. The literature has used this study as a foundation for further
work (e.g. Chiu, Hsu, & Wang, 2006; Hsu, Ju, Yen, & Chang, 2007; Kankanhalli, Bernard, & W.,
2005), and the notion that intrinsic motivators drive the sharing of knowledge is widely held within the
domain. The transition from NRDFI to DFILink adhered to this principle through the incorporation of
social mechanisms for positive feedback and contribution through informal communications. Still, we
were interested in the generalizability of the prior study to the context of egocentric groups and, more
broadly, distributed communities of practice such as LEDFI. A replication of the study was performed
with a sample of LEDFI members, and the results called into question the findings of the earlier work
(Hass, et al., 2009).
In a community of practice such as LEDFI, the link between intrinsic motivation and intention to share
knowledge was observed to be significantly weaker, and bordering on non-existent. Interestingly,
while the link between extrinsic motivators and intention to share was no longer significantly negative
as in the previous study, it too remained tenuous at best. In short, when the commonly accepted model
of motivation to share knowledge was applied to the LEDFI community, neither intrinsic nor extrinsic
motivators appeared to provide strong support for what would drive an LEDFI member to share their
knowledge.
With this in mind, and coupled with the observation of stagnant usage patterns throughout the theorydriven transition from NRDFI to DFILink, the investigators noted a potential gap in the literature as
relates to theory regarding willingness to share knowledge in a distributed community of practice.
What follows is an account of the first round of grounded theory research regarding this gap, initial
findings from interviews and a focus group with a sample of the LEDFI community, and a discussion
of resulting prescription for knowledge-based decision support systems targeting communities of this
nature.
2. METHODOLOGY
The investigators selected grounded theory, a specifically qualitative approach, based upon their
experience applying the results of existing quantitative studies to the design of DFILink and meeting
minimal success in their objectives, as well as the discovery of contradictory findings when applying
an accepted quantitative model to the context of the LEDFI community. Grounded theory is markedly
process-driven in its focus (Strauss & Corbin, 1998), and avoids a priori assumptions regarding the
processes underlying the phenomena of interest. This is in contrast to a deductive quantitative
approach, and is appropriate in scenarios where the accepted theory in a domain is unable to
adequately capture behaviors of practitioners in the field. The process-focus of grounded theory
allows the researcher to examine directly what occurs in practice, and the inductive nature of the
methodology supports contributions to existing theory that can more adequately capture and explain
behavior in the field.
Interviews were carried out at the 2012 Department of Defense Cyber Crimes Conference in Atlanta,
in order to purposefully sample members of the LEDFI community of various positions within their
respective departments. Our initial five interview subjects spanned the range of positions from direct
forensics investigators to mid-level forensic lab managers to higher-level departmental management.
Early interviews were purposefully unstructured and open ended, focusing on the identification of
patterns in process for applying knowledge in order to complete digital forensics tasks. Nightly
81
coding of interview notes took place in accordance with guidelines for grounded theory (Glaser,
1978), which followed the pattern of initial “open coding” to first identify key concepts or dimensions
(referred to as categories), and subsequent “selective coding” once uniformities in the interview notes
were revealed.
As the resulting categories became saturated, interviews became more tightly structured in order to
explore these categories further, until no new properties emerged from additional investigation. A
total of 20 interviews were conducted in this first round of investigation, which is within guidelines for
the volume of interviews recommended to begin to answer research questions through grounded
theory (McCracken, 1988). Subsequently, a summary of the findings and resulting implications for
practice was shared with a focus group comprised of an additional 10 LEDFI members. Glaser (1978,
1992, 2001) emphasizes the following criteria for assessing rigor and validity of grounded theory
studies: fit, relevance, workability, modifiability, parsimony and scope. Table 1 is provided as a
summary of the investigators’ effort within this framework (in line with similar grounded theory
studies e.g. Mello, Stank, & Esper, 2008).
Table 1. An assessment of rigor for grounded theory
Criteria
Definition
Evidence
Fit
Do the findings match the
conditions within the domain
under investigation?

Findings were drawn based on patterns across
all interviews

Initial theory and implications were presented
and validated by a focus group of community
members
Does the outcome contribute to
solving a real problem in
practice? Do the results
contribute to existing theory
through a broader
understanding?

Findings from the study directly impact the
evolution of an existing artifact within the
community, in a fashion validated by
community members.

Continuing research seeks to position these
findings within the knowledge management,
decision support, and task/technology fit
domains.
Do the findings directly
address what is happening
within the domain?

Early theory derived from interviews was
shared and confirmed by participants of the
study.
Modifiability Can contradictions be included
in the emerging theory through
modification?

The emergent categories from this first round
of inquiry will tested and augmented as
necessary through continuing theoretical
sampling and data collection.
Parsimony
Is the theory limited to a
minimum of categories needed
to explain the phenomenon?

Selective coding was applied to the opencoded data in order to reduce the number of
categories while maintaining explanatory
coverage across all cases in the study.
Scope
Is the theory flexible enough to 
provide insight into a variety of
situations?
Scope for the categories discovered in this
first round of data collection will be
examined through continuing theoretical
sampling of a broader range of communities
of practice.
Relevance
Workability
82
3. FINDINGS
An analysis of the data collected from the interviews revealed three critical categories that impact the
way in which a LEDFI member is willing to participate in knowledge sharing activities: organizational
structure, task complexity, and workload. These characteristics were a recurring theme across the
interviews conducted, and revealed themselves as key aspects driving the processes and mechanisms
LEDFI members selected when either gathering or sharing knowledge within the community. Across
each category, the impact of the category on selection of knowledge sharing mechanisms was
explored. Each category is addressed individually below. The result is a reliance on local knowledge
silos and existing informal communications mechanisms almost exclusively within the community of
practice.
3.1. Organizational Structure
LEDFI members exist in a rigid organizational context. From the interviews, this exposes itself in a
number of different ways. First, due to the legal requirements surrounding the validity of their work,
investigators are encouraged to maintain an autonomous core of knowledge and tools within their own
departments. These knowledge cores are the first targets of inquiry when performing an activity that
requires support. Introduction of external sources for knowledge and tools often requires the approval
of organizational management, and is frequently limited to knowledge gathering rather than
knowledge sharing. Further, there are frequently strict guidelines regarding the sharing of internally
developed resources, which limits the participation of members in formal external knowledge sharing
efforts.
Members within this rigid organizational context prefer to offer support to their community colleagues
individually, informally, and on a case-by-case basis. While the community as a whole recognizes the
potential for inefficiency in this approach, members are often constrained by the rigidity of their
organizational boundaries and procedures from availing their knowledge cores to the broader LEDFI
community in general. If identified as an expert and approached individually, however, they are likely
to be willing to share their expertise with an LEDFI colleague on a one-to-one basis.
3.2. Task Complexity
Subjects uniformly identified an 80-20 rule with respect to the complexity of the tasks they perform.
80% of the time, their tasks are routine and require little to no knowledge support for completion. The
other 20% of their tasks require knowledge support, but that support can be achieved through access to
their department’s internal knowledge core or through informal requests to the broader community by
utilizing existing communication channels. They recognize that there may exist better tools and
solutions than what they can find within their own knowledge cores or through informal requests for
assistance, but the relatively low frequency for which they require external assistance acts as a
disincentive for exploring, becoming familiar with, and investing time on external formal knowledge
repositories. They identify a trade-off between the time and effort required to become familiar with
and actively use these external resources, and the amount of time and effort such familiarity would
potentially save them in their daily operations. For them, considering how little they find themselves
in need of knowledge support, the tradeoff does not favor active involvement in external formal
knowledge repositories.
3.3. Workload
The vast majority of subjects interviewed reported a significant backlog of work within their
department. Following the 80-20 rule identified regarding their tasks, this translated for the subjects
into heavy time pressure to apply their existing expertise towards routine tasks as quickly as possible
in order to work down the backlog. When facing a task that requires knowledge support, this time
pressure influences their preference to use existing informal and asynchronous communications
83
channels to seek assistance, as they can then move on to backlogged routine tasks while they wait for a
response. In essence, the backlog of work they often face means that, even if they wanted to become
active members of an external knowledge community and gain expertise to the resources available
therein, they are forced to repurpose the time that this would take as time to continue working down
their backlog of routine tasks while they wait for informal support.
A profile of the LEDFI community across these categories is presented in figure 1. Through the
interviews performed, these categories emerged as the primary influence within the community over
how knowledge is shared and discovered amongst participants. Based upon their positioning along
these categories, LEDFI members exhibit a strong preference for locally developed knowledge cores
and existing informal communication channels when seeking support. Virtually all subjects noted
listservs as the external communication channel of choice when seeking support from the broader
community. They also recognized and were willing to accept the potential for inefficiency in
knowledge discovery through this communications channel. For them, the tradeoff in effort required
to become active users in a more structured knowledge management approach did not support the
potential gains in process improvement for their infrequent knowledge-intensive tasks. Put simply,
they recognize there may be valuable resources available externally. However, due to their rigid
organizational structure, relatively routine tasks, and heightened workload, they are willing to forego
these resources in favor of support mechanisms that fold seamlessly into their existing workflow.
Figure 1. LEDFI Community Profile
4. DISCUSSION
4.1. Implications for Theory
This first round of data collection supports a broader research objective to identify and examine
communities of practice that vary along the discovered categories of structure, complexity, and
workload. Based on findings from our work with LEDFI, it is proposed that communities of practice
experience contextual pressures related to knowledge sharing that set them apart from communities
within a formal organizational boundary. For communities of practice, the link between intrinsic
reward and active knowledge sharing may be moderated by the communities’ positioning along these
three contextual dimensions. Additional evidence of this moderation affect will serve to broaden the
organizational climate construct in the motivation literature to include external influences, rather than
84
the current internal focus on fairness, affiliation, and innovativeness (Bock, et al., 2005). Our
continued efforts will seek to expand the predominant model on motivation to share knowledge, so
that the model fits in the context of communities of practice as well as in the context of individual
organizations.
Further, the work done here suggests that a community’s position along these dimensions may dictate
the degree to which knowledge management efforts must either conform to existing workflows and
processes within the community, or are free to influence the workflows and processes themselves.
This tradeoff is represented in figure 2. Continued work to explore this tradeoff within a broader set
of diverse communities of practice seeks to contribute to the literature related to task/technology fit
(Goodhue, 1995; Goodhue & Thompson, 1995). We find partial alignment with existing research in
this domain that maps task characteristics to appropriate technology support mechanisms (Zigurs &
Buckland, 1998). However, rather than focus on the capabilities availed through the technology, we
will continue to focus on the tradeoff between technology support that can achieve the greatest
hypothetical advantage, and technology support that will actually be used. In some ways, then, we are
looking to broaden the focus from task/technology fit to community/technology fit. The initial finding
here is that the best knowledge management option is not the one with the greatest performance
potential, but the one that will actually be used.
Figure 2. Tradeoff between process vs. knowledge focused support
For example, NRDFI and DFILink were designed to offer a tight integration between resource
discovery and the sharing of knowledge related to these resources by way of community involvement
within the site itself. Through this tight coupling of centralized discovery and sharing, formal
knowledge resources can be surrounded by informal, community-driven knowledge that incrementally
increases the value of the resource over time. However, the potential benefit of this tightly coupled
architecture assumes that community participants are willing to integrate use of the knowledge
repository within their existing workflows. As we have discovered here, LEDFI simply is not. The
result is a powerful knowledge management solution, engineered within the guidelines of best practice
from the literature, recognized by the community as a source of valuable content, that by in large sits
on the shelf unused. What the LEDFI community has shared with us on this issue is that rigid
organizational structure, an abundance of routine tasks, and a heavy workload all contribute to a
context where knowledge support must be folded into existing workflows if it is to be utilized. This
seamless mapping into existing workflows takes priority over the relative power of the knowledge
management capabilities available. In other words, the best knowledge management solution is the
one that gets used.
85
4.2. Implications for Practice
While we continue to explore the categories that influence communities of practice along the processcentric/knowledge-centric continuum, the message is clear for a process-centric community such as
LEDFI: seamless integration of knowledge support into existing workflows and communications
channels is a requirement for knowledge discovery and use. Therefore, primary methods of
communication within the community must be identified, and knowledge management technology
must evolve to take an active role within these communications channels. For the LEDFI community,
listservs represent a primary form of communication when members seek assistance outside of their
organization. Taking cues from agent-based decision support research (Bui & Lee, 1999), the next
evolution of DFILink will be the development of a listserv agent that matches requests from users on
the listserv to resources that may prove useful. A sequence diagram for listserv agent interaction is
presented below in figure 3.
Figure 3. Sequence for user/agent interaction via listservs
The DFILink listserv agent will be designed so that it can subscribe and contribute to not only a
specific DFILink listserv, but also any partnering listserv from the LEDFI community that wishes to
participate. The agent will monitor traffic on the listservs, and respond with resource matches based
on the content of the initial question posted. As the conversation thread continues, the agent will
continue to monitor traffic so that, if any listserv member would like to interact further with the agent,
a short list of hash-tag command options are at their disposal and can be sent as a reply to the listserv
itself. For instance, if a participant would like to see additional resource matches, they can reply with
“#more”, and the agent will perform an additional search based on not only the text from the original
posting, but all subsequent postings in the email thread. Further, these email threads will be
maintained as resources within DFILink and the agent will potentially include them as matches to
future inquiries. In this fashion, the primary communications channel for the community is
86
strengthened by the inclusion of relevant knowledge resources, maintains a long-term memory of tacit
knowledge transfer, and does not require any adaptation of existing workflows and processes on the
part of the community members.
5. CONCLUSION
Theory regarding motivation for knowledge sharing appears to lack fit in the context of communities
of practice. The research presented here applied a grounded theory methodology in the examination of
one such community: law enforcement digital forensics investigators. The results point towards three
community characteristics, organizational rigidity, task complexity, and participant workload, as
determinants for a community’s preference between process-centric versus knowledge-centric decision
support. Continuing research will explore the impact of these characteristics within a broader set of
communities of practice, with the aim to contribute to broader theory for motivation to share
knowledge as well as task/technology fit in the context of a community of practice. However, the
findings of this study directly impact the design of successful knowledge-based decision support
technologies for communities that share the LEDFI profile. Technologies must integrate seamlessly
into existing community workflows and processes, even at the expense of greater knowledge
management capability. For a process-centric community, knowledge management capabilities will
be ignored otherwise.
6. REFERENCES
Bock, G., & Kim, Y. (2002). Breaking the Myths of Rewards: An Exploratory Study of Attitudes
About Knowledge-Sharing. Information Resources Management Journal, 15(2), 14.
Bock, G., Lee, J., Zmud, R., & Kim, Y. (2005). Behavioral Intention Formation in Knowledge
Sharing: Examining the Roles of Extrinsic Motivators, Social-Psychological Forces, and
Organizational Climate. MIS Quarterly, 29(1), 87.
Bui, T., & Lee, J. (1999). An Agent-Based Framework for Building Decision Support Systems.
Decision Support Systems, 25(3), 225.
Chiu, C., Hsu, M., & Wang, E. (2006). Understanding Knowledge Sharing in Virtual Communities:
An Integration of Social Capital and Social Cognitive Theories. Decision Support Systems, 42(3),
1872.
Fisher, D. (2005). Using Egocentric Networks to Understand Communication. Internet Computing,
IEEE, 9(5), 20.
Glaser, B. (1978). Theoretical Sensitivity: Advances in the Methodology of Grounded Theory. Mill
Valley, CA: The Sociology Press.
Glaser, B. (1992). Basics of Grounded Theory Analysis. Mill Valley, CA.: Sociology Press.
Glaser, B. (2001). The Grounded Theory Perspective: Conceptualization Contrasted with Description.
Mill Valley, CA.: Sociology Press.
Goodhue, D. (1995). Understanding User Evaluations of Information Systems. Management Science,
41(12), 1827.
Goodhue, D., & Thompson, R. (1995). Task-Technology Fit and Individual Performance. MIS
Quarterly, 19(2), 213.
Hass, M., Nichols, J., Biros, D., Weiser, M., Burkman, J., & Thomas, J. (2009). Motivating
Knowledge Sharing in Diverse Organizational Contexts: An Argument for Reopening the Intrinsic vs.
Extrinsic Debate. Paper presented at the AMCIS 2009 Proceedings.
Hsu, M., Ju, T., Yen, C., & Chang, C. (2007). Knowledge Sharing Behavior in Virtual Communities:
The Relationship Between Trust, Self-Efficacy, and Outcome Expectations. International Journal of
Human-Computer Studies, 65(2), 153.
87
Jarvenpaa, S., & Majchrzak, A. (2005). Developing Individuals' Transactive Memories of their EgoCentric Networks to Mitigate Risks of Knowledge Sharing: The Case of Professionals Protecting
CyberSecurity. Paper presented at the Proceedings of the Twenty-Sixth International Conference on
Information Systems.
Kankanhalli, A., Bernard, C., & W., K.-K. (2005). Contributing Knowledge to Electronic Knowledge
Repositories: An Emperical Investigation. MIS Quarterly, 29(1), 113.
McCracken, G. (1988). The Long Interview. Thousand Oaks, CA.: Sage Publications.
Mello, J., Stank, T., & Esper, T. (2008). A Model of Logistics Outsourcing Strategy. Transportation
Journal, 47(4), 21.
Strauss, A., & Corbin, J. (1998). Basics of Qualitative Research: Techniques and Procedures for
Developing Grounded Theory. Thousand Oaks, CA: Sage Publications.
Zigurs, I., & Buckland, B. (1998). A Theory of Task/Technology Fit and Group Support Systems
Effectiveness. MIS Quarterly, 22(3), 313.
88
A FUZZY HASHING APPROACH BASED ON RANDOM
SEQUENCES AND HAMMING DISTANCE
Frank Breitinger & Harald Baier
Center for Advanced Security Research Darmstadt (CASED) and
Department of Computer Science, Hochschule Darmstadt,
Mornewegstr. 32, D – 64293 Darmstadt, Germany,
Mail: {frank.breitinger, harald.baier}@cased.de
ABSTRACT
Hash functions are well-known methods in computer science to map arbitrary large input to bit strings
of a fixed length that serve as unique input identifier/fingerprints. A key property of cryptographic
hash functions is that even if only one bit of the input is changed the output behaves pseudo randomly
and therefore similar files cannot be identified. However, in the area of computer forensics it is also
necessary to find similar files (e.g. different versions of a file), wherefore we need a similarity
preserving hash function also called fuzzy hash function.
In this paper we present a new approach for fuzzy hashing called bbHash. It is based on the idea to
‘rebuild’ an input as good as possible using a fixed set of randomly chosen byte sequences called
building blocks of byte length l (e.g. l= 128 ). The proceeding is as follows: slide through the input
byte-by-byte, read out the current input byte sequence of length l , and compute the Hamming
distances of all building blocks against the current input byte sequence. Each building block with
Hamming distance smaller than a certain threshold contributes the file’s bbHash. We discuss (dis)advantages of our bbHash to further fuzzy hash approaches. A key property of bbHash is that it is the
first fuzzy hashing approach based on a comparison to external data structures.
Keywords: Fuzzy hashing, similarity preserving hash function, similarity digests, Hamming distance,
computer forensics.
1. INTRODUCTION
The distribution and usage of electronic devices increased over the recent years. Traditional books,
photos, letters and LPs became ebooks, digital photos, email and mp3. This transformation also
influences the capacity of todays storage media ([Walter, 2005]) that changed from a few megabyte to
terabytes. Users are able to archive all their information on one simple hard disk instead of several
cardboard boxes on the garret. This convenience for consumers complicates computer forensic
investigations (e.g. by the Federal Bureau of Investigation), because the investigator has to cope with
an information overload: A search for relevant files resembles no longer to find a needle in a haystack,
but more a needle in a hay-hill.
The crucial task to solve this data overcharge is to distinguish relevant from non-relevant information.
In most of the cases an automated preprocessing is used, which tries to filter out some irrelevant data
and reduces the amount of data an investigator has to look at by hand. As of today the best practice of
this preprocessing is quite simple: Hash each file of the evidence storage medium, compare the
resulting hash value (also called fingerprint or signature) against a given set of fingerprints, and put it
in one of the three categories: known-to-be-good, known-to-be-bad, and unknown files. For instance,
unmodified files of a common operating system (e.g. Windows, Linux) or binaries of a wide-spread
application like a browser are said to be known-to-be-good and need not be inspected within an
investigation. The most common set/database of such non-relevant files is the Reference Data Set
(RDS) within the National Software Reference Library (NSRL, [NIST, 2011]) maintained by the US
89
National Institute of Standards and Technology (NIST)1.
Normally cryptographic hash functions are used for this purpose, which have one key property:
Regardless how many bits changes between two inputs (e.g. 1 bit or 100 bits), the output behaves
pseudo randomly. However, in the area of computer forensics it is also convenient to find similar files
(e.g. different versions of a file), wherefore we need a similarity preserving hash function also called
fuzzy hash function.
It is important to understand that in contrast to cryptographic hash functions, there is currently no
sharp understanding of the defining properties of a fuzzy hash function. We will address this topic in
Sec. 2, but we emphasize that the output of a fuzzy hash function need not be of fixed length.
In general we consider two different levels for generating similarity hashes. On the one hand there is
the byte level which works independently of the file type and is very fast as we need not interpret the
input. On the other hand there is the semantic level which tries to interpret a file and is mostly used for
multimedia content, i.e. images, videos, audio. In this paper we only consider the first class. As
explained in Sec. 2 all existing approaches from the first class come with drawbacks with respect to
security and efficiency, respectively.
In this paper we present a new fuzzy hashing technique that is based on the idea of data deduplication
(e.g. [Maddodi et al., 2010, Sec. II]) and eigenfaces (e.g. [Turk and Pentland, 1991, Sec. 2]).
Deduplication is a backup scheme for saving files efficiently. Instead of saving files as a whole, it
makes use of small pieces. If two files share a common piece, it is only saved once, but referenced for
both files. Eigenfaces are a similar approach. They are used in biometrics for face recognition.
Roughly speaking, if we have a set of N eigenfaces, then any face can be represented by a
combination of these standard faces. Eigenfaces resemble to the well-known method in linear algebra
to represent each vector of a vector space by a linear combination of the basis vectors.
Our approach uses a fixed set of random byte sequences called building blocks. In this paper we
denote the number of building blocks by N . The length in bytes of a building block is denoted by l .
It shall be ‘short’ compared to the file size (e.g. l= 128 ). To find the optimal representation of a
given file by the set of building blocks, we slide through the input file byte-by-byte, read out the
current input byte sequence of length l , and compute the Hamming distances of all building blocks
against the current input byte sequence. If the building block with the smallest Hamming distance is
smaller than a certain threshold, too, its index contributes to the file’s bbHash.
Besides similarity of files we are also able to match back parts of files to its origin, which could arise
due to file fragmentation and deletion.
1.1 Contribution and Organization of this Paper
Similarity preserving hash functions on the byte level are a rather new area in computer forensics and
get more and more important due to the increasing amount of data. Currently the most popular
approach is implemented in the software package ssdeep ([Kornblum, 2006]). However, ssdeep can be
exploited very easily ([Baier and Breitinger, 2011]). Our approach bbHash is more robust against an
active adversary. With respect to the length of the hash value our approach is superior to sdhash
([Roussev, 2009, Roussev, 2010]), which generates hash values of about 2.6% to 3.3% of the input,
while our bbHash similarity digest only comprises 0.5% of the input size. Additionally, sdhash has a
coverage of only about 80% of the input, while our approach is designed to cover the whole input.
Additionally, in contrast to ssdeep and sdhash, our similarity digest computation is based on a
comparison to external data structures, the building blocks. The building blocks are randomly chosen
1. NIST points out that the term known-to-be-good depends on national laws. Therefore, NIST calls files within the RDS
non-relevant. However, the RDS does not contain any illicit data.
90
static byte blocks being independent of the processed input. Although this implies a computational
drawback compared to other fuzzy hashing approaches, we consider this as a security benefit as
bbHash stronger withstands active anti-blacklisting.
The rest of the paper is organized as follows: In the subsequent Sec. 1.2 we introduce the notation used
in this paper. Then in Sec. 2 we introduce the related work. The core of this paper is given in Sec. 3
where we present our algorithm bbHash. We give a first analysis of our implementation in Sec. 4. Sec.
5 concludes our paper and gives an overview of future work.
1.2 Notation and Terms used in this Paper
In this paper, we make use of the following notation and terms:










A building block is a randomly chosen byte sequence to rebuild files.
N denotes the number of different building blocks used in our approach. We make use
of the default value N = 16 .
For 0≤ k ≤ N we refer to the k -th building block as bb k .
l denotes the length of a building block in bytes. Throughout this paper we assume a
default value of l= 128 .
l bit denotes the length of a building block in bits. In this paper we assume a default
value of l bit = 8⋅ 128= 1024 .
L f denotes the length of an input (file) in bytes.
bbHash denotes our new proposed fuzzy hash function on base of building blocks.
BS denotes a byte string of length l : BS = B0 B1 B 2 ... B l− 1 .
BS i denotes a byte string of length l starting at offset byte i within the input file:
BS i = Bi Bi+ 1 Bi+ 2 ... B i+ l − 1 .
t denotes the threshold value. t is an integer with 0≤ t≤ l bit .
2. FOUNDATIONS AND RELATED WORK
According to [Menezes et al., 1997] hash functions have two basic properties, compression and ease of
computation. In this case compression means that regardless the length of the input, the output has a
fixed length. This is why the term Fuzzy Hashing might be a little bit confusing and similarity digest is
more appropriate – most of the similarity preserving algorithms do not output a fixed sized hash value.
Despite this fact we call a variable-sized compression function hf a fuzzy hash function if two similar
inputs yield similar outputs.
The first fuzzy hashing approach on the byte level was proposed by Kornblum in 2006 [Kornblum,
2006], which is called context-triggered piecewise hashing, abbreviated as CTPH. Kornblum’s CTPH
is based on a spam detection algorithm of Andrew Tridgell [Tridgell, 2002]. The main idea is to
compute cryptographic hashes not over the whole file, but over parts of the file, which are called
chunks. The end of each chunk is determined by a pseudo-random function that is based on a current
context of 7 bytes. In recent years, Kornblum’s approach was examined carefully and several papers
had been published.
[Chen and Wang, 2008, Roussev et al., 2007, Seo et al., 2009] find ways to improve the existing
implementation called ssdeep with respect to both efficiency and security. On the other side [Baier and
Breitinger, 2011, Breitinger, 2011] show attacks against CTPH with respect to blacklisting and
whitelisting and also some improvements for the pseudo random function.
[Roussev, 2009, Roussev, 2010] present a similarity digest hash function sdhash, where the idea is “to
select multiple characteristic (invariant) features from the data object and compare them with features
selected from other objects”. He uses multiple unique 64-byte features selected on the basis of their
entropy. In other words files are similar if the have the same features/byte-sequences. [Sadowski and
91
Levin, 2007] explains a tool called Simhash which is another approach for fuzzy hashing “based on
counting the occurrences of certain binary strings within a file”. As we denote a similarity preserving
hash function a fuzzy hash function, we rate ssdeep, sdhash and Simhash as possible implementations
for fuzzy hashing.
[Roussev et al., 2006] comes with a tool called md5bloom where “the goal is to pick from a set of
forensic images the one(s) that are most like (or perhaps most unlike) a particular target”. In addition,
it can be used for object versioning detection. The idea is to hash each hard disk block and insert the
fingerprints into a Bloom filter. Hard disks are similar if their Bloom filters are similar.
3. A NEW FUZZY HASHING SCHEME BASED ON BUILDING BLOCKS
In this section, we explain our fuzzy hashing approach bbHash. First, in Sec. 3.1 we describe the
generation of the building blocks followed by the algorithm details in Sec. 3.2. Finally, Sec. 3.3
describes how to compare two bbHash similarity digests.
bbHash aims at the following paradigm:
1. Full coverage: Every byte of the input file is expected to be within at least one offset
of the input file, for which a building block is triggered to contribute to the bbHash.
This behavior is very common for hash functions: each byte influences the hash value.
2. Variable-sized length: The length of a file’s bbHash is proportional to the length of the
original file. This is in contrast to classical hash functions. However, it ensures to be
able to store sufficiently information about the input to have good similarity
preserving properties of bbHash.
3.1 Building Blocks
We first turn to the set of building blocks. Their number is denoted by N . In our current
implementation we decided to set the default value to N = 16 . Then we can index each building
block by a unique hex digit 0,1 ,2... f (half a byte), therefore we have the building blocks
bb0 , bb 1 ,... bb16− 1 . This index is later used within the bbHash to uniquely reference a certain
building block.
The length of a building block in bytes is referred to by l and influences the following two aspects:
1. A growing l decreases the speed performance as the Hamming distance is computed
at each offset i for l bytes.
2. An increased l shortens the length of the hash value as there should be a trigger
sequence every l bytes approximately (depending on the threshold t ).
Due to run time efficiency reasons we decided to use a ‘short’ building block size compared to the file
size. Currently we make use of l= 128 .
The generation of the building blocks is given in Fig. 1. We use the rand() function to fill an array of
unsigned integers. Hence, all building blocks are stored in one array whereby the boundaries can be
determined by using their size. As rand() uses the same seed each time, it is a deterministic generation
process. Using a fixed set of building blocks is comparable to the use of a fixed initialization vector
(IV) of well-known hash functions like SHA-1. A sample building block is given in Fig. 2.
92
Fig. 1. Generation of the building blocks
Fig. 2: Building block with index 0
3.2 Our Algorithm bbHash
In this section we give a detailed description of our fuzzy hash function bbHash. It works as follows:
To find the optimal representation of a given file by the set of building blocks, we slide through the
input file byte-by-byte, read out the current input byte sequence of length l , and compute the
Hamming distances of all building blocks against the current input byte sequence. If the building block
with the smallest Hamming distance is smaller than a certain threshold, too, its index contributes to the
file’s bbHash.
We write L f for the length of the input file in bytes. The pseudocode of our algorithm bbHash is
given in Algorithm 1. It proceeds as follows for each offset i within the input file, 0≤ i≤ L f − 1− l :
If BS i denotes the byte sequence of length l starting at the i -th byte of the input, then the algorithm
computes the N Hamming distances of BS i to all N building blocks: hd k ,i = HD(bbk , BS i ) is
the Hamming distance of the two parameters bb k and BS i , 0≤ k < N . As the Hamming distance is
the number of different bits, we have 0≤ hd k , i ≤ 8⋅ l . In Sec. 3.1 we defined the default length of a
building block in bytes to be 128, i.e. we assume l= 128 . As an example HD (bb2, BS 100 ) returns
the Hamming distance of the building block bb 2 and the bytes B100 to B 227 of the input. In other
words the algorithm slides through the input, byte-by-byte, and computes the Hamming distance at
each offset for all N building blocks like it is given in Fig. 3.
The bbHash value is formed by the ordered indicies of triggered building blocks. In order to
trigger a building block to contribute to the bbHash, it has to fulfill two further conditions:
1. For a given i (fixed offset), we only make use of the closest building block, i.e. we
are looking for the index k with the smallest Hamming distance hd k ,i .
93
2. This smallest hd k ,i also needs to be smaller than a certain threshold t .
Each BS i that fulfills both conditions will be called a trigger sequence. To create the final bbHash
hash value, we concatenate all indicies k of all triggered building blocks (in case we have two
triggered building blocks for BS i , only the smallest index k is chosen).
94
Fig. 3: Workflow of the Algorithm
In Sec. 3.1 we’ve already motivated why the choices l= 128 and N = 16 are appropriate for our
approach. In what follows we explain how to choose a fitting threshold t . Our first paradigm in the
introduction to Sec. 3 states full coverage, i.e. every byte of the input file is expected to be within at
least one offset of the input file, for which a building block is triggered to contribute to the bbHash.
Thus we expect to trigger every l -th byte, i.e. every 128-th byte. In order to have some overlap, we
decrease the statistical expectation to trigger at every 100-th byte.
For our theoretic considerations we assume a uniform probability distribution on the input file blocks
of byte length l . Let d be a non-negative integer (the distance) and P (hd k ,i = d ) denote the
probability, that the Hamming distance of our building block k at offset i of the input file is equal to
d.
1. We first consider the case d = 0 , i.e. the building block and the input block coincide.
l
1024
Then we simply have P (hd k ,i = 0)= 0.5 = 0.5 .
bit
(ld ) possibilities to find an input file block of Hamming distance
l
⋅ 0.5 = 1024 ⋅ 0.5
d to bb . Thus P (hd = d )= ( )
(d ) .
d
2. For d ≥ 0 we have
k
bit
k ,i
bit
l bit
1024
3. Finally, the probability to receive a Hamming distance smaller than t for bb k is
The binomial coefficients in Eq. (1) are large integers and we make use of the computer
algebra system LiDIA2 to evaluate Eq. (1) (LiDIA is a C++-library maintained by the
Technical University of Darmstadt).
2. http://www.cdc.informatik.tu-darmstadt.de/TI/LiDIA/ ; visited 05.09.2011
95
Let p t denote the probability that at least one of the N buildings blocks satisfies Eq. (1), i.e. we
trigger our input file and find a contribution to our bbHash. This may easily computed by the opposite
N
probability that none of the building blocks triggers, that is pt = 1− (1− p 1) . As explained above
we aim at pt = 0.01 . Thus we have to find a threshold t with
Now we use our LiDIA-computations of Eq. (1) to identify a threshold of t= 461 . An example hash
value of a 68,650 byte (≈ 70 kbyte) JPG image is given in Fig. 4. Overall the hash value consists of
693 digits which is 346.5 bytes and therefore approximately 0.5% of the input.
3.3 Hash Value Comparison
This paper focuses on the hash value generation and not on its comparison. Currently there are two
approaches from existing fuzzy hash functions which could be also usable for bbHash:


Roussev uses Bloom filters where the similarity can be identified by generating the
Hamming distance.
Kornblum uses the weighted edit distance to compare the similarity of two hash
values.
Fig. 4: bbHash of a 68,650 byte JPG-Image
Both approaches may easily be adopted to be used for bbHash.
4. ANALYSIS OF BBHASH
In this section we analyze different aspects of our approach. The length of the hash values and how
can it be influenced by different parameters is presented in Sec. 4.1. Our current choices yield a
bbHash of length 0.5% of the input size. This is an improvement by a factor 6.5 compared to sdhash,
where for practical data the similarity digest comprises 3.3% of the input size. Next, in Sec. 4.2 we
discuss the applicability of bbHash depending on the file size of the input. An important topic in
96
computer forensics is the identification of segments of files, which is addressed in Sec. 4.3. The run
time performance is shown in Sec. 4.4. At least we have a look at attacks and compare our approach
against existing ones. We show that bbHash is more robust against an active adversary compared to
ssdeep.
4.1 Hash Value Length
The hash value length depends on three different properties: the file size L f , the threshold t and the
building block length l . If we expect that both other parameters are fixed, then
 a larger L f will increase the hash value length as the input is supposed to have more
trigger sequences.
 a higher t will increase the hash value length as more BS i will have a Hamming
distance lower than the threshold t .
 a large l will decrease the performance and the hash value length3.
In order to have full coverage our aim is to have a final hash value where every input byte influences
the final hash value. Due to performance reasons we’ve decided for a building block length of
l= 128 byte. As we set the threshold to t= 461 , the final hash value length nearly results in
L f /100 digits whereby every 100 digit has half a byte length. Thus the final hash value is
approximately 0.5% of the original file size.
Compared to the existing approach sdhash where “the space requirements for the generated similarity
digests do not exceed 2.6% of the source data” [Roussev, 2010], it is quite short. However, for real
data sdhash generates similarity digests of 3.3% of the input size.
Besides these two main aspects the file type may also influence the hash value length. We expect that
random byte strings will have more trigger sequences. Therefore we think that compressed file formats
like ZIP, JPG or PDF have very random byte strings and thus yield a bbHash of 0.5% of the input size.
This relation may differ significantly when processing TXT, BMP or DOC formats as they are less
random.
4.2 Applicability of bbHash Depending on the File Size
Our first prototype is very restricted in terms of the input file size and will not work reliable for small
files. Files smaller than the building blocks’ length l cannot have a trigger sequence and cannot be
hashed. To receive some trigger sequences the input file should be at least 5000 bytes, which results in
5000− l− 1 possible trigger sequences. On the other side large files result in very long hashes
wherefore we recommend to process files smaller than a couple of megabytes.
By changing the threshold t , it is possible to influence the hash value length. We envisage to
customize this parameter depending on the input size which will be a future topic.
4.3 Detection of Segments of Files
A file segment is a part of a file, which could be the result of fragmentation and deletion. For instance,
if a fragmented file is deleted but not overwritten, then we can find a byte sequence, but do not know
anything about the original file. Our approach allows to compare hashes of those pieces against hash
values of complete files. Depending on the fragment size, ssdeep is not able to detect fragments
(roughly ssdeep may only fragments being at least about half the size of the original file size).
Fig. 5 simulates the aforementioned scenario. We first copy a middle segment of 20000 byte from the
3. Remember, we would like to have a triggering in approximately every l-th byte and therefore we have to adjust t.
97
JPG image from Fig. 4 using dd. We then compute the hash value of this segment. If we compare this
hash value against Fig. 44 (starting line 4), we recognize that they are completely identical. Thus we
can identify short segments as a part of its origin.
Fig. 5: Hash value of a segment. The bbHash of the whole file is listed in Fig. 4.
4.4 Run Time Performance
The run time performance is the main drawback of bbHash which is quite slow compared to other
approaches. ssdeep needs about 0.15 seconds for processing a 10MiB file where bbHash needs about
117 seconds for the same file. This is due to the use of building blocks as external comparison data
structures and the computation of their Hamming distance to the currently processed input byte
sequence. Recall that at each position i we have to build the Hamming distance of 16 building blocks
each with a length of 1024 bits. To receive the Hamming distance we XOR both sequences and count
the amount of remaining ones (bitcount( bb k ⊕ BS i )). To speed up the counting process, we
16
precomputed the amount of ones for all sequences from 0 to 2 − 1 Bits. Thus we can lookup each
l
1024
bit
16-Bit-sequence with a complexity of O (1) . But since we have N⋅ 16 = 16⋅ 16 = 1024 lookups
at each processed byte of the input it is quite slow.
Although the processing in its first implementation is quite slow which results from a straight forward
programming, this problem is often discussed in literature and there are several issues for
improvements. For instance [Amir et al., 2000] states that their algorithm finds all locations where the
t log t) . Compared against our algorithm which needs
pattern has at most t errors in time O ( L f √
time O ( L f ⋅ l) that’s a great improvement. As we make use of N building blocks, we have to
multiply both run time estimations by N . For a next version we will focus on improving the run time
performance.
4.5 Attacks
This section is focusing on attacks with respect to both forensic issues blacklisting and whitelisting.
From an attacker’s point of view anti-blacklisting/anti-whitelisting can be used to hide information
and increase the amount of work for investigators.
Anti-blacklisting means that an active adversary manipulates a file in a way that fuzzy hashing will not
identify the files as similar – the hash values are too different. We rate an attack as successful if a
human observer cannot see a change between the original and manipulated version (the files
4. We rearranged the output by hand to make an identification easier.
98
look/work as expected). If a file was manipulated successfully then it would not be identified as a
known- to-be-bad file and will be categorized as unknown file.
The most obvious idea is to change the triggering whereby the scope of each change depends on the
Hamming distance. For instance, at position i the Hamming distance is 450, then an active adversary
has two possibilities:
1. He needs to change at least 11 bits in this segment to overcome the threshold t and kick out
this trigger sequence from the final hash.
2. He needs to manipulate it in a way that another bb has a closer Hamming distance.
In a worst case each building block has a Hamming distance of 460 and a ‘one-bit- change’ is enough
to manipulate the triggering. In this case an active adversary approximately needs to change L f /100
bits, one bit for each position i . Actually a lot of 100 more changes needs to be done as there are also
positions where the Hamming distance is much lower than 460. This is an improvement compared to
sdHash where it is enough to change exactly one bit in every identified feature. Compared to
Kornblum’s ssdeep this is also a great improvement as [Baier and Breitinger, 2011] states that in most
of the cases 10 changes are enough to receive a non-match.
Our improvement is mainly due to the fact that in contrast to ssdeep and sdhash we do not rely on
internal triggering, but on external. However, the use of building blocks results in the bad run time
performance as discussed in Sec. 4.4.
Anti-whitelisting means that an active adversary uses a hash value from a whitelist (hashes of knownto-be-good files) and manipulates a file (normally a known-to-be-bad file) that its hash value will be
similar to one on the whitelist. Again we rate an attack as successful if a human observer couldn’t see
a change between the original and manipulated version (the files look/work as expected).
In general this approach is not preimage-resistance as it is possible to create files for a given signature:
generate valid trigger sequences for each building block and add some zero-strings in between. The
manipulation of a specific file to a given hash value should also be possible but will result in an
useless file. In a first step an active adversary has to remove all existing trigger sequences (result in
approximately L f /100 ). Second, he needs to 100 imitate the triggering behavior of the white-listed
file which will cause a lot of more changes.
5. CONCLUSION & FUTURE WORK
We have discussed in the paper at hand a new approach for fuzzy hashing. Our main contribution is a
tool called bbHash that is more robust against anti- blacklisting than ssdeep and sdHash due to the use
of external building blocks. The final signature has about 0.5% of the original file size, is not fixed and
can be adjusted by several parameters. This allows us to compare very small parts of a file against its
origin which could arise due to file fragmentation and deletion.
In general there are two next steps. On the one side the run time performance needs to be improved
wherefore we will use existing approaches (e.g. given in [Amir et al., 2000]). On the other side we
have to do a security analysis for our approach to give more details about possible attacks. Knowing
attacks also allows further improvements of bbHash.
6. ACKNOWLEDGEMENTS
This work was partly supported by the German Federal Ministry of Education and Research (project
OpenC3S) and the EU (integrated project FIDELITY, grant number 284862).
99
7. REFERENCES
[Amir et al., 2000] Amir, A., Lewenstein, M., and Porat, E. (2000). Faster algorithms for string
matching with k mismatches. In 11th annual ACM-SIAM symposium on Discrete algorithms, SODA
’00, pages 794–803, Philadelphia, PA, USA. Society for Industrial and Applied Mathematics.
[Baier and Breitinger, 2011] Baier, H. and Breitinger, F. (2011). Security Aspects of Piecewise
Hashing in Computer Forensics. IT Security Incident Management & IT Forensics, pages 21–36.
[Breitinger, 2011] Breitinger, F. (2011). Security Aspects of Fuzzy Hashing. Master’s thesis,
Hochschule Darmstadt.
[Chen and Wang, 2008] Chen, L. and Wang, G. (2008). An Efficient Piecewise Hashing Method for
Computer Forensics. Workshop on Knowledge Discovery and Data Mining, pages 635–638.
[Kornblum, 2006] Kornblum, J. (2006). Identifying almost identical files using context triggered
piecewise hashing. In Digital Investigation, volume 3S, pages 91–97.
[Maddodi et al., 2010] Maddodi, S., Attigeri, G., and Karunakar, A. (2010). Data Dedu- plication
Techniques and Analysis. In Emerging Trends in Engineering and Technology (ICETET), pages 664–
668.
[Menezes et al., 1997] Menezes, A., Oorschot, P., and Vanstone, S. (1997). Handbook of Applied
Cryptography. CRC Press.
[NIST, 2011] NIST (2011). National Software Reference Library. [Roussev, 2009] Roussev, V.
(2009). Building a Better Similarity Trap with Statistically Improbable Features. 42nd Hawaii
International Conference on System Sciences, 0:1– 10.
[Roussev, 2010] Roussev, V. (2010). Data fingerprinting with similarity digests. Internation
Federation for Information Processing, 337/2010:207–226.
[Roussev et al., 2006] Roussev, V., Chen, Y., Bourg, T., and Rechard, G. G. (2006). md5bloom:
Forensic filesystem hashing revisited. Digital Investigation 3S, pages 82– 90.
[Roussev et al., 2007] Roussev, V., Richard, G. G., and Marziale, L. (2007). Multi-resolution
similarity hashing. Digital Investigation 4S, pages 105–113.
[Sadowski and Levin, 2007] Sadowski, C. and Levin, G. (2007). Simhash: Hash-based similarity
detection. http://simhash.googlecode.com/svn/ trunk/paper/SimHashWithBib.pdf.
[Seo et al., 2009] Seo, K., Lim, K., Choi, J., Chang, K., and Lee, S. (2009). Detecting Similar Files
Based on Hash and Statistical Analysis for Digital Forensic Investigation. Computer Science and its
Applications (CSA ’09), pages 1–6.
[Tridgell, 2002] Tridgell, A. (2012). Spamsum. Readme.
http://samba.org/ftp/unpacked/junkcode/spamsum/README, 03.01.2012
[Turk and Pentland, 1991] Turk, M. and Pentland, A. (1991). Face recognition using eigenfaces. In
Computer Vision and Pattern Recognition, 1991. IEEE, pages 586 –591.
[Walter, 2005] Walter, C. (2012). Kryder’s law,
http://www.scientificamerican.com/article.cfm?id=kryders-law&ref=sciam, 18.01.2012
100
CLOUD FORENSICS INVESTIGATION: TRACING
INFRINGING SHARING OF COPYRIGHTED CONTENT IN
CLOUD
Yi-Jun He, Echo P. Zhang, Lucas C.K. Hui, Siu Ming Yiu, K.P. Chow
Department of Computer Science, The University of Hong Kong
Phone: +852-22415725; Fax: +852-25598447;
E-mail:{yjhe, pzhang2, hui, smyiu, chow}@cs.hku.hk
ABSTRACT
Cloud Computing is becoming a significant technology trend nowadays, but its abrupt rise also creates
a brand new front for cybercrime investigation with various challenges. One of the challenges is to
track down infringing sharing of copyrighted content in cloud. To solve this problem, we study a
typical type of content sharing technologies in cloud computing, analyze the challenges that the new
technologies bring to forensics, formalize a procedure to get digital evidences and obtain analytical
results based on the evidences to track down illegal uploader. Furthermore, we propose a reasoning
model based on the probability distribution in a Bayesian Network to evaluate the analytical result of
forensics examinations. The proposed method can accurately and scientifically track down the origin
infringing content uploader and owner.
Keywords: cloud forensics, peer to peer, file sharing, tracking, CloudFront
1. INTRODUCTION
With broadband Internet connection and with P2P programs such as Gnutella, FrostWire, BearShare,
BitTorrent, and eMule, it takes very little effort for someone to download songs, movies, or computer
games. But nowadays, people make use of it to share copyrighted files, or even images of child sexual
exploitation. Since October 2009, over 300,000 unique installations of Gnutella have been observed
sharing known child pornography in the US. Thus, many research works have been focused on
criminal investigations of the trafficking of digital contraband on Peer-to-Peer (P2P) file sharing
networks (Chow et al. 2009, Ieong et al. 2009, Ieong et al. 2010, Liberatore et al. 2010).
Recently, cloud computing has been dramatically developed and will soon become the dominant IT
environment. It is a new computing platform where thousands of users around the world can access to
a shared pool of computing resources (e.g., storage, applications, services, etc.) without having to
download or install everything on their own computers, and only requires a minimal management
effort from the service provider. Several big service providers, Amazon, Apple, Google, etc. start to
provide content sharing services in cloud which can offer the file sharing functionalities like what P2P
networks can offer. With the cloud environment, file sharing becomes more convenient and efficient,
since sharing can be done through web browser without requiring software installation, and cloud
provides strong computation power and fast transmitting speed. Thus it is possible that cloud based
content sharing will substitute the existing file sharing programs one day.
1.1 Can Existing Investigative Models be Applied to Cloud Computing?
Before cloud computing emerging, most forensics investigation models are built on P2P networks.
When cloud based infringing content sharing happens, can existing investigative model for analyzing
P2P network be applied to analyze cloud based file sharing network? The answer is NO, because
cloud content sharing systems differentiate from P2P sharing systems in the following aspects:
1. Cloud Computing provides storage capacity at dedicate, and data is automatically
geographically dispersed on edge servers on the cloud; while P2P file sharing systems support
the trading of storage capacity between a network of ’peers’.
101
2. Typically, Cloud file sharing systems operate in a centralized fashion that end user is directed
to an edge server that is near them to get data based on a complex load balancing process; but
P2P services operate in a decentralized way that nodes on the Internet cooperate in an overlay
network consisting of peers, where each peer is both a consumer and a producer of data and
gets different piece of data from other peers.
3. Further, cloud file sharing services are paid services, where the user pays, for instance, per
amount of data kept in storage and the amount of network traffic generated to upload or
download files. Contrary to cloud storage services, P2P file sharing systems are typically not
subscription based, but rather depend on group members that are part of a peer network to
trade resources, primarily disk capacity and network bandwidth.
1.2 Contributions
This is the first paper providing accurate investigations of such content sharing networks in cloud. We
analyze the functionality a typical cloud content sharing system: CloudFront, formalize an
investigation procedure, and build an analysis model on it. Our research can help investigators:
1.
2.
3.
4.
Confidently state from where and how various forms of evidences are acquired in cloud;
Understand the relative strength of each evidence;
Validate that evidences from the fruits of a search warrant;
Assess the accuracy of the investigation result based on the evidences obtained using a
Bayesian network.
In section 2, we give an overview of related works. In section 3, we introduce the background of the
content sharing system. In section 4, we simulate the crime, and describe the investigation process. In
section 5, we propose a Bayesian Network based model to obtain analytical results based on the
evidences. In section 6, we analyze the proposed model in several aspects. Finally, we conclude the
whole paper.
2. RELATED WORK
Many works have been proposed to solve security and privacy problems in the cloud field (Angin et
al. 2010, Bertino et al. 2009, He et al. 2012). They focus on aspects for protecting user privacy and
anonymous authentication. Works (Wang et al. 2010, Wang et al. 2011) improve data security in
cloud using crypto technologies.
Also, traditional computer forensics have already had many works published on how to establish
principles and guidelines to retrieve digital evidence (Grance et al. 2006). Works (Aitken et al. 2004,
Kwan et al. 2007) show how to formulate hypotheses from evidence and evaluate the hypotheses’
likelihood for the sake of legal arguments in court. In addition, the aspects of forensics in tracking
infringing files sharing in P2P networks have been addressed by several works (Chow et al. 2009,
Ieong et al. 2009, Ieong et al. 2010, Liberatore et al. 2010).
In contrast with the maturity of research on cloud security and privacy and traditional computer
forensics, the research on forensic investigations in cloud computing are relatively immature. To the
best of knowledge, our paper is the first work addressing the problem of tracking infringing sharing of
copyrighted content in the cloud. There are other works (Birk et al. 2011, Marty 2011, Zafarullah et al.
2011) discussing the issues of forensic investigations in cloud, but (Marty 2011, Zafarullah et al.
2011) focus on how to log the data needed for forensic investigations, (Birk et al. 2011) gives an
overview on forensic investigations issues without providing concrete solutions or investigation
model.
3. BACKGROUND
In this section, we provide a technical overview of a content sharing system: CloudFront, which is a
typical cloud based content sharing network.
102
Amazon CloudFront (Amazon 2012) is a web service for content delivery. It delivers your content
through a worldwide network of edge locations. End users are routed to the nearest edge location, so
content is delivered with the best possible performance.
A CloudFront network is made up of four types of entities:

Objects are the files that the file owner wants CloudFront to deliver. This typically
includes web pages, images, and digital media files, but can be anything that can be
served over HTTP or a version of RTMP.

Origin Server is the location where you store the original, definitive version of your
objects.

Distribution is a link between your origin server and a domain name that CloudFront
automatically assigns. If your origin is an Amazon S3 bucket, you use this new
domain name in place of standard Amazon S3 references. For example,
http://mybucket.s3.amazonaws.com/image.jpg would instead be
http://somedomainname.cloudfront.net/image.jpg.

Edge location is a geographical site where CloudFront caches copies of your objects.
When an end user requests one of your objects, CloudFront decides which edge
location is best able to serve the request. If the edge location doesn’t have a copy,
CloudFront goes to the origin server and puts a copy of the object in the edge
location.
To share a file using CloudFront, the file owner first makes and publishes a distribution. The process
is shown in Figure 1 and it includes:
1. Register an account on the origin server, and place objects in the origin server and make them
publicly readable.
2. Create CloudFront distribution and get the distribution’s domain name that CloudFront
assigns. Example distribution ID: EDFDVBD632BHDS5, and Example domain name:
d604721fxaaqy9.cloudfront.net. The distribution ID will not necessarily match the domain
name.
3. Create the URLs that end users will use to get the objects and include them as needed in any
web application or website. Example URL:
http://d604721fxaaqy9.cloudfront.net/videos/video.mp4.
Fig. 1. The working protocol of Amazon CloudFront.
103
To download a shared file from CloudFront, the end user needs to do the following steps. For
simplicity, we assume the end user resides in Hong Kong.
1. After clicking the URL from the web application or website, CloudFront determines which
edge location would be best to serve the object. In this case, it is the Hong Kong location.
2. If the Hong Kong edge location doesn’t have a copy of video.mp4, CloudFront goes to the
origin server and puts a copy of video.mp4 in the Hong Kong edge location.
3. The Hong Kong edge location then serves video.mp4 to the end user and then serves any other
requests for that file at the Hong Kong location.
4. Later, video.mp4 expires, and CloudFront deletes video.mp4 from the Hong Kong location.
CloudFront doesn’t put a new copy of video.mp4 in the Hong Kong location until an end user
requests video.mp4 again and CloudFront determines the Hong Kong location should serve the
image.
4. INVESTIGATION PROCESS
The objective of investigation is to obtain evidences through observation of data from the Internet and
other possible parties, such as service providers or seized devices. In this section, we discuss
techniques and methods for collecting evidences from Amazon CloudFront.
As the cloud based content sharing is new, we do not have a real case in Hong Kong to study. Thus we
have to suppose there is a crime and simulate the whole crime process based on the most common and
regular criminal behaviors, and find out what evidences the criminal may leave. Our paper gives a
good guidance for collecting evidences if a real case happens in the future.
In this part, we simulate a suspect intends to share infringing files using Amazon CloudFront. A
general case is that the suspect has a movie in his computer and wants to share the movie publicly. The
suspect needs to do following steps:
1. Subscribe to Amazon CloudFront service, providing email address, user name and credit card
information to service provider.
2. Register an origin server, providing email address and user name to the server administrator.
3. Upload infringing files from local disk to the origin server. This step may involve installing a
FTP/FTPS/SFTP client software in order to do the uploading.
4. Login Amazon CloudFront to create a distribution for the infringing file. The distribution is
the URL link to the file in the CloudFront network.
5. Register a forum, and publish the distribution to the forum. When end users click the
distribution, CloudFront will retrieve the files from the nearest edge location.
Once such an illegal sharing happens, we can follow the guidance below to track the suspect:
First, we can trace the suspect file link uploader’s IP address through four steps (Ei represents
evidence i):
1. E1: The suspect posted the distribution, the posted message is found.
2. E2: The suspect has a forum account and he is logged in. So, the suspect’s forum account is
found.
3. E3: The IP address must be recorded by the forum. Check with the forum administrator for the
IP address of the user who created the posts.
4. E4: Check with Internet Service Providers for the assignment record of IP address to get its
subscribed user.
Through the above four steps, we are only sure that the suspect has posted a link on the forum, but not
sure about whether it is the same suspect who created the link. Thus the second step is to check with
104
the CloudFront provider for four issues:
1. E5: The suspect has an Amazon CloudFront account, and logged in the CloudFront with the
tracked IP address.
2. E6: The origin server domain name is found under the suspect’s CloudFront account.
3. E7: The infringing file distribution creation record is found under the suspect’s CloudFront
account.
4. E8: The registered credit card holder of that CloudFront account is the suspect.
The third step is to check with the origin server administrator that the suspect is the infringing file
owner. The evidences include
1. E9: The suspect has an origin server account, and logged in the origin server with the tracked
IP address.
2. E10: The infringing file exists under the suspect origin server account.
The last step is to find out the devices that the suspect used to do the infringing file sharing. The
evidences include
1. E11: Hash value of the infringing file matches that of the file existing on the suspect’s devices
(including Tablet PC, Laptop, Desktop Computer or Mobile Phone).
2. E12: A FTP/FTPS/SFTP client software is installed on the devices.
3. E13: Origin server connection record is found in FTP/FTPS/SFTP client software.
4. E14: Infringing file transmission record is found in FTP/FTPS/SFTP client software.
5. E15: Cookie of the Origin server is found on the devices.
6. E16: Internet history record on Origin server is available.
7. E17: URL of Origin server is stored in the web browser.
8. E18: The distribution origin name is the origin server.
9. E19: Credit card charge record of CloudFront is found.
10. E20: Cookie of the CloudFront website is found.
11. E21: CloudFront service log-in record is found.
12. E22: Distribution creation record is found.
13. E23: Removing the file in origin server will affect the distribution validity.
14. E24: Web browser software is available on the devices.
15. E25: Internet connection is available.
16. E26: Internet history record on publishing forum is found.
17. E27: The distribution link posted on the forum is as the same as what is created in CloudFront.
18. E28: Cookie of the publishing forum is found.
5. THE PROPOSED MODEL FOR ANALYZING EVIDENCES
In this part, we construct a Bayesian model to analyze the evidences found above and calculate the
probability of guilt. We begin the construction with the set up of the top-most hypothesis, which is
Hypothesis H: “The suspect is the origin file owner and the uploader”
Usually, this hypothesis represents the main argument that the investigator wants to determine. It is the
root node. It is an ancestor of every other node in the Bayesian Network, hence its state’s probabilities
are unconditional. To support the root hypothesis, sub-hypotheses may be added to the Bayesian
Network, since they are useful for adjusting the model to a more clearly structured graph. As show in
Table 1, in the CloudFront model, four sub-hypotheses are created for the root node and four sub-subhypotheses are created for the hypothesis H4.
105
Table 1. Hypotheses with CloudFront
H1
H2
H3
H4
H4-1
H4-2
H4-3
H4-4
The suspect posted a link to the forums.
The suspect created the link using CloudFront.
The suspect is the file owner.
The seized devices (including Tablet PC, Laptop, Desktop Computer, Mobile Phone)
have been used as the initial sharing machine to share infringing file on Internet.
Has the pirated file uploaded from the seized devices to the origin server?
Has the distribution on the origin server been created using CloudFront?
Has the connection between the seized devices and the CloudFront been maintained?
Has the distribution been posted to newsgroup forum for publishing?
The built Bayesian model is shown in Figure 2:
Fig. 2. Bayesian Network Diagram for Amazon CloudFront.
5.1 How To Use the Model for Assessment
Initialization Take the Bayesian network model for Amazon CloudFront as an example. The possible
states of all evidences are:“Yes, No, Uncertain”. All hypotheses are set to be “Unobserved” when
there is no observation made to any evidence. The initial prior probability P(H) is set to be Yes:
0.3333, No: 0.3333, Uncertain: 0.3333. The initial conditional probability value of each evidence is set
as shown in Figure 3. Take E9 as an example, we assign an initial value of 0.85 for the situation when
H3 and E9 are both “Yes”. That means when the suspect is the file owner, the chance that the suspect
has an origin server account, and logged in the origin server with the tracked IP address is 85%. The
resulting posterior probability P(Hi) and P(Hij), that is the certainty of Hi and Hij based on the
initialized probability values of evidences, should be evenly distributed amongst their states, as show
in Table 2.
106
Fig. 3. The Initial Conditional Probabilities.
Table 2. Bayesian Network Initial Posterior Probability
Hypotheses
H1
H2
H3
H4
H4-1
H4-2
H4-3
H4-4
Initial Posterior Probability
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Yes: 0.3333, No: 0.3333, Uncertain: 0.3333
Assessment In the investigation process, if an evidence Ei is found, then the state of that evidence
should be changed to “Yes”, and the prior probability P(Ei) should be set to 1. On the other hand, if
the evidence is not found, then the state of that evidence should be changed to “No” or “Uncertain”. If
“No”, the prior probability of that evidence should be 0; if “Uncertain”, the prior probability of that
evidence should be set subjectively between 0-1. If we assume all evidences are found, and switch all
the entailing evidences to state “Yes”, the propagated probability values of the hypotheses are shown
in Table 3. According to the Bayesian Network calculation, the posterior probability of H at state
“Yes” reaches the highest value 99.8819% under this circumstance, which means that there is a
maximum chance of 99.8819% that the suspect is the origin file owner and uploader.
Table 3. Propagated Probability Values of the Hypothesis
Hypotheses
H
H1
H2
H3
H4
H4−1
H4−2
H4−3
H4−4
Posterior probability when all evidences are found
Yes: 0.998819, No: 0.00118103, Uncertain: 0
Yes: 0.999823, No: 0.000177368, Uncertain: 0
Yes: 0.999823, No: 0.000177368, Uncertain: 0
Yes: 0.994364, No: 0.00563629, Uncertain: 0
Yes: 0.998967, No: 0.00103306, Uncertain: 0
Yes: 0.999999, No: 9.7077e-007, Uncertain: 0
Yes: 0.999994, No: 5.50123e-006, Uncertain: 0
Yes: 0.849277, No: 0.150723, Uncertain: 0
Yes: 0.999025, No: 0.000975118, Uncertain: 0
107
However, in reality, some evidences may not be found, so we should correspondingly amend the
absent evidences states from “Yes” to “No”. For example, we assume the evidences E17, E10, E7 are not
found, thus we change the states of them from “Yes” to “No”. As a result, the posterior probability of
H at state “Yes” will be reduced from 99.8819% to 99.3379%. The result shows that the posterior
probability of H would be reduced if some evidences are absent.
We used the software “MSBNx” (Microsoft, 2001) to calculate the probability of the hypotheses. The
above analysis result of the root hypothesis tells the judge the probability that a hypothesis is true. In
our experiment, if all evidences are found, the probability would be more than 99%. The numerical
result is a good scientific reference to the judge. If real cases happen, investigators can use this model
to evaluate the digital forensics findings, and adjust the evidences found, thus get a quantitive
probability of the crime.
6. ANALYSIS OF THE MODEL
Though Bayesian Network has been used for a while in security and forensics, our analysis below
shows that its construction and usage in cloud has its own characteristics.
6.1 Difficulties in Building the Model
Following the guidances in section 4, it is not difficult to find out the origin file link uploader and file
owner. However, the nature of the cloud causes some difficulties when following our guidances to do
investigation.

First, in the cloud environment, file sharing is centrally controlled. Inevitably,
investigators need assistance from cloud service providers (SPs), such as Amazon, in
order to lock-in the suspect fast. However, many of the cloud SPs are international
organizations, so there are a number of restrictions placed on connecting evidences
from foreign organizations. Some of these restrictions are the decision of the foreign
Government, while others are the result of international organizations being unwilling
to leak customers information. Thus, one may wonder if the cloud SPs do not
collaborate with forensics investigators, does the model still work?

Fortunately, the following evaluation result of our model shows that, it is still possible
to track the suspect with a high probability even without the help from the cloud SP.
If without the help of cloud SP, E5...E8 would be absent. Thus, we set the states of
E5...E8 to be “No”, and keep the states of other evidences to be “Yes”. As a result,
P(H2) is dramatically reduced to 0.53%, and P(H) is reduced from 99.8819% to
96.38%. The result shows that, though the cloud SP is an important third party to
provide valuable evidences, its absence would not affect much of the final result when
other evidences are all found.

The second difficulty is that the suspect can use mobile phones or other persons’
computers to upload the files. Also, cloud computing allows using web based
technology, which makes content sharing easy from any device that supports a web
browser. As a result, investigators may not be able to get any evidence if just
investigate suspect’s personal computers, or may miss some important evidences
existing in other devices. Thus it expands the scope of the investigation. For example,
when finding the evidences supporting H4 in our model, investigators must investigate
all devices with browsers, including Tablet PC, laptop, desktop computer, mobile
phone.
108
6.2 Sensitive Data Analysis
From the model, we can find some evidences which will have the greatest impact or the minimal
impact to the result, and some evidences which have the most interconnection with other evidences.
1. As show in Figure 3, if P(Ei|Hj) which is the initial posterior probability of each evidence Ei
caused by the hypothesis Hj is the same, for example, P(E1|H1) = P(E9|H3) = 0.85, then E9 and
E10 would have the most significant effect to the posterior probability of H. For example, if we
change the state of E9 from “Yes” to “No”, the P(H) will be reduced from 99.8819% to
99.43%. If changing any other evidence such as E1, the P(H) will be reduced from 99.8819%
to 99.86%.
2. If adopting the same initial posterior probability above, then E24 and E25 have the minimal
impact to P(H). If we change the state of E24 from “Yes” to “No”, the P(H) will be reduced
from 99.8819% to 99.8818%.
3. The hypothesis H4 is in a diverging connection with H4−1, H4−2, H4−3, H4−4, and H4−1 is in a
diverging connection with E11...E17, hence, provided the states of H4−1 and H4 are
unobservable, change in E11...E17 will also change the probability values of H4−1 and H4. When
H4−1 or H4 changes, the likelihood of E11...E17 will change also.
4. Similarly, since H, H4, H4−1 and E11 are in serial connection, hence change in E11 will also
propagate the variation to H if H4 and H4−1 remain unobservable.
5. Nodes E24 and E25 are common nodes for hypotheses H4−2, H4−3, H4−4. In other words, there is
a converging connection to E24 and E25 from hypothesis nodes H4−2, H4−3, H4−4. According to
the rules of probability propagation for converging connection in Bayesian network, when the
states of E24 and E25 are known, the probabilities of H4−2, H4−3, H4−4 will influence each other.
Therefore, change in the state of E24 or E25 will change the probability of these three
hypotheses. Further, since H4−1, H4−2, H4−3, H4−4 are in divergent connection with parent
hypothesis H4, hence changes in H4−2, H4−3, H4−4 will also influence the probability of H4−1.
6.3 Initial Probability Assignment
As show in Table 2 and Figure 3, for simplicity, in the initialization phase of assessment, we set the
initial prior probability P(H) to be Yes: 0.3333, No: 0.3333, Uncertain: 0.3333, and set the initial
posterior probability of each evidence Ei caused by the hypothesis Hj to be the same, such as P(E1|H1)
= P(E9|H3) =0.85. However, in reality, the assignment of initial prior probability and initial posterior
probability may not be like this. Such assignments often rely on subjective personal belief which is
affected by professional experience and knowledge. Also individual digital forensic examiner’s belief
may not represent the general and acceptable view in the forensic discipline. Thus, the assignment
needs to be done among a group of forensic specialists. In order to help investigators to perform a
more accurate assignment of the initial probability, we first classify the evidences into two levels in
section 6.4.
6.4 Critical Evidence Set of Evidences
The investigation found out 28 evidences. Each of them will affect P(H) in varying degrees. Thus we
classify the evidences into two levels, L0, L1 due to the degree of importance to H. L0 is the lowest
degree and L1 is the highest degree. The higher the more important. Please note that such
classification needs intensive understanding of each evidence, and it needs to be done by a group of
forensic specialists.


L1: E1, E3, E5, E7, E10, E11, E18, E22, E23, E27
L0: E2, E4, E6, E8, E9, E12, E13, E14, E15, E16, E17, E19, E24, E20, E21, E25, E26, E28
According to the critical set classification, we define the following 7 deductions, which helps
investigators to understand the logic relation among the evidences, and provides a basic knowledge to
investigators when assigning initial posterior probabilities to each evidence.
109
1. If E1 and E3 are found, H1 would have a high probability to be true, no matter E2 or E4 is found
or not.
2. If E5 and E7 are found, H2 would have a high probability to be true, no matter E6 or E8 is found
or not.
3. If E10 is found, H3 would have a high probability to be true, no matter E9 is found or not.
4. If E11 is found, H4−1 would have a high probability to be true, no matter E12, E13, E14, E15, E16
or E17 is found or not.
5. If E18, E22, E23 are found, H4−2 would have a high probability to be true, no matter E19, E20, E21,
E24 or E25 is found or not.
6. If E23 is found, H4−3 would have a high probability to be true, no matter E24 or E25 is found or
not.
7. If E27 is found, H4−4 would have a high probability to be true, no matter E24, E25, E26, or E28 is
found or not.
Take deduction 1 as an example, it means that if the posted distribution and the poster’s IP address are
found, it is most likely that the suspect posted a distribution with this IP address. The existence of E2
or E4 will not affect much of the probability of H1. The basis of making such a deduction is that some
forums support anonymous posting or unregistered user posting, so E2 may not exist even if E1 and E3
are found; also the IP subscriber may not be the suspect because he can use public network for
posting, so E4 may not exist. Thus E2 and E4 are just supplementary evidences for H1, but not the
critical ones. Finally, according to deduction 1, investigators should assign higher initial probabilities
to E1 and E3, and lower posterior probabilities to E2 and E4. The exact posterior probabilities should be
carefully decided among specialists. Here, we just give an example to demonstrate the importance of
initialization.
Fig. 4. The Different Initial Posterior Probability to Elements in L1 and L0.
Example: We assign each L1 element the same posterior probabilities as E1 show in Figure 4, and
assign each L0 element the same posterior probabilities as E2 show in Figure 4. To prove deduction 1,
we set four situations as show in Table 4. We found that if E1 and E3 are found, and E2 and E4 are not
found, P(H1) is 0.9498, which is not much different from situation 1; but if E1 and E3 are not found,
and E2 and E4 are found, P(H1) is just 0.0935. Thus, it proves the deduction 1. Similarly, if we assume
all evidences in L1 are found and all evidences in L0 are not found, P(H) is 0.9935, which is still a
high value; but if all evidences in L1 are not found and all evidences in L0 are found, P(H) is only
0.0937. Thus is proves the importance of L1 evidences.
Table 4. The Impact of Critical Data
Situations E1, E3 E2,E4
1
Yes
Yes
2
No
No
3
Yes
No
4
No
Yes
P(H1)
0.9907
0.0180
0.9498
0.0935
6.5 Other Cloud Content Sharing Networks
Actually there exist many other cloud content sharing networks, such as Seagate FreeAgent GoFlex
Net Media Sharing (Engines), which represents the technologies that are hardware assisted, and
110
supports transforming user’s storage device into personal cloud storage. In such GoFlex network, there
is no such origin server in CloudFront, but investigators need to investigate the user’s storage device
such as USB storage instead, because origin files exist in the USB storage. Other than that,
investigators can follow investigation process of CloudFront to find other evidences in GoFlex, and
build the Bayesian Network model.
7. CONCLUSION
Performing forensic to crime based on cloud content sharing network is new. We analyzed a typical
cloud content sharing network, and proposed guidances to track the origin file uploader and owner if
illegal sharing happens in such network. A Bayesian Network model is also built (section 5) for
analyzing the collected evidences to obtain a scientific evaluation result of the probability of a crime.
Analyses of model construction difficulties, initialization, sensitive data and critical data set are done.
One interesting result we found is that though the cloud SP is an important third party for providing
valuable evidences, its absence would not affect much of the probability of tracking the suspect when
other evidences are all found. If following the proposed guidances, there would be a chance of more
than 99% to track the origin file uploader and owner.
ACKNOWLEDGEMENTS
The work described in this paper was partially supported by the General Research Fund from the
Research Grants Council of the Hong Kong Special Administrative Region, China (Project No. RGC
GRF HKU 713009E), the NSFC/RGC Joint Research Scheme (Project No. N\_HKU 722/09), HKU
Seed Fundings for Applied Research 201102160014, and HKU Seed Fundings for Basic Research
201011159162 and 200911159149.
REFERENCES
C.G.G. Aitken and F. Taroni (2004), Statistics and the evaluation of evidence for forensic scientists,
John Wiley.
Amazon (2012), ‘Amazon cloudfront’, http://aws.amazon.com/cloudfront/, Accessed in April, 2012.
P. Angin, B. K. Bhargava, R. Ranchal, N. Singh, M. Linderman, L. B. Othmane, and L. Lilien (2010).
‘An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing’. 29 th IEEE
Symposium on Reliable Distributed Systems (SRDS). October 31 - November 3. New Delhi, Punjab,
India.
E. Bertino, F. Paci, R. Ferrini, and N. Shang (2009), “Privacy-preserving Digital Identity Management
for Cloud Computing”, IEEE Data Engineering Bulletin, Vol 32(Issue 1): Page 21–27.
D. Birk and C. Wegener (2011), ‘Technical issues of forensic investigations in cloud computing
environments’. IEEE Sixth International Workshop on Systematic Approaches to Digital Forensic
Engineering (SADFE). May 26. Oakland, CA, USA.
Yi-Jun He, Sherman S. M. Chow, Lucas C.K. Hui, S.M. Yiu (2012), ‘SPICE – Simple PrivacyPreserving Identity-Management for Cloud Environment’, 10th International Conference on Applied
Cryptography and Network Security (ACNS), June, Singapore.
K. P. Chow, R. Ieong, M. Kwan, P. Lai, F. Law, H. Tse, and K. Tse (2009), ‘Security analysis of foxy
peer-to-peer file sharing tool’. HKU Technical Report TR-2008-09.
C. Engines. ‘Pogoplug’, http://www.pogoplug.com/. Accessed in April, 2012.
R. S. C. Ieong, P. K. Y. Lai, K. P. Chow, M. Y. K. Kwan, and F. Y. W. Law (2010). ‘Identifying first
seeders in foxy peer-to-peer networks. 6th IFIP International Conference on Digital Forensics. January
4-6. Hong Kong, China.
111
R. S. C. Ieong, P. K. Y. Lai, K. P. Chow, F. Y. W. Law, M. Y. K. Kwan, and K. Tse (2009). ‘A model
for foxy peer-to-peer network investigations’. 5th IFIP WG 11.9 International Conference on Digital
Forensics. January 26-28. Orlando, Florida, USA.
M. Y. Kwan, K. Chow, F. Y. Law, and P. K. Lai (2007), ‘Computer forensics using Bayesian network:
A case study’. http://www.cs.hku.hk/research/techreps/document/ TR-2007-12.pdf.
M. Liberatore, B. N. Levine, and C. Shields (2010). ‘Strengthening forensic investigations of child
pornography on P2P networks’. Proceedings of the 2010 ACM Conference on Emerging Networking
Experiments and Technology (CoNEXT). November 30 - December 03. Philadelphia, PA, USA.
R. Marty (2011). ‘Cloud application logging for forensics’. 26th ACM Symposium On Applied
Computing (SAC). March 21 – 24. TaiChung, Taiwan.
Microsoft (2001). ‘Microsoft bayesian network editor’.
us/um/redmond/groups/adapt /msbnx/. Accessed in April, 2012.
http://research.microsoft.com/en-
K. K. T. Grance, S. Chevalier and H. Dang (2006), ‘Guide to computer and network data analysis:
Applying forensic techniques to incident response’. National Institute of Standards and Technology.
C. Wang, Q. Wang, K. Ren, and W. Lou (2010). ‘Privacy-preserving public auditing for data storage
security in cloud computing’. The 29th IEEE International Conference on Computer Communications
(INFOCOM). March 15-19. San Diego, CA, USA.
Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li (2011), ‘Enabling public auditability and data dynamics
for storage security in cloud computing’. IEEE Transactions on Parallel and Distributed Systems,
22(5): Page 847–859.
Zafarullah, F. Anwar, and Z. Anwar (2011). ‘Digital forensics for eucalyptus’. 9th International
Conference on Frontier of Information Technology (FIT). December 19-21. Islamabad, Pakistan.
112
iPAD2 LOGICAL ACQUISITION: AUTOMATED OR
MANUAL EXAMINATION?
Somaya Ali
Sumaya AlHosani
Farah AlZarooni
Ibrahim Baggili
[email protected]
P.O. Box 144426
Abu Dhabi
U.A.E
[email protected]
P.O. Box 144426
Abu Dhabi
U.A.E
[email protected]
P.O. Box 144426
Abu Dhabi
U.A.E
[email protected]
P.O. Box 144534
Abu Dhabi
U.A.E
Advanced Cyber Forensics Research Laboratory
Zayed University
ABSTRACT
Due to their usage increase worldwide, iPads are on the path of becoming key sources of digital
evidence in criminal investigations. This research investigated the logical backup acquisition and
examination of the iPad2 device using the Apple iTunes backup utility while manually examining the
backup data (manual examination) and automatically parsing the backup data (Lantern software automated examination). The results indicate that a manual examination of the logical backup
structure from iTunes reveals more digital evidence, especially if installed application data is required
for an investigation. However, the researchers note that if a quick triage is needed of an iOS device,
then automated tools provide a faster method for obtaining digital evidence from an iOS device. The
results also illustrate that the file names in the backup folders have changed between iOS 3 and iOS 4.
Lastly, the authors note the need for an extensible software framework for future automated logical
iPad examination tools.
Keywords: iPad, forensics, logical backup, iOS, manual examination.
1. INTRODUCTION
The popularity of the iPad continues to rise. Consumers are attracted to its unique features, such as
increased storage capacity, user-friendliness, and the incorporation of an interactive touch screen. It is
considered to be more personal than a laptop and more advanced than a mobile phone (Miles, January
27, 2010). The rapid distribution of tablets to businesses and individual utilization is primarily due to
the Apple iPad device (Pilley, October 8, 2010). When Apple first released the iPad, they targeted
consumer sectors rather than business sectors. Their advertisements and marketing campaigns
reflected this strategy. However, the iPad is currently being adopted by an extensive scope of
consumers, ranging from children to executives. It is also employed in unconventional settings, like in
the hands of restaurant waiters as they take your order, or in boutique windows showcasing
promotional material (Geyer & Felske, 2011).
Since 2010, more than 25 million iPads have been sold in the US (KrollOntrack, 2011). Furthermore,
70% of the iPad2 buyers were new to the iPad world and 47% purchased a 3G model. This
demonstrates that not only are more buyers attracted to the iPad, but that consumers are looking for
always-connected iPad devices (Elmer-DeWitt, March 13, 2011). Due to the ubiquity of these devices,
criminals are starting to target iPad users, thereby committing a wider range of crimes (Pilley, October
8, 2010). Hence, digital forensic scientists need to focus on investigating these emerging devices.
Fortunately, new digital forensic tools and methods are being developed by researchers and private
corporations to help law enforcement officers forensically examine iPads, despite the challenging fact
that the iPad technology is continuously changing (Pilley, October 8, 2010).
2. RESEARCH QUESTIONS
This research focused on logical forensic methods for examining iPad devices. This research intended
113
on answering the following questions:

What is the difference between using automated logical analysis of the backup files
versus using a manual approach?

What data is saved in the backup folder of an iPad2?

Where is the data saved and how can it be extracted?

What is the difference between the backup structure of the old iOS and the new iOS?
3. BACKGROUND
3.1. iPad
On January 27, 2010, the late CEO of Apple, Steve Jobs, announced the launch of a new tablet device
called iPad. On March 2, 2011, the second generation iPad2 was launched. Users could enjoy features
such as browsing the Internet, watching videos, viewing photos, and listening to music (Apple,
2011a).
With two cameras, high definition (HD) video recording capabilities, a dual core A5 chip, extended
battery life, WiFi Internet connectivity, third generation (3G) mini SIM card, an endless variety of
applications, and a thin and light design, the iPad2 stormed the technology market and created a new
era in the tablet world (Apple, 2011b). The iPad2 was released with the new version of Apple’s
operating system, iOS 4.3 (Halliday, March 2, 2011).
The following section explores the iOS file system in more detail.
3.1.1. The iOS File System
In 2008, Apple released iOS – an operating system for the iPhone, iPod, and iPad. This did not trouble
forensic investigators since the iOS used on the iPad was the same as that of the iPhone. Therefore, at
the time, no further studies were required, as they had been previously performed for the iPhone and
iPod touch. In April 2010, Apple took a major step by releasing iOS 4 which introduced further
notable features, such as multitasking, gaming features, video possibilities, and others (Morrissey,
2010).
Being familiar with all the features and having a good understanding of the Apple ecosystem was a
fundamental requirement for establishing a solid understanding of iOS forensics (Morrissey, 2010).
The iOS is a mini version of the OS X, which uses a modification of the Mac OS X kernel and its
development is based on Xcode and Cocoa (Morrissey, 2010). iOS is composed of four main
components; Cocoa Touch, Media, Core Services, and the OS X kernel. The first component, Cocoa
Touch, provides the technological infrastructure to employ the applications’ visual interface (Hoog &
Strzempka, 2011). The second component, Media, contains graphics, audio and video technologies
consisting of OpenAL, video playback, image files formats, quartz, core animation, and OpenGL
(Morrissey, 2010). According to Hoog & Strzempka (2011), the third component, Core Services,
delivers the primary system services for applications such as networking, SQLite databases, core
location, and threads. The OS X kernel which is the fourth component, delivers low level networking,
peripheral access, and memory management/file system handling (Hoog & Strzempka, 2011). It
consists of TCP/IP, sockets, power management, file system, and security (Morrissey, 2010).
Morrissey (2010) stated that the Hierarchical File System (HFS) was developed by Apple in order to
support the increased storage requirements of people. HFS formatted disks at the physical level are in
512 byte blocks, which is identical to Windows based sectors. An HFS system has two kinds of
blocks, logical blocks and allocation blocks (Morrissey, 2010). The logical blocks are numbered from
the first to the last on a given volume. They are static and are 512 bytes in size, just as the physical
blocks. On the other hand, allocation blocks are used by the HFS system to reduce fragmentation.
114
They are collections of logical blocks joined together as clusters (Morrissey, 2010).
The HFS file system manages files by using balanced tree (B*tree), which is a catalog file system that
uses a catalog file and extents overflows in its organization scheme (Morrissey, 2010). B*trees consist
of nodes that are assembled together in a linear manner. This linear method increases the data access
speed by continuously balancing the extents when data is deleted or added. The HFS file system gives
a unique number (catalog ID number) for every file that is created, and increases by one each time a
file is added. The numbering of the catalog ID is tracked by the HFS volume header (Morrissey,
2010).
Figure 1. Structure of HFS+ file system
Adapted from IOS Forensic Analysis: for iPhone, iPad and iPod Touch, by Morrissey, S, 2010: Apress. Copyright 2010 © by Sean Morrissey
Figure 1 illustrates the structure of an HFS+ file system as illustrated by Morrissey (2010). The boot
blocks retain the first 1024 bytes. The subsequent 1024 bytes are retained for the volume header as
well as the last 1024 bytes of the HFS volume, which is reserved as a backup volume header. The
volume header stores information about the structure of the HFS volume. Next is the allocation file
which traces the allocation blocks that the file system is using. The following is the extents overflow
file which traces all the allocation blocks that belong to a file’s data forks. A list of all extents used by
a file and the connected blocks in the proper order is stored in this file.
The catalog file stores the volume files and folders' information that are in a hierarchical system of
nodes. There is a header node, an index node, leaf nodes, and map nodes. The attributes file is reserved
for future use of data forks, and the start up file is designed to boot a system which does not have a
built-in ROM support. The space after start up file is used by the file system for saving and tracking all
the data in a volume. The alternate volume header, as mentioned previously, is where the backup of
the volume header is retained. Disk repair is the main purpose for the alternate volume header. Finally,
the last chunk of HFS file system structure are the 512 bytes, which are reserved (Morrissey, 2010).
The file system for Apple portable devices is HFSX, but has one main difference from the HFS+. The
difference is that the HFSX is case sensitive, thereby allowing the file system to distinguish between
115
two files that have the exact identical name. For instance, both test.doc and Test.doc can be created on
the HFSX file system (Morrissey, 2010).
According to Cellebrite (2011), two partitions are included in the Apple devices. The first partition is
the system partition, which is about 1 GB. The iOS and basic applications are stored in the first
partition (Gómez-Miralles & Arnedo-Moreno, 2011). Although encryption may be enabled on the
iDevice, the system partition is not encrypted (Cellebrite, July 3, 2011). However, the second partition
is the one of interest, as it holds all the user data that can have evidentiary value. This partition
includes all the photos, messages, GPS, videos, and other data that is generated by the user (Cellebrite,
July 3, 2011). Extracting the protected files can be a challenge if encryption is enabled (Cellebrite,
2011).
3.1.2 Related Work
A paper by Luis Gómez-Miralles and Joan Arnedo-Moreno explored the method of obtaining a
forensic image of the iPad using a Camera Connection Kit. The advantage of their method was the
ability to decrease time by attaching an external hard disk to the iPad using a USB connection. Their
method consisted of two parts. The first part was setting up the device by jailbreaking it. The second
part was to acquire a forensic image, by connecting Apple’s Camera Connection Kit, which was used
to mount the USB hard drive. Next, was to obtain a forensic image using the dd command (GómezMiralles & Arnedo-Moreno, 2011).
Another research study by Mona Bader and Ibrahim Baggili, explored the forensic processing of the
third generation of Apple iPhone 3GS 2.2.1 by using the Apple iTunes backup utility to retrieve a
logical backup. Their research showed that the Backup folder with its backup files contains data that
has evidentiary value, as the iPhone file system saves the data in binary lists and database files.
Additionally, their results showed that XML format plist files are used to store device configuration,
status, and application settings. Bader and Baggili (2010) stated that the backed up files from the
iPhone contain information that could have evidentiary significance such as text messages, email
messages, and GPS locations. The manual examination introduced in this paper is an extension of their
work to the iPad2 device.
4. DESIGN – METHODS AND PROCEDURES
The methodology in this research takes into consideration the Computer Forensics Tool Testing
guidelines established by the National Institute of Standards and Technology (NIST) (NIST, 2003). At
a high level, the authors followed the following procedures:
1. Certain scenarios were entered onto three iPad2 devices
2. The devices were backed up (logically acquired)
3. The backup folders were then parsed using automated forensic tools and manually
4. The results were compared
After the scenario was created, the iPad2 was geared up for logical acquisition. The specifications of
the devices used in the acquisition process are listed in Table 1. Then, the forensic tools were chosen
to perform the logical acquisition. After reviewing some of the available tools' specifications and their
ability to support iPad logical data extraction, Katana Forensic Lantern was chosen.
116
Table 1. Hardware Specifications
Device
Forensic Workstation
iPad
Specification
MacBook Pro
Mac OS X
Version 10.6.8
Processor: 2.26 GHz Intel Core 2 Duo
Memory: 2 GB 1067 MHz DDR3
iPad 3G + WiFi
Storage: 64 GB
iOS: 4.10.01
Table 2. Software Specifications
Software
Katana Forensic
Lantern
iTunes
iPhone Backup
Extractor
PlistEdit Pro
SQLite Database
Browser
Google Earth
Details
Version 2.0 operatable on:
Minimum of Intel based Mac OS X 10.6 with preferably 4GB
memory
Downloaded from: http://katanaforensics.com/
iTunes 10 version 10.4.1 (10)
Version 3.0.8
Downloaded from:
www.iphonebackupextractor.com
Version 1.7 (1.7)
Downloaded from:
http://www.fatcatsoftware.com/plisteditpro/
Version 1.3
Downloaded from: http://sqlitebrowser.sourceforge.net
Version 6.0.3.2197
Downloaded from:
http://www.google.com/earth/download/ge/agree.html
Logical Acquisition Approach
Logical backups contain a vast amount of data that includes all sorts of evidence (Bader & Baggili,
2010). They are able to connect many dots, in any case, by providing further information about the
computer that was previously used to synchronize the iDevice, and the owner of the device, including
his/her interests and whereabouts (Bader & Baggili, 2010).
The logical backup was captured through the iTunes utility using a Mac OS X version 10.6.8. The
system utilizes Apple’s synchronization protocol in order to have all of the iDevice's data copied to the
forensic workstation (Bader & Baggili, 2010).
It is important to note that any automatically initiated backup on iTunes may contaminate the iDevice
by transferring data from the forensic workstation to the iDevice as a part of the synchronization
(Bader & Baggili, 2010). This was noted, and steered clear of, prior to connecting the iPad to the
forensic workstation by disabling the synchronization option in iTunes.
The logical backup folder was parsed using different methods: first, by using Katana Forensic Lantern.
This software directly acquires the backup from the iDevice – provided that the automatic
synchronization with iTunes is turned off; second, by using the iPhone Backup Extractor tool that
117
presents the backup data in a more visually appealing form than the original data; and third, through a
manual examination of the backup folder.
Other software and tools were required to manually investigate the backup data such as the SQLite
Database browser, PlistEdit Pro, and TextEdit as mentioned in Table 2. In order to prepare the iPad2
and backup data, a scenario was created on the iPad, by adding notes, email accounts, address book
entries, photos (taken with the location option being On and Off), calendar entries and bookmarks.
Then, the backup process was initiated using Mac OS X version 10.6.8 through iTunes version 10.4.1
(10). More specifications are included in Tables 1 and 2.
It must be noted that all the tests were conducted under forensically acceptable conditions, thereby
avoiding any illegal access to the device through jailbreaking, especially since the main objective was
to not contaminate the original data stored on the iPad2. According to Kruse & Heiser (2002), there
are four key phases to follow in computer forensics processes, which are, access, acquire (logical),
analyse, and report. These steps were followed in this research.
4.1. Instruments
4.1.1. Katana Forensic Lantern
Lantern is one of the iOS forensic solutions currently available on the market, developed by Katana
Forensics. It is well known for its low cost, yet fast and effective results. It enables acquiring the
logical portion of three different iOS devices: iPhones, iPads and iPod Touch (Morrissey, 2010). After
the device is connected to the forensic computer, Lantern backs up the files and allows the
examination of data while it is still processing. Timeline analysis and geographic data features are also
supported (KatanaForensics, 2011b).
The software has an intuitive user interface. It is as simple as opening a new case, entering the case
and evidence details, and then acquiring the device (KatanaForensics, 2011b). The maximum time for
acquiring the iDevice ranges between 5 to 30 minutes, depending on the size of the device (Morrissey,
2010).
4.1.2. iTunes
Media player, digital media organizer, and iPhone/iPod/iPad content manager, are the features that the
iTunes application offers since its introduction in 2001. It also connects to the iTunes Store and
enables online content purchases (Apple, 2011c).
iTunes operates on both iOS and Windows, and is available for download, with no charges, through
Apple’s portal. It is primarily used to maintain media, applications, books, and content purchases, and
are all synchronized with the owner's Apple devices. It creates backups of all the settings and media of
the connected devices such as iPods, iPhones and iPads. These backups restore the captured settings
and details of the devices (Apple, 2011c).
4.1.3. iPhone Backup Extractor
iPhone Backup Extractor is a freely available tool that can parse data from the iPhone’s backup folder
(ReincubateLtd, 2011). According to Morrissey (2010), it has the ability to convert the backup folder
into CSV, VCard, or ICAL formats, so they can be easily viewed. It can also convert Keyhole Markup
Language (KML) files for use with Google Earth if any location data is included. KML is an XML
markup language used by map-related software for marking maps (Goldberg & Castro, 2008).
Although iPhone Backup Extractor it is not considered to be a forensic tool, it provides means for
examiners to analyse backup folders (Morrissey, 2010).
4.2. Data Collection and Analysis
4.2.1. Katana Forensic Lantern
When the acquisition process was complete, the following extracted data was shown:
118
Device Information: It provided general information about the device being acquired such as device
name, type, model, serial number, and software version.
Contacts: This pane showed the phone book saved on the iDevice. It also showed all the related data
to a contact in one single screen.
Notes: Thoughts, ideas, points, lists, and many more things can be typed in this application and may
be used as evidence in an investigation.
Calendar: The calendar may include a great sum of information. It may contain appointments, events,
notes, and important dates synchronized from many different devices and applications used by the
user. Lantern’s software parses all the data and alerts if they are occurring (Morrissey, 2010).
Internet: Considering the nature of the investigation being carried on, this section is of great
importance. Lantern provides a clear list of all Internet bookmarks, displayed pages, and browsing
history from the web surfing program on the iPad, which is Safari.
Gmail: This pane shows all the registered email accounts on the iPad. In this case, the tested device
had a Gmail account set up, and all related emails, their contents, sender and receiver related
information were displayed.
Dictionary: Each time text is typed on the iPad, it is logged and saved, and can be acquired during the
investigation. Those entries can appear from texts typed into the device and are ordered in the dynamic
dictionary file.
Maps: iPad users may record maps and routes into their handheld devices. All those details are parsed
and can be exported to Google Maps to show more graphical details and more specific locations.
Those details, in turn, can be exported to Google Earth so they can be plotted on a map.
WiFi: Shows a chronological order of all the WiFi connections attempted using the iPad, SSID,
BSSID, and the security of that connection. This can be useful in capturing the access points the
device was connected to.
Photos: This pane may be one of the most important panes for the investigator due to the richness of
the information that it offers. All images taken with the built-in camera include Exchangeable Image
File Format (EXIF) and embedded geographical data (KatanaForensics, 2011b). Those images can be
identified using Lantern and are also clearly viewed within the program itself. Lantern can extract the
geographical data from EXIF so that the location can be easily plotted on Google Maps, illustrating
where the photo was taken (Morrissey, 2010).
Google Earth: Interesting data was found within the Exif associated photos taken using the built-in
camera of the iPad. If the location service is on, it records the longitude and latitude of the exact
location of where the photo was taken, along with other details about the camera type, aperture value,
and many more related data. This data may be exported into a .kmz format, which then could be
opened using Google Earth and show its exact location on the map.
Report: Lantern provides an option of exporting all the acquired data into html format. This
summarizes all the panes and their related data into one page – which is easier to navigate through. It
also provides the source file from which the data was extracted.
Third Party Applications: Although Lantern was of a great assistance in examining the evidence on
iDevices, it did not provide significant details about third party applications installed on the iPad. Yet,
it was possible to manually navigate through the exported report and find some related data to those
applications.
4.2.2. iPhone Backup Extractor
iPhone Backup Extractor is not intended to serve as a forensics tool (Morrissey, 2010). It essentially
parses the extracted backup folder into useful folders and file formats that, in turn, make it easier for
119
the examiner to go through (ReincubateLtd, 2011). Moreover, it parses the data in a more organized
way and sorts it neatly e.g. .plist, .sqlite3, & .db files (Morrissey, 2010). iPhone Backup Extractor is
not complicated and does not need any special knowledge to run and use (ReincubateLtd, 2011).
The following descriptions are files of interest extracted using the iPhone Backup Extractor:
Keychain-backup.plist: This file contains important tables such as the genp and inet. The tables
contain accounts, their encrypted passwords, and related services (Bader & Baggili, 2010).
Library: This folder contains most of the important data that can be found within the backup, such as
the saved entries in the Address Book (and the related images to each entry), Calendar, Keyboard
entries, Notes, Safari and more. The files are in .sqlite3 format and .db or .plist.
Media: Media folder parses the photos and their data into their relative folders.
Ocspcache.sqlite3: This database seems to include the digital certificates.
SystemConfiguration: This folder shows a collection of PList files that contain data about networks
the device is connected to, their preferences, and the power management details.
TrustStore.sqlite3: This database contains the CA certificates that the iPad trusts. The CA certificates
are used for security credentials and message encryption by using public keys (SearchSecurity.com,
2011).
Com.facebook.Facebook: This backup folder holds all the data related to the facebook account
associated with the iPad under investigation. A database of all the facebook friends’ networks can also
be found in .db format.
Dynamic-text.dat file (Dictionary): Any text entered in the iPad is logged into a file called dynamictext.dat. This file can be of a great help to the investigator due to the insight it provides about the
suspects usage of the device. It can potentially direct the whole investigation into the proper path by
providing solid facts.
com.skype.Skype: Skype provides video calls, screen sharing, and many more features. It can
potentially reveal a lot about the suspect's personality and provide corroborating evidence. The
database contains many tables such as Accounts, CallMembers and ChatMembers.
com.apple.ibooks: This database mainly holds details about all electronic books and .pdf files added
to the iBook application. It shows plenty of interesting related details such as the title of the item, the
author, and the categories. This could provide further details about the personality of the suspects and
their interests.
Com.linkedin.Linkedin.plist: This PList file holds details of the Linkedin account used on the
iDevice. It mainly shows general user profile details such as user name, job title, associated twitter
accounts, pictures, and a link to the user profile and photo URL.
4.2.3. Manual Examination of iTunes Backup Folder:
A manual examination of the iTunes backup folder was conducted without using any automated tools
to parse the files. The backup folder contained more than 2000 files. These files consisted of different
kinds of files, such as PLists, SQL databases, images, HTML files, and more.
As a part of the backup folder, three main PList files were generated; Info.plist, Status.plist, and
Manifest.plist. In Manifest.plist, a metadata file identifies the .mddata and .mdinfo files. The
Status.plist file holds the status of the backup, i.e. if it was completed successfully, and the date and
time of the backup.
Another file contained within the backup folder was the Info.plist. This plist file holds details about
the backup and other information regarding the iDevice (GitHub, 2011). Other files found in the
backup folder are Manifest.mbdb and Manifest.mbdx. These are binary index files that contain the
120
names and paths of the files in the backup (LeMere, 2010). It also contains the real names of the files
representing the random strings in the backup folder (Ley, 2011). The .mbdb file holds the data of the
original files, and the .mbdx contains pointers to those files in the .mbdb file as well as the hex file
names included within the backup folder (ROYVANRIJN, April 21, 2011). Furthermore, the .mbdb
also contains a file header which holds the version number of mbdx and the number of records present
in the mbdx file (LeMere, 2010).
The following is the list of some of the files of interest found using the manual examination method:
Dynamic Dictionary: Found in 0b68edc697a550c9b977b77cd012fa9a0557dfcb.
iBooks:
The
SQLite
database
of
1c955dc79317ef8679a99f24697666bf9e4a9de6.
iBooks
is
contained
within
the
file
Skype: Many files related to the Skype application were found and examined – most of which were
text files containing encrypted data, except the user names involved in the video calls were in clear
text. In addition, a SQLite database was found with relevant data to the calls carried out, the duration,
involved usernames, and language used. The SQLite DB had the following name:
a6414be1fc3678b0ea60492a47d866db3a6d4818 file and its related Plist file had the following name:
5c7504d4b4aa4395d7b3651bc0d523de121c3159. It was also found that the hash value of the
application was not constant amongst multiple tested devices.
Bookmarks:
Bookmarks
database
is
contained
within
the
file
named
d1f062e2da26192a6625d968274bfda8d07821e4 and contains many different tables within its database
with data related to the bookmark URL and the title of each link.
Notes: Contains details about the notes saved on the device. The SHA-1 value is
ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
Twitter: Twitter data was in PList format and contained the usernames and content of tweets
exchanged amongst them. The related SHA-1 values for the twitter application files were as follows:
1ae8b59701a8ef5a48a50add6818148c9cbed566
2ba214fcde984bbc5ea2b48acd151b61b651c1c8
4eb24cb35ff5209d08774a6d2db4c98a0449a9ff
7a0c2551ecd6f950316f55d0591f8b4922910721
71127e4db8d3d73d8871473f09c16695a1a2532c
c5dc95a1b0c31173c455605e58bffcca83d8b864
Connection WiFi: The file 3ea0280c7d1bd352397fc658b2328a7f3b1243b in all three tested iPads
contained related data to the WiFi and network connections.
Gmail Contacts List: An interesting finding of the manual examination was a SQLite database file
containing email accounts, names, and mobile numbers of the registered Gmail account on the iPad.
The findings contained information that was not initially entered for each contact in the list but was
synchronized with a Blackberry device Address Book of the owner.
The Gmail account is set up on the Blackberry and is synchronized with the device’s contact list. All
contacts' mobile numbers were found in the backup folder since that Gmail account was also set up on
the iPad under examination. This could lead an investigator to find a suspect's contact numbers, so
long as they were mainly saved on his/her mobile device.
Linkedin:
The
relative
PList
file
to
this
application
is
named
9c404eb0aa691005cdbd1e97ca74685c334f3635 and provides details such as the first name, last name,
user name, profile URL, and the job title.
121
Calendar: The calendar contains two relative files in the backup folder, a SQLite database and PList.
The former is saved under 2041457d5fe04d39d0ab481178355df6781e6858 and the latter under
d351344f01cbe4900c9e981d1fb7ea5614e7c2e5.
Keychain: This file was found in 51a4616e576dd33cd2abadfea874eb8ff246bf0e and contains genp,
cert, inet, and keys tables. These tables provide more data about the accounts registered on the device
along with their relative passwords and details.
Table 3. Backup files and their relative applications
Backup
Keychain
WiFi Connections
File Type
PList
PList
PList
SQLite
PList
PList
PList
SQLite
PList
PList
SQLite
PList
PList
SQLite
PList
PList
Backup File
51a4616e576dd33cd2abadfea874eb8ff246bf0e
3ea0280c7d1bd352397fc658b2328a7f3b1243b
ade0340f576ee14793c607073bd7e8e409af07a8
0b68edc697a550c9b977b77cd012fa9a0557dfcb
1c955dc79317ef8679a99f24697666bf9e4a9de6
51fca3a3004e8f8e08f37a0a5ac3d7512274ee24
1ae8b59701a8ef5a48a50add6818148c9cbed566
2ba214fcde984bbc5ea2b48acd151b61b651c1c8
4eb24cb35ff5209d08774a6d2db4c98a0449a9ff
7a0c2551ecd6f950316f55d0591f8b4922910721
71127e4db8d3d73d8871473f09c16695a1a2532c
c5dc95a1b0c31173c455605e58bffcca83d8b864
9c404eb0aa691005cdbd1e97ca74685c334f3635
d1f062e2da26192a6625d968274bfda8d07821e4
5f0a990d1c729a8b20627e18929960fc94f3ee6b
5fd03a33c2a31106503589573045150c740721dd
06af93e6265bf32205de534582c3e8b8b3b5ee9e
19cb8d89a179d13e45320f9f3965c7ea7454b10d
36eb88809db6179b2fda77099cefce12792f0889
52c03edfc4da9eba398684afb69ba503a2709667
ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
06642c767b9d974f12af8d72212b766709ba08fe
59445c4fae86445d6326f08d3c3bcf7b60ac54d3
2041457d5fe04d39d0ab481178355df6781e6858
d351344f01cbe4900c9e981d1fb7ea5614e7c2e5
9281049ff1d27f1129c0bd17a95c863350e6f5a2
Dynamic Dictionary
iBooks
Text
SQLite
PList
PList
PList
SQLite
PList
SQLite
a2d4e045244686a6366a266ba9f7ef88e747fe4b
bedec6d42efe57123676bfa31e98ab68b713195f
d00b419a7c5cbffd19f429d69aff468291d53b00
f936b60c64de096db559922b70a23faa8db75dbd
Twitter
LinkedIn
Bookmarks
Google+
Mail Accounts
Airplane Mode
Browser History
Keyboard options
Notes
Last Sleep
Audio Player details
Calendar
Safari Active
Documents
Mailbox details
Photos
Dropbox
Ocsp
4.3. Challenges
Generally, investigators may face challenges no matter what device is being examined. However,
since criminals continue to develop novel methods to cover their tracks, digital forensics has to
constantly evolve with many technologies being introduced to defend against those harmful attacks
(Husain, Baggili, & Sridhar, 2011).
122
A challenge that can be faced in a case is a locked iPad device. Since this is a user entered PIN, there
are no default codes provided in the user manual providing an investigator with a limited number of
attempts to try different passwords. As a security precaution offered by Apple on all iDevices,
multiple unsuccessful attempts may lead to erasing all data on the device.
Examiners should consider the following when a locked iDevice is being investigated (Apple,
September 22, 2011):

Repeatedly entering the wrong password on the iDevice will lead it to being disabled for a
certain period of time, starting with 1 minute. The more the unsuccessful attempts, the longer
the disabled interval will be.

Too many unsuccessful attempts will lead to not being able to gain access to the iDevice until
it is connected to the computer it was originally synchronized with.

The user may have configured the device to erase itself after a certain number of consecutive
unsuccessful attempts.
There are many ways to obtain the PIN of a locked device during an investigation (Punja & Mislan,
2008):

Using common PIN numbers, such as the last 4 digits of the owner’s phone number, the year
of birth, or any other related PIN that is found during the investigation.

Obtaining it directly from the owner.

Brute force attack (but may be inapplicable in case of having a limited number of attempts).
Few software vendors claim now to provide features that take the investigation further by decrypting
the forensic images captured and obtaining the passcode within 20-40 minutes depending on the
passcode complexity through brute-force. Katana Forensics provides a complimentary application to
their original Lantern program that images iOS devices. Since the complimentary software was
released after the completion of this experiment, the newly added features were not tested.
Another software, Elcomsoft iOS Forensic Toolkit, provides similar features to Lantern Lite. The
former has iOS 4.x and iOS 5 Passcode Recovery. This forensic tool also performs a brute-force
attack, even for complex passcodes. It also obtains the encryption keys from the iDevice.
Another challenge is the differences in the iPhone backup structures depending on the installed iOS
version. Since the early versions of the Apple firmware, there have been changes in the backup
formats and structures. It started with .mdbackup files to .mddata and .mdinfo in the 3G iPhone and
iOS 3.0. The former file type contained data related to the phone, where the latter held the respective
metadata (Morrissey, 2010).
Once iOS 4.0 was released, a new backup structure was introduced. The hashed filenames still held
the data but without the .mddata and .mdinfo extensions (Morrissey, 2010). Instead, everything was
stored in manifest.mbdb. This database contains the full path and filenames, and could be viewed
using TextEdit (Hoog & Strzempka, 2011).
5. SUMMARY OF FINDINGS
We share below the summary of our findings from performing this research. A comparative summary
is also provided in Table 4.
Katana Forensic Lantern:

Provides detailed, neat, and well organized results.

Exports the output into an html file that is very easy to scroll and navigate through.

Easy to export photos and WiFi connections data into a .kmz file that views their locations on
123
the map using Google Earth.

Limits previewing data related to third party applications in the main results window. But it is
possible to navigate for third party details manually in the extracted reports from the tool
itself.

Requires third party applications to view PList and SQLite files.
iPhone Backup Extractor:

Organizes the backup folder into sub folders, separating third party applications from the iOS
files, which contains most of the iDevice related data.

Some files found using this tool were not captured through backup folder manual examination
such as TrustStore.sqlite3.

The output does not transmit the files to their related files in the backup folders and their
related SHA-1 file names.

It is not considered as a forensics tool.
Manual Examination:

Provides a lot of data which could be considered both good and bad. It is good
because the logical backup data is not missed if fully examined. It could be
considered bad because it is messy, randomly spread, and cumbersome to manually
examine since the Backup folders contain thousands of files.

Provides more digital evidence than other built-in applications installed on the device
like Twitter, Skype and Linkedin. Evidence includes user interactions with the
application, such as chat details, private messages sent/received, usernames and the
date/time stamps associated with these digital evidence.

Some of the databases found through manual examination contained information
synchronized between the user’s handheld mobile phone and the email address set up
on the iDevice. This can be of great relevance to certain investigations.

If certain installed application evidence is needed for an investigation, then this is the
most appropriate method for an investigator to use.
Differences between iOS 3 and iOS 4:
Previously conducted research on the backup folder of the iOS resulted in relating the backup files to
certain file names in SHA-1 hash values. It proved that those SHA-1 values were constant amongst
certain applications in any backup folder, which made it easier to fetch the desired data directly from
the backup folder without the need to go through each and every file.
This research revealed some changes to the iOS backup structure and illustrated how some of those
related SHA-1 values have changed across some applications as shown in Table 5.
124
Table 4. Comparison between the tools
Cost
Logical Acquisition
Physical Acquisition
Automated
Built-in Image Viewer
Built-in Text Viewer
Deleted Data
Recovery
File Sorting
Third-party
applications data (e.g.
twitter, LinkedIn,
Skype, etc…)
Report Export
(HTML)
Katana Forensic
iPhone Backup
Lantern
Extractor
Government Rate
Free Edition
$599.00
Registered
Corporate Rate
$34.95
$699.00
Data Acquisition
Yes
Yes
*Released Post
No
Experiment
Analysis
Yes
No
Yes
No
Yes
No
No
No
Manual Examination
Free
Yes
No
No
No
No
No
Yes
Partial
Yes
Partial
No
Yes
Yes
No
No
Table 5. iOS 4 backup files compared to iOS 3 backup files
Backup
Notes
File
Type
iOS 4.10.01
iOS 3.1.2
Match?
SQLite
ca3bc056d4da0bbf88b5fb3be2
54f3b7147e639c
52c03edfc4da9eba398684afb6
9ba503a2709667
2041457d5fe04d39d0ab48117
8355df6781e6858
d351344f01cbe4900c9e981d1f
b7ea5614e7c2e5
d1f062e2da26192a6625d9682
74bfda8d07821e4
5d04e8e7049cdf56df0bf82482
0cddb1db08a8e2
01e25a02a0fccbd18df66862ad
23a2784b0fe534
bdadf7ce9d86a2b33c9ba65373
11538f48e03996
ca3bc056d4da0bbf88b5fb3be2
54f3b7147e639c
N/A
Yes
PList
SQLite
Calendar
PList
SQLite
Bookmarks
PList
SQLite
History
PList
125
N/A
2041457d5fe04d39d0ab48117
8355df6781e6858.mddata
N/A
N/A
N/A
N/A
04cc352fd9943f7c0c3f0781d4
834fa137775761.mddata
N/A
No
1d6740792a2b845f4c1e6220c
43906d7f0afe8ab.mddata
Yes
N/A
No
6. CONCLUSION
In sum, automated tools provide instant and visual evidentiary data from investigated iPads. Each
automated tool has different capabilities; therefore different sets of results can be obtained from each
tool. However, the manual examination provides more thorough and detailed evidentiary data from
investigated iPads. This research points out that forensic software developers need to advance the
capabilities of their automated tools. A robust technology that is capable of easing the manual
examination process is needed. Overall, the authors propose that if a quick triage of an iOS device is
needed, then an automated tool would suffice. However, if a more thorough examination is needed,
especially if unique installed application data is needed, then the manual examination process should
be utilized.
7. FUTURE WORK
On April 12, 2011, AccessData released the “Mobile Phone Examiner Plus (MPE +),” which is a
standalone cell phone forensics application (AcessData, April 12, 2011). The main feature of this
software solution is its ability to obtain the physical image of the iPad, iPhone and iPod Touch without
jailbreaking the iOS device (AccessData, 2011). Another software application that supports the
physical acquisition of iOS devices is the Lantern Light Physical Imager, which was due to be released
in mid October 2011 (KatanaForensics, 2011a). These tools should be tested in order to assure that
they are operating as required (Baggili, Mislan, & Rogers, 2007). Further studies should attempt to
examine the error rates in the forensic tools used when examining iOS devices. Lastly, this research
points to the direction of creating an extensible software framework for examining digital evidence on
iOS devices. This framework should allow the forensic software to continuously be updated with
backup file signatures depending on the version of the iOS. It should also allow the software to update
signatures of backup files for newly released iOS applications.
REFERENCES
AccessData. (2011). MPE+ MOBILE FORENSICS SOFTWARE SUPPORTS 3500+ PHONES,
INCLUDING IPHONE®, IPAD®, ANDROID™ AND BLACKBERRY® DEVICES, from
http://accessdata.com/products/computer-forensics/mobile-phone-examiner
AcessData. (April 12, 2011). ACCESSDATA RELEASES MOBILE PHONE EXAMINER PLUS 4.2
with PHYSICAL IMAGING SUPPORT FOR IPHONE®, IPAD® AND IPOD TOUCH® DEVICES.
Apple. (2011a). Apple Launches iPad 2, from http://www.apple.com/pr/library/2011/03/02AppleLaunches-iPad-2.html
Apple. (2011b). iPad Technical Specification from http://www.apple.com/ipad/specs/
Apple. (2011c). iTunes, from http://www.apple.com/itunes/
Apple. (September 22, 2011). iOS: Wrong passcode results in red disabled screen, from
http://support.apple.com/kb/ht1212
Bader, M., & Baggili, I. (2010). iPhone 3GS Forensics: Logical analysis using Apple iTunes Backup
Utility. SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, 4(1).
Baggili, I. M., Mislan, R., & Rogers, M. (2007). Mobile Phone Forensics Tool Testing: A Database
Driven Approach. International Journal of Digital Evidence, 6(2).
Cellebrite. (July 3, 2011). Cellebrite Physical Extraction Manual for iPhone & iPad.
126
Elmer-DeWitt, P. (March 13, 2011). Piper Jaffray: iPad 2 totally sold out, 70% to new buyers, Cable
News Network. Retrieved from http://tech.fortune.cnn.com/2011/03/13/piper-jaffray-ipad-2-totallysold-out-70-to-new-buyers/
Gómez-Miralles, L., & Arnedo-Moreno, J. (2011). Universal, fast method for iPad forensics imaging
via USB adapter. Paper presented at the 2011 Fifth International Conference on Innovative Mobile
and Internet Services in Ubiquitous Computing, Korea
Geyer, M., & Felske, F. (2011). Consumer toy or corporate tool: the iPad enters the workplace.
interactions, 18(4), 45-49. doi: 10.1145/1978822.1978832
GitHub. (2011). mdbackup-organiser, from https://github.com/echoz/mdbackup-organiser
Goldberg, K. H., & Castro, E. (2008). XML: Peachpit Press.
Halliday, J. (March 2, 2011). iPad 2 launch: live coverage of Apple's announcement. Retrieved from
http://www.guardian.co.uk/technology/2011/mar/02/ipad-2-launch-apple-announcement-live
Hoog, A., & Strzempka, K. (2011). IPhone and IOS Forensics: Investigation, Analysis and Mobile
Security for Apple IPhone, IPad and IOS Devices: Elsevier Science.
Husain, M. I., Baggili, I., & Sridhar, R. (2011). A Simple Cost-Effective Framework for iPhone
Forensic Analysis. Paper presented at the Digital Forensics and Cyber Crime: Second International
ICST
Conference
(October
4-6,
2010)
Abu
Dhabi,
United
Arab
Emirates.
http://books.google.ae/books?id=fiDXuEHFLhQC
KatanaForensics. (2011a). Lantern Light, from http://katanaforensics.com/forensics/lantern-lite/
KatanaForensics. (2011b). Lantern Version 2.0, from http://katanaforensics.com/forensics/lantern-v20/
KrollOntrack. (2011). Tablet Forensics – A Look at the Apple iPad®, from
http://www.krollontrack.com/resource-library/legal-articles/imi/tablet-forensics-a-look-at-the-appleipad/?utm_source=Newsletter&utm_medium=Email&utm_campaign=IMISept2011&utm_content=image
LeMere, B. (2010). Logical Backup Method, from
http://dev.iosforensics.org/acquisition/acquisition_logical_method.html
Ley, S. (2011). Processing iPhone / iPod Touch Backup Files on a Computer from
http://www.appleexaminer.com/iPhoneiPad/iPhoneBackup/iPhoneBackup.html
Miles, S. (January 27, 2010). Apple tablet unveiled as the iPad, Pocket-lint Retrieved from
http://www.pocket-lint.com/news/31084/steve-jobs-launches-ipad-apple-tablet
Morrissey, S. (2010). IOS Forensic Analysis: for IPhone, IPad and IPod Touch: Apress.
NIST. (2003). CFTT Methodology Overview, from
http://www.cftt.nist.gov/Methodology_Overview.htm
Pilley, J. (October 8, 2010). iPad and Smartphone Digital Forensics, from
http://www.articleslash.net/Computers-and-Technology/Computer-Forensics/578641__iPad-andSmartphone-Digital-Forensics.html
Punja, S. G., & Mislan, R. P. (2008). Mobile Device Analysis. SMALL SCALE DIGITAL DEVICE
FORENSICS JOURNAL, 2(1).
ReincubateLtd. (2011). iPhone Backup Extractor, from www.iphonebackupextractor.com
ROYVANRIJN. (April 21, 2011). Reading iPhone GPS data from backup (with Java), from
http://www.redcode.nl/blog/2011/04/reading-iphone-gps-data-from-backup-with-java/
127
SearchSecurity.com. (2011). certificate authority (CA), from
http://searchsecurity.techtarget.com/definition/certificate-authority
128
MULTI-PARAMETER SENSITIVITY ANALYSIS OF A
BAYESIAN NETWORK FROM A DIGITAL FORENSIC
INVESTIGATION
Richard E. Overill
Department of Informatics
King’s College London
Strand, London WC2R 2LS, UK
+442078482833
+442078482588
[email protected]
Echo P. Zhang
Department of Computer Science
University of Hong Kong
Pokfulam Road, Hong Kong
+85222417525
+85225998477
[email protected]
Kam-Pui Chow
Department of Computer Science
University of Hong Kong
Pokfulam Road, Hong Kong
+85228592191
+85225998477
[email protected]
ABSTRACT
A multi-parameter sensitivity analysis of a Bayesian network (BN) used in the digital forensic
investigation of the Yahoo! email case has been performed using the principle of ‘steepest gradient’ in
the parameter space of the conditional probabilities. This procedure delivers a more reliable result for
the dependence of the posterior probability of the BN on the values used to populate the conditional
probability tables (CPTs) of the BN. As such, this work extends our previous studies using singleparameter sensitivity analyses of BNs, with the overall aim of more deeply understanding the
indicative use of BNs within the digital forensic and prosecutorial processes. In particular, we find that
while our previous conclusions regarding the Yahoo! email case are generally validated by the results
of the multi-parameter sensitivity analysis, the utility of performing the latter analysis as a means of
verifying the structure and form adopted for the Bayesian network should not be underestimated.
Keywords: Bayesian network; digital forensics; multi-parameter sensitivity analysis; steepest
gradient.
1. INTRODUCTION
The use of Bayesian networks (BNs) to assist in digital forensic investigations of e-crimes is
continuing to increase [Kwan, 2008; Kwan, 2010; Kwan, 2011] since they offer a valuable means of
reasoning about the relationship between the recovered (or expected) digital evidential traces and the
129
forensic sub-hypotheses that explain how the suspected e-crime was committed [Kwan, 2008].
One of the principal difficulties encountered in constructing BNs is to know what conditional
probability values are appropriate for populating the conditional probability tables (CPTs) that are
found at each node of the BN. These values can be estimated by means of a survey questionnaire of a
group of experienced experts [Kwan , 2008] but as such they are always open to challenge. There are
also a number of alternative methods for estimating CPT values, including reasoning from historical
databases, but none are entirely exempt from the potential criticism of lacking quantitative rigour. In
these circumstances it is important to know how sensitive the posterior output of the BN is to the
numerical values of these parameters. If the degree of sensitivity can be shown to be low then the
precise values adopted for these parameters is not critical to the stability of the posterior output of the
BN.
In this paper we generalize the concept of sensitivity value introduced by Renooij and van der Gaag
[Renooij, 2004] to a multi-parameter space and adapt the concept of steepest gradient from the domain
of numerical optimization to define a local multi-parameter sensitivity value in the region of the
chosen parameter set. This metric defines the steepest gradient at the chosen point in the parameter
space, which is a direct measure of the local multi-parameter sensitivity of the BN. It should be
emphasised that in this work we are not aiming to optimize either the conditional probabilities or the
posterior output of the BN as was the case with the multi-parameter optimization scheme of Chan and
Darwiche [Chan, 2004]; our objective here is to measure the stability of the latter with respect to
simultaneous small variations of the former by determining the steepest local gradient in the multiparameter space.
2. SENSITIVITY ANALYSIS
A number of types of BN sensitivity analysis have been proposed. The most straightforward, although
tedious, is the direct manipulation method which involves the iterative variation of one parameter at a
time, keeping all the others fixed. This single-parameter approach was used to demonstrate the low
sensitivity of the BitTorrent BN in [Overill, 2010]. Three somewhat more sophisticated approaches to
single-parameter sensitivity analysis, namely, bounding sensitivity analysis, sensitivity value analysis
and vertex likelihood analysis were proposed in [Renooij, 2004], and were each applied to the Yahoo!
Email BN to demonstrate its low sensitivity in [Kwan, 2011]. However, a valid criticism of each of
these single-parameter approaches is that the effect of simultaneous variation of the parameters is not
considered. The multi-parameter sensitivity analysis scheme proposed in [Chan, 2004] requires the
determination of kth-order partial derivatives with an associated computational complexity of
O(n
in order to perform a k-way sensitivity analysis on a BN of tree-width w with n
parameters where F(Xi) is the size of CPT i. In order to develop a computationally tractable approach
to local multi-parameter BN sensitivity analysis, we have generalized the original concept of the
single-parameter sensitivity value [Renooij, 2004] to multi-parameter space and then applied the
steepest gradient approach from numerical optimization to produce a metric for the local (or
instantaneous) multi-parameter sensitivity value at the selected point in parameter space.
3. YAHOO! CASE (HONG KONG)
3.1 Background of Yahoo! Case (Hong Kong)
On April 20, 2004, Chinese journalist Shi Tao used his private Yahoo! email account and sent a brief
of Number 11 document which was released by the Chinese government that day, to an overseas web
site called Asia Democracy Foundation. When the Chinese government found it out, Beijing State
Security Bureau requested the e-mail service provider, Yahoo! Holdings (Hong Kong) to provide
details of the sender’s personal information, like identifying information, login times, and e-mail
contents. According to Article 45 of the PRC Criminal Procedure Law (“Article 45”), Yahoo! Holding
(Hong Kong) was legally obliged to comply with the demand. Mr. Shi was accused with the crime of
130
“providing state secrets to foreign entities.” After the course of investigation, Mr. Shi was convicted
and sentenced to ten years in prison in 2005 [Case No. 29, 2005].
In [Cap.486, 2007], it mentioned that:
“In the verdict (the “Verdict”) delivered by the People’s Court on 27 April 2005, it stated that Mr.
Shi had on 20 April 2004 at approximately 11:32 p.m. leaked information to “an overseas hostile
element, taking advantage of the fact that he was working overtime alone in his office to connect
to the internet through his phone line and used his personal email account ([email protected]) to send his notes. He also used the alias ‘198964’ as the name of the
provider …”. The Verdict reported the evidence gathered to prove the commission of the offence
which included the following: “Account holder information furnished by Yahoo! Holdings (Hong
Kong) Ltd., which confirms that for IP address 218.76.8.21 at 11:32:17 p.m. on April 20, 2004,
the corresponding user information was as follows: user telephone number: 0731-4376362 located
at the Contemporary Business News office in Hunan; address: 2F, Building 88, Jianxing New
Village, Kaifu District, Changsha.”
3.2 Digital Evidence in Yahoo! Case (Hong Kong)
From the above verdict, we can tell that the information provided by Yahoo! Holdings (Hong Kong)
Ltd. is taken as the digital evidences in the court. Since we utilize a Bayesian Network as our analysis
model, we have to construct a Hypothesis-Evidence system. In this case, the main (or root) hypothesis
is:
Hypothesis H0: “The seized computer has been used to send the material document as an
email attachment via a Yahoo! Web mail account”
Under the main hypothesis, we have six sub-hypotheses and their corresponding evidences which are
listed below:
Table 1 Sub-hypothesis H1: Linkage between the
material document and the suspect’s computer.
ID
Description
DE1
The subject document exists
in the computer
DE2
The “Last Access Time” of
the subject file lags behind
the IP address assignment
time by the ISP
Digital
DE3
The “Last Access Time” of
the subject file lags behind
or closes to the sent time of
the Yahoo! email
Digital
suspect and his computer.
Evidence
Type
ID
Digital
PE1
The suspect was in physical
possession of the computer
Physical
DE4
Files in the computer reveals
the identity of the suspect
Digital
131
Description
Evidence
Type
suspect and the ISP
ID
Description
DE5
The ISP subscription details
(including the assigned IP
address) matches the
suspect’s particulars
suspect and Yahoo! email account
ID
Evidence
Type
Digital
computer and the ISP
ID
Description
DE7
Configuration setting of the
ISP Internet account is
found in the computer
Digital
DE8
Log data confirms that the
computer was powered up
at the time when the email
was sent
Digital
DE9
Web browsing program
(e.g. Internet Explorer) or
email user agent program
(e.g. Outlook) is found
activated at the time the
email was sent
Digital
DE10
Log data reveals the
assigned IP address and the
assignment time by the ISP
to the computer
Digital
DE11
ISP confirms the
assignment of the IP
address to the suspect’s
account
Digital
DE6
Description
Evidence
Type
The subscription details
(including the IP address
that sent the email) of the
Yahoo! email account
matches the suspect’s
particulars
Digital
computer and Yahoo! email account
Evidence
Type
ID
Description
DE12
Internet history logs reveal
the access of the Yahoo!
email account by the
computer
Digital
DE13
Internet cached files reveal
the subject document has
been sent as an attachment
via the Yahoo! email
account
Digital
DE14
Yahoo! confirms the IP
address of the Yahoo!
email with the attached
document
Digital
Evidence
Type
3.3 CPT values for Sub-Hypothesis and Evidence in Yahoo! Case (Hong Kong)
Before we set up the Bayesian Network, we have to obtain the CPT values of sub-hypothesis and
evidence. In this study, all of the probability values are assigned by subjective beliefs based on expert
professional opinion and experience in digital forensic analysis [Kwan, 2011]. From Table-7, we can
132
see there are two states for hypothesis H0 – “yes” and “no”, and also for sub-hypotheses H1 to H6. For
the CPT values between sub-hypothesis and evidence, there are still two states for each sub-hypothesis
– “yes” and “no”, but three states for each evidence – “yes”, “no” and “uncertain”. State “uncertain”
means the evidence cannot be concluded to be either positive (“yes”) or negative (“no”) after
examination of the evidence.
Table 7 Likelihood value for sub-hypothesis H1 to H6 given hypothesis H
H1, H5, H6
H2, H3, H4
State
“yes”
“no”
“yes”
“no”
H = “yes”
0.65
0.35
0.8
0.2
H = “no”
0.35
0.65
0.2
0.8
Table 8 Conditional probability values for DE1 to DE3 given
sub-hypothesis H1
DE1
Table 9 Conditional probability values
for DE4 given sub-hypothesis H2
DE4
DE2, DE3
State
yes
no
u
yes
no
u
State
yes
no
u
H1 = yes
0.85
0.15
0
0.8
0.15
0.05
H2 = yes
0.75
0.2
0.05
H1 = no
0.15
0.85
0
0.15
0.8
0.05
H2 = no
0.2
0.75
0.05
Table 10 Conditional probability values for DE5
given sub-hypothesis H3
Table 11 Conditional probability values for DE6
given sub-hypothesis H4
DE6
DE5
State
yes
no
u
State
yes
no
u
H3 = yes
0.7
0.25
0.05
H4 = yes
0.1
0.85
0.05
H3 = no
0.25
0.7
0.05
H4 = no
0.05
0.9
0.05
Table 12 Conditional probability values for DE7 to DE11 given sub-hypothesis H5
DE7, DE8, DE10
DE9, DE11
State
yes
no
u
yes
no
u
H5 = yes
0.7
0.25
0.05
0.8
0.15
0.05
H5 = no
0.25
0.7
0.05
0.15
0.8
0.05
133
Table 13 Conditional probability values for DE12 to DE14 given sub-hypothesis H6
DE12, DE13
DE14
State
yes
no
u
yes
no
u
H6 = yes
0.7
0.25
0.05
0.8
0.15
0.05
H6 = no
0.25
0.7
0.05
0.15
0.8
0.05
4. LOCAL MULTI-PARAMETER SENSITIVITY VALUE
4.1 Conditional Independence
Before we proceed with the multi-parameter sensitivity value, we have to discuss the relationship
between each sub-hypothesis and its set of evidences. In the Yahoo! case, the connections between
sub-hypothesis and evidences belong to the class of diverging connections in a Bayesian network
[Taroni, 2006] (see Figure 1). In a diverging connection model, E1 and E2 are conditionally
independent given H. This means that: (1) with the knowledge of H, the state of E1 does not change
the belief about the possible states of E2.
; (2) without the
knowledge of H, the state of E1 provides information about the possible states of E2.
H
E2
E1
Figure 1: Diverging Connection Bayesian Network
In general, we cannot conclude that E1 and E2 are also conditionally independent given . However,
for some special cases, if there are only two possible (mutually complementary) values for H, H={H1,
H2}, then given “H=H1”, E1 and E2 are conditionally independent, while, given “H=H2”, E1 and E2 are
also conditionally independent. Hence we can conclude that E1 and E2 are also conditionally
independent given .
4.2 Multi-Parameter Sensitivity Value
Under the standard assumption of proportional co-variation [Renooij, 2004] the theorems
characterizing the algebraic structure of marginal probabilities [Castillo, 1997] permit the singleparameter sensitivity function of [Renooij, 2004] to be generalized to the multi-parameter case as
follows:
If the parameters are given by x = (x1, …, xn) then the sensitivity function F is given by the multilinear quotient:
The components of the gradient vector are given by:
134
The multi-parameter sensitivity value is the value of the steepest gradient at the point x and is given by
the Euclidean norm of the gradient vector
:
This last result follows from the first order Taylor expansion of F:
(4)
In principle the multi-linear forms in the numerator and the denominator of F are both of order n and
contain 2n terms leading to expressions for each
containing 22n terms in both numerator and
denominator. However, this analysis does not take into account the conditional dependencies implied
by the structure of the BN. If the BN can be represented as a set of m sub-hypotheses Hj (j=1, m), each
of which is conditionally dependent on a disjoint subset Ei (i=1, n) containing nj (j=1,m) of the set of n
evidential traces, so that
, then the total number of parameters is given by
,
but each Hj is conditionally dependent only upon its own subset of nj evidential traces. This is known
as the local Markov property of the BN. Although the conditional probabilities associated with subhypothesis Hj will influence those associated with sub-hypothesis Hk (j≠k) via the process of
Bayesian inference propagation through the network [Kwan, 2008], to a reasonable first
approximation the sensitivity values for each sub-hypothesis may be evaluated by disregarding these
indirect effects. Then, for the sub-hypotheses
is a multi-linear quotient of order m, while for the
evidential traces associated with sub-hypothesis Hj
is a multi-linear quotient of order nj. The
Markov factorisation of the BN thus substantially reduces the number of terms involved in the
expressions for
and
. Nevertheless a symbolic algebraic manipulation program, such as
MatLab [MathWorks, 2011], is required to perform the differentiations and computations reliably for a
BN representing a real-world situation such as the Yahoo! email case.
In order to derive the coefficients of the multinomial quotient for
formula for the likelihood conditional probability is:
we proceed as follows. Bayes’
Considering the conjunctive combination of the evidential traces {E1, E2, …, En}, (5) transforms into:
Then we obtain the multi-parameter posterior probability as:
Here,
As mentioned in Section 4.1, given H, E1, E2, …, En are conditionally independent of each other.
Therefore,
According to the definition of conditional independence, we cannot in general assume that E1, E2, …,
135
En are conditionally independent of each other under . However, in the specific Yahoo! email case,
there are only two possible (mutually complementary) states for each hypothesis. Therefore, we also
have:
Denoting
,
, …,
by x1, x2, … xn, and
by c1, c2, … cn, we obtain the multi-parameter Sensitivity Function as:
As
an
un-biased
pre-condition,
it is usual to
, so (11) simplifies to:
take
,
the
prior
, …,
probabilities
as:
When finding the sensitivity value of the posterior of the root node H0, it is necessary to use a variant
of (3), namely, the weighted Euclidean norm of the sensitivity values of the individual sub-hypotheses:
where
is the multi-parameter sensitivity value of sub-hypothesis is the multi-parameter
sensitivity value of sub-hypothesis j as given by (3), reflecting the different contributions of the
individual sub-hypotheses to the posterior of H0.
5. RESULTS AND DISCUSSION
In Table 14 the multi-parameter sensitivity values for each sub-hypothesis of BN for the Yahoo! case
[Kwan, 2011] are set out and compared with the corresponding single-parameter sensitivity values
from [Kwan, 2011]. Before proceeding to discuss these results, however, it should be mentioned at
this point that while validating the MatLab code for the multi-parameter sensitivity values, a number
of numerical discrepancies were noted when reproducing the previously reported single-parameter
sensitivity values ([Kwan, 2011], Table 4). All but one of these discrepancies are not numerically
significant in terms of the conclusions drawn; however, in the case of digital evidential trace DE6 the
correct sensitivity value is actually 2.222, not 0.045, which implies that the effect of DE 6 on the
posterior of H4 should be significant. This revised result brings the single-parameter sensitivity value
for DE6 into line with the vertex proximity value for DE6 ([Kwan, 2011], Table 5) which indicated that
the posterior of H4 is indeed sensitive to variations in DE6, thereby resolving the apparent
disagreement between the two sensitivity metrics for the case of DE 6 noted in [Kwan, 2011]. The
corrected results for the single-parameter sensitivity values are given in Table 14 below. However, a
review of sub-hypothesis H4 reveals that it is not critical to the prosecution case since its associated
evidence DE6 is only weakly tied into the case; the fact that Mr Shi registered with Yahoo! for a
webmail account at some time in the past cannot be assigned a high probative value and this is
reflected in the ‘non-diagonal’ structure of the corresponding CPT (see Table 11), unlike all the other
CPTs in this BN.
It is reasonable to interpret the significance of a sensitivity value by comparing it with unity [Renooij,
2004; Kwan, 2011]; a value below unity implies a lack of sensitivity to small changes in the associated
conditional probability parameters, and vice versa. In other words, a sensitivity value less than unity
implies that the response of the BN is smaller than the applied perturbation. It cannot be assumed that
single-parameter sensitivity values as computed in [Kwan, 2011] are necessarily either smaller or
136
larger than the corresponding multi-parameter sensitivity values computed here, since the form of the
sensitivity function being used is not identical. In the Yahoo! email case, three of the sub-hypotheses,
namely H2, H3 and H4, are associated with only a single evidential trace so each of their sensitivity
values is unchanged in the multi-parameter analysis. Of the three remaining sub-hypotheses, H1 and H6
both have three associated evidential traces whereas H5 has five.
Table 14: Single- and multi-parameter sensitivity values for H1 – H6 of the Yahoo! email case
Digital
Evidence
Single-parameter
Sensitivity value
Component j
of Multiparameter
Sensitivity value
DE1
0.1500
0.0125
DE2
0.1662
0.0134
DE3
0.1662
0.0134
H2
DE4
0.2216
0.2216
0.2216
H3
DE5
0.2770
0.2770
0.2770
H4
DE6
2.2222
2.2222
2.2222
DE7
0.2770
0.0051
DE8
0.2770
0.0051
DE9
0.1662
0.0045
DE10
0.2770
0.0051
DE11
0.1662
0.0045
DE12
0.2770
0.0565
DE13
0.2770
0.0565
DE14
0.1662
0.0494
Sub-hypothesis
H1
H5
H6
Multi-parameter
Sensitivity value
0.0225
0.0110
0.0939
From Table 14 it will be noted that, with the exception of the somewhat anomalous case of H4
discussed earlier, the largest multi-parameter sensitivity value is an order of magnitude smaller than
the smallest of the single-parameter sensitivity values reported previously [Kwan, 2011]. This finding
is at first sight somewhat surprising in that it might be expected that permitting many parameters to
vary simultaneously would produce the opportunity for greater sensitivity values to be found.
However, it must be remembered that, unlike the case of classical numerical optimization, the
parameters of the BN are not completely independent due to the conditional independence referred to
in Section 4.1 as well as the interdependence produced by the propagation of belief (posterior
probabilities) through the BN [Kwan, 2008]. In certain circumstances, these forms of co-variance can
result in smaller multi-parameter sensitivity values than might otherwise have been anticipated, as
explained below.
In Table 15 we give the single- and multi-parameter sensitivity values for the root node H0. The multiparameter sensitivity value is computed using the weighted Euclidean norm given in (12).
137
Table 15: Single- and multi-parameter sensitivity values for H0 of the Yahoo! email case
Root
hypothesis
H0
Subhypothesis
Singleparameter
Sensitivity
value
Component
of
Multiparameter
Sensitivity
value
H1
0.3500
0.0064
0.0225
H2
0.2000
0.0030
0.2216
H3
0.2000
0.0030
0.2770
H4
0.2000
0.0030
2.2222
H5
0.3500
0.0037
0.0110
H6
0.3500
0.0037
0.0939
Weight of
Component
Multiparameter
Sensitivity
value
0.0052
The multi-parameter sensitivity results in Tables 14 and 15 raise a number of important issues for
discussion. Firstly, it appears that a multi-parameter sensitivity analysis should be performed in every
case in which a BN is used to reason about digital evidence. Since a multi-parameter sensitivity
analysis can often yield substantially different sensitivity values from a single-parameter sensitivity
analysis, it is necessary to assess the sensitivity of the posterior output of the BN as rigorously as
possible before putting forward forensic conclusions based on that BN. In the present Yahoo! email
case we found consistently smaller multi-parameter sensitivity values than the corresponding singleparameter results, but further investigations have shown that this is by no means a universal trend. By
creating CPTs with different ratios of ‘diagonal’ to ‘off-diagonal’ values we have been able to explore
the circumstances under which the multi-parameter sensitivity analysis is likely to yield larger values
than the corresponding single-parameter analysis. Table 16 offers a few such examples. In particular
we find that when the structure of one or more CPT tables deviates significantly from the typical
‘diagonal’ form, as was the case with H4-DE6 here, then the single- and multi-parameter sensitivity
values will increase towards and quite possibly exceed unity. This observation can be understood as
follows: A typically ‘diagonal’ CPT signifies that the truth or falsehood of the sub-hypothesis strongly
predicts the presence or absence of the associated evidence; they are logically tightly-coupled, which
is a highly desirable property. An anomalously ‘non-diagonal’ CPT, however, signals that there is
little correlation between the truth of the sub-hypothesis and the presence or absence of the evidence.
In other words, the evidence is a very poor indicator of the truth of the sub-hypothesis, and does not
discriminate effectively. This manifests itself as a steep gradient on the associated CPT parameters’
hyper-surface indicating the direction of a ‘better’ choice of parameters. Similarly, a combination of
‘diagonal’ and ‘non-diagonal’ CPTs associated with the same sub-hypothesis can create a numerical
tension or balance between the belief reinforcing effects propagated by the former and the belief
weakening effects propagated by the latter, resulting in an increased sensitivity value.
Secondly, the above observations lead us to propose that single- and multi-parameter sensitivity
analyses can be effectively employed to test an existing BN for logical consistency between its subhypotheses and their associated evidences, through the CPT values. If the single- or multi-parameter
sensitivity analysis results suggest that the BN’s posterior output is sensitive to the values of one of
more of the BN’s CPTs, it is necessary to review those CPT values critically with a view to possibly
revising them, after which the single- or multi-parameter sensitivity analysis should be repeated. It
should be noted, however, that this is not equivalent to optimizing the posterior output BN with
138
respect to the CPT values. Rather, it is using the sensitivity analysis to highlight possible issues in the
process by which the original CPT values were generated. If repeated reviews of the CPT values do
not lead to a stable posterior output from the BN, this would suggest that the structure of the BN or of
the underlying sub-hypotheses and their associated evidential traces concerning the way in which the
digital crime was committed, may be faulty and require revision. We recall that this was the case with
H4-DE6 in the present study. Note, in particular, that the single-parameter sensitivity results in Table
16 would not necessarily cause concern, while the corresponding multi-parameter results clearly
indicate a serious sensitivity problem. Hence we contend that in general single-parameter sensitivity
analyses are not sufficient in and of themselves and we recommend that multi-parameter sensitivity
analyses should be undertaken as a matter of course.
A final, and more general, consideration is whether there are any special characteristics of digital
forensic analysis which would dictate that the requirements of a sensitivity analysis should differ from
traditional forensics. Because digital forensics is a much more recent discipline than most of
traditional forensics there has been less time for it to establish a corpus of verified knowledge and a
‘track record’ of demonstrably sound methodologies. This means that digital forensics needs to strive
to establish itself as a mature scientific and engineering discipline, and routinely performing sensitivity
analyses is one means of helping to achieve this goal. Indeed, it may result in the analytical methods of
traditional forensics being required to proceed in a similar fashion in order to avoid the imputation of
‘reasonable doubt’ by wily defence lawyers.
Table 16: Some examples of other CPT values yielding large multi-parameter sensitivity values
Subhypothesis
H1
H2
Singleparameter
Sensitivity
value
Digital
Evidence
DE1
0.7
0.3
0.300
DE2
0.3
0.7
0.300
DE3
0.3
0.65
0.7202
DE4
0.7
0.25
0.2770
DE5
0.6
0.3
0.3704
DE6
0.3
0.65
0.7202
DE7
0.4
0.55
0.6094
Multiparameter
Sensitivity value
2.4448
1.8680
6. CONCLUSIONS
In this paper we have described a multi-parameter sensitivity analysis on the BN from the Yahoo!
email case. . As a result of the present analysis, it can be concluded that one the Yahoo! email subhypotheses (H4) exhibits a significant degree of single- and multi-parameter sensitivity and hence its
associated evidence and conditional probabilities should be reviewed. That review indicated that while
the CPT was in fact quite accurate, it represented a poor choice of evidence and sub-hypothesis which
should either be discarded or revised.
More generally, we have shown that the definition and computation of local multi-parameter
sensitivity values is made feasible for BNs describing real-world digital crimes by the use of a
symbolic algebra system such as Matlab [MathWorks, 2011] to evaluate the steepest gradient
analytically.
Finally, we should reiterate that the principal aim of this work is to devise a metric to assess the
139
instantaneous (or local) stability of a BN with respect to the values chosen to populate its CPTs. The
value of such a metric is that it enables the digital forensic examiner to know whether or not the set of
conditional probabilities chosen to populate the CPTs of the BN lies on a flat or a steep part of the
hyper-surface in parameter space. The problem of attempting to find local (or global) optima on the
parametric hyper-surface of a BN is a separate issue which has been addressed elsewhere [CD04].
ACKNOWLEDGEMENT
The work described in this paper was partially supported by the General Research Fund from the
Research Grants Council of the Hong Kong Special Administrative Region, China (Project No. RGC
GRF HKU 713009E), the NSFC/RGC Joint Research Scheme (Project No. N_HKU 722/09), HKU
Seed Fundings for Applied Research 201102160014, and HKU Seed Fundings for Basic Research
201011159162 and 200911159149.
REFERENCES
Castillo, E., Gutierrez, J.M. and Hadi, A.S. (1997), “Sensitivity Analysis in Discrete Bayesian
Networks”, IEEE Trans. Systems, Man & Cybernetics, Pt. A, 27 (4) 412 – 423.
Chan, H. and Darwiche, A., (2004) ‘Sensitivity Analysis in Bayesian Networks: From Single to
Multiple Parameters’, 20th Conference. on Uncertainty in Artificial Intelligence, July 7-11, Banff,
Canada
Report published under Section 48(2) of the Personal Data (Privacy) Ordinance (Cap.486) (2007),
issued by Office of the Privacy Commissioner for Personal Data, Hong Kong,
http://www.pcpd.org.hk/english/publications/files/Yahoo_e.pdf (accessed on 14 March 2007)
First Instance Reasons for Verdict of the Changsha Intermediate People’s Court of Hunan Province
(2005), delivered by the Changsha Intermediate Criminal Division One Court, in Case No. 29 of 2005,
China. http://lawprofessors.typepad.com/china_law_prof_blog/files/ShiTao_verdict.pdf (accessed on 9
October 2010).
Kwan, M., Chow, K., Law, F. and Lai.P.,(2008) ‘Reasoning about evidence using Bayesian networks’,
Advances in Digital Forensics IV, Springer, Boston, Mass., pp.275-289.
Kwan, Y.K., Overill, R.E., Chow, K.-P., Silomon, J.A.M., Tse, H., Law, Y.W. and Lai, K.Y., (2010)
‘Evaluation of Evidence in Internet Auction Fraud Investigations’, Advances in Digital Forensics VI,
Springer, Boston, Mass., pp.121-132,
Kwan, M., Overill, R., Chow, K.-P., Tse, H., Law, F. and Lai, P., (2011) ‘Sensitivity Analysis of
Digital Forensic Reasoning in Bayesian Network Models’, Advances in Digital Forensics VII,
Springer, Boston, Mass., pp.231-244.
MathWorks (2011) MatLab: http://www.mathworks.co.uk/ (accessed on 11 November 2011).
Overill, R.E., Silomon, J.A.M., Kwan, Y.K., Chow, K.-P., Law, Y.W. and Lai, K.Y. (2010),
‘Sensitivity Analysis of a Bayesian Network for Reasoning about Digital Forensic Evidence’, 4th
International Workshop on Forensics for Future Generation Communication Environments, August
11-13, Cebu, Philippines.
Renooij, S. and van der Gaag, L.C. (2004), ‘Evidence-invariant Sensitivity Bounds’. 20th Conference
on Uncertainty in Artificial Intelligence, July 7-11, Banff, Canada.
Taroni, F., Aitken, C., Garbolino, P., and Biedermann, A. (2006), Bayesian Network and Probabilistic
Inference in Forensic Science, John Wiley & Sons Ltd., Chichester, UK.
140
FACILITATING FORENSICS IN THE MOBILE
MILLENNIUM THROUGH PROACTIVE ENTERPRISE
SECURITY
Andrew R. Scholnick
SNVC LC
ABSTRACT
This work explores the impact of the emerging mobile communication device paradigm on the
security-conscious enterprise, with regard to providing insights for proactive Information Assurance
and facilitation of eventual Forensic analysis. Attention is given to technology evolution in the areas
of best practices, attack vectors, software and hardware performance, access and activity monitoring,
and architectural models.
Keywords: Forensics, enterprise security, mobile communication, best practices, attack vectors.
1. INTRODUCTION
The exploding popularity of smartphone technology has greatly outpaced related advancements in the
area of information security. Exacerbating this problem is the fact that few organizations properly
understand the new contexts in which security is (and is not) an applicable concern. As a result, many
enterprises that should be concerned about the security posture of their smartphone device users are, in
actuality, unknowingly at risk of being compromised. These evolutionary changes regarding
communications technology have precipitated a need to rethink both the interrelationships and the
distinguishing factors influencing information security in enterprise voice and data infrastructure.
With ever-expanding functional capabilities and the ever increasing nuances they impose on
information security models, a new way of thinking about enterprise security is needed. At a time
when many traditional enterprise infrastructures are only now acclimating to models integrating
internet presence and/or VOIP capabilities, and while they are still reeling to accommodate the
emergence of social media concerns, the new breed of mobile devices which have emerged since the
introduction of the iPhone and the iPad have shattered old paradigms for data protection by
introducing entirely new methods for transporting and accessing data and data networks.
Paramount within the discussion of how data security issues have been impacted by these evolving
technologies is an understanding of the significant paradigm shifts which are emerging in the digital
and communications worlds. The still-embryonic emergence of personally-focused digital mobility,
which is itself an outgrowth of changes in wireless communications capabilities, has triggered a fast
and furious stream of innovations which are continuing to revolutionize how people think about their
personal manner of interaction with all aspects digital technology, especially with regard to
professional assets available from their employer’s enterprise environments. Overall, the confusion
surrounding rapid evolution in any technology arena often results in draconian posturing from the
enterprise security community until such time as things become more ‘sorted out’1. This document
attempts to identify the current primary areas of confusion surrounding secure adoption of mobile
technology, and examines the impact of the current paradigm shifts on the enterprise by evaluating the
security of both the underlying communications technologies in play and the resulting changes in
access technologies being built to exploit their evolving capabilities. Working within the context of
this paradigm shift, information assurance and enterprise security issues are considered and problems
regarding the enablement of better and more informative forensic tools are discussed.
1
Gallagher, Sean (2012), “Why the next ‘ObamaBerry’ might run Android or iOS”,
http://arstechnica.com/business/news/2011/11/will-the-next-obamaberry-be-a-nexus-or-an-ipad.ars, 28-JAN-2012
141
2. THE NEW PARADIGM
“What does it do?” This is a question which has probably greeted major advancements in technology
since the invention of the wheel. The answers to this question can have profound implications in the
realm of security. Nowhere is this truer than with the introduction of mobile phones into the enterprise
environment. When first introduced, for example, one might have reasonably surmised that these
devices were ‘just wireless phones’. As the technology evolved however, they quickly incorporated
the basic functionality of pagers – an advance which has further evolved into the Simple Message
Service (SMS) text messaging capability prevalent today. Further evolution of the devices allowed for
the incorporation of cameras, geo-location technology, and practical computer-equivalent
functionality. This evolutionary metamorphosis has introduced powerful technological changes which
represent a considerable shift in the overall security posture of the mobile phone.
What was once a simple voice communication tool is now a powerful ‘Swiss army knife’ offering a
wealth of ever increasing capabilities2 with an ever broadening spectrum of potential points of
compromise. In short, a potential nightmare for any organization concerned with information security.
Unfortunately, the technological changes have been so pervasive, and adoption of the resulting
computer powered multifunction portable communication technology (better known as ‘smartphone’
or ‘smart device’ technology) has occurred so rapidly, that accurate and appropriate identification of
potential security risks has not kept up, resulting in a growing concern for impending crisis3.
2.1 An Evolutionary Shift
Key to understanding the shift in paradigms is a need to appreciate the factors driving modern-day
technological change. Today’s workforce has learned that it is possible to have access to high quality
business resources regardless of where they are, when they want it, or what type of device (desktop,
laptop, tablet, or smartphone) they wish to use. Arguably, there are three primary categories of enduser demands which are contributing to the still-evolving technology solutions coming into
prominence:

Simplicity – easy to use, well integrated, interoperable

Performance – high speed, full color, real time

Comfort – safe to use, feels good, easy to access
The breakthroughs in communications technology represented by the new breed of mobile devices
have fueled a headlong charge by innovators striving to create newer and better resources for a
ravenous market. Resulting from this explosion of creative energy is a multifaceted shift in access
paradigms, usage models, and interaction scenarios which are necessitating the rethink of outdated
security practices4.
2.1.1 User Perception
At the heart of many current enterprise security problems is the rapidly emerging shift in social
attitudes towards digital communication capabilities. Succinctly, the user community knows it is now
possible to integrate everything needed for doing business into a single device they can carry with
them at all times, and they want that greater flexibility and lower cost capability now. When
combined with the rapidly changing technological environment, this ‘I want it now’ attitude
2
Fei, Liang, (2012), “Mobile app market set for increased growth”,
http://www.globaltimes.cn/NEWS/tabid/99/ID/692610/Mobile-app-market-set-for-increased-growth-Gartner.aspx, 29-JAN2012
3
Thierer, Adam (2012), ‘Prophecies of Doom & the Politics of Fear in Cybersecurity Debates’,
http://techliberation.com/2011/08/08/prophecies-of-doom-the-politics-of-fear-in-cybersecurity-debates/, 28-JAN-2012
4
Simple Security (2012), “Mobile security market in for exponential growth”,
http://www.simplysecurity.com/2011/09/30/mobile-security-market-in-for-exponential-growth/, 31-JAN-2012
142
encourages potentially disastrous snap judgment decision-making which can result in impractical
security models based on outmoded demand, usage, management, and maintenance models. Thus, the
shifts in underlying communications technologies influencing this attitudinal progression embody
many of the primary factors to consider when defining an appropriate way forward.
2.1.2 Tools and Resources
For most people, the dynamic shift in the function, performance, and scope of communication tools
which is currently being experienced, can be summed up in two catch-phrases: social media and cloud
computing. These two areas of influence dovetail beautifully with the perpetual enterpriseorganization search to enhance collaboration and standardize capabilities. Therein lays the problem…
Powerful new technologies have already become ubiquitous for private use, and the modern worker is
demanding that they be allowed as business resources too. Powerful new search engines make it easy
to find data; but in most workplaces the user is still tied to the old-fashioned relational database.
Amazing and versatile collaboration environments are popping up all over the internet facilitating
geographically agnostic coordination and transfer of data among friends, classmates, families, job
seekers, and gossips; yet the average team leader must continue to ‘make do’ with email (if lucky,
with remote access), voicemail, conference rooms, and, where available, occasional access to a VPN
connection or video conference. Yet talk of new file sharing and desktop virtualization services
abound in the media, and 4G ‘hotspots’ are advertised at the local coffee shop. Meanwhile, at present,
few or none of these innovative tools and resources is provided to the workforce effectively by their
employment enterprise.
2.1.3 Boundary Changes
Who would have believed back in 2000 that security professionals in 2012 would look back at them,
nostalgically thinking about how much simpler things were? What once were clearly defined borders
for wire-line digital access and data-centric information security have morphed into a world of
network-integrated real-time video feeds, geolocation, universal access, and terabyte pocket-drives.
The combination of high-volume portability, target tracking, and unsecured endpoints has obsoleteed
many formerly effective best practices, virtually overnight. Because of these changes, information
believed to be well protected by firewalls and access controls is being found, with increasing
frequency, to be exposed in previously unanticipated ways.
3. CONCERNS OF THE ENTERPRISE
Yesterday’s designs for tomorrow’s solutions must be rewritten today. Sufficient information exists to
predict where infrastructure needs and technological capabilities are headed. Technology plans
derived based on goals statements established prior to 2010 should be considered suspect and
reviewed for necessary course-correction. Any such goals and plans derived prior to 2007 should be
reassessed with even greater prejudice. Why? Two words – iPhone (introduced in 2007) and iPad
(introduced in 2010). The introduction of these devices has revolutionized the way in which society
views everything in both the personal and business communications realms. The explosive emergence
of corresponding open source (Google Android) and proprietary (RIM Blackberry PlayBook)
commercially viable technology in the same arena require a reassessment of the very meaning behind
a concept like Enterprise Security. These new tools have redefined the framework upon which futurefacing productive work environments must be built. By analyzing the nature of these changes it
becomes possible to implement integrated proactive and reactive tools and architectures focused on
affordably and effectively protecting the enterprise.
3.1 Problem Definition
Within today’s multifaceted communications technology framework it has become necessary for
security professionals to identify logical areas for conceptual delineation and use them to define
appropriate methods for segmenting the overall security problem into more manageable pieces. This
143
section will identify three major areas of concern, and provide a high-level perspective for why they
are applicable to protecting the enterprise environment.
3.1.1 Technology Trends
Perhaps the most significant advancements in technology impacting the integration of mobile device
use with enterprise security models are the advent of both deployed 4G cellular networks, which offer
access to greater bandwidth, and cool-running quad-core CPU technology5 for use at the heart of
mobile devices. These advances present a ‘good news / bad news’ dichotomy to enterprise security
professionals. The bad news is that we can now expect to see more sophisticated and powerful attacks
against and through mobile devices (thanks to the CPU enhancements), and more damaging
exfiltrations capitalizing on the higher bandwidth. The good news is that more complex and effective
defenses are now possible, thanks also to the CPU and bandwidth enhancements.
3.1.2 Device Vulnerability
From an enterprise security standpoint, the most noteworthy threats represented by mobile devices
stem from three primary attack vectors: eavesdropping, infection, and theft. All three of these risks are
magnified by the lack of sufficient protection on mobile devices both through their operating systems
and the applications they run. Insufficient security-focused device management and control options
distress any enterprise operations team attempting to implement acceptable mobile device
management (MDM) solutions while ineffective application marketplace quality controls facilitate
unsuspecting installation of apps containing malware. Added to the already challenging problems
presented by browser exploitations and popular document viewer and other third-party tool
vulnerabilities6, the intricate problem of mitigating mobile device vulnerabilities can seem daunting.
3.1.3 Infrastructure Vulnerability
Depending upon specifics of the enterprise architecture, additional aspects of two attack vectors,
eavesdropping and infection, may exist. Again, the problem stems from insufficient security-focused
device management and control options available in device operating systems and resulting failures
presented by the diversity of MDM solutions currently available.
3.2 Understanding Protection Issues
The primary issues regarding protection of enterprise environments without impeding use of mobile
technology result from the intersection of two questions: what type of access does the user need (the
access model) and what will happen to the data being accessed (the usage model). By understanding
the answers to these questions, many of the necessary steps for providing effectual mitigations and for
facilitating development and implementation of responsive and dynamic forensics tools become selfevident. With this information in hand it is subsequently possible to define effective and
comprehensive security architectures for the modern enterprise.
3.2.1 Access Models
As identified earlier in this work, recent advances in technology are fueling the already explosive
evolution and adoption of mobile technologies in ways that are significantly impacting worker
perspectives and expectations. Consider, for example, that less than a decade ago the VPN was
generally considered to be an enterprise-level tool. Utilizing them to provide personal access into an
enterprise environment was deemed inappropriate for the vast majority of individual workers. In fact,
few workers actually requested such capabilities from their employers because the tools and network
5
Purewal, Sarah Jacobsson (2012), “Nvidia Quad Core Mobile Processors Coming in August”,
http://www.pcworld.com/article/219768/nvidia_quad_core_mobile_processors_coming_in_august.html, 30-JAN-2012
Quirolgico, Steve, Voas, Jeffrey and Kuhn, Rick (2011), “Vetting Mobile Apps”, Published by the
IEEE Computer Society, JUL/AUG 2011
6
144
connectivity required to properly utilize such access were prohibitively expensive. Even when costs
were not a major factor and where the enterprise environment supported such access, the personal
equipment and home connectivity used to exploit such access was often ponderously slow, rendering it
undesirable to many. In light of existing technology improvements, as well as looming exponential
performance leaps, this entire paradigm has become invalid.
Within the same span of time, technologies have emerged which allow an attacker to target resources
that were previously seen as well-protected. Email servers, customer service portals, limited access
kiosks, and other common tools and utilities have been, and continue to be, successfully compromised
by direct and indirect attack. Similarly, techniques believed sufficient to protect the data flowing to an
endpoint believed to be secure have proven to be just as lacking in veracity. Successful attacks against
cryptographic keys, security and authentication certificates, and even the protocols that utilize them
have been repeatedly in the news and recounted at numerous technical conferences. Introduction of
mobile device capabilities require that formerly improbable attack vectors be reevaluated and
mitigations and protections identified for use.
It should also be noted that the primary access models discussed below are generally used in
combination, to provide a form of defense-in-depth, by layering the overall security model. Thus,
while requiring a password for user authentication provides a degree of protection, collecting the
password from the user through an encrypted envelope (like an SSL tunnel) is even better. In fact,
encrypting the password before passing it through the tunnel can enhance protection of the
authentication credential even further.
3.2.1.1 Authentication
Arguably the oldest and most prominent access model used for computer security is password
authentication, where a secret is held by the user and shared with a system or application to gain
access. While more complex authenticators have evolved over the years (such as time-sensitive and
out-of-band tokens, biometric sensors, physical authentication credentials, and digital certificates), the
basic principle of this access model is that users must authenticate themselves to the system using
theoretically unimpeachable credentials such as one or more shared secret and/or dynamic
authenticators. The degree of geographic independence obtainable though introduction of mobile
technology to enterprise environments can severely upset the dependability of many, previously
trusted authenticators. Biometrics, for example, is virtually useless as a remote authenticator since the
assurance they provide as an authenticator is tied to physical presence. A security model that
considers accepting them remotely risks introduction of attack possibilities based on credential
counterfeiting and hijacking which would otherwise have been improbable or impossible within an
enterprise infrastructure. Similar issues exist for physical keying devices, such as DoD CAC and PIV
cards because their authentication data is static, and could thus be intercepted in transit, bypassing the
need to authenticate to their embedded credentialing.
3.2.1.2 Protective Tunneling of Data in Transit
Without straying into a lengthy discussion of the ultimate ineffectiveness of existing computer
encryption techniques, it should be taken as historically axiomatic that as computing power increases,
even the best encryption algorithms eventually get cracked. Since all data tunneling protocols rely on
some form of computer based encryption (such as SSL, TLS, and various VPN technologies) it must
be accepted that, until encryption technology becomes significantly advanced beyond current designs,
this particular weakness will be an ongoing threat. Fortunately, the evolution of more sophisticated
algorithms has effectively mitigated this risk until now. However, the protocols and underlying
software engines which are utilized to incorporate encryption into their various protection schemes
have, themselves, proven to be unnervingly susceptible to attack. (This particular threat vector is a
lingering and well-discussed security issue with impact beyond the direct scope of this work.)
145
Many infrastructure analysts believe that this lingering issue for securely moving data between mobile
device users and the enterprise at the back end is effectively solved by use of VPN technology. With
the advent of convenient, acceptable-performance mobile VPN technology rapidly cresting the
horizon, it therefore might appear that satisfactory protection for corporate connectivity is at hand.
This is a false perception.
The manner in which all current mobile device operating systems implement network support for VPN
connectivity has a gaping security hole in it. This hole is a feature often referred to as ‘split
tunneling’. This feature of mobile devices neglects to perform a function deemed essential to the
default functioning of their larger computer cousins – routing all network traffic to the created VPN
tunnel unless explicitly instructed otherwise, through overrides to configuration defaults. In order to
address this specific problem, enterprise implementers must be able to alter the configured
functionality of the mobile device OS, until such time as device OS vendors begin incorporating better
enterprise-level security tools into their systems. While problematic but conceivable for open source
systems such as Google’s Android OS, only a cooperative vendor can mitigate this risk with their
proprietary operating systems, such as Apple, Microsoft, and Research In Motion (RIM).
3.2.1.3 Misdirection and Brute Force
Perhaps the conceptually simplest group of protective access models involves both active and passive
techniques for hiding in plain sight and for manual inspection and validation. Often clustered together
under the banners of firewalling and intrusion detection these techniques involve brute-force
processing of flowing data, occasionally requiring collaboration from endpoint systems and software.
For instance, while firewalling is largely about restricting the flow of data based on one or more
elements of network addressing, many network services (such as email, web servers, and VPNs) allow
the system administrator to modify a key component of addressing – the logical access port. While
requiring configurations changes at the enterprise back-end as well as on the users’ endpoint devices,
this misdirection can be exploited to provide a degree of camouflage to services provided for remote
access. In recent years this capability has become ubiquitous and can be found in many home wireless
technologies. On the ‘down side’, support for port reassignment on mobile devices is limited to
individual application-specific implementation. On the ‘up side’, app-level support for port
reassignment is prominent enough that it remains a useful tool for evolving enterprise environments.
Strictly the providence of back-end infrastructure, manual inspection and validation of moving data
presents an interesting conundrum for enterprise security. While malware and intrusion detection
systems based on this principle can prove to be extremely effective, they are not only costly, but also
may be defeated by some of the very-same tools used with the intent of protecting the enterprise.
After all, you cannot detect and protect against threats you cannot see, and SSL, TLS, VPNs, and other
encryption-based technologies can prevent brute-force data traffic inspection tools from ever seeing
the threat. The thoughtful enterprise administrator may mitigate this failing by employing malware
and threat detection tools on their deployed desktop, laptop, and server systems, but comparable
technologies for mobile devices are still in their infancy and provide little, if any, real protection.
3.2.2 Usage Models
While there are many variations of usage models for systems and data, when discussing the paradigm
shift in enterprise security being caused by advances in mobile device technology, only two broadbrush usage models are pertinent: securely accessing data and securely storing data. Although valid
arguments can be made for the use of application-level security models for mildly sensitive data, the
corresponding overhead involved in providing secondary protections and tracking user-specific access
contexts quickly becomes unmanageable. For this reason, these two usage models are discussed as
systemic models applicable to enterprise security, rather than application level models. Stemming in
large part from the lack of sufficient security-focused functionality available from mobile device
operating systems, addressing these two areas of concern is often perceived to be either prohibitively
146
costly or completely out of reach.
Continuing to avoid straying into a lengthy discussion of the inherent risks in using existing computer
encryption techniques, it should be duly noted that issues regarding the ultimate failings of modern
computer encryption implicitly complicates any discussion of how to protect data while in use and at
rest. However, modern encryption tools can invariably slow attackers down and should therefore be
utilized wherever and whenever available.
3.2.2.1 Data at Rest
Obviously there is a need to protect valuable enterprise data intended for local storage on a mobile
device. Even when available, because not all mobile device operating systems provide native support
for file encryption, provision for encryption of stored data is generally difficult to access and may
interfere with application functionality, device performance, and data portability. Also, when
implemented, effective enterprise employment of this capability can be impeded by those
manufacturers desiring to ‘protect the user experience’ by allowing dangerous manual overrides.
Further compounding the risk, should the security posture of the mobile device operating system
become compromised, enterprise-sensitive security keys could be revealed to malicious parties.
Make no mistake, if a device is lost or stolen then the information on it could eventually be seen by
undesirable viewers. Only through use of the most current and strongest encryption systems can this
eventuality be delayed.
3.2.2.2 Data in Use
Probably the most serious inherent threat to the enterprise security posture of a mobile device
operating system that has unfiltered, unprotected access to the internet is that the operating system
may become unknowingly compromised through ‘drive by’ attacks from websites, side-channel
exploitations, or malicious attachments to non-enterprise email messages. Although most mobile
device operating systems provide a system-enforced isolation between running applications, once the
OS is compromised this protection is easily circumvented by malware. Malicious tools such as keyloggers, screen-grabbers, and memory scrapers are then employed to acquire seemingly protected
enterprise data. Thus providing some form of enterprise-level protection to the mobile device
operating system from internet-based attack becomes a critical element of ensuring protection of data
in use, a logical association necessitated specifically by the advent of mobile device technology.
4. ENHANCING PROACTIVE DEFENSE AND EVIDENTIARY DISCOVERY
In the evolving universe of cyberspace, counterattack is not an option – it is illegal. This leaves
mitigation (proactive defense) and forensics (evidentiary discovery) as the primary weapons for
protecting enterprise security. Without adequate enabling enterprise-centric tools, effective enterprise
security is nearly impossible. Comprehensively unaddressed until recently, strategies and tools for
effectively protecting the enterprise while enabling seeming unrestricted use of mobile technology is
finally beginning to emerge. This section will discuss several of the most promising of these
advancements and provide practical examples for deployment and use in the enterprise environment.
Incorporating device-level technologies, back-end control tools and techniques, and supplemental
enhancing services, these innovations present realistic solutions that are available to the enterprise
security administrator right now.
4.1 Device Ownership
The core principle behind many, sometimes draconian, enterprise security policies is a simple one: “If
we don’t own it, we can’t trust it”. Therein lays the riddle… how to take ownership of a user’s mobile
device without argument, anxiety, and legal malediction? Although the obvious simple solution is to
provide a separate enterprise-use device, another viable answer is to manage perceptions so that
enterprise ‘assimilation’ of a personal device is perceived to be of benefit to the user. New
technologies are emerging which allow this assimilation at little or no additional cost to the enterprise,
147
which can provide their users with a variety of services including:

Automated secure backup of all device data
o Including assurance of secure and private handling of personal assets.

An unfettered ‘sandbox’ for personal use
o With less restrictive protections still available from corporate firewalls and
filters

One device supporting personal and business phone numbers
o Shared number or unique7

Access to all the tools and resources they have been begging for
o Online files, intranet, collaboration tools, search engines, video and
teleconferencing, etc.

Company-paid phone service8
o Much less expensive than many people think, competitive with existing phone
systems

Eliminate phone-carrier bloat-ware on the phones
o Only enterprise-vetted apps are allowed in the device’s protected enterprise
section
It should be stressed that there already exist practical, cost-effective, secure options for providing these
benefits to mobile device users who need access to enterprise attachments and resources. Central to all
of them is the need to address security limitations imposed by the device operating system. This is
why the enterprise must own the device. The cornerstone of any effective mobile device enabled
enterprise security architecture is the ability to rely on the security posture of the endpoint device. A
key component for one such solution is available today for free, courtesy of the NSA. As of January
2012, the NSA has made available a Security Enhanced (SE) version of the Android operating system9
for open use, and is planning widespread adoption within the agency itself10. This phone operating
system even boasts support from a comprehensive security compliance monitoring and management
tool. The resulting OS-level improvement in encryption, security policy enforcement, compromise
detection, and overall device control represents a solution for the problem upon which all other
significant resolutions depend.
That was the good news. The bad news is that, at present, each of the remaining primary non-Android
device OS providers cannot, or explicitly will not, currently support many or all of these requirements.
For this reason, the majority of solutions possible today are Android-centric. Within the remainder of
this Device Ownership discussion, unless otherwise explicitly noted, the solutions referenced should
be considered specific to the Android universe for this reason.
7
There are several options including VoIP clients such as Skype and OoVoo, or number consolidation platforms like Ribbit,
Phonebooth, and GoogleVoice.
8
Gray, Benjamin; Kane, Christian (2011), “10 Lessons Learned From Early Adopters Of Mobile Device management
Solutions”, Forrester Research, Inc., Cambridge, MA
9
Naraine, Ryan (2012), “NSA releases security-enhanced Android OS”, http://www.zdnet.com/blog/security/nsa-releasessecurity-enhanced-android-os/10108, 29-JAN-2012
10
Hoover, Nicholas (2012), “National Security Agency Plans Smartphone Adoption”,
http://www.informationweek.com/news/government/mobile/232600238, 05-FEB-2012
148
4.1.1.1 Mobile Device Management (MDM) and Mobile Risk Management (MRM)
The core of any device’s enhanced forensic potential, regardless of OS, will center on the availability
of more comprehensive monitoring and tracking capabilities both inside the device and at the back
end. For this reason available management tools should be closely scrutinized before an enterprise
decides on which vendor’s product will be selected to provide this capability.
Although still somewhat lacking in effective security control features, because of various OS
limitations, several MDM vendors are rumored to already be implementing support for the NSA’s SE
Android OS11. Until these products begin to appear, one MRM solution provider, Fixmo12, already
offers support for an OS-integrated monitoring and management solution comprehensive enough to
have been deemed acceptable for Sensitive But Unclassified (SBU) use with DoD resources. Among
this solution’s features are the ability to monitor, track, and control various device characteristics,
provide enhanced app security controls, sandboxing, FIPS-certified cryptography, control device
resources (camera, radios, etc.), and handle overall device security policy management, compliance
monitoring, and control. This product also provides comparable capabilities, where possible, for
Apple iOS, and RIM Blackberry as well as integrated features supporting Good Technology secure
enterprise email apps. It should be noted that several other vendors, such as 3LM, BoxTone, and
AirWatch, have voiced plans to improve their support for enterprise security in ways which would
provide comparable functionality, but in most cases delivery dates have not yet been specified.
4.1.1.2 Mandatory Boot-Time Captive Tunnel (A Truly Secure VPN)
Just as MDM/MRM capabilities are at the core of a device’s forensic potential, a ‘mandatory VPN’ is
at the center of any manageable device protection solution. The reason for this is straightforward; if
the device must connect to the enterprise VPN before it can touch the internet, then all of the
enterprise’s existing investment in network-level infrastructure protections can be brought to bear to
protect browsing, email, and other network communications without unduly jeopardizing the existing
enterprise security posture. In this way the enterprise can also monitor and control access to apps,
weather through redirection to an enterprise-run ‘app store’, monitoring of installable apps as content,
or outright blocking of access to non-enterprise app resources. While this capability is not currently
supported or allowed by any major cellular carrier, there is a way around them. This leads us to the
discussion of the Mobile Virtual Network Operator…
4.1.1.3 Mobile Virtual Network Operator (MVNO) Hosting
Although possessing a secure device operating system and the management tools to control it are
critical, they are of no value if the enterprise administrator cannot use them on a device. Since
existing cellular carriers currently do not support enterprise customization of the device OS in the
manner needed to support these needs, a way must be identified for obtaining affordable service for
enterprise devices which does permit use of an enterprise-customized OS. This is where the concept
of an MVNO becomes important, and the distinction for the enterprise between ‘owning’ the MVNO
and having it ‘hosted’.
The simplest way to understand what an MVNO is and why it is important would be to think of them
as a mobile communications carrier who does not actually own any cellular towers. Instead, an
MVNO purchases bandwidth from other carriers at a discount and resells it under their own brand.
Cricket Wireless is an example of an MVNO. Realizing the potential value of supporting enterprise
infrastructure with this technology, companies such as CDS Telecommunications of Ashburn
Virginia13 have begun packaging hosted services tailored toward providing this secure architectural
solution to the market. By enabling the enterprise itself to act as a cellular service provider with
11
Project website: http://selinuxproject.org/page/SEAndroid
Company website: http://www.fixmo.com/
13
Corporate website: http://www.CDSTelecom.com
12
149
competitive rates, the MVNO solution gives the enterprise the ability to lock their mobile operating
system and device management infrastructure into the ‘subscribing’ device – controlling all aspects of
data flow, call monitoring, security, and even application availability and installation. By using a
hosted source of their MVNO activity, the enterprise gains the advantages of high bandwidth
utilization from the primary carrier, resulting in lower overall rates for connectivity. Also, rather than
needing to customize the Android OS themselves, or purchase MDM/MRM licenses in limited
volumes, the MVNO host would bear the burden of providing and maintaining the modified OS and
passing through high volume licensing and sublicensing discounts for the preferred management tools.
4.2 Application Management
Having established the preferred infrastructure necessary to support Device Ownership, it is now
appropriate do discuss a variety of enhanced Application Management capabilities which can allow
the enterprise to further protect itself from malicious or risky device software (a.k.a. apps) without the
need for burdensome resource allocations. By exploiting the various app and resource monitoring
capabilities made possible through a comprehensive MRM solution, not only does on-device
enforcement of user and app compliance with enterprise security policies becomes possible, but the
ability to collect and monitor more comprehensive data for forensic use at the back-end is also
enhanced.
4.2.1 Vetting
The most monumental conundrum accompanying the introduction of mobile device support into any
enterprise ecosystem is how to establish weather apps abide with the enterprise security posture before
they are installed and without unduly impeding the user’s access. With over 400,000 apps available
directly through Google’s Android Market and over half a million currently available in the Apple
App Store14, and annual growth expected to be counted for both in the hundreds of thousands this year,
keeping pace with the need to establish the acceptability of desirable apps has already far exceeded the
reasonable limit for manual inspection. Further, since an overwhelming number of these apps
unnecessarily or inappropriately demand access to resources, both on-device and off, that the
enterprise would rather restrict, the already difficult management task can seem intimidating in its
vastness. As luck would have it, there already exist a few time and cost effective solutions for
mitigating theses difficulties, and many vendors are promising that more are in the works.
4.2.1.1. Eyes-On
Although still an imperfect solution, nothing beats eyes-on inspection of source code performed by a
well-trained vulnerability analyst when evaluating an application for safety and security. However,
being somewhat time-consuming and labor intensive, this method of vetting software for enterprise
use quickly becomes cost-prohibitive for any small enterprise environment. Even for a large and wellfunded security team, utilizing eyes-on inspection would be viable only for the most highly suspect
mobile applications whose functionality was deemed essential. Third party organizations exist, such
as VeriSign’s iDefense team, which can be contracted to provide some of the industry’s best talent for
this purpose, but this type of service comes at a high dollar cost and, as such, is likely only to be
employed by very large enterprises and MVNO Hosting services.
4.2.1.2 Automation
The field of apps available for mobile devices is already tremendous and is expanding with increasing
rapidity. Only an automated evaluation system can be expected to effectively handle the constant
onslaught, not to mention the backlog, of available mobile device apps. An obvious solution, almost
no effort has been expended in this area to-date. The key word here is ‘almost’. In a February 2012
14
Fitchard, Kevin, (2012), “Android development speeds up: Market tops 400,000 apps”,
http://www.abiresearch.com/press/3799Android+Overtakes+Apple+with+44%25+Worldwide+Share+of+Mobile+App+Downloads, 20-JAN-2012
150
article15, CNN reported that Professor Angelos Stavrou of George mason University has designed such
an automated vetting system for the US Government, and it has already churned through over 200,000
of the apps in the Android backlog over the past few months. Kryptowire, a company formed early in
2011 by Professor Stavrou, is preparing to launch a version of this tool for public use sometime in the
first half of 2012, as well as some eyes-on vetting services.
4.2.2 Access Control
In the world of mobile devices, the term ‘access control’ (AC) has three connotations. The obvious
and most common understanding of the term refers to the ability to moderate access to the
functionality of the device itself, for example - by setting a device password for all activity other than
answering an incoming call. Additionally, this term refers to the ability to control the permissions
which each app installed on the device receives for accessing device resources, such as a camera, local
storage, radios, and audio I/O resources. Lastly, AC refers to the ability to regulate the manner in
which the device and its apps connect with Internet resources. It is this last area which is most
problematic when attempting to define a secure enterprise usage model, in part due to previously
discussed Secure VPN concerns. In all of these areas, appropriate on-device (in the OS and the apps)
and back-end logging of historical data is imperative to support enterprise forensic needs.
4.2.2.1 Logging On
Perhaps the only area of mobile device security which has been addressed to an adequate degree by
existing technology regards device-level access controls. Although there is certainly room for
improvement, multiple technologies providing user authentication are available which offer features
including:

Remote-controlled access revocation

Password retry limits

Password complexity

Password aging

External credentials (CAC/PIV)

Check-in timers requiring periodic back-end connection
to name a few. In most cases, these solutions provide both on-device and back-end monitoring and
management capabilities which are even adequate for use in highly sensitive environments.
4.2.2.2 Device Resources
Of all the mobile device manufacturers participating in today’s marketplace, Apple stands out as the
singularly worst prepared for enterprise use when considering the ability to mandate access controls
from the back-end. Although a limited degree of control is possible through the use of their access
policy mechanism, the device user has the ability to ignore policies without detection. More thorough
controls are available for the three other major players, RIM (Blackberry), Google (Android), and
Microsoft (WinMobile). However, additional controls are still necessary. For example, the ability for
an enterprise to require high-level encryption for stored data, restrict or allow specific Bluetooth
devices, and to control access to the device microphone, camera, and GPS on an app-specific basis is
only available to a limited degree. The previously mentioned MDR solution from Fixmo is, arguably,
the best example of an existing product which addresses this need, pushing available controls to their
limit regarding each of the four primary device OS manufacturers. It is also worth noting that in late
15
Milian, Mark (2012), “U.S. government, military to get secure Android phones”,
http://www.cnn.com/2012/02/03/tech/mobile/government-android-phones/index.html, 03-FEB-2012
151
2011 Dell announced a secure version of its Streak device which was secure enough to be deemed
acceptable for some uses within the DoD.
4.2.2.3 Network Virtualization Facts and Fallacies
With regard to access control, the question how to safely provide enterprise users with the ability to
access the back-end network infrastructure may be the most misunderstood. Earlier in this work the
need to ‘own’ the device OS was discussed. Nowhere is the justification for this requirement clearer
than with regard to implementing mobile device access strategies for virtual private network
connectivity. The defining logic is simple, if an attacker has a path to the OS that does not force data
to travel through ‘industrial strength’ protection systems then the device’s integrity cannot be
guaranteed. If the device’s integrity is in question, then the security provided by the VPN must also be
suspect. As described previously, utilizing a MVNO architecture mitigates the problem of device
trustworthiness. Without such an architecture, no aspect of VPN authentication from a mobile device
can be considered safe from compromise.
5. CONCLUSION
The introduction of mobile device technology into enterprises creates a multitude of new problems for
security professionals. What were once simple voice communication tools are now powerful
multifaceted devices offering a multitude of ever increasing capabilities with an ever broadening
spectrum of potential points of compromise. These new tools have redefined the very framework
upon which modern work environments are being built. This metamorphosis has resulted in the
introduction of powerful technological changes which represent a considerable shift in the overall
security posture of the mobile phone, a potential nightmare for any organization concerned with
information security. In short, the exploding popularity of smartphone technology has greatly
outpaced the ability of many enterprises to update their security infrastructure.
Emerging technology is rapidly making its way to market which greatly enhances the enterprise
security posture and provides data monitoring and collection capability to enhance management
activity and proactively support potential forensic needs. Affordable commercial solutions, which
provide Government and Military grade protections, are emerging in today’s marketplace which
greatly enhance the ability of businesses, small and large, to achieve an acceptable security posture
supporting integrated use of mobile device resources.
6. ACKNOWLEDGEMENTS
Technology inputs from Professor Angelos Stavrou (George Mason University), Mr. Rick Segal
(Fixmo), and Dr. Mark Gaborik (DoD) are gratefully acknowledged as contributing factors to this
work.
7. AUTHOR BIOGRAPHY
A subject matter expert at SNVC LC, Andrew Scholnick is a cyber security professional with over 30
years experience in the field. In his most recent position as a technical team leader for the US Army,
he guided the efforts of vendor, DoD, and government contributors through the integration of
technologies which resulted in DoD approval for the first off-the-shelf Android smartphone solution
allowed for Army use. He has previously headed the VeriSign iDefense Vulnerability Analysis Lab
and was one of the principle technology innovators who securely connected AOL to the internet.
8. REFERENCES
Fei, Liang, (2012), “Mobile app market set for increased growth”,
http://www.globaltimes.cn/NEWS/tabid/99/ID/692610/Mobile-app-market-set-for-increased-growthGartner.aspx, 29-JAN-2012
152
Fitchard, Kevin, (2012), “Android development speeds up: Market tops 400,000 apps”,
http://www.abiresearch.com/press/3799Android+Overtakes+Apple+with+44%25+Worldwide+Share+of+Mobile+App+Downloads, 20-JAN2012
Gallagher, Sean (2012), “Why the next ‘ObamaBerry’ might run Android or iOS”,
http://arstechnica.com/business/news/2011/11/will-the-next-obamaberry-be-a-nexus-or-an-ipad.ars,
28-JAN-2012
Gray, Benjamin; Kane, Christian (2011), “10 Lessons Learned From Early Adopters Of Mobile
Device management Solutions”, Forrester Research, Inc., Cambridge, MA
Hoover, Nicholas (2012), “National Security Agency Plans Smartphone
http://www.informationweek.com/news/government/mobile/232600238, 05-FEB-2012
Adoption”,
Milian, Mark (2012), “U.S. government, military to get secure Android phones”,
http://www.cnn.com/2012/02/03/tech/mobile/government-android-phones/index.html , 03-FEB-2012
Naraine,
Ryan
(2012),
“NSA
releases
security-enhanced
Android
http://www.zdnet.com/blog/security/nsa-releases-security-enhanced-android-os/10108
OS”,
Purewal, Sarah Jacobsson (2012), “Nvidia Quad Core Mobile Processors Coming in August”,
http://www.pcworld.com/article/219768/nvidia_quad_core_mobile_processors_coming_in_august.ht
ml, 30-JAN-2012
Quirolgico, Steve, Voas, Jeffrey and Kuhn, Rick (2011), “Vetting Mobile Apps”, Published by the
IEEE Computer Society, JUL/AUG 2011
Simple Security (2012), “Mobile security market in for exponential growth”,
http://www.simplysecurity.com/2011/09/30/mobile-security-market-in-for-exponential-growth/, 31JAN-2012
Thierer, Adam (2012), ‘Prophecies of Doom & the Politics of Fear in Cybersecurity Debates’,
http://techliberation.com/2011/08/08/prophecies-of-doom-the-politics-of-fear-in-cybersecuritydebates/, 28-JAN-2012
153
154
A CASE STUDY OF THE CHALLENGES OF CYBER
FORENSICS ANALYSIS OF DIGITAL EVIDENCE IN A
CHILD PORNOGRAPHY TRIAL.
Richard Boddington
School of IT
Murdoch University
Perth, WA 6150
Australia.
[email protected]
Tel: +61 893602801. Fax: +61 89360 2941.
ABSTRACT
Perfunctory case analysis, lack of evidence validation, and an inability or unwillingness to present
understandable analysis reports adversely affect the outcome course of legal trials reliant on digital
evidence. These issues have serious consequences for defendants facing heavy penalties or
imprisonment yet expect their defence counsel to have clear understanding of the evidence. Poorly
reasoned, validated and presented digital evidence can result in conviction of the innocent as well as
acquittal of the guilty. A possession of child pornography Case Study highlights the issues that appear
to plague case analysis and presentation of digital evidence relied on in these odious crimes; crimes
increasingly consuming the time, resources and expertise of law enforcement and the legal fraternity.
The necessity to raise the standard and formalise examinations of digital evidence used in child
pornography seems timely. The case study shows how structured analysis and presentation processes
can enhance examinations. The case study emphasises the urgency to integrate vigorous validation
processes into cyber forensics examinations to meet acceptable standard of cyber forensics
examinations. The processes proposed in this Case Study enhance clarity in case management and
ensure digital evidence is correctly analysed, contextualised and validated. This will benefit the
examiner preparing the case evidence and help legal teams better understand the technical
complexities involved.
Keywords: Digital evidence, evidence analysis, evidence validation, presentation of evidence, digital
evidence standards.
1. INTRODUCTION
Because the legal fraternity generally understands little about computer science, the potential for
miscarriages of justice are great. The cyber forensics community sometimes exploits this situation and
obfuscates the environment by focusing on issues such as preserving, collecting, and presenting digital
evidence with evidence validation under-stated or ignored (Caloyannides, 2003). Ultimately, juries
must evaluate the evidence and if they misread or misunderstand it because of inadequate forensics
analysis and presentation, and faulty validation processes, unreliable decision as to the guilt of those
accused are inevitable. The disappearance of baby Azaria Chamberlain at Ayres Rock more than thirty
years ago and subsequent coronial inquests, a court case featuring controversial forensics evidence,
and the subsequent Royal Commission into her sad death, resulted in a fundamental reconsideration of
forensic practices in Australia (Carrick, 2010). Digital evidence may on occasions, also be failing to
meet the same high standards expected of more established forensics regimes.
Criminal trials relying on digital evidence are increasingly common and regrettably, trials where
innocents are convicted are not rare (George, 2004; Lemos, 2008). Defendants are pleading guilty
based on what appears to be overwhelming hearsay evidence, mainly digital evidence without robust
defence rebuttal. Reasons for this may be the evidence is compelling, the defendant may have limited
155
financial resources, the defence lawyers misread the evidence, plea-bargaining offers lesser sentences,
etc. Various factors can affect the validity of the evidence, including failure of the prosecution or a
plaintiff to report exculpatory data, evidence taken out of context and misinterpreted, failure to
identify relevant evidence, system and application processing errors, and so forth (Cohen, 2006;
Palmer, 2002).
Since 2008, the author has provided expert analysis of digital evidence to defence criminal lawyers in
Western Australian. This involved re-examination and validation of digital evidence presented in state
and federal law enforcement cases. A number of defendants were able to convince the jury of their
innocence, partly with the assistance of the author’s re-examination and testing of the digital evidence.
The selected Case Study, a possession of child pornography, highlights the incomplete and incorrect
analysis common in cyber forensics analysis of child pornography cases in Western Australia.
According to the Australian Federal Police, possession of and trafficking in child pornography cases
are more frequent in Australia with a 30% increase arrests for child pornography offences in 2011
compared with 2010 (Sydney Morning Post, 2012). Child pornography cases are technically complex
and require analysis of evidence that supports claims of criminal intent including knowledge and
control of offensive materials. Locating evidence that proves more than simple possession of the
materials requires skill and expertise in presenting evidence to prove deliberate actions by suspects.
Linking the user to the crime may happen too quickly on some occasions without sound validation of
the evidence.
Officers who undertake these important but tedious tasks may well be under-resourced, over-burdened
with complex cases, sometimes made more difficult by inexperienced analysts and communicators.
There is some anecdotal evidence suggesting that these prosecutions are in response to political
lobbies determined to eradicate any form of immoral cyber behaviour through draconian, resultoriented legislation. The inherent problem with such an approach is too much pressure on examiners
who put at risk the innocent inadvertently caught up in criminal investigations. These problems are not
unique to Western Australia and the Case Study is not intended to criticise law enforcement agencies.
What it attempts is to identify some common problems affecting their forensics examinations and
suggests enhancements to improve outcomes. What is evident to the author, and his fellow workers in
the field, are two related problems, 1) faulty case management through inadequate analysis and
presentations of the digital evidence, and 2) incomplete and incorrect validation of the digital
evidence. The Case Study highlights typical problems, identifies best standards, and offers processes
to achieve outcomes that are more acceptable and helpful to the examiners and legal practitioners.
2. INTRODUCTION TO THE CASE
The case selected is the State of Western Australia versus Buchanan (2009) on a charge of possession
of child pornography, an indictable offence usually resulting in imprisonment on conviction in the
jurisdiction. The defendant’s computer was seized and he was charged with possession of offensive
photographs and movies contrary to the Western Australian Criminal Code Section 321. The offence
of possession is contingent on the images being of an offensive nature of a person under sixteen years,
purporting to be, or depicting a person under the statutory age. Mere possession is not sufficient to
convict under the legislation and some degree of knowledge, control of the offensive material, and
criminal intent has to be proven by the prosecution. Nevertheless, in reality, it is a reversal of the
presumption of innocence and possession carries more weight than perhaps it should. On occasion,
disproportionate onus is placed on a defendant to explain away incriminating digital evidence that is
sometimes indiscriminate in signifying blame. It is easy to overlook the gap between possession and
possession with criminal intent. Ownership or possession of a computer is tantamount to criminal guilt
in some mindsets, yet it ignores the requirement to link a specific computer user with the evidence.
A number of computers were seized and examined and a perfunctory analysis report was produced
describing the digital evidence clearly of an offensive nature located on one of the computers. The
156
defence team was instructed by the defendant to analyse the digital evidence and seek a better
understanding of the nature of the prosecution’s evidence and to develop a possible defence strategy.
During the re-examination of the forensic image, exculpatory digital evidence exhibits were identified
and tendered at the trial. This new evidence and demonstrations of the unreliability of some existing
evidence, challenged some key prosecution assertions and contributed to the defendant’s swift
acquittal by the jury.
3. PROBLEMS OF ANALYSIS AND PRESENTATION
Forensics examiners overlooking or mis-reading evidence, and worse still, resorting to ‘cherrypicking’ when choosing or omitting evidence to gain legal advantage, is a common phenomenon of the
digital domain (Berk, 1983: Flushe, 2001; Koehler & Thompson, 2006). Moreover, bias, examiner
inexperience and pressures to process cases with limited time resources can also explain the
phenomenon. The reasoning used in the analysis may be faulty, lacking any safeguards to ensure
complete and thorough analysis occurs. If abductive reasoning was used in the case presented for
study, and it probably was as it is commonly used in such circumstances, then it seems to have been
done poorly.
Abductive reasoning is inferential reasoning based on a set of accepted facts from which infers the
most likely explanation for them and is most commonly used in legal proceedings (Australian Law
Dictionary, 2012). In contrast, deductive reasoning abstracts directly from data while inductive
reasoning is based on but extrapolates partially beyond data. Abductive reasoning extrapolates
inductive reasoning even further (Walton, 2004, p. 13). Abductive reasoning is used to develop
plausible hypotheses and evaluate candidate hypotheses to seek the best explanation based on a
preponderance of supporting facts (Walton, 2004, pp. 22, 174). Walton (2004, pp. 1, 4, 20 and 33)
asserts that logic is expected to be exact whereas abduction is inexact, uncertain, tentative, fallible,
conjectural, variable and presumptive, labelling it as, ". . . the judgment of likelihood". Abductive
reasoning draws its conclusions from incomplete evidence; a guess but an, ". . . intelligent guess. . ."
according to Walton (2004. pp. 3, 215).
Abductive reasoning involves a series of questions and answers and eliciting and ultimately evaluating
competing explanations that emerge from the process (Walton, 2003, p. 32). Such legal debate and
opinion of the hypotheses are passed to the jury for their consideration but of concern is the likelihood
that incorrect and incomplete reasoning, abductive or otherwise, of technically complex digital
evidence, hardly serves the course of justice. Certainly, no questioning or answering process was
shared with the defence team involved in the Case Study, and guesswork seemed banal not intelligent.
Cases relying on digital evidence are often complex and involve various groups of related and
unrelated evidence that make up the various threads of evidence that form part of the rope of evidence.
The problem confronting the examiner is locating and selecting the evidence which requires careful,
unbiased reasoning. Each thread complements the whole but often important threads are subject to
misinterpretation or are overlooked. Pulling the threads a together then requires validation to check
and test the evidence. That accomplished, the evidence must be presented in an easily understood form
which defines the evidence, explains its relevance and evidentiary strength, and includes potential
rebuttal based on validation and other issues that may challenge the claim.
4. ANALYSIS AND PRESENTATION ISSUES IN THE CASE STUDY
Subjective assumptions, evidently based on a perfunctory understanding of the evidence, with no
attempt to ensure its completeness and correctness in the Case Study were also common to other child
pornography case examined by the author, even though the innocence of those defendants was less
clear than in the Case Study.
The prosecution analyst’s original analysis report provided no narrative on the groups of catalogued
evidence or the relationship between them or their combined contribution to the criminal charge. The
157
report lacked complete contextualisation to help the legal teams and defendant understand the
significance of the evidence. No timeline, no storyboard, and no detailed explanation of the
significance of the exhibits were provided. The prosecution analyst’s lack of reliable case analysis, an
absence of evidence validation, and confusing analysis presentation was problematic for the defence
lawyers. The prosecution lawyer seemed to misunderstand the digital evidence based on weak crossexamination of the defence expert.
Expedient use of the evidence selected by the prosecution analyst, combined with questionable
inferences about the probity of the evidence, suggested a disregard about the defendants’ presumed
innocence in the selected case. The charge of possession with intent, hinged on the defendant’s
ownership and exclusive access to the computer. No explicit evidence was offered to support the truth
of the contention nor was any attempt made to show others had access of the computer. Offensive
pictures and video files and access to child pornography websites was offered as prima facie evidence
of guilt, presumably based on abductive reasoning. Whatever reasoning was used to determine the
merit of the cases from a prosecution perspective, it appeared cursory and little thought given to the
possibility of any alternative hypotheses. The power of the ‘smoking gun’ alone was enough to lay
charges.
Exculpatory digital evidence recovered from extant and carved files, earlier identified but disregarded
by the prosecution analyst’s seemingly Procrustean disposition as “being irrelevant”, suggested that
the defendant was not the only suspect, nor the most obvious one. This evidence was not catalogued,
nor was it voluntarily shared with the defence team, yet its existence was acknowledged prior to the
trial and during cross-examination of the prosecution analyst. It is common for the re-examination of
the evidence in these cases, to identify extra incriminating evidence as well providing helpful analysis
presentation that sometime benefits the prosecution at monetary cost to the defendant and
disadvantage to the defence strategy. It seems unjust that defence analysts are required to complete
and improve the case evidence because of the shoddy work of the prosecution. In this case vital
exculpatory evidence was recovered and inculpatory evidence was challenged.
Although unlikely to face the same charge as the defendant, or for perjuring themselves during their
testimony, others were the likely culprits. Other witness testimony further implicated one or more of
these persons who were tenants in the defendant’s home at the time of the offence. Why the defendant
was charged and not others, when available evidence contradicted the evidence of two of the
prosecution witnesses, remains puzzling to the author. This was an exceptional case and even the
prosecutor intimated its likely collapse but the judge directed the proceedings continue and allow the
jury the final decision.
In this and other cases, the problem seems that the forensics examiners provide statements of evidence
selection but no explanation why exhibits were selected in terms of their relevance and significance to
the cases. Nonetheless, examiners should possess the experience and expertise to state the relevance of
the evidence and its relationship to other evidence in the case. It seems this task is for the legal teams
to elicit through various means; hardly efficacious case management. This raises problems of evidence
reliability; notably its accuracy, authenticity, corroboration, consistency, relevance, etc. From this
morass, some formal process is required to convey the gist of the examiner’s analysis and conclusions.
5. POTENTIAL SOLUTIONS TO ANALYSIS AND PRESENTATION ISSUES IN THE CASE
STUDY
Inman and Rudin (2001) state, “Before the criminalist ever picks up a magnifying glass, pipette or
chemical reagent, he must have an idea of where he is headed; he must define a question that science
can answer”, neatly defining a basic cyber forensics case management problem. According to Pollitt
(2008), this places the forensics examiner in a quandary who must have a sound understanding of
defining investigative or legal questions and be able to convert them into scientific questions. Pollitt
(2008) stresses the importance of first defining the legal and investigative questions before defining
158
the digital forensic (scientific) questions. If that advice were heeded in the Case Study, the
prosecution analyst would have benefited from more direction from the outset of the examination and
probably be more inclined to use more reliable logic in assembling the case. Assuming sound
scientific logic is applied during analysis, presenting the evidence requires some dedicated thought.
Yet there are various simple, effective processes such as Toulmin’s model, discussed below that can
help organise analysis and presentation of digital evidence.
Toulmin's model based on his theory of The Layout of Argumentation (1958) has been used to
construct arguments at various stages of litigation and works for legal argument because of its
accuracy, flexibility, and effectiveness, according to Saunders (1994, p. 169). Toulmin (1958, p. 7)
was concerned that sound claims should be based on solid grounds and backed with firmness to
support claims used in arguments. The model accommodates lawyers’ reliance on precedential and
statutory authority and incorporates the elements inference and uncertainty in judicial reasoning and
decision-making (Saunders, 1994, p. 169). Most importantly it includes in the argument the element of
rebuttal; anticipating refutation of counter arguments by lawyers. The same process is just as relevant
to the forensics examiner.
Toulmin (1958) asserted that formal rules of logic were incompatible with common practices of
argument as a means of critiquing and analysing public argument and has been used by lawyers to
understand the constraints in legal cases when defining reasonableness standards. Toulmin’s theory
(1958) defines six aspects of argument common to any type of argument as described below and
illustrated in Figure 1:
Data (Object) is the evidence, facts, data and information for the claim. It establishes the basis of
the argument. Data can be grounded in anecdotal evidence and a specific instance can provide the
basis for the argument. Data can be human testimony or grounded in statistical data.
Warrant is the component of the argument that establishes the logical connection or reasoning
process between the Data and the Claim:
-
Authoritative warrants rely on expert testimony offering conclusions about the Data to support
the Claim.
Motivational Warrants rely on appeals to the audience offering conviction, virtues and values
to support the claim.
Substantive warrants more closely resemble traditional forms of logical reasoning, including
Cause-Effect/Effect-Cause, and generalisation based on example and classification.
Claim is the point of an argument and represents the conclusion advocated by the arguer based on
the Data linked to the Warrant.
Backing is the material that supports the Warrant and explains the reasoning used in the Warrant.
Backing adds credibility to an argument; without it the arguments seems lacking:
-
-
Statistical Backing relies on numbers to quantify information but can create an allusion of
truth.
Example Backing are concrete instances that illustrate the Warrant and provide a real world
view but caution is required when using generalised examples that may not be true in a given
argument.
Testimony Backing is based on expert opinion and personal experience which adds credibility
to the argument.
Qualifier represents the soundness, the strength and worthiness of an argument.
Reservation (Rebuttal) is an exception to the claim made by the arguer as arguments may not be
universally true.
159
Figure 1. Toulmin’s Model of Argumentation (Toulmin, 1958, p. 105)
The flexibility of Toulmin’s model is that it can be used to take a top down view of the case based on
validation of the combined evidence as well as individual and clusters of related evidence at an
elementary level. The model offers the opportunity to present the evidence (Data), explain the
reasoning for the Claim (Warrant). As highlighted in Toulmin’s example, providing explanation and
credibility in support of the Warrant (Backing) offers some measurement of the claim (Qualifier), and
permits a rebuttal of the Claim (Reservation), all which promote a better understanding of the
argument inherent in the Claim.
The Case Study suggests no consideration was expressed that exculpatory evidence may exist, that the
evidence may not be correct and no validation was undertaken. Toulmin’s model offers the
opportunity to develop templates to ensure that more complete and vigorous examination of the
evidence occurs. If Toulmin’s model is applied to the Case Study, it replaces the disorder with a
thorough, complete and structured perspective of the elements of the charge against the defendant.
Taking an overview of the Case Study, the prosecution claim and the defence rebuttal is illustrated in
Figure 2. The model shows assertions made by the prosecution, such as the defendant had sole access
to the computer based on witness testimony. This appears false, as exculpatory evidence suggested the
witness testimony was dubious based on other digital evidence that was valid and which contradicted
their perjuries.
160
Fig. 2. An overview of the Case Study case using Toulmin’s Model.
The benefit of representing the argument in this format should be evident to the reader. Backing and
for that matter Reservation, can contain expert opinion and statistical research, but both should be
validated. The model allows the examiner to build a simple list of facts from which assertions are
derived and check those against a list of facts that may exist and used in the reservation to test the
original argument. This visual aid encourages rebuttal of the counter claim to complete analysis and
show the lines of reasoning; a simple yet powerful model. The model can be used to show an overview
of the case evidence and broken down into individual evidence exhibits or groups.
Computer events should be checked and tested to avoid ambiguous, inaccurate and irrelevant
outcomes and this can also be represented in the model.
6. VALIDATION PROBLEMS
The International Standards ISO/IEC DIS 27037 sets broad guidelines to validate forensics tool and
processes used in the evidence retrieval stages with an expectation that the evidence is what it purports
to be. The Standards Australia International’s Guidelines for the Management of IT evidence: A
handbook (2003) states that, “The objective of this stage of the lifecycle is to persuade decisionmakers (e.g. management, lawyer, judge, etc.) of the validity of the facts and opinion deduced from the
evidence.” The guidelines were intended to assist a range of stakeholders, including investigators and
the legal fraternity, who rely on digital evidence held in electronic records in various legal cases.
These standards are broad but offer no formal validation process of digital evidence per se during the
analysis stage.
Dardick (2010) offers guidance, stressing the need for standards of assurance required and asserts that
digital evidence validation requires a rigorous examination of the quality of evidence available and
proposes a checklist that ensures cases are thoroughly validated through examination of: accuracy,
authenticity, completeness, confidentiality, consistency, possession, relevance and timeliness.
Certainly, digital evidence validation requires more study and research as it underpins a crucial
161
forensic tenet. Defining validation and testing applicable processes that make it useful to examiners
and lawyers seems overdue.
A definition of validation or correctness in the context of cyber forensics may be taken from Sippl &
Sippl (1980, p. 608) as being a relative measure of the quality of being correct, sound, efficient, etc.,
and defining data validity as a relation or measure of validity. Such relations and measures based on
specific examination must rely on tests and checks to verify the reliability of the data, thereby
validating the data or determining a degree of acceptability of the evidence (Sippl & Sippl, 1980, p.
140). The Dictionary of Psychology (2009) defines validation as, “. . . soundness or adequacy of
something or the extent to which it satisfies certain standards or conditions.” The Oxford Dictionary
of English (2005) defines validation as, “. . . The process of establishing the truth, accuracy, or
validity of something. The establishment by empirical means of the validity of a proposition.”
More relevant to digital evidence is a legal definition of validity and soundness of judicial inference
that involves conceptualisation of the actual event described by language for the trial, while abstract
law approaches actuality as it is interpreted for application in the verdict (Azuelos-Atias, 2007).
Consequently, to apply an abstract law to a concrete occurrence, the occurrence is abstracted and the
law is interpreted.
Verification of the evidence involves complete, objective checking of conformity to some well-defined
specification, whereas validation refers to a somewhat subjective assessment of likely suitability in the
intended environment (A Dictionary of Computing, 2008). If the verification and validation of the
existing digital and the extra digital evidence had provided contradictory or ambiguous findings, the
case may not have proceeded to trial because of the weakness of the evidence to link the defendant to
the crime.
According to Cohen (2006), incomplete scrutiny of the available evidence during the validation stage
of the investigative process and failure to validate the evidence at that point is where the investigation
can fail. But what is sometimes missing in cyber forensics is some formal and practical process of
validating evidence to measure the extent to which the evidence is what it purports to be: a simple,
reliable, validation test. The introduction of validation standards and compliance to such standards
should encourage correctness and completeness in cyber forensics analysis. Selecting evidence
relevant to only one party to a case contravenes legal discovery requirements. Failing to validate that
same evidence is unacceptable neglect.
7. VALIDATION ISSUES IN THE CASE STUDY
The prosecution analyst in the Case Study did establish implicit relationships between each exhibit but
failed to describe the relationship in full, meaningful terms and certainly provided no proof of
comprehensive evidence validation. These issues seem to be an inherent deficiency in other child
pornography cases examined by the author.
One argument presented by the prosecution analyst in the Case Study suggested the defendant
installed software to delete browser cookies and history cache files automatically and opined this was
done to conceal browsing for child pornography. The general assumption that computer users install
such software for anti-forensics purposes was based on the expert opinion of the analysts and not
backed with any meaningful statistics which may have been admissible had they been available. It was
guesswork and well outside proper expert opinion. The defendant’s explanation, never sought by the
prosecution, and later examination of the computer confirmed conclusively the software related to a
browser not installed on his computer; the validity of the claim never being tested before being
presented to the jury. Use of such ‘proclivity’ evidence in child pornography trials is always
controversial and on occasions introduced under legislation to bolster prosecution cases. Had it not
been challenged by the defence it is likely that the argument would have been accepted at face value
by the jury. More properly, this evidence should have been debated and rejected as inadmissible in the
absence of the jury based on the outcome of argument between the prosecution analyst and defence
162
expert and not been allowed to influence the jury unnecessarily.
The prosecution analyst argued that the Internet browser was uninstalled just prior to the seizure of the
evidence to conceal wrongdoing but the files were recovered from the Recycler. The prosecution
lawyer made much of the allegation that the defendant had attempted to uninstall the browser based on
the prosecution analyst’s testimony. The matter of whether the browser was uninstalled or deleted was
patently irrelevant to the argument; the fact that the application was removed was a strong claim the
prosecution could use without needlessly obfuscating the issue. What the prosecution failed to validate
was whether the time of deletion corresponded with the defendant’s access to the computer. The
deletion timestamp was never validated nor was it used to check the defendant’s alibi that he was
elsewhere when the deletion occurred. As it transpired, the browser uninstall operation was a deletion;
appearing to be a panic reaction by the real culprits who were inadvertently warned of the raid during
the absence of the defendant and later most likely perjured themselves when denying all access to the
computer. The reader can be forgiven for believing the prosecution analyst was determined to secure
conviction on clearly dubious facts.
Significantly, the exculpatory evidence located on the computer included correspondence and browser
events that pointed to the use of the computer by the defendant’s tenants who rented an adjacent
building with free and open access to the defendant’s residence. Some of this evidence was recovered
from unallocated space and contained little or no temporal metadata. What it did contain was content
linking it to the tenants, notably Internet access logs and cookies and private documents and
photographs exclusive to the tenants and their friends. It was also possible to calculate the creation
dates of recovered job applications, school projects, photographs of school parties and curriculum
vitae. The creation dates of more than twenty of these files corresponded with periods when the
computer was used to browse for child pornography. This required corroboration and validation of the
evidence against known events in the lives of the tenants. This information was known to the
prosecution analyst but for some reason discounted and ignored.
Browsing activities for child pornography may be corroborated through search histories, downloaded
files, browser caches, and viewing and storage behavior by the user. There was no attempt made to
link the browsing activities to known or suspected users of the computer, despite the defendant’s
explanation provided at the time of his arrest and subsequent interview. A simple validation check
would have identified exculpatory evidence raising the possibility that others were involved in illicit
browsing and downloading offensive material. Reconstruction of browsing activities is part of the
validation process, checking and testing each file is crucial to measure the truth of the matter. This
must be done before any attempt can be made to test the weight of the evidence.
8. POTENTIAL SOLUTION TO THE VALIDATION ISSUES IN THE CASE STUDY
Validation of the digital evidence presented in the Case Study and majority of prosecution cases
examined by the author appeared superficial or absent. In themselves, the reports were meaningless to
the non-technical lawyers requiring the author to translate and interpret the evidence for them in
meaningful terms. The prosecution analyst corroborated some digital evidence exhibits presented in
the case but not all, seemingly taking others at face value or interpreting their status to suit his
viewpoint when testifying.
Digital evidence is circumstantial evidence and considered hearsay evidence that may only be
admitted in legal proceedings under established procedures (Anderson & Twinning, 1991). Business
records, including electronic records, are admissible in evidence as an exception to the hearsay rule but
are subject to certain requirements such as those maintained in normal business activities and
assurances that reasonable measures were taken to protect the authenticity and accuracy of the records
(Chaikin, 2006).
In line with many other jurisdictions, Western Australian jurisprudence gives the benefit of doubt to
accused parties when circumstantial evidence cannot be corroborated. For example, undated offensive
163
images recovered through data carving of unallocated space will be regarded as inadmissible during a
trial if it cannot be corroborated by other evidence (SOWA versus Sabourne, 2010). Consequently, the
corroboration of a digital evidence exhibit may be seen as a mandatory part of the validation process.
From a forensics perspective, the measurement of evidentiary weight requires validation checking and
testing of the admissibility and plausibility of digital evidence, and then confirming corroboration.
Admissible evidence means it was legally acquired; plausible evidence means that it is relevant,
accurate and consistent with known facts; and corroboration means proving the existence of
independent evidence to validate the exhibit and its relationship with the former exhibit.
Some structure is required if validation is to be attempted and here the author offers a formal,
validation process, as distinct from an ad hoc, intuitive process, to measure the evidentiary weight of
digital evidence through measurements of its admissibility, plausibility and corroboration. Evidentiary
weight is the strength of the evidence against a pre-set threshold above which the evidence may be
considered likely to be true in a specific legal case.
Validation requires checking and testing of each exhibit as well as the relationship between
corroborating exhibits to measure their evidentiary weights:
Checking is examining an exhibit to measure validity of the data, metadata and relationships with
other exhibits. For example, in the Case Study, the time of deletion of the Internet browser was
obtained from the Recycler, compared with the defendant’s alibi, triangulated with the computer
clock and was then checked against other events to complete the validation process.
Testing uses experiments, existing experiment data or reliable statistics to measure the validity of
the relationship between exhibits. Testing whether the browser was deleted, complemented the
testing of the deletion and showed through modelling that deletion and uninstallation left different
artefacts on a computer; a thorough and conclusive exercise that provided a more reliable and
complete reconstruction of events compared with the prosecution analyst’s report.
Using the process, validation is depicted as a three-step process consisting of an object (the
evidence), a claim (statement about the evidence) and a test (to validate the claim). As shown in
the example in Figure 3 the process would test the correctness of the timestamp of a photograph
on a storage device. The process starts with a statement that the evidence (Object) was correct
(Claim) and the claim was checked and tested (Test) and produced a result. In this example, six
outcomes are offered but this may vary according to case context. Whether the weight of the
evidence passes a predetermined, acceptable threshold will depend on the outcomes of the test.
Fig. 3. Validation process to test the evidence.
The testing stages entails measuring the strength of the claim through checking and testing the
admissibility of the evidence (o), the plausibility of the evidence (p) and corroboration of the evidence
(c) to determine whether the strength of the evidence is higher than a predetermined threshold. A
higher threshold would be appropriate in criminal cases where a greater the burden of proof is placed
164
on the prosecution, where the soundness of the evidence must be beyond reasonable doubt. In civil
litigation the burden of proof is determined at a lower threshold based on a balance of probability.
The admissibility of the evidence requires confirmation that the evidence was obtained lawfully and is
relevant to the case (claim, o,), although relevance issues may be decided during pre-trial ‘hot-tubbing’
of the analysts and during the trial. If the evidence fails this test the evidence is inadmissible and must
be excised from the case. If the evidence is admissible the claim may be set alongside the plausibility
test to determine its plausibility (claim, p). At this stage it does not matter whether plausibility is
proved to be true or false as long as it is sufficiently reasonable to include it as part of the argument
that will ultimately require validation of each supporting exhibit used in the claim.
Corroboration requires confirmation that the exhibit is corroborated with one other valid exhibit but a
requirement for more than one corroborating exhibit may be factored in depending on the case type.
The claim may then be set alongside corroboration (claim, c). Assuming the conditions of
admissibility are met, examination of the results of the plausibility and corroboration tests can be used
to measures whether the strength of evidence is higher or lower than the set threshold:
If (c,p) > threshold then the claim has a high degree of probability.
In the Case Study, the assertion was made that the defendant deliberately uninstalled the browser to
conceal illegal browsing activity. An alibi confirmed that comparing the time of the removal (later
confirmed to be deletion) of the browser with the whereabouts of the defendant established that the
defendant was not present and could not have been involved. No further testing is required – the
evidence is irrelevant and must be rejected. As shown in Figure 4 the evidence, while legally acquired
under warrant, was irrelevant to the case although it was allowed to be presented to the jury. Plausible
argument was demolished by a lack of corroboration and additional evidence that rebutted the original
argument.
Fig. 4. Inadmissibility of the evidence.
If the evidence is admissible the plausibility and corroboration stages will test and check the evidence
so that the two sets of results may be used to measure the strength of the evidence and determine the
likelihood the claim is true. In the hypothetical example in Figure 5 the claim that the defendant
deliberately deleted the browser to conceal evidence of a crime is a plausible assertion based on the
presence of evidence of deletion and the defendant’s ownership of the computer. It is not proven and
still requires corroboration. Some other evidence, such as linking the defendant to the computer during
the deletion process would bolster the strength of the evidence. If the plausibility and corroboration are
calculated to be above the threshold then the claim is substantiated as being highly probable.
165
Fig. 5 Example of the plausibility and corroboration of digital evidence.
Testing and checking the validity of these exhibits might require comparison of the timestamps of the
deleted files recovered from the Recycler and the sent email messages as illustrated in figure 6. The
email messages would also require examination to determine the plausibility of the messages being
created by the defendant or an impostor.
Fig. 6. Comparison of the corroboratory exhibit.
The process of admissibility checking of the primary exhibit is shown in Figure 7 which involves
plausibility checking to determine the relevance, accuracy and consistency (unambiguity) of the
evidence. For example: testing if the timestamps are relevant to a user of another user accessing the
Internet; consistency checking to check for ambiguities timestamps that are unclear as to whether they
were edited or the changed as a result of some other process; and checking the accuracy of time
stamps to see if the files are relevant to the case.
166
Fig. 7. Checking the relevance, accuracy and consistency during the plausibility stage.
Figure 8 shows the process continued through to the corroboration stage where the corroborating
exhibit and the relationship between the primary exhibit and the corroborating exhibit are checked and
tested. Corroboration between exhibits may involve: relevance checking to show that the file accessed
on the external drive was the same file shown in the Jump List Log; consistency checking to see if a
deleted file was identical with a file shown in an application log or other files with the same name; and
accuracy checking the timestamps to show a correlation between browsing and other critical user
events.
167
Fig. 8. Checking corroboration and relationships between exhibits.
Presenting the findings of the analysis and the validation checking on which the claims are evaluated
confronts forensics examiners and prompts more thorough examination. This sub-argument, based on
the validation testing in the Case Study could be represented using Toulmin’s model as shown in
168
Figure 9. The reservation (rebuttal) statements are based on testing the plausibility and corroboration
of relevant exhibits, and cast a different outlook on the case than that prosecution argument.
Validation issues are shown such as evidence that the deletion of the browser was incompatible with
the defendant’s alibi.
Of course, if appropriate, the rebuttal may also be rebutted by the analyst and legal team and so forth.
The point is, clarity of the argument is clearer and the evidence relied that much easier to understand
and evaluate providing both parties a more reliable prognosis.
Fig. 9. A sub-argument showing a strong rebuttal
The process can be used to measure each individual thread of evidence as well as measuring the
combined weight of evidence that comprises the trial case. The process offers some structural form to
ensure that all relevant evidence is validated and presented with greater clarity in child pornography
cases and potentially in a range of other digital evidence-based cases. The process minimises the
chance that key validation issues are overlooked or trivialised. Ideally, it provides the means to
measure the strength of each exhibit and evidence string that form part of the case, although this Case
Study does not address the complexities of combining and measuring results of the process that affect
the validity of the evidence.
9. CONCLUSION
The Case Study identifies issues of inadequate reasoning during analysis, compounded by poor
presentation of even the basic facts, further degraded by inadequate validation of the digital evidence.
Innocent or not, all facing the court should expect that the evidence presented is complete and correct.
It is reasonable to expect that vigorous processes were used to measure its completeness and
correctness; that the evidence is valid and is what it purports to be. Ideally, the trial should proceed
with the best evidence available with a degree of confidence that it is what it purports to be.
169
Validation seeks a rigorous examination of the admissibility, plausibility and corroboration of the
evidence. Presenting the evidence that has undergone complete validation using well-established
argument models such as Toulmin’s model has much to commend it. Correct and complete validation
of digital evidence presented with clarity is so important and offers great benefits to the forensics
examiner and the legal practitioner. It allows the evidence analysis to be independently scrutinised and
audited; it makes the examiner accountable; and engenders thorough and diligent analysis of a high
standard. Most importantly, it seeks the truth of the matter and without bias, a fundamental hallmark
of forensics science.
The author has adopted Toulmin’s model and the validation processes in case analysis presentations
and already notes improved efficiencies in case management and communication with legal
practitioners. Further research into refining the validation processes to serve a range of different case
scenarios appears worthwhile.
AUTHOR BIOGRAPHY
Mr. Richard Boddington holds a B.Sc (Hons) 1st Class and is completing Ph.D. research in digital
evidence validation at Murdoch University, Australia where he teaches and researches information
security and cyber forensics. He has a police and security intelligence background and provides cyber
forensic analysis and expert testimony for the legal fraternity in a range of civil and criminal cases.
ACKNOWLEDGEMENTS
Sincere thanks are extended to Drs. Valerie Hobbs and Graham Mann of Murdoch University for their
support and feedback during the preparation of the paper.
REFERENCES
A Dictionary of Computing. (2008). Eds. John Daintith and Edmund Wright. Oxford University Press,
Oxford Reference Online. Accessed 21 December 2010
http://0-www.oxfordreference.com.prospero.murdoch.edu.au/views/ENTRY.html?subview=Main&ent
ry=t11.e5680
A Dictionary of Psychology. (2010). Ed. Andrew M. Colman. Oxford University Press, Oxford
Reference Online. Accessed 21 December 2010
ry=t87.e8721
Anderson, T., & Twining, W. (1991). Analysis of evidence: How to do things with facts based on
Wigmore's Science of Judicial Proof. Evanston, IL: Northwestern University Press. Australian Law
Dictionary. (2012). Accessed 20 January 2012:
ry=t317.e10
Azuelos-Atias, S. (2007). A pragmatic analysis of legal proofs of criminal intent. Philadelphia: J.
Benjamins Pub. Co
Berk, R. A. (1983). An introduction to sample selection bias in sociological data. American
Sociological Review, 48, 386 - 398.
Caloyannides, M. A. (2003). Digital evidence and reasonable doubt. IEEE Security and Privacy, 1(6),
89 - 91.
Carrick, D. (2010). The Chamberlain case: The lessons learned. Melbourne: ABC Radio National.
Chaikin, D. (2006). Network investigations of cyber attacks: The limits of digital evidence. Crime Law
& Social Change, 46, 239 - 256.
Cohen, F. (2006). Challenges to digital forensic evidence. Accessed 22 June, 2006, from
http://all.net/Talks/CyberCrimeSummit06.pdf.
170
Dardick, G. S. (2010). Cyber forensic assurance. Paper presented at the 8th Australian Digital
Forensics Conference.
Flusche, K. J. (2001). Computer forensic Case Study: Espionage, Part 1 Just finding the file is not
enough! Information Security Journal, 10(1), 1 - 10.
George, E. (2004). Trojan virus defence: Regina v Aaron Caffrey, Southwark Crown Court. Digital
Investigation, 1(2), 89.
Guidelines for the management of IT evidence: A handbook (HB171). (2003).
Inman, K., & Rudin, N. (2001), Principles and Practices of Criminalistics: The Profession of Forensic
Science. CRC Press: Boca Raton, Florida.
Jones, A. (2011, November 2011). Meet the DF Professionals. Digital Forensics, 9, 37 – 38.
Koehler, J. J., & Thompson, William. C. . (2006). Mock jurors’ reactions to selective presentation of
evidence from multiple-opportunity searches: American Psychology-Law Society/Division 41 of the
American Psychological Association.
Lemos, R. (2008). Lax security leads to child-porn charges [Electronic Version]. Security Focus.
Accessed 22 November 2008 from http://www.securityfocus.com/brief/756.
Palmer, G. L. (2002). Forensic analysis in the digital world. International Journal of Digital Evidence,
1(1).
Pollitt, M. M. (2008). Applying traditional forensic taxonomy to digital forensics. Advances in Digital
Forensics IV IFIP International Federation for Information Processing, 285, 17 - 26.
Saunders, K., M. (1994 ). Law as Rhetoric, Rhetoric as Argument. Journal of Legal Education, 44,
566.
State of Western Australia versus Sabourne. (2010). Perth District Court.
State of Western Australia versus Buchanan, 2009. Perth District Court.
Sippl, C. J., & Sippl, R. J. (1980). Computer Dictionary (3rd ed.). Indianapolis: Howard W Sams &
Co.
Sydney Morning Herald. (2012). Accessed 8 February 2012
http://www.smh.com.au/national/growing-alarm-over-child-porn-epidemic-20120207-1r667.html
The Oxford Dictionary of English. (2010). (revised edition). Eds. Catherine Soanes and Angus
Stevenson. Oxford University Press, Oxford Reference Online. Accessed 21 December 2010 http://0www.oxfordreference.com.prospero.murdoch.edu.au/views/ENTRY.html?subview=Main&entry=t140
.e85868
Toulmin, S. E. (1958). The uses of argument. Cambridge: University Press.
Walton, D. (2004). Abductive Reasoning. Tuscaloosa: The University of Alabama Press.
171
172
AFTER FIVE YEARS OF E-DISCOVERY MISSTEPS:
SANCTIONS OR SAFE HARBOR?
Milton Luoma
Metropolitan State University
700 East Seventh Street
St. Paul, Minnesota 55106
651.793.1481
651.793.1246 (fax)
[email protected]
Vicki Luoma
Minnesota State University
145 Morris Hall
Mankato, Minnesota 56001
507.389.1916
507.389.5497(fax)
[email protected]
ABSTRACT
In 2003 the Zubulake case became the catalyst of change in the world of e-discovery. In that case
Judge Shira Scheindlin of the United States District Court for the Southern District of New York set
guidelines for e-discovery that served as the basis for amending the Federal Rules of Civil Procedure
(FRCP) in December 2006. The amendments incorporated a number of concepts that were described
by Judge Scheindlin in the Zubulake case. ( Zubulake v. UBS Warburg LLC, 2003) Since the
Zubulake case and the FRCP amendments, numerous cases have interpreted these rules changes, but
one of the main points of court decisions is that of preservation of electronically stored information
(ESI). A litigation hold to preserve ESI must be put into place as soon as litigation is reasonably
anticipated. The failure to preserve ESI has resulted in the largest number of cases where judges have
imposed sanctions, but certainly not the only one. This paper reviews the cases to answer the question
– are the courts granting safe harbor protection when litigants failed to follow the rules and best
practices rather than imposing sanctions?
Keywords:
e-discovery, electronic discovery, sanctions, safe harbor, electronically stored
information, ESI, sanctions
1. ELECTRONICALLY STORED INFORMATION AND THE PROBLEM
The biggest problem in complying with discovery requests is the enormous amount of electronically
stored information that exists. According to a study conducted at Berkeley in 2003, more than five
exabytes of information were stored electronically. Five exabytes of information would be the same
as 37,000 libraries the size of the Library of Congress. (Lyman, 2003) They further predicted that
based on past growth rates, the amount of ESI doubles every three years. (Lyman, 2003) To put this
information in visual terms, one exabyte of information is equal to 500,000,000,000 (500 trillion)
typewritten pages of paper. (Luoma M. V., 2011) Beyond the sheer volume of data, other problems
include how to determine which of the information is relevant to the litigation at hand, how to retrieve
it, in what format it must be provided to the opposing party, and most importantly, to ensure none of
the relevant or potentially relevant data has been deleted or lost.
Yet another problem with electronically stored information is that it contains metadata. If the metadata
173
is not provided in response to a discovery request, court sanctions are a real possibility. Metadata is
data about data. So when discovery requests demand data it normally includes the metadata. Litigants
must ensure that the metadata is intact and not altered. Metadata will not only provide information
concerning the creator, recipient, creation dates and times, but also whether there have been any
alterations or deletions and the identity of the person making these changes. It can also provide a
timeline. Further, it also includes how and when the alternations were made.
Three types of metadata are of interest, namely, file metadata, system metadata, and embedded
metadata. File data includes information about the creator, reviser, editor and data and times. File
system metadata is important because if data has been altered this metadata will show that
information. Also this is one area in which spoliation occurs. If the collection of data is not done
properly, then metadata can be altered or deleted. System metadata is normally recovered from an
organization’s IT system and will include the path a file took and where it is located on a hard drive or
server. The metadata is often in databases in the computer system. Embedded metadata contains the
data, content, numbers that are not found in the native format of a document. One example of
embedded data would be the formulas used in a spreadsheet. Metadata can also demonstrate an
evidence timeline.
In a 2005 case, Williams v. Sprint, the court set the standard concerning metadata when it ruled as
follows:
When a party is ordered to produce electronic documents as they are maintained in the
ordinary course of business, the producing party should produce the electronic
documents with their metadata intact, unless that party timely objects to production of
metadata, the parties agree that the metadata should not be produced, or the producing
party requests a protective order. (Williams v. Sprint/United Mgmt. Co., 2005)
Metadata is an important element in discovery. The metadata can be used as a search tool to help find
relevant documents and it can be used to discover attempts at hiding or deleting information or
revealing who knew what when. For example, in the Martha Stewart case in which she was found
guilty of four counts of obstruction of justice and lying to investigators about a stock sale, it was the
metadata that showed she had made alterations to her electronic calendar, ( Securities and Exchange
Commission vrs Martha Stewart and Peter Bacanovic, 2003) and in the Qualcomm case metadata
helped to locate emails that Qualcomm had denied receiving. (Luoma M. &., 2009) The pure volume
of information and the layers of information available to a litigant make discovery a difficult dilemma.
When does a party have enough information?
2. PRIOR TO THE CIVIL RULE CHANGES
The former version of the FRCP required litigants to comply with discovery requests in an effort to
prevent surprises at trial and to ensure a fair trial. Although some courts interpreted the rules to
include electronic data as well as paper data, there were no well-established guidelines in this matter.
The case that was the catalyst for change in electronic discovery was the Zubulake case. The Zubulake
case began as a gender discrimination case, but became the first authoritative case in the United States
on electronic discovery issues. ( Zubulake v. UBS Warburg LLC, 2003)
The Zubulake case forced the legal community to review the rules of civil procedure and make the
necessary changes to the Federal Rules of Civil Procedure to include specific instructions concerning
electronically stored information. In 1999 Laura Zubulake was hired as the director and senior
salesperson of the UBS Asian Equities Sales Desk and was told that she would be considered for her
supervisor’s position when he left. When Laura’s supervisor took another position, another male was
given that position without consideration of any other candidates, including Laura Zubulake. Her new
supervisor made it clear that he did not feel a woman belonged in Laura’s position and earning
$650,000 a year. Laura Zubulake complained that her new supervisor made sexist remarks, excluded
174
her from office activities and demeaned her in the presence of her co-workers. In response to this
treatment Laura Zubulake filed a gender discrimination claim with the EEOC against her employer
UBS Warburg LLC. She lost the case and was fired. She then brought suit against her employer under
federal law, New York state law, and New York City law for both gender discrimination and
retaliation. ( Zubulake v. UBS Warburg LLC, 2003)
This case was atypical in that there were five pre-trial motions dealing with discovery issues. When
Warburg could not produce the desired emails and other electronic documents requested, Zubulake
brought a motion requesting access to UBS backup media. UBS responded by asking the court to shift
the cost of restoring the backup tapes to the plaintiff. What followed were four more motions to
resolve discovery issues. During the restoration effort it was determined that many backup tapes were
missing and some were erased. The court ordered a sampling to be done of the backup tapes. In these
results it was evident that Zubulake’s supervisor had taken steps to conceal or destroy particularly
relevant emails. As a result of this action, the court set standards for retention and deletion
requirements, litigation holds and cost shifting. It became clear after the Zubulake case that the old
rules of civil procedure were no longer adequate. Clarification had to be made concerning electronic
discovery. The guidelines forged by the judge in the Zubulake case were debated in setting new rules
with trial adoption of the rule changes in December 2006 and permanent adoption one year later. (
Zubulake v. UBS Warburg LLC, 2003)
3. NEW FEDERAL RULES
In April of 2006 the U.S. Supreme Court determined the amount of electronically stored information
involved in discovery requests required clarification and standards. Changes in the Federal Rules of
Civil Procedure that dealt with ESI issues that took effect in December 1, 2006 included Rules 16, 26,
34 and 37. Rule 26 provided that parties must provide an inventory, description and location of
relevant ESI and required the parties to meet and develop a discovery plan. Rule 34 sets out rules for
document requests and Rule 37 addresses the safe harbor provisions.
Rule 26 (A) (1)(ii) requires the litigants to provide the following:
(ii) a copy — or a description by category and location — of all documents, electronically
stored information, and tangible things that the disclosing party has in its possession, custody,
or control and may use to support its claims or defenses, unless the use would be solely for
impeachment; (Federal Rules of Civil Procedure, 2006)
This revision now requires a party to reveal all of its information without requiring the opposing party
to ask for the information. This provision requires attorneys who have always been adversaries to
cooperate. In addition, Rule 26(f) requires that the parties must confer as soon as practicable or at
least 21 days before a scheduling conference is to be held or a scheduling order is due under Rule
16(b). (Federal Rules of Civil Procedure, 2006)
4. SANCTIONS
Since the Zubulake case it has been clear that parties must put a litigation hold in place as soon as
litigation is known and anticipated. That one issue has been the primary reason for courts imposing
sanctions on a party. However, there are other reasons for sanctions that have arisen since the Federal
Rules of Civil Procedure were modified. Those reasons have included data dumping, data wiping,
intentional destruction and certainly failure to have a litigation hold.
4.1 Data Dumping
If an opposing party provides too much information it may be guilty of data dumping while
demanding too much information can result in cost shifting and a litigation nightmare. Failure to retain
electronic data in a retrievable format for litigation that a litigant knew or should have known might be
imminent can result in sanctions.
175
In a 2008 case, ReedHycalog v. United Diamond, a Texas court found that in discovery the producing
party must cull out irrelevant information from document production and must not engage in data
dumping. (ReedHycalog v. United Diamond, 2008) The court ruled that “there are two ways to lose a
case in the Eastern District of Texas: on the merits or by discovery abuse.” (ReedHycalog v. United
Diamond, 2008) The court stated, “While these provisions generally ensure that parties do not
withhold relevant information, a party may not frustrate the spirit of discovery rules — open,
forthright, and efficient disclosure of information potentially relevant to the case — by burying
relevant documents amid a sea of irrelevant ones.” (ReedHycalog v. United Diamond, 2008)
In a 2010 case of data dumping the court did not award sanctions even though the defendant dumped
the computer hard drive on the plaintiff because the plaintiff did not make the motion in a timely
fashion. However the court did sanction the defendant for other discovery violations and warned if the
motion on dumping had been timely there would have been additional sanctions. (Cherrington Asia
Ltd. v. A & L Underground, Inc, 2010)
In yet another data dumping case, a third party produced three servers in response to a subpoena and
court orders without conducting a review for either privilege or responsiveness. Later the party asked
the court for the right to search the 800 GB and 600,000 documents for relevant materials at their cost
in exchange for the return of any privileged documents. The court found that the party had made
voluntary disclosure and resulted in a complete waiver of applicable privileges. The court pointed out
that in nearly three months the party had not flagged even one document as privileged, so the court
rejected its "belatedly and casually proffered" objections as "too little, too late." (In re Fontainebleau
Las Vegas Contract Litig., 2011)
In a 2011 District of Columbia case, the defendants had produced thousands of e-mails just days
before trial and continued to "document dump" even after the trial ended. The court found that
"repeated, flagrant, and unrepentant failures to comply with Court orders" and "discovery abuse so
extreme as to be literally unheard of in this Court." The court also repeatedly noted the defendants'
failure to adhere to the discovery framework provided by the Federal Rules of Civil Procedure and
advised the defendants to invest time spent "ankle-biting the plaintiffs" into shaping up its own
discovery conduct. (DL v. District of Columbia, 2011)
4.2 Failure to Maintain a Litigation Hold
Failing to maintain a litigation hold when litigation can be reasonably anticipated is another ground for
court-imposed sanctions. Kolon executives and employees had deleted thousands emails and other
records relevant to DuPont’s trade secret claims. The court fined the company’s attorneys and
executives reasoning they could have prevented the spoliation through an effective litigation hold
process. Three litigation notices sent that were all deficient in some manner. ( E.I. du Pont de
Nemours v. Kolon Industries, 2011) The court issued a severe penalty against defendant Kolon
Industries for failing to issue a timely and proper litigation hold. The court gave an adverse inference
jury instruction that stated that Kolon executives and employees destroyed key evidence after the
company’s preservation duty was triggered. The jury responded by returning a stunning $919 million
verdict for DuPont.
4.3 Data Wiping
In a recent shareholders’ action in Delaware extreme sanctions were ordered against the defendant
Genger. Genger and his forensic expert used a wiping program to remove any data left on the
unallocated spaces on his ESI sources after a status quo order had been entered and after the opposing
side had searched his computer and obtained all ESI. The sanctions included attorney fees of
$750,000, costs of $3.2 million, changing the burden of proof from “a preponderance of the evidence”
to “clear and convincing evidence,” and requiring corroboration of Genger’s testimony before it would
be admitted in evidence. On appeal, the defendant argued the sanctions were disproportionate and
excessive since he erased only unallocated free space and did not erase this information until after the
176
plaintiff had searched all of the data sources. Further, the status quo order did not specifically mention
preserving the unallocated space on the computer. The defendant also argued that normal computer
use would likely cause overwriting of unallocated space to occur. Further, if this order were affirmed
by the court computer activities would have to be suspended every time a discovery order issued. In
2011 the Supreme Court of Delaware upheld the sanctions. (Genger v. TR Investors, LLC, 2011)
In a patent infringement case, plaintiffs asked for sanctions against the defendants for their failure to
produce relevant electronic documents. The defendants’ excuse was that their e-mail servers were not
designed for archival purposes. The company policy was that employees should preserve valuable emails. The court refused to grant safe harbor provision citing the forensic expert’s declaration that
failed to state the destruction was a result of a "routine, good-faith operation." (Phillip M. Adams &
Assocs. LLC v. Dell, Inc., 2009)
In another case, almost every piece of media ordered to be produced was wiped, altered or destroyed.
In addition, the last modified dates for critical evidence were backdated and modified. The court
found the plaintiff guilty of "bad faith and with willful disregard for the rules of discovery" and
ordered a default judgment, dismissed the plaintiff's complaint with prejudice and ordered $1,000,000
in sanctions. In addition, the plaintiff's counsel was ordered to pay all costs and attorney fees for their
part in the misconduct. (Rosenthal Collins Grp., LLC v. Trading Tech. Int'l Inc., 2011)
4.4 Social Media
In a social media case an attorney was sanctioned when the attorney had his client purge unflattering
posts and photos on his Facebook account. The court found that the attorney, Murray, told his client,
the plaintiff in a wrongful death suit brought after his wife was killed in an auto accident, to remove
unflattering photos including one in which the distraught widower was holding a beer and wearing a tshirt emblazoned with “I [heart] hot moms.” (Lester v Allied Concrete et al, 2012)Murray instructed
his client through his assistant to “clean up” his Facebook account. Murray’s assistant emailed to the
client “We do not want blow ups of other pics at trial, so please; please clean up your Facebook and
MySpace!!” (Lester v Allied Concrete et al, 2012) The attorney was fined $522,000 even though he
argued he did not consider the social media site an ESI site. (Lester v Allied Concrete et al, 2012)
In another interesting case, several key employees intentionally and in bad faith destroyed 12,836 emails and 4,975 electronic files. The defendant argued that most of these files were recovered and thus
the plaintiffs were not harmed. Declaring these deletions significant in substance and number, the
court imposed an adverse inference instruction and ordered payment of attorney fees and costs
incurred as a result of the spoliation. (E.I. Du Pont De Nemours & Co. v. Kolon Indus., Inc, 2011)
In another case, the plaintiff sought a default judgment sanctions alleging the defendants intentionally
deleted relevant ESI by lifting a litigation hold, erasing a home computer, delaying preservation of
computers hard drives and deleting files, defragmenting disks, and destroying server backup tapes,
ghost images, portable storage devices, e-mails and a file server. The court determined that a default
judgment was appropriate given the defendants’ “unabashedly intentional destruction of relevant,
irretrievable evidence” and egregious conduct. (Gentex Corp. v. Sutter, 2011)
4.5 Egregious Behavior
After five years of case law, rules, and The Sedona Conference best practices principles there are still
cases that so blatantly flaunt the rules and good practices that all can be said is what were they
thinking? In an intellectual property dispute, the plaintiff and third-party defendants appealed the
district court’s decision to grant default judgment as a sanction for ESI spoliation. The court found that
the plaintiff willfully and in bad faith destroyed ESI. The plaintiff and his employees videotaped the
employees talking about their deliberate destruction of the potentially harmful evidence. In addition,
the employees tossed one laptop off a building and drove a car over another one. In addition, one
employee said '[If] this gets us into trouble, I hope we’re prison buddies.'" Finding this behavior
177
demonstrated bad faith and a general disregard for the judicial process, the court affirmed the default
judgment and award of attorneys' fees and costs. (Daynight, LLC v. Mobilight, Inc, 2011)
In a products liability case, the plaintiff sought to re-open a case and asked that sanctions be ordered
against the defendant for systematically destroying evidence, failed to produce relevant documents and
committed other discovery violations in bad faith. The plaintiff's attorney uncovered documents
requested in the litigation nearly a year after trial ended when conducting discovery in another case.
The court determined the unproduced e-mails were extremely valuable and prejudiced the plaintiff.
Further, the court found the defendant's discovery efforts were unreasonable. The defendant put one
employee who was admittedly "as computer literate —illiterate as they get" in charge. In addition, the
defendant failed to search the electronic data, failed to institute a litigation hold, instructed employees
to routinely delete information and rotated its backup tapes, thus permanently deleting data. The court
ordered that defendant was to pay $250,000 in civil contempt sanctions. The unusual part of the order
was that the court imposed a "purging" sanction of $500,000, extinguishable if the defendant furnished
a copy of the order to every plaintiff in every lawsuit proceeding against the company for the past two
years and to file a copy of the order with its first pleading or filing in all new lawsuits for the next five
years. (Green v. Blitz U.S.A., Inc., 2011)
5. THE SAFE HARBOR
The court has great leeway in imposing sanctions on litigants who fail to produce relevant materials to
the opposing party or who has tampered with or destroyed information or metadata. Sanctions can
vary from fines, attorney fees, an award of costs, and adverse-inference instructions to outright
dismissal of the case. However, in an effort to distinguish between inadvertent mistakes and outright
obstruction, Federal Rule 37(f) provides: “Absent exceptional circumstances, a court may not impose
sanctions under these rules on a party for failing to provide electronically stored information lost as a
result of the routine, good-faith operation of an electronic information system.’ (Federal Rule of Civil
Procedure, 2006)
This rule indicates that parties could implement and rely on their document retention and deletion
policy that provides for the routine and frequent destruction of electronic evidence and still be
protected from civil sanctions when they were unable to produce relevant electronic evidence.
However, case law has not always followed that simple interpretation. With all this information from
rules to cases to think tanks on best practices, the question that remains is whether the safe harbor
provision protects litigants and does it matter if the failure is based on ignorance, mistake or
willfulness?
5.1 Ignorance
In a 2011 case the defendants sought sanctions alleging the plaintiff failed to produce relevant
information and further was guilty of spoliation of evidence by donating her personal computer to an
overseas school after commencing the action. The court found that the plaintiff did not act in bad faith
and unlike corporate parties, the plaintiff in this case was unsophisticated and unaccustomed to
preservation requirements. Further, the court stated the e-mails were withheld under the good faith
misconceptions of relevance and privilege. Therefore, the court found no evidence of prejudice or bad
faith and their court declined to impose sanctions. (Neverson-Young v. Blackrock, Inc, 2011)
5.2 Mistake
In another 2011 case, the plaintiff brought a motion for sanctions in a wrongful termination case
alleging the defendants failed to: (1) issue a prompt litigation hold resulting in the destruction of
electronically stored information (ESI); and (2) provide emails in their native file format, producing
them in paper instead. The court denied the plaintiff’s motion for sanctions holding that FRCP 37(e)
grants safe harbor for the defendants’ automated destruction of emails based on their existing
document retention policy. (Kermode v. University of Miss. Med. Ctr, 2011)
178
5.3 Lack of Good Faith
In a 2008 case, the defendants sought a spoliation jury instruction alleging the plaintiff failed to
preserve and produce requested copies of critical e-mails. Further, the plaintiff failed to notify the
defendants that evidence had been lost prior to the defendant sending an employee out to the plaintiff’s
site to inspect it. The court determined there was an absence of bad faith and denied both requests for
sanctions. (Diabetes Ctr. of Am. v. Healthpia Am., Inc, 2008)
In a 2011 products liability litigation case, the plaintiffs sought ESI sanctions against the defendants
for failure to preserve data. Despite the discovery violations alleged by the plaintiff, including the
failure to preserve and produce relevant e-mails, the court noted that procedural defects and the Rule
37(e) safe harbor provision barred the imposition of sanctions as the e-mails were deleted as part of a
routine system
5.4 Not enough Evidence
In another 2011 case the court refused to compel data restoration or a finding of bad faith in an
employment law case. The defendant requested damages from the plaintiff (the former employee) for
damages for erasing data from his company-issued laptop. The employee claimed that he did not have
any way of removing his personal data. The court found that it was far from clear whether plaintiff
deleted the files in bad faith and that there was a lack of evidence that the defendant was harmed.
6. EXTREME MEASURES
In September, 2011 Chief Judge Randall R. Rader introduced a Model Order to be used in Patent cases
which basically eliminated e-discovery and metadata. For example, item 5 of the Model Order read
“General ESI production requests under Federal Rules of Civil Procedure 34 and 45 shall not include
metadata absent a showing of good cause.” In addition this model order severely limited electronic
discovery. (Rader, 2011)
This order is contrary to the Sedona Principle 12 that holds the production of data should take into
account “the need to produce reasonably accessible metadata that will enable the receiving party to
have the same ability to access, search, and display the information as the producing party where
appropriate or necessary in light of the nature of the information and the needs of the case.” (Sedona,
2009)
7. CONCLUSION
In conclusion both federal and state courts have had an increasing number of cases where they have
determined that sanctions are appropriate since the new Federal Rules of Civil Procedure were enacted
in 2006, especially Rule 26(f). The probability of receiving sanctions seems to depend on the harm
the missing information has caused or can cause as well as the bad faith involved in the failure to
provide discovery. The severity of bad faith conduct increases the severity of the sanction imposed.
Often the litigant has had numerous acts of misconduct that will result in negative-inference jury
instructions and summary judgment.
In a landmark case decided by Judge Paul Grimm, the defendant responded to discovery using
boilerplate objections. Judge Grimm ruled that use of such broad objections violates FRCP 33(b)(4)
and 34(b)(2). Judge Grimm stated that the parties must have a meet-and-confer conference prior to
discovery, discuss any controversial issues – including timing – costs, and the reasonableness of the
discovery request in proportion to the value of the case. (Mancia v. Mayflower Textile Servs. Co,
2008)
Lawyers have been trained to be advocates and adversaries and to represent their clients zealously.
However, with the volume of ESI today, lawyers must redefine what zealous representation means.
Cooperation in the discovery process by full disclosure of the ESI and cooperation in devising a
discovery plan will save the client money in the long run, avoid sanctions, and allow a full and fair
179
trial on the merits.
REFERENCES
Securities and Exchange Commission vrs Martha Stewart and Peter Bacanovic, 03 CV 4070 (NRB)
Complaint ( United States Disct Court Southern District of New York 2003).
Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y 2003).
E.I. du Pont de Nemours v. Kolon Industries, 3:09cv58 (E.D. VA July 21, 2011).
Cherrington Asia Ltd. v. A & L Underground, Inc, WL 126190 (D. Kansas January 8, 2010).
Daynight, LLC v. Mobilight, Inc, WL 241084 (Utah App Jan 27, 2011).
Diabetes Ctr. of Am. v. Healthpia Am., Inc, WL 336382 (S.D. Texas Feb 5, 2008).
DL v. District of Columbia, No. 05-1437 (D.D.C. May 9, 2011).
E.I. Du Pont De Nemours & Co. v. Kolon Indus., Inc, WL 2966862 (E.D. VA July 21, 2011).
Federal Rule of Civil Procedure, 37(f) (2006).
Federal Rules of Civil Procedure, Rule 26 (A)(1)(ii) (2006).
Federal Rules of Civil Procedure, Rule 26(f) (December 2006).
Genger v. TR Investors, LLC, WL 2802832 (Del Supreme July 18, 2011).
Gentex Corp. v. Sutter, WL 5040893 (M.D. PA October 24, 2011).
Green v. Blitz U.S.A., Inc., WL 806011 (E.D. Tex March 1, 2011).
In re Fontainebleau Las Vegas Contract Litig., WL 65760 (S.D. Fla Jan 7, 2011).
Kermode v. University of Miss. Med. Ctr, 3:09-CV-584-DPJ-FKB (S.D. Jul 1, 2011).
Lester v Allied Concrete et al, CL108-150 (CC Virgina 2012).
Luoma, M. &. (2009). Qualcomm v. Broadcom: Implications for Electronic Discovery. Proceedings of
the 7th Australian Digital Forensics Conference. Perth: Edith Cowan University School of Computer
and Information Science.
Luoma, M. V. (2011). ESI a Global Problem. International Conference on Technology and Business
Management, Dubai. Dubai: UAE.
Lyman, P. V. (2003). How Much Information? Retrieved August 6, 2010, from University of
California Berkley School of Information Management and Systems: www.sims.berkeley.edu/howmuch-info
Mancia v. Mayflower Textile Servs. Co, WL 4595275 (D. MD October 15, 2008).
Neverson-Young v. Blackrock, Inc, WL 3585961 (S.D.N.Y. August 11, 2011).
Phillip M. Adams & Assocs., LLC v. Dell, Inc, WL 910801 (D. Utah March 30, 2009).
Rader, R. (2011, September). Model Order. Retrieved January 21, 2012, from An E-Discovery Model
Order:
http://memberconnections.com/olc/filelib/LVFC/cpages/9008/Library/Ediscovery%20Model%20Orde
r.pdf
ReedHycalog v. United Diamond, Lexis 93177 (E.D. Texas October 3, 2008).
Residential Funding Co. v. DeGeorge Financial Co, 306 F.3d 99 (2d Cir 2003).
Rosenthal Collins Grp., LLC v. Trading Tech. Int'l Inc., WL 722467 (N.D. Ill Feb 23, 2011).
Sedona. (2009). Commentary on Achieving Quality in the E-Discovery Process. Sedona conference.
180
Sedona: Sedona Publishers.
Victor Stanley, Inc. v. Creative Pipe, Inc., WL 3530097 (D. MD 2010).
Williams v. Sprint/United Mgmt. Co., . LEXIS 21966 ( U.S. Dist Kansas September 20, 2005).
181
182
DIGITAL EVIDENCE EDUCATION IN SCHOOLS OF LAW
Aaron Alva
Barbara Endicott-Popovsky
Center for Information Assurance and Cybersecurity
University of Washington
4311 11th Ave NE Suite 400 Box 354985
Seattle, Washington 98105
[email protected], [email protected]
ABSTRACT
An examination of State of Connecticut v. Julie Amero provides insight into how a general lack of
understanding of digital evidence can cause an innocent defendant to be wrongfully convicted. By
contrast, the 101-page opinion in Lorraine v. Markel American Insurance Co. provides legal
precedence and a detailed consideration for the admission of digital evidence. An analysis of both
cases leads the authors to recommend additions to Law School curricula designed to raise the
awareness of the legal community to ensure such travesties of justice, as in the Amero case, don’t
occur in the future. Work underway at the University of Washington designed to address this
deficiency is discussed.
Keywords: digital forensics, law education, ESI, admissibility, evidence
1. INTRODUCTION / BACKGROUND
There is an alarming gap in the legal and judicial community’s understanding of digital evidence. This
was brought home vividly after one of the authors received a call from an attorney acquaintance
seeking advice on a case involving incriminating emails that were pending admission as evidence in a
contentious divorce case. The accused wife was an injured Iraqi War veteran whose husband sought
dissolution, as well as all of the couple’s assets and full custody of their children, based on her alleged
crimes of cyber stalking. As evidence, the husband’s lawyer provided paper copies to the judge of
incriminating emails that did indeed appear to emanate from the wife’s account. Without legal
challenge, the judge was inclined to admit it. Endicott-Popovsky recommended that the related digital
email files be requested from the husband’s lawyer, who agreed to forward them immediately. Three
weeks later, the digital email files still were not forthcoming and the lawyer--and his client—dropped
the allegations against the wife of violation of Washington State’s strict cyber stalking statutes and
withdrew the ”evidence” from the judge’s consideration. You can draw your own conclusion why this
“evidence,” initially so compelling according to the other side, was quietly withdrawn.
This entire episode gave pause. Had the wife’s attorney not known of one Author’s interest in digital
forensics, he might not have called. Had the judge then admitted the evidence proposed by the
husband’s counsel, a serious miscarriage of justice almost surely would have ensued. The tragedy of a
veteran of active duty service, and a woman at that, officially being labeled a cyberstalker, stripped of
her parental rights and losing her assets (not to mention the effect that this would have on the children)
was chilling to contemplate and reminiscent of the Julie Amero case which has become a legend
among digital forensics experts and which will be discussed in more detail later. Examination of
additional cases confirms this experience, resulting in our recommendation that education in a range of
subjects related to digital evidence be added to law school curricula where, unfortunately, today it
often is not.
Failing to provide lawyers and judges with sufficient education in digital evidence can result in serious
miscarriages of justice and disruption of the legal system. The innocent will be wrongly convicted and
incarcerated; those deserving of punishment will get away with crimes. Society as a whole would be
183
better served by increasing the legal and judiciary communities’ understanding of digital evidence
(Endicott-Popovsky and Horowitz 2012). This will require that schools of law an engage in an effort
to identify what needs to be taught.
2. STATE OF CONNECTICUT V. JULIE AMERO
State of Connecticut v. Julie Amero exposed how legal ignorance of digital evidence could have a
profound impact on an individual’s life. Defendant, Amero was convicted on four charges of Risk of
Injury to a Child, which carried up to a 40-year sentence (Kantor 2007). Following four delays in
sentencing, a new trial was granted when the conviction was overturned on appeal. After years of
suffering under a cloud of suspicion, wanting to put the nightmare behind her, Amero pled guilty to
disorderly conduct, her teaching license was revoked, and she paid a $100 fine (Krebs 2008).
To summarize the facts of the case, Julie Amero was substitute-teaching a seventh grade classroom on
October 19, 2004. After stepping out of the hallway for a moment, she found two students browsing a
hairstyling site. Shortly afterwards, the computer browser began continuously opening pop-ups with
pornographic content. She was explicitly told not to turn off the computer, and was unaware that the
monitor could be shut off. Students were exposed to the pornography. The primary evidence admitted
by the court was the forensic duplicate of the hard drive on the computer in question. While the
forensic investigator did not use industry standards to duplicate the hard drive, the information was
used in the investigation (Eckelberry et al. 2007). The evidence purported to show Internet history of
pornographic links that indicated the user deliberately went to those sites (Amero Trial Testimony
2007).
Later pro bono forensics experts for the defendant showed that antivirus definitions were not updated
regularly and at the time were at least three months out-of-date. Additionally, no antispyware or client
firewall was installed and the school's content filter had expired (Eckelberry et al. 2007).
2.1 Evaluation of digital evidence by Judge and attorneys
During the trial, the judge refused to allow full testimony from the defense expert witness Herb
Horner, noting that the information was not made available beforehand. That information was relevant
to gaining a full understanding of the digital evidence crucial to the case. The decision not to admit it
indicates a troubling lack of understanding of the nature of digital evidence. Horner’s evidence should
have been provided to the jury (Amero Trial Testimony 2007).
Maintaining a digital chain of evidence is essential for admissibility of any digital evidence. In State v.
Amero, this is questionable based on the uncertainty of the forensic duplicate process (Eckelberry et al.
2007). Additionally, timestamp differences between the e-mail server (the time authority in the school
system’s network), and the computer in question, as a witness stated, “was ten or twelve minutes. I
don't remember who was faster and who was slower” (Amero Trial Testimony 2007). Both of these
discrepancies should put into question the authenticity of the digital evidence, although neither arose
as a strong defense argument. This indicates that the attorneys did not have sufficient technical
knowledge to evaluate the evidence.
Further, the judge did not find relevant the preparations taken by one expert witness to examine the
hard drive forensically. This is necessary to provide foundation for admissibility and authenticity of
digital evidence (Amero Trial Testimony 2007). The defense attorney did not question authenticity
based on the time stamp differences between PC and server, nor did the defense make an argument
regarding the process of the forensic investigation. Similarly, the prosecution did not have a proper
understanding of how to show the digital evidence in ways consistent with the actual event, as seen by
their display of full size pornographic pictures instead of thumbnails.
On the basis of the transcript of the case, the questions attorneys asked (or did not ask) of witnesses
also indicated low computer literacy. While expert witnesses are important to the case, the technical
knowledge of the attorneys (with the judge’s permission) guided the questioning of the witnesses.
184
The prosecuting attorney, when questioning the defense expert witness, apparently did not understand
the information being provided. A lack of understanding on the attorney’s part resulted in a lack of
precision in direct questioning that could have elicited more meaningful answers from the witness.
The following dialogue between the prosecuting attorney (questioning) and the defense expert witness
is an example:
Q So in order for it to show up on the temporary Internet files, that person would have to actively
go to that site, correct? They were not redirected to that site, correct?
A Wrong.
Q Okay.
A You don’t understand.
Q I hear you saying that.Give me more questions. (Amero Trial Testimony 2007)
One line of questioning by the defense regarded computer functions related to the Internet, adware,
spyware, and viruses (Amero Trial Testimony 2007). Cross-examination containing phrases such as
‘parasites’ and other incompetent questioning further displayed a low level of computer literacy from
attorneys on both sides. When the prosecutor displayed full-size pornographic pictures in the
courtroom, the defense did not argue, as it should have, that the relative size of the pictures displayed
for the jury was not consistent with the pop-up size thumbnails displayed in the classroom. The lack of
a specific argument by the defense against using a full size display in the courtroom contributed to a
false impression that prejudiced the jury (Willard 2007).
2.2 Expert witness testimony
The following section will detail the expert witness testimony in the Julie Amero case.
2.2.1 Bob Hartz, IT Manager
This case heard several expert witnesses, each of whom provided information that proved to be
misleading. The jury heard testimony from Bob Hartz, IT Manager for the Norwich Public Schools
first. Hartz’s testimony provided information on server logs that provided a history of sites accessed
from the computer in question. His testimony also provided a basic understanding of the computer
environment at the School district, including notice that the timestamps between server/firewall logs
and the computer were either 10-12 minutes ahead or behind. Additionally, he testified that the content
filtering was not working, as it “had not been updated correctly” (Amero Trial Testimony 2007).
During Hartz’s testimony, he was asked a series of questions regarding the possibility of certain events
occurring, based on his 20-plus years of experience in the field. His answers provided misleading
information. When asked if it were possible to be in an ‘endless loop of pornography,’ referring to the
continual pornographic popups, Hartz stated, “I've never seen that, so I would have to say probably
not” (Amero Trial Testimony 2007). Additionally, when asked whether spyware and adware generates
pornography, Hartz replied, “I’m not aware they do” (Amero Trial Testimony 2007). Both of these
replies were speculative and should have been challenged, along with his experience to respond
competently to questions involving malicious activity on the Internet.
2.2.1 Detective Mark Lounsbury
Detective Mark Lounsbury, the computer crimes officer for the Norwich Police Department, was the
officer who personally copied and examined the hard drive. From testimony given by Lounsbury, it
appears that he may have investigated the original hard drive rather than the copy he claimed to have
made. Best practice is to preserve the original hard drive for evidentiary purposes, and to perform the
investigation on the forensic duplicate (Noblett, Pollitt, et al. 2000). Any digital forensic expert should
know that direct access to the hard drive, including opening files, will alter the files from the original
state—which in turn alters the evidence.
185
Another revealing insight into the incompetence of Lounsbury’s hard drive examination was revealed
in his answer to the question, “Did you examine the hard drive for spyware, adware, viruses or
parasites?” (Amero Trial Testimony 2007) He responded that he had not. Digital forensics best
practices include examination for event correlation that searches for causes of activities in question
(NIST 800-61 2008). It is safe to say that poor examination procedures, led to missed findings that
were directly relevant to the case.
2.2.2 Herb Horner, defense expert witness
Herb Horner, a self-employed computer consultant, was called in by the defense as an expert witness.
Horner obtained the hard drive copy from the police, and then created copies for his investigation.
Horner’s testimony was cut short by the judge’s decision not to continue with information that was not
provided beforehand to the prosecution. Horner later stated, "This was one of the most frustrating
experiences of my career, knowing full well that the person is innocent and not being allowed to
provide logical proof. If there is an appeal and the defense is allowed to show the entire results of the
forensic examination in front of experienced computer people, including a computer literate judge and
prosecutor, Julie Amero will walk out the court room as a free person." (Kantor 2007). The
information that was to be presented by Horner was evidence of spyware on the computer, which was
caused pornographic pop-ups (Amero Trial Testimony 2007). As Horner stated to the judge while the
jury was dismissed, “there were things done before the 19th that led to this catastrophe, and this is a
fact” (Amero Trial Testimony 2007). Despite this, evidence that spyware caused the pop-ups still was
not allowed into the record.
2.3 Legal results
Legal precedence cited in State v. Amero was limited. There was one mention of U.S. v. Frye during
an objection to the admissibility of expert testimony by Hartz on the basis that he did not lay proper
foundation for his testimony (Amero Trial Testimony 2007). The prosecution argued that the Hartz’s
expertise was based on his described twenty years of experience, and the judge found this sufficient
(Amero Trial Testimony 2007).
During the same exchange, the defense cited State v. Porter to argue that the reliability of scientific
information was a major issue. In State v. Porter, the Connecticut Supreme Court adopted the Federal
standard set by U.S. v. Daubert, however, questioning continued due to lack of clarity on what the
defense was objecting to specifically (Amero Trial Testimony 2007).
The primary law cited in this case was risk of injury to a minor, Connecticut General Statute Section
53-21(a)(1), from which the charges stemmed. There were no laws or regulations cited relevant to
digital evidence admissibility.
The defendant was found guilty on four counts of Risk of Injury to a Child, with the possibility of a
40-year prison sentence. After four delays in sentencing, the State Court of Appeals reversed the lower
court decision and a motion for a new trial was accepted. She pled guilty to a misdemeanor to get the
nightmare behind her. As part of the deal, she agreed to have her teaching license revoked. The
emotional toll on her and her family was extreme, and the stress of trial resulted in many health
problems. She has become a cause celebre for digital forensics experts ever since.
3. LORRIANE V. MARKEL AM. INS. CO.
There are a few examples where the justice system has properly handled the admission of digital
evidence. We transition from an example of glaring misunderstandings and lack of knowledge of
digital evidence (Amero case), to an analysis of a competent judicial opinion regarding digital
evidence, the case of Lorriane v. Markel American Insurance Company. The opinion proceeding from
the ruling made by Chief United States Magistrate Judge Paul W. Grimm has set major legal
precedence (Lorraine v. Markel Am. 2007). The case arose from an insurance payment dispute. The
actual facts of the case are not important; the opinion of Judge Grimm is. It provides a detailed
186
procedure for admitting digital evidence. The following section will summarize each step and
requirement of the process.
3.1 Digital evidence admissibility process
The first criteria for gauging admissibility of digital evidence is based on Federal Rules of Evidence
Rule 104. Judge Grimm explained that determining the authenticity of Electronically Stored
Information (ESI) is a two-step process (Lorraine v. Markel Am. 2007). First,
“...before admitting evidence for consideration by the jury, the district court must determine
whether its proponent has offered a satisfactory foundation from which the jury could reasonably
find that the evidence is authentic” (Lorraine v. Markel Am. quoting U.S. v. Branch).
Secondly,
“...because authentication is essentially a question of conditional relevancy, the jury ultimately
resolves whether evidence admitted for its consideration is that which the proponent
claims” (Lorraine v. Markel Am. quoting U.S. v. Branch).
Relevance is the first requirement for admissibility of evidence (Fed. R. Evid. 401). Evidence is
sufficient, in terms of relevance, if it has “…any tendency’ to prove or disprove a consequential fact in
litigation” (Lorraine v. Markel Am. 2007). Of importance, if evidence is not relevant, it is never
admissible according to Fed. R. Evid 402. In terms of the case at hand, Lorraine, the emails were
determined to be relevant to the case (Lorraine v. Markel Am. 2007).
The next step in determining admissibility of ESI is its authenticity as guided by Federal Rules of
Evidence 901 and 902. Judge Grimm submits that the authenticity of digital evidence is an important
requirement, and that the degree of admissibility only need be sufficient in terms of showing the
evidence is what it is purported to be (Lorraine v. Markel Am. 2007). Specifically, the non-exclusive
examples provided by Rule 901(b) can be studied to know how to address authentication of ESI in
Rule 901(a) (Lorraine v. Markel Am. 2007).
Federal Rules of Evidence 902 shows twelve non-exclusive methods that can be used for ‘selfauthentication’ of digital evidence (Lorraine v. Markel Am. 2007):
(1) Domestic Public Documents That Are Sealed and Signed.
(2) Domestic Public Documents That Are Not Sealed but Are Signed and Certified.
(3) Foreign Public Documents.
(4) Certified Copies of Public Records.
(5) Official Publications.
(6) Newspapers and Periodicals
(7) Trade Inscriptions and the Like.
(8) Acknowledged Documents.
(9) Commercial Paper and Related Documents.
(10) Presumptions Under a Federal Statute.
(11) Certified Domestic Records of a Regularly Conducted Activity.
(12) Certified Foreign Records of a Regularly Conducted Activity.
These methods establish a practice of authentication that can be performed without the need for expert
witness testimony, although the lack of such testimony does not exempt evidence of authentication
from challenge (Lorraine v. Markel Am. 2007; Fed. R. Evid. 902).
Procedurally, evidence that is already deemed relevant and authentic must also withstand any
argument of hearsay. Rule 801 governs hearsay, and states that electronic writings or other
information generated entirely by a “computerized system or process” is not made by a person, and
187
therefore cannot be considered hearsay (Lorraine v. Markel Am., 2007). There are exemptions to the
hearsay rule within the Federal Rules of Evidence, which Judge Grimm linked to ESI in his opinion.
These included Fed. R. Evid. 803(1-3, 6, 7, 17) (Lorraine v. Markel Am. 2007).
The Original Writing Rule is considered the next hurdle for electronic evidence admissibility, which is
included in Federal Rules of Evidence 1001-1008. Rule 1002 ensures the ‘best evidence’ available and
applies when a “writing, recording or photograph is being introduced to ‘prove the context of a
writing, recording or paragraph’” (Fed. R. Evid. 1002). Rule 1003 states that duplicates of evidence
can be admitted in place of originals unless the authenticity of the original is in question (Lorraine v.
Markel Am. 2007). In determining whether secondary evidence can be included in place of an original,
Rule 1004 provides guidance.
The summary of the guidelines from the Federal Rules of Evidence cited in the Lorraine opinion
follows:
Table 1: Rules of Evidence Identified in Lorraine v. Markel as Guidance for Digital Evidence
Admissibility
Legal Guidance
Subject
Federal Rules of Evidence 104(a)
Federal Rules of Evidence 104(b)
Preliminary Questions; relationship between
judge and jury
Federal Rules of Evidence 401
Relevance
Authenticity; including examples of how to
authenticate
Self-Authentication; including examples
Hearsay; including exceptions to the hearsay
through 1008
Original Writing Rule; also known as the “Best
Evidence Rule.” Includes use of accurate
duplicates.
Balance of Probative Value with Unfair
Prejudice
(Lorraine v. Markel Am. 2007; LexisNexis 2007)
3.2 Applicability to State of Connecticut v. Julie Amero
The next section applies, retrospectively, digital forensic guidelines established in Lorriane v. Markel
to State of Connecticut v. Julie Amero to determine whether this would have resulted in a different
outcome. As a note, the trial portion of the Amero case preceded the Lorraine v. Markel Am. opinion
by four months in 2007. While Amero could not have capitalized on the Lorraine opinion, an analysis
helps identify knowledge the legal participants in Amero should have had to ensure the case was
properly adjudicated.
188
4. ANALYSIS
4.1 Digital evidence admitted
The primary piece of digital evidence in the Amero case was the hard drive. The opinion of Judge
Grimm includes methods describing how to handle the admissibility of this type of evidence (Section
4.5).
4.2 Evaluation of digital evidence by Judge and attorney
State v. Amero is an appalling example of the blindness of the legal system when computer literacy of
the judge and lawyers is at the very low end of the spectrum. The proceedings of this case highlight
the need for even the most basic understanding of how computers operate, including the threats to
computer systems that can cause the pop-up symptoms argued by the defense. In State v. Amero, the
lawyers did not question the authenticity of expert testimony describing the behaviors of viruses and
spyware. Of more importance, the lawyers did not put forth a clear and full objection to the digital
evidence presented. The Lorraine v. Markel Am. opinion specifically states that the burden of ensuring
that digital evidence is what it purports to be depends largely on objections by opposing counsel. Thus,
it is the responsibility of lawyers to be sufficiently knowledgeable to object competently to faulty
evidence.
4.3 Expert and witness testimony
Amero provided an example of the affects expert testimony can have on a case. The numerous errors
of so-called experts swayed the outcome of this case, and further exposed the lack of basic computer
literacy among the professional legal participants. The opinion rendered in Lorraine v. Markel Am.
references examples provided by Fed. R. Evid. 901 as methods to authenticate digital evidence,
including the call for an expert witness. Laying proper foundation qualifying the expert witness, as
well as directing a competent line of questioning, rely heavily on the computer literacy of the lawyers
involved. Reliance on digital forensic “expert” witnesses was key to State v. Amero, although the line
between testimony and speculation was crossed. An objection to speculation as to whether spyware
could produce pop-up pornography would have been warranted, given that opposing counsel had some
knowledge of computer threats.
4.4 Legal precedence
Legal precedence is scarce in the area of digital evidence, although it is building. Some cases establish
sound precedence, as indicated in Lorraine. While Daubert and Frye have established general
guidance for admission of scientific evidence, the science of digital forensics is new and evolving
(Daubert v. Merrell Dow 1993; Frye v. U.S. 1923). The speed of technological change is at odds with
the time it takes for legal precedence to accumulate. This impacts every court case involving a
computer, and hardly any don’t—whether we’re talking civil cases, such as divorces, or criminal cases
where digital evidence plays a significant role. The legal system lags in handling digital evidence
adequately (Endicott, Chee, et. al. 2007). In State v. Amero, Frye and Daubert were cited in an
objection by the defense, yet neither was applied appropriately. In order to build an adequate digital
evidence curriculum for law schools, extensive review of relevant legal cases will be required. This is
a matter for future research.
4.5 Laws and regulations identified
In Amero, first the court should have determined whether a satisfactory foundation had been laid
before the jury viewed the evidence (United States v. Branch 1992; Fed. R. Evid. 104). Then relevance
should have been considered (Fed. R. Evid. 401 and 402), then authenticity guided by Fed. R. Evid.
901 and 902. Application of the hearsay Rules (Fed. R. Evid. 801-807) and the Original Writing Rule
(Fed. R. Evid. 1001-1008) would follow in order to fully ensure the evidence, and duplicates of the
evidence, were what they purported to be (Lorraine v. Markel 2007).
189
4.6 Legal Result
What is missing from most analyses of the Amero case is the larger picture of the emotional and health
effects on the innocent. Julie Amero, who faced forty years in jail, went through tremendous emotional
stress, and had a series of health issues arise including a tragic miscarriage (Cringely 2008). Her
family relationships were also impacted. While the legal system eventually righted the wrong inflicted
on Amero, the accumulated health and personal impacts cannot be undone. This will be repeated again
and again until we have a more predictable legal system when it comes to the use of digital evidence.
The contribution by Judge Paul W. Grimm’s opinion in Lorraine v. Markel Am. provides the basis for
guidance in this area. There are others emerging, but scant few.
5. COMPUTER AND DIGITAL FORENSICS EDUCATION RECOMMENDATIONS
State v. Amero and Lorraine v. Markel Am. provide a basis for recommending digital evidence
educational requirements in schools of law. The following recommendations will inform future
curricula for the University of Washington’s School of Law, and may be useful to others that wish to
mitigate deficiencies in computer knowledge of lawyers and the judiciary. At a minimum, the
curriculum must include:

Basic computer literacy. This includes an understanding of computer vulnerabilities.
A basic understanding that a compromised computer may show erratic actions not
performed (or intended) by the user is important and would have prevented the
Amero tragedy. This knowledge will enable lawyers to establish proper foundation
and a proper line of questioning.

Understanding of the digital forensics process. This includes basic knowledge of
how easily digital evidence can be altered and what it means to have a proper chain of
evidence, including storage and control. In addition, there should be sufficient
knowledge of how evidence is collected on a computer hard drive (and on a network),
how a hard drive is appropriately duplicated for forensic purposes, and then searched
by forensic tools. This recommendation arises from the several glaring errors in the
Amero case. It was never established that proper steps were taken to maintain a proper
chain of evidence during forensic duplication and investigation (State v. Amero 2008).
Additionally, the lack of a search for malware by police initially missed crucial
evidence.

Knowledge of the Federal Rules of Evidence, and how they apply to electronic
evidence. The Federal Rules of Evidence are integral to understanding the process for
admitting digital evidence. Lorraine v. Markel Am. Insurance Co. provides a
framework for applying these rules to digital evidence. Fed. R. Evid. 901 and 902
specifically deal with authentication of digital evidence, including examples of how to
do so. This is directly relevant to the Amero case; abiding by this framework would
have provided a basis for questioning whether the digital chain of evidence was
reliable, and not broken, during the investigatory process.

Survey of case law. A thorough search for relevant cases and an extraction of
precedence should be conducted before developing digital forensics curriculum.
Knowledge of how to apply the Federal Rules of Evidence as well as Daubert and
Frye in cases involving digital evidence will provide material for any classes
developed (Daubert v. Merrell Dow 1993; Frye v. U.S. 1923). A thorough survey of
other cases will provide and even more comprehensive understanding of the state of
the practice regarding digital evidence. Lorraine v. Markel Am. emphasizes that the
190
burden of ensuring digital evidence admissibility rests largely on objections to such
evidence by opposing counsel. The inability to competently challenge testimony of
the State’s ‘expert’ witness led to a travesty of justice in the Amero case.
6. CONCLUSIONS
The above review provides insights into the legal and judicial communities’ lack of sufficient
knowledge of how to handle digital evidence appropriately and consistently. The authors believe this
argues for additional curriculum in schools of law that educate law students in the challenges of digital
evidence: digital evidence collection, chain of custody, the challenges of cybersecurity, basic computer
literacy. The authors recommend that law schools consider adding courses in these subjects as they
relate to digital evidence. A previously published digital forensics course conducted at the University
of Washington for a combined audience of technical and law students, is an example of what can be
accomplished with a collaboration between digital forensics/computer science and law faculty. Based
on a successfully and competently prosecuted case of online digital theft and compromise, the course
culminates in a moot court that requires law students to participate in the preparation and questioning
of digital forensics experts (computer science students taking the same course) (Endicott-Popovsky,
Frincke, et al. 2004). This is just the beginning of innovations that the authors recommend be
incorporated into legal education and training.
7. FUTURE WORK
Future work will involve researching existing case law in order to assist the University of
Washington’s School of Law, in partnership with the Information School, in revamping their
curriculum to include interdisciplinary courses that will improve digital evidence literacy among law
students. It is expected that a thorough analysis of cases where digital evidence has been
inappropriately handled will further refine recommendations for curriculum content made above.
Work on this project has begun, with preliminary findings discussed in this paper. Insights of a
thorough examination of case law will be disseminated broadly to the digital forensics community.
AUTHOR BIOGRAPHIES
Aaron Alva is a candidate of the Masters of Science in Information Management program and an
upcoming candidate, Juris Doctorate at the University of Washington. He earned his Bachelor degree
at the University of Central Florida studying political science with a minor in digital forensics (2011).
His interests are in cybersecurity law and policy creation, particularly digital evidence admissibility in
U.S. courts. He is a current recipient of the National Science Foundation Federal Cyber Service:
Scholarship For Service.
Barbara Endicott-Popovsky, Ph.D., Director for the Center of Information Assurance and
Cybersecurity at the University of Washington, holds a joint faculty appointment with the Information
School and Masters in Strategic Planning for Critical Infrastructure, following a 20-year industry
career marked by executive and consulting roles in IT and project management. Her research interests
include forensic-ready networks and the science of digital forensics. She earned her Ph.D. in
Computer Science/Computer Security from the University of Idaho (2007), and holds an MS in
Information Systems Engineering from Seattle Pacific University (1987), an MBA from the University
of Washington (1985).
REFERENCES
Connecticut General Statute Section 53-21(a)(1)
Cringely,
Robert
(2008),
‘The
Julie
Amero
Case:
A
Dangerous
Farce’,
http://www.pcworld.com/businesscenter/article/154768/the_julie_amero_case_a_dangerous_farce.htm
l, PC World, December 2, 2008.
Daubert v. Merrell Dow Pharmaceuticals, Inc., 113 S. Ct. 2786. (1993).
191
Eckelberry, Alex; Glenn Dardick; Joel Folkerts; Alex Shipp; Eric Sites; Joe Stewart; Robin Stuart
(2007), ‘Technical review of the Trial Testimony State of Connecticut vs. Julie Amero’, Technical
Report, http://www.sunbelt-software.com/ihs/alex/julieamerosummary.pdf, March 21, 2007.
Endicott-Popovsky, B. and Horowitz, D. (2012). Unintended consequences: Digital evidence in our
legal system. IEEE Security and Privacy. (TBD) (Endicott-Popovsky and Horowitz, 2012)
Endicott-Popovsky, B., Chee, B., & Frincke, D. A. (2007). “Calibration Testing Of Network Tap
Devices”, IFIP International Conference on Digital Forensics, 3–19.
Endicott-Popovsky, B.E., Frincke, D., Popovsky, V.M. (2004), “Designing A Computer Forensics
Course For an Information Assurance Track,” Proceedings of CISSE 8th Annual Colloquium.
Fed. R. Evid. 104, 401-402, 801-807, 901-902, 1001-1008
Frye v. United States. 293 F. 1013 D.C. Cir. (1923).
Kantor, Andrew (2007), ‘Police, school get failing grade in sad case of Julie Amero’, USA Today
http://www.usatoday.com/tech/columnist/andrewkantor/2007-02-22-julie-amaro_x.htm, February 25,
2007.
Krebs, Brian (2008), ‘Felony Spyware/Porn Charges Against Teacher Dropped’, Washington Post,
http://voices.washingtonpost.com/securityfix/2008/11/ct_drops_felony_spywareporn_ch.html?nav=rss
_blog, November 24, 2008.
LexisNexis (2007), ‘Lorraine v. Markel: Electronic Evidence 101’,
http://www.lexisnexis.com/applieddiscovery/LawLibrary/whitePapers/ADI_WP_LorraineVMarkel.pd
f Accessed February 1, 2012.
Lorraine v. Markel American Insurance Company, 241 F.R.D. 534 D.Md (2007).
NIST 800-61 Rev. 1 (2008), “Computer Security Incident Handling Guide”, National Institute of
Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf,
March 2008.
Noblett, M.G., Pollitt, M. M., & Presley, L. A. (2000). ‘Recovering and Examining Computer
Forensic Evidence’ Forensic Science Communications, 2(4).
http://www.fbi.gov.hq/lab/fsc/backissu/oct2000/computer.htm, October 2000.
State of Connecticut v. Christian E. Porter, 241 Conn. 57, 698 A.2d 739, (1997).
State of Connecticut v. Julie Amero Trial Testimony,
http://drumsnwhistles.com/pdf/amero-text.zip, January 3-5, 2007.
(2007),
Retrieved
from
State of Connecticut v. Julie Amero, (2008).
United States v. Branch, 970 F.2d 1368 4th Cir. (1992)
Willard, Nancy (2007), ‘The Julie Amero Tragedy’, Center for Safe and Responsible Use of the
Internet, http://csriu.org/onlinedocs/AmeroTragedy.pdf, February, 2007.
192
PATHWAY INTO A SECURITY PROFESSIONAL: A NEW
CYBER SECURITY AND FORENSIC COMPUTING
CURRICULUM
Elena Sitnikova
University of South Australia
F2-26 Mawson Lakes Campus,
Mawson Lakes SA 5095
Ph +61 8 8302 5442
Fax +61 8 8302 5233
[email protected]
Jill Slay
University of South Australia
MC2-22 Mawson Lakes Campus,
Mawson Lakes SA 5095
Ph +61 8 8302 3840
Fax +61 8 8302 5785
[email protected]
ABSTRACT
The University of South Australia has developed a new two and a half year full time equivalent
qualification to meet the established Australian Law Enforcement high demand for graduates with a
Master Degree level in cyber security and forensic computing to fulfill expertise for the Australian
courts. It offers a pathway through a suite of nested programs including Graduate Certificates, a
Graduate Diploma, Masters and possible continuing to PhD level. These are designed to attract a
diverse group of learners traditionally coming from two cohorts of industry practitioners: one with
engineering and the other with IT background. It also enables industry-trained and qualified learners
without undergraduate degrees to gain the security qualification required though their access to tertiary
study as a career choice. This paper describes this curriculum, provides an overview on how these
nested programs are conceived, developed and implemented; their current state, their first outcomes to
assess the effectiveness of the pathway through the students’ feedback; and future planned initiatives.
Keywords: cyber security curriculum, computer forensic education, security professionals
1. INTRODUCTION
In today’s Information Age a rapidly increasing number of organisations in the Australian Defence
sector, security, critical infrastructures (oil, gas, water, electricity, food production and transport),
banking and other commercial and government industries are facing significant challenges in
protecting information assets and their customers’ sensitive information from cyber-attacks.
Cyber security, computer forensics, network security and critical infrastructure protection are
emerging subfields of computer science that are gaining much attention. This will create many career
opportunities for information technology (IT), computer science and engineering graduates in law
enforcement, Australian Federal and State departments, large accounting companies and banks. Some
employment is available in small and medium enterprises but this is less common with the move
towards IT outsourcing in general and security and forensic outsourcing in particular. Students are
thus being prepared for careers such as:
193

Forensic IT Specialist

Electronic Evidence Specialist

Forensic Computer Investigator

Information Security Professional

IT Risk Advisor

Information Assurance Professional

Critical Infrastructure Protection Specialist
Frost & Sullivan’s global information security workforce study (Frost & Sullivan, 2011), conducted
on behalf of (ISC)2, estimates 2.28 million of information security professionals worldwide in 2010,
with signs of strong growth. The number of computer forensic and related professionals has been
experiencing double digit growth and it is set to increase. According to Frost & Sullivan, by 2015 the
number of security professionals will increase to nearly 4.2 million with a 14.2% increase in US and
11.9% in the Asia- pacific region (APAC). The survey shows that the average salary for security
professionals worldwide is US$98,600 with (ISC)2 certification and US$78,500 without. For the
APAC region it is US$74,500 and US$ 48,600 respectively. The survey also identifies a clear gap in
skills needed to protect organisations in the near future, not only from cyber-attacks to an
organisation’s systems and data, but also to its reputation, end-users and customers.
This paper will discuss the design and development of a curriculum for the new program in cyber
security and forensic computing within the School of Computer Science at the University of South
Australia. The program has been established with the support of Australian Law Enforcement to meet
the high demand for information security professionals at Masters degree level with the required skills
expertise for the Australian courts. It prepares both IT and engineering students for the workplace by
covering industry recommended competencies for information assurance, cyber security, electronic
evidence, forensic computing and critical infrastructure professionals. The curriculum is unique – no
other Masters Degrees in Australia have been developed around these competencies.
According to an international commentator and INL’s infrastructure protection strategist Michael
Assante, for many managers and engineers responsible for control systems, physical security has
always been a priority. For many of them information security is a new field, they have to understand
the importance of CI systems’ cyber security requirements, associated risks and thus make a
deployment of proper security measures. In his testimony to the US government on process control
security issues, Assante, (2010) criticises the last decade’s considerable body of research in the area
of implementing yesterday’s general IT security approaches into today’s operational process control
systems. He asserts it is “proven ineffective in general IT systems against more advanced threats”. He
also notes that as more technological advancements are introduced to SCADA (Supervisory Control
and Data Acquisition System) and process control systems, more complexity and interconnectedness
are added to the systems, requiring higher levels of specialty skills to secure such systems. Training
managers and engineers in the field will help to meet this need.
Other literature mentions that SCADA and process control systems vulnerabilities can increase from a
lack of communication between IT and engineering departments (ITSEAG,2012). As highlighted in
the authors’ previous work (Slay and Sitnikova, 2008) engineers are responsible for deploying and
maintaining control systems, whilst network security comes from an IT background. The gap between
these two disciplines needs to be bridged to recognise, identify and mitigate against the vulnerabilities
in SCADA and process control systems networks. Broader awareness and the sharing of good practice
on SCADA security between utility companies themselves is a key step in beginning to secure the
Australian nation’s critical resources.
194
Industry-trained professionals and qualified learners, often working in process control services and
government organisations today, bring to class their fundamentally different skills, objectives and
operating philosophies to the concept of security in an enterprise IT context. Thus, the authors are
challenged to develop a curriculum that aims to address both discipline-specific engineering and IT
issues and bridge the educational gap between IT network specialists and process control engineers
within the post-graduate cyber security and forensic computing nested programs. To address these
issues, the curriculum is designed to accommodate both process control engineers (with no or limited
IT skills) and IT specialists (with no or limited engineering skills).
The paper thus describes the factors that have prompted and supported our collaboration with industry
and government and the production of a nexus with academia especially with respect to curriculum
development and delivery and the maintenance of practical work with a strong hands-on and industry
relevant component. It explains the program’s goals and objectives; highlights the pedagogical aspects
of curriculum design and some challenges related to educating part-time mature aged students both
engineers and IT specialists. The design involves:

Addressing security education across the program including cyber security of process
control systems and forensic computing;

Educational issues involved in teaching foundation skills in technologically diverse
engineering industrial sectors;

Some challenges related to educating part-time mature aged students;

Determination of the success of problem based learning outcomes.
2. TARGET STUDENTS AND STAKEHOLDERS
The defining characteristics of the majority of students coming into the program are as follows:

they are experienced engineering or IT specialists and technical officers with no less
than 6 years’ experience in the area, who come from government and industry
organisations;

their main motivation to study is to gain a post-graduate qualification and become
better positioned for employment in the industry;

they are part-time mature aged students with a degree in IT or engineering (electrical
and electronic) and technicians with more than 6 years’ experience background
articulating from multiple pathways (work, Technical and Further Education
(TAFE)).
Traditionally, process control engineers are mature professionals who have been in the industry for
much of their career. They have a depth of experience in the operation and maintenance of the
SCADA systems. IT network specialists are often in the earlier stages of their careers, they have a
networking background and a good understanding of the security and reliability issues involved.
From a curriculum perspective the challenge is to help these professionals from diametrically opposed
backgrounds to bridge this gap. That is, to educate the process control engineers in basic IT network
security and then applying relevant aspects to process control systems, while building the IT network
specialists’ knowledge of process control systems from basics to the stage where they can understand
the risks that need to be mediated within internet connected process control systems. The course in
critical infrastructure and control systems security, for example, seeks to provide students from both
backgrounds with the necessary skills to improve the security and resilience of process control
systems. Similarly, the challenge comes into educators at tension when they constrain, for example,
electronic evidence course in forensic computing to provide the necessary skills for digital forensic
195
examinations to control systems engineers with limited IT background.
There are multiple stakeholders involved. Directly, governments, operators (management), the
operator’s shareholders, and the operator’s employees gain from education on how to improve the
security and resilience of these systems. Indirectly, SCADA and control system owners and
consumers also benefit. Particularly through the support of government bodies like GovCERT.au, and
through activities like the ‘red/blue team war games’ to test and demonstrate the possible threats, the
operators of these systems can clearly see that the importance of this work and realise that it is in
everyone’s interests to improve these systems. This support from operators is crucial to gain funding
for the improvements and training required to bring about these changes. Employees benefit from an
improved knowledge and skill base, increasing their employability and value to their employer. These
stakeholders have different desired outcomes depending on their role and the curriculum needs to
balance these.
3. GOALS AND OBJECTIVES
The major goal of the curriculum for the new program in cyber security and forensic computing
(‘CSFC’) is to introduce students to the concepts and theoretical underpinnings in cyber security,
forensic computing, intrusion detection, secure software lifecycle and critical infrastructure protection
with a focus on developing and extending a foundational skill set in these areas and preparing students
to take two major international IT certifications (CISSP -Certified Information Systems Security
Professional and CSSLP - Certified Secure Lifecycle Professional).
The program objectives are defined depending on the levels offered. For Graduate Certificates and
Graduate diploma the objectives are:

To develop knowledge and skills in forensic computing / electronic evidence to
enable students to analyse and investigate computer-based systems;

To develop knowledge and skills in cyber security to enable students to protect and
defend information and information systems by ensuring their availability, integrity,
authentication, confidentiality and non-repudiation.
For Masters, in addition to the objectives above:

To enable students to develop and demonstrate their technical expertise, independent
learning attributes, research and critical appraisal skills through the application of
taught theory, processes, methods, skills and tools to a pure or applied forensic
computing, cyber security or information assurance research question.
4. DESIGNING AND IMPLEMENTING CSFC CURRICULUM - A NESTED SUITE OF
PROGRAMS IN CYBER CECURITY AND FORENSIC COMPUTING
The Cyber Security and Forensic Computing (‘CSFC’) curriculum is developed for a set of nested
programs of forensic computing and cyber security courses designed for the professional development
of ITC practitioners within Australian Law Enforcement, in order to be recognised as Forensic
Computing/Electronic Evidence specialists in the Australian court. The program also provides postgraduate qualifications in both forensic computing and cyber security, to meet the high demands of
Australian Defence and banking industries for professionally qualified IT security staff who have
undergraduate qualifications in ITC or engineering.
The program allows students to follow a pathway from Graduate Certificate to Graduate Diploma to
Masters and PhD in forensic computing and cyber security. Students undertaking this program apply
for entry to the appropriate study stream and must meet the University’s entry requirements for
postgraduate study. Since the program is ‘nested’ there are exit points after the Graduate Certificate
and Graduate Diploma phases. (Refer Figure 1).
196
4.1 Courses in CSFC Curriculum
The curriculum consists of the following two streams, each of which corresponds to four courses (4.5
units each).
I. Forensic Computing Stream:




Electronic Evidence 1 – Forensic Computing
Electronic Evidence 2 – Network and Internet Forensics
Electronic Evidence Analysis and Presentation
e-Crime, e-Discovery and Forensic Readiness
II. Cyber Security Stream:




Intrusion Analysis and Response
Critical Infrastructure and Control Systems Security
Information Assurance and Security
Software Security Lifecycle
Course objectives are listed in Table 1. After successful completion of all 8 courses students who are
continuing on Masters level will enroll into Minor Thesis1 & 2 (18 units) to comprise 54 units of the
program in total.
A pathway for professional staff in law enforcement and other professions to increase their
capability in cyber security and forensic computing
Graduate Certificate in Science (Forensic Computing) or
Graduate Certificate in Science (Cyber Security)
Graduate Diploma in Science (Cyber Security and Forensic Computing)
Master of Science (Cyber Security and Forensic Computing)
A pathway to a PhD in the areas of Cyber Security and Forensic Computing
Figure 1: The CSFC nested programs
4.2 COURSE STRUCTURE
The CSFC curriculum consists of two distinct parts: the courseware and the hands-on practical
supplementary materials.
4.2.1 CSFC curriculum courseware
Each course is broken into weekly sessions and associates with a particular topic. Each topic contains
197
detailed study instructions, recorded lectures, notes and a list of required reading materials.
Most sessions contain the following set of information:

Audio recorded lectures over slide presentations using Adobe Presenter tool including
detailed notes for corresponding slides. Students are required to listen and study the
topic on their own time prior to the face-to-face lecture (internal class) or virtual
seminar (external class)

Required Reading materials - these readings are expected to be done in their own time
in advance of the session that scheduled for the week.

Additional reading materials provided to students for further study and help with their
assignments

Quizzes – this assessment activity is designed to encourage students to learn materials
and check their gained skill performance

Discussions – the virtual space for discussions created for students to practice writing
their opinions about the question / problem posted by instructor and also to
collaborate with their fellow students.
4.2.2 Delivery options
As a majority of our students are working and studying part-time, we accommodate their needs and
make their study arrangements as flexible as possible.
Table 1. CSFC curriculum - Course Objectives
Course Objectives
COMP 5064 Electronic
Evidence 1 – Forensic
Computing
Evidence 2 – Network
Forensics Course
Evidence Analysis and
Presentation
COMP 5063 e-Crime, eDiscovery and Forensic
Readiness
COMP 5067 Intrusion
Analysis and Response
This course is designed to provide students with a sound knowledge and
understanding to enable them to recover admissible evidence from PC based
computers and the skills and competencies to prepare such evidence for
presentation in a Court of Law and to develop knowledge and understanding of
advanced forensic computing techniques and to acquire the skills to apply these
successfully.
This course is designed to enable students to develop knowledge, understanding
and skills for the recovery of admissible evidence from computers which are
connected to a network and for the recovery of admissible evidence from
computers which have been used to exchange data across the Internet.
understanding to enable them to apply NIST and ISO 17025 lab standards for
validation and verification to a forensic computing lab, to comprehend continuity
and exhibit management systems and documentation systems, to understand key
legal aspects of computer crime and to provide expert evidence to the court.
understanding to enable them to apply NIST and ISO 17025 lab standards for
validation and verification to a forensic computing lab, to comprehend continuity
and exhibit management systems and documentation systems, to understand key
legal aspects of computer crime and to provide expert evidence to the court.
This course is designed to develop knowledge and understanding of the strategies,
techniques and technologies used in attacking and defending networks and how to
design secure networks and protect against intrusion, malware and other hacker
exploits.
198
COMP 5069 Critical
Infrastructure and
Control Systems
Security
COMP 5062 Software
Security Lifecycle
COMP 5062 Software
Security Lifecycle
COMP 5005, 5003
Masters Computing
Minor Thesis 1 & 2
This course is designed to understand the key policy issues and technologies
underlying critical control infrastructures in various industries and the design
considerations for these systems in light of threats
of natural or man-made catastrophic events with a view to securing such critical
systems.
This course is designed to provide students with a deep understanding of the
technical, management and organisational aspects of Information Assurance
within a holistic legal and social framework.
This course is designed to provide students with a deep understanding of, and the
ability to implement and manage security throughout the software development
lifecycle.
These courses are designed to develop the student’s ability to carry out a
substantial Computer and Information Science research and development project
under supervision, and to present results both at a research seminar and in the form
of written documentation.
To maximise flexibility, availability and convenience, the courses are delivered in different study
modes; both as traditional face-to-face teaching, requiring effort spread over 13 weeks including an
intensive week workshops or as an online teaching in a virtual class plus single intensive week of faceto-face in-class workshops.

Face-to-face study mode (internal class) – 1 face-to-face class per course per week
over 12 weeks plus one week half day intensive study in-class per subject (15 hours).

Online distance study mode (external class) – 1 virtual online class per course per
week over 12 weeks plus one week half day intensive study in-class per subject (15
hours).
External students are provided with an online synchronous environment where they meet virtually
with the course coordinator and fellow students. We use two e-Learning tools to facilitate online
learning for external students – the Moodle Learning Management System and the Adobe Connect Pro
System. These tools allow us to facilitate online connect meetings, virtual classrooms and other
synchronous online activities in a seamless and integrated environment. Students will be able to hear
online presentations and participate in live class discussions. However, students might experience
difficulties with poor connections from their ends using videos if they have bandwidth implications or
some technological challenges (no USB ports for head phones/microphones etc.).
Intensive study week is the cornerstone of the curriculum. Students from both external and internal
classes attend face-to-face workshops in Adelaide. This is a unique opportunity for all students
(internals and externals) to attend hands-on practicals, guest speakers’ presentations and also
networking opportunities among peers
4.2.3 Assessment
The assessment structure and their weightings vary from course to course, however all CSFC
curriculum courses are based on Bigg’s theory of reflective knowledge and the model of constructive
alignment for designing teaching and using criterion-referenced assessment. “Once you understand a
sector of knowledge it changes that part of the world; you don’t behave towards that domain in the
same way again” (Biggs 2007).
The curriculum design is based on the authors’ previous observations of the struggles faced by mature
aged students who come with a technical background to a university environment (Sitnikova and Duff,
2009). These students in their transition to post-graduate levels have much life experience but little
exposure to the ‘academic ways’ of university life. The new curriculum aims not only to increase
199
students’ knowledge and capabilities in cyber security and computer forensics, but also to strengthen
their academic skills and performance.
The students tend to come from full or part-time employment so the course delivery, and program,
need to be flexible. Due to the nature of the industry, these people are critical to the operation and
maintenance of these systems so they will need to negotiate their study arrangements with their
employers to ensure business continuity. This has benefits for the employer and employee. As
discussed, the differing backgrounds of the students impact on the range of learning styles preferred by
students. To address this, a range of different teaching and assessment activities are used.
There is less discussion in the literature around issues facing mature aged students and even less so for
those coming from a technical background to a more academic engineering background. Maturity is
considered a factor in student success and few lecturers would disagree that the eager, mature aged
student strives for excellent marks. Some of the motivations for mature aged students going back to
study include general interest; an ambition to fulfill degree or qualification aspirations and the desire
for career advancement (Leder and Forgasz 2004). Linke et al. in Evance (2000) in a study of 5000
South Australian students who had deferred their studies to return to study later, perceived personal
life experience as ‘valuable’ and useful to subsequent study.
However, mature aged students have particular struggles in a new academic environment. Yorke
(2000) goes so far as to suggest mature students moving into the ‘detached’ environment of a
university can constitute a crisis for some and cites feelings of insecurity, rusty academic skills and
discomfort with younger students as just a few hurdles to overcome. This is supported by Leder and
Forgasz (2004) who found mature aged students were concerned by their own lack of critical
background knowledge and skills.
The new curriculum proposed includes a structured assessment which aims to foster the attributes of
life-long learning, while engaging the students in their studies from a theoretical perspective in their
problem based outcomes. It is hoped this approach will maximise students’ engagement with their
‘new ways’ of learning through a well-thought process of scaffolding and constructive alignment
(Biggs 2007, Vygotsky 2002).
The assessment strategy proposed for the program applies a scaffolded approach to course assessment
which embeds generic communication skills. Students will have the opportunity to ‘practice’ their
growing skills through their hands-on practical in the lab, writing a preparatory assignment on the
relevant literature (post-class essay 1) and practicing through online quizzes and discussions prior to
their major assignment (post-class essay 2).
Assessment includes the following components:

In-class activity (group hands-on exercises in the security lab) 20%

Post-class essay 1- Literature review 25%

Online exercises(Quizzes and discussion forums) -10%

Post class essay 2 - Major assignment – Security report or Security plan 45%
4.2.4 In-class activities
The cornerstone of each course is an intensive study week when students attend a half day (15 hours)
face-to-face sessions at Mawson Lakes campus at UniSA. During this intensive week students are able
to attend lectures and guest speakers’ presentations from industry, police, and law enforcement.
Students receive the majority of the course materials and hands-on practicals in class. Practicals are
based on specific tools (for example EnCase) with the licences available at the security lab at the
University of South Australia.
While the material in this curriculum does not necessarily assume that a student has knowledge in both
200
control systems engineering principles and IT skills; the constraints around the coursework, weekly
seminars and discussion, as well as group exercises in a security lab, help students to share their
experience and learn from each other.
4.2.5 Post-class activities
Post-class essays for all CSFC curriculum courses are comprised of two scholarly components:
Literature review (post-class essay one) and a research report or security plan (assignment two) and
require academic writing skills.
Even high performing students do not necessarily understand the fundamental concepts of research
and research methodologies. Mature aged practitioners and part-time study students coming from
industry are often new to the concepts of academic writing and searching library databases. Some
students are accepted into the program with no degree, but more than 6 years experience in the
industry. Others with undergraduate IT or engineering degrees, succeeded by having learned how to
study laid-out coursework and master well-known solution methods. In their previous experience they
had a limited chance to learn about research because in their institutions, research activity is usually
limited. The students have received little training in how to think independently, invent new problems,
and figure out ways to solve problems in relatively unconstrained situations.
To overcome this problem and stimulate students’ interest in a research career, two scholarly face-toface sessions and one library session on searching databases have been introduced to the program.
During these sessions students can learn about the nature of research, its value and rewards; apply this
knowledge to their writing assignments and prepare themselves for their pathway to Masters or PhD
levels.
5. CHARACTERISTICS OF SUCCESS
5.1 Students
The main focus on the curriculum is on developing and extending a foundational skill set in these
areas and preparing students to become security professionals able to help organisations to be more
effective, efficient and secure in their business operations. This requires a student who is willing and
able to approach both IT and control systems support and administration from a holistic perspective,
including business, people and processes, not simply from a technology perspective.
The diversity of the students’ backgrounds is challenging for educators and students alike. For
students who have worked in industry as IT specialists, it can be difficult to study process control
system fundamentals such as PLCs, MODBUS and DMP3 SCADA protocols. For students who have
been control systems administrators for a while, studying network security, electronic evidence may
be difficult, because many of the SCADA and process control engineers consider advancements in
information technology of organisations as independent tasks carried out by a separate IT departments.
A student who is willing to step beyond their existing perceptions and see cyber security and computer
forensics as an essential skill set for the security professional has a good chance to succeed in this
curriculum.
This curriculum is new and flexible in delivery to accommodate part-time mature aged students.
Students have to be motivated and engaged in course activities during face-to-face intensive weeks
and online seminars. To be an active learner, students’ preparation prior to virtual seminars is essential
through the lecture recordings, reading materials and online discussions. Students who are flexible in
their approach to this educational environment, good in their study plans and willing to accept new
challenges are more likely to succeed.
One of the major goals of the programs is the applicability of knowledge gained to the students’ work
environments. We received positive feedback to this effect:
“The subject matter covered throughout the course was generally directly relevant to the industry
201
I work in. The assignments were very helpful and relevant. Data collected during the first
assignment and the report generated as part of the second assignment was able to link directly
with issue within my own enterprise and been able to submit internally within the enterprise for
further action”
“It's been so much more than I expected - a good balance of technical along with practical skills
that will hopefully help me gain employment in the Computer Forensics field. The lecturers have
all been knowledgeable, enthusiastic and encouraging of students. You should be congratulated
for producing such a fine program and on the first go too!”
5.2 Instructors
Courses are developed and offered by academics who are active researchers and industry practitioners,
and who bring the resulting expertise to their teaching. The program is directly supported by the
relevant University of South Australia’s research institutes and has been developed to meet the needs
of industry through collaborative links with NIATEC’s Director Professor Corey Schou and the South
Australian Police. Our strong links with industry and research organisations ensure that the degrees
offered are highly relevant to industry employers at local, national and international level.
6. CONCLUSIONS
This program has completed its first two-year cycle and is still a work-in-progress. It is now on its
third year of implementation, with the first three students having passed all eight courses and decided
to continue to Masters level and pursue Minor Thesis1 and Minor Thesis2.
The program has been modified every year to reflect rapid changes in the field. It has effective
intensive week practicals where industry practitioners enhance the hands-on exercises by embedding
new technologies and up-to-date case studies. Key elements in keeping the programs current are the
active researcher academics who teach our courses. Additional expertise is provided by international
security advisors as well as close contacts with industry vendors and practitioners locally, interstate
and internationally, and alliances with other academic institutions and Government organizations. It is
also important to highlight a very close relationship with the law enforcement community in order to
address national need in security professionals and establish expertise in Australian courts.
7. ACKNOWLEDGEMENT
The authors acknowledge Dr Patricia Kelly’s helpful comments on this paper.
8. REFERENCES
Assante M. J., (2010), Testimony on Securing Critical Infrastructure in the Age of Stuxnet, National
Board of Information Security Examiners , November 17, 2010.
Biggs, J. B. and Tang, C. (2007). Teaching for quality learning at university. Open University
Press/Mc Graw-Hill Education
Evans, M. (2000) ‘Planning for the transition to tertiary study: A literature review’ Journal of
institutional research (South East Asia) Volume 9.
Frost and Sullivan (2011), The 2011 (ISC)2 Global Information Security Workforce Study.
ITSEAG, SCADA Security – Advice for CEOs : Executive summary,
http://www.ag.gov.au/.../(930C12A9101F61D43493D44C70E84EAA)~SCADA+Security.../SCADA+
Security.pdf viewed 27 January 2012
Leder, G C and Forgasz, H J (2004) ‘Australian and international mature students: the daily
challenges’ Higher Education Research and Development Vol. 23 No. 2 pp 183 – 198.
202
Sitnikova E., Duff A., (2009) Scaffolding the curriculum to enhance learning, motivation and
academic performance of mature aged students in engineering, Proceedings of the 2009 AaeE
Conference, Adelaide,
Slay J., Sitnikova E., (2008) Developing SCADA Systems Security Course within a Systems
Engineering Program, proceedings 12th Colloquium for Information Systems Security Education,
Dallas, US.
Vygotsky, L. S. (2002). Mind in society and the ZPD. In A. Polard (Ed.), Readings for reflective
teaching (pp. 112-114). London: Continuum.
Yorke, M (2000) ‘Smoothing the transition into higher education: What can be learned from student
non-completion’ Journal of Institutional Research Vol 9 (1) pp.35 – 45.
203
204
Subscription Information
The Proceedings of the Conference on Digital Forensics, Security and Law is a publication of the
Association of Digital Forensics, Security and Law (ADFSL). The proceedings are published on a
non-profit basis.
The proceedings are published in both print and electronic form under the following ISSN's:
ISSN: 1931-7379 (print)
ISSN: 1931-7387 (online)
Subscription rates for the proceedings are as follows:
Institutional - Print & Online: $120 (1 issue)
Institutional - Online:
$95 (1 issue)
Individual
- Print:
$25 (1 issue)
Individual
- Online:
$25 (1 issue)
Subscription requests may be made to the ADFSL.
The offices of the Association of Digital Forensics, Security and Law (ADFSL) are at the following
address:
Association of Digital Forensics, Security and Law
1642 Horsepen Hills Road
Maidens, Virginia 23102
Tel: 804-402-9239
Fax: 804-680-3038
E-mail: [email protected]
Website: http://www.adfsl.org
205
206
Contents
Committee.................................................................................................................................................... 4
Schedule ....................................................................................................................................................... 5
Update on the State of the Science of Digital Evidence Examination .................................................... 7
Fred Cohen*
A Proposal for Incorporating Programming Blunder as Important Evidence in
Abstraction-Filtration-Comparison Test ................................................................................................ 19
P. Vinod Bhattathiripad*
The Xbox 360 and Steganography: How Criminals and Terrorists could be “Going Dark” ............ 33
Ashley Podhradsky*, Rob D’Ovidio and Cindy Casey
Double-Compressed JPEG Detection in a Steganalysis System ........................................................... 53
Jennifer L. Davidson* and Pooja Parajape
Toward Alignment between Communities of Practice and Knowledge-Based Decision
Support ...................................................................................................................................................... 79
Jason Nichols*, David Biros* and Mark Weiser
A Fuzzy Hashing Approach Based on Random Sequences and Hamming Distance.......................... 89
Frank Breitinger* and Harald Baier
Cloud Forensics Investigation: Tracing Infringing Sharing of Copyrighted Content in Cloud ...... 101
Yi-Jun He, Echo P. Zhang*, Lucas C.K. Hui, Siu Ming Yiu* and K.P. Chow
iPad2 Logical Acquisition: Automated or Manual Examination? ..................................................... 113
Somaya Ali*, Sumaya AlHosani*, Farah AlZarooni and Ibrahim Baggili
Multi-Parameter Sensitivity Analysis of a Bayesian Network from a Digital Forensic
Investigation ............................................................................................................................................ 129
Richard E. Overill, Echo P. Zhang* and Kam-Pui Chow
Facilitating Forensics in the Mobile Millennium Through Proactive Enterprise Security .............. 141
Andrew R. Scholnick*
A Case Study of the Challenges of Cyber Forensics Analysis of Digital Evidence in a
Child Pornography Trial ........................................................................................................................ 155
Richard Boddington*
After Five Years of E-Discovery Missteps: Sanctions or Safe Harbor?............................................. 173
Milton Luoma* and Vicki Luoma*
Digital Evidence Education in Schools of Law ..................................................................................... 183
Aaron Alva* and Barbara Endicott-Popovsky
Pathway into a Security Professional: A new Cyber Security and Forensic Computing
Curriculum .............................................................................................................................................. 193
Elena Sitnikova* and Jill Slay
* Author Presenting and/or Attending

Automated or Manual Examination?

Transcription

Similar documents

COMPUTER SECURITY AND INVESTIGATIONS DIGITAL

MS-DOS / PC-DOS MS-DOS / PC-DOS MS-DOS / PC-DOS MS

e-discovery seminar - MS

slides

What is Computer Forensics?

Forensic Detecting Tools on Data Breaches

Article - American Scientist

Forensic Micropigmentation