FLASH MEMORY MOBILE FORENSIC
This paper is an introduction to flash memory forensics, and to the completeness and integrity of evidence acquired from mobile phones. Moving through academic papers and industrial documents, the reader is introduced to the particular nature of the non-volatile memories present in today's mobile phones: how they really work and which challenges they pose to forensic investigators. Then a test is presented in which some brand new flash memories are used to hide data in man-made bad blocks; the aim is to see whether forensic software tools are able to acquire data from such blocks, and to evaluate the possibility of hiding data from analysts' eyes. As the reader will see, reality seems worse than imagination.
A. Castiglione, A. De Santis, C. Soriente
Taking advantages of a disadvantage: Digital forensics and steganography using document metadata
All the information contained in a plain-text document is visible to everybody. On the other hand, compound documents using opaque formats, like Microsoft Compound Document File Format, may contain undisclosed data such as authors' names, organizational information about the users involved, previously deleted text, machine-related information, and much more. This information could be exploited by third parties for illegal purposes. Computer users are unaware of the problem and, even though the Internet offers several tools to clean hidden data from documents, they are not widespread. Furthermore, there is only one paper about this problem in the scientific literature, and it contains no detailed analysis. In this paper we fill the gap, analyzing the problem with its causes, and then we show how to take advantage of this issue: we show how hidden data may be extracted to gain evidence in a forensic environment where even a small piece of information may be relevant, and we also introduce a new stegosystem especially designed for Microsoft Office documents. We developed FTA, a tool to improve forensic analysis of Microsoft Office documents, and StegOlè, another tool that implements a new stegosystem for Microsoft Office documents. This is the first scientific paper to address the problem from both a steganographic and a forensic point of view.
A. Castiglione, A. De Santis, C. Soriente
Security and privacy issues in the Portable Document Format
The Portable Document Format (PDF) was developed by Adobe in the early nineties and today it is the de-facto standard for electronic document exchange. It allows reliable reproductions of published materials on any platform and it is used by many governmental and educational institutions, as well as companies and individuals. PDF documents are also credited with being more secure than other document formats such as Microsoft Compound Document File Format or Rich Text Format. This paper investigates the Portable Document Format and shows that it is not immune from some privacy-related issues that affect other popular document formats. From a PDF document, it is possible to retrieve any text or object previously deleted or modified, extract user information and perform some actions that may be used to violate user privacy. There are several applications of such an issue. One of them is relevant to the scientific community and it pertains to the ability to overcome the blind review process of a paper, revealing information related to the anonymous referee (e.g., the IP address of the referee).
J. Kelsey, J. Callas, A. Clemm
Signed Syslog Messages - IETF RFC 5848
This document describes a mechanism to add origin authentication, message integrity, replay resistance, message sequencing, and detection of missing messages to the transmitted syslog messages. This specification is intended to be used in conjunction with the work defined in RFC 5424, "The Syslog Protocol".
Syntax for Binding Documents with Time-Stamps - IETF RFC 5544
This document describes an envelope that can be used to bind a file (not necessarily protected by means of cryptographic techniques) with one or more time-stamp tokens obtained for that file, where "time-stamp token" has the meaning defined in RFC 3161 or its successors. Additional types of temporal evidence are also allowed. The proposed envelope is based on the Cryptographic Message Syntax as defined in RFC 5652.
W. Jansen, A. Delaitre
Mobile Forensic Reference Materials: A Methodology and Reification - NIST Interagency Report 7617
This report concerns the theoretical and practical issues with automatically populating mobile devices with reference test data for use as reference materials in validation of forensic tools. It describes an application and data set developed to populate identity modules and highlights subtleties involved in the process. Intriguing results attained by recent versions of commonly-used forensic tools when used to recover the populated data are also discussed. The results indicate that reference materials can be used to identify a variety of inaccuracies that exist in present-day forensic tools.
A. Hoog, K. Gaffaney
iPhone Forensics
This paper will review forensic tools available for the iPhone, perform forensic analysis with each tool and report on the installation, acquisition, reporting and accuracy of each tool. The 3G iPhone (firmware version 2.2) was used for the testing, but this white paper may, over time, include other models and firmware versions.
A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, E. W. Felten
Lest We Remember: Cold Boot Attacks on Encryption Keys - Princeton University
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access.
Data Remanence in Flash Memory Devices
Data remanence is the residual physical representation of data that has been erased or overwritten. In non-volatile programmable devices, such as UV EPROM, EEPROM or Flash, bits are stored as charge in the floating gate of a transistor. After each erase operation, some of this charge remains. Security protection in microcontrollers and smartcards with EEPROM/Flash memories is based on the assumption that information in the memory disappears completely after erasing. While microcontroller manufacturers have already successfully hardened their designs against a range of attacks, they still have a common problem with data remanence in floating-gate transistors.
C. V. Marsico, M. K. Rogers
iPod Forensics
The iPod is one of the most popular digital music devices in today's marketplace. The newest versions of the iPod have become more PDA/storage-like than ever before. With this new functionality the iPod has recently found its way into the criminal world. With the continued growth of the digital music device market, the iPod's use in criminal activity will only continue to increase. This paper discusses some of the features of the iPod and how a criminal could use them.
J. van den Bos, R. van der Knijff
TULP2G - An Open Source Forensic Software Framework for Acquiring and Decoding Data Stored in Electronic Devices
TULP2G is a forensic software framework for acquiring and decoding data stored in electronic devices. The framework consists of a layered architecture with communication, protocol, conversion, and export plug-ins to acquire, decode, and report evidence in customizable layouts. All acquired data is stored in an XML-formatted evidence file along with information for auditing purposes. Currently available plug-ins are mainly targeted towards GSM phone examinations, but the applied open source strategy tries to stimulate other parties in developing more examination functionality.