This article is a recap of some of the main highlights from the Systematic Approaches to Digital Forensics Engineering conference, held in Malaga from the 30th of September to the 2nd of October 2015.
The conference began with an opening keynote from Michael Losavio, who discussed ethical issues in digital forensics.
The discussion touched on how information security and digital forensics are intertwined disciplines; the infosec trilogy being ‘prevention, detection, recovery’ and the digital forensics trilogy being ‘detect, recover, prevent’. The same challenges are often faced by both disciplines, especially when taking into account corporate and civil cases, rather than just law enforcement.
Digital forensics is also increasingly becoming an issue for political decisions. There is no mandatory reporting requirement for federal agencies in the US, the way there is for corporations. This, coupled with the revelations of Snowden and others, is leading to a disconnect between the general population’s perception of digital forensics and practitioners’ ability to do their jobs.
Some challenges surrounding the future of digital forensics were put forward as suggested discussion topics throughout the remainder of the conference, including smart cities, the Internet of Things, cloud forensics, and foundational issues. However, rather than just looking at these from a practical viewpoint, conference attendees were encouraged to also focus on the political climate and the ethical implications of workstreams – an unusual and refreshing take on some frequently-debated topics.
The discussion was then opened to the audience, to uncover some of the current gaps in digital forensics. This resulted in a fairly long list, including:
- Warrants are not always straightforward, because investigators are often not allowed to take everything they feel might be important to a case. Instead, they have to look for and seize specific items named in the warrant itself. However, as device proliferation continues, getting an appropriate warrant for each situation becomes more challenging.
- Gaps in the technical knowledge of legal investigators, and access to files for civil investigations.
- Encryption and the speed of technological development in general; it is difficult for digital forensics as a field to keep up.
- The huge amount of data that can now be associated with each case; if an investigator acquires all of it, then it can’t be investigated in a reasonable amount of time.
- There is a disconnect between students who are conducting academic research in digital forensics, and the investigators themselves. Often, law enforcement agencies refuse to share information with students, but want these students to provide them with software that can help them. However, the lack of information means that the students are unaware of what is actually important to most investigators, and what the biggest challenges currently are.
- Protecting the privacy of the general public is another area that requires careful thought, as well as public relations and how investigative agencies are viewed.
- For many companies, there is a lack of incentives for helping in forensic investigations. For example, mobile manufacturers have a commercial goal, which is frequently opposed to forensic activities. Heightened encryption capacity, driven by user demand, is a classic example of this.
Losavio set the stage for a brilliant week of debate and knowledge sharing among the digital forensics community, and in the talks that followed this theme continued, with much more audience participation than is frequently seen at such events.
Following the keynote introduction, the conference moved into the more technical presentations.
Monika Singh’s paper on sdhash similarity hashing provided an insight into some previous research by Breitinger et al., who claimed that 20% of the contents of a file could be modified without influencing its final sdhash digest. However, Singh demonstrated that this percentage is much lower, with sdhash digests changing when even 2% of the file contents were modified. An algorithm was then presented which allows file contents to be modified in such a way that the sdhash digest remains the same even when up to 12% of the contents have been altered.
This was followed by an interesting overview of twelve years’ worth of digital forensic investigations within the Dubai police force. Ibtesam Al Awadhi discussed some of the most difficult challenges facing investigators, including the diversification of storage and devices. Conducting investigations and managing processes within a reasonable timeframe is becoming increasingly difficult for police forces around the world.
Al Awadhi presented some empirical evidence around the volume of cases and number of examiners per case over the past twelve years. This demonstrated that the average volume per case has increased significantly, but that there was no single factor that affected the amount of time each investigation took. Rather, it is a combination of factors that all need to be taken into consideration. One potentially useful conclusion that can be drawn from this research is that when an examiner is given specific information about a case, they are less likely to spend a very long time on it, meaning that data triage should be a top priority.
David Billard from the University of Applied Sciences in Geneva then introduced a technique for chip-off data extraction. The idea behind this technique’s development was to avoid having to heat the chip or to reball the ball grid array, thus enhancing the integrity of the extraction. The technique has been named frigida via, to distinguish it from the calda via, or infrared heating technique.
SCADA systems were the next subject of discussion, with Kam-Pui Chow explaining how Programmable Logic Controllers are difficult to forensically analyse due to the proprietary operating system by which they are controlled. Chow introduced the Control Program Logic Change Detector (CPLCD), which alongside Wireshark can be used to perform digital forensic investigations on PLCs.
The focus of the day then shifted to Android forensics, looking at dynamic extraction of data from Android’s Dalvik virtual machine, and how to extract data from MTK-based Android devices. MTK phones are commonly used in criminal activities due to their low prices and high performance-to-price ratios, making it important for forensic investigators to have some understanding of how to analyse them. However, this is made difficult by the fact that manufacturers do not provide firmware updates, operational manuals or detailed system specs. Joe Kong from the University of Hong Kong presented research in which he captured data from various MTK Android phones, then ran this through selected forensic tools to see how much evidence could be extracted.
A panel discussion about the future of digital forensics focused on various issues that were brought up in the opening keynote address: heterogeneous sources, data diversity, and anti-forensics all being hot topics of discussion.
Several speakers agreed that there seems to be a disconnect between what students are learning at university, and skills that will actually be needed on the job. Interviewing graduates often demonstrates that candidates have not been primed to be well-rounded: either they lack a certain amount of technical ability, or they do not seem like they could be put before a judge and cross-examined. The necessity for academia, corporations and law enforcement to work together to address these challenges was highlighted.
An audio forensic framework was then discussed, with an in-depth look at various instant messaging services which are now providing voice chat options for their users. The idea of a semi-automated framework was put forward; this would reduce the manpower needed in investigations and would involve taking certain current technologies, such as speech-to-text and gender and frequency analysis, and applying them within a forensic framework.
Xiao-Xi Fan from the University of Hong Kong gave an overview of the cyberlocker service, which is becoming increasingly popular especially for people sharing illegal content. Since cyberlocker’s anonymity is relatively foolproof, Fan suggested collecting cyberlocker-related data from public forums where its users distribute content. This could then be used to build a framework which would detect profiles with similar behaviours, with the ultimate goal of linking them back to individual identities.
Lee Tobin from University College Dublin discussed concerns surrounding training and funding for law enforcement agencies, which are currently not keeping up with the amount and types of digital evidence that have to be analysed in many crime scenes. Tobin put forward an open-source forensic platform that would be easy to use and deployable on most hardware devices, including embedded systems such as the Raspberry Pi.
The idea of an open-source forensic toolkit was in fact a focus of the week, with the organisers of SADFE working to create a common framework which would integrate different forensic tools. This was a subject of discussion every day, with participants encouraged to look for advantages and disadvantages of an open-source approach, and to talk about ways in which such an initiative could be realistically deployed.
IMVU is a virtual universe which combines several sources of potentially useful information, including instant messaging, content creation and commerce. Unsurprisingly, it is being exploited fairly commonly by criminals; however, the amount of research conducted into the forensic analysis of IMVU has been minimal. Robert Van Voorst of the Netherlands National Police discussed some of the main challenges around IMVU forensics, and gave an overview of the current literature and future recommendations for ongoing research.
The organisers of SADFE made a concerted effort to ensure that attendees thoroughly enjoyed their time in Malaga, and the entertainment certainly deserves a mention. Nightly events were booked for attendees, including a gala dinner at a beautiful restaurant and a tour of the historic Jardin Botanico just outside the city. The social events provided an excellent opportunity to converse with fellow attendees in an informal setting, and to continue some of the work started during the daily programme.
The next SADFE conference will be held in Hong Kong in 2016. Anyone interested in attending should consult the official website for details.