Research Output
Peer-reviewed publications, theses, posters, and presentations from the Forensics and Security Research Group.
13th Annual Digital Forensics Research Workshop Europe (DFRWS EU 2026)
This paper proposes a computer vision approach to geolocation using universal visual cues, specifically electrical plug sockets, to narrow down the search space for law enforcement in combating crimes such as human trafficking and child exploitation.
Forensic Science International: Digital Investigation Vol. 56 pp. 302055
AutoDFBench 1.0 is a comprehensive benchmarking framework for digital forensic tool testing and validation, addressing the lack of standardisation in tool validation and evaluation methodologies. It integrates five areas defined by the NIST CFTT programme and enables fair and reproducible comparison across tools and forensic scripts.
Forensic Science International: Digital Investigation Vol. 56 pp. 302056
This paper presents a novel approach to indoor multimedia geolocation using electrical sockets as consistent indoor markers for geolocation. A three-stage deep learning pipeline detects plug sockets, classifies them into standardized types, and maps them to countries. The approach is evaluated on the Hotels-50K dataset and demonstrates its practical utility for law enforcement in human trafficking investigations.
Forensic Science International: Digital Investigation Vol. 56 pp. 302063
VAAS: A novel dual-module framework for image manipulation detection in digital forensics, combining global attention-based anomaly estimation with patch-level self-consistency scoring for interpretable anomaly detection and tamper localization.
Forensic Science International: Digital Investigation Vol. 54S pp. 301982
This paper proposes a standardized methodology for evaluating the performance of Large Language Models (LLMs) in digital forensic timeline analysis tasks, such as event summarization. The methodology includes a dataset, timeline generation, and ground truth development, and recommends the use of BLEU and ROUGE metrics for quantitative evaluation.
Proceedings of the 18th International Workshop on Digital Forensics, part of the 20th International Conference on Availability, Reliability and Security
This paper presents an AI-based network forensic readiness framework for resource-constrained environments. The framework integrates optimised artificial intelligence models to detect attacks in real-time, capturing and preserving critical forensic artefacts. It aligns with ISO/IEC 27043:2015 Digital Forensic Readiness principles, reducing time and human effort.
ACM Digital Threats: Research and Practice pp. 3748264
This paper proposes recommendations for fine-tuning large language models (LLMs) for digital forensics tasks, addressing the gap in existing research. A case study on chat summarization showcases the applicability of the recommendations, evaluating multiple fine-tuned models to assess their performance. The study shares lessons learned from the case study, providing insights into the fine-tuning process, computational power issues, data challenges, and evaluation methods.
Digital Forensics Doctoral Symposium
AutoDFBench is an automated framework for testing and evaluating AI-generated digital forensic code and tools. It validates AI-generated code against NIST's Computer Forensics Tool Testing Program (CFTT) procedures and calculates a benchmarking score. The framework operates in four phases: data preparation, API handling, code execution, and result recording with score calculation.
IEEE Access Vol. 13
This paper proposes a model architecture that integrates image N-dominant colours and colour histogram vectors with image embedding from deep metric learning and classification perspectives to improve image geolocation in indoor scenes.
Digital Forensics Doctoral Symposium
This paper proposes a low-overhead and non-invasive electromagnetic side-channel monitoring approach for forensic-ready industrial control systems. It uses unintentional electromagnetic radiation emitted by Ethernet network cables to detect denial of service attacks with considerable accuracy, introducing an architecture for ICS infrastructure to be forensic-ready with minimal computational resources.
Forensic Science International: Digital Investigation Vol. 52 pp. 301859
This study explores the potential of Large Language Models (LLMs) in improving digital forensic investigation efficiency, addressing challenges such as bias, explainability, censorship, and resource-intensive infrastructure. A comprehensive literature review highlights the current challenges in digital forensics and the possibilities of incorporating LLMs, with a focus on established models, methods, and key challenges.
2024 Cyber Research Conference - Ireland (Cyber-RCI)
This paper explores the effectiveness of combining a strategic contextual approach with large language models in password cracking. The authors create context-based password dictionaries through training PassGPT models with contextual information, demonstrating improved password cracking efficiency and accuracy.
2024 Cyber Research Conference - Ireland (Cyber-RCI)
This study investigates the effectiveness of colour-based descriptors in Content-Based Image Retrieval (CBIR) for human trafficking image analysis. The research evaluates the impact of various parameters on image matching accuracy, achieving a Top-50 accuracy of over 95% on the Hotels-50K dataset. The approach demonstrates potential in advancing image analysis tools for human trafficking investigations and other contexts.
2024 Cyber Research Conference - Ireland (Cyber-RCI)
This paper introduces the Network Forensic Readiness for Edge Devices (NetFoREdge) framework, which deploys lightweight AI models in resource-constrained environments for attack detection, evidence collection, and preservation. The framework is evaluated on two datasets, achieving accuracy rates exceeding 99.60% and 99.98% for multiclassification.
Journal of Information Security and Applications
This paper evaluates the benefits of context-based password cracking for digital forensics, demonstrating that targeted approaches can increase the likelihood of success when contextual information is available. The study presents an experimental methodology and results section analyzing the approach's performance across ten datasets, proving the impact of context in password cracking.
Proceedings of the 12th International Symposium on Digital Forensics and Security
This paper presents a novel digital forensic methodology for recovering encryption keys from black-box IoT devices using electromagnetic side-channel analysis (EM-SCA). The approach leverages machine learning techniques to enhance the digital forensic process, reducing key space and mitigating investigative roadblocks. This automated, adaptable system preserves forensic evidence integrity and ensures wide applicability in the evolving IoT landscape.
Proceedings of the 12th International Symposium on Digital Forensics and Security
This paper proposes an integrated framework for digital forensic investigations employing AutoGen AI agents and Large Language Models (LLMs) to alleviate investigative workload and shorten the learning curve for investigators. The framework utilizes AI agents and LLMs to perform tasks articulated in natural language by a human agent, addressing the challenges of evolving requirements and information accuracy.
Electronics
This study explores the application of Electromagnetic Side-Channel Analysis (EM-SCA) for non-invasively detecting cryptographic settings in IoT devices. The researchers used a machine learning-based approach to identify key lengths and algorithms employed in IoT devices, demonstrating a notable accuracy of 94.55% in distinguishing between AES and ECC operations. This method has significant implications for digital forensic investigations, offering a novel approach for uncovering encrypted data's cryptographic settings.
Forensic Science International: Digital Investigation Vol. 48 pp. 301685
This study surveys 135 peer-reviewed articles published at the Digital Forensics Research Conference Europe (DFRWS EU) from 2014 to 2023, analyzing co-authorships, geographical spread, and citation metrics to inform future research directions in digital forensic research.
Forensic Science International: Digital Investigation Vol. 48 pp. 301684
This study investigates the cross-device portability of Electromagnetic Side-Channel Analysis (EM-SCA) for digital forensics, exploring its applicability to various smart devices. The authors experiment with different devices, including iPhones and Nordic Semiconductor nRF52-DK, and demonstrate the effectiveness of transfer learning techniques in achieving high accuracy.
Forensic Science International: Digital Investigation Vol. 51 pp. 301844
This paper presents the results of the largest digital forensic practitioner survey to date, DFPulse, conducted in 2024. The survey collected data from 122 practitioners worldwide, providing insights into their operating environments, technologies used, challenges faced, and future research directions. The study aims to improve collaboration between academia and practitioners, addressing the gap between research and practice in digital forensics.
14th Annual IEEE Ubiquitous Computing, Electronics & Mobile Communication Conference (IEEE UEMCON)
This paper evaluates AI-based network intrusion detection in resource-constrained environments, proposing a novel approach that trains and deploys AI models on resource-constrained devices. The approach achieves high classification accuracy, identifying and recording potential malicious attacks in real-time with minimal overhead.
School of Computer Science, University College Dublin
This thesis presents a context-based password cracking approach for digital investigation, introducing a methodology and framework for creating and assessing custom dictionary wordlists for dictionary-based password cracking attacks. The approach leverages contextual information to generate bespoke password candidate lists, achieving significant improvements over traditional approaches, with over 50% improvement in some instances.
Forensic Science International: Digital Investigation Vol. 44 pp. 301543
This editorial discusses the implications of ChatGPT on digital forensic investigation, highlighting both beneficial use cases and potential risks. It explores the use of Large Language Models (LLMs) in generating scripts, question answering, multilingual analysis, and automated sentiment analysis, while also addressing concerns about bias, errors, and overreliance on these systems.
Forensic Science International: Digital Investigation Vol. 44S pp. 301507
This paper presents a methodology for optimising and ranking contextual wordlists for password cracking, tailored to the suspect in a digital forensic investigation. The approach is evaluated with data leaks from compromised online communities, demonstrating its effectiveness in finding passwords not recovered by traditional methods.
Forensic Science International: Digital Investigation Vol. 46 pp. 301609
This paper assesses the impact of ChatGPT on digital forensics, evaluating its capabilities and risks in various use cases, including artefact understanding, evidence searching, code generation, anomaly detection, incident response, and education. The study highlights both the potential benefits and limitations of using ChatGPT in digital forensic investigations, concluding that it can be a useful supporting tool for knowledgeable users but requires careful consideration of its strengths and weaknesses.
The 13th EAI International Conference on Digital Forensics and Cyber Crime
This paper presents a deep learning-based network intrusion detection system (IDS) for resource-constrained environments. The proposed 1D-Dilated Causal Neural Network (1D-DCNN) model achieves high accuracy in detecting malicious attacks, outperforming existing deep learning approaches. The model's efficiency and effectiveness make it suitable for resource-constrained environments.
IEEE Access Vol. 10
This paper provides a comprehensive survey of the application of artificial intelligence (AI) in network forensics, including expert systems, machine learning, deep learning, and ensemble/hybrid approaches. It discusses the current challenges and future directions in network forensics, covering various application areas such as network traffic analysis, intrusion detection systems, and Internet-of-Things devices.
Applied Sciences Vol. 13 pp. 2928
This study demonstrates a novel attack vector on industrial control systems (ICS) that leverages electromagnetic (EM) radiation from wired Ethernet connections to exfiltrate sensitive information. The attack exploits compromised firmware to encode data into packet transmission patterns, which are then captured and demodulated by an attacker's software-defined radio. This covert channel facilitates data exfiltration from up to two meters away with a 10 bps data rate.
IEEE Access Vol. 10 pp. 59178-59188
This paper introduces a novel dictionary generation methodology for contextual-based password cracking, enabling the creation of custom dictionary word lists for dictionary-based password cracking attacks. The approach leverages contextual information encountered during an investigation, such as user habits and personal information, to generate targeted password candidates. This methodology has the potential to expedite password cracking processes in law enforcement investigations.
Mixed Reality for Education
This chapter explores security, ethics, and privacy concerns in remote extended reality learning environments, highlighting the need for a comprehensive approach to address these issues in immersive education.
Forensic Science International: Digital Investigation Vol. 39 pp. 301308
This study explores the application of machine learning techniques to identify complex activities on IoT devices using electromagnetic side-channel analysis. The researchers created a dataset by running ten sorting algorithms on an Arduino device and used it to train various classification models, including deep learning models. The results show that convolutional neural networks can accurately predict the activity being executed with a high level of accuracy (99.6%).
The 12th EAI International Conference on Digital Forensics and Cyber Crime
This paper presents PCWQ, a novel framework for evaluating the quality of password cracking wordlists. The framework assesses wordlists based on several interconnecting metrics, including final percentage of passwords cracked, number of guesses until target, progress over time, size of wordlist, and better performance with stronger passwords. The authors conduct a preliminary analysis to demonstrate the framework's evaluation process.
Forensic Science International: Digital Investigation Vol. 37 pp. 301186
This study analyzed over 3.9 billion real-world passwords to assess their guessability and identify patterns in password construction. The analysis reveals that certain semantic classes are more common than others, indicating the importance of user context in password selection. The study also evaluates the effectiveness of password cracking tools and techniques, providing insights for digital investigators.
School of Computer Science, University College Dublin
This PhD thesis presents a novel approach to facial age estimation using deep learning techniques to assist cybercrime investigations. The research addresses the digital forensic backlog by proposing age estimation models that surpass the state-of-the-art facial age detectors for subjects under 25. The study evaluates the performance of various image pre-processing techniques, neural network architectures, and hyper-parameter optimisation strategies.
Forensic Science International: Digital Investigation
This study compares the performance of Support Vector Machines (SVMs) and Neural Networks (NNs) for file type identification using n-gram analysis. The authors investigate the influence of input parameters, such as learning rate and n-gram values, on the results and compare the scalability of SVMs and NNs. The study finds that SVM-based approaches perform better than NNs, but their scalability is still a challenge.
Forensic Science International: Digital Investigation
This paper presents TraceGen, an automated system for generating realistic digital forensic test images through user activity emulation. The framework consists of a series of actions contained within scripts that are executed both externally and internally to a target virtual machine. TraceGen aims to address the issue of emulating user activities and behaviours, ensuring forensically realistic traces are created in the resulting test images.
Forensic Science International: Digital Investigation
This paper presents Vec2UAge, a novel regression-based model for estimating the age of underage individuals from facial embeddings. The model is trained on the VisAGe and Selfie-FV datasets and achieves a mean absolute error rate of 2.36 years. The authors evaluate the impact of random initializations, optimizers, and learning rates on the model's performance.
Book Series: World Scientific Series in Digital Forensics and Cybersecurity
This paper proposes a novel approach to network forensic analytics by leveraging programmable data plane switches to detect and mitigate Distributed Denial of Service (DDoS) attacks and Internet of Things (IoT) device misuse. The authors implement two switch-based use cases to conduct network forensics at line rate, reducing latency and improving incident response.
Forensic Science International: Digital Investigation Vol. 35 pp. 301075
This paper explores the potential of Open Source Intelligence (OSINT) for more efficient password cracking in digital investigations. A comprehensive survey of password strength, cracking, and OSINT is presented, along with an analysis of password structure and demographic factors influencing password selection. The authors discuss the challenges of password cracking and the potential impact of OSINT on law enforcement.
School of Computer Science, University College Dublin
This PhD thesis proposes a methodology for alleviating the digital forensic backlog through automated digital evidence processing. The research leverages data deduplication and automated analysis techniques to reduce redundant digital evidence data handling, enabling faster and more efficient investigations.
School of Computer Science, University College Dublin
This thesis explores the potential of leveraging Electromagnetic Side-Channel Analysis (EM-SCA) as a forensic evidence acquisition method for Internet of Things (IoT) devices. A model for IoT forensics using EM-SCA methods is formulated, enabling investigators to perform complex forensic insight-gathering procedures without expertise in EM-SCA. A proof-of-concept, EMvidence, is implemented as an open-source software framework, utilizing a modular architecture to extract specific forensic insights from IoT devices. The thesis presents methods for acquiring forensic insights, including detecting cryptography-related events, firmware version, and malicious modifications to the firmware. Machine Learning algorithms are used to automatically identify known patterns of EM radiation with over 90% accuracy.
The 11th EAI International Conference on Digital Forensics and Cyber Crime
This paper presents a new method for quickly locating Kodi artifacts and gathering information for successful prosecution of digital piracy and streaming of illegal content. The approach is evaluated on Windows, Android, and Linux platforms, demonstrating the location of file artifacts, databases, and viewed content history.
The 13th International Workshop on Digital Forensics (WSDF), held at the 15th International Conference on Availability, Reliability and Security (ARES)
This systematic overview of artificial intelligence (AI) in digital forensic investigation explores the current state of the art and future potential of AI in expediting digital forensic analysis and increasing case processing capacities. The authors discuss AI applications in data discovery, device triage, and other areas, highlighting current challenges and future directions.
Forensic Science International: Digital Investigation
This paper presents the EMvidence framework, a software tool that facilitates electromagnetic side-channel analysis for IoT investigation. The framework automates and simplifies the process of acquiring and analyzing electromagnetic signals from IoT devices, making it accessible to digital forensic investigators without specialized equipment or expertise.
The 6th IEEE International Conference on Cyber Security and Protection of Digital Services (Cyber Security)
This study evaluates the influencing factors on the accuracy of underage facial age estimation using two cloud services, Microsoft Azure's Face API and Amazon Web Service's Rekognition service. The analysis of the VisAGe dataset reveals correlations between facial attributes and age estimation errors, identifying the most significant factors to be addressed in future age estimation modeling.
The 6th IEEE International Conference on Cyber Security and Protection of Digital Services (Cyber Security)
This paper presents an approach for automated artefact relevancy determination from artefact metadata and associated timeline events. The method uses a relevancy score to rank file artefacts by likely relevance, based on data reduction techniques and machine learning models. The approach is validated through experimentation with three emulated investigation scenarios, demonstrating its potential to aid investigators in the discovery and prioritisation of evidence.
6th IEEE International Conference on Cyber Security and Protection of Digital Services (Cyber Security)
This paper proposes smarter password guessing techniques that leverage contextual information and Open Source Intelligence (OSINT) to improve password recovery rates. The authors explore the use of OSINT to gather information about a suspect's online and offline life, which can be used to make educated guesses about their password. The research aims to create a bespoke, personalized dictionary list to feed into password cracking tools.
Forensic Science International: Digital Investigation Vol. 32 pp. 300927
This paper presents a systematic methodology to identify information leaking frequency channels from high dimensional EM data using multiple filtering techniques and machine learning. The approach is evaluated on a dataset of EM signals from an IoT device, demonstrating its effectiveness in reducing the number of channels from 20,000 to less than 100, improving real-time analysis efficiency.
Forensic Science International: Digital Investigation Vol. 32 pp. 300921
DeepUAge improves underage age estimation accuracy to aid Child Sexual Exploitation Material (CSEM) investigation. The model, trained on the VisAGe dataset, achieves state-of-the-art performance for age estimation of minors, with a mean absolute error (MAE) rate of 2.73 years. This work tackles the challenges of collecting and annotating underage facial age data, and its application can expedite digital investigations.
Forensic Science International: Digital Investigation Vol. 32 pp. 300907
This paper presents EMvidence, a software framework for digital forensic investigators to acquire evidence from IoT devices through electromagnetic side-channel analysis. The framework automates and performs electromagnetic side-channel evidence collection, making it a practical reality for digital forensic investigators.
The 8th International Workshop on Cyber Crime (IWCC), held at the 14th International Conference on Availability, Reliability and Security (ARES)
This paper presents an ensemble learning approach to improve facial age estimation for borderline adulthood cases. The authors develop a deep learning model (DS13K) and fine-tune it on the Deep Expectation (DEX) model to achieve an accuracy of 68% for the age group 16-17 years old, outperforming DEX by 4 times. The study also evaluates existing cloud-based facial age prediction services.
The 12th International Workshop on Digital Forensics (WSDF), held at the 14th International Conference on Availability, Reliability and Security (ARES)
This paper proposes a methodology for automatically prioritizing suspicious file artefacts in digital forensic investigations, leveraging a supervised machine learning approach and a toolkit for data extraction from disk images. The methodology aims to reduce manual analysis effort and improve the efficiency of the investigative process.
Digital Investigation Vol. 29 pp. 43-54
This paper surveys electromagnetic side-channel attacks and their potential for digital forensics on IoT devices. It discusses the challenges of analyzing encrypted data from IoT devices and explores the use of electromagnetic side-channel analysis to recover cryptographic keys and other sensitive information.
Digital Investigation
This paper presents a novel methodology to inspect the internal software activities of IoT devices through their electromagnetic radiation emissions during live device investigation. The approach uses electromagnetic side-channel analysis (EM-SCA) to detect software activities, including cryptographic algorithms and malicious modifications, with high accuracy.
Digital Investigation Vol. 28 pp. S142
This study evaluates existing age prediction services and introduces a deep learning model, DS13K, to improve the accuracy of underage facial age estimation in child sexual exploitation material (CSEM) investigations. The model outperforms existing services, particularly in the borderline adulthood age range (16-17 years old), with an accuracy rate of 68%.
Digital Investigation
This study examines Apple's desktop search technology, Spotlight, to recover deleted file metadata on macOS. Researchers developed a novel approach to extract persistent records of deleted files directly from the Spotlight database and recover records from deleted database pages in unused space. The study provides a proof-of-concept implementation and discusses the forensic opportunities offered by recovering records for deleted files within the database and unused space on the filesystem.
Digital Forensics and Cyber Crime pp. 149-164
This paper examines the current state of solid-state drive (SSD) forensics, addressing the challenges posed by SSDs' background data movement and garbage collection processes. The authors investigate the impact of TRIM, data volume, and powered-on time on data recovery and provide guidance on extracting artefacts from SSDs under various conditions.
The Second International Workshop on Criminal Use of Information Hiding (CUING), part of the 13th International Conference on Availability, Reliability and Security (ARES)
This paper investigates the accuracy of electromagnetic side-channel attacks on computer monitors, focusing on factors beyond sampling rate and bandwidth. The authors evaluate noise removal, image blending, and image quality adjustments to improve image reconstruction accuracy, exploring avenues for future improvements in EM side-channel attacks.
Proceedings of the 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom-18) pp. 1942-1947
This paper examines the Kodi software ecosystem, focusing on its role in illegal IPTV networks. It identifies key roles in the Kodi community, including users, addon authors, and distributors, and explores the relationships between them. The study uses cloud evidence to connect devices to addon distributors and investigates networks among authors and distributors using GraphQL in the GitHub cloud.
Proceedings of the 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom-18) pp. 1674-1679
This paper presents a system for deduplicated disk image evidence acquisition and forensically-sound reconstruction, addressing the growing digital evidence backlog in law enforcement. The system enables automated, centralized acquisition and analysis, reducing storage and bandwidth requirements, and facilitating non-expert evidence processing.
Advances in Digital Forensics XIV pp. 183-197
This paper proposes a novel approach to analyze large volumes of intercepted network traffic based on network metadata, reducing analysis duration and providing insights for non-technical investigators. The approach is tested with a large sample of network traffic data and can be used to identify devices and usage behind an internet connection.
Digital Investigation Vol. 26 pp. S118 - S126
This paper presents a deep learning-based malware classification approach that requires no expert domain knowledge and is based on a purely data-driven approach for complex pattern and feature identification. The model achieves a high accuracy of 98.2% in classifying raw binary files into one of 9 classes of malware, with a processing time of 0.02 seconds per file.
Digital Investigation Vol. 26S pp. xx-xx
This study investigates the digital forensic traces in modern two-way radio communication equipment and services, which is crucial for law enforcement in crime investigations. The research proposes a novel workflow for investigators to follow when encountering such equipment, highlighting the need for knowledge about radio communication equipment, infrastructure, and associated services.
Digital Investigation Vol. 26 pp. S77 - S86
This paper investigates the digital forensic investigation of two-way radio communication equipment and services, including the acquisition and analysis of digital traces in modern radio communication devices. The authors propose a workflow for radio device investigation and evaluate the possibility of using popular forensic tools to acquire artefacts from radio communication equipment.
Proceedings of the International Workshop on Speculative Side Channel Analysis (WoSSCA 2018)
This paper explores the potential of electromagnetic side-channel analysis in progressing hindered digital forensic investigations. The authors argue that EM side-channel attacks can provide a hands-off approach to accessing internal device information, overcoming encryption and limited standardization of IoT devices.
12th International Workshop on Systematic Approaches to Digital Forensics Engineering (SADFE), IEEE Security & Privacy Workshops
This paper evaluates existing automated facial age estimation techniques for digital forensics, highlighting their limitations and proposing a dataset generator to overcome the lack of sufficient sample images in specific age ranges. The study assesses the performance of offline and cloud-based models, releasing a tool to generate uniformly distributed random images by age and gender.
Journal of Digital Forensics, Security and Law Vol. 13 pp. 81-96
This paper proposes the use of Hierarchical Bloom Filter Trees (HBFTs) to improve the runtime efficiency of approximate matching techniques in digital forensics. HBFTs reduce the number of pairwise comparisons required, achieving substantial speed gains while maintaining effectiveness. The authors evaluate the effectiveness of HBFTs using the MRSH-v2 algorithm and explore the effects of different configurations of HBFTs.
Digital Forensics and Cyber Crime. ICDF2C 2017 Vol. 216 pp. 144-157
This paper presents an improvement to the MRSH-v2 approximate matching algorithm using Hierarchical Bloom Filter Trees (HBFT) to expedite the search process for digital forensic investigators. Experiments demonstrate substantial speed gains over the original MRSH-v2 while maintaining effectiveness.
Journal of Information Warfare Vol. 17
This study examines the Epic Privacy Browser, a private web browser designed to protect users' privacy, and its potential for forensic analysis. The researchers investigate the types of evidence left behind by the browser on Windows 10 and Windows 7 operating systems, including live and post-mortem analysis. The study aims to identify the tools and methods for effective analysis of the browser's artefacts.
Predict Conference; Europe's Leading Data Conference (Predict 2017)
This paper addresses the problem of information overload in digital forensics and cybersecurity by proposing a data analytics approach for intelligent, real-time, automated data processing and event categorization. The solution aims to combat the increasing frequency and sophistication of cyberattacks by reducing false positive alerts in network intrusion detection systems.
Proceedings of the 16th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom-17) pp. 737-744
This paper presents a script for handling privileged data in digital forensic tools, specifically in Nuix, to minimize exposure to investigators and automate the filtering process. The script increases effectiveness by relating files based on content, addressing the limitations of traditional filtering methods.
Proceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS 2017) pp. 573-581
This paper evaluates the applicability of existing digital forensic process models to a cloud-based evidence processing paradigm, specifically Digital Forensics as a Service (DFaaS). The authors analyze the characteristics of each current process model and review the benefits of DFaaS, aiming to expedite the investigative process and reduce costs.
Proceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS 2017) pp. 341-350
This paper presents a forensic analysis of Epic Privacy Browser on Windows operating systems, focusing on the identification and analysis of artefact evidence left on Windows 10 compared to Windows 7. The study aims to establish if the introduction of Windows 10 has had an adverse effect on the browser's claim of clearing all user activity traces upon closure.
Proceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS 2017) pp. 419-425
This paper presents a new approach to malware analysis by integrating Ether Unpacker into the plugin-based malware analysis tool, Ragpicker. The integration aims to improve the unpacking rate of malware samples, enabling the analysis of transferred and reused code. The authors evaluate their approach against real-world malware patterns, demonstrating its effectiveness in identifying malware variants and families.
Digital Investigation Vol. 20S pp. 47-55
This paper proposes Behavioral Service Graphs, a formal data-driven approach for prompt investigation of enterprise and internet-wide infections. It leverages probing activities to rapidly infer infections and models infected machines as graphs to infer and correlate distributed groups of infected machines.
Digital Investigation Vol. 20S pp. 29-36
EviPlant is a system designed to efficiently create, manipulate, store, and distribute digital forensic challenges for education and training. It allows educators to create evidence packages that can be integrated with base images, reducing the need for large, full-image files and making it easier to distribute challenges to students.
Proceedings of the IFIP International Workshop on Cybercrime Investigation and Digital Forensics (CID) pp. 1-5
This paper proposes Behavioral Service Graphs, a proactive approach to generating network-based evidence for network forensic investigation. It leverages big data behavioral analytics and graph theoretical concepts to infer and correlate groups of compromised network machines, providing actionable insights for prompt mitigation and further analysis.
Proceedings of the IFIP International Workshop on Cybercrime Investigation and Digital Forensics (CID) pp. 1-5
This paper proposes a data deduplication system to expedite digital forensic evidence acquisition and analysis. The system leverages a deduplicated forensic data storage system to eliminate unnecessary reacquisition and analysis of previously processed data, reducing acquisition time and improving the overall efficiency of the digital forensic process.
Proceedings of the 2nd International Workshop on Cloud Security and Forensics (WCSF 2016) pp. 10-14
This paper discusses the growing digital forensic backlog faced by law enforcement agencies due to the increasing number of digital devices involved in investigations. It highlights the challenges in identifying, acquiring, storing, and analyzing digital evidence from various sources, including cloud-based services and IoT devices. The author proposes future research directions to improve the efficiency of the digital forensic process.
Proceedings of the 6th IEEE International Conference on Innovative Computing Technologies (INTECH 2016)
This paper proposes a novel solution to combat the digital forensic backlog through data deduplication. The solution leverages a centralized storage system to store a single copy of each object, eliminating redundant storage and reanalysis of previously processed data. This approach can reduce storage requirements, expedite digital forensic processing, and facilitate collaborative examination and sharing of digital evidence.
2nd International Workshop on Cloud Security and Forensics (WCSF 2016) pp. 743-748
This paper presents a new approach to investigate IPv6 network attacks with case studies, focusing on IPv6 security and forensics. It discusses different types of IPv6 attacks and provides a comprehensive overview of IPv6 network attack techniques, including reconnaissance, exploitation, and mitigation strategies.
15th European Conference on Cyber Warfare and Security (ECCWS 2016)
This paper presents an analytical approach to recovering data from 3rd party proprietary CCTV file systems, focusing on a Ganz CCTV DVR model C-MPDVR-16. The authors reverse engineer the proprietary file system, enabling the retrieval of the oldest video footage possible. The method is evaluated using a case study, demonstrating the feasibility of recovering video footage from a DVR with no initial knowledge or documentation available.
The 11th ADFSL Conference on Digital Forensics, Security and Law (CDFSL 2016) pp. 9-20
This paper explores the current challenges in digital forensic investigations, including the digital evidence backlog, and outlines future research areas to improve the process. The authors discuss the increasing complexity, diversity, and volume of digital evidence, as well as the need for standardization and automation in digital forensic tools and processes.
The 4th International Symposium on Digital Forensics and Security (ISDFS 2016) pp. 68-73
This paper proposes a workflow management automation framework to streamline digital investigation workflows, reducing time spent on acquisition and preparation steps, and increasing efficiency of forensic software and hardware use. The framework is evaluated in a real-world scenario, demonstrating its benefits and robustness.
Advanced Multimedia and Ubiquitous Engineering: FutureTech & MUE pp. 641-647
This paper explores the application of Information Retrieval (IR) and Information Extraction (IE) techniques to digital forensics, highlighting their potential to improve the efficiency and effectiveness of investigations. The authors discuss the benefits of cloud-based digital forensic investigation platforms and the importance of precision and recall in different stages of an investigation.
Digital Investigation Vol. 16 pp. 75-85
This paper presents a tiered forensic methodology model for digital field triage by non-digital evidence specialists. The model aims to increase investigation efficiency and reduce the backlog of digital evidence waiting for analysis by trained specialists. The authors propose a framework for training front-line investigators to conduct digital field triage, allowing them to provide actionable information quickly and maintain the integrity of digital evidence.
Proceedings of 8th International Conference on Engaging Pedagogy (ICEP 2015)
This study evaluates Google Plus Communities as an active learning journal alternative to improve learning efficacy. The authors present guidelines for deploying G+ Communities in educational settings, highlighting their potential to foster collaborative learning, social interaction, and community engagement.
Digital Forensics and Cyber Crime Vol. 157 pp. 85-99
This paper presents a forensic analysis and remote evidence recovery techniques for Syncthing, an open-source decentralized file synchronization utility. The authors outline the entry points for a Syncthing investigation, describe the network communication protocol, and develop a proof-of-concept tool for remote evidence recovery. The study addresses the need for digital forensics procedures to keep pace with decentralized services like Syncthing.
Computers & Security Vol. 54 pp. 27 - 43
This paper proposes a network investigation methodology for BitTorrent Sync, a peer-to-peer file synchronization service, to aid in the control of data flow across security perimeters. The methodology includes recommendations for investigating various scenarios, including legitimate and illicit activities.
Journal of Digital Forensics, Security and Law: Proc. of 10th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE 2015) pp. 115-124
This paper presents a forensic analysis of Project Maelstrom, a decentralized web browser powered by BitTorrent. The authors explore the browser's functionality, forensic value, and the evidence it leaves behind, including installation and configuration files, user data, and torrent-related settings.
10th International Conference on Availability, Reliability and Security (ARES 2015) pp. 556-565
This paper provides an overview of the forensic investigation of cloud services, discussing the challenges and opportunities of cloud computing in digital forensics. It examines the state-of-the-art in cloud-focused digital forensic practices, including the collection and analysis of evidence, and the potential use of cloud technologies to provide Digital Forensics as a Service.
Proceedings of the International Workshop on Digital Forensics (WSDF 2015)
This paper presents a novel approach to remote evidence acquisition in digital forensics. The authors propose a method for collecting and preserving digital evidence from remote locations, addressing the challenges of on-site collection. The contribution is a framework for secure and efficient evidence transfer, enhancing the integrity and admissibility of digital evidence in investigations.
Proceedings of 10th International Conference on Availability, Reliability and Security (ARES 2015)
This paper presents a new approach to rapidly and reliably identify cloud-hosted servers through non-invasive wiretaps. A handheld device composed of an embedded computer and a method of undetectable Ethernet-based communication interception is developed and tested. The device captures minimal information and only stores relevant data, with an audit log of operator actions for reporting.
The 10th ADFSL Conference on Digital Forensics, Security and Law (CDFSL 2015) pp. 135-150
This paper explores the security risks and challenges of HTML5 zero-configuration covert channels, including the potential for cybercriminals to use these services for illegal activities. The authors analyze the forensic consequences of these services and propose methods for retrieving evidence.
23rd International Conference on Computer Communication and Networks (ICCCN 2014) pp. 1-6
This paper analyzes BitTorrent cross-swarm peer participation and geolocational distribution. The authors collected 2 terabytes of data from 16 swarms of popular TV shows, identifying 6.3 million distinct IPs. The study found significant cross-swarm participation and geolocational distribution, with Australia, Europe, and North America playing a crucial role in influencing swarm size. The results can aid in network usage prediction, bandwidth provisioning, and future network design.
Proceedings of 9th International Conference on Availability, Reliability and Security (ARES 2014) pp. 21-29
This paper presents a network investigation methodology for BitTorrent Sync, a decentralized file replication utility, to aid digital forensic investigations. The authors propose a framework for retrieving digital evidence from the network and provide results from a proof-of-concept investigation.
Journal of Digital Forensics, Security and Law: Proc. of Sixth International Conference on Digital Forensics & Cyber Crime (ICDF2C 2014) pp. 85-99
This paper presents a methodology for the remote recovery and verification of digital evidence from decentralized file synchronization services, specifically BitTorrent Sync. The authors outline a proof-of-concept implementation and discuss the challenges and opportunities of remote digital evidence retrieval in the context of mobile devices and cloud-based services.
Proceedings of the 7th International Symposium on Digital Forensics and Information Security (DFIS-2013), Future Information Technology, Application, and Service pp. 307-314
This paper proposes a new digital evidence bag format for P2P network investigations, addressing the limitations of existing formats in handling network traffic and metadata. The proposed format incorporates network byte streams and on-the-fly metadata generation to expedite identification and analysis.
Digital Investigation Vol. 11, Supplement 1 pp. S77-S86
This paper presents a forensic analysis of BitTorrent Sync, a decentralized file synchronization service, and its implications for digital investigations. The authors examine the client application, network traffic, and artefacts created during installation and use, providing valuable insights for digital forensic investigators.
Proceedings of the 9th International Conference on Cyber Warfare and Security (ICCWS 2014) pp. 287-293
This paper proposes a collaborative universal peer-to-peer botnet investigation framework to fast-track the investigative process through collaboration between key stakeholders. The framework exploits common attributes of P2P networks, including intra-peer communication, self-propagation, and node maintenance, to identify and record communication patterns. This enables the elimination of duplicated work by forensic investigators and facilitates the investigation of any known botnet and adaptation to new networks.
PhD Thesis
This PhD thesis explores the investigation of Peer-to-Peer (P2P) networks, which are vulnerable to cybercrimes such as botnet propagation and malware distribution. The Universal P2P Network Investigation Framework (UP2PNIF) is introduced to facilitate faster and more efficient investigations of P2P networks.
Pervasive and Ubiquitous Technology Innovations for Ambient Intelligence Environments pp. 109-115
This paper presents a methodology for investigating cybercrimes on documented P2P networks, specifically BitTorrent, by analyzing the top 100 most popular swarms over a one-week period. The investigation aims to quantify the scale of unauthorized distribution of copyrighted material and identify the geographical distribution of peers involved.
Availability, Reliability and Security (ARES), 2013 Eighth International Conference on pp. 694-700
This paper introduces the Universal Peer-to-Peer Network Investigation Framework (UP2PNIF), a tool for investigating P2P networks. The framework exploits common attributes of P2P networks to enable faster and less labor-intensive investigations. It can be used for various investigation types, including evidence collection, anatomy, wide-area measurement, and takeover.
Proceedings of the 6th International Symposium on Digital Forensics and Information Security (DFIS-2012), Future Information Technology, Application, and Service," pp. 231-238
This paper reviews the state-of-the-art in Peer-to-Peer (P2P) botnet investigation, highlighting the challenges and obstacles faced by investigators. It discusses the evolution of botnet design from traditional client/server to decentralized P2P networks, and the implications for investigation and takedown. The paper outlines three main approaches to P2P botnet investigation and presents case studies of the Nugache, Storm, and Waledec botnets.
International Journal of Ambient Computing and Intelligence Vol. 3 pp. 56-63
This paper presents a methodology for investigating cybercrimes on documented P2P networks, specifically BitTorrent, by analyzing the top 100 most popular swarms over a one-week period. The investigation aims to quantify the scale of unauthorized distribution of copyrighted material through BitTorrent.
Proceedings of the 5th Annual Symposium on Information Assurance (ASIA 2010) pp. 32-36
This paper presents an analysis of the most popular BitTorrent swarms over a week, focusing on the scale of unauthorized distribution of copyrighted material. The investigation collected data on 8,489,287 unique IP addresses, with 50.6% of files split into smaller chunks for distribution. The results show a global distribution of peers, with the US, UK, India, and Canada being the top countries detected.
MSc Thesis
This thesis presents RAFT, a system for remote acquisition of digital forensic evidence through secure data transmission and verification. RAFT enables law enforcement officers to transfer images from suspect computers to forensic labs for analysis, reducing investigation time and ensuring court-admissible evidence.
Proceedings of International Conference on Digital Forensics and Cyber Crime (ICDF2C 2009) pp. 122-131
This paper introduces RAFT, a remote forensic hard drive imaging tool designed to reduce the time wasted by forensic investigators in collecting digital evidence. RAFT enables law enforcement officers to remotely transfer images of suspect computers to a forensic laboratory for analysis, ensuring court-admissible evidence through secure and verifiable client/server imaging architecture.
