IFIP AICT 433

Gilbert Peterson
Sujeet Shenoi (Eds.)

Advances in Digital Forensics X

IFIP Advances in Information and Communication Technology 433

Editor-in-Chief
  A. Joe Turner, Seneca, SC, USA

Editorial Board
Foundations of Computer Science
  Jacques Sakarovitch, Télécom ParisTech, France
Software: Theory and Practice
  Michael Goedicke, University of Duisburg-Essen, Germany
Education
  Arthur Tatnall, Victoria University, Melbourne, Australia
Information Technology Applications
  Erich J. Neuhold, University of Vienna, Austria
Communication Systems
  Aiko Pras, University of Twente, Enschede, The Netherlands
System Modeling and Optimization
  Fredi Tröltzsch, TU Berlin, Germany
Information Systems
  Jan Pries-Heje, Roskilde University, Denmark
ICT and Society
  Diane Whitehouse, The Castlegate Consultancy, Malton, UK
Computer Systems Technology
  Ricardo Reis, Federal University of Rio Grande do Sul, Porto Alegre, Brazil
Security and Privacy Protection in Information Processing Systems
  Yuko Murayama, Iwate Prefectural University, Japan
Artificial Intelligence
  Tharam Dillon, Curtin University, Bentley, Australia
Human-Computer Interaction
  Jan Gulliksen, KTH Royal Institute of Technology, Stockholm, Sweden
Entertainment Computing
  Matthias Rauterberg, Eindhoven University of Technology, The Netherlands

IFIP – The International Federation for Information Processing

IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP’s aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states,

  IFIP’s mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people.
IFIP is a non-profit-making organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP’s events range from an international congress to local seminars, but the most important are:

• The IFIP World Computer Congress, held every second year;
• Open conferences;
• Working conferences.

The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high.

As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed.

The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is also rigorous and papers are subjected to extensive group discussion.

Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers.

Any national society whose primary activity is about information processing may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly. National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.

Gilbert Peterson
Sujeet Shenoi (Eds.)
Advances in Digital Forensics X

10th IFIP WG 11.9 International Conference
Vienna, Austria, January 8-10, 2014
Revised Selected Papers

Volume Editors

Gilbert Peterson
Air Force Institute of Technology
Wright-Patterson Air Force Base, OH 45433-7765, USA
E-mail: gilbert.peterson@afit.edu

Sujeet Shenoi
University of Tulsa
Tulsa, OK 74104-3189, USA
E-mail: [email protected]

ISSN 1868-4238
e-ISSN 1868-422X
ISBN 978-3-662-44951-6
e-ISBN 978-3-662-44952-3
DOI 10.1007/978-3-662-44952-3
Springer Heidelberg New York Dordrecht London

Library of Congress Control Number: 2014948941

© IFIP International Federation for Information Processing 2014

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)

Contents

Contributing Authors
Preface

PART I  INTERNET CRIME INVESTIGATIONS

1  Conditional Weighted Transaction Aggregation for Credit Card Fraud Detection
   Wee-Yong Lim, Amit Sachan, and Vrizlynn Thing
2  Using Fraud Trees to Analyze Internet Credit Card Fraud
   Clive Blackwell
3  Automated Analysis of Underground Marketplaces
   Aleksandar Hudic, Katharina Krombholz, Thomas Otterbein, Christian Platzer, and Edgar Weippl
4  An Exploratory Profiling Study of Online Auction Fraudsters
   Vivien Chan, Kam-Pui Chow, Michael Kwan, Guy Fong, Michael Hui, and Jemy Tang
5  Web User Profiling Based on Browsing Behavior Analysis
   Xiao-Xi Fan, Kam-Pui Chow, and Fei Xu
6  Validation Rules for Enhanced Foxy P2P Network Investigations
   Ricci Ieong and Kam-Pui Chow

PART II  FORENSIC TECHNIQUES

7  Windows Event Forensic Process
   Quang Do, Ben Martini, Jonathan Looi, Yu Wang, and Kim-Kwang Choo
8  Schema Reconstruction in Database Forensics
   Oluwasola Mary Adedayo and Martin Olivier
9  Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus
   Carolina Zarate, Simson Garfinkel, Aubin Heffernan, Scott Horras, and Kyle Gorak
10 Similarity Hashing Based on Levenshtein Distance
   Frank Breitinger, Georg Ziroff, Steffen Lange, and Harald Baier
11 Using Approximate Matching to Reduce the Volume of Digital Data
   Frank Breitinger, Christian Winter, York Yannikos, Tobias Fink, and Michael Seefried
12 Active Linguistic Authentication Using Real-Time Stylometric Evaluation for Multi-Modal Decision Fusion
   Ariel Stolerman, Alex Fridman, Rachel Greenstadt, Patrick Brennan, and Patrick Juola
13 Breaking the Closed-World Assumption in Stylometric Authorship Attribution
   Ariel Stolerman, Rebekah Overdorf, Sadia Afroz, and Rachel Greenstadt

PART III  MOBILE DEVICE FORENSICS

14 Preserving Dates and Timestamps for Incident Handling in Android Smartphones
   Robin Verma, Jayaprakash Govindaraj, and Gaurav Gupta
15 An Open Source Toolkit for iOS Filesystem Forensics
   Ahmad Raza Cheema, Mian Muhammad Waseem Iqbal, and Waqas Ali
16 Smartphones as Distributed Witnesses for Digital Forensics
   Heloise Pieterse and Martin Olivier
17 Smartphone Message Sentiment Analysis
   Panagiotis Andriotis, Atsuhiro Takasu, and Theo Tryfonas
18 Forensic Analysis of the TomTom Navigation Application
   Nhien-An Le-Khac, Mark Roeloffs, and Tahar Kechadi

PART IV  FORENSIC TOOLS AND TRAINING

19 Performance of a Logical Five-Phase, Multithreaded, Bootable Triage Tool
   Ibrahim Baggili, Andrew Marrington, and Yasser Jafar
20 Towards Fully Automated Digital Alibis with Social Interactions
   Stefanie Beyer, Martin Mulazzani, Sebastian Schrittwieser, Markus Huber, and Edgar Weippl
21 Data Corpora for Digital Forensics Education and Research
   York Yannikos, Lukas Graner, Martin Steinebach, and Christian Winter
22 Educating the Next Generation of Cyberforensic Professionals
   Mark Pollitt and Philip Craiger

Contributing Authors

Oluwasola Mary Adedayo is a Lecturer and Ph.D. student in Computer Science at the University of Pretoria, Pretoria, South Africa. Her research interests include digital forensics and database security.

Sadia Afroz is a Postdoctoral Researcher in the Computer Science Division at the University of California at Berkeley, Berkeley, California. Her research interests include security, privacy and machine learning.

Waqas Ali is an M.S./M.Phil.
student in Information Security at the National University of Sciences and Technology, Islamabad, Pakistan. His research interests include vulnerability discovery, penetration testing and digital forensics.

Panagiotis Andriotis is a Ph.D. student in Computer Science at the University of Bristol, Bristol, United Kingdom. His research interests include digital forensics, content analysis and systems security.

Ibrahim Baggili is an Assistant Professor of Computer Science at the University of New Haven, West Haven, Connecticut. His research interests include digital forensics and cyber crime.

Harald Baier is a Professor of Internet Security at the Darmstadt University of Applied Sciences, Darmstadt, Germany; and a Principal Investigator at the Center for Advanced Security Research Darmstadt, Darmstadt, Germany. His research areas include digital forensics, network-based anomaly detection and security protocols.

Stefanie Beyer received her M.Sc. degree in Computer Science from the Vienna University of Technology, Vienna, Austria. Her research interests are in the area of digital forensics, with a focus on the reliability of digital alibis.

Clive Blackwell is a Research Fellow in Digital Forensics at Oxford Brookes University, Oxford, United Kingdom. His research interests include cyber security and digital forensics, with a focus on developing a scientific basis for digital forensics.

Frank Breitinger is a Ph.D. student in Computer Science at the Darmstadt University of Applied Sciences, Darmstadt, Germany; and a Researcher at the Center for Advanced Security Research Darmstadt, Darmstadt, Germany. His research interests include digital forensics, file analysis and approximate matching.

Patrick Brennan is the Chief Executive Officer of Juola and Associates, Pittsburgh, Pennsylvania. His research interests include digital forensics and stylometry.

Vivien Chan is a Research Project Manager at the University of Hong Kong, Hong Kong, China.
Her research interests include cyber criminal profiling and digital forensics.

Ahmad Raza Cheema is an Assistant Professor of Information Security at the National University of Sciences and Technology, Islamabad, Pakistan. His research interests include network security and digital forensics.

Kim-Kwang Choo is a Senior Lecturer of Cyber Security at the University of South Australia, Adelaide, Australia. His research interests include anti-money laundering, cyber crime, digital forensics and information security.

Kam-Pui Chow is an Associate Professor of Computer Science at the University of Hong Kong, Hong Kong, China. His research interests include information security, digital forensics, live system forensics and digital surveillance.