IFIP AICT 462 Gilbert Peterson Sujeet Shenoi (Eds.) Advances in Digital Forensics XI 123 IFIP Advances in Information and Communication Technology 462 Editor-in-Chief KaiRannenberg,GoetheUniversityFrankfurt,Germany EditorialBoard FoundationofComputerScience JacquesSakarovitch,TélécomParisTech,France Software:TheoryandPractice MichaelGoedicke,UniversityofDuisburg-Essen,Germany Education ArthurTatnall,VictoriaUniversity,Melbourne,Australia InformationTechnologyApplications ErichJ.Neuhold,UniversityofVienna,Austria CommunicationSystems AikoPras,UniversityofTwente,Enschede,TheNetherlands SystemModelingandOptimization FrediTröltzsch,TUBerlin,Germany InformationSystems JanPries-Heje,RoskildeUniversity,Denmark ICTandSociety DianeWhitehouse,TheCastlegateConsultancy,Malton,UK ComputerSystemsTechnology RicardoReis,FederalUniversityofRioGrandedoSul,PortoAlegre,Brazil SecurityandPrivacyProtectioninInformationProcessingSystems YukoMurayama,IwatePrefecturalUniversity,Japan ArtificialIntelligence TharamDillon,LaTrobeUniversity,Melbourne,Australia Human-ComputerInteraction JanGulliksen,KTHRoyalInstituteofTechnology,Stockholm,Sweden EntertainmentComputing MatthiasRauterberg,EindhovenUniversityofTechnology,TheNetherlands IFIP –The International FederationforInformationProcessing IFIPwas foundedin 1960underthe auspicesof UNESCO, followingthe First World ComputerCongressheldinParisthepreviousyear.Anumbrellaorganizationforsoci- etiesworkingininformationprocessing,IFIP’saimistwo-fold:tosupportinformation processingwithinitsmembercountriesandtoencouragetechnologytransfertodevel- opingnations.Asitsmissionstatementclearlystates, IFIP’smissionistobetheleading,trulyinternational,apoliticalorganizationwhich encourages and assists in the development, exploitation and application of informationtechnologyforthebenefitofallpeople. IFIP is a non-profitmakingorganization,run almost solely by 2500 volunteers. It operatesthrougha numberoftechnicalcommittees,whichorganizeeventsandpubli- cations. IFIP’s events range from an international congress to local seminars, but the mostimportantare: (cid:129) TheIFIPWorldComputerCongress,heldeverysecondyear; (cid:129) Openconferences; (cid:129) Workingconferences. TheflagshipeventistheIFIPWorldComputerCongress,atwhichbothinvitedand contributed papers are presented. Contributed papers are rigorously refereed and the rejectionrateishigh. AswiththeCongress,participationintheopenconferencesisopentoallandpapers maybeinvitedorsubmitted.Again,submittedpapersarestringentlyrefereed. Theworkingconferencesarestructureddifferently.Theyareusuallyrunbyawork- inggroupandattendanceissmallandbyinvitationonly.Theirpurposeistocreatean atmosphereconducivetoinnovationanddevelopment.Refereeingisalsorigorousand papersaresubjectedtoextensivegroupdiscussion. PublicationsarisingfromIFIPeventsvary.ThepaperspresentedattheIFIPWorld ComputerCongressandatopenconferencesarepublishedasconferenceproceedings, while the results of the workingconferencesare often publishedas collections of se- lectedandeditedpapers. Any nationalsociety whose primaryactivity is aboutinformationprocessingmay applyto becomea fullmemberofIFIP, althoughfullmembershipis restrictedto one societypercountry.FullmembersareentitledtovoteattheannualGeneralAssembly, Nationalsocietiespreferringalesscommittedinvolvementmayapplyforassociateor correspondingmembership.Associate membersenjoy the same benefitsas fullmem- bers, but without voting rights. Corresponding members are not represented in IFIP bodies.Affiliatedmembershipisopentonon-nationalsocieties,andindividualandhon- orarymembershipschemesarealsooffered. Moreinformationaboutthisseriesathttp://www.springer.com/series/6102 · Gilbert Peterson Sujeet Shenoi (Eds.) Advances in Digital Forensics XI 11th IFIP WG 11.9 International Conference Orlando, FL, USA, January 26–28, 2015 Revised Selected Papers ABC Editors GilbertPeterson SujeetShenoi DepartmentofElectricalandComputer TandySchoolofComputerScience Engineering UniversityofTulsa AirForceInstituteofTechnology Tulsa,Oklahoma Wright-PattersonAirForceBase,Ohio USA USA ISSN1868-4238 ISSN1868-422X (electronic) IFIPAdvancesinInformationandCommunicationTechnology ISBN978-3-319-24122-7 ISBN978-3-319-24123-4 (eBook) DOI10.1007/978-3-319-24123-4 LibraryofCongressControlNumber:2015951345 SpringerChamHeidelbergNewYorkDordrechtLondon (cid:2)c IFIPInternationalFederationforInformationProcessing2015 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpartofthe materialisconcerned,specificallytherightsoftranslation,reprinting,reuseofillustrations,recitation,broad- casting,reproduction onmicrofilmsorinanyotherphysicalway,andtransmissionorinformationstorage andretrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodologynowknown orhereafterdeveloped. Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant protectivelawsandregulationsandthereforefreeforgeneraluse. Thepublisher, theauthorsandtheeditorsaresafetoassumethattheadviceandinformationinthisbook arebelievedtobetrueandaccurateatthedateofpublication. Neitherthepublishernortheauthorsorthe editorsgiveawarranty,expressorimplied,withrespecttothematerialcontainedhereinorforanyerrorsor omissionsthatmayhavebeenmade. Printedonacid-freepaper SpringerInternationalPublishingAGSwitzerlandispartofSpringerScience+BusinessMedia (www.springer.com) Contents Contributing Authors ix Preface xvii PART I THEMES AND ISSUES 1 A Tale of Two Traces – Diplomatics and Forensics 3 Fred Cohen 2 Notions of Hypothesis in Digital Forensics 29 Segen Tewelde, Stefan Gruner and Martin Olivier 3 UsingYin’sApproachtoCaseStudiesasaParadigmforConducting 45 Forensic Examinations Oluwasayo Oyelami and Martin Olivier 4 AnInformationExtractionFrameworkforDigitalForensicInvestigations 61 Min Yang and Kam-Pui Chow PART II INTERNET CRIME INVESTIGATIONS 5 A Graph-Based Investigation of Bitcoin Transactions 79 Chen Zhao and Yong Guan 6 Profiling and Tracking a Cyberlocker Link Sharer in a Public Web 97 Forum Xiao-Xi Fan, Kam-Pui Chow and Fei Xu vi ADVANCES IN DIGITAL FORENSICS XI 7 APrivacy-PreservingEncryptionSchemeforanInternetReal-Name 115 Registration System Fei Xu, Ken Yau, Ping Zhang and Kam-Pui Chow 8 A Logic-BasedNetwork Forensic Model for Evidence Analysis 129 Changwei Liu, Anoop Singhal and Duminda Wijesekera PART III FORENSIC TECHNIQUES 9 Characteristics of Malicious DLLs in Windows Memory 149 Dae Glendowne, Cody Miller, Wesley McGrew and David Dampier 10 Determining Trigger Involvement During Forensic Attribution in 163 Databases Werner Hauger and Martin Olivier 11 Using Internal MySQL/InnoDB B-Tree Index Navigation for Data 179 Hiding Peter Fruhwirt, Peter Kieseberg and Edgar Weippl 12 Identifying PasswordsStored on Disk 195 Shiva Houshmand, Sudhir Aggarwal and Umit Karabiyik 13 Fragmented JPEG File Recovery Using Pseudo Headers 215 Yanbin Tang, Zheng Tan, Kam-Pui Chow, Siu-Ming Yiu, Junbin Fang, Xiamu Niu, Qi Han and Xianyan Wu PART IV MOBILE DEVICE FORENSICS 14 Forensic-Ready Secure iOS Apps for Jailbroken iPhones 235 JayaprakashGovindaraj, RashmiMata, RobinVermaandGauravGupta 15 AFrameworkforDescribingMultimediaCirculationinaSmartphone 251 Ecosystem Panagiotis Andriotis, Theo Tryfonas, George Oikonomou and Irwin King Contents vii PART V CLOUD FORENSICS 16 A Trustworthy Cloud Forensics Environment 271 Shams Zawoad and Ragib Hasan 17 Locating and Tracking Digital Objects in the Cloud 287 Philip Trenwith and Hein Venter PART VI FORENSIC TOOLS 18 A Tool for Extracting Static and Volatile Forensic Artifacts of 305 Windows 8.x Apps Shariq Murtuza, Robin Verma, Jayaprakash Govindaraj and Gaurav Gupta 19 Criteria for Validating Secure Wiping Tools 321 Muhammad Sharjeel Zareen, Baber Aslam and Monis Akhlaq 20 Do Data Loss Prevention Systems Really Work? 341 Sara Ghorbanian, Glenn Fryklund and Stefan Axelsson Contributing Authors Sudhir Aggarwal is a Professor of Computer Science at Florida State University, Tallahassee, Florida. His research interests include password cracking, information security and building software tools and systems for digital forensics. Monis Akhlaq is an Assistant Professor of Information Security at the National University of Sciences and Technology, Islamabad, Pakistan. His research interests includedigital forensics, network security, incident handling and risk management. Panagiotis Andriotis is a Ph.D. student in Computer Science at the University of Bristol, Bristol, United Kingdom. His research interests include digital forensics, text mining, content analysis and systems se- curity. Baber Aslam is an Assistant Professor and Head of the Department of Information Security at the National University of Sciences and Tech- nology, Islamabad, Pakistan. His research interests include computer security, network security and digital forensics. Stefan Axelsson is a Senior Lecturer of Computer Science at the Blekinge Institute of Technology, Karlskrona, Sweden. His research in- terests include digital forensics, intrusion and fraud detection, visualiza- tion and digital surveillance. Kam-Pui Chow is an Associate Professor of Computer Science at the University of Hong Kong, Hong Kong, China. His research interests include information security, digital forensics, live system forensics and digital surveillance. x ADVANCES IN DIGITAL FORENSICS XI Fred Cohen is the Chief Executive Officer of Management Analytics, Pebble Beach, California; a Member of Fearless Security, Pebble Beach, California; andActingDirector oftheWebster University CyberLab,St. Louis, Missouri. His research interests include digital forensics, informa- tion assurance and critical infrastructure protection. David Dampier is a Professor of Computer Science and Engineering, and Director of the Distributed Analytics and Security Institute at Mis- sissippi State University, Mississippi State, Mississippi. His research interests include digital forensics, information assurance and software engineering. Xiao-Xi Fan is a Ph.D. student in Computer Science at the University of Hong Kong, Hong Kong, China. Her research interests include digital forensics, digital profiling and data mining. Junbin Fang is an Associate Professor of Optoelectronics Engineering at Jinan University, Guangzhou, China. His research interests include information security and forensics, and quantum cryptography. Peter FruhwirtisaResearcheratSBAResearch, Vienna,Austria. His research interests include digital forensics, mobile security and applied security. Glenn Fryklund is a Security Analyst at Coresec Systems, Malmo, Sweden. His research interests include computer and network security, and digital forensics. Sara Ghorbanian is a Security Analyst at Coresec Systems, Malmo, Sweden. Her research interests include computer and network security, and digital forensics. Dae Glendowne is an Assistant Research Professor at the Distributed Analytics and Security Institute at Mississippi State University, Missis- sippi State, Mississippi. His research interests include malware reverse engineering, memory forensics and machine learning.