Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 88

Editorial Board

Ozgur Akan, Middle East Technical University, Ankara, Turkey
Paolo Bellavista, University of Bologna, Italy
Jiannong Cao, Hong Kong Polytechnic University, Hong Kong
Falko Dressler, University of Erlangen, Germany
Domenico Ferrari, Università Cattolica Piacenza, Italy
Mario Gerla, UCLA, USA
Hisashi Kobayashi, Princeton University, USA
Sergio Palazzo, University of Catania, Italy
Sartaj Sahni, University of Florida, USA
Xuemin (Sherman) Shen, University of Waterloo, Canada
Mircea Stan, University of Virginia, USA
Jia Xiaohua, City University of Hong Kong, Hong Kong
Albert Zomaya, University of Sydney, Australia
Geoffrey Coulson, Lancaster University, UK

Pavel Gladyshev, Marcus K. Rogers (Eds.)

Digital Forensics and Cyber Crime
Third International ICST Conference, ICDF2C 2011
Dublin, Ireland, October 26-28, 2011
Revised Selected Papers

Volume Editors

Pavel Gladyshev
University College Dublin
School of Computer Science and Informatics
Belfield, Dublin 4, Ireland
E-mail: [email protected]

Marcus K. Rogers
Purdue University
Department of Computer and Information Technology
West Lafayette 47907, IN, USA
E-mail: [email protected]

ISSN 1867-8211
e-ISSN 1867-822X
ISBN 978-3-642-35514-1
e-ISBN 978-3-642-35515-8
DOI 10.1007/978-3-642-35515-8
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2012953905
CR Subject Classification (1998): K.4.1, K.4.4, K.6.5, C.5.3, E.5, K.5, J.1

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2012

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

The Internet has made it easier to perpetrate crimes by providing criminals with an avenue for launching attacks with relative anonymity. The increased complexity of the communication and networking infrastructure is making investigation of cyber crimes difficult. Clues of illegal activities are often buried in large volumes of data that need to be sifted through in order to detect crimes and collect evidence. The investigations are increasingly cross-border, requiring coordinated police efforts in different jurisdictions.

This volume contains papers presented at the Third International ICST Conference on Digital Forensics and Cyber Crime (ICDF2C 2011), held October 26–28, 2011 in Dublin, Ireland. Unlike other conferences in the field of digital forensics, ICDF2C focuses on the applications of digital forensic research, providing a forum where practitioners can learn how the latest research results can be used in everyday investigations of cyber crimes and corporate misconduct.

The 24 papers contained in this volume cover a variety of topics ranging from tactics of cyber crime investigations to digital forensic education, network forensics, and the use of formal methods in digital investigations. There is a large section addressing forensics of mobile digital devices. Each paper was reviewed by a minimum of three members of the Technical Program Committee.
We sincerely thank the Technical Program Committee for their hard work in reviewing the submissions. We thank the Organizing Committee, Nasir Memon, Felix Balado, Fergus Toolan, Michael Harris, Bernhard Otupal, Ibrahim Baggili, Avinash Srinivasan, Cormac Doherty, and Joshua I. James, for their tireless efforts in managing all of the arrangements required for a successful conference. Finally, we offer special thanks to Anna Sterzi, Elena Fezzardi, and all the staff at EAI who made this conference possible.

August 2012
Pavel Gladyshev
Marcus K. Rogers

Organization

Organizing Committee

General Chair: Pavel Gladyshev, University College Dublin, Ireland
Technical Program Chair: Marcus Rogers, Purdue University, USA
Publications Chair: Nasir Memon, Polytechnic Institute of New York University, USA
Workshops Chair: Felix Balado, University College Dublin, Ireland
Sponsorship Chair: Fergus Toolan, University College Dublin, Ireland
Industry Track Chair: Dr. Michael Harris, Ernst & Young, Ireland
Demos and Tutorials Chair: Mr. Bernhard Otupal, DELL Corporation, UK
Publicity Chair: Dr. Avinash Srinivasan, Bloomsburg University, USA
Local Chair: Dr. Cormac Doherty, University College Dublin, Ireland
Web Chair: Mr. Joshua I. James, University College Dublin, Ireland
Conference Organizer: Ms. Anna Sterzi, European Alliance for Innovation

Steering Committee

Ibrahim Baggili, Zayed University, UAE
Imrich Chlamtac, Create-Net, Italy
Sanjay Goel, University at Albany, State University of New York, USA

Table of Contents

Cybercrime Investigations

The Role of Perception in Age Estimation ... 1
    Cynthia A. Murphy
Internet Child Pornography, U.S. Sentencing Guidelines, and the Role of Internet Service Providers ... 17
    Kathryn C. Seigfried-Spellar, Gary R. Bertoline, and Marcus K. Rogers
Law Enforcement 2.0: Regulating the Lawful Interception of Social Media ... 33
    Esti Peshin

Mobile Device Forensics

All Bot Net: A Need for Smartphone P2P Awareness ... 36
    Kelly A. Cole, Ramindu L. Silva, and Richard P. Mislan
Results of Field Testing Mobile Phone Shielding Devices ... 47
    Eric Katz, Richard P. Mislan, Marcus K. Rogers, and Anthony Smith
Windows Phone 7 from a Digital Forensics’ Perspective ... 62
    Thomas Schaefer, Hans Höfken, and Marko Schuba
An Agent Based Tool for Windows Mobile Forensics ... 77
    Satheesh Kumar S., Bibin Thomas, and K.L. Thomas
Forensic Extractions of Data from the Nokia N900 ... 89
    Mark Lohrum

New Developments in Digital Forensics

A Strategy for Testing Metadata Based Deleted File Recovery Tools ... 104
    James R. Lyle
Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus ... 115
    Neil C. Rowe and Simson L. Garfinkel
A Novel Methodology for Malware Intrusion Attack Path Reconstruction ... 131
    Ahmed F. Shosha, Joshua I. James, and Pavel Gladyshev
Performance Issues about Context-Triggered Piecewise Hashing ... 141
    Frank Breitinger and Harald Baier

Short Papers

Formal Parameterization of Log Synchronization Events within a Distributed Forensic Compute Cloud Database Environment ... 156
    Sean Thorpe, Indrakshi Ray, Indrajit Ray, Tyrone Grandison, Abbie Barbir, and Robert France
Yahoo! Messenger Forensics on Windows Vista and Windows 7 ... 172
    Matthew Levendoski, Tejashree Datar, and Marcus K. Rogers
Robust Hashing for Efficient Forensic Analysis of Image Sets ... 180
    Martin Steinebach
Tracking User Activity on Personal Computers ... 188
    Anthony Keane and Stephen O’Shaughnessy

Digital Forensics Techniques

The Forensic Value of the Windows 7 Jump List ... 197
    Alexander G. Barnett
Finding Forensic Information on Creating a Folder in $LogFile of NTFS ... 211
    Gyu-Sang Cho and Marcus K. Rogers
Rescuing Digital Data from Submerged HDD ... 226
    Toshinobu Yasuhira, Kazuhiro Nishimura, and Tomofumi Koida

Digital Forensics Education

Evaluating the Forensic Image Generator Generator ... 238
    Christian Moch and Felix C. Freiling

Internet and Network Investigations

Forensic Extractions of Data from the Nokia N900 ... 253
    Mark Lohrum

Formal Methods of Digital Forensics

A Forensic Framework for Incident Analysis Applied to the Insider Threat ... 268
    Clive Blackwell
Reasoning about a Simulated Printer Case Investigation with Forensic Lucid ... 282
    Serguei A. Mokhov, Joey Paquet, and Mourad Debbabi

Author Index ... 297

The Role of Perception in Age Estimation

Cynthia A. Murphy
Madison Police Department, 211 S. Carroll Street, Madison, WI 53703
[email protected]

Abstract. Law enforcement is increasingly called upon to investigate child exploitation crimes, work that involves the important task of estimating the age of depicted children. There is limited research into our ability to perceive adult versus child and to more specifically estimate the age of a child based upon an image. There are few training programs available and a lack of uniform methodology for child age estimation. A more stable foundation can be found through input from multidisciplinary fields in science and art.
The results of surveys and review of multidisciplinary literature indicate that the human ability to perceive the difference between juvenile and adult is not just a matter of common sense, but a hardwired, preconscious condition of human experience based upon perceptual cues, and further indicate a normative ability to make reasonably accurate age estimations based upon facial features and proportion when provided with an evaluative framework.

Keywords: Child sexual abuse images, child pornography, age estimation, computer forensics, digital forensics, cyber crime investigation, child exploitation, law enforcement, perception.

1 Introduction

The Internet and digital photography technologies have played a significant role in the proliferation and availability of child pornography¹ and in the increasing number of child exploitation investigations. As a consequence, law enforcement investigators, including digital forensic examiners², are increasingly tasked with investigating and assisting in the prosecution of these crimes. The ability to estimate the ages of unidentified children depicted in illicit media is an important, understudied, and challenging area of consideration.

During the investigation of child pornography cases, investigators are often directly involved in the estimation of the age of child victims depicted in illicit media. In some cases, the identity of the child depicted in the sexually explicit media is known and estimation of the age of the depicted child is simply a matter of determining at what point during the child’s life the media was created, and how old

¹ The term “child sexual abuse images” is often considered a more appropriate reflection of the contents of the visual representations encompassed by the term child pornography because the term “pornography” insinuates the consent of the child/children featured in the visual representations.
² The terms forensic examiner and investigator are used interchangeably herein.

P. Gladyshev and M.K. Rogers (Eds.): ICDF2C 2011, LNICST 88, pp. 1–16, 2012.
© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2012