Chapter

A Systematic Literature Review on Forensics in Cloud, IoT, AI & Blockchain


Abstract

In the growing diversity of software applications, cybersecurity plays a vital role in preserving data and avoiding losses of money, knowledge, and assets for businesses and individuals. The Internet of Things and cloud computing are nowadays an integral part of most software applications, helping to acquire and store data seamlessly. They provide convenient accessibility for the end user, such as home automation, storage of huge data streams, and elasticity for increasing or decreasing the volume of data. When decentralized behavior is required, applications need to be transformed to blockchain technology. Blockchain technology offers value-added features to applications in terms of enhanced security and easier traceability; its unchangeable and incorruptible nature protects it from tampering and hacking. Forensics requires the collection, preservation, and analysis of digital evidence. Artificial Intelligence is predominant in many areas, and momentum is gaining to utilize it in the field of forensics. This chapter reviews the application of forensics using Artificial Intelligence in the fields of cloud computing, IoT, and blockchain technology. To fulfill the study's goal, a systematic literature review (SLR) was done. Documents were extracted by manually searching six (6) well-known databases, and thirty-three (33) primary studies were eventually considered based on the study topic. The study found that (1) IoT forensics research has several well-known challenges and open issues, as it depends on other technologies and is crucial when considering an end-to-end IoT application as an integrated environment with cloud and other technologies; (2) there has been less research dedicated to the use of AI in the field of forensics; and (3) no contributions on forensic analysis of attacks in blockchain-based systems were found.

Keywords: Forensics; Cloud computing; Blockchain technology; Provenance; IoT; AI; Machine learning


... The applications built on holochains may be used in a variety of ways and are more efficient than blockchains (no token or mining required) [28]. Because of Holochain, humans will be able to engage with each other without depending on any authority to define or unilaterally modify the rules that govern their interactions with each other. ...
... In the end, the victorious node is chosen at random, thus consensus isn't precisely what it is in the real world. In any event, the blockchain nodes agree on a global state of data, where each node has a copy of the same information [28]. The supply information of HoT token is shown in table 4. As a result, the issue of scalability arises: writing and storing the same data on all nodes demands a significant amount of computer power. ...
Article
Full-text available
The accomplishment of blockchain has increased the focus on the various applications for simplifying the confidentiality and transaction sanctuary using the decentralized architecture via consensus mechanisms between different internet of things (IoT) nodes in daily increasing societal areas. The growth of blockchain has continued, and it is used to compare technologies. The major shortcoming of blockchain is the lack of scalability in modern application settings. Holochain technology presents itself as a "thinking" exterior to blocks, and it is a peer-to-peer disseminated ledger technology. It works differently compared to the blockchain, and it offers an exclusive value in the existing market. IoT devices are continuously used in distributed environments, in various smart applications. The peer-to-peer IoT networks connected to smart agricultural systems are exposed to security issues. Specifically, the personal data of agricultural land records need protection against unauthorized access and eradication of corruption in land transactions. The Blockchain offers a possible solution based on distributed ledger, but it has scalability issues due to high storage and processing requirements with growing network size. Also, data is not locally stored in a Blockchain. This paper studies the conventions of holochain technology, its architecture and challenges, and critical mechanisms of holochain applications. We also analyze the numerous models utilized for the implementation of protected transactions. We discuss an agent-centric framework with a distributed hash table for secured applications.
... Despite the concerns of standardized privacy and preservation, the technology could not be used as an indicator for future development based on the log-enabling functionalities [11]. However, most of the work in social media forensics is observational, which is related to multimedia. ...
Article
Full-text available
Ambient Intelligence is a concept that relates to a new paradigm of pervasive computing and has the objective of automating responses from the system to humans without any human intervention. In social media forensics, gathering, analyzing, storing, and validating relevant evidence for investigation in a heterogeneous environment is still questionable. There is no hierarchy for automation, even though standardization and secure processes from data collection to validation have not yet been discussed. This poses serious issues for the current investigation procedures and future evidence chain of custody management. This paper contributes threefold. First, it proposes a framework using a blockchain network with a dual chain of data transmission for privacy protection, such as on-chain and off-chain. Second, a protocol is designed to detect and separate local and global cyber threats and undermine multiple federated principles to personalize search space broadly. Third, this study manages personalized updates by means of optimizing backtracking parameters and automating replacements, which directly affects the reduction of negative influence on the social networking environment in terms of imbalanced and distributed data issues. This proposed framework enhances stability in digital investigation. In addition, the simulation uses an extensive social media dataset in different cyberspaces with a variety of cyber threats to investigate. The proposed work outperformed as compared to traditional single-level personalized search and other state-of-the-art schemes.

Keywords: Ambient intelligence; Social media forensics; Blockchain technology; Internet of things (IoT); Federated learning; Digital investigation
... Ganesh et al. [21] provided a literature review on the application of forensics using Artificial Intelligence in the field of Cloud computing, IoT, and Blockchain technology. ...
Article
Contemporary societies are increasingly dependent on products and services provided by Critical Infrastructure (CI) such as power plants, energy distribution networks, transportation systems and manufacturing facilities. Due to their nature, size and complexity, such CIs are often supported by Industrial Automation and Control Systems (IACS), which are in charge of managing assets and controlling everyday operations. As these IACS become larger and more complex, encompassing a growing number of processes and interconnected monitoring and actuating devices, the attack surface of the underlying CIs increases. This situation calls for new strategies to improve Critical Infrastructure Protection (CIP) frameworks, based on evolved approaches for data analytics, able to gather insights from the CI. In this paper, we propose an Intrusion and Anomaly Detection System (IADS) framework that adopts forensics and compliance auditing capabilities at its core to improve CIP. Adopted forensics techniques help to address, for instance, post-incident analysis and investigation, while the support of continuous auditing processes simplifies compliance management and service quality assessment. More specifically, after discussing the rationale for such a framework, this paper presents a formal description of the proposed components and functions and discusses how the framework can be implemented using a cloud-native approach, to address both functional and non-functional requirements. An experimental analysis of the framework scalability is also provided.
Article
Privacy and security are the most concerning topics while using cloud-based applications. Malware detection in cloud applications is important in identifying application malware activity. So, a novel Goat-based Recurrent Forensic Mechanism (GbRFM) is used to detect the attack and provide the attack type in cloud-based applications. At first, the dataset is pre-processed in the hidden phase, and the errorless features are extracted. The proposed model also trains the output of the hidden layer to identify and classify the malware. The wild goat algorithm enhances the identification rate by accurately detecting the attack. Using the NSL-KDD data, the present research was verified, and the outcomes were evaluated. The performance assessment indicates that the developed model gained a 99.26% accuracy rate for the NSL-KDD dataset. Moreover, to validate the efficiency of the proposed model, the outcomes are compared with other techniques. The comparison analysis proved that the proposed model attained better results.
Article
Full-text available
Social media evidence is the new topic in digital forensics. If social media information is correctly explored, there will be significant support for investigating various offenses. Exploring social media information to give the government potential proof of a crime is not an easy task. Digital forensic investigation is based on natural language processing (NLP) techniques and the blockchain framework proposed in this process. The main reason for using NLP in this process is for data collection analysis, representations of every phase, vectorization phase, feature selection, and classifier evaluation. Applying a blockchain technique in this system secures the data information to avoid hacking and any network attack. The system’s potential is demonstrated by using a real-world dataset.
Article
Full-text available
Security Information and Event Management (SIEM) systems have been widely deployed as a powerful tool to prevent, detect, and react against cyber-attacks. SIEM solutions have evolved to become comprehensive systems that provide a wide visibility to identify areas of high risks and proactively focus on mitigation strategies aiming at reducing costs and time for incident response. Currently, SIEM systems and related solutions are slowly converging with big data analytics tools. We survey the most widely used SIEMs regarding their critical functionality and provide an analysis of external factors affecting the SIEM landscape in mid and long-term. A list of potential enhancements for the next generation of SIEMs is provided as part of the review of existing solutions as well as an analysis on their benefits and usage in critical infrastructures.
Article
Full-text available
As a disruptive emerging technology, the Internet of things (IoT) has rapidly developed, but its privacy risks and security vulnerabilities are still key challenges. The decentralized and distributed architecture of blockchain has the potential to satisfy IoT privacy and security requirements. This gives birth to the new domain of blockchain for IoT (BIoT). BIoT will cause significant transformations across several industries, paving the way for new business models. Based on the Science Citation Index Expanded (SCIE) and Social Sciences Citation Index (SSCI) databases in Web of Science (WoS) Core Collection, this study aims to explore the research trends and cooperation in the field of BIoT using the bibliometric method. The results indicate that the publications in this field have increased significantly from 2016 to 2020, with China and the USA being the most productive and influential countries. Keyword co-occurrence analysis shows that the most important research topics are as follows: security issues, core technologies, application dimensions, and transaction processes. Text mining analysis indicates that future research directions for BIoT will focus more on both computing paradigms and key applications. This study will provide researchers with a greater understanding of the state of the art of BIoT and will serve as a reference for researchers engaging in this field to identify their own future research directions.
Conference Paper
Full-text available
Although Blockchain is still an emerging technology it has the potential to serve as a general purpose information technology platform. Already, smart contract / chaincode platforms, such as Ethereum and Hyperledger Fabric, provide support for the execution of arbitrary computations. However, the suitability of these platforms for specifying and enforcing data and service usage constraints (e.g., usage policies, regulatory obligations, societal norms) and providing guarantees with respect to conformance has yet to be determined. In order to address this gap, in this position paper we argue that symbolic artificial intelligence techniques in the form of semantic technology based policy languages and business process conformance tools and techniques, can together be used to provide guarantees with respect to the behaviour of autonomous smart contract / chaincode applications.
Article
Full-text available
The blockchain technology is taking the world by storm. Blockchain, with its decentralized, transparent and secure nature, has emerged as a disruptive technology for the next generation of numerous industrial applications. One of them is Cloud of Things, enabled by the combination of cloud computing and Internet of Things. In this context, blockchain provides innovative solutions to address challenges in Cloud of Things in terms of decentralization, data privacy and network security, while Cloud of Things offers elasticity and scalability functionalities to improve the efficiency of blockchain operations. Therefore, a novel paradigm of blockchain and Cloud of Things integration, called BCoT, has been widely regarded as a promising enabler for a wide range of application scenarios. In this paper, we present a state-of-the-art review on the BCoT integration to provide general readers with an overview of the BCoT in various aspects, including background knowledge, motivation, and integrated architecture. Particularly, we also provide an in-depth survey of BCoT applications in different use-case domains such as smart healthcare, smart city, smart transportation and smart industry. Then, we review the recent BCoT developments with the emerging blockchain and cloud platforms, services, and research projects. Finally, some important research challenges and future directions are highlighted to spur further research in this promising area.
Article
Full-text available
Collecting and preserving the smart environment logs connected to cloud storage is challenging due to the black-box nature and the multi-tenant cloud models, which can pervade log secrecy and privacy. The existing work for log secrecy and confidentiality depends on cloud-assisted models, but these models are prone to multi-stakeholder collusion problems. This study proposes 'PLAF,' a holistic and automated architecture for proactive forensics in the Internet of Things (IoT) that considers the security- and privacy-aware distributed edge node log preservation by tackling the multi-stakeholder issue in a fog-enabled cloud. We have developed a test-bed to implement the specification, as mentioned earlier, by incorporating many state-of-the-art technologies in one place. We used Holochain to preserve log integrity, provenance, log verifiability, trust admissibility, and ownership non-repudiation. We introduced the privacy preservation automation of log probing via non-malicious command and control botnets in the container environment. For continuous and robust integration of IoT microservices, we used Docker containerization technology. For secure storage and session establishment for log validation, Paillier Homomorphic Encryption and SSL with Curve25519 are used, respectively. We performed the security and performance analysis of the proposed PLAF architecture and showed that, in stress conditions, the automatic log harvesting running in containers gives a 95% confidence interval. Moreover, we show that log preservation via Holochain can be performed on ARM-based architectures such as Raspberry Pi in much less time when compared with RSA and blockchain.
Article
Full-text available
Currently, universities, as centers of research and innovation, integrate in their processes various technologies that allow improving services and processes for their members. Among the innovative technologies are the Internet of Things that, through a variety of devices, allows obtaining data from the environment and people. This information is processed in cloud computing models and Big Data architectures that obtain knowledge through data analysis. These results lead to improving processes and making better decisions that improve the services available at the university. The integration of technologies allows for the generation of a sustainable environment that seeks the cohesion of the population with the environment, in such a way that economic growth is guaranteed in balance with the environment. However, all technology needs to guarantee the security of processes and data, and for this purpose, a new technology such as blockchain is integrated, which seeks to respond to two needs, the security and agility of processes. Integrating this technology in a university requires the analysis of the blockchain components to generate a new layer that adapts to the architecture of a university campus. This ensures that the data are kept cryptographically private to avoid exposure and that the entire process is verified by multiple blocks.
Article
Full-text available
One of the biggest challenges in IoT-forensics is the analysis and correlation of heterogeneous digital evidence, to enable an effective understanding of complex scenarios. This paper defines a methodology for extracting unique objects (e.g., representing users or devices) from the files of a case, defining the context of the digital investigation and increasing the knowledge progressively, using additional files from the case (e.g. network captures). The solution includes external searches using open source intelligence (OSINT) sources when needed. In order to illustrate this approach, the proposed methodology is implemented in the JSON Users and Devices analysis (JUDAS) tool, which is able to generate the context from JSON files, complete it, and show the whole context using dynamic graphs. The approach is validated using the files in an IoT-Forensic digital investigation where an important set of potential digital evidence extracted from Amazon’s Alexa Cloud is analysed.
Article
Full-text available
Today is the era of the Internet of Things (IoT). The recent advances in hardware and information technology have accelerated the deployment of billions of interconnected, smart and adaptive devices, in critical infrastructures like health, transportation, environmental control and home automation. Transferring data over a network without requiring any kind of human-to-computer or human-to-human interaction, brings reliability and convenience to consumers, but also opens a new world of opportunity for intruders, and introduces a whole set of unique and complicated questions to the field of Digital Forensics. Although IoT data could be a rich source of evidence, forensics professionals cope with diverse problems, starting from the huge variety of IoT devices and non-standard formats, to the multi-tenant cloud infrastructure and the resulting multi-jurisdictional litigations. A further challenge is the end-to-end encryption which represents a trade-off between users' right to privacy and the success of the forensics investigation. Due to its volatile nature, digital evidence has to be acquired and analysed using validated tools and techniques that ensure the maintenance of the Chain of Custody. Therefore, the purpose of this paper is to identify and discuss the main issues involved in the complex process of IoT-based investigations, particularly all legal, privacy and cloud security challenges. Furthermore, this work provides an overview of the past and current theoretical models in the digital forensics science. Special attention is paid to frameworks that aim to extract data in a privacy-preserving manner or secure the evidence integrity using decentralized blockchain-based solutions. In addition, the present paper addresses the ongoing Forensics-as-a-Service (FaaS) paradigm, as well as some promising cross-cutting data reduction and forensics intelligence techniques. Finally, several other research trends and open issues are presented, with emphasis on the need for proactive Forensics Readiness strategies and generally agreed-upon standards.
Article
Full-text available
There are two different concepts [Internet of Things (IoT) and cloud computing] influencing our lives in many ways, and they will further be used and highlighted in the future of the Internet. The present systematic study discusses a combination of these two concepts. Many studies have focused on IoT and cloud computing separately. These studies lack a deep investigation of their combination, which has new challenges and issues. Yet, their recent integration has received primary focus. This systematic study attempts to analyse how the combination of IoT and cloud has been presented and detects the challenges and metrics of such integration. Further, this analysis aims to develop an understanding of the current state of this integration by overviewing a collection of 38 recent papers. The contributions of this study, in brief, are: (i) overviewing the current challenges correlated with the combination of cloud computing and IoT; (ii) presenting the anatomy of some proposed combination platforms, applications, and integrations; (iii) summarising major areas to boost the integration of cloud and IoT in upcoming works.
Article
Full-text available
Cloud forensics is an intelligent evolution of digital forensics that defends against cyber-crimes. However, centralized evidence collection and preservation minimizes the reliability of digital evidence. To resolve this severe problem, this paper proposes a novel digital forensic architecture using fast-growing Software-Defined Networking (SDN) and Blockchain technology for Infrastructure-as-a-Service (IaaS) cloud. In this proposed forensic architecture, the evidence is collected and preserved in the blockchain that is distributed among multiple peers. To protect the system from unauthorized users, a Secure Ring Verification based Authentication (SRVA) scheme is proposed. To strengthen the cloud environment, secret keys are generated optimally by using the Harmony Search Optimization (HSO) algorithm. All data are encrypted based on the sensitivity level and stored in the cloud server. For encryption, the Sensitivity Aware Deep Elliptic Curve Cryptography (SA-DECC) algorithm is presented. For every data item stored in the cloud, a block is created in the SDN controller and the history of the data is recorded as metadata. In each block, the Merkle hash tree is built by using Secure Hashing Algorithm-3 (SHA-3). Our system allows users to trace their data by deploying Fuzzy based Smart Contracts (FCS). Finally, evidence analysis is enabled by constructing a Logical Graph of Evidence (LGoE) collected from the blockchain. Experiments are conducted in an integrated environment of Java (for cloud and blockchain) and network simulator-3.26 (for SDN). The extensive analysis shows that the proposed forensic architecture shows promising results in response time, evidence insertion time, evidence verification time, communication overhead, hash computation time, key generation time, encryption time, decryption time and total change rate.
Conference Paper
Full-text available
Users utilize IoT devices and sensors in a co-operative manner to enable the concept of a smart environment. This integration generates data with high forensic value. Nonetheless, current smart app programming platforms do not provide any digital forensics capability to identify, trace, store, and analyze the data produced in these settings. To overcome these limitations, in this poster, we present our ongoing work to introduce a novel digital forensic framework for a smart environment.
Article
Full-text available
Since the publication of Satoshi Nakamoto's white paper on Bitcoin in 2008, blockchain has (slowly) become one of the most frequently discussed methods for securing data storage and transfer through decentralized, trustless, peer-to-peer systems. This research identifies peer-reviewed literature that seeks to utilize blockchain for cyber security purposes and presents a systematic analysis of the most frequently adopted blockchain security applications. Our findings show that the Internet of Things (IoT) lends itself well to novel blockchain applications, as do networks and machine visualization, public key cryptography, web applications, certification schemes and the secure storage of Personally Identifiable Information (PII). This timely systematic review also sheds light on future directions of research, education and practices in the blockchain and cyber security space, such as security of blockchain in IoT, security of blockchain for AI data, and sidechain security, etc.
Article
Full-text available
Until now, there has been little research on digital forensics in the IoT (Internet of Things)-based infrastructure. Current digital forensic tools, investigation frameworks, and processes cannot meet the heterogeneity and distribution characteristics of the IoT environment. These characteristics are a challenge for digital forensic investigators and law enforcement agencies. To solve these problems, this paper proposes a digital forensics framework for the IoT environment based on the blockchain technology. In the proposed framework, all communications of IoT devices are stored in the blockchain as transactions, thus making the existing chain of custody process easier and more powerful. By using the blockchain technology, the integrity of the data to be analyzed is ensured and security is strengthened, and the preservation of integrity is made more reliable by a decentralized method of integrity preservation. In addition, since the public distributed ledger is provided, participants in the forensic investigation—such as device users, manufacturers, investigators, and service providers—can confirm the investigation process transparently. We simulated the proposed model to support the proof of concept.
Article
Full-text available
Forensic analyst skills are at stake for processing the growing data from IoT-based environment platforms. Tangible sources often have size limits, but that's not the case for communication traffic sources; hence the increasing thirst for efficient benchmarking for big data analysis. Available solutions to date have used an anomaly-based approach or have proposed approaches based on the deviation from a regular pattern. To tackle the seized bytes, the authors have proposed an approach for big data forensics, with efficient sensitivity and precision. In the presented work, a generalized forensic framework has been proposed that uses Google's programming model, MapReduce, as the backbone for traffic translation, extraction, and analysis of dynamic traffic features. For the proposed technique, the authors have used open source tools like Hadoop, Hive, Mahout and R. Apart from being open source, these tools support scalability and parallel processing. Also, a comparative analysis of globally accepted machine learning models of P2P malware analysis in mocked real-time is presented. A dataset from CAIDA was taken and executed in parallel to validate the proposed model. Finally, the forensic performance metrics of the model show results with a sensitivity of 99%. © 2018 Springer Science+Business Media, LLC, part of Springer Nature
Article
Full-text available
IoT-Forensics is a novel paradigm for the acquisition of electronic evidence whose operation is conditioned by the peculiarities of the Internet of Things (IoT) context. As a branch of computer forensics, this discipline respects the most basic forensic principles of preservation, traceability, documentation, and authorization. The digital witness approach also promotes such principles in the context of the IoT while allowing personal devices to cooperate in digital investigations by voluntarily providing electronic evidence to the authorities. However, this solution is highly dependent on the willingness of citizens to collaborate and they may be reluctant to do so if the sensitive information within their personal devices is not sufficiently protected when shared with the investigators. In this paper, we provide the digital witness approach with a methodology that enables citizens to share their data with some privacy guarantees. We apply the PRoFIT methodology, originally defined for IoT-Forensics environments, to the digital witness approach in order to unleash its full potential. Finally, we show the feasibility of a PRoFIT-compliant digital witness with two use cases.
Chapter
Full-text available
The rapid rise in technology today has brought to the limelight mobile devices, which are now being used as a tool to commit crime. Therefore, proper steps need to be ensured for the Confidentiality, Integrity, Authenticity and legal acquisition of any form of digital evidence from mobile devices. This study evaluates some mobile forensic tools that were developed mainly for mobile device memory and SIM cards. An experiment was designed with five Android phones with different operating systems. Four tools were used to find out the capability and efficiency of the tools when used on the sampled phones. This would help the forensic investigator to know the type of tools that will be suitable for each phone to be investigated for acquiring digital evidence. The evaluation result showed that AccessData FTK Imager and Paraben Device Seizure perform better than EnCase and MOBILedit. The experimental result shows that EnCase could detect the unallocated space on the mobile device but could retrieve deleted data.
Chapter
Full-text available
Cloud forensics is the new emerging science where traditional digital forensics methodology and cloud computational intelligence have been blended in such a way that all the malicious cloud criminals can be identified and punished in a justified manner. The distributed and black-box architecture of the cloud has faded the concept of examining each and every local host to identify proper malicious actors. Here, an obvious demand for an automated criminal recognition model has come into play. This paper mainly focuses on this legitimate demand of cloud forensic investigators by proposing a Cloud Malicious Actor Identifier model. This model identifies the malicious actors related to a particular crime scene and ranks them according to their probability of being malicious using a very well-known machine learning technique, Boosting. The main purpose of this model is to mitigate the overhead of probing each and every IP address during investigation. The performance evaluation of the proposed model has also been explained with logical explanation and achieved output.
Chapter
As the digitization of information-intensive processes gains momentum nowadays, concern is growing about how to deal with the ever-growing problem of cybercrime. To this end, law enforcement officials and security firms use sophisticated digital forensics techniques for analysing and investigating cybercrimes. However, multi-jurisdictional mandates, interoperability issues, the massive amount of evidence gathered (multimedia, text, etc.) and the multiple stakeholders involved (law enforcement agencies, security firms, etc.) are just a few of the challenges that hinder the adoption and implementation of sound digital forensics schemes. Blockchain technology has recently been proposed as a viable solution for developing robust digital forensics mechanisms. In this chapter, we provide an overview and classification of the available blockchain-based digital forensic tools, and we further describe their main features. We also offer a thorough analysis of the various benefits and challenges of the symbiotic relationship between blockchain technology and current digital forensics approaches, as proposed in the available literature. Based on the findings, we identify various research gaps, and we suggest future research directions that are expected to be of significant value both for academics and practitioners in the field of digital forensics.
Article
Lawful evidence management in digital forensics is of paramount importance in police investigations because such evidence is used to convict suspects of crimes. Existing studies have adopted cloud computing to collect evidence and then leveraged blockchain to support the transparency, immutability, and auditability of the evidence. Unfortunately, such studies only rely on a weak security model and do not cover the entire life cycle of the evidence or address the key privacy issues, i.e., witness privacy in evidence collection and juror privacy in court trials. In this work, we propose LEChain, a blockchain-based lawful evidence management scheme to supervise the entire evidence flow and all of the court data (e.g., votes and trial results), extending from evidence collection and access during the police investigation to jury voting in the court trials. Specifically, we utilize short randomizable signatures to anonymously authenticate witnesses’ identities to protect the witness privacy. Then, we leverage fine-grained access control based on ciphertext-policy attribute-based encryption for evidence access. Next, we design a secure voting method to protect juror privacy. In addition, we build a consortium blockchain to record evidence transactions. Finally, we formally analyze the security and privacy of LEChain and evaluate its computational costs and communication overhead by implementing a prototype based on a local Ethereum test network.
Article
Despite the benefits that digital forensic medical evidence offers, the custody and sharing of such information remains an ongoing problem. While waiting for an optimal solution, both professionals and institutions must evaluate their options and choose the least disadvantageous among them. This paper proposes resolving the problem through an operational hybrid platform that uses a consensus mechanism to record a transparent history of access and prevent unauthorised users from modifying it. The digital evidence is encrypted and saved in an online file storage system, while the file properties are stored on a private implementation of the Hyperledger Fabric™ blockchain. The blockchain nodes allow access to the data through a dynamic consensus mechanism, and all operations (like uploads, views, or deletions) are continuously and permanently recorded on the blockchain. The network is safe and accessible through a dedicated application. All information is agreed upon and shared between the blockchain nodes to avoid single points of failure, and secure access to digital evidence is assured by combining cryptography and the blockchain consensus mechanism. The result is a secure and complete framework with which to upload, store and share digital forensic medical evidence. Despite some limitations, this proposal offers an implementable solution for the custody of digital evidence in forensic medicine that has been identified through existing and innovative technologies, the implementation of a proof of principle prototype, and benchmarks.
Article
In parallel with the exponentially growing number of computing devices and IoT networks, the data storage and processing requirements of digital forensics are also increasing. Therefore, automation is highly desired in this field, yet not readily available, and many challenges remain, ranging from unstructured forensic data derived from diverse sources to a lack of semantics defined for digital forensic investigation concepts. By formally describing digital forensic concepts and properties, purpose‐designed ontologies enable integrity checking via automated reasoning and facilitate anomaly detection for the chain of custody in digital forensic investigations. This article provides a review of these ontologies, and investigates their applicability in the automation of processing traces of digital evidence. This article is categorized under: • Digital and Multimedia Science > Artificial Intelligence • Digital and Multimedia Science > Cybercrime Investigation • Digital and Multimedia Science > Cyber Threat Intelligence
Article
The challenges of cloud forensics have been well-documented by both researchers and government agencies (e.g., U.S. National Institute of Standards and Technology), although many of the challenges remain unresolved. In this article, we perform a comprehensive survey of cloud forensic literature published between January 2007 and December 2018, categorized using a five-step forensic investigation process. We also present a taxonomy of existing cloud forensic solutions, with the aim of better informing both the research and practitioner communities, as well as an in-depth discussion of existing conventional digital forensic tools and cloud-specific forensic investigation tools. Based on the findings from the survey, we present a set of design guidelines to inform future cloud forensic investigation processes, and a summary of digital artifacts that can be obtained from different stakeholders in the cloud computing architecture/ecosystem.
Article
Background: The easy accessibility and simplicity of Short Message Services (SMS) have made them attractive to malicious users, thereby incurring unnecessary costs for mobile users and for network providers' resources. Aim: The aim of this paper is to identify and review the existing state-of-the-art methodology for SMS spam based on certain metrics: AI methods and techniques, approaches and deployment environment, and the overall acceptability of existing SMS applications. Methodology: This study explored eleven databases, which include IEEE, Science Direct, Springer, Wiley, ACM, DBLP, Emerald, SU, Sage, Google Scholar, and Taylor and Francis; a total of 1198 publications were found. Several screening criteria were applied to select relevant papers, such as duplicate removal, removal based on irrelevancy, and abstract eligibility based on the removal of papers with ambiguity (undefined methodology). Finally, 83 papers were identified for in-depth analysis and relevance. A quantitative evaluation was conducted on the selected studies using seven search strategies (SS): source, methods/techniques, AI approach, architecture, status, datasets and SMS spam mobile applications. Result: A Quantitative Analysis (QA) was conducted on the selected studies, and the result based on existing methodology for classification shows that machine learning gave the highest result, with 49%, with algorithms such as Bayesian and support vector machines showing the highest usage, compared with statistical analysis at 39% and evolutionary algorithms at 12%. However, the QA for feature selection methods shows that more studies utilized document frequency, term frequency and n-gram techniques for an effective feature selection process. The result based on existing approaches for content-based, non-content and hybrid approaches is 83%, 5%, and 12% respectively. The QA based on architecture shows that 25% of existing solutions are deployed on the client side, 19% on the server side, 6% collaborative and 50% unspecified. This survey was able to identify the status of existing SMS spam research: 35% of existing studies were based on proposed new methods using existing algorithms, 29% on evaluation of existing algorithms only, and 20% on proposed methods only. Conclusion: This study concludes with very interesting findings which show that the majority of existing SMS spam filtering solutions are still at the "Proposed" or "Proposed and Evaluated" status. In addition, a taxonomy of existing state-of-the-art methodologies is developed, and it is concluded that 8.23% of Android users actually utilize the existing SMS anti-spam applications. Our study also concludes that there is a need for researchers to exploit all security methods and algorithms to secure SMS, thus enhancing further classification in other short message platforms. A new English SMS spam dataset is also generated for future research efforts in text mining and tele-marketing for reducing global spam activities.
Article
In recent years, the Internet of Things (IoT) has been industrializing in several real-world applications, such as smart transportation and smart cities, to make human life more reliable. With the increasing industrialization of IoT, an excessive amount of sensing data is produced by various sensor devices in the Industrial IoT. For the analysis of big data, Artificial Intelligence (AI) plays a significant role as a strong analytic tool and delivers scalable and accurate analysis of data in real time. However, the design and development of a useful big data analysis tool using AI faces some challenges, such as centralized architecture, security and privacy, resource constraints, and lack of enough training data. Conversely, as an emerging technology, blockchain supports a decentralized architecture. It provides secure sharing of data and resources to the various nodes of the IoT network, which removes centralized control and can overcome the existing challenges in AI. The main goal of our research is to design and develop an IoT architecture with blockchain and AI to support effective big data analysis. In this paper, we propose a Blockchain-enabled Intelligent IoT Architecture with Artificial Intelligence (BlockIoTIntelligence) that provides an efficient way of converging blockchain and AI for IoT with current state-of-the-art techniques and applications. We evaluate the proposed architecture in two parts: qualitative analysis and quantitative analysis. In the qualitative evaluation, we describe how to use AI and blockchain in IoT applications as "AI-driven Blockchain" and "Blockchain-driven AI." In the quantitative analysis, we present a performance evaluation of the BlockIoTIntelligence architecture to compare existing research on device, fog, edge and cloud intelligence according to parameters such as accuracy, latency, security and privacy, computational complexity and energy cost in IoT applications. The evaluation results show that the proposed architecture outperforms the existing IoT architectures and mitigates the current challenges.
Article
The decentralized nature of blockchain technologies matches well the needs for integrity and provenance of evidence collected in digital forensics (DF) across jurisdictional borders. In this paper, a novel blockchain-based DF investigation framework for the Internet of Things (IoT) and social systems environment is proposed, which can provide proof of existence and privacy preservation for the examination of evidence items. To implement such features, we present a blockchain-enabled forensics framework for IoT, namely the IoT forensic chain (IoTFC), which can offer forensic investigation with good authenticity, immutability, traceability, resilience, and distributed trust between evidential entities as well as examiners. The IoTFC can deliver a guarantee of traceability and track the provenance of evidence items. Details of evidence identification, preservation, analysis, and presentation are recorded in chains of blocks. The IoTFC can increase trust in both evidence items and examiners by providing transparency of the audit trail. The use case demonstrated the effectiveness of the proposed method.
Chapter
Cloud computing has become a prominent and widespread technology nowadays. However, it suffers from increasingly serious security issues. To solve these issues, forensic techniques need to be applied in the cloud. Logs are a paramount element in forensic investigations to reveal the 3Ws, i.e., who, what and when, of a suspicious activity. For that reason, secure preservation and investigation of different logs is an essential job for cloud forensics. Due to the very little control users have over clouds, it is very difficult to collect authentic logs from a cloud environment while preserving integrity and confidentiality. Until now, the forensic investigator has had to trust the Cloud Service Provider (CSP), who collects the logs from the individual sources of the cloud environment. However, untrusted cloud stakeholders and malicious entities outside the cloud can collude with each other to alter the logs after the fact and remain untraceable. Thus, the validity of the provided logs for forensics can be questionable. In this paper, we propose BlockSLaaS, a forensic-aware, blockchain-assisted secure logging-as-a-service for the cloud environment, which securely stores and processes logs by tackling the multi-stakeholder collusion problem and ensuring integrity and confidentiality. The integrity of logs is ensured using the immutable property of blockchain technology. Only the Cloud Forensic Investigator (CFI) is able to access the logs for forensic investigation, through BlockSLaaS, which preserves the confidentiality of the logs.
Article
To expedite the forensic investigation process in the cloud, excessive and yet volatile data needs to be acquired, transmitted and analyzed in a timely manner. A common assumption for most existing forensic systems is that credible data can always be collected from a cloud infrastructure, which might be susceptible to various exploits. In this paper, we present the design, implementation, and evaluation of LiveForen, a system that enforces a trustworthy forensic data acquisition and transmission process in the cloud, whose computer platforms’ integrity has been verified. To fulfill this objective, we propose two secure protocols that verify the fingerprints of the computer platforms, as well as the attributes of the human agents, by taking advantage of the trusted platform module (TPM) and the attribute-based encryption (ABE). To transmit forensic data as a data stream and verify its integrity at the same time, a unique fragile watermark is embedded into the data stream without altering the data itself. The watermark allows not only the data integrity to be verified, but also any malicious data manipulation to be localized, with minimum communication overhead. The experimental results demonstrate that LiveForen achieves good scalability and limited performance overhead for authentication, data transmission, and integrity verification in an Infrastructure as a Service (IaaS) cloud environment.
Chapter
The need for digital forensic analysis in response to the unprecedented growth in the number of cases involving and depending on electronic data is at an all-time high. The rapid evolution of technology has further complicated matters, necessitating the acquisition and analysis of digital evidence from a wide variety of media. Current digital forensic analysis capabilities using standalone forensic workstations are arduously time-consuming and have long been surpassed by the ever-growing case backlog. However, fundamental advances in the computing and communications industry have catalyzed the transformation of cloud computing from a mere plausibility to a hard reality and a survival necessity, especially for small and medium business enterprises. It has fueled numerous business opportunities in the service industry as well as innovation across verticals that were previously beyond the reach of available computing resources. It is now time to embrace the dawn of this evolution and develop innovative solutions to address the ever-growing and seemingly insurmountable challenge faced by the digital forensics community.
Article
Advancements in the Information Technology landscape over the past two decades have made the collection, preservation, and analysis of digital evidence an extremely important tool for solving cybercrimes and preparing court cases. Digital evidence plays an important role in cybercrime investigation, as it is used to link individuals with criminal activities. Thus it is of utmost importance to guarantee the integrity, authenticity, and auditability of digital evidence as it moves along different levels of hierarchy in the chain of custody during a cybercrime investigation. Modern-day technology is more advanced in terms of portability and power. A huge amount of information is generated by billions of devices connected to the internet that needs to be stored and accessed, thus posing great challenges in maintaining the integrity and authenticity of digital evidence for its admissibility in a court of law. Handling digital evidence poses unique challenges because it is latent, volatile, fragile, can cross jurisdictional borders quickly and easily, and in many cases can be time/machine dependent too. Thus guaranteeing the authenticity and legality of the processes and procedures used to gather and transfer evidence in a digital society is a real challenge. Blockchain technology's capability of enabling a comprehensive view of transactions (events/actions) back to origination provides enormous promise for the forensic community. In this research we propose Forensic-Chain: a blockchain-based digital forensics chain of custody, bringing integrity and tamper resistance to the digital forensics chain of custody. We also provide a proof of concept in Hyperledger Composer and evaluate its performance.
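The chain-of-custody mechanism described in this abstract (and in the IoTFC entry above) comes down to a hash chain over custody records: every block commits to the evidence digest, the event fields and the previous block's hash, so editing one record breaks every later link. The following is an added example written for this review, not Forensic-Chain's own code or a Hyperledger Composer model. It is a minimal hash-chained custody ledger in Python whose field names, identifiers, key names and sample events are all constructed; the demo shows where a naive edit and a rehashed edit are each caught.

```python
"""Hash-chained chain-of-custody ledger.

Added example (not Forensic-Chain's code). Each custody event for an evidence
item is a block whose hash covers the evidence digest, the event fields and the
previous block's hash, so altering one record breaks every later link.
Field names, identifiers and sample events are constructed for illustration.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class CustodyBlock:
    index: int
    prev_hash: str
    evidence_id: str      # case-local item identifier (constructed)
    evidence_sha256: str  # digest of the acquired image, fixed at acquisition
    action: str           # "acquired", "transferred", "analysed", ...
    actor: str            # examiner or agency performing the action
    timestamp: str        # ISO-8601 time as recorded by the actor
    block_hash: str = ""  # SHA-256 over all fields above

    def canonical(self) -> bytes:
        body = asdict(self)
        body.pop("block_hash")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(block: CustodyBlock) -> str:
    return hashlib.sha256(block.canonical()).hexdigest()


class CustodyLedger:
    def __init__(self) -> None:
        self.blocks: List[CustodyBlock] = []

    def append(self, evidence_id: str, evidence: bytes, action: str,
               actor: str, timestamp: str) -> CustodyBlock:
        prev = self.blocks[-1].block_hash if self.blocks else GENESIS_HASH
        blk = CustodyBlock(len(self.blocks), prev, evidence_id,
                           hashlib.sha256(evidence).hexdigest(),
                           action, actor, timestamp)
        blk = replace(blk, block_hash=compute_hash(blk))
        self.blocks.append(blk)
        return blk

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first inconsistent block)."""
        prev = GENESIS_HASH
        for i, blk in enumerate(self.blocks):
            if (blk.index != i or blk.prev_hash != prev
                    or compute_hash(blk) != blk.block_hash):
                return False, i
            prev = blk.block_hash
        return True, None

    def evidence_unchanged(self, evidence_id: str, current: bytes) -> bool:
        """Compare a copy presented now with the digest recorded at acquisition."""
        acq = next((b for b in self.blocks
                    if b.evidence_id == evidence_id and b.action == "acquired"), None)
        return acq is not None and acq.evidence_sha256 == hashlib.sha256(current).hexdigest()


def demo() -> dict:
    image = b"constructed disk image bytes"  # stands in for an acquired image
    led = CustodyLedger()
    led.append("EV-001", image, "acquired", "examiner-A", "2021-03-01T09:00:00Z")
    led.append("EV-001", image, "transferred", "examiner-B", "2021-03-02T10:30:00Z")
    led.append("EV-001", image, "analysed", "examiner-B", "2021-03-03T14:00:00Z")
    ok_before, _ = led.verify()

    # Tamper 1: change who handled the item, leaving the stored hash alone.
    forged = replace(led.blocks[1], actor="examiner-X")
    led.blocks[1] = forged
    _, bad_hash = led.verify()  # detected at block 1: hash no longer matches

    # Tamper 2: the attacker also recomputes block 1's hash; block 2 still
    # references the original hash, so the break surfaces one block later.
    led.blocks[1] = replace(forged, block_hash=compute_hash(forged))
    _, bad_link = led.verify()  # detected at block 2: prev_hash mismatch

    return {"ok_before": ok_before,
            "hash_mismatch_at": bad_hash,
            "link_mismatch_at": bad_link,
            "image_matches": led.evidence_unchanged("EV-001", image),
            "altered_image_detected": not led.evidence_unchanged("EV-001", image + b"\x00")}
```

A blockchain deployment replaces the single in-memory list with replicated, consensus-agreed storage so that no one party can rewrite the tail of the chain; the verification walk is the same. Note what the ledger does and does not prove: the evidence digest was fixed at acquisition and the custody sequence has not been rewritten, but nothing here attests that the acquired image itself was correct.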
Article
This paper exposes and explores the practical issues with the usability of log artefacts for digital forensics in cloud computing. Logs, providing detailed events of actions on a time scale, have been a prime forensic artefact. However, collection of logs for analysis from a cloud computing environment is a complex and challenging task, primarily due to the volatility, multi-tenancy, authenticity and physical storage locations of logs, which often result in jurisdictional challenges too. The diverse nature of logs, such as network logs, system logs, database logs and application logs, produces additional complexity in their collection and analysis for investigative purposes. In addition, there is no commonality in log architecture between cloud service providers, nor does the log information fully meet the specific needs of forensic practitioners. In this paper we present a practical log architecture framework and analyse it from the perspective and business needs of forensic practitioners. We test the framework on ownCloud, a widely used open source platform. The log architecture has been assessed by validating it against the Association of Chief Police Officers Good Practice Guide for Computer-Based Electronic Evidence guidelines. Further validation has been done against the National Institute of Standards and Technology published report on Cloud Computing Forensic Challenges, i.e., NISTIR 8006. Our work helps forensic examiners and law enforcement agencies in establishing confidence in log artefacts and easy interpretation of logs by presenting them in a user-friendly way. Our work also helps investigators to build a collective chain of evidence, as well as Cloud Service Providers to provision forensics-enabled logging.
Book
This hands-on textbook provides an accessible introduction to the fundamentals of digital forensics. The text contains thorough coverage of the theoretical foundations, explaining what computer forensics is, what it can do, and also what it can’t. A particular focus is presented on establishing sound forensic thinking and methodology, supported by practical guidance on performing typical tasks and using common forensic tools. Emphasis is also placed on universal principles, as opposed to content unique to specific legislation in individual countries. Topics and features: • Introduces the fundamental concepts in digital forensics, and the steps involved in a forensic examination in a digital environment • Discusses the nature of what cybercrime is, and how digital evidence can be of use during criminal investigations into such crimes • Offers a practical overview of common practices for cracking encrypted data • Reviews key artifacts that have proven to be important in several cases, highlighting where to find these and how to correctly interpret them • Presents a survey of various different search techniques, and several forensic tools that are available for free • Examines the functions of AccessData Forensic Toolkit and Registry Viewer • Proposes methods for analyzing applications, timelining, determining the identity of the computer user, and deducing if the computer was remote controlled • Describes the central concepts relating to computer memory management, and how to perform different types of memory analysis using the open source tool Volatility • Provides review questions and practice tasks at the end of most chapters, and supporting video lectures on YouTube This easy-to-follow primer is an essential resource for students of computer forensics, and will also serve as a valuable reference for practitioners seeking instruction on performing forensic examinations in law enforcement or in the private sector. 
Joakim Kävrestad is a Lecturer in informatics at the University of Skövde, Sweden, with several years of experience as a forensic expert with the Swedish police.
Conference Paper
When digital evidence is presented in front of a court of law, it is seldom associated with a scientific evaluation of its relevance or significance. When experts are challenged about the validity of the digital evidence, the general answer is "yes, to a reasonable degree of scientific certainty", which means everything and nothing at the same time, since no scientific metric is volunteered. In this paper we aim at providing courts of law with weighted digital evidence. Each piece of digital evidence is assigned a confidence rating that eventually helps juries and magistrates in their endeavor. This paper presents a novel methodology in order to: provide digital forensics experts with the ability to form a digital evidence chain, the Digital Evidence Inventory (DEI), in a way similar to an evidence "block chain", in order to capture evidence; give experts the ability to rate the level of confidence for each piece of evidence in a Forensics Confidence Rating (FCR) structure; and provide experts with a Global Digital Timeline (GDT) to order evidence through time. As a result, this methodology provides courts of law with sound digital evidence, having a confidence level expressed in metrics and ordered through a timeline. The objective of this work is to add a reliable pinch of scientific certainty when dealing with digital evidence.
Article
The problem of cloud forensics aims at processing multidimensional, massive and heterogeneous data to collect and recover evidence in cloud environment. Existing approaches focus on excavating all suspicious behaviors from data and ignore privacy leakage details and behavioral characteristics. In order to conduct privacy leakage analysis in cloud specifically, we propose a multi-granularity privacy leakage forensics method to analyze privacy violations caused by malware in cloud environment. By simulating the target virtual machine environment, our method can detect privacy leakage behaviors of malware without touching user’s privacy data. We combine continuous RAM mirroring technology and dynamic taint analysis to assist the forensics investigation. To demonstrate the efficacy and utility of our method, we evaluate its performance with some real-world malware samples by comparing with some state-of-the-art malware analysis systems. Experimental results indicate that our method can identify more privacy leakage paths and behaviors.
Article
Analyzing cyber incident datasets is an important method for deepening our understanding of the evolution of the threat situation. This is a relatively new research topic and many studies remain to be done. In this paper, we report a statistical analysis of a breach incident dataset corresponding to 12 years (2005-2017) of cyber hacking activities that include malware attacks. We show that, in contrast to the findings reported in the literature, both the hacking breach incident inter-arrival times and the breach sizes should be modeled by stochastic processes, rather than by distributions because they exhibit autocorrelations. Then, we propose particular stochastic process models to respectively fit the inter-arrival times and the breach sizes. We also show that these models can predict the inter-arrival times and the breach sizes. In order to get deeper insights into the evolution of hacking breach incidents, we conduct both qualitative and quantitative trend analyses on the dataset. We draw a set of cybersecurity insights, including that the threat of cyber hacks is indeed getting worse in terms of their frequency, but not in terms of the magnitude of their damage.
Article
User activity logs can be a valuable source of information in cloud forensic investigations; hence, ensuring the reliability and integrity of such logs is crucial. Most existing solutions for secure logging are designed for conventional systems rather than the complexity of a cloud environment. In this paper, we propose the Cloud Log Assuring Soundness and Secrecy (CLASS) process as an alternative scheme for the securing of logs in a cloud environment. In CLASS, logs are encrypted using the individual user's public key so that only the user is able to decrypt the content. In order to prevent unauthorized modification of the log, we generate proof of past log (PPL) using Rabin's fingerprint and Bloom filter. Such an approach reduces verification time significantly. Findings from our experiments deploying CLASS in OpenStack demonstrate the utility of CLASS in a real-world context.
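CLASS's proof of past log, as this abstract describes it, lets an investigator check that a log handed over later matches what the provider committed to earlier, with a Bloom filter keeping verification cheap. The block below is an added example, not the CLASS implementation: entry fingerprints are SHA-256 based instead of Rabin fingerprints, the commitment is authenticated with an HMAC under a constructed provider key instead of a signature, the per-user public-key encryption of log content is omitted, and the entry count is this example's own addition so that deleted entries are caught (a Bloom filter by itself only exposes entries that were never committed). The log lines are constructed in an OpenStack-like style and are not real output.

```python
"""Proof of past log (PPL) with a Bloom filter.

Added example, not the CLASS implementation. Log entries are summarised into a
Bloom filter whose bits, parameters and entry count are authenticated with an
HMAC under the log provider's key (a stand-in for the signed proof a real
deployment would publish). Entry fingerprints are SHA-256 based rather than
Rabin fingerprints; the count field is this example's addition so that deleted
entries, which a Bloom filter alone cannot reveal, are still caught. The key
and log lines are constructed.
"""
import hashlib
import hmac
import math
from typing import Dict, Iterator, List


class BloomFilter:
    def __init__(self, m: int, k: int, bits: bytes = b"") -> None:
        self.m, self.k = m, k
        self.bits = bytearray(bits) if bits else bytearray((m + 7) // 8)

    @classmethod
    def sized_for(cls, n: int, fp_rate: float) -> "BloomFilter":
        # Standard sizing: m bits and k hashes for n items at the target FP rate.
        m = max(8, math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2))
        k = max(1, round(m / max(n, 1) * math.log(2)))
        return cls(m, k)

    def _positions(self, item: bytes) -> Iterator[int]:
        # Double hashing: two SHA-256 derived 64-bit values give k positions.
        h1 = int.from_bytes(hashlib.sha256(item).digest()[:8], "big")
        h2 = int.from_bytes(hashlib.sha256(b"\x01" + item).digest()[:8], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, item: bytes) -> bool:
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))


def _ppl_tag(key: bytes, m: int, k: int, count: int, bits: bytes) -> str:
    header = f"{m}:{k}:{count}:".encode()
    return hmac.new(key, header + bits, hashlib.sha256).hexdigest()


def build_ppl(entries: List[bytes], key: bytes, fp_rate: float = 1e-6) -> Dict:
    """Provider side: commit to the log entries seen so far."""
    bf = BloomFilter.sized_for(len(entries), fp_rate)
    for e in entries:
        bf.add(e)
    bits = bytes(bf.bits)
    return {"m": bf.m, "k": bf.k, "count": len(entries), "bits": bits,
            "tag": _ppl_tag(key, bf.m, bf.k, len(entries), bits)}


def verify_log(entries: List[bytes], ppl: Dict, key: bytes) -> Dict:
    """Investigator side: check a log handed over later against the PPL."""
    tag_ok = hmac.compare_digest(
        _ppl_tag(key, ppl["m"], ppl["k"], ppl["count"], ppl["bits"]), ppl["tag"])
    bf = BloomFilter(ppl["m"], ppl["k"], ppl["bits"])
    unknown = [i for i, e in enumerate(entries) if not bf.might_contain(e)]
    count_ok = len(entries) == ppl["count"]
    return {"tag_ok": tag_ok, "count_ok": count_ok, "unknown_entries": unknown,
            "accepted": tag_ok and count_ok and not unknown}


def demo() -> Dict:
    key = b"constructed-log-provider-key"
    log = [  # constructed OpenStack-style audit lines
        b"2021-05-01T10:00:01Z nova-api user=alice action=server.create id=vm-17",
        b"2021-05-01T10:02:14Z nova-api user=alice action=server.start id=vm-17",
        b"2021-05-01T10:09:40Z keystone user=bob action=auth.failed ip=198.51.100.7",
        b"2021-05-01T10:10:02Z nova-api user=bob action=server.delete id=vm-17",
    ]
    ppl = build_ppl(log, key)
    fake = b"2021-05-01T10:05:00Z nova-api user=alice action=server.delete id=vm-17"
    injected = log[:2] + [fake] + log[2:]                       # entry added later
    modified = log[:3] + [log[3].replace(b"user=bob", b"user=alice")]  # entry altered
    deleted = log[:2] + log[3:]                                 # entry removed
    return {"original": verify_log(log, ppl, key),
            "injected": verify_log(injected, ppl, key),
            "modified": verify_log(modified, ppl, key),
            "deleted": verify_log(deleted, ppl, key)}
```

A Bloom filter lookup answers "possibly present" or "definitely absent", so the sizing matters: at a loose false-positive rate an injected entry can slip through as "possibly present", which is why the demo sizes for 1e-6. A flagged entry, on the other hand, is certain: it was not in the committed set. Deletion is invisible to the filter alone, which is the reason the authenticated count is included here; a production scheme would bind that count (or a running hash) into the signed proof the same way.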
Article
With the increasing adoption of cloud computing, a growing number of users outsource their datasets to the cloud. To preserve privacy, the datasets are usually encrypted before outsourcing. However, the common practice of encryption makes effective utilization of the data difficult. For example, it is difficult to search for given keywords in encrypted datasets. Many schemes have been proposed to make encrypted data searchable by keyword. However, keyword-based search schemes ignore the semantic information of users' retrieval and cannot completely satisfy users' search intention. Therefore, how to design a content-based search scheme and make semantic search more effective and context-aware is a difficult challenge. In this paper, we propose ECSED, a novel semantic search scheme based on the concept hierarchy and the semantic relationships between concepts in the encrypted datasets. ECSED uses two cloud servers. One is used to store the outsourced datasets and return the ranked results to data users. The other is used to compute the similarity scores between the documents and the query and send the scores to the first server. To further improve search efficiency, we utilize a tree-based index structure to organize all the document index vectors. We employ multi-keyword ranked search over encrypted cloud data as our basic framework to propose two secure schemes. Experimental results based on real-world datasets show that the scheme is more efficient than previous schemes. We also prove that our schemes are secure under the known ciphertext model and the known background model.
Article
This study explores the challenges of digital forensics investigation in file access, transfer and operations, and identifies file operational and behavioral patterns based on timestamps—in both the standalone as well as interactions between Windows NTFS and Ubuntu Ext4 filesystems. File-based metadata is observed, and timestamps across different cloud access behavioral patterns are compared and validated. As critical metadata information cannot be easily observed, a rigorous iterative approach was implemented to extract hidden, critical file attributes and timestamps. Direct observation and cross-sectional analysis were adopted to analyze timestamps, and to differentiate between patterns based on different types of cloud access operations. Fundamental observation rules and characteristics of file interaction in the cloud environment are derived as behavioral patterns for cloud operations. This study contributes to cloud forensics investigation of data breach incidents where the crime clues, characteristics and evidence of the incidents are collected, identified and analyzed. The results demonstrate the effectiveness of pattern identification for digital forensics across various types of cloud access operations.
Book
Computational intelligence techniques have been widely explored in various domains, including forensics. Forensic analysis encompasses pattern analysis that answers questions of interest in security, medical, legal, genetic studies, etc. However, forensic analysis is usually performed through laboratory experiments, which are expensive in both cost and time. Therefore, this book seeks to explore the progress and advancement of computational intelligence techniques in different focus areas of forensic studies, aiming to build a stronger connection between computer scientists and forensic field experts. This book, Computational Intelligence in Digital Forensics: Forensic Investigation and Applications, is the first volume in the Intelligent Systems Reference Library series. The book presents original research results and innovative applications of computational intelligence in digital forensics. This edited volume contains seventeen chapters and presents the latest state-of-the-art advancement of computational intelligence in digital forensics, in both theoretical and application papers related to novel discovery in intelligent forensics. The chapters are organized into three sections: (1) Introduction; (2) Forensic Discovery and Investigation, which discusses the computational intelligence technologies employed in digital forensics; and (3) Intelligent Forensic Science Applications, which encompasses the applications of computational intelligence in digital forensics, such as human anthropology, human biometrics, human by-products, drugs, and electronic devices.
Article
Virtual Machine Introspection (VMI) has emerged as a fine-grained, out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS). Specifically, it functions at the Virtual Machine Monitor (VMM), or hypervisor. The reconstructed semantic details obtained by VMI are available as a combination of benign and malicious states at the hypervisor. In order to distinguish between these two states, existing out-of-VM security solutions require extensive manual analysis. In this paper, we propose an advanced VMM-based, guest-assisted Automated Internal-and-External (A-IntExt) introspection system that leverages VMI, Memory Forensics Analysis (MFA), and machine learning techniques at the hypervisor. Further, we use the VMI-based technique to introspect digital artifacts of the live guest OS to obtain a semantic view of process details. We implemented an Intelligent Cross View Analyzer (ICVA) and integrated it into our proposed A-IntExt system; it examines the data supplied by VMI to detect hidden, dead, and dubious processes, while also predicting early symptoms of malware execution on the introspected guest OS in a timely manner. Machine learning techniques are used to analyze the executables that are mined and extracted using MFA-based techniques and to ascertain the malicious executables. The practicality of the A-IntExt system is evaluated by executing a large set of real-world malware and benign executables on the live guest OSs. The evaluation achieved 99.55% accuracy and a 0.004 False Positive Rate (FPR) on 10-fold cross-validation for detecting unknown malware on the generated dataset. Additionally, the proposed system was validated against other benchmark malware datasets, and the A-IntExt system outperforms in the detection of real-world malware at the VMM, with a performance gain exceeding 6.3%.