UNH Cyber Forensics Research & Education Group / Lab (Est. 2013)
Dr. Baggili presents research at SADFE 2013, in Hong Kong (IEEE) 8th International Workshop on Systematic Approaches to Digital Forensic Engineering
November 18, 2013
Dr. Baggili particiapted in two papers will be presented at this conference. To see this year's conference program click here. Below are the Abstracts:
Paper 1: Forensic artifacts of the ChatON Instant Messaging application
Abstract— Instant Messaging (IM) is one of the most used types of applications across all digital devices, and is an especially popular feature on smartphones. This research is about the artifacts left by Samsung’s ChatON IM application, which is a multi-platform IM application. In this work, we acquired forensic images of a Samsung Galaxy Note device running Android 4.1 and an iPhone running iOS 6. The acquired images were analyzed and the data relevant to the ChatON application were identified. This research resulted is a map of the digital evidence left by ChatON on these mobile devices which assists digital forensics practitioners and researchers in the process of locating and recovering digital evidence from ChatON.
Paper 2: CAT Record (Computer Activity Timeline Record): A unified agent based approach for real time computer forensic evidence collection
Abstract— In this paper we present CAT Record – a real time computer forensics agent that records computer activity for subsequent forensic investigation on a Windows computer system as actions are taking place on a system. This approach is different from the traditional post-mortem approach of examining a hard disk since activities are being recorded as they are happening. The prototype agent included six modules 1) Windows Event Watcher - which records the Windows Operating System events 2) Active Window Detector - which records the active windows on the screen 3) Font-Time-Power-Resolution Detector - which records changes in font, time, power or resolution on the system 4) Explorers Monitor - which records the activity when opening an item from the Windows Explorer or Internet Explorer 5) Removable Devices Detector - which records any external devices that are plugged in or removed from a system and 6) File System Watcher - which records the activity taking place on the file system. CAT Record was stress tested in three scenarios using an automated program that was written to test the accuracy of the agent and its memory consumption on Windows XP and Windows 7. Overall, the results indicated that the amount of recorded data varied between Windows XP and Windows 7 and that CAT Record on average did not consume more than 42,876 KB of memory per second during its operation under extremely stressful tests.