A Framework of Network Forensics and its Application of Locating Suspects in Wireless Crime Scene Investigation

Digital forensics is the science of laws and technologies for fighting computer crimes. It can be divided into two sub-areas, computer forensics and network forensics. Network forensics is still a frontier area of digital forensics and is the focus of this paper. We propose to classify network forensic investigations into three categories based on when law enforcement officers conduct investigations in response to cyber crime incidents. We define proactive investigations as those occurring before cyber crime incidents, real-time investigations as those occurring during cyber crime incidents, and retroactive investigations as those occurring after cyber crime incidents. This classification in terms of incident timing helps us understand the related laws, since the applicable laws differ with investigation timing. We present a holistic study of the relationship between laws and network forensic investigations and believe that this framework provides a solid guide for digital forensic research. For example, the framework tells us that certain strategies (including technologies adapted from attacks against security systems) would violate the Constitution or relevant laws of the United States, which is the focus of this paper. With the guidance of this network forensic framework, we propose HaLo, a hand-held device built from the Nokia N900 smartphone for the real-time localization of a suspect committing crimes in a wireless crime scene. We collect only wireless signal strength information, which requires low-level legal authorization, or none in the case of private investigations on campus. The basic idea of localization is to collect wireless signal strength samples while walking. The position where the maximum signal strength is measured is a good estimate of the suspect device's location. The key challenge of accurate localization via the hand-held device is that the investigator has to control their walking speed and collect enough wireless signal strength samples.
We found that the digital accelerometer on a smartphone and GPS are very often too coarse for measuring walking speed. We propose the space sampling theory for effective target signal strength sampling. We validate the localization accuracy via extensive experiments. A video of HaLo is at http://youtu.be/QGhBrt26Q8Y. In this demo, we placed a laptop that was sending out ICMP packets inside one classroom, used HaLo to sniff along the corridor, and finally located the laptop.
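An added example (not the paper's HaLo code) of the walk-and-sample localization idea described above: signal strength samples are collected along a walk, the spacing between consecutive samples is checked against a minimum spatial sampling interval (so a walk that was too fast is rejected rather than trusted), the series is smoothed to suppress per-frame fading, and the position of the strongest smoothed reading is returned. The spacing threshold, the smoothing window and the corridor data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    pos_m: float      # distance walked along the corridor, in metres
    rssi_dbm: float   # received signal strength of the target's frame, in dBm


def spacing_ok(samples: List[Sample], max_gap_m: float) -> bool:
    """Space-sampling check (assumed threshold): consecutive samples must be no
    further apart than max_gap_m, otherwise the investigator walked too fast
    and the true signal strength peak may have fallen between two samples."""
    ordered = sorted(samples, key=lambda s: s.pos_m)
    return all(b.pos_m - a.pos_m <= max_gap_m for a, b in zip(ordered, ordered[1:]))


def smooth(values: List[float], window: int) -> List[float]:
    """Centred moving average; a single multipath spike should not decide the fix."""
    half = window // 2
    out = []
    for i in range(len(values)):
        lo, hi = max(0, i - half), min(len(values), i + half + 1)
        out.append(sum(values[lo:hi]) / (hi - lo))
    return out


def locate(samples: List[Sample], max_gap_m: float = 0.5, window: int = 3) -> Optional[float]:
    """Return the walk position (metres) with the strongest smoothed RSSI, or
    None when the walk was sampled too sparsely for the peak to be trusted."""
    if len(samples) < window or not spacing_ok(samples, max_gap_m):
        return None
    ordered = sorted(samples, key=lambda s: s.pos_m)
    smoothed = smooth([s.rssi_dbm for s in ordered], window)
    best = max(range(len(smoothed)), key=smoothed.__getitem__)
    return ordered[best].pos_m


# Constructed walk along a corridor, one sample every 0.5 m; the target device
# sits behind the wall near the 6 m mark. Index 8 carries a constructed
# multipath spike (-40 dBm) that a raw argmax would wrongly pick as the peak.
WALK = [Sample(i * 0.5, r) for i, r in enumerate(
    [-80, -78, -76, -73, -70, -67, -63, -60, -40, -52,
     -49, -46, -44, -46, -50, -55, -60, -66, -71, -76])]

if __name__ == "__main__":
    print("estimated target position (m):", locate(WALK))
```

Thinning the walk to every second sample (1 m spacing) makes `locate` return None, which is the space-sampling check refusing a fix instead of guessing.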
