Eoghan Casey
  • Université de Lausanne / University of Lausanne
    Batochime
    CH-1015 Lausanne-Dorigny
The Malware Forensics resource and the accompanying Malware Forensics Field Guides provide digital investigators with the knowledge required to handle malicious code from a forensic perspective. Created by subject matter experts with real-world investigative and forensic experience, these books are tools with checklists for specific tasks, case studies of difficult situations, and expert analyst tips.
COMPUTER FORENSIC AND COMPUTER SECURITY RELATED BOOK TITLES: • Casey, Handbook of Computer Crime Investigation, ISBN 0-12-163103-6, 448pp, 2002. • Kovacich, The Information Systems Security Officer's Guide, ISBN 0-7506-7656-6, 361pp, 2003. • Boyce and ...
... Thank you Stacy, Jacob, Audra and Jenna for letting me take nights and weekends away from you to write. ... Curtis W. Rose I would like to thank Federal Bureau of Investigation Special Agents Mike and Gail Gneckow; Wendy Olson and Traci Whelan, Assistants United States ...
... This book at Amazon. Edition, electronic version. ... Imprint, Burlington, MA : Elsevier, 2008. - 713 p. Subject category, Computing and Computers. ISBN, 9780080560199 (This book at Amazon) (electronic version) 9781597492683 (This book at Amazon) (print version). ...
This book is printed on acid-free paper. Copyright© 2002 by ACADEMIC PRESS All Rights Reserved Second printing 2003 No part of this publication may be reproduced or transmitted in any form or by or any information storage and retrieval system, without permission in writing from ...
With the growing number of digital forensic tools and the increasing use of digital forensics in various contexts, including incident response and cyber threat intelligence, there is a pressing need for a widely accepted standard for representing and exchanging digital forensic information. Such a standard representation can support correlation between different data sources, enabling more effective and efficient querying and analysis of digital evidence. This work summarizes the strengths and weaknesses of existing schemas, and proposes the open-source CybOX schema as a foundation for storing and sharing digital forensic information. The suitability of CybOX for representing objects and relationships that are common in forensic investigations is demonstrated with examples involving digital evidence. The capability to represent provenance by leveraging CybOX is also demonstrated, including specifics of the tool used to process digital evidence and the resulting output. An example is provided of an ongoing project that uses CybOX to record the state of a system before and after an event in order to capture cause and effect information that can be useful for digital forensics. An additional open-source schema and associated ontology called Digital Forensic Analysis eXpression (DFAX) is proposed that provides a layer of domain specific information overlaid on CybOX. DFAX extends the capability of CybOX to represent more abstract forensic-relevant actions, including actions performed by subjects and by forensic examiners, which can be useful for sharing knowledge and supporting more advanced forensic analysis. DFAX can be used in combination with other existing schemas for representing identity information (CIQ), and location information (KML). This work also introduces and leverages initial steps of a Unified Cyber Ontology (UCO) effort to abstract and express concepts/constructs that are common across the cyber domain.
The number of forensic examinations being performed by digital forensic laboratories is rising, and the amount of data received for each examination is increasing significantly. At the same time, because forensic investigations are results oriented, the demand for timely results has remained steady, and in some instances has increased. In order to keep up with these growing demands, digital forensic laboratories are being compelled to rethink the overall forensic process. This work dismantles the barriers between steps in prior digital investigation process models and concentrates on supporting key decision points. In addition to increasing efficiency of forensic processes, one of the primary goals of these efforts is to enhance the comprehensiveness and investigative usefulness of forensic results. The purpose of honing digital forensic processes is to empower the forensic examiner to focus on the unique and interesting aspects of their work, allowing them to spend more time addressing the probative questions in an investigation, enabling them to be decision makers rather than tool runners, and ultimately increase the quality of service to customers. This paper describes a method of evaluating the complete forensic process performed by examiners, and applying this approach to developing tools that recognize the interconnectivity of examiner tasks across a digital forensic laboratory. Illustrative examples are provided to demonstrate how this approach can be used to increase the overall efficiency and effectiveness of forensic examination of file systems, malware, and network traffic.
Abstract: There is an urgent need to reduce the growing backlog of forensic examinations in Digital Forensics Laboratories (DFLs). Currently, DFLs routinely create forensic duplicates and perform in-depth forensic examinations of all submitted media. This approach is rapidly becoming untenable as more cases involve increasing quantities of digital evidence. A more efficient and effective three-tiered strategy for performing forensic examinations will enable DFLs to produce useful results in a timely manner at different phases of an investigation, and will reduce unnecessary expenditure of resources on less serious matters. The three levels of forensic examination are described along with practical examples and suitable tools. Realizing that this is not simply a technical problem, we address the need to update training and establish thresholds in DFLs. Threshold considerations include the likelihood of missing exculpatory evidence and seriousness of the offense. We conclude with the implications of scaling forensic examinations to the investigation.
The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.
Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender’s activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.
To assess the importance and potential impact of an incident accurately, computer security professionals need to understand an offender’s criminal skill, knowledge of targets, and intent. A thief who selects targets of opportunity based on insecure systems presents a significantly different threat than an individual who targets a specific organization to obtain specific information. This article compares two intellectual property theft cases to provide readers with practical investigative insights, noting costly mistakes and pointing out behaviour reflected in digital evidence. Although these cases are based on actual investigations, they have been modified to protect the innocent.
This paper presents strengths and shortcomings of WinHex Specialist Edition (version 11.25 SR-7) in the context of the overall digital forensics process, focusing on its ability to preserve and examine data on storage media. No serious problems were found during non-exhaustive testing of the tool's ability to create a forensic image of a disk, and to verify the integrity of an image. Generally accepted data sets were used to test WinHex's ability to reliably and accurately interpret file date–time stamps, recover deleted files, and search for keywords. The results of these tests are summarized in this paper. Certain advanced examination capabilities were also evaluated, including the creation of custom templates to interpret EXT2/EXT3 file systems. Based on this review, several enhancements are proposed. In addition to these results, this paper demonstrates a systematic approach to evaluating similar forensic tools.
... extortion committed with the assistance of computers, organizations are seeking more effective ways to ... new flow tcpflow[1248]: 192.168.000.005.01261-192.168.000.003.00139: opening new output file ... A placeholder is inserted if an internal object is not available (eg, content ...