Digital Forensics and Cyber Investigation

completely equipped to assimilate the detailed and complicated technical aspects of video forensics. Keywords Video forgery detection · Video tamper detection · Passive-blind video forensics · Video anti-forensics · Video content authentication · Video phylogeny detection · Video recapture detection · Video up-conversion detection

The old adage, "seeing is believing", no longer holds true in modern society. Digital media has paved the way for anyone to doctor images and for videos to misrepresent truth. The lines between fact, entertainment, advertising, fabrication and fiction are becoming increasingly blurred as what is termed 'fake news' increases in modern day society. A natural consequence of the increase in fake news is the outcry for investigations into misinformation (think Cambridge Analytica). Investigations need to be forensically sound in order for any evidence to hold up in court. This research aims to propose forensic guidelines for the investigation of fake news by researching current fact checking methodologies and determining whether what is currently in place can be aligned to the current ACPO Forensic Guidelines. In order to do this, it first attempts to establish how easily a non-professional fact checker can detect fake news by carrying out a rudimentary fake news quiz. This was then followed by a review of 41 fact checkers to understand their fact checking methodologies and concluded with a basic fact checking experiment to test the veracity of a subset of the reviewed tools. In concluding, fake news investigations can be aligned to the current ACPO forensic guidelines, however, they will need to be specifically adapted to the three main categories of fake news: images, text and video.

With the growing number of digital forensic tools and the increasing use of digital forensics in various contexts, including incident response and cyber threat intelligence, there is a pressing need for a widely accepted standard for representing and exchanging digital forensic information. Such a standard representation can support correlation between different data sources, enabling more effective and efficient querying and analysis of digital evidence. This work summarizes the strengths and weaknesses of existing schemas, and proposes the open-source CybOX schema as a foundation for storing and sharing digital forensic information. The suitability of CybOX for representing objects and relationships that are common in forensic investigations is demonstrated with examples involving digital evidence. The capability to represent provenance by leveraging CybOX is also demonstrated, including specifics of the tool used to process digital evidence and the resulting output. An example is provided of an ongoing project that uses CybOX to record the state of a system before and after an event in order to capture cause and effect information that can be useful for digital forensics. An additional open-source schema and associated ontology called Digital Forensic Analysis eXpression (DFAX) is proposed that provides a layer of domain specific information overlaid on CybOX. DFAX extends the capability of CybOX to represent more abstract forensic-relevant actions, including actions performed by subjects and by forensic examiners, which can be useful for sharing knowledge and supporting more advanced forensic analysis. DFAX can be used in combinationwith other existing schemas for representing identity information (CIQ), and location information (KML). This work also introduces and leverages initial steps of a Unified Cyber Ontology (UCO) effort to abstract and express concepts/constructs that are common across the cyber domain.

Digital vision technologies emerged exponentially in all living areas to watch, play, control, or track events. Security checkpoints have benefited also from those technologies by integrating dedicated cameras in studied locations. The aim is to manage the vehicles accessing the inspection security point and fetching for any suspected ones. However, the gathered data volume continuously increases each day, making their analysis very hard and time-consuming. This paper uses semantic-based techniques to model the data flow between the cameras, checkpoints, and administrators. It uses ontologies to deal with the increased data size and its automatic analysis. It considers forensics requirements throughout the creation of the ontology modules to ensure the records' admissibility for any possible investigation purposes. Ontology-based data modeling will help in the automatic events search and correlation to track suspicious vehicles efficiently.

In the wake of widespread proliferation of inexpensive and easy-to-use digital content editing software, digital videos have lost the idealized reputation they once held as universal, objective and infallible evidence of occurrence of events. The pliability of digital content and its innate vulnerability to unobtrusive alterations causes us to become skeptical of its validity. However, in spite of the fact that digital videos may not always present a truthful picture of reality, their usefulness in today’s world is incontrovertible. Therefore, the need to verify the integrity and authenticity of the contents of a digital video becomes paramount, especially in critical scenarios such as defense planning and legal trials where reliance on untrustworthy evidence could have grievous ramifications. Inter-frame tampering, which involves insertion/removal/replication of sets of frames into/from/within a video sequence, is among the most un-convoluted and elusive video forgeries. In this paper, we propose a potent hybrid forensic system that detects inter-frame forgeries in compressed videos. The system encompasses two forensic techniques. The first is a novel optical flow analysis based frame-insertion and removal detection procedure, where we focus on the brightness gradient component of optical flow and detect irregularities caused therein by post-production frame-tampering. The second component is a prediction residual examination based scheme that expedites detection and localization of replicated frames in video sequences. Subjective and quantitative results of comprehensive tests on an elaborate dataset under diverse experimental set-ups substantiate the effectuality and robustness of the proposed system.

A common task in digital forensics investigations is to identify known contraband images. This is typically achieved by calculating a cryptographic digest, using hashing algorithms such as SHA256, for each image on a given media, comparing individual digests with a database of known contraband.
However, the large capacities of modern storage media, and increased time pressure on forensics examiners, necessitates that more efficient processing mechanisms be developed. This work describes a technique for creating signatures for images of the PNG format which only requires a tiny fraction of the file to effectively distinguish between a large number of images. Highly distinct, and compact, such analysis lays the foundation for future work in fast forensics filtering using subsets of evidential data.

Malware is currently growing rapidly, diverse and complex. But, human resources that can carry out malware analysis is limited, because special expertise is needed. Reverse engineering is one of many solution that can carry out malware analysis, because reverse engineering techniques can reveal malware code. On March 5, 2018, found spam email containing files, the file contained malware flawed ammyy. This flawed ammyy is a software that comes from Ammyy Admin version 3 and then misused by hackers TA505. This study aims to identify the malware, especially the Flawed Ammyy RAT malware. This research uses descriptive methodology, then to do malware analysis used dynamic analysis and reverse engineering methods. The results of the study show that the Flawed Ammyy RAT malware works by hiding in the Ammyy Admin application then connecting to the attacker with ip address 103.208.86.69. netname ip address 103.208.86.69 is zappie host. There are 50 registry changes that are carried out by malware on infected systems. After the attacker has been connected with the victim, the attacker can easily do the remote control without the victim's knowledge. Abstrak  Malware saat ini berkembang dengan pesat, beragam dan komplek. Namun kurangnya sumber daya manusia yang dapat melakukan analisis malware karena diperlukan keahlian khusus. Reverse engineering merupakan salah satu solusi untuk melakukan analisis malware karena menggunakan teknik reverse engineering kode pada malware dapat diketahui. 5 Maret 2018 ditemukan spam email yang berisi file, file tersebut terdapat malware flawed ammyy. Flawed ammyy ini merupakan software yang berasal dari Ammyy Admin versi 3 kemudian disalah gunakan oleh hacker TA505. Penelitian ini bertujuan untuk melakukan proses identikasi malware kususnya malware Flawed Ammyy RAT. Penelitian ini menggunakan metodologi deskriptif, kemudian untuk melakukan analisis malware digunakan metode analisis dinamis dan reverse engineering. Hasil dari penelitian menunjukan bahwa malware Flawed Ammyy RAT bekerja dengan bersembunyi pada aplikasi Ammyy Admin kemudian melakukan koneksi dengan attacker dengan ip address 103.208.86.69. netname ip address 103.208.86.69 adalah zappie host. Perubahan 50 registry yang dilakukan malware pada system yang terinfeksi. Setelah attacker terkonesi dengan korban maka attacker dengan mudah melakukan remote control tanpa sepengetahuan korban. Kata Kunci  Ammyy, Flawed, Engineering, Malware, Reverse I. PENDAHULUAN Internet telah menjadi bagian penting dari kehidupan sehari-hari bagi orang-orang. Internet dapat membantu seseorang memanfaatkan banyak layanan hanya dengan bantuan beberapa klik [1]. Tingginya penggunaan internet menciptakan kejahatan tak hanya terjadi dalam dunia nyata, tetapi merambah ke dunia maya yang sering disebut sebagai cybercrime [2]. Kejahatan di dunia cyber saat ini beragam. Teknik yang digunakan oleh penyerang semakin beragam dan kompleks. Berbagai serangan tersebut diantranya melibatkan malicious software atau yang biasa disebut malware yang merupakan suatu program jahat [3]. Beragam tujuan yang dimiliki para pelaku ini beberapa diantaranya adalah untuk mencari kesenangan dan mencari keuntungan [4]. Malware diciptakan dengan maksud tertentu yaitu melakukan aktifitas berbahaya yang berdampak sangat merugikan bagi para korbannya, antara lain seperti penyadapan serta pencurian informasi pribadi [5]. Malware dapat berisi kode berbahaya seperti Virus, Worm, Trojan Horse, juga bisa membuat Back Door yang dapat melakukan pencurian informasi pribadi atau mengambil kendali sistem seseorang [6]. Seringkali malware masuk ke sistem melalui file yang diunduh. Setelah malware memasuki sistem, malware melakukan aktivitas dan merusak seluruh sistem [7]. Kemampuan untuk melakukan analisa malware bagi seorang investigator menjadi tuntutan dalam setiap melakukan investigasi. Meningkatnya sejumlah malware serta evolusi dan mampu beradaptasinya terhadap perangkat analisis yang selama ini digunakan [8]. Analisa malware dengan menggunakan Reverse engineering merupakan salah satu solusi yang bisa digunakan saat ini. Reverse engineering dalam analisis malware berguna untuk ekstraksi data yang memuat informasi yang ada didalam malware [9]. Para analis Proofpoint telah menemukan Trojan akses jarak jauh yang sebelumnya tidak terdokumentasi yang disebut Flawed Ammyy RAT [10]. Malware Flawed ammyy dibangun diatas kode Ammyy adminversi versi 3 yang disalah gunakan. Ammyy admin merupakan perangkat lunak desktop jarak jauh yang digunakan diantara jutaan konsumen dan bisnis untuk menangani remote control dan diagnosis pada platfom Windows, ini bukan pertama kalinya Ammyy admindisalahgunakan, serangan Juli 2016 juga menggunakannya untuk menyembunyikan malware [11].

Email merupakan salah satu fasilitas internet yang banyak digunakan untuk komunikasi dan bertukar informasi. Hal ini memungkinkan pihak ketiga menyalahgunakan email untuk mendapatkan informasi secara ilegal dengan mengubah identitas pengirim email dan menjadikannya seperti email yang berasal dari email yang sah (legitimate email), aktivitas tersebut biasa dikenal dengan istilah email spoofing. Untuk dapat mendeteksi adanya email spoofing, maka perlu adanya investigasi forensik email terhadap email spoofing. Salah satu teknik investigasi forensik email adalah menggunakan analisis header email (header analysis method). Teknik ini bekerja dengan memeriksa dan membandingkan value yang terdapat pada beberapa header email yang ditetapkan sebagai parameter deteksi email spoofing. Parameter yang digunakan dalam penelitian ini adalah header ‘From’, ‘Message-ID’, ‘Date’ dan ‘Received’. Jika value yang terdapat pada header tersebut identik, maka email tersebut adalah email yang sah (legitimate email), jika tidak maka email tersebut dikategorikan sebagai email spoofing.

In recent times, most of the data such as books, personal materials and genetic information digitally. This transformation gives rise to a field of Cyberspace. This newly created space, gave rise to a new set of crime Cybercrime, this lead to the development of securing the cyberspace and protecting against cybercrime. As more people started using cyberspace, more number of cybercrime were registered. As the number of crime increases, we are in need of help from Machine Learning. Machine Learning in the field of Cyber forensics, is a boon. In this paper we have an overview of Machine Learning in the field of Cyber Forensics and various method of it implementation. I. INTRODUCTION 1) Deep Learning and Machine Learning: The field of Artificial Intelligence and Machine Learning has been around since a long time but it is now that we have enough computational power to effectively develop strong artificial neural networks (ANN) in a reasonable time frame with the help of strong hardware and software support. The most important aspect of Cyber security involves protecting key data and devices from cyber threats. It's an important part of corporations that collect and maintain large databases of client data, social platforms wherever personal information were submitted and also the government organizations wherever secret, political and defence information comes into measure. Unlike the traditional machine learning algorithm that uses feature engineering and illustration ways. They will chose the best options by themselves. 2) Cyber Security: Cyber security is that the set of framework and processes designed to protect computers, networks, programs, and data from attack, unauthorized access, change, or destruction. These frameworks are consist of network security and host security systems, every of those has a minimum firewall, antivirus computer code, associated an intrusion detection system. 3) Deep Learning and Cyber Security: This survey summarizes the association of cyber security and Deep learning techniques (DL). Deep learning technique are being used by researchers in recent days. Deep learning can be used alongside the prevailing automation ways like rule and heuristics based and machine learning techniques. This survey helps is understand the benefits of deep learning algorithms to classify and tackle malicious activities that perceived from the varied sources like DNS, email, URLs etc. In recent days, non-public firms and public establishments are dealing with constant and complicated cyber threats and cyberattacks. As a precaution, organizations should build and develop a cybersecurity culture and awareness so as to defend against cyber criminals. 4) Shared Task: In this shared task conference, the train data set will be distributed among the participants and the train model will be evaluated based on the test data set. This is most common in NLP area recently shared task on identifying phishing email has been organized by. The details of the submitted runs are available throughout. Followed by shared task on detecting malicious domain organized intruders. These two shared tasks enables the participants to share their approach through working notes or system description paper. Each year there is one more shared task conducted by CDMC. But they don't provide us an option to submit system description papers. But recently they are giving an option to submit system description papers (CDMC 2018). One significant issue was that the available data sets are very old and each data set has their own limitations. The main issue we face now is due to the non-maintenance of Cybercrime data. To overcome such issues a brief investigative issue made to understand the need of Security domain, datasets and key feature of data sciences is discussed in for problems employing the data science towards cyber security. The need for such dataset in to be promoted.