Proceedings of The 5th Australian Digital Forensics Conference
Editors: Dr Craig Valli, Dr Andrew Woodward
Edith Cowan University, Mount Lawley Campus, Western Australia
School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
3rd December, 2007
ISBN 0-7298-0646-4

All entries below are papers in these proceedings (2007). Abstracts are reproduced where the record carried one.

Saleh Almotairi, Andrew Clark, Marc Dacier, Corrado Leita, George Mohay, Van Hau Pham, Olivier Thonnard, Jacob Zimmermann. Extracting Inter-arrival Time Based Behaviour from Honeypot Traffic using Cliques. pp. 78-86.

Gary Kessler. Anti-Forensics and the Digital Investigator. pp. 1-7.

Krishnun Sansurooah. An approach in identifying and tracing back spoofed IP packets to their sources. pp. 8-21.

Krishnun Sansurooah. An overview and examination of digital PDA devices under forensics toolkits. pp. 34-52.

Haitham Al-Hajiri, Patricia A H Williams. The effectiveness of investigative tools for Secure Digital (SD) Memory Card forensics. pp. 22-33.

Lee Fueng Yap, Andy Jones. Profiling Through a Digital Mobile Device. pp. 52-58.

Murray Brand. Forensic Analysis Avoidance Techniques of Malware. pp. 59-66.

Olga Angelopoulou. ID Theft: A Computer Forensics' Investigation Framework.
Abstract: The exposure of online identities grows rapidly nowadays and so does the threat of having even more impersonated identities. Internet users provide their private information to multiple web-based agents for a number of reasons: online shopping, memberships, social networking, and many others. However, the number of ID Theft victims grows as well, resulting in the growth of the number of incidents that require computer forensics investigation in order to resolve this type of crime. For this reason, it appears of value to provide a systematic approach for computer forensics investigators aiming to resolve such computer-based ID Theft incidents. The issues that demand individual examination of this type of crime are discussed and the plan of an ID Theft computer forensics investigation framework is presented.

Sorot Panichprecha, Jacob Zimmermann, George Mohay, Andrew Clark. Multi-Step Scenario Matching Based on Unification. pp. 87-96.

Ahmed Ibrahim. Steganalysis in Computer Forensics. pp. 97-107.

David P. Biros, Mark Weiser, John Whitfield. Managing Digital Forensic Knowledge: An Applied Approach. pp. 108-117.

Patryk Szewczyk. ADSL Router Forensics Part 1: An introduction to a new source of electronic evidence. pp. 118-125.

Patryk Szewczyk. An examination of the Asus WL-HDD 2.5 as a Nepenthes malware collector. pp. 126-133.

Marwan Al-Zarouni, Haitham Al-Hajri. A Proof-of-Concept Project for Utilizing U3 Technology in Incident Response. pp. 134-140.

Marwan Al-Zarouni. Introduction to Mobile Phone Flasher Devices and Considerations for their Use in Mobile Phone Forensics. pp. 141-151.

Peter Hannay, Peter James. Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment. pp. 152-161.

Peter James. Can SDV Technology be Utilised in a Smartphone to Prevent Forensic Analysis? pp. 162-176.
Abstract: Eliminating the opportunities to successfully acquire data from mobile devices is a critical security objective for certain organisations. In particular, Government agencies require assurance that classified data is secured against hostile forensic analysis. The Secure Systems Silicon Data Vault (SDV) is a hardware based data encryption and access control device that has been accredited by the Australian Government to secure classified information held on laptops and portable hard disk drives; hardware is recognised as a superior trusted platform on which to implement security mechanisms. The SDV's 128-bit Advanced Encryption Standard (AES) cryptography, sophisticated key management and access controls, and total disk encryption make the SDV an extremely difficult device from which to acquire data and perform forensic analysis. With the increasing functionality and storage capabilities of Smartphones, strong security mechanisms are required by organisations that may hold sensitive data on these devices. Software based security applications exist for Smartphones that provide good security and severely impact the acquisition of data suitable for forensic analysis. If strong hardware based security can be integrated into a Smartphone, forensic analysis could be further constrained. This paper considers the feasibility of implementing the SDV technology in a Palm Treo. An overview of the SDV is given and six security design principles are enumerated. Implementation of the six design principles ensures the SDV provides strong security. The Treo architecture is reviewed and the concept of operation enumerated. The challenges with respect to implementing a Smartphone SDV that conforms to the security design principles are discussed. Possible Smartphone SDV conceptual designs are presented. The concept of operation, implementation issues and conformance of each conceptual design to the SDV security design principles are discussed.

Peter Hannay, Andrew Woodward, Nic Cope. A forensically tested tool for identification of notebook computers to aid recovery: LIARS phase 1 proof of concept. pp. 177-182.
Abstract: The LIARS tool was designed to enable identification, and potentially the return to the rightful owner, of stolen laptop or notebook computers. Many laptops are discovered by Police, but time constraints prevent recovered devices from being identified. This project has produced a proof of concept tool which can be used by virtually any police officer, or other investigator, and which does not alter the hard drive in any fashion. The tool uses a modified version of the chntpw software, and is based on a forensically tested live Linux CD. The tool examines registry hives for known locations of keys which may provide information about the owner of the laptop. This paper outlines the successful first phase of the project and looks at future directions.

An Hilven. Mood 300 IPTV decoder forensics. pp. 183-192.
Abstract: Since June 2005, viewers in Belgium can get access to digital TV or IPTV via ADSL through Belgacom, the largest telecommunications provider in the country. The decoders used to enjoy these services are the Mood 300 series from Tilgin (formerly i3 Micro Technology). As of the Mood 337, the decoders contain a hard disk to enable the viewer to record and pause TV programs. Although it is publicly known that the Mood's hard disk is used to save recorded and paused TV programs, it was still unknown whether it contains any data that could be of interest during a forensic investigation. Interesting data ranges from which TV programs were watched, over discovery of unauthorized data storage, to criminal profiling and alibi verification. This paper will research the possibilities, especially with regard to which TV programs were watched and alternate data storage, as criminal profiling and alibi verification is not merely a task the forensic investigator can do alone.
Just like game consoles that use a hard disk, the Mood 337 can easily be disassembled and attached to a PC for forensic analysis. The reason why analysis of this system is necessary is simply because it contains a hard disk. Anyone with a screwdriver can remove, replace or modify it, not only for experimenting purposes but also for illegitimate uses. Analysis shows that most of the 80 Gb of disk space on the disk is not even in use, and data can easily be written to it without interfering with the system's primary function of providing IPTV services. It was also found that the Mood runs on a Linux base system with a 2.4 kernel, using XML files for the configuration of IPTV functions and services. Analysis reveals that even the (billable) 'pause' function is nothing more than a 'yes' or 'no' flag in an XML file. Other files that would be expected on a Linux system, such as /etc/fstab or /etc/passwd, were not found, while these might have proven useful in this analysis. Further examination of the hard disk indicates the use of certificates for protection against piracy. However, it was proven to be a trivial task to simply copy recorded data to a PC and play it with a media player. The most important discovery of this research is that correctness of time and date appears to be of lesser value to the creators and/or distributors of the Mood 337. Throughout the system, various different time stamps and time zones were used, and more importantly, time and date were changed several times. Even though two NTP servers are configured for time synchronisation, neither one of them seems to be correct. In order for data recovered from this hard disk to be acceptable before a court of law, fixing the time and date should be one of the highest priority changes that are needed.

Peter Hannay. A Methodology for the Forensic Acquisition of the TomTom One Satellite Navigation System – A Research in Progress. pp. 193-196.

Glenn S. Dardick, Claire R. La Roche, Mary A. Flanigan. BLOGS: ANTI-FORENSICS and COUNTER ANTI-FORENSICS. pp. 197-202.
Abstract: Blogging gives an ordinary person the ability to have a conversation with a wide audience and has become one of the fastest growing uses of the Web. However, dozens of employee-bloggers have been terminated for exercising what they consider to be their First Amendment right to free speech, and would-be consumer advocates face potential liability for voicing their opinions. To avoid identification and prevent retribution, bloggers have sought to maintain anonymity by taking advantage of various tools and procedures: anti-forensics. Unfortunately some anonymous bloggers also post content that is in violation of one or more laws. Some blogging content might be viewed as harassing others, an area known as cyber-bullying. Law enforcement and network forensics specialists are developing procedures called Counter Anti-forensics that show some promise in identifying those who violate the law. However, these techniques must be used with caution so as not to violate the rights of others.

Craig Valli, Aaron Wooten. An Overview of ADSL Homed Nepenthes Honeypots In Western Australia. pp. 202-207.
Abstract: This paper outlines initial analysis from research in progress into ADSL homed Nepenthes honeypots. One of the prime objectives of the Nepenthes honeypots in this research was the collection of malware for analysis and dissection. A further objective is the analysis of risks that are circulating within ISP networks in Western Australia. What differentiates Nepenthes from many traditional honeypot designs is that it has been engineered from a distributed network philosophy. The program allows distribution of results across a network of sensors and subsequent aggregation of malware statistics readily within a large network environment.

Victor Luo. Tracing USB Device artefacts on Windows XP operating system for forensic purpose. pp. 208-216.

Craig Valli, Andrew Woodward. Oops They Did it Again: Results of the 2007 Australian Remnant Hard Disk Study. pp. 217-.