
Dissertations / Theses on the topic 'Memory forensics'


1

Pagani, Fabio. "Advances in memory forensics." Electronic Thesis or Diss., Sorbonne université, 2019. http://www.theses.fr/2019SORUS299.

Abstract:
The adoption of memory forensics - the art of extracting artifacts from the volatile memory of a compromised system - is spreading in cyber-security investigations. The main reason for this enthusiasm comes from the fact that many artifacts cannot be found elsewhere. In this way, forensics analysts can gain the big picture of a malicious behavior. Nevertheless, memory forensics is less than two decades old: many challenges are unsolved and many questions are unanswered. This thesis gives a new perspective on three of these problems. The first contribution studies the effects of non-atomic acquisition methods. The root cause of this problem is quite straightforward to explain: while the memory is acquired, user and kernel processes are running and therefore modifying the content of the memory. For this reason, the resulting memory dump does not represent the state of the memory at a given point in time, but rather a mix of multiple points. The second contribution focuses on automatically extracting a forensics profile from a memory dump. Having a valid profile is a strong requirement for memory analysis because without one no structured memory forensics technique can be applied. Therefore, this problem effectively prevents memory forensics from being applied in those scenarios where creating a profile is harder -- if not impossible. The third and last contribution of this thesis aims to change how forensics rules, better known as plugins, are created. Nowadays, these rules are manually written by kernel experts and forensics practitioners. Unfortunately, this manual approach does not have any guarantee on the quality or on the uniqueness of these rules
2

Ayers, Amy L. "Windows hibernation and memory forensics." Thesis, Utica College, 2015. http://pqdtopen.proquest.com/#viewpdf?dispub=1586690.

Abstract:

The purpose of this capstone project was to research the hibernation file, its role in memory forensics and to explore current technology, techniques and concepts for analysis. This study includes an in-depth look at the Windows hibernation feature, file format, potential evidence saved to the file and its impacts in digital forensic investigations. This research was performed to demonstrate the importance of the hibernation file and to generate awareness for this forensic artifact. The research questions presented were designed to identify the properties of Windows hibernation and its significance in digital forensics. Additionally, these research questions were aimed at identifying the important concepts analysts should understand in selecting forensic software and in hibernation analysis. Through the literature review process, the hibernation file was identified as an essential part of digital forensics which provides analysts with snapshots of system memory from various points in the past. This data includes web, email and chat sessions in addition to running processes, login credentials, encryption keys, program data and much more. Beyond forensics, the hibernation file is useful in the fields of data recovery and incident response. A review of current hibernation file publications revealed incomplete and conflicting works culminating in the acknowledgment that more research is needed in order to close these research gaps. More awareness for hibernation forensics through its inclusion in future published works and in computer forensic educational courses is recommended. These inclusions will assist to arm practitioners with the ability to accurately utilize the hibernation file in order to obtain the highest quality forensic evidence. Keywords: Cybersecurity, hiberfil.sys, hybrid sleep, malware, slack space, Albert Orbinati.

3

Veca, Matthew. "Extracting Windows event logs using memory forensics." ScholarWorks@UNO, 2015. http://scholarworks.uno.edu/td/2119.

Abstract:
Microsoft’s Windows Operating System provides a logging service that collects, filters and stores event messages from the kernel and applications into log files (.evt and .evtx). Volatility, the leading open source advanced memory forensic suite, currently allows users to extract these events from memory dumps of Windows XP and Windows 2003 machines. Currently there is no support for users to extract the event logs (.evtx) from Windows Vista, Win7 or Win8 memory dumps, and Volatility users have to rely on outside software in order to do this. This thesis discusses a newly developed evtxlogs.py plugin for Volatility, which allows users the same functionality with Windows Vista, Win7 and Win8 that they had with Windows XP and Win 2003’s evtlogs.py plugin. The plugin is based on existing mechanisms for parsing Windows Vista-format event logs, but adds fully integrated support for these logs to Volatility.
4

Case, Andrew. "Detecting Objective-C Malware through Memory Forensics." ScholarWorks@UNO, 2016. http://scholarworks.uno.edu/td/2132.

Abstract:
Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently as operating systems vendors now routinely enforce driver signing, and strategies for protecting kernel data, such as Patch Guard, have made userland attacks much more attractive to malware authors. In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides a rich set of APIs that malware uses to manipulate and steal data and to perform other malicious activities. The novel memory forensics techniques presented in this thesis deeply examine the state of the Objective-C runtime, identifying a number of suspicious activities, from keystroke logging to pointer swizzling.
5

Oliveri, Andrea. "A Zero-Knowledge Approach to Memory Forensics." Electronic Thesis or Diss., Sorbonne université, 2023. http://www.theses.fr/2023SORUS312.

Abstract:
The rapid increase of embedded devices and IoT objects is leading to a multiplication of operating systems and processor architectures, which are generally not supported by current forensic tools and require considerable effort to adapt. To overcome this problem, we introduce the concept of zero-knowledge memory forensics: performing a memory forensic analysis without any knowledge of the underlying operating system. Assuming that we have performed a memory dump of the unknown operating system, using only information derived from the machine's hardware configuration, we claim that it is possible to reconstruct the kernel address space independently of the operating system. From these, it is possible to reconstruct kernel data structures in memory using only their topology
6

Saltaformaggio, Brendan D. "Forensic Carving of Wireless Network Information from the Android Linux Kernel." ScholarWorks@UNO, 2012. http://scholarworks.uno.edu/honors_theses/20.

Abstract:
Modern smartphones integrate ubiquitous access to voice, data, and email communication and allow users to rapidly handle both personal and corporate business affairs. This is possible because of the smartphone’s constant connectivity with the Internet. Digital forensic investigators have long understood the value of smartphones as forensic evidence, and this thesis seeks to provide new tools to increase the amount of evidence that one can obtain and analyze from an Android smartphone. Specifically, by using proven data carving algorithms we try to uncover information about the phone’s connection to wireless access points in a capture of the device’s volatile memory.
7

White, Andrew J. "Identifying the unknown in user space memory." Thesis, Queensland University of Technology, 2013. https://eprints.qut.edu.au/64181/1/Andrew_White_Thesis.pdf.

Abstract:
This thesis is a study of how the contents of volatile memory on the Windows operating system can be better understood and utilised for the purposes of digital forensic investigations. It proposes several techniques to improve the analysis of memory, with a focus on improving the detection of unknown code such as malware. These contributions allow the creation of a more complete reconstruction of the state of a computer at acquisition time, including whether or not the computer has been infected by malicious code.
8

Sylve, Joseph T. "Towards Real-Time Volatile Memory Forensics: Frameworks, Methods, and Analysis." ScholarWorks@UNO, 2017. http://scholarworks.uno.edu/td/2359.

Abstract:
Memory forensics (or memory analysis) is a relatively new approach to digital forensics that deals exclusively with the acquisition and analysis of volatile system memory. Because each function performed by an operating system must utilize system memory, analysis of this memory can often lead to a treasure trove of useful information for forensic analysts and incident responders. Today’s forensic investigators are often subject to large case backlogs, and incident responders must be able to quickly identify the source and cause of security breaches. In both these cases time is a critical factor. Unfortunately, today’s memory analysis tools can take many minutes or even hours to perform even simple analysis tasks. This problem will only become more prevalent as RAM prices continue to drop and systems with very large amounts of RAM become more common. Due to the volatile nature of data resident in system RAM it is also desirable for investigators to be able to access non-volatile copies of system RAM that may exist on a device’s hard drive. Such copies are often created by operating systems when a system is being suspended and placed into a power safe mode. This dissertation presents work on improving the speed of memory analysis and the access to non-volatile copies of system RAM. Specifically, we propose a novel memory analysis framework that can provide access to valuable artifacts orders of magnitude faster than existing tools. We also propose two new analysis techniques that can provide faster and more resilient access to important forensic artifacts. Further, we present the first analysis of the hibernation file format used in modern versions of Windows. This work allows access to evidence in non-volatile copies of system RAM that were not previously able to be analyzed. Finally, we propose future enhancements to our memory analysis framework that should address limitations with the current design. 
Taken together, this dissertation represents substantial work towards advancing the field of memory forensics.
9

Sylve, Joseph T. "Android Memory Capture and Applications for Security and Privacy." ScholarWorks@UNO, 2011. http://scholarworks.uno.edu/td/1400.

Abstract:
The Android operating system is quickly becoming the most popular platform for mobile devices. As Android’s use increases, so does the need for both forensic and privacy tools designed for the platform. This thesis presents the first methodology and toolset for acquiring full physical memory images from Android devices, a proposed methodology for forensically securing both volatile and non-volatile storage, and details of a vulnerability discovered by the author that allows the bypass of the Android security model and enables applications to acquire arbitrary permissions.
10

Sansurooah, Krishnun. "A forensics framework and method in the acquisition and extraction of data from NAND Flash memory storage chip." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2015. https://ro.ecu.edu.au/theses/1725.

Abstract:
The aim of this thesis is to investigate a method for acquiring and extracting data from NAND flash memory storage devices and to validate that methodology. Furthermore, a validated and reproducible framework for the acquisition and extraction of data from the NAND flash memory storage chip is developed as a guideline for forensic investigators who are required to preserve and recover data stored on NAND flash memory storage devices in a forensically acceptable manner. The digital forensic community is currently facing a situation determined by the rapidly increasing popularity of NAND flash memory technology. NAND flash technology is significantly different from other storage memory technologies. Like any technology that is new and evolving, manufacturers are still experimenting with the design and implementation of their versions. Compared to magnetic drives, there is no standardized approach to producing the NAND flash memory storage devices. The first part of this thesis presented the results of a literature review of NAND flash memory storage devices, digital forensics practices and principles, an understanding of the Flash Translation Layer (FTL) and the characteristics of the NAND flash memory chip, together with, logical versus physical acquisition and forensic guidelines. The literature review examined how the NAND flash memory storage chip differs architecturally from a traditional magnetic hard disk drive (HDD) and also highlighted that, given the increased use of NAND flash technology related devices as part of digital devices, NAND flash memory storage devices are an integral part of the creation of digital artefacts that may later need to be considered as evidence in criminal or civil proceedings. 
Existing forensic guidelines and procedures were developed based mainly on HDD technology and although NAND flash memory storage devices are widely accepted by consumers, they are poorly integrated into the forensic guidelines which have been explicitly discussed by forensic and data recovery experts. This thesis then identifies the gaps between well reputed forensic guidelines and further outlines through a series of experiments and analysis carried out with various parameters and concludes that those well reputed forensic practices and principles are inadequate to handle the NAND flash memory technology in a forensic manner. Through a series of experiments and iterations, the analysis showed that a complex forensic framework for the acquisition and extraction of NAND flash memory storage chip was created, verified and validated. This reinforces the need to recognise the issues raised by NAND flash memory storage devices to maximise the chance of data recovery. Specific processes were identified and the data recovery rate was measured for testing. In conclusion, this thesis develops a validated forensic framework and method in the acquisition and extraction of NAND flash memory storage chip that existing forensic techniques and guidelines are incapable of addressing thereby generating new knowledge and perspectives on ways to acquire and extract raw data from NAND flash memory storage device in general. This innovative model provides a new perspective on the acquisition and extraction of raw data from NAND flash memory storage devices which may be potentially useful in a court of law or similar.
11

Tagesson, Samuel. "Anti-forensik mot minnesforensik : En litteraturstudie om anti-forensiska metoder mot minnesdumpning och minnesanalys." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-17818.

Abstract:
IT forensic investigators face many difficulties in their work of obtaining and analyzing data. Criminals are using more and more anti-forensic methods to hide evidence that can be used against them. One common anti-forensic method is encryption. In order for IT forensic investigators to access the encrypted information, the encryption key can be found in the memory of the computer. This makes the computer's memory valuable to retrieve and analyze. However, there are several anti-forensic methods that a criminal can use to prevent the memory from being retrieved or analyzed. This study performs a systematic literature study to identify the current anti-forensic methods against memory analysis and memory dumping on Windows systems. Several methods are addressed where, among other things, the operating system is modified or built-in security functions on the CPU are used to prevent information being retrieved or analyzed from memory.
12

Hjerpe, David, and Henrik Bengtsson. "Digital forensics - Performing virtual primary memory extraction in cloud environments using VMI." Thesis, Blekinge Tekniska Högskola, Institutionen för datalogi och datorsystemteknik, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-16735.

Abstract:
Infrastructure as a Service and memory forensics are two subjects which have recently gained increasing amounts of attention. Combining these topics poses new challenges when performing forensic investigations. Forensics targeting virtual machines in a cloud environment is problematic since the devices are virtual, and memory forensics is a newer branch of forensics which is hard to perform and is not well documented. It is, however, an area of utmost importance since virtual machines may be targets of, or participate in, suspicious activity to the same extent as physical machines. Should such activity require an investigation to be conducted, some data which could be used as evidence may only be found in the primary memory. This thesis aims to further examine memory forensics in cloud environments and expand the academic field of these subjects and help cloud hosting organisations. The objective of this thesis was to study if Virtual Machine Introspection is a valid technique to acquire forensic evidence from the virtual primary memory of a virtual machine. Virtual Machine Introspection is a method of monitoring and analysing a guest via the hypervisor. In order to verify whether Virtual Machine Introspection is a valid forensic technique, the first task was to attempt extracting data from the primary memory which had been acquired using Virtual Machine Introspection. Once extracted, the integrity of the data had to be authenticated. This was done by comparing a hash sum of a file located on a guest with a hash sum of the extracted data. The experiment showed that the two hashes were an exact match. Next, the solidity of the extracted data was tested by changing the memory of a guest while acquiring the memory via Virtual Machine Introspection. This showed that the solidity is heavily compromised because the memory acquisition process used was too slow. The final task was to compare Virtual Machine Introspection to acquiring the physical memory of the host. By setting up two virtual machines and examining the primary memory, data from both machines was found, whereas Virtual Machine Introspection only targets one machine, providing an advantage regarding privacy.
13

Markanovic, Michel, and Simeon Persson. "Trusted memory acquisition using UEFI." Thesis, Blekinge Tekniska Högskola, Institutionen för kreativa teknologier, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3582.

Abstract:
Context. For computer forensic investigations, the necessity of unmodified data content is of vital essence. The solution presented in this paper is based on a trusted chain of execution that ensures that only authorized software can run. In the study, the proposed application operates in a UEFI environment where it has direct access to physical memory, which can be extracted and stored on a secondary storage medium for further analysis. Objectives. The aim is to perform this task while being sheltered from influence from a potentially contaminated operating system. Methods. By identifying key components and establishing the foundation for a trusted environment where the memory imaging tool can, unhindered, operate and produce a reliable result. Results. Three distinct states where trust can be determined have been identified and a method for entering and traversing them is presented. Conclusions. Tools that do not follow the trusted model might be subjected to subversion, thus they might be considered inadequate when performing memory extraction for forensic purposes.
14

Stuettgen, Johannes [author], and Felix [academic supervisor] Freiling. "On the Viability of Memory Forensics in Compromised Environments / Johannes Stuettgen. Reviewer: Felix Freiling." Erlangen : Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), 2015. http://d-nb.info/1076120490/34.

15

Maystorovich, Chulio Natalie Rebecca. "The Materiality of Human Remains in Unearthing Spain’s Repressed Past: What Exhumations Tell Us About Law, Forensics, Human Rights and Memory." Thesis, The University of Sydney, 2019. http://hdl.handle.net/2123/20904.

Abstract:
The exhumation of clandestine graves by NGOs and relatives of the disappeared involves human rights narratives and scientific forensic techniques. This research investigates the meaning generated by the exhumation and reburial of victims of enforced disappearance in Spain. The dissertation is theoretically anchored in symbolic interactionism, and explores how contemporary forensic techniques enhancing the evidentiary value of the body to testify enable human remains to be constructed as political and national subjects and mortuary rights are used to reconstitute relations between the living and the dead. The investigation utilised ethnographic data produced from participant observation, semi-structured interviews and documentary analysis. Exploring the ability of legal activists to forge links globally through legal and forensic collaboration. The Law of Historical Memory was passed after successful lobbying to establish a legal avenue of recognition and access to documentation and sites for the purpose of exhumation and identification of the disappeared. The thesis provides an original contribution to the literature with respect to the continuing bonds that are established through the materiality of human remains, not simply the objects tied to life. The thesis offers significant contribution to ethnographic studies of forensic exhumations by addressing the involvement of Argentine national courts demands for exhumations. This reinforces human rights narratives, highlighting the capacity of national courts to pressure foreign legal and political systems. The movement aims to change the legal architecture that has prevented investigations and recognition of the past, contributing to the continued discrimination of the vanquished. The contribution to the literature on transitional justice is distinctive given the exhumations are not connected to legal investigations and the attribution of guilt. 
The thesis argues the exhumation serves wider needs for justice and reconciliation through the acknowledgment of the past as part of an inclusive national narrative through the use of forensic evidence. It is the resignification of the dead in the public sphere to revive the political struggles of the past.
16

Maclennan, Maria. "Forensic jewellery : a design-led approach to exploring jewellery in forensic human identification." Thesis, University of Dundee, 2018. https://discovery.dundee.ac.uk/en/studentTheses/58ace496-6d42-4ea1-966e-a89080e69d6f.

Abstract:
Jewellery as a tool in the identification of the deceased is increasingly referenced within the scientific process of Forensic Human Identification (FHI). Jewellery’s prevalence in society, connection to both place and geographic region, potential to corroborate primary methods of identification (such as DNA, fingerprinting, or odontology), and robust physical form, means it progressively contributes to practices surrounding identification in a number of forensic fields. Physical marks or characteristics such as hallmarks or serial numbers, personal inscriptions or engravings, representational symbols (such as medals, badges of office, religious iconography or military insignia), and genealogical or gemmological markings, may also prove useful in informing investigators much about a piece - and potentially - the individual to whom it may have belonged. Despite this, jewellery is an approach to establishing human identity that has yet to be explicitly investigated from the perspective of either forensic science or jewellery design. The aim of this research has been to explore the potential of jewellery and highlight its significance within this context, through employing the processes and approaches of design. Informed by my own background in both jewellery and service design; I sought to co-design the interdisciplinary proposition of Forensic Jewellery as an extension of my own personal design practice, in addition to a broader hybrid methodology through which the dualistic perspective(s) of both forensic science and jewellery design may come to be mutually explored. By centring my methodology upon my practice, the research serves to document and reflect upon my auto-ethnographic experiences in inadvertently ‘prototyping’ my emergent new role as a Forensic Jeweller – a jewellery designer engaged within, or whose work pertains to, the field of forensic science. 
Through a range of forensic-based fieldwork, I sought to immerse myself within various communities of forensic practice by way of considering how a design practitioner may come to add value to this otherwise polarised field - a highly subjective and interpretive framework that has remained wholly unconsidered within forensic science. In simultaneously considering the impact of the perspective of forensics upon the broader field of jewellery design, I came to capture some of the otherwise restricted narratives of Forensic Jewellery emerging from the developing research context through a series of theoretically-informed design ‘reconstructions’: objects, concepts, and scenarios (representational, propositional, and metaphorical); educational material, and series of public engagement activities. The research thus culminates in a unique portfolio of practice – written, conceptual, and visual – with relevance to both forensic science and jewellery design history, theory, and practice. Original contributions to knowledge are demonstrated through the direct study of jewellery within real-world forensic settings through combined theory and practice, while the theoretical and conceptual debates surrounding identity, death, and the human body present within the field of jewellery design are simultaneously extended through the inclusion of forensics as a perspective. The research additionally demonstrates how the visual and tangible sensibilities of design can help to attend to otherwise challenging, emotional, or difficult subjects, capture and communicate tacit knowledge or anecdotal evidence, and ultimately contribute to the development of new and emergent research contexts.
17

Oskarsson, Tim. "Digital incursion: Breaching the android lock screen and liberating data." Thesis, Högskolan i Halmstad, Akademin för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-44939.

Abstract:
Android is the most used operating system in the world; because of this, the probability of an Android device being acquired in an investigation is high. To begin to extract data from an Android device you first need to gain access to it. Mechanisms like full system encryption can make this very difficult. In this paper, the advantages and disadvantages of different methods of gaining access and extracting data from an Android device with an unlocked bootloader are discussed. Many users unlock the bootloader of their Android device to gain a much greater level of control over it. Android forensics on a device without an unlocked bootloader is very limited. It is therefore interesting to study how you can extract data from an Android device that doesn’t have this limitation to Android forensics. A literature study is done on previous related research to gather methods for gaining access and extracting data. The methods collected are then tested by performing experiments on a OnePlus 3 (Android 9) and a OnePlus 8 (Android 11). The research of this paper found that it is possible to perform a brute force attack within a reasonable time against a PIN of length 4-5 or pattern of length 4-6 on the lock screen of an Android device. It found that you can optimise the attack by performing a dictionary attack by using public lists of the most used PIN codes. A list of all possible pattern combinations sorted and optimised for a dictionary attack is generated based on statistics of pattern starting location and length. A proof of concept is made by creating a copy of a fingerprint with common cheap materials to gain access through the fingerprint sensor. A device image was able to be extracted by using a root shell through Android Debug Bridge and common command-line tools. Memory forensics was performed by using Frida and was able to extract usernames, passwords, and emails from Google Chrome and Gmail. The custom recovery image TWRP was used to boot the device and gain root access, and was able to extract a full device image with common command-line tools. The results of the TWRP backup feature are also analysed. The results of the data extraction are then analysed manually and with Autopsy.
18

Bond, Elyse. "Creating Volatility Support for FreeBSD." ScholarWorks@UNO, 2015. http://scholarworks.uno.edu/td/2033.

Abstract:
Digital forensics is the investigation and recovery of data from digital hardware. The field has grown in recent years to include support for operating systems such as Windows, Linux and Mac OS X. However, little to no support has been provided for less well known systems such as the FreeBSD operating system. The project presented in this paper focuses on creating the foundational support for FreeBSD via Volatility, a leading forensic tool in the digital forensic community. The kernel and source code for FreeBSD were studied to understand how to recover various data from analysis of a given system’s memory image. This paper will focus on the base Volatility support that was implemented, as well as the additional plugins created to recover desired data, including but not limited to the retrieval of a system’s process list and mounted file systems.
19

Geier, Florian. "The differences between SSD and HDD technology regarding forensic investigations." Thesis, Linnéuniversitetet, Institutionen för datavetenskap (DV), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-44921.

Abstract:
In the past years solid state disks have developed drastically and are now gaining increased popularity compared to conventional hard drives. While hard disk drives work predictably, transparent SSD routines work in the background without the user’s knowledge. This work describes the changes to the everyday life for forensic specialists; a forensic investigation includes data recovery and the gathering of a digital image of each acquired memory that provides proof of integrity through a checksum. Due to the internal routines, which cannot be stopped, checksums are falsified. Therefore the images cannot prove integrity of evidence anymore. The report proves the inconsistency of checksums of SSD and shows the differences in data recovery through high recovery rates on hard disk drives while SSD drives scored no recovery or very poor rates.
20

Thakur, Neha S. "Forensic Analysis of WhatsApp on Android Smartphones." ScholarWorks@UNO, 2013. http://scholarworks.uno.edu/td/1706.

Abstract:
Android forensics has evolved over time offering significant opportunities and exciting challenges. On one hand, being an open source platform Android is giving developers the freedom to contribute to the rapid growth of the Android market whereas on the other hand Android users may not be aware of the security and privacy implications of installing these applications on their phones. Users may assume that a password-locked device protects their personal information, but applications may retain private information on devices, in ways that users might not anticipate. In this thesis we will be concentrating on one such application called 'WhatsApp', a popular social networking application. We will be forming an outline on how forensic investigators can extract useful information from WhatsApp and from similar applications installed on an Android platform. Our area of focus is extraction and analysis of application user data from non-volatile external storage and the volatile memory (RAM) of an Android device.
21

Regan, James E. "The forensic potential of flash memory." Thesis, Monterey, California : Naval Postgraduate School, 2009. http://edocs.nps.edu/npspubs/scholarly/theses/2009/Sep/09Sep%5FRegan.pdf.

Abstract:
Thesis (M.S. in Computer Science)--Naval Postgraduate School, September 2009.
Thesis Advisor(s): Garfinkel, Simson. "September 2009." Description based on title screen as viewed on November 5, 2009. Author(s) subject terms: Flash Memory, Forensics, Flash File Systems, Flash Transition Layer, YAFFS, JFFS2. Includes bibliographical references (p. 73-75). Also available in print.
22

Schultz, John S. "Offline forensic analysis of Microsoft Windows XP physical memory." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2006. http://library.nps.navy.mil/uhtbin/hyperion/06Sep%5FSchultz.pdf.

Abstract:
Thesis (M.S. in Computer Science)--Naval Postgraduate School, September 2006.
Thesis Advisor(s): Chris Eagle. "September 2006." Includes bibliographical references (p. 73-74). Also available in print.
23

Wiley, Stephen K. (Stephen Kenneth). "Forensic Hypnosis and Memory Enhancement: Recall, Recognition, and Confidence." Thesis, University of North Texas, 1989. https://digital.library.unt.edu/ark:/67531/metadc331238/.

Abstract:
The recent finding of memory enhancement using either cognitive mnemonic or standard hypnotic interviews (Geiselman et al., 1985) suggests the possibility of additive forensic utility when these methods are combined. The present crime-analogue study compared waking and hypnotic cognitive mnemonics to investigate this and potential problems previously unaddressed. Recall and recognition accuracy and confidence were measured for low and high density stimuli in a videotaped murder, including central, peripheral, and facial detail. The effect of misleading information given after stimulus presentation was also examined.
24

Maartmann-Moe, Carsten. "Forensic Key Discovery and Identification : Finding Cryptographic Keys in Physical Memory." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2008. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-8895.

Abstract:

Communication and whole-disk cryptosystems are on the verge of becoming mainstream tools for protection of data, both in corporate laptops and private computing equipment. While encryption is a useful tool, it also presents new problems for forensic investigators, as clues to their investigation may be undecipherable. However, contrary to popular belief, these systems are not impenetrable. Forensic memory dumping and analysis can pose as ways to recover cryptographic keys that are present in memory due to bad coding practice, operation system quirks or hardware hacks. The volatile nature of physical memory does however challenge the classical principles of digital forensics as its transitory state may disappear at the flick of a switch. In this thesis, we analyze existing and present new cryptographic key search algorithms, together with different confiscation and analysis methods for images of volatile memory. We provide a new proof of concept tool that can analyze memory images and recover cryptographic keys, and use this tool together with a virtualized testbed to simulate and examine the different states of platforms with several separate cryptosystems. Making use of this testbed, we provide experiments to point out how modern day encryption in general is vulnerable to memory disclosure attacks. We show that memory management procedures, coding practice and the overall state of the system have great impact on the amount and quality of data that can be extracted, and present simple statistics of our findings. The discoveries have significant implications for most software encryption vendors and the businesses relying on these for data security. Using our results, we suggest best practices that can help investigators build a more comprehensive data foundation for analysis, by reconstructing virtual memory from RAM images. We also discuss how investigators may reduce the haystack by leveraging memory and process structure on Windows computers. Finally we tie this to current digital forensic procedures, and suggest an optimized way of handling live analysis based on the latest development in the field.

25

Stimson, Jared M. "Forensic analysis of Windows' virtual memory incorporating the system's page-file." Thesis, Monterey, California. Naval Postgraduate School, 2008. http://hdl.handle.net/10945/3714.

Abstract:
Computer Forensics is concerned with the use of computer investigation and analysis techniques in order to collect evidence suitable for presentation in court. The examination of volatile memory is a relatively new but important area in computer forensics. More recently criminals are becoming more forensically aware and are now able to compromise computers without accessing the hard disk of the target computer. This means that traditional incident response practice of pulling the plug will destroy the only evidence of the crime. While some techniques are available for acquiring the contents of main memory, few exist which can analyze these data in a meaningful way. One reason for this is how memory is managed by the operating system. Data belonging to one process can be distributed arbitrarily across physical memory or the hard disk, making it very difficult to recover useful information. This report will focus on how these disparate sources of information can be combined to give a single, contiguous address space for each process. Using address translation a tool is developed to reconstruct the virtual address space of a process by combining a physical memory dump with the page-file on the hard disk.
26

Stimson, Jared M. "Forensic analysis of Window's® virtual memory incorporating the system's page-file." Monterey, Calif. : Naval Postgraduate School, 2008. http://edocs.nps.edu/npspubs/scholarly/theses/2008/Dec/08Dec%5FStimson.pdf.

Abstract:
Thesis (M.S. in Computer Science)--Naval Postgraduate School, December 2008.
Thesis Advisor(s): Eagle, Chris S. "December 2008." Description based on title screen as viewed on February 2, 2009. Includes bibliographical references (p. 89-90). Also available in print.
27

Ryan, Rebecca G. "Assessment of a novel interview technique for improving young children's forensic reports." Morgantown, W. Va. : [West Virginia University Libraries], 2004. https://etd.wvu.edu/etd/controller.jsp?moduleName=documentdata&jsp%5FetdId=3607.

Abstract:
Thesis (M.A.)--West Virginia University, 2004.
Title from document title page. Document formatted into pages; contains viii, 76 p. : ill. Includes abstract. Includes bibliographical references (p. 40-43).
28

Sarwar, Farhan. "Eyewitness testimonies : The memory and meta-memory effects of retellings and discussions with non-witnesses." Doctoral thesis, Lund university. Department of psychology, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-16643.

Abstract:
This thesis investigated the effects of eyewitnesses' retellings and discussions with non-witnesses on the eyewitness memory and meta-memory judgments. In Study I, the effect of eyewitness discussions with non-witnesses (persons who had not experienced the event) on eyewitness memory and meta-memory realism for the overall information about an event was investigated. The results suggest that discussions of an experienced event may reduce some of the beneficial memory and meta-memory effects caused by mere retellings, but may not have great negative effects compared to a control condition. Analysis of the type of questions asked suggests listeners ask more about the peripheral details as compared with the central details. In a follow-up study to Study I, conducted a year later, participants in the Retell condition no longer showed evidence of the memory and meta-memory benefits evident at the original final test after about 24 days. However, participants in the Retell condition recalled a higher number of correct items than participants in the Control condition. In Study II, the effect of eyewitness discussions with non-witnesses on eyewitness memory and meta-memory realism for different types of information was investigated. The different types of information were Forensically central, Forensically peripheral, and Non-forensic information. These are types of information that the police may ask at the beginning of a crime investigation. The results from the two experiments showed that participants had better memory and meta-memory realism for Forensically central and Non-forensic information than for Forensically peripheral information. Moreover, participants in the four conditions were equally capable of distinguishing between correct and incorrect items. Further, in Experiment 1 participants in conditions involving retelling and discussing the event reported more total number and number of correct Forensically central items as compared to the Control condition. Study III investigated if retellings and discussions would cause more reminiscence and hypermnesia than mere retellings. The results showed that discussions indeed cause more reminiscence and hypermnesia over the five sessions as compared to mere retellings. The results also showed that the number of times a piece of information was repeated over the sessions was associated with a higher probability for that piece of information being retrieved at the final recall. Interestingly, if the information was retold or discussed in an earlier or later session did not predict if this information would be reported in the testing session or not. Last, the results showed that the forensically peripheral information, but not forensically central information, was affected by the reiteration effect (i.e., the effect that confidence tends to increase when a person asserts the same statement many times). This may be due to the fact that the peripheral information was less integrated than the central information.
It is common for eyewitnesses to retell and discuss an experienced crime event with their family and friends. The purpose of these discussions is to update family and friends on what is new. These discussions have consequences for the eyewitness's later memory reporting and meta-memory judgments. Memory reporting here means what an eyewitness can recall about the witnessed event, and meta-memory judgments mean the eyewitness's feelings of certainty that his/her memories of the event are correct. Witnesses' meta-memory judgments are referred to below as confidence judgments. The expression "good realism" in the meta-memory judgments means that the level of the witness's confidence judgments matches the level of correctness in the witness's memory report of the experienced event. The witness's memory report and confidence judgments of their reported memories are important information in forensic contexts. Memory helps us understand the details of the crime event, and the witness's confidence judgments help in understanding the correctness of these memories. This thesis has investigated the effects of eyewitnesses retelling and discussing (a film recording of) an experienced crime event with non-witnesses (persons who have not experienced the event) on eyewitnesses' memory reporting and on their confidence judgments of the reported memories. In Study I, participants first watched a short film (about 4 minutes) and then, five times over a three-week period and divided into three conditions, either only retold the event or both retold and discussed the event with non-witnesses (either in a laboratory setting or with family members and friends). The listeners were new persons in each of the five sessions. These three experimental conditions were compared against a control condition in which these activities did not take place. All participants completed a concluding sixth test session in which the witnesses were instructed to retell everything they could remember of the experienced event (i.e., open free recall) and, three days later, to give confidence judgments of the various constituent elementary memory statements in the reported memories. Of interest in the study was thus the effect of repeated retelling and discussions of an experienced event on eyewitnesses' memory reporting and on the realism of the witnesses' confidence judgments in the concluding sixth test session. The results suggest that discussions of an experienced event can reduce some of the positive effects on the quality of the memory report and on the realism in meta-memory that are caused by retelling alone, but that the discussions do not have large negative effects compared with a control condition in which retelling and discussions of the event did not take place. Analysis of the type of questions the listeners asked showed that they asked more about the peripheral details of the event than about the event's central details (primarily actions). A follow-up study to Study I was conducted one year later. This study showed no remaining signs of the benefits to memory reporting and meta-memory that the participants in the condition that had only retold the event five times showed in the final session of Study I after about 24 days. However, the participants in the condition that had only retold the event had, after one year, a higher number of correct reported memory statements compared with the participants in the control condition. Study II was based partly on the same data as Study I. Here, the effect of eyewitnesses' discussions with non-witnesses on eyewitnesses' memory and meta-memory realism for different types of information was investigated. The different types of information analysed were Forensically central, Forensically peripheral, and Non-forensically relevant information. The two Forensically relevant information types are information that the police are likely to want at the beginning of a crime investigation. The results from the two experiments in Study II showed that participants had better memory and meta-memory realism for Forensically central and for Non-forensically relevant information than for Forensically peripheral information. In addition, the participants in the four conditions in Experiment I (the same four conditions as in Study I) were equally capable of distinguishing between correct and incorrect items by means of the level of their confidence judgments for all three information types. Experiment 1 in Study II also showed that the participants in the conditions where participants retold and discussed the event reported a higher number of correct Forensically central memory statements compared with the control condition. Study III concerned data from two of the conditions in Study I, specifically recorded data from the five retelling rounds in the condition where participants only retold the event and recorded data from the condition where participants both retold and discussed the event in the laboratory. The study showed that the participants in the condition where participants both retold and discussed the event showed more reminiscence (more memory statements, both correct and incorrect, over the five sessions) and more hypermnesia (addition of more correct memory statements over the five sessions) than the participants in the condition where they only retold the event five times over three weeks. The results also showed that the number of times a memory statement was repeated during the sessions was associated with a higher probability that the memory statement would be reported at the final recall. By contrast, interestingly, whether the memory statements had been retold or discussed in an earlier or later session (of the 5 sessions) had no effect on whether the memory statement would be reported in the sixth test session or not. Finally, the results of Study III showed that the Forensically peripheral memory statements, but not the Forensically central statements, showed a so-called reiteration effect, which means that the feeling of certainty (i.e., experienced confidence that the statement is correct) increases as an effect of the statement being repeated more times. This may be because the Forensically peripheral information is less well integrated than the Forensically central information.
29

Gurney, D. J. "The misleading potential of communicative hand gestures in a forensic interview." Thesis, University of Hertfordshire, 2011. http://hdl.handle.net/2299/6003.

Abstract:
A wealth of research has highlighted the susceptibility of eyewitnesses to verbal influence. However, considerably less attention has been paid to the role of nonverbal influence in police questioning. The purpose of this thesis was to evaluate the extent to which gestures can exert an influence on witnesses and skew their responses when questioned. Study 1 initially investigated this by presenting participants with an on-screen 'police' interviewer who accompanied his questions with gestures conveying either accurate or misleading information about a piece of video footage they had witnessed. Results showed that, for one question in particular, participants' responses concurred with the information conveyed to them in gesture; accurate gestures led more participants to giving correct responses and misleading gestures led more participants to giving fabricated responses. Study 2 built on this by examining whether gestures could also affect the confidence attributed to their responses in order to give insight into whether gestures were knowingly processed for information. It was found that, in some cases, gestures were able to increase confidence in both accurate and misled responses. Study 3 examined participants' awareness of gesture further by studying their attention to gesture during its performance and ability to identify it retrospectively on a recognition task. A new set of questions confirmed that gestures could influence the responses of participants (including those working in the legal profession) and revealed that the influence of gesture appears to be at its strongest when unnoticed by participants. Finally, study 4 considered whether the results of the previous studies could be replicated in a more ecologically valid interview scenario and confirmed that gestures continued to be influential when performed face-to-face. 
Overall, it was concluded that gestures can impact accurate eyewitness testimony and can be a powerful influential tool in police interviews.
30

Caiola, Marisa Anna Lucia. "Effects of alcohol intoxication and encoding conditions on eyewitness memory." FIU Digital Commons, 1993. http://digitalcommons.fiu.edu/etd/1969.

Abstract:
Several researchers have investigated the effects of alcohol on memory. Few researchers have studied the effects of alcohol on an eyewitness's recall and recognition of crime events. This study proposed to examine the effects of alcohol and viewing conditions on subjects' ability to recall information regarding a videotaped bank robbery. Thirty male and 22 female subjects participated in a 2 (consumption: alcohol v. no alcohol) x 2 (lighting: good v. poor) factorial experiment with Average Accuracy and Total Amount of Information recalled as the primary dependent measures. There was no significant difference between the Intoxicated and Sober subjects regarding the amount of information recalled or their average accuracy. The main effect for lighting conditions and gender differences were also not significant.
31

Vömel, Stefan [Verfasser], and Felix C. [Akademischer Betreuer] Freiling. "Forensic Acquisition and Analysis of Volatile Data in Memory / Stefan Vömel. Gutachter: Felix C. Freiling." Erlangen : Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), 2014. http://d-nb.info/1075475597/34.

32

Hedlund, Niklas. "IT-Forensisk undersökning av flyktigt minne : På Linux och Android enheter." Thesis, Högskolan Dalarna, Datateknik, 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:du-13124.

Abstract:
Being able to carry out an efficient investigation of volatile memory is becoming more and more important in IT forensic investigations, partly for Linux- and Windows-based PC installations but also for mobile devices in the form of Android and devices based on other mobile operating systems. Android uses a modified Linux kernel, where the modifications are there to adapt the kernel to the special requirements that apply to a mobile operating system. These modifications include message handling between processes as well as changes to how internal memory is handled and monitored. Since these two kernels are so closely related, the same basic principles can be used to dump and examine memory. The dumping is done via a kernel module, which in this report is a piece of software called LiME that can handle both kernels. Analysis of the memory requires that the tools used have an understanding of the memory layout in question. Depending on which method the tool uses, information about various symbols may also be needed. The tool used in this thesis is called Volatility and is, on paper, capable of extracting all the information needed to carry out a correct investigation. The work was intended to further develop existing methods for analysis of volatile memory on Linux-based machines (PC) and embedded systems (Android). Problems arose in the investigation of volatile memory on Android, and the goals set could not be fully achieved. It turned out that memory analysis aimed at the PC platform is both simpler and smoother than it is for Android.
The ability to be able to make an efficient investigation of volatile memory is something that gets more and more important in IT forensic investigations. Partially for Linux and Windows based PC systems but also for mobile devices in the form of the Android or devices based on other mobile operative systems. Android uses a modified Linux kernel where the modifications exclusively are to adapt it to the demands that exist in an operative system targeting mobile devices. These modifications contain message passing systems between processes as well as changes to the memory subsystems in the aspect of handling and monitoring. Since these two kernels are so closely related it is possible to use the same basic principles for dumping and analysing of the memory. The actual memory dumping is done by a kernel module which in this report is done by the software called LiME which handles both kernels very well. Tools used to analyse the memory need to understand the memory layout used on the system in question; depending on the type of analysis method used they might also need information about the different symbols involved. The tool used in this project is called Volatility which in theory is capable of extracting all the information needed in order to make a correct investigation. The purpose was to expand on existing methods for analysing volatile memory on Linux-based systems, in the form of PC machines as well as embedded systems like Android. Difficulties arose when the analysing of volatile memory for Android could not be completed according to existing goals. The final result came to show that memory analysis targeting the PC platform is both simpler and more straightforward than what it is if Android is involved.
33

Woolnough, Penny S. "Victimisation and eyewitness memory : exploring the effects of physiological and psychological factors." Thesis, University of St Andrews, 2002. http://hdl.handle.net/10023/13121.

Abstract:
This thesis presents research designed to explore the role of physiological and psychological factors in mediating the effects of victimisation upon eyewitness memory. A tripartite model of arousal and memory is proposed encompassing physiological, psychological and motivational mechanisms. In order to investigate the potential role of these mechanisms, three laboratory based studies and one archival study are presented. The results of the laboratory studies suggest that physiological arousal may not influence eyewitness memory. In contrast, whilst direct support for an influence of psychological arousal is not provided, the possibility that psychological arousal may be an important factor cannot readily be dismissed. From a methodological perspective, contrary to existing laboratory-based research concerning visually-induced arousal, the results of the laboratory studies suggest that personal involvement may be an important factor influencing memory. Furthermore, the third laboratory study found that, differences in memory for emotional and neutral material may be a function of inherent differences between the material rather than an influence of arousal. Finally, in order to compare and contrast laboratory based research with the performance of real witnesses, a field based study utilising closed-circuit television to assess eyewitness accuracy for action details was conducted. In line with Studies One and Two, victims and bystanders were not found to differ in their memory performance. This study provides direct support for existing field and archival research suggesting that real victims and bystanders tend to be highly accurate in their eyewitness accounts. Taken together, the results of the research presented in this thesis suggest that whilst physiological arousal may not be an important factor influencing eyewitness memory, psychological and motivational influences may be important when witnesses are personally involved with the target incident.
34

Ogeskär, Tobias. "Forensisk analys av volatilt minne från operativsystemet OS X." Thesis, Högskolan Dalarna, Datateknik, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:du-17319.

Abstract:
The need to analyze volatile memory on Macintosh computers running OS X has become increasingly important because these computers have become more popular and volatile memory analysis has become a more important part of an IT forensic examiner's work. The reason volatile memory analysis has become more important is that it is possible to find information that is not stored permanently on the computer's hard drive. The problem that formed the basis for this thesis was that there was an obvious lack of methods for investigating the volatile memory of Macs running OS X. The aim of this work was therefore to investigate the possibility of extracting information from the volatile memory of a Mac computer running OS X by identifying and assessing different methods of investigation. To carry out this investigation, literature studies, informal interviews, the author's own knowledge and practical experiments were used. It was concluded that the ability to extract information from the volatile memory of a Mac computer running OS X is relatively limited. The biggest problem is the dumping of the memory itself. Many of the available dumping methods require administrative rights. When analyzing a memory dump, one should never rely on a single analysis method, since different analysis methods give different results that can be useful for further investigation of a Mac computer.
35

Dilevski, Natali. "Adult Memory for Instances of Repeated Emotionally Stressful Events: Forensic Implications for Victims’ Testimony Regarding Repeated Abuse." Thesis, The University of Sydney, 2021. https://hdl.handle.net/2123/26859.

Abstract:
This thesis examined the effect of different estimator (emotional stress) and system variables (retention interval, retrieval cues) on women’s ability to accurately remember repeated-event instances. Experiments 1 and 2 examined whether emotional stress impacted memory for a repeated event differently than no stress. Experiment 1 findings suggested that particularising an instance of a repeated event was challenging regardless of whether the event was emotionally stressful or not. However, when memory was assessed for the entire repeated event (i.e., all instances in the series) in Experiment 2, the findings revealed that emotional stress had a general recall-enhancing effect on memory for the entire repeated event in comparison to the no stress group. Experiment 3 examined the effect of shorter (15-mins, 1-week) and longer (3-weeks) retention intervals on memory for each instance of a repeated emotionally stressful event. The findings revealed that following a short retention interval, memory was better for the last instance, while memory for the first instance was better when there was a longer retention interval. Experiments 4 and 5 examined the effect of different retrieval strategies on participants’ ability to identify and report on a well-remembered instance. The results showed that repeated-event participants were better at identifying a memorable instance when memory was cued using a self-generated ‘remember best’ prompt (e.g., “the time with the hammer”) rather than a temporal-based ‘remember best’ prompt (e.g., “tell me about the first time”). The findings from this thesis suggest that memory for a repeated event might be influenced by factors such as emotional stress, retention interval, the instance being recalled, and the retrieval cue used to elicit the memory. The discussion outlines the theoretical contributions of these findings for adult memory for repeated events, and the forensic implications for victims’ testimony regarding repeated abuse.
36

Latzo, Tobias [Verfasser], Felix [Akademischer Betreuer] Freiling, and Felix [Gutachter] Freiling. "All your System Memory are belong to us: From Low-Level Memory Acquisition to High-Level Forensic Event Reconstruction / Tobias Latzo ; Gutachter: Felix Freiling ; Betreuer: Felix Freiling." Erlangen : Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), 2021. http://d-nb.info/1239419090/34.

37

French, Tricia A. "The effect of a weapon's presence on witnesses' memory for auditory information." Virtual Press, 2001. http://liblink.bsu.edu/uhtbin/catkey/1221315.

Abstract:
Research supports the notion that weapons impair eyewitnesses' memory for visual information (weapon focus effect). Pickel and Betts (1999) found that the presence of a weapon can also interfere with witnesses' memory for auditory information. The primary objective of the current study was to replicate Pickel and Betts's (1999) findings, to extend their findings by implementing different methodological procedures, and to control for a confound associated with their study. A secondary goal was to further investigate the impact that arousal and novelty have on the weapon focus effect. Participants watched a videotape depicting a story about a man stalking a woman. The man approached the woman holding either a switchblade knife or a black ballpoint pen. The man's conversation varied so that it was either easy or difficult to comprehend. Participants then completed questionnaires assessing their arousal level, memory for visual and auditory information, and perceived unusualness of the object carried by the target. In addition, they attempted to identify the target in a photo and audio lineup. Results indicate that the presence of a weapon does not affect memory for vocal characteristics or for semantic content of speech when the content of the message is rather simple. As the complexity of the message increases, however, a weapon will interfere with witnesses' memory for the content. Also, results support the hypothesis that the weapon focus effect occurs because the weapon is perceived to be unusual and that increased levels of arousal are not necessary to obtain the effect. Analyses revealed no significant effects or interactions related to witnesses' ability to identify the man in the photo or audio lineup. The results supported Pickel and Betts's (1999) conclusions, thus increasing our knowledge concerning the reliability of eyewitness testimony.
Department of Psychological Science
38

Varnaseri, Helena. "Specificity of autobiographical memory : a mediator in the relationship between interpersonal experience and functioning." Thesis, Canterbury Christ Church University, 2014. http://create.canterbury.ac.uk/12790/.

Abstract:
This study sought to investigate whether three forms of Early Maladaptive Schema (EMS) and autobiographical memory specificity mediated the relationship between abuse and attachment in childhood with Borderline Personality Disorder (BPD) characteristics among forensic inpatients. The study adopted a quantitative cross-sectional design. Thirty-four male adults residing in medium secure facilities completed self-report measures. Data was analysed using bootstrapped mediation procedures. The study’s hypotheses received partial support. The EMS of “mistrust/abuse”, “entitlement/grandiosity” and autobiographical memory specificity differentially mediated the relationship between emotional and physical abuse and neglect and parental care and overprotection with BPD characteristics. The study concluded that in line with attachment theory and the functional avoidance mechanism (Williams et al., 2007), the proposed mediators are conceptualised as adaptive responses to early adversity with potential maladaptive consequences for later interpersonal functioning. Clinical implications encourage the incorporation of these mediators into clinical formulation, intervention and ward practices. It is recommended that future research replicates the study’s design with a larger sample and investigates the role of other mediators and moderators in this complex relationship.
39

McIntyre, A. H. "Applying psychology to forensic facial identification : perception and identification of facial composite images and facial image comparison." Thesis, University of Stirling, 2012. http://hdl.handle.net/1893/9077.

Abstract:
Eyewitness recognition is acknowledged to be prone to error but there is less understanding of difficulty in discriminating unfamiliar faces. This thesis examined the effects of face perception on identification of facial composites, and on unfamiliar face image comparison. Facial composites depict face memories by reconstructing features and configurations to form a likeness. They are generally reconstructed from an unfamiliar face memory, and will be unavoidably flawed. Identification will require perception of any accurate features, by someone who is familiar with the suspect and performance is typically poor. In typical face perception, face images are processed efficiently as complete units of information. Chapter 2 explored the possibility that holistic processing of inaccurate composite configurations will impair identification of individual features. Composites were split below the eyes and misaligned to impair holistic analysis (cf. Young, Hellawell, & Jay, 1987); identification was significantly enhanced, indicating that perceptual expertise with inaccurate configurations exerts powerful effects that can be reduced by enabling featural analysis. Facial composite recognition is difficult, which means that perception and judgement will be influenced by an affective recognition bias: smiles enhance perceived familiarity, while negative expressions produce the opposite effect. In applied use, facial composites are generally produced from unpleasant memories and will convey negative expression; affective bias will, therefore, be important for facial composite recognition. Chapter 3 explored the effect of positive expression on composite identification: composite expressions were enhanced, and positive affect significantly increased identification. Affective quality rather than expression strength mediated the effect, with subtle manipulations being very effective. Facial image comparison (FIC) involves discrimination of two or more face images.
Accuracy in unfamiliar face matching is typically in the region of 70%, and as discrimination is difficult, may be influenced by affective bias. Chapter 4 explored the smiling face effect in unfamiliar face matching. When multiple items were compared, positive affect did not enhance performance and false positive identification increased. With a delayed matching procedure, identification was not enhanced but in contrast to face recognition and simultaneous matching, positive affect improved rejection of foil images. Distinctive faces are easier to discriminate. Chapter 5 evaluated a systematic caricature transformation as a means to increase distinctiveness and enhance discrimination of unfamiliar faces. Identification of matching face images did not improve, but successful rejection of non-matching items was significantly enhanced. Chapter 6 used face matching to explore the basis of own race bias in face perception. Other race faces were manipulated to show own race facial variation, and own race faces to show African American facial variation. When multiple face images were matched simultaneously, the transformation impaired performance for all of the images; but when images were individually matched, the transformation improved perception of other race faces and discrimination of own race faces declined. Transformation of Japanese faces to show own race dimensions produced the same pattern of effects but failed to reach significance. The results provide support for both perceptual expertise and featural processing theories of own race bias. Results are interpreted with reference to face perception theories; implications for application and future study are discussed.
40

Cameron, Lynsey. "An exploration of self-awareness of autobiographical memory deficits in forensic mental health service users with psychosis and its impact on service engagement." Thesis, University of Glasgow, 2015. http://theses.gla.ac.uk/6710/.

Abstract:
Background: People with psychosis display difficulties with autobiographical memory (AM). They also show poor awareness of deficits in cognitive ability; however, it is not yet known if this extends to awareness of deficits in AM. It is unclear if any awareness deficit is specific to AM or is part of a more general deficit in metacognitive ability. Alternatively, awareness deficits could be attributable to executive functioning problems. Deficits in these domains are also predicted to disrupt engagement in services. Aims: We aimed to test the degree to which patients were aware of deficits in AM and the extent to which this awareness, and their AM ability, were related to metacognitive ability. We also aimed to identify if AM for crime-related memories differed to that for general events and to study the impact of these factors on engagement in services. Methods: AM and metacognitive abilities were indexed using the AMI and the MAS-A. Awareness of AM abilities was operationalised as the discrepancy between self-ratings and actual performance. Cognitive functioning was also tested using a digit span, story recall, and ToPF. Staff members rated the service engagement of each participant using the SES. Results: Participants recalled recent events better than events from early adulthood or childhood. They judged that they were able to better recall offence histories than other life events. They exhibited a more impaired metacognitive ability than observed in a previous sample of healthy controls, and the results display a non-significant trend towards AM ability being related to metacognitive ability. Engagement was unrelated to metacognition or AM. Conclusions: We present preliminary evidence of an association between AM ability and metacognition; however, there are methodological limitations. This shows signs that there may be a benefit to conducting a larger sample size study in this area.
It also allowed us to pilot and evaluate the methods, identifying ways in which research could be progressed in the future.
41

Gültekin, Raver. "Testifying through another tongue: Examining the effects of language barriers on accuracy and suggestibility in eyewitness testimonies." Thesis, Stockholms universitet, Psykologiska institutionen, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:su:diva-160651.

Abstract:
Language barriers in eyewitness testimonies may pose threats toward witnesses’ accuracy, and consequently on the outcome of judicial procedures. The present study aims to investigate the credibility and the extent of reported detail information of eyewitnesses’ testimony of a crime event, when the testimony is given in witnesses’ first language, second language, or second language through interpreter. Moreover, the study examines whether eyewitness suggestibility is affected by the language to which the testimony is provided. Participants (N=60) were exposed to a mock crime event and subsequently performed memory tests about that event. Results showed no differences in accuracy of suggestibility between experimental conditions. The personality trait social desirability showed no relation to suggestibility or the extent of inaccurate detail information provided in the present study. The findings are discussed in the context of implications, limitations and future directions.
42

Sjöberg, Rickard L. "Children's testimony /." Stockholm, 2002. http://diss.kib.ki.se/2002/91-7349-124-1/.

43

Roth, Jessica A. Roth. "The Politics of Victimization and Search for the Disappeared in Post-Conflict Peru." Ohio University Honors Tutorial College / OhioLINK, 2018. http://rave.ohiolink.edu/etdc/view?acc_num=ouhonors1524844642964494.

44

Scheuermann, Melina. "Animated Memories : A case study of the animated documentary 'Saydnaya – Inside a Syrian Torture Prison' (2016) and its potential within social memory." Thesis, Stockholms universitet, Filmvetenskap, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:su:diva-185061.

Abstract:
Through its ability to create images of non-representable incidents animation expands the range and depth of what documentary can represent and how. This master thesis investigates the potential of animated documentary within social memory exemplified by the interactive animated documentary Saydnaya – Inside a Syrian Torture Prison (Forensic Architecture, 2016). By applying a feminist spatial approach, I aim to contribute to the understanding of the role of animated documentary images within social memory. Embodied and haptic spectatorship as well as haptic materiality are crucial in this case study due to the nature of the virtual screen images and interactive navigation (compared to montage) of the architectural 3D model. Testimonies and evidence presented in documentary film require a discursive establishment of truth. Indexicality is discussed in this regard and eventually a theoretical shift towards movement suggested. I demonstrate that Saydnaya extends the strategies in animated documentary that have been in focus so far, such as representing mental states and subjective experiences, by deploying methods of forensic aesthetics. This opens up novel ways to establish truth claims and persuasion in documentary filmmaking that require future research.
45

Brown, Sarah. "The course of cognition in mentally ill offenders and the implications for risk of violence : a 10-12-year follow-up study." Thesis, University of Edinburgh, 2017. http://hdl.handle.net/1842/22913.

Abstract:
Background: It is now well established that there are core cognitive impairments associated with a diagnosis of schizophrenia. In parallel with our increased understanding of these core deficits, our awareness that mentally ill offenders (MIOs) are at additional risk of cognitive impairment due to an increased rate of traumatic brain injury and substance abuse has also grown. Absent from the literature is evidence of whether these cognitive impairments change over longer periods of time in MIOs and whether these changes, or baseline abilities, impact an individual’s risk of violence. Furthermore, the negative impact head injury has on an individual’s cognitive, behavioural and psychological functioning is well documented. These changes can lead to an increased likelihood of violence and crime, yet there is currently a scarcity of knowledge regarding the prevalence of head injury within mentally ill offenders in Scotland and its association with risk-related outcomes. Aims: The aims of the present thesis were to: (a) Examine the course of cognition in N=49 mentally ill offenders who underwent neuropsychological assessment while in the State Hospital, Scotland in 2004-5, and assess whether baseline or change in cognition predicts violent incidents or risk at follow-up, and; (b) Examine the cross-sectional association between head injury, substance abuse and risk-related outcomes of all individuals within the forensic network in Scotland for whom data could be extracted (N=428). Hypotheses: (a) We hypothesized that processing speed, verbal comprehension, working memory, delayed verbal memory, delayed non-verbal memory, impulsivity, inattention and problem-solving would decline over a 10-year period, and that deficits in impulsivity, emotion recognition, working memory and delayed memory would predict patients’ risk-related outcomes in a sample of mentally ill offenders.
(b) It was also hypothesized that the presence of head injury and/or substance abuse within patients would predict worse risk-related outcomes, namely: quantity of violent offences, risk of harm to self, risk of harm to others and severity of violent offences. Analysis: We conducted a series of repeated measures MANOVAs, MANCOVAs and hierarchical linear regressions in SPSS Statistics to test our hypotheses. Individuals with a primary or secondary diagnosis of a learning disability were excluded. Results: (a) Our results propose that cognitive abilities significantly change over time (F(1.51, 30.1) = 5.98, p = .011), but direction of change is ability dependent. We found that impulsivity (Effect Size (ES) = .253), inattention (ES = .233), working memory (ES = .288) and auditory delayed memory (ES= .268) worsen over time. Measures of impulsivity and working memory significantly predicted some, but not all, risk-related outcomes, however these effects became diluted once additional variables with shared variance were added into the predictive models. We did not find that traumatic brain injury, substance misuse or alcohol misuse significantly mediated change in cognition over time. (b) In the national cohort study, results suggested that head injury had a significant effect on HCR total scores, F(1,259) = 6.679, p = .010 (partial eta square = .025), violence during admission (χ2 = 5.545, p = .022) and violent offences at a .1 p-value only, F(1,259) = 3.495, p = .063 (partial eta square = .013). Drug misuse only had a significant impact on total violent offences, F(1,259) = 8.933, p = .003 (partial eta square = .033) and nothing else. Furthermore, the interaction between alcohol misuse and schizophrenia also only had impact on total violent offences, F(1, 259) = 7.516, p = .007 (partial eta square = .028). Head injury was not significantly associated with either historical or current self-harm, however alcohol misuse, drug misuse and schizophrenia were. 
Conclusions: Our results highlight the unstable nature of cognition in mentally ill offenders and the impact that head injury has on violence-related outcomes, over and above substance misuse and a diagnosis of schizophrenia. This has potentially renovating implications for clinical practice regarding risk management, assessment, and treatment planning.
46

Clack, Maureen. "Returning to the scene of the crime the Brothers Grimm and the yearning for home /." Access electronically, 2006. http://www.library.uow.edu.au/adt-NWU/public/adt-NWU20080807.150418/index.html.

47

Pina, Ríos Rocío. "Recordando un suceso de violencia de género. El caso del recuerdo de la información lingüística con contenido emocionalmente negativo en función del esquema, el contexto de presentación y las características de recuperación." Doctoral thesis, Universitat Autònoma de Barcelona, 2016. http://hdl.handle.net/10803/370113.

Abstract:
While there is little research on the recall and accuracy of conversations in earwitnesses, there is even less analysis of emotionally negative linguistic information in the forensic context. In the present study we examine this particular type of recall through the presentation, in a natural context, of statements that included verbal and psychological violence in a typical scene of gender-based violence. We manipulated the presentation format (audiovisual and auditory) as well as the retrieval format (with and without mental reinstatement of context), and we evaluated the possible predictive effect of stereotyped knowledge on the remembered event of gender-based violence by means of the Domestic Violence Acceptance Myth Scale (DVMAS). Different measures were used to analyse recall. On the one hand, we carried out a recognition task that included both true actions and false ones that were nevertheless typical of the violent situation presented, whose content referred to visual or auditory actions. On the other hand, we analysed free recall, evaluating the number of recall units, distortions and intrusions referring to people, objects, environment, actions and conversations. For conversations, literal or general recall was measured. The results showed a virtual absence of any relationship between the measure of stereotyped knowledge and the recall and false memory scores obtained. High scores on the DVMAS only predicted higher rates of recognition and omission consistent with the stereotyped schema of the sequence presented. Visual presentation of the information, as expected, only favoured the recall of information with visual content, not the recall of linguistic information. As for the mental reinstatement of context, it was only effective in improving the recall of visual information in those who had no perceptual information about it. The analysis of the conversations confirmed the primacy of general recall over literal recall. Finally, with regard to the false memories generated, their creation showed no association with the study variables, except for an increase in their production among those who received only auditory information. These results are interpreted in light of the importance and high interactive load of the emotionally negative verbal information that is encoded, whose significance in the scene presented would have redirected recall and masked the possible effects that the factors under analysis might have produced. Further research is therefore encouraged into how the recall of verbal and psychological violence occurs, what characterizes it, and how it is remembered and transmitted, in order to understand the effect that its recall has in the forensic context in which we are situated.
48

Baghyari, Roza, and Carolina Nykvist. "Händelsekonstruktion genom säkrande och analys av data från ett hemautomationssystem." Thesis, Linköpings universitet, Datorteknik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-157619.

Full text
Abstract:
In this bachelor thesis, timestamps were extracted, from a forensic perspective, from a home automation system with the control unit Homey from Athom. First, a fictitious scenario was constructed involving a burglary of an apartment with a home automation system. The home automation system consisted of several peripheral units that used different wireless network protocols. The units were triggered during the scenario. Different methods were then tested to extract data in the form of timestamps. The methods tested were the REST API, UART and chip-off on the flash memory; JTAG was not tested due to lack of time. The method that gave the best results was the REST API, which made it possible to extract all timestamps as well as information about all units. All timestamps were found in the flash memory, but it was not possible to link these timestamps to a specific unit without using information from the REST API. Although the REST API gave the best results, it was also the method with the most prerequisites, such as credentials or a rooted mobile phone. Using the extracted timestamps, the course of events of the break-in was then reconstructed.
49

CHANG-YUNG-CHUN and 張詠竣. "Evidence Investigations against Anti-forensics in Memory Analysis." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/2668j7.

50

(8083268), Rohit Bhatia. "On Cyber-Physical Forensics, Attacks, and Defenses." Thesis, 2019.

Abstract:
Cyber-physical systems, through various sensors and actuators, are used to handle interactions of the cyber-world with the physical-world. Conventionally, the temporal component of the physical-world has been used only for estimating real-time deadlines and responsiveness of control-loop algorithms. However, there are various other applications where the relationship of the temporal component and the cyber-world is of interest. An example is the ability to reconstruct a sequence of past temporal activities from the current state of the cyber-world, which is of obvious interest to cyber-forensic investigators. Another example is the ability to control the temporal components in broadcast communication networks, which leads to new attack and defense capabilities. These relationships have not been explored traditionally.

To address this gap, this dissertation proposes three systems that cast light on the effect of the temporal component of the physical-world on the cyber-world. First, we present Timeliner, a smartphone cyber-forensics technique that recovers past actions from a single static memory image. Following that, we present work on CAN (Controller Area Network), a broadcast communication network used in automotive applications. We show in DUET that the ability to control communication temporally allows two compromised ECUs, an attacker and an accomplice, to stealthily suppress and impersonate a victim ECU, even in the presence of a voltage-based intrusion detection system. In CANDID, we show that the ability to temporally control CAN communication opens up new defensive capabilities that make the CAN much more secure.

The evaluation results show that Timeliner is very accurate and can reveal past evidence (up to an hour) of user actions across various applications on Android devices. The results also show that DUET is highly effective at impersonating victim ECUs while evading both message-based and voltage-based intrusion detection systems, irrespective of the features and the training algorithms used. Finally, CANDID is able to provide new defensive capabilities to CAN environments with reasonable communication and computational overheads.
