New Programs Collect Computer, Phone Evidence in Real Time

Forensic evidence from a smart phone or a computer might be critical to solving a crime.

February 06, 2014

But most of the time, it takes months for a hard drive or phone to be analyzed.

That’s why Ibrahim Baggili, an assistant professor computer science in the Tagliatela College of Engineering at the University of New Haven, has been developing programs that will allow analysis of both computer hard drives and phones in real time or at the scene of the crime.

In two research studies he recently presented at the Systematic Approaches for Digital Forensic Engineering (SADFE) conference in Hong Kong, he and his colleagues demonstrated that evidence collection can be done on both smart phones and computers in real time.

"The ‘Tunnel of History’ project is an important addition to the exhibits already featured in the Lee Institute of Forensic Science," said President Steven Kaplan.

"We are proposing that not all the forensics stages have to be done post-mortem," he said. "We should be focusing on real time forensics – where data is being collected from the system in real time. Of course, this works best in work environments where the company owns the data. It cannot be used without a court order on home computers because it could violate people’s rights to privacy."

Collecting the evidence in real time would eliminate the long delays investigators traditionally face. In digital forensics, after an incident happens, a computer is typically taken to a forensic laboratory, where the hard drive is extracted, cloned, and then analyzed. Often there is a backlog of cases, and police become frustrated waiting for evidence.

"What we are proposing instead is that an agent can be installed on a computer or computer system that collects forensically important digital evidence," Baggili said. "This means that an analysis can be done in real time."

Using Baggili’s method, investigators could see, for example, when someone opens up a web browser and could view the pages the user visits. The action would be recorded, along with the date and time. If a person modifies, deletes or updates a file, those items are recorded as well.

"This can help us in building a data set and testing it to identify weaknesses in a system," he said. "We are also thinking futuristically about digital forensics."

Baggili’s research was conducted in conjunction with professors at Zayed University in the United Arab Emirates, where he worked before joining UNH last fall. He presented his findings at a recent conference hosted by the University of Hong Kong.

The research was conducted using a tool the professors and a master’s student built called Computer Activity Timeline record (CAT) on a Windows computer system as actions were taking place on a system. The CAT record was stress tested in three scenarios using an automated program that was written to test the accuracy of the agent and its memory consumption on Windows XP and Windows 7.

Overall, the results indicated that the amount of recorded data varied between Windows XP and Windows 7 and that the CAT Record, on average, did not consume more than 42,876 KB of memory per second during its operation under extremely stressful tests, Baggili said. The proceedings of this research should shortly be available from the Institute of Electronic and Electrical Engineers (IEEE).

Baggili and his colleagues are working now to refine the research.

In an unrelated study, Baggili and his colleagues from the UAE looked at a program called ChatON instant messaging. This could analyze phone data in real time.

Since instant messaging is one of the most used applications across all digital devices – and because it is an especially popular feature on smartphones – learning to analyze it is important, Baggili says.

"There are almost as many mobile phones as people in this world," he said. "So investigating the digital evidence from applications on mobile phones is important. This information, which is known as forensic artifacts, can help solve a case."

Their study looked at the digital artifacts left by Samsung’s ChatON IM application, which is a multi-platform IM application, and forensic images of a Samsung Galaxy Note device running Android 4.1 and an iPhone running iOS 6.

The research resulted in a map of the digital evidence left by ChatON on the mobile devices. "We believe this will assist digital forensics practitioners and researchers in the process of locating and recovering digital evidence from ChatON," he said.

Baggili also has a paper accepted at IFIP – a highly regarded peer reviewed conference, hosted by the Vienna University of Technology. Baggili and other researchers joined forces with a company, Cryptic in the United Kingdom, to build a system called Forensics2020 capable of triaging computer systems.

The system resides on a USB stick and can be plugged into any computer.

"Even if the system is password protected," Baggili said, "we can still boot from the USB and retrieve all the data from the computer." The paper presented a novel five-phased, multi-threaded bootable approach to digital forensic triage.

The idea, said Baggili, is that investigators can now use this tool to do on-scene investigations as opposed to taking the computer system back to the lab. The system collects all data about all the files on the computer, along with their signatures, and a complete audit of all the .EXE files found.

The technology has many applications in national security – and could be used by traditional investigators or at airports or U.S. borders.

More information about Baggili’s studies is available at http://baggili.weebly.com or at Google Scholar