By Topic

• Abstract

SECTION I

## INTRODUCTION

### D. Analysis

The analysis phase has a twofold objective: (1) verify that the digital evidence produced by the automation on the TS is coherent with the alibi timeline; (2) discover any unwanted evidence left by the automation. In order to accomplish these tasks a digital forensic analysis has been arranged according to the methodology presented in [65]. With respect to a real case, the DFA has full knowledge about methods, procedures and technologies adopted to construct the digital alibi. As a consequence, the analysis may be better targeted. The TS has been implemented as a Virtual Machine (VM) in order to speed-up and simplify the overall analysis procedure. Moreover, the use of a VM allows to create different snapshots of the system in order to analyze differences between the state before and the state after the execution of the automation procedure. The analysis mainly focused on the following aspects.

Operating System and Applications: All the system structures containing information about executed applications (e.g., Registry, Prefetch and Superfetch files, Pagefile, and so on) have been analyzed in order to verify whether the automation produced artifacts. Any evidence being part of the alibi (accesses to websites, creation of documents, etc.) has been also collected in order to reconstruct the alibi timeline.

Timeline: This analysis focused on the identification of all the files accessed or modified during the construction of the alibi in order to detect any relationship with the automation that generated them.

File Content: All the files modified during the alibi timeline have been analyzed in order to find any suspicious trace that may be linked to the execution of the automation.

Low-level search: A set of signatures of the automation has been used to perform a deep low-level scan of the entire hard disk (including allocated and unallocated space) in order to find any possible clue of the automation.

The above activities have been carried out by using the following digital forensic tools. RegRipper2 [66] has been used to analyze the Windows Registry. IECookiesView [67], IEHistoryView [68] and IECacheView [69] have been used to analyze the browser activities. AccessData Forensic Toolkit [70] has been used for the storage media analysis, and in particular the DT Search engine has been adopted to perform the low-level signature search. The Superfetch files have been analyzed by means of SuperFetch Dumper [61]. All the traces revealed by the analysis confirmed the alibi, while no clue about the automation was found.

SECTION VII

## CONCLUSION

This paper presents a methodology to generate a set of digital evidence that could be exploited by a party in a trial in order to claim an alibi. With respect to common anti-forensic techniques, which are typically based on information tampering, our methodology relies on the construction of an automation. The automation is a program able to simulate a series of human activities on a computer at a given time. They include local operations such as document writing and music playing, as well as remote operations such as Web surfing and email sending. Using this approach, it is possible to construct a digital alibi involving trusted-third-parties such as ISPs and companies providing services via Internet. The problem of avoiding or deleting unwanted traces left by the automation is also addressed. Finally, a case study on a target system running Windows 7 is presented in order to show a real application and implementation of the proposed methodology. A computer forensic analysis of the target system has confirmed the alibi and has revealed no unwanted evidence about the presence and execution of the automation. Apart some differences, the same methodology can be extended to any digital device equipped with a modern operating system, such as Android smartphones [71], [72].

This work highlights the need of an evolution in approaching legal cases that involve digital evidence. Digital evidence are circumstantial evidence and should be always considered as part of a larger behavioural pattern, which requires to be reconstructed by means of traditional investigation techniques. To sum up, the plausibility of a digital alibi should be always verified cum grano salis.

### ACKNOWLEDGMENT

The authors would like to thank friends from IISFA (International Information System Forensics Association) for their support, their valuable suggestions and useful discussions during the research phase. In particular to Gerardo Costabile (President of IISFA Italian Chapter), Francesco Cajani (Deputy Public Prosecutor High Tech Crime Unit Court of Law in Milano, Italy), Mattia Epifani and Litiano Piccin of IISFA Italian Chapter.

We would like to thank V.Q.A. Elvira D'Amato (Head of the Centre Against Child Pornography on the Internet, Postal and Communications Police, Italian Ministry of the Interior), Lieutenant Colonel Antonio Colella (cybercriminologist and Italian Army Officier) and Moti Yung (Google Inc. and Columbia University) for their worthy advices and support.

A special thank goes to Mario Ianulardo, Computer Crime Lawyer (Naples, Italy) for the endless and interesting discussions on the probative value of a false digital alibi.

## Footnotes

A. Castiglione, G. Cattaneo, G. De Maio and A. De Santis are with the Department of Computer Science, University of Salerno, Via Ponte don Melillo, Fisciano I-84084, Italy

Corresponding author: A. Castiglione (castiglione@ieee.org)

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

## References

No Data Available

## Cited By

No Data Available

None

## Multimedia

No Data Available
This paper appears in:
No Data Available
Issue Date:
No Data Available
On page(s):
No Data Available
ISSN:
None
INSPEC Accession Number:
None
Digital Object Identifier:
None
Date of Current Version:
No Data Available
Date of Original Publication:
No Data Available

Comment Policy