Publications - Dr. Bradley Schatz

Peer Reviewed Academic Publications

Book Chapter: Conducting Digital Investigations

Casey, Eoghan; Schatz, Bradley (2011) Digital Evidence and Computer Crime (3rd ed) Academic Press

Keywords: Digital evidence, Methodology

Hash based imaging using AFF4

Cohen, Michael; Schatz, Bradley (2010) Digital Forensics Research Workshop Portland, Oregon.

Keywords: Digital evidence, Evidence containers, Representation, Forensic File Format, AFF4

Description
Forensic imaging has been facing scalability challenges for some time. As disk capacity growth continues to outpace storage IO bandwidth, the demands placed on storage and time are ever increasing. Data reduction and de-duplication technologies are now commonplace in the Enterprise space, and are potentially applicable to forensic acquisition. Using the new AFF4 forensic file format we employ a hash based compression scheme to leverage an existing corpus of images, reducing both acquisition time and storage requirements. This paper additionally describes some of the recent evolution in the AFF4 file format making the efficient implementation of hash based imaging a reality.

Refining the AFF4 evidence container for provenance and accurate data representation

Schatz, Bradley; Cohen, Michael (2010) Advances in Digital Forensics VI, G. Peterson and S. Shenoi (Eds.), Springer, 2010. (Proceedings: Fifth Annual IFIP WG 11.9 International Conference), Hong Kong, China.

Keywords: Digital evidence, Evidence containers, Representation, Forensic File Format

Description
It is well acknowledged that there is a pressing need for a general solution to the problem of storage of digital evidence, both in terms of copied bit-stream images and general information which describes the images and surrounding context of the case. In a prior paper, the authors introduced the AFF4 evidence container format, focusing in particular on the description of the efficient and layered bitstream storage architecture, a general approach to representing arbitrary information, and a compositional approach to managing and sharing evidence. In this paper we describe our work refining the representation schemes embodied in the new format, addressing the accurate representation of discontiguous data and description of the provenance of both data and information.

Extending the Advanced Forensic Format to accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow

Cohen, Michael; Garfinkel, Simson; Schatz, Bradley (2009) Proceedings of the Digital Forensics Research Workshop 2009, Montreal, Canada.

Keywords: Digital evidence, Evidence containers, Representation, Forensic File Format

Description
Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible evolutionary redesign of the Advanced Forensic Format—an open, extensible file format for storing and sharing of evidence, arbitrary case related information and analysis results among different tools. The new specification was designed to be simple to implement, allowing the use of the well supported Zip File format specifications for bit level file access.

Digital evidence: representation and assurance

Schatz, Bradley (2007) Ph.D. thesis, Queensland University of Technology, Brisbane.

Keywords: Digital evidence, Computer based electronic evidence, Digital forensics, Computer forensics, Forensic computing, Evidence provenance, Evidence representation, Knowledge representation

Description
The field of digital forensics is concerned with finding and presenting evidence sourced from digital devices, such as computers and mobile phones. The complexity of such digital evidence is constantly increasing, as is the volume of data which might contain evidence. Current approaches to interpreting and assuring digital evidence rely implicitly on the use of tools and representations made by experts in addressing the concerns of juries and courts. Current forensics tools are best characterised as not easily verifiable, lacking in ease of interoperability, and burdensome on human process. The tool-centric focus of current digital forensics practice impedes access to and transparency of the information represented within digital evidence as much as it assists, by nature of the tight binding between a particular tool and the information that it conveys. We hypothesise that a general and formal representational approach will benefit digital forensics by enabling higher degrees of machine interpretation, facilitating improvements in tool interoperability and validation. Additionally, such an approach will increase human readability. This dissertation summarises research which examines at a fundamental level the nature of digital evidence and digital investigation, in order that improved techniques which address investigation efficiency and assurance of evidence might be identified. The work follows three themes related to this: representation, analysis techniques, and information assurance. The first set of results describes the application of a general purpose representational formalism towards representing diverse information implicit in event based evidence, as well as domain knowledge, and investigator hypotheses. This representational approach is used as the foundation of a novel analysis technique which uses a knowledge based approach to correlate related events into higher level events, which correspond to situations of forensic interest.
The second set of results explores how digital forensic acquisition tools scale and interoperate, while assuring evidence quality. An improved architecture is proposed for storing digital evidence, analysis results and investigation documentation in a manner that supports arbitrary composition into a larger corpus of evidence. The final set of results focus on assuring the reliability of evidence. In particular, these results focus on assuring that timestamps, which are pervasive in digital evidence, can be reliably interpreted to a real world time. Empirical results are presented which demonstrate how simple assumptions cannot be made about computer clock behaviour. A novel analysis technique for inferring the temporal behaviour of a computer clock is proposed and evaluated.

BodySnatcher: towards reliable volatile memory acquisition by software

Schatz, Bradley (2007) Digital Investigation, 4 (Supplement 1), pp. 126-134. 2007 Digital Forensics Research Workshop, Pittsburgh, PA.

Keywords: Volatile memory forensics, Memory forensics, Memory acquisition, Memory imaging, Computer forensics

Description
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring the contents of volatile memory from arbitrary operating systems in a manner that provides point in time atomic snapshots of the host OS volatile memory. Additionally the method is more resistant to subversion due to its reduced attack surface. Our method is to inject an independent, acquisition specific OS into the potentially subverted host OS kernel, snatching full control of the host's hardware. We describe an implementation of this proposal, which we call BodySnatcher, which has demonstrated proof of concept by acquiring memory from Windows 2000 operating systems.

A correlation method for establishing provenance of timestamps in digital evidence

Schatz, Bradley; Mohay, George; Clark, Andrew (2006) Digital Investigation, 3 (Supplement 1), pp. 89-107. 2006 Digital Forensics Research Workshop, West Lafayette, Indiana.

Keywords: Computer forensics, Digital forensics, Digital evidence, Event correlation, Reverse engineering, Timestamp interpretation, Temporal provenance

Description
Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer generated timestamps for correlating events is complicated by uncertainty as to clock skew and drift, environmental factors such as location and local time zone offsets, as well as human factors such as clock tampering. Establishing that a particular computer's temporal behaviour was consistent during its operation remains a challenge. The contributions of this paper are both a description of assumptions commonly made regarding the behaviour of clocks in computers, and empirical results demonstrating that real world behaviour diverges from the idealised or assumed behaviour. We present an approach for inferring the temporal behaviour of a particular computer over a range of time by correlating commonly available local machine timestamps with another source of timestamps. We show that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records.

An open architecture for digital evidence integration

Schatz, Bradley; Clark, Andrew (2006) Proceedings of the 2006 Australian Security Response Team Annual Conference (AUSCERT 2006), Gold Coast, Australia.

Keywords: Computer forensics, Digital evidence, Evidence containers, Evidence integration, Digital evidence bags, Tool interoperability

Description
Recently the need for "digital evidence bags" - a common storage format for digital evidence - has been identified as a key requirement for enabling inter-organisational sharing of digital evidence, and interoperability between forensic analysis tools. Recent work has described an ontology based approach to correlation of event log based evidence, using semantic web technologies for describing and representing event log based digital evidence. In this paper we apply the representational approach to the integration of metadata related to digital evidence, and propose a globally unique identification scheme for digital evidence and related metadata. We relate the representational approach to the digital evidence bags concept identifying a number of shortcomings. We propose an alternative architecture for digital evidence bags, which we call the sealed digital evidence bags architecture. This approach treats bags as immutable objects, and facilitates the building of a corpus of digital evidence by composition and referencing between evidence bags. This architecture facilitates modular forensic tool development and interoperability between forensics tools.

Framework for Detecting Network-Based Code Injection Attacks Targeting Windows and UNIX

Andersson, Stig; Clark, Andrew; Mohay, George; Schatz, Bradley; Zimmermann, Jacob (2006) Proceedings of the Twenty-first Annual Computer Security Applications Conference, pp. 41-50. IEEE Computer Society, December 2005. ISBN: 0-7695-2461-3.

Keywords: Network intrusion detection, code injection attacks

Description
Code injection vulnerabilities continue to prevail. Attacks of this kind, such as stack buffer overflows and heap buffer overflows, account for roughly half of the vulnerabilities discovered in software every year. The research presented in this paper extends earlier work in the area of code injection attack detection in UNIX environments. It presents a framework for detecting new or previously unseen code injection attacks in a heterogeneous networking environment and compares code injection attack and detection strategies used in the UNIX and Windows environments. The approach presented is capable of detecting both obfuscated and clear text attacks, and is suitable for implementation in the Windows environment. A prototype intrusion detection system (IDS) capable of detecting code injection attacks targeting Windows systems, both clear text attacks and obfuscated attacks, is presented.

Generalising Event Correlation Across Multiple Domains

Schatz, Bradley; Mohay, George; Clark, Andrew (2005) Journal of Information Warfare, vol. 4, iss. 1, pp. 69-79.

Generalising Event Forensics Across Multiple Domains

Schatz, Bradley; Mohay, George; Clark, Andrew (2004) Proceedings of the 2004 Australian Computer Network and Information Forensics Conference (ACNIFC 2004), Perth, Australia.

Keywords: Computer Forensics, Event Correlation, Modelling of IT Security, Semantic Forensics, Automated reasoning, Knowledge representation

Description
In cases involving computer related crime, event oriented evidence such as computer event logs, and telephone call records are coming under increased scrutiny. The amount of technical knowledge required to manually interpret event logs encompasses multiple domains of expertise, ranging from computer networking to forensic accounting. Automated methods of classifying events and patterns of events into higher level terminology and vocabulary hold promise for assisting investigators to cope with voluminous, low-level event oriented evidence. In a previous paper, we showed that the semantic web language OWL was an effective means of representing domain-specific event based knowledge, and when combined with a rule language, was sufficient to apply standard correlation techniques to the task of automated forensic investigation. We also described a prototype implementation of this approach, called FORE. In this paper, we demonstrate that the approach can be extended to be rapidly applied to events sourced from new domains, enabling cross-domain correlation, and that the new approach will accommodate standardised component ontologies which model the separate domains under consideration.

Rich Event Representation for Computer Forensics

Schatz, Bradley; Mohay, George; Clark, Andrew (2004) Proceedings of the 2004 Asia Pacific Industrial Engineering and Management Systems Conference (APIEMS 2004), Gold Coast, Australia.

Keywords: Computer Forensics, Event Correlation, Modelling of IT Security, Semantic Forensics, Automated reasoning, Knowledge representation

Description
Recent advances in computer internetworking and continued increases in Internet usage have been accompanied by a continued increase in the incidence of computer related crime. At the same time, the number of sources of potential evidence in any particular computer forensic investigation has grown considerably, as evidence of the occurrence of relevant events can potentially be drawn not only from multiple computers, networks, and electronic systems but also from disparate personal, organizational, and governmental contexts. Potentially, this leads to significant improvements in forensic outcomes but is accompanied by an increase in both the complexity and scale of event information. In order for forensic investigators to effectively investigate this mass of data, semantically strong representational models and automated methods of correlating such event data are becoming a necessity. The contribution of the work described in this paper is the automated detection of a computer forensic scenario, based upon facts automatically derived from digital event logs. We present an expert systems based approach that has the ability to manage the scalability and semantic issues arising in such inter-domain forensics, using an extensible, semantic domain model specified using the Web Ontology Language (OWL). We have developed a prototype system, Forensics of Rich Events (FORE), which supports investigation of heterogeneous event data using a novel form of manipulation of hypothetical knowledge, while supporting the application of standard rule and signature based event correlation techniques. We demonstrate proof of concept of our approach by applying the prototype we have developed to a test case scenario that demonstrates the flexibility of the approach in a single domain context.

Unrefereed Publications

Forged Email: Lessons learned from the OzCar scandal

Schatz, Bradley (2009) Hearsay - The Journal of the Bar Association of Queensland, Brisbane.

Keywords: Email forgery, Email authentication

Description
By now, all but the most naïve of us are immune to the promises of Nigerian riches and the disquieting urges to action from banks which find their way into our email inboxes. Fraudulent emails barely rate any action or consideration beyond that needed to delete them from our inbox. Why then was the leader of the Australian opposition, and one of Australia’s most senior lawyers besides, tripped up by a forged email?

Digital Evidence: A Fundamental Shift in the Nature of Information

Schatz, Bradley (2007) Hearsay - The Journal of the Bar Association of Queensland, Brisbane.

Keywords: Digital evidence, Computer evidence, Digital forensics, Computer forensics

Description
The arrival of the internet in the public's eye in the late 1990s was heralded as an event as revolutionary as the invention of Gutenberg's press. A decade later, the true effects of digital technologies on communications, publishing, and commerce are only beginning to be appreciated. News reports of novel evidential sources are appearing: records of Google searches used to establish premeditation in murder trials, car air bag sensor data presented as a digital eyewitness in prosecuting unsafe driving.
While the occurrence of cyber-crime and the employment of computer forensics have increased substantially in this time, this revolution has largely bypassed the practice of law. This is due in part to the unique technical difficulties in presenting in court evidence sourced from digital devices, so called digital evidence.
