Publications - Dr. Bradley Schatz
Peer Reviewed Academic Publications
Book Chapter: Conducting Digital Investigations
Casey, Eoghan; Schatz, Bradley (2011) Digital Evidence and Computer Crime (3rd ed.), Academic Press.
Keywords: Digital evidence, Methodology
Hash based imaging using AFF4
Cohen, Michael; Schatz, Bradley (2010) Proceedings of the 2010 Digital Forensics Research Workshop, Portland, Oregon.
Keywords: Digital evidence, Evidence containers, Representation, Forensic File Format, AFF4
Description
Forensic imaging has been facing scalability challenges for some time. As disk capacity growth continues to outpace storage IO bandwidth, the demands placed on storage and time are ever increasing. Data reduction and de-duplication technologies are now commonplace in the Enterprise space, and are potentially applicable to forensic acquisition. Using the new AFF4 forensic file format we employ a hash based compression scheme to leverage an existing corpus of images, reducing both acquisition time and storage requirements. This paper additionally describes some of the recent evolution in the AFF4 file format making the efficient implementation of hash based imaging a reality.
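To make the hash based scheme concrete, here is an added illustration (not code from the paper and not the AFF4 implementation) of block-level hash based imaging: each block of the source is hashed, a block whose hash is already in a shared corpus is stored as a reference only, and the image is verified against a whole-stream hash when it is reconstructed. The 4 KiB block size, SHA-256 and the in-memory dict standing in for the corpus are assumptions; the two "devices" are constructed sample data.

```python
"""Hash-based (de-duplicating) disk imaging, illustrated in miniature.

Added example, not code from the paper or from the AFF4 project. The block
size, SHA-256, and an in-memory dict standing in for the shared image corpus
are assumptions chosen for illustration.
"""
import hashlib
from dataclasses import dataclass, field

BLOCK_SIZE = 4096  # assumed chunk size; real implementations pick their own


def block_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class HashImage:
    """An image stored as an ordered list of block hashes plus only those
    blocks that were not already present in the shared corpus."""
    block_hashes: list = field(default_factory=list)
    new_blocks: dict = field(default_factory=dict)
    image_hash: str = ""  # hash of the full bit-stream, kept for verification


def acquire(device: bytes, corpus: dict, block_size: int = BLOCK_SIZE) -> HashImage:
    """Read the device block by block. A block whose hash is already in the
    corpus is stored as a reference only; an unknown block is stored in the
    image and added to the corpus so later acquisitions can reference it."""
    img = HashImage()
    whole = hashlib.sha256()
    for off in range(0, len(device), block_size):
        blk = device[off:off + block_size]
        whole.update(blk)
        h = block_hash(blk)
        img.block_hashes.append(h)
        if h not in corpus:
            corpus[h] = blk
            img.new_blocks[h] = blk
    img.image_hash = whole.hexdigest()
    return img


def reconstruct(img: HashImage, corpus: dict) -> bytes:
    """Rebuild the bit-stream from references and verify it against the
    whole-image hash. A hash-based image is only usable as evidence if it
    reproduces the original bits exactly, so every failure raises."""
    out = bytearray()
    for h in img.block_hashes:
        blk = img.new_blocks.get(h, corpus.get(h))
        if blk is None:
            raise ValueError(f"block {h[:12]}... referenced but absent from corpus")
        if block_hash(blk) != h:
            raise ValueError(f"corpus block {h[:12]}... does not match its hash")
        out += blk
    if hashlib.sha256(out).hexdigest() != img.image_hash:
        raise ValueError("reconstructed image does not match acquisition hash")
    return bytes(out)


def stored_fraction(img: HashImage) -> float:
    """Fraction of blocks that actually had to be written for this image."""
    return len(img.new_blocks) / len(img.block_hashes)


def _filler(i: int) -> bytes:
    # Deterministic, non-repeating block content (constructed sample data).
    return hashlib.sha256(i.to_bytes(4, "big")).digest() * (BLOCK_SIZE // 32)


def demo() -> tuple:
    """Two constructed 'devices' built from the same base install; the second
    differs in two blocks. Returns the stored fraction for each acquisition."""
    base_blocks = [_filler(i) for i in range(8)]
    device_a = b"".join(base_blocks)
    modified = list(base_blocks)
    modified[2] = _filler(100)
    modified[5] = _filler(101)
    device_b = b"".join(modified)

    corpus = {}  # shared corpus of already-seen blocks, initially empty
    img_a = acquire(device_a, corpus)
    img_b = acquire(device_b, corpus)

    assert reconstruct(img_a, corpus) == device_a
    assert reconstruct(img_b, corpus) == device_b
    return stored_fraction(img_a), stored_fraction(img_b)


if __name__ == "__main__":
    print(demo())  # (1.0, 0.25): the second image stored only 2 of 8 blocks
```

The first acquisition writes all eight blocks; the second, sharing six with it, writes only the two that differ. The reconstruction check is the part that matters for evidence: a referenced block that is missing from or altered in the corpus is an image that cannot be reproduced, which is why the whole-image hash is kept alongside the per-block hashes.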
Refining the AFF4 evidence container for provenance and accurate data representation
Schatz, Bradley; Cohen, Michael (2010) Advances in Digital Forensics VI, G. Peterson and S. Shenoi (Eds.), Springer, 2010. (Proceedings: Sixth Annual IFIP WG 11.9 International Conference), Hong Kong, China.
Keywords: Digital evidence, Evidence containers, Representation, Forensic File Format
Description
It is well acknowledged that there is a pressing need for a general solution to the problem of storage of
digital evidence, both in terms of copied bit-stream images and general information which describes the
images and surrounding context of the case. In a prior paper, the authors introduced the AFF4
evidence container format, focusing in particular on the description of the efficient and layered bitstream
storage architecture, a general approach to representing arbitrary information, and a compositional
approach to managing and sharing evidence. In this paper we describe our work refining the
representation schemes embodied in the new format, addressing the accurate representation of
discontiguous data and description of the provenance of both data and information.
Extending the Advanced Forensic Format to accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow
Cohen, Michael; Garfinkel, Simson; Schatz, Bradley (2009) Proceedings of the Digital Forensics Research Workshop 2009, Montreal, Canada.
Keywords: Digital evidence, Evidence containers, Representation, Forensic File Format
Description
Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible evolutionary redesign of the Advanced Forensic Format—an open, extensible file format for storing and sharing of evidence, arbitrary case related information and analysis results among different tools. The new specification was designed to be simple to implement, allowing the use of the well supported Zip File format specifications for bit level file access.
Digital evidence: representation and assurance
Schatz, Bradley (2007) Ph.D. thesis, Queensland University of Technology, Brisbane.
Keywords: Digital evidence, Computer based electronic evidence, Digital forensics, Computer forensics, Forensic computing, Evidence provenance, Evidence representation, Knowledge representation
Description
The field of digital forensics is concerned with finding and presenting evidence sourced from digital devices, such as computers and mobile phones. The complexity of such digital evidence is constantly increasing, as is the volume of data which might contain evidence. Current approaches to interpreting and assuring digital evidence rely implicitly on the use of tools and representations made by experts in addressing the concerns of juries and courts. Current forensics tools are best characterised as not easily verifiable, lacking in ease of interoperability, and burdensome on human process.
The tool-centric focus of current digital forensics practice impedes access to and transparency of the information represented within digital evidence as much as it assists, by nature of the tight binding between a particular tool and the information that it conveys. We hypothesise that a general and formal representational approach will benefit digital forensics by enabling higher degrees of machine interpretation, facilitating improvements in tool interoperability and validation. Additionally, such an approach will increase human readability.
This dissertation summarises research which examines at a fundamental level the nature of digital evidence and digital investigation, in order that improved techniques which address investigation efficiency and assurance of evidence might be identified. The work follows three themes related to this: representation, analysis techniques, and information assurance.
The first set of results describes the application of a general purpose representational formalism towards representing diverse information implicit in event based evidence, as well as domain knowledge, and investigator hypotheses. This representational approach is used as the foundation of a novel analysis technique which uses a knowledge based approach to correlate related events into higher level events, which correspond to situations of forensic interest.
The second set of results explores how digital forensic acquisition tools scale and interoperate, while assuring evidence quality. An improved architecture is proposed for storing digital evidence, analysis results and investigation documentation in a manner that supports arbitrary composition into a larger corpus of evidence.
The final set of results focuses on assuring the reliability of evidence. In particular, these results focus on assuring that timestamps, which are pervasive in digital evidence, can be reliably interpreted to a real world time. Empirical results are presented which demonstrate how simple assumptions cannot be made about computer clock behaviour. A novel analysis technique for inferring the temporal behaviour of a computer clock is proposed and evaluated.
BodySnatcher: towards reliable volatile memory acquisition by software
Schatz, Bradley (2007) Digital Investigation, 4 (Supplement 1), pp. 126-134. Proceedings of the 2007 Digital Forensics Research Workshop, Pittsburgh, PA.
Keywords: Volatile memory forensics, Memory forensics, Memory acquisition, Memory imaging, Computer forensics
Description
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring the contents of volatile memory from arbitrary operating systems in a manner that provides point in time atomic snapshots of the host OS volatile memory. Additionally the method is more resistant to subversion due to its reduced attack surface. Our method is to inject an independent, acquisition specific OS into the potentially subverted host OS kernel, snatching full control of the host's hardware. We describe an implementation of this proposal, which we call BodySnatcher, which has demonstrated proof of concept by acquiring memory from Windows 2000 operating systems.
A correlation method for establishing provenance of timestamps in digital evidence
Schatz, Bradley; Mohay, George; Clark, Andrew (2006) Digital Investigation, 3 (Supplement 1), pp. 89-107. Proceedings of the 2006 Digital Forensics Research Workshop, West Lafayette, Indiana.
Keywords: Computer forensics, Digital forensics, Digital evidence, Event correlation, Reverse engineering, Timestamp interpretation, Temporal provenance
Description
Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer generated timestamps for correlating events is complicated by uncertainty as to clock skew and drift, environmental factors such as location and local time zone offsets, as well as human factors such as clock tampering. Establishing that a particular computer's temporal behaviour was consistent during its operation remains a challenge. The contributions of this paper are both a description of assumptions commonly made regarding the behaviour of clocks in computers, and empirical results demonstrating that real world behaviour diverges from the idealised or assumed behaviour. We present an approach for inferring the temporal behaviour of a particular computer over a range of time by correlating commonly available local machine timestamps with another source of timestamps. We show that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records.
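As an added illustration of the correlation approach (not the paper's code), the block below pairs the local file-system timestamp of each cached browser object with the HTTP Date header the server sent, fits the local-minus-reference offset over each run of records, and treats a jump in offset that drift cannot explain as a clock reset. Given the fitted model it also maps a local timestamp back to candidate real-world times; after a set-back one local value can fall inside two segments and is genuinely ambiguous. The record format, the 300 s jump threshold and the seven sample records are constructed assumptions.

```python
"""Inferring a computer's clock behaviour from browser cache records.

Added example, not the paper's code. Each constructed record pairs the local
file-system timestamp of a cached object (what the machine's clock said) with
the HTTP Date header the server sent (an independent reference clock). Records
are sorted by reference time, the offset series is split at jumps larger than
drift could explain (assumed threshold: 300 s), and a straight line is fitted
to each run. The record format and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

DAY = 86400.0
BASE = datetime(2009, 6, 1, tzinfo=timezone.utc)  # constructed epoch for the sample


def at(days, seconds=0):
    """Reference time `days` and `seconds` after BASE (helper for sample data)."""
    return BASE + timedelta(days=days, seconds=seconds)


@dataclass
class CacheRecord:
    local_mtime: datetime  # file-system timestamp written by the suspect machine
    http_date: str         # 'Date:' header stored with the cached response


@dataclass
class ClockSegment:
    start: datetime        # reference-time range over which this model was observed
    end: datetime
    offset_s: float        # local clock minus reference clock at `start`
    drift_s_per_day: float

    def local_to_reference(self, local: datetime):
        """Invert local = ref + offset + drift*(ref-start)/DAY. Returns None when
        the result lies outside the observed range: the fit says nothing about
        the clock before or after what was actually observed."""
        rate = 1.0 + self.drift_s_per_day / DAY
        since_start = ((local - self.start).total_seconds() - self.offset_s) / rate
        ref = self.start + timedelta(seconds=since_start)
        return ref if self.start <= ref <= self.end else None


def offsets(records):
    """(reference time, local minus reference in seconds), sorted by reference."""
    pts = []
    for r in records:
        ref = parsedate_to_datetime(r.http_date)
        pts.append((ref, (r.local_mtime - ref).total_seconds()))
    return sorted(pts, key=lambda p: p[0])


def _fit(points):
    """Least-squares line of offset against days since the first point."""
    t0 = points[0][0]
    xs = [(t - t0).total_seconds() / DAY for t, _ in points]
    ys = [o for _, o in points]
    n = len(xs)
    if n == 1:
        return ys[0], 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    return my - slope * mx, slope


def characterise(records, jump_threshold_s=300.0):
    """Split the offset series at resets and fit one ClockSegment per run."""
    pts = offsets(records)
    runs, cur = [], [pts[0]]
    for prev, p in zip(pts, pts[1:]):
        if abs(p[1] - prev[1]) > jump_threshold_s:
            runs.append(cur)
            cur = []
        cur.append(p)
    runs.append(cur)
    segs = []
    for run in runs:
        intercept, slope = _fit(run)
        segs.append(ClockSegment(run[0][0], run[-1][0], intercept, slope))
    return segs


def candidates(local: datetime, segments):
    """Every reference time a local timestamp could correspond to. After a clock
    set-back the local ranges of two segments overlap, so one local value may
    legitimately map to more than one real-world time."""
    found = []
    for s in segments:
        ref = s.local_to_reference(local)
        if ref is not None:
            found.append(ref)
    return found


def sample_records():
    """Constructed data: four days of a clock running 120 s fast and gaining
    2 s/day, then a set-back of two days followed by the same drift."""
    offs = [120, 122, 124, 126, -2 * DAY, -2 * DAY + 2, -2 * DAY + 4]
    return [CacheRecord(at(day, off), format_datetime(at(day), usegmt=True))
            for day, off in enumerate(offs)]


if __name__ == "__main__":
    for seg in characterise(sample_records()):
        print(f"{seg.start:%Y-%m-%d} .. {seg.end:%Y-%m-%d}: offset {seg.offset_s:+.0f} s, "
              f"drift {seg.drift_s_per_day:+.1f} s/day")
```

Run on the sample, the first four records fit as +120 s with +2 s/day drift and the last three as a separate segment two days behind, so the reset is recovered rather than averaged away. A local timestamp of day 2 plus 124 s then yields two candidate reference times, one in each segment, which is the practical reason the fitted model is only applied within the range over which the clock was observed.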
An open architecture for digital evidence integration
Schatz, Bradley; Clark, Andrew (2006) Proceedings of the AusCERT (Australian Computer Emergency Response Team) 2006 Conference, Gold Coast, Australia.
Keywords: Computer forensics, Digital evidence, Evidence containers, Evidence integration, Digital evidence bags, Tool interoperability
Description
Recently the need for "digital evidence bags" - a common storage format for digital
evidence - has been identified as a key requirement for enabling inter-organisational
sharing of digital evidence, and interoperability between forensic analysis tools. Recent
work has described an ontology based approach to correlation of event log based evidence,
using semantic web technologies for describing and representing event log based digital
evidence. In this paper we apply the representational approach to the integration of
metadata related to digital evidence, and propose a globally unique identification scheme
for digital evidence and related metadata. We relate the representational approach to the
digital evidence bags concept identifying a number of shortcomings. We propose an
alternative architecture for digital evidence bags, which we call the sealed digital evidence
bags architecture. This approach treats bags as immutable objects, and facilitates the
building of a corpus of digital evidence by composition and referencing between evidence
bags. This architecture facilitates modular forensic tool development and interoperability
between forensics tools.
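The immutable, reference-composed container that this entry and the AFF4 papers above describe can be illustrated with a small added example (not the paper's code and not the AFF4 format): a bag is frozen once sealed, its identifier is derived from a canonical serialisation so that the identifier doubles as an integrity check, and a case bag composes an image bag and an analysis bag by reference rather than by copying their bytes. Deriving the identifier from content is an assumption standing in for the paper's identification scheme; the three bags are constructed sample data.

```python
"""Sealed (immutable) evidence bags composed by reference.

Added example, not the paper's code or the AFF4 format. Here a bag's globally
unique identifier is the SHA-256 of its canonical serialisation; that is an
assumption standing in for whatever identification scheme the paper proposes.
Because a sealed bag cannot change, the identifier also serves as an integrity
check, and larger bags (a case file) are built by referencing other bags' ids.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Bag:
    kind: str                                    # e.g. "disk-image", "analysis", "case"
    payload: bytes                               # evidence bytes or a result document
    metadata: Tuple[Tuple[str, str], ...] = ()   # ordered key/value pairs
    references: Tuple[str, ...] = ()             # ids of bags this one composes

    def serialise(self) -> bytes:
        """Canonical form: metadata sorted and the payload represented by its
        hash, so the id does not depend on ordering or on embedding the bytes."""
        doc = {
            "kind": self.kind,
            "payload_sha256": hashlib.sha256(self.payload).hexdigest(),
            "metadata": sorted(self.metadata),
            "references": list(self.references),
        }
        return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

    @property
    def bag_id(self) -> str:
        return "sha256:" + hashlib.sha256(self.serialise()).hexdigest()


def seal(corpus: Dict[str, Bag], bag: Bag) -> str:
    """Add a bag to the corpus under its id. Refuses dangling references, so the
    corpus only grows from bags whose dependencies are already sealed."""
    missing = [r for r in bag.references if r not in corpus]
    if missing:
        raise ValueError(f"unresolved references: {missing}")
    corpus[bag.bag_id] = bag
    return bag.bag_id


def verify(corpus: Dict[str, Bag]) -> List[str]:
    """Problems found: ids that no longer match their content (tampering or
    corruption) and references that do not resolve."""
    problems = []
    for bid, bag in corpus.items():
        if bag.bag_id != bid:
            problems.append(f"{bid[:19]}... content does not match its id")
        for r in bag.references:
            if r not in corpus:
                problems.append(f"{bid[:19]}... references missing bag {r[:19]}...")
    return problems


def closure(corpus: Dict[str, Bag], root: str) -> List[str]:
    """Every bag id reachable from `root`: what another examiner must be given
    to reproduce the case, without duplicating bytes already held elsewhere."""
    seen, stack = [], [root]
    while stack:
        bid = stack.pop()
        if bid in seen:
            continue
        seen.append(bid)
        stack.extend(corpus[bid].references)
    return seen


def demo() -> Tuple[int, List[str]]:
    """Constructed corpus: one disk image, one analysis result referencing it,
    one case bag referencing both. Returns the size of the case closure and the
    problems reported after the image bag's bytes are silently altered."""
    corpus: Dict[str, Bag] = {}
    image_id = seal(corpus, Bag("disk-image", b"\x00" * 512,
                                (("acquired_by", "examiner-1"),)))
    analysis_id = seal(corpus, Bag("analysis", b'{"files_found": 3}', (),
                                   (image_id,)))
    case_id = seal(corpus, Bag("case", b"", (("case", "2010-0001"),),
                               (image_id, analysis_id)))
    assert verify(corpus) == []
    reachable = closure(corpus, case_id)
    # Simulate corruption: same id in the corpus, different bytes behind it.
    corpus[image_id] = Bag("disk-image", b"\x00" * 511 + b"\x01",
                           (("acquired_by", "examiner-1"),))
    return len(reachable), verify(corpus)


if __name__ == "__main__":
    print(demo())  # (3, ['sha256:... content does not match its id'])
```

Sealing refuses a bag whose references do not resolve, so a corpus can only be assembled bottom-up, and verification flags any bag whose bytes no longer produce its id. The closure of the case bag lists three ids, yet the image bytes exist once: composition by reference is what lets tools exchange results without re-copying evidence.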
Framework for Detecting Network-Based Code Injection Attacks Targeting Windows and UNIX
Andersson, Stig; Clark, Andrew; Mohay, George; Schatz, Bradley; Zimmermann, Jacob (2005) Proceedings of the Twenty-first Annual Computer Security Applications Conference, pp. 41-50. IEEE Computer Society, December 2005. ISBN: 0-7695-2461-3.
Keywords: Network intrusion detection, code injection attacks
Description
Code injection vulnerabilities continue to prevail. Attacks of this kind, such as stack buffer overflows and heap buffer overflows, account for roughly half of the vulnerabilities discovered in software every year. The research presented in this paper extends earlier work in the area of code injection attack detection in UNIX environments. It presents a framework for detecting new or previously unseen code injection attacks in a heterogeneous networking environment and compares code injection attack and detection strategies used in the UNIX and Windows environments. The approach presented is capable of detecting both obfuscated and clear text attacks, and is suitable for implementation in the Windows environment. A prototype intrusion detection system (IDS) capable of detecting code injection attacks, both clear text attacks and obfuscated attacks, which targets Windows systems is presented.
Generalising Event Correlation Across Multiple Domains
Schatz, Bradley; Mohay, George; Clark, Andrew (2005) Journal of Information Warfare, 4(1), pp. 69-79.
Generalising Event Forensics Across Multiple Domains
Schatz, Bradley; Mohay, George; Clark, Andrew (2004) Proceedings of the 2004 Australian Computer Network and Information Forensics Conference (ACNIFC 2004), Perth, Australia.
Keywords: Computer Forensics, Event Correlation, Modelling of IT Security, Semantic Forensics, Automated reasoning, Knowledge representation
Description
In cases involving computer related crime, event oriented evidence such as computer event logs, and telephone
call records are coming under increased scrutiny. The amount of technical knowledge required to manually
interpret event logs encompasses multiple domains of expertise, ranging from computer networking to forensic
accounting. Automated methods of classifying events and patterns of events into higher level terminology and
vocabulary hold promise for assisting investigators to cope with voluminous, low-level event oriented
evidence. In a previous paper, we showed that the semantic web language OWL was an effective means of
representing domain-specific event based knowledge, and when combined with a rule language, was sufficient
to apply standard correlation techniques to the task of automated forensic investigation. We also described a
prototype implementation of this approach, called FORE. In this paper, we demonstrate that the approach can
be extended to be rapidly applied to events sourced from new domains, enabling cross-domain correlation, and
that the new approach will accommodate standardised component ontologies which model the separate
domains under consideration.
Rich Event Representation for Computer Forensics
Schatz, Bradley; Mohay, George; Clark, Andrew (2004) Proceedings of the 2004 Asia Pacific Industrial Engineering and Management Systems Conference (APIEMS 2004), Gold Coast, Australia.
Keywords: Computer Forensics, Event Correlation, Modelling of IT Security, Semantic Forensics, Automated reasoning, Knowledge representation
Description
Recent advances in computer internetworking and continued increases in Internet usage have
been accompanied by a continued increase in the incidence of computer related crime. At the
same time, the number of sources of potential evidence in any particular computer forensic
investigation has grown considerably, as evidence of the occurrence of relevant events can
potentially be drawn not only from multiple computers, networks, and electronic systems but
also from disparate personal, organizational, and governmental contexts. Potentially, this
leads to significant improvements in forensic outcomes but is accompanied by an increase in
both the complexity and scale of event information. In order for forensic investigators to
effectively investigate this mass of data, semantically strong representational models and
automated methods of correlating such event data are becoming a necessity. The contribution
of the work described in this paper is the automated detection of a computer forensic scenario,
based upon facts automatically derived from digital event logs. We present an expert systems
based approach that has the ability to manage the scalability and semantic issues arising in
such inter-domain forensics, using an extensible, semantic domain model specified using the
Web Ontology Language (OWL). We have developed a prototype system, Forensics of Rich
Events (FORE), which supports investigation of heterogeneous event data using a novel form
of manipulation of hypothetical knowledge, while supporting the application of standard rule
and signature based event correlation techniques. We demonstrate proof of concept of our
approach by applying the prototype we have developed to a test case scenario that
demonstrates the flexibility of the approach in a single domain context.
Unrefereed Publications
Forged Email: Lessons learned from the OzCar scandal
Schatz, Bradley (2009) Hearsay: The Journal of the Bar Association of Queensland, Brisbane.
Keywords: Email forgery, Email authentication
Description
By now, all but the most naïve of us are immune to the promises of Nigerian riches and the disquieting urges to action from banks which find their way into our email inboxes. Fraudulent emails barely rate any action or consideration beyond that needed to delete them from our inbox. Why then was the leader of the Australian opposition, and one of Australia’s most senior lawyers besides, tripped up by a forged email?
Digital Evidence: A Fundamental Shift in the Nature of Information
Schatz, Bradley (2007) Hearsay: The Journal of the Bar Association of Queensland, Brisbane.
Keywords: Digital evidence, Computer evidence, Digital forensics, Computer forensics
Description
The arrival of the internet in the public's eye in the late 1990s was heralded as an event as revolutionary as the invention of Gutenberg's press. A decade later, the true effects of digital technologies on communications, publishing, and commerce are only beginning to be appreciated. News reports of novel evidential sources are appearing: records of Google searches used to establish premeditation in murder trials, car air bag sensor data presented as a digital eyewitness in prosecuting unsafe driving.
While the occurrence of cyber-crime and the employment of computer forensics have increased substantially in this time, this revolution has largely bypassed the practice of law. This is due in part to the unique technical difficulties in presenting in court evidence sourced from digital devices, so called digital evidence.