The role of computers and portable media devices such as cell phones and GPS devices in criminal activity has increased significantly in recent years. Accordingly, these devices frequently contain vital evidence, including user information, call logs, location information, text messages, emails, images, and audio and video recordings.
In the area of cyber forensics, law enforcement has a significant challenge keeping up with technology advances. New technology—hardware and software—is released into the market at a very rapid pace and used in criminal activity almost immediately. Because the large volume of information contained on digital devices can make the difference in an investigation, law enforcement investigators require updated tools to address the ever-changing technology.
Since its inception in November 2008, the Cyber Forensics Working Group (CFWG) has provided project requirements. Part of S&T’s Cyber Security Division, CFWG is composed of representatives from federal, state and local law enforcement agencies. Members meet biannually to provide requirements, discuss capability gaps and prioritize the areas of most immediate concern to focus technology development. The working group members also participate as test and evaluation partners of newly developed solutions.
Basis Technology: Enabling Law Enforcement with Open Source Digital Forensics Software
Nearly every crime involves digital media and the size and number of devices continues to increase, however many local and state law enforcement agencies budgets are not keeping up. This work builds on a previous S&T effort by the same name which ended in 2016 and helps solve this problem by building law enforcement-focused solutions using free and open-source software.
Mississippi State University: A Supervised Learning Approach for Supplemental Malware Identification in Memory Images
Malware is a threat seen across multiple domains—ranging from the home user to government. Despite the availability of specialized tools, the process of finding malware in a memory image is still a manual process. The goal of this project is to develop a machine learning classifier capable of analyzing Windows 10 memory images, extract the specified features and classify the structures in memory as either malicious or legitimate.
National Institute of Standards and Technology (NIST): Cyber Forensics Tool Testing
Along with funding from the Cyber Forensics Tool Testing program at NIST, this effort offers a measure of assurance that the tools used by law enforcement in the investigation of computer-related crimes produce valid results. The implementation of testing based on rigorous procedures provides impetus for vendors to improve law enforcement tools that provide consistent and objective test results that will stand up in court.
VTO Inc.: Drone Forensics
This effort is developing new methods and techniques to extract and analyze data acquired from drones. It also will create a website repository to disseminate captured data for the research and operational forensics community.
VTO Inc.: Damaged Mobile Device Forensics
Despite the proliferation of commercial and open-source tools for extracting data from mobile devices, there is little research into the extraction of data from damaged mobile devices. Currently, some agencies that receive damaged mobile devices consider the units unrecoverable and do not try to extract potential evidence from the devices. This effort is developing guidance for investigations involving damaged devices.