Making the Invisible Visible – Techniques for Recovering Deleted SQLite Data Records

Author(s):  
Dirk Pawlaszczyk ◽  
Christian Hummert

Forensic analysis and evidence collection for web browser activity is a recurring problem in digital investigation. It is not unusual for a suspect to cover his traces. Accordingly, the recovery of previously deleted data such as web cookies and browser history is important. Fortunately, many browsers and thousands of apps use the same database system to store their data: SQLite. Reason enough to take a closer look at this product. In this article, we follow the question of how deleted content can be made visible again in an SQLite database. For this purpose, the technical background of the problem will be examined first. Techniques are presented with which it is possible to carve and recover deleted data records from a database on a binary level. A novel software solution called FQLite is presented that implements the proposed algorithms. The search quality, as well as the performance of the program, is tested using the standard forensic corpus. The results of a performance study are discussed, as well. The article ends with a summary and identifies further research questions.

2015 ◽  
Vol 12 (2) ◽  
pp. 757 ◽  
Author(s):  
Erkan Baran ◽  
Huseyin Çakır ◽  
Çelebi Uluyol

Nowadays, web browser tools are used intensively during the usage of web applications. Because of that, browsers provide the infrastructure for a large majority of crimes, because a guilty person or suspect can use browsers to collect information, to hide his crime, to learn new criminal methods or to apply what they have learned. In this study, answers are also sought to how a process can be monitored on computers on which browsers are used, which data are looked at in which files, and when and which sites are accessed. According to research by the W3counter web stats tool, the Chrome web browser, which has a 43% share of usage across the world, is taken as the reference in this study as the browser most in demand by users, and traces are followed in this browser's related files. The "hidden mode" feature, which is present in the vast majority of today's browsers, is also examined. This feature of the reference browser is tested and traced, and data is sought in RAM and in file systems. Thus, what kind of data can be obtained when "hidden mode" is used is revealed, and the effects of "hidden mode" on evidence-gathering studies concerning people in the position of suspect or criminal are discussed.

Summary

Today, web browser tools are used intensively when internet applications are used. For this reason, browsers provide the infrastructure for a large majority of the crimes committed, because a criminal or suspect can use browsers to gather information, conceal a crime, learn new criminal methods or apply what they have learned. This study seeks answers to various questions, such as what process can be followed to detect the traces left on computers on which browsers are used, which data can be examined in which files, and when which sites were accessed. According to research by the internet statistics tool w3counter, the Chrome web browser, which has a 43% share of use worldwide, is taken as the reference in this study as the browser most in demand among users, and traces are followed in the files belonging to this browser. In addition, the "hidden mode" feature found in the vast majority of today's browsers is examined. This feature of the reference browser is tested and traced, and data is searched for in file systems and in RAM. In this way, by establishing what kinds of data can be obtained when "hidden mode" is used, the effects of "hidden mode" use on evidence-gathering work concerning persons in the position of suspect or criminal are discussed.


2011 ◽  
Vol 3 (3) ◽  
pp. 1-18 ◽  
Author(s):  
John Haggerty ◽  
Alexander J. Karran ◽  
David J. Lamb ◽  
Mark Taylor

The continued reliance on email communications ensures that it remains a major source of evidence during a digital investigation. Emails comprise both structured and unstructured data. Structured data provides qualitative information to the forensics examiner and is typically viewed through existing tools. Unstructured data is more complex as it comprises information associated with social networks, such as relationships within the network, identification of key actors and power relations, and there are currently no standardised tools for its forensic analysis. This paper posits a framework for the forensic investigation of email data. In particular, it focuses on the triage and analysis of unstructured data to identify key actors and relationships within an email network. This paper demonstrates the applicability of the approach by applying relevant stages of the framework to the Enron email corpus. The paper illustrates the advantage of triaging this data to identify (and discount) actors and potential sources of further evidence. It then applies social network analysis techniques to key actors within the data set. This paper posits that visualisation of unstructured data can greatly aid the examiner in their analysis of evidence discovered during an investigation.


2004 ◽  
Vol 4 ◽  
pp. 442-448
Author(s):  
Wei Wei-Qi ◽  
Zhu Guang-Jin ◽  
Xu Cheng-Li ◽  
Han Shao-Mei ◽  
Qi Bao-Shen ◽  
...  

Physiology constants of adolescents are important to understand growing living systems and are a useful reference in clinical and epidemiological research. Until recently, physiology constants were not available in China and therefore most physiologists, physicians, and nutritionists had to use data from abroad for reference. However, the very difference between the Eastern and Western races casts doubt on the usefulness of overseas data. We have therefore created a database system to provide a repository for the storage of physiology constants of teen-agers in Beijing. The several thousands of pieces of data are now divided into hematological biochemistry, lung function, and cardiac function with all data manually checked before being transferred into the database. The database was accomplished through the development of a web interface, scripts, and a relational database. The physiology data were integrated into the relational database system to provide flexible facilities by using combinations of various terms and parameters. A web browser interface was designed for the users to facilitate their searching. The database is available on the web. The statistical table, scatter diagram, and histogram of the data are available for both anonym and user according to queries, while only the user can achieve detail, including download data and advanced search.


Acta Comitas ◽  
2021 ◽  
Vol 5 (3) ◽  
pp. 631
Author(s):  
I Gusti Agung Ayu Gita Pritayanti Dinar

Online dispute resolution (ODR) is designed to facilitate the proceedings of parties' disputes through online technology media such as PCs, laptops and cell phones. ODR is expected to facilitate effective mediation, adjudication and communication, so it can provide benefits in the form of time and cost efficiency in dispute resolution. The research questions investigated in this study are: (i) What are the advantages of the concept of proceedings by e-arbitration? (ii) Is the e-arbitration evidence collection procedure in accordance with the evidence principles of civil procedure law? This study employs the normative legal research method. The theories applied in investigating the problems in this research are the economic-legal theory and evidence principles. Through this study, the comparison of procedure and the benefit of e-arbitration evidence regulation in Shenzhen and Indonesia can be determined.


2018 ◽  
Vol 14 (18) ◽  
pp. 40
Author(s):  
Iván Mesias Hidalgo Cajo ◽  
Saul Yasaca Pucuna ◽  
Byron Geovanny Hidalgo Cajo ◽  
Víctor Manuel Oquendo Coronado ◽  
Fanny Valeria Salazar Orozco

The aim of this research is to compare the different standards and methodologies of computer forensic analysis used in the examination of data in digital media. The research was developed based on the scientific method, and a standard and two analysis methodologies were specifically used, which were applied to ten researchers. The analysis variables were based on the feasibility of use and on the time of extracting information from the computer. Among the comparison results of the different methodologies analyzed, it was determined that for the Methodology UNE 71506: 2013, 60% of the researchers used it due to the feasibility of use, because it is made up of a robust process (contains the most detailed steps of computer forensics) that is reliable and applicable in any field, necessarily supervised by specialists working in the area, compared to the National Institute of Standards and Technology, which 30% selected, and the Integrated Digital Investigation Process, 10%. Regarding the time of analysis in the examination of digital media with different methodologies (case study: extraction of a file of 100 Mb from a hard disk of 20 Gb in off mode), it is revealed that with UNE 71506: 2013 it took less than 1 hour, compared to the National Institute of Standards and Technology, which took between 1 and less than 2 hours, and the Integrated Digital Investigation Process, which lasted longer than 3 hours. In addition, with the use of the Methodology UNE 71506: 2013, it was possible to have greater feasibility in the examination of digital media, since it is composed of four stages: the preservation, acquisition, analysis and presentation of information results.


2021 ◽  
Vol 5 (1) ◽  
pp. 012-019
Author(s):  
Fayyad-Kazan Hasan ◽  
Kassem-Moussa Sondos ◽  
Hejase Hussin J ◽  
Hejase Ale J

Forensic analysts are more than ever facing challenges upon conducting their deep investigative analysis on digital devices due to the technological progression. Of these are the difficulties present upon analyzing web browser artefacts as this became more complicated when web browser companies introduced private browsing mode, a feature aiming to protect users’ data upon opening a private browsing session, by leaving no traces of data on the local device used. Aiming to investigate whether the claims of web browser companies are true concerning the protection private browsing provides to the users and whether it really doesn’t leave any browsing data behind, the most popular desktop browsers in Windows were analyzed after surfing them regularly and privately. The results shown in this paper suggest that the privacy provided varies among different companies since evidence might be recovered from some of the browsers but not from others.

