<?xml version="1.0" encoding="UTF-8"?>
<itemContainer xmlns="http://omeka.org/schemas/omeka-xml/v5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://omeka.org/schemas/omeka-xml/v5 http://omeka.org/schemas/omeka-xml/v5/omeka-xml-5-0.xsd" uri="https://omeka.ibu.edu.ba/items/browse?output=omeka-xml&amp;page=105&amp;sort_field=Dublin+Core%2CTitle" accessDate="2026-06-15T01:47:18+01:00">
  <miscellaneousContainer>
    <pagination>
      <pageNumber>105</pageNumber>
      <perPage>10</perPage>
      <totalResults>3494</totalResults>
    </pagination>
  </miscellaneousContainer>
  <item itemId="1349" public="1" featured="0">
    <fileContainer>
      <file fileId="1602">
        <src>https://omeka.ibu.edu.ba/files/original/1056611ea52aa3af46a621565f44a083.docx</src>
        <authentication>96eb602b430ebdeb7500344511974541</authentication>
      </file>
      <file fileId="1603">
        <src>https://omeka.ibu.edu.ba/files/original/29edef7b557d79377c32ab692f59257c.pdf</src>
        <authentication>2a793f87e8af4a73b8a17bcd1e7f5b7d</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="10649">
                    <text>ESKİ VE ORTA TÜRKÇEDE GEÇEN BAZI FİİLLERİN ÇEŞİTLİ ALTAY
DİLLERİNDEKİ GÖRÜNÜMLERİ
Mehmet Turgut BERBERCAN
Çankırı Karatekin University, Faculty of Letters, Department of Turkish Language and Literature, Çankırı /
Turkey
Keywords: Altaic languages, Old Turkic, Middle Turkic, verbs.
ABSTRACT
Some verb examples taken from various linguistic monuments produced from the 7th to the 16th
century, within the language periods known as “Old Turkic” and “Middle Turkic”, have been examined
phonologically and morphologically by comparing them with similar forms and examples currently found
in the vocabulary of the contemporary Altaic languages (Turkic, Mongolian, Tungusic, Manchu, etc.).
In light of the results obtained, the etymological structure and paths of transmission of these sample
verbs, which are attested in Old and Middle Turkic, have been brought out. On this occasion, a general
assessment has been made of the status of verbs found in some of the Altaic languages which, although
they have undergone changes in sound and structure, are certainly or probably derived from the same
root or cognate, and the common vocabulary of the Altaic languages has been examined comparatively
on a basis formed by verb roots and stems selected from Old and Middle Turkic.
</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="10641">
                <text>2002</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="10642">
                <text>ESKİ VE ORTA TÜRKÇEDE GEÇEN BAZI FİİLLERİN ÇEŞİTLİ ALTAY DİLLERİNDEKİ GÖRÜNÜMLERİ</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="10643">
                <text>BERBERCAN, Mehmet Turgut</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="10644">
                <text>Keywords: Altaic languages, Old Turkic, Middle Turkic, verbs. ABSTRACT  Some verb examples taken from various linguistic monuments produced from the 7th to the 16th century, within the language periods known as “Old Turkic” and “Middle Turkic”, have been examined phonologically and morphologically by comparing them with similar forms and examples currently found in the vocabulary of the contemporary Altaic languages (Turkic, Mongolian, Tungusic, Manchu, etc.). In light of the results obtained, the etymological structure and paths of transmission of these sample verbs, which are attested in Old and Middle Turkic, have been brought out. On this occasion, a general assessment has been made of the status of verbs found in some of the Altaic languages which, although they have undergone changes in sound and structure, are certainly or probably derived from the same root or cognate, and the common vocabulary of the Altaic languages has been examined comparatively on a basis formed by verb roots and stems selected from Old and Middle Turkic.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="10645">
                <text>International Burch University</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="10646">
                <text>2013-05-17</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="10647">
                <text>Article
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="43">
            <name>Identifier</name>
            <description>An unambiguous reference to the resource within a given context</description>
            <elementTextContainer>
              <elementText elementTextId="10648">
                <text>ISSN 2203-4548</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="1805" public="1" featured="0">
    <fileContainer>
      <file fileId="2584">
        <src>https://omeka.ibu.edu.ba/files/original/45c6ee41f17feb05a0b807e73a6927ae.docx</src>
        <authentication>96eb602b430ebdeb7500344511974541</authentication>
      </file>
      <file fileId="2585">
        <src>https://omeka.ibu.edu.ba/files/original/48014fdae1dcdfe99bab1ea7dbec68e5.pdf</src>
        <authentication>2a793f87e8af4a73b8a17bcd1e7f5b7d</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="14841">
                    <text>ESKİ VE ORTA TÜRKÇEDE GEÇEN BAZI FİİLLERİN ÇEŞİTLİ ALTAY
DİLLERİNDEKİ GÖRÜNÜMLERİ
Mehmet Turgut BERBERCAN
Çankırı Karatekin University, Faculty of Letters, Department of Turkish Language and Literature, Çankırı /
Turkey
Keywords: Altaic languages, Old Turkic, Middle Turkic, verbs.
ABSTRACT
Some verb examples taken from various linguistic monuments produced from the 7th to the 16th
century, within the language periods known as “Old Turkic” and “Middle Turkic”, have been examined
phonologically and morphologically by comparing them with similar forms and examples currently found
in the vocabulary of the contemporary Altaic languages (Turkic, Mongolian, Tungusic, Manchu, etc.).
In light of the results obtained, the etymological structure and paths of transmission of these sample
verbs, which are attested in Old and Middle Turkic, have been brought out. On this occasion, a general
assessment has been made of the status of verbs found in some of the Altaic languages which, although
they have undergone changes in sound and structure, are certainly or probably derived from the same
root or cognate, and the common vocabulary of the Altaic languages has been examined comparatively
on a basis formed by verb roots and stems selected from Old and Middle Turkic.
</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="14834">
                <text>1961</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="14835">
                <text>ESKİ VE ORTA TÜRKÇEDE GEÇEN BAZI FİİLLERİN ÇEŞİTLİ ALTAY DİLLERİNDEKİ GÖRÜNÜMLERİ</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="14836">
                <text>BERBERCAN, Mehmet Turgut</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="14837">
                <text>Keywords: Altaic languages, Old Turkic, Middle Turkic, verbs.  ABSTRACT  Some verb examples taken from various linguistic monuments produced from the 7th to the 16th century, within the language periods known as “Old Turkic” and “Middle Turkic”, have been examined phonologically and morphologically by comparing them with similar forms and examples currently found in the vocabulary of the contemporary Altaic languages (Turkic, Mongolian, Tungusic, Manchu, etc.). In light of the results obtained, the etymological structure and paths of transmission of these sample verbs, which are attested in Old and Middle Turkic, have been brought out. On this occasion, a general assessment has been made of the status of verbs found in some of the Altaic languages which, although they have undergone changes in sound and structure, are certainly or probably derived from the same root or cognate, and the common vocabulary of the Altaic languages has been examined comparatively on a basis formed by verb roots and stems selected from Old and Middle Turkic.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="14838">
                <text>IBU Publishing</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="14839">
                <text>2013-05-03</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="14840">
                <text>Article
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="1891" public="1" featured="0">
    <fileContainer>
      <file fileId="2757">
        <src>https://omeka.ibu.edu.ba/files/original/e65743ea2ced30db753f86e2b9a5b109.docx</src>
        <authentication>f5092750d9a18de7f4f5998d092d0614</authentication>
      </file>
      <file fileId="2758">
        <src>https://omeka.ibu.edu.ba/files/original/8ab77d18d6433a657a5593a00d428760.pdf</src>
        <authentication>5a9fbe8b3535a9bf7ef1f09d5c0bf133</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="15529">
                    <text>ESL Teachers' Professional Development on Facebook
Reima Al-Jarf
King Saud University/ Riyadh, Saudi Arabia
Key words: Facebook pages, ESL teachers, online communities, professional development, social networks
ABSTRACT
ESL teachers from around the world can create or join Facebook pages, groups or clubs for ESL teachers for free.
Those pages are online learning communities that provide opportunities for in-depth peer-to-peer interaction. They
help teachers exchange knowledge, information and experiences. They create social inter-personal rapport among
the participants. They foster dialog among teachers, promote asynchronous self-directed learning, peer support and
greater involvement in teaching-learning and student-teacher issues. They provide opportunities for cognitive,
social, and teaching presences and are essential for the successful development of online learning communities.
Members of the Facebook ESL teachers' pages constitute a homogeneous group of teachers from different countries
and cultures and the climate of interaction is warm and positive. Members are inclusive, supportive and receptive of
each other's ideas and attend to each other's needs. Members can upload and download resources such as tests, video
activities, movies for the ESL classroom, ebooks, lesson plans, software, and worksheets. They post questions and
receive answers about teaching and learning English such as: how to become a teacher, teaching via Skype, grammar
usage rules, improving students’ accent, ideas for increased comprehension, communicative activities, how to
reinforce speaking, problems in teaching writing, reading, grammar, pronunciation, etc. Facebook teachers' pages
also enhance teachers’ awareness of non-conventional ESL teaching issues such as: teaching business with no
teaching certificate, Facebook pen-friends, teaching in rural schools in China, online tutoring, testing private
students at Euro levels, using songs in TEFL, ideas for teaching presentation with 600 students, and others. The
presentation will give examples of Facebook pages, groups or clubs for ESL teachers, kinds of topics, issues and
problems posted about the teaching and learning of English to students of all ages, and the role of Facebook teachers'
pages in professional development as perceived by a sample of ESL teacher members.
</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="15522">
                <text>1921</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="15523">
                <text>ESL Teachers' Professional Development on Facebook</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="15524">
                <text>JARF, Reima Al</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="15525">
                <text>Key words: Facebook pages, ESL teachers, online communities, professional development, social networks  ABSTRACT  ESL teachers from around the world can create or join Facebook pages, groups or clubs for ESL teachers for free. Those pages are online learning communities that provide opportunities for in-depth peer-to-peer interaction. They help teachers exchange knowledge, information and experiences. They create social inter-personal rapport among the participants. They foster dialog among teachers, promote asynchronous self-directed learning, peer support and greater involvement in teaching-learning and student-teacher issues. They provide opportunities for cognitive, social, and teaching presences and are essential for the successful development of online learning communities. Members of the Facebook ESL teachers' pages constitute a homogeneous group of teachers from different countries and cultures and the climate of interaction is warm and positive. Members are inclusive, supportive and receptive of each other's ideas and attend to each other's needs. Members can upload and download resources such as tests, video activities, movies for the ESL classroom, ebooks, lesson plans, software, and worksheets. They post questions and receive answers about teaching and learning English such as: how to become a teacher, teaching via Skype, grammar usage rules, improving students’ accent, ideas for increased comprehension, communicative activities, how to reinforce speaking, problems in teaching writing, reading, grammar, pronunciation, etc. Facebook teachers' pages also enhance teachers’ awareness of non-conventional ESL teaching issues such as: teaching business with no teaching certificate, Facebook pen-friends, teaching in rural schools in China, online tutoring, testing private students at Euro levels, using songs in TEFL, ideas for teaching presentation with 600 students, and others.
The presentation will give examples of Facebook pages, groups or clubs for ESL teachers, kinds of topics, issues and problems posted about the teaching and learning of English to students of all ages, and the role of Facebook teachers' pages in professional development as perceived by a sample of ESL teacher members.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="15526">
                <text>IBU Publishing</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="15527">
                <text>2013-05-03</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="15528">
                <text>Article
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="1161" public="1" featured="0">
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="9033">
                <text>3515</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="9034">
                <text>ESP CURRICULUM AT THE UNIVERSITY LEVEL</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="9035">
                <text>Vučen, Nevena</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="9036">
                <text>The paper focuses on the former curricula for English for Special Purposes at the University of Banjaluka. Namely, the old curricula that had been used to teach ESP to students of mathematics, physics, chemistry, biology, geography, and spatial planning had displayed a poor focus on the specific vocabulary. Furthermore, the main focus was on the basic grammar points, so the students could not be expected to show deep understanding of specific texts. If we consider the fact that students from the target departments all use different vocabulary in their own fields, it became obvious that the target vocabulary should be included, which had not been the case. Another flaw of the former curricula was that the students did not deal with any original English texts in their subject field or with the translation. Hence, we introduced such texts in the new curriculum, resulting in a better understanding of the students' own subject matter. We also considered the fact that most scientific papers and handbooks that the students use during their college years were written in English. Our suggestion was that, apart from the grammar points presented to the students, their ESP curricula should focus more on their own scientific language, i.e. on the vocabulary that is typical of their own subject matter and which they might be able to use one day in their own field of research. The new curricula resulted in students being more eager to study ESP and better understand the specific target texts.  Keywords: ESP, curriculum, revision, university level, teaching trends</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="9037">
                <text>2014</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="9038">
                <text>Conference or Workshop Item
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
    <tagContainer>
      <tag tagId="18">
        <name>PE English</name>
      </tag>
    </tagContainer>
  </item>
  <item itemId="1791" public="1" featured="0">
    <fileContainer>
      <file fileId="2556">
        <src>https://omeka.ibu.edu.ba/files/original/0a2e121c178465daec26934a46dbce80.docx</src>
        <authentication>5e79ba56a2c17f55b8684a4d0b7be94f</authentication>
      </file>
      <file fileId="2557">
        <src>https://omeka.ibu.edu.ba/files/original/8b162f37886c0ebdd800bc8318869eb8.pdf</src>
        <authentication>17908fdf590ab91d30db0c73eea5bdc6</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="14729">
                    <text>ESP in the Academia
Željka Babić
University of Banja Luka/ Banja Luka, Bosnia and Herzegovina
Key words: ESP, vocational English, academia, teaching, syllabi
ABSTRACT
The role of English as a lingua franca is indubitable, and our academia acknowledged this fact a long time ago.
Nowadays it is almost impossible to find any university programme or department which does not have English
course(s) in their curricula. Understandably, the particular syllabi have been made according to the specific, usually
vocational, needs of each of the programmes or departments. Nevertheless, if a closer look is taken at the syllabi
of English language departments in Bosnia and Herzegovina, it becomes obvious that very little, if any, attention is
paid to teaching English for Specific Purposes. Even though one can see some traces of ESP in the above-mentioned
departments, the majority of teaching has still been focused on teaching what can be called “general English”.
This presentation will focus on the results of the survey of the present state of ESP teaching at the University
of Banja Luka, the second largest university in Bosnia and Herzegovina. There has been a need felt that the English
departments throughout the country should immediately take some action to introduce courses in ESP not
only in the first cycle studies, but also in the second and the third. There is a need felt in the academia for
professionals who will be experts both in the language itself and in the specific needs which each branch of ESP
has.
</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="14722">
                <text>2056</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="14723">
                <text>ESP in the Academia</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="14724">
                <text>BABIC, Željka</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="14725">
                <text>Key words: ESP, vocational English, academia, teaching, syllabi  ABSTRACT  The role of English as a lingua franca is indubitable, and our academia acknowledged this fact a long time ago. Nowadays it is almost impossible to find any university programme or department which does not have English course(s) in their curricula. Understandably, the particular syllabi have been made according to the specific, usually vocational, needs of each of the programmes or departments. Nevertheless, if a closer look is taken at the syllabi of English language departments in Bosnia and Herzegovina, it becomes obvious that very little, if any, attention is paid to teaching English for Specific Purposes. Even though one can see some traces of ESP in the above-mentioned departments, the majority of teaching has still been focused on teaching what can be called “general English”.  This presentation will focus on the results of the survey of the present state of ESP teaching at the University of Banja Luka, the second largest university in Bosnia and Herzegovina. There has been a need felt that the English departments throughout the country should immediately take some action to introduce courses in ESP not only in the first cycle studies, but also in the second and the third. There is a need felt in the academia for professionals who will be experts both in the language itself and in the specific needs which each branch of ESP has.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="14726">
                <text>IBU Publishing</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="14727">
                <text>2013-05-03</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="14728">
                <text>Article
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="502" public="1" featured="0">
    <fileContainer>
      <file fileId="526">
        <src>https://omeka.ibu.edu.ba/files/original/40bbc90ba9a72c4a34e6785cff9e3877.pdf</src>
        <authentication>2dcd2ef28957dcdde41cbfdaf93f7195</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="3860">
                    <text>Journal of Foreign Language Teaching and Applied Linguistics

ESP Teaching Practice at Technical Faculties
Aida Tarabar
University of Zenica, Bosnia and Herzegovina
Submitted: 15.04.2014.
Accepted: 24.11.2014.

Abstract
The paper offers an insight into the highlights of the ESP teaching practice at the
University of Zenica, the university with the longest ESP tradition in the country.
This type of language instruction started as part of an optional course at the Faculty
of Metallurgy in the 1970s. During the following decades – especially in recent times –
the teaching has been developed and organized into several obligatory ESP courses
that are taught during the final four semesters of undergraduate studies at technical
faculties. The training finishes with the so-called Public Lecture – a series of
presentations delivered by the students themselves. The main characteristics of ESP
instruction at these faculties are total flexibility and adaptability. This means the ESP
teacher not only tends to follow the most recent findings in the realm of the ELT, but
also observes the specific educational and social circumstances within which the
learning/teaching process takes place. In a country such as Bosnia and Herzegovina,
where the legacy of war includes a brain drain and a complex situation at all three
educational levels, it is important to design innovative practices that can compensate
for the aforementioned deficiencies. By being responsive to students’ needs, we try
to bridge and/or fill in the gaps in their knowledge. In the course of our ESP
instruction the students are equipped with the most appropriate and practical tools
they can use when they encounter the problem of translating a technical text – a
simplified 'translation technology'. Thus, they are encouraged to enter the language
arena. Without such a scaffold, they would most probably remain only spectators.
Key words: ESP, translation technology, vocabulary, syntax, morphology

Introduction
We are all aware of a growing tendency for universities to provide courses in
English. In his book, The Future of English, the British linguist David Graddol
describes this trend and its consequences in the following words:

'One of the most significant educational trends world-wide is the teaching of
a growing number of courses in universities through the medium of English.
The need to teach some subjects in English, rather than the national
language, is well understood: in the sciences, for example, up-to-date text
books and research articles are obtainable much more easily in one of the
world languages and most readily of all in English ... English-medium higher
education is thus one of the drivers of language shift, from L2 to L1 English-speaking status’ (Graddol 1997: 45)
Indeed, such education presents an invaluable advantage for those who can afford it.
But the question remains: Is such education possible in most countries? If not - What
should be done? How can the grounds for such education be set or how can we speed
up its implementation?
Having been a language teacher at different technical faculties for fifteen years now,
I have become quite familiar with the situation in B&amp;H education. The University of
Zenica provides more English teaching at its technical faculties than any other
university in Bosnia and Herzegovina. It was the management of the Faculty of
Mechanical Engineering that first recognized the importance of the English language
for their students and their professional development. They introduced English as a
subject during each year of studies. Soon afterwards, the other faculties, i.e. the
Faculty of Metallurgy and Materials and The Faculty of Polytechnics, followed suit.
Due to these actions, conditions were met for an adequate instruction in English for
Specific Purposes (hereinafter: ESP). The results of such a praxis proved to be so
good that the University opened its 'doors' to quite modern approaches in foreign
language teaching such as Content and Language Integrated Learning (CLIL).
During the academic year 2012/2013, CLIL was tested at technical faculties and the
outcome was exceptionally good. However, CLIL is not the topic of this paper. I
mention it only because one of the researchers’ conclusions was that CLIL would not
have produced such good results at our faculties had it not been supported by the
ESP teaching in the first place.1 In other words, the time is not ripe for modern
approaches such as CLIL at the majority of our universities. This is because students
who enrol in the faculties generally arrive with poor English proficiency. This
situation is mainly the legacy of war. Over the last 10 years, some of the deficiencies
in English teaching have been overcome, but many of them remain, particularly those
related to vocational or technical schools. The majority of students recruited by
technical faculties have graduated from schools where English doesn't have the status
it deserves.

1 This paper's discussion of ESP instruction focuses exclusively on the kind that is currently practiced at
our technical faculties.

Therefore, we wish to share our experience, particularly in terms of ESP, in order to
help others find their way to contemporary types of English language teaching.

Is a Different Approach to ESP Teaching Needed at Technical Faculties?
There is nothing new about the idea that ESP is reserved for professional discourse
and university-level education. Although ESP instruction is also offered in certain
secondary schools and in companies that prepare professionals for tasks that require
proficiency in English, universities pose a special challenge for ESP.
There are a few reasons for this. It is expected that students' proficiency at this level of
education is high – intermediate at the very least. Also, students are expected to
demonstrate a significant level of enthusiasm for studying English, because it is the
language that will help them understand the content of the books and texts from their
reading lists in the course of their studies as well as in their further specialization
through Life Long Learning (LLL).
However, the situation in B&amp;H falls far short of these expectations. When referring
to foreign language knowledge, we must appreciate that students studying at these
faculties typically come from rural areas where, up until recently, foreign languages
at primary school level were taught by unqualified staff. The same goes for teaching
the mother tongue.
A similar situation prevails in secondary technical schools, which supply the most
students to the technical faculties.2 The language instruction has been deficient,
substandard and irregular, which has generated resistance amongst students towards
learning foreign languages in particular. Turnover among teachers is often high,
which adds to the students’ uneasiness about dealing with foreign language texts.
However, aware of the importance of the English language, these students are keen
to fill in the gaps in their knowledge. Given a low number of hours allocated to
teaching foreign languages (2 hours per week) and a high number of students, it was
not possible to apply the usual foreign language teaching methods and expect high
achievement rates across the student population. Therefore, we decided to:
a) introduce the General English classes in the first two years of studies,
b) start with the ESP in the third year (when there are fewer students compared
to Years 1 and 2) and to
c) offer 'a new beginning' to students by adopting an approach that is designed
to give them a badly needed boost.

2 The number of students coming from gymnasiums (general secondary schools) is negligible.

In other words, we knew that students needed a different, or enstranged3 approach to
reading technical texts. More precisely - they required a different ‘language
narrative’.
Bearing all this in mind, we designed the ESP, which includes, amongst other things,
an analysis of a limited range of simple sentence structures, as well as some phrasal
forms, which is necessary for basic understanding of a technical text. Particular focus
is given to simple sentence forms, such as SV, SVO, SVA and SVSC, and to simple
and easily recognisable phrasal forms, such as NP, PP, and VP. This seemed to be
the only way to give students a sense of a new beginning and motivation to start
learning and using English in a practical manner. Our current experience of teaching
ESP suggests that students with basic foreign language knowledge find this aspect of
ESP most helpful in gaining confidence when translating an English technical text.

A Short Overview of ESP Activities at the University of Zenica
At the time the ESP starts, students are supposed to have already passed their exams
in General English (1, 2, 3 and 4). The General English courses take place during the
first four semesters and are designed to provide an elementary basis for students'
further development in the field of Technical English (ESP).
In the fifth semester, students are instructed to use the basic vocabulary and syntax
related to technical English, both orally and in writing. In this semester, they translate
simple technical texts while using bilingual dictionaries.
In the sixth semester, the texts to be translated are more complex, both in terms of
vocabulary and in their morphological and syntactic structures.
In the seventh semester students are developing their oral skills by means of
repetition, reformulation, substitution of certain elements in given constructions etc.
Writing skills are developed mainly through translating longer texts from English
into BHS4 and vice versa. Students are expected to master vocabulary and grammar
typical of technical-register sentence constructions. Special attention is paid to
writing summaries of different technical texts.

3 This term, quite appropriate for the purpose, was coined by a literary critic and theorist V. Shklovsky.
The term is found in Russian Formalists who posited that something attracts attention only if it is
'enstranged' or unusual. (see: Petković, N. 1988: 71-111).
4 BHS stands for Bosnian-Croatian-Serbian. It is the mutual language of the people of Bosnia and
Herzegovina.

The eighth semester is reserved for assignments that lead to Public Lecture - the final
activity where students deliver their own lectures in English on different technical
topics.

The Technology of Translation
From the overview, it is evident that translating technical texts from English into
BHS and the other way round is one of the priorities for ESP teaching at the technical
faculties in Zenica.5 In an attempt to bring the process of translating closer to the
students’ experience, we sometimes call it ‘Technology of Translating a Technical
Text’. Namely, the use of this technical term (technology) has a significant positive
effect on removing the barriers that the students have towards language teaching and
on raising their motivation levels, which very often result in high achievement.
In the following paragraphs we will explain how using the ESP methodology can
help students overcome problems they encounter when translating technical texts. In
this process, the grammatical explanations are adapted to technical discourse that
these students are familiar with, and the use of technical vocabulary and descriptions
resonates with the familiar content of technical subjects that they have learnt in their
mother tongue.
As is typical for any technology, the starting point is basic materials. In our case, basic
materials are word classes (parts of speech). This is one of the most difficult
problems our students must overcome, as they are not sufficiently familiar with the
word classes and their functions. Therefore, at the very beginning of the course we
introduce word classes and provide basic information about them. During this
process we try to avoid overburdening the students with unfamiliar linguistic jargon
or excessive information. Our aim is to achieve maximum results with minimum
means. We therefore carefully assess the quantity of information, or technically
speaking ‘the volume of information input’, in order to avoid excess information that
may discourage students from continuing, or even cause them to drop out.6
In the next phase we try to address the structure of sentences. Our starting point is the
foundation, i.e. basic 'materials', which are then combined into more complex
'structures'. In order to bring these language phenomena to life, we often use graphic
representations, such as diagrams, graphs, tables, technical drawings, photographs,
etc. This approach has very positive results on students’ motivation. Grammar stops
being a collection of prescriptive rules that must be learnt in order to translate a
technical text and becomes a toolbox that facilitates translation. That is what the
students need. Successes during this phase of teaching encourage students to achieve
more later on.

5 The ESP Curriculum Plan at the technical faculties places the greatest emphasis on building students’
knowledge and skills to enable them to translate technical texts.
6 The academic strength of individual student cohorts is often a deciding factor for selecting ESP
teaching materials.

It is important to emphasise that initially students are not expected to translate
paragraphs. Instead they concentrate on singular simple sentences, which are then
broken down into smaller constituent parts. For that purpose it is important for
students to learn how to move from the sentence level down to a phrase level.7 In
order to learn this, the students have to understand how phrases are connected into
sentences, i.e. how lower-level constituent parts link together to form higher-level
parts, thereby forming a sentence structure. Students are introduced to the simplest
sentence types, e.g. SV, SVO, SVA, SVSC, and SVOA, which are selected from
textbooks suitable for this level.8
In the process of identifying sentence types, or their individual constituent parts that
perform certain functions within those sentence types, students are advised to use
certain ‘road signs’ or ‘signals’. Learning to recognise them makes it easier to divide
sentences into smaller constituent segments (phrases), which are then individually
translated before they are connected again and translated as a whole sentence. The
following are examples of these ‘road signs’:
A) Students are asked to start analysing a sentence by identifying the predicate in the
main sentence. They are advised to first identify all verbs, both finite and non-finite
ones, and after that to exclude the following9:
1. all non-finite forms i.e. those verbs that they identify as incomplete to
form a Tense and then:
2. finite forms appearing in dependent/subordinate clauses after the
dependent clause markers, such as which, that, when, because, where,
who, when, if, etc. with which they would be familiar from the previous
year of study.
The remaining verb is then identified as the predicate of the main sentence.

7 In our explanations we often use technical terminology the students have already learned in their
Machine Elements syllabus, which is as important for their chosen study as Anatomy is for medicine.
8 The textbooks used in our ESP classes are: English for Metallurgy and English for Mechanical
Engineering. See: Šestić, L. (1985.), (1994.)
9 It is worth noting that during lessons we do not use linguistic terminology, such as constituent, finite or
non-finite verb form, or markers, because this would create barriers and disengage the students.

Here we are only referring to selected examples. The students are never given
difficult sentences. The examples we give our students illustrate the above
methodology very clearly10. Here are a couple of examples:
1) The factory producing steel needs iron ore.
2) The conveyor belt which carries raw material to the plant is very
expensive.
Applying the above methods the students will exclude from the first sentence the
non-finite form producing and will deduce that the predicate can only be needs,
which is also confirmed by its affix –s. In the second sentence, the students will
exclude the clause beginning with the marker which, thereby concluding that is is the
only finite form of verb, which therefore represents the main verb (linking verb) and
introduces the subject complement.
B) The identification of the subject in the sentence is made easy by explaining the
fixed word order in English sentences in which the subject precedes the predicate,
especially in affirmative sentences. Such sentences are typical in technical texts. For
instance,
A vast quantity of energy [S] has been lost [V] in the process [A].
C) Students are also alerted to the possibility of adverbials appearing at the
beginning of the sentence, which can also be positioned in the middle or at the end of
the sentence.
The comma is cited as the most common ‘road sign’, albeit not the only one, for
differentiating an adverbial from the subject. However, technical texts are often
riddled with mispunctuation, which makes the comma an unreliable ‘road sign’. For
that reason, the students are asked to check if an adverbial is placed at the very start
of the sentence before they mark another segment as the subject of the sentence and
start translating it as such.
The students are also advised that it is possible to have an adverbial in the form of a
prepositional phrase at the beginning of the sentence, or a dependent clause starting
with e.g. when, how, which, or if which precedes the main clause. At this point, we
do not introduce the notion that clauses with the aforementioned markers can act as
the subject of the main sentence, as that may cause a degree of confusion.

10 The aim is to provide simple examples for sentence analysis, which would boost the students’
confidence. Otherwise, it would become obvious very quickly that such 'road signs' are not always
present in more complex examples.

Let us look at some examples we use in the syllabus:
Over the past few years [A], the laboratory [S] has been performing [V] regular inspections [O].
If the temperature does not rise [A], the speed of molecules [S] will not increase [V].
When this ideal condition is obtained [A], we [S] start [V] the process [O].
It is, of course, possible to have an adverb, functioning as an adverbial and ending
with -ly at the start of the sentence, which the students recognise easily, such as the
following example:
Usually [A], the process [S] starts [V] upon the completion of the prerequisites [A].
In parallel with learning how to identify the subject, the students are also introduced
to noun phrases and the functions they perform in the sentence. The basic elements
are covered as well as the importance of their meaning for the correct translation of a
sentence. By using the technical terminology, the noun phrase is referred to as a
subsystem 'meshing' with other similar subsystems to form a whole sentence, which
is a system in itself.
To help identify a noun phrase, the students are introduced to signals such as
determiners that precede it.11 Students can easily remember that this function is
performed by indefinite and definite articles, a, an and the. In order to help them
memorise as many determiners as possible, we draw a parallel between the indefinite
article a and number one, which also introduces numbers, as well as quantifiers such
as some, any, much, little, many, few etc. as possible determiners. Similar
methodology is used with the definite article the, and the students are taught to
regard demonstrative pronouns this and that as determiners. This number of words
signalling a noun phrase is enough for the students’ translation needs. From our
experience it is evident that the students have no difficulties in identifying other
similar determiners, although they were not explicitly mentioned during the course.

11 In the ESP syllabus, the term determiner is used to designate both a pre- and a post-determiner in
order to avoid unnecessary confusion that such complexity may cause amongst the students.

The absence of determiners is also referred to, but not elaborated on. The students
accept the possibility of nouns not being signalled by determiners. They regard the
presence of a determiner as an aid for easier identification of a text segment, such as
a noun phrase.
In the next step students are informed that the following element within the noun
phrase can be a noun premodifier (usually adjective), the task of which is to modify
i.e. to change the meaning of the noun while preceding it. In other words, we explain
that the premodifier unites its meaning with the meaning of the noun, whereby the
reference of the noun is narrowed down.
In order to reduce the probability of their making mistakes in determining the noun
head within a noun phrase, students are made aware of a possibility that the noun
head can be preceded by another noun (noun adjunct) that also functions as a
premodifier (e.g. metal part). The majority of students make mistakes while
translating such phrases. When they encounter two nouns, one next to another, they
usually go in the wrong direction and use the first noun as a noun head of a phrase.
Then they try to adjust the rest of the phrase to the initially inaccurate translation.
Such errors normally occur in the series of nouns that the students are not familiar
with. When informed of a possibility that a noun can be a premodifier to a noun
head, they become more careful and consequently make fewer mistakes. It becomes
evident to them that the second noun to the right in the linear series of two is actually
the noun head of the phrase. Of course, this refers to situations when there is neither
a preposition nor a hyphen between the nouns.
As far as the intensifier is concerned, we explain to the students that it has the same
influence on the premodifier as the premodifier has on the noun. Just as the
premodifier inherently modifies and narrows down the meaning of the related noun,
so does the intensifier modify the meaning of the premodifier. For instance, in the
phrase very successful production the premodifier successful modifies the meaning of
production and the intensifier very further modifies the preceding premodifier.
Most common intensifiers are identified, such as adverbs with the suffix -ly (e.g.
successfully conducted experiments). However, as students expand their vocabulary
over time, they begin to recognise other, non-derivative forms of adverbs. In this
phase of their learning, it is important to help the students understand the linear
nature of language, where the words appearing in a linear order are interconnected
and interdependent. In this respect, our approach has had positive results.
Because we provide a short repository of word classes (parts of speech) at the
beginning of ESP teaching, the students become quite successful in identifying them.
Although they are not expected to have an extensive vocabulary, these students
display a fairly good grasp of morphological markers, which enables them to identify
the key word classes. Therefore, we pay particular attention to affixes of derived
nouns, adjectives and adverbs, which also has positive results on student attainment.
In this phase, the students become very aware that the knowledge of basic elements
of noun phrases will be very useful for their future work.
As to the role of noun postmodifiers, students are told that they modify the meaning of a
noun, similarly to noun premodifiers, the only difference being that they are placed
after, not before the noun. The students are acquainted with the most frequent
postmodifiers:
1. Relative Clause with its markers: which, where, who, that (N+ which...)
e.g.: the conditions which/that can be obtained
2. Reduced form of Relative Clause in Active Voice (N+Ving)
e.g.: the power plant producing energy (obtained by reduction of: the power
plant which produces energy)
3. Reduced form of Relative Clause in Passive Voice (N+Ved)
e.g.: metallurgical phenomenon observed in cold worked metals (obtained by
reduction of: metallurgical phenomenon which was observed in cold worked
metals)
4. Prepositional Phrase (N + PP)
e.g.: a support for rotating elements
Special attention is paid to the last type of postmodification (N + PP). When we
first introduce a prepositional phrase in our classes, students are told that this phrase
consists of a preposition and a new noun phrase. This information usually arouses a
feeling of satisfaction among the students because it brings them back into the noun
phrase domain, which – in their opinion – they know well by then.
Also, the students are constantly warned to be careful about the scope that a noun
phrase can take within a sentence. The warning makes them more concentrated and
analytical, especially when a more complex noun phrase is in question – particularly
the one with a prepositional phrase as a postmodifier to a noun head, i.e. N + PP. It
should be highlighted that this type of postmodification is rather frequent in technical
texts.
It is interesting to note that students easily discern the difference between the noun
head in a noun phrase and the noun in the noun phrase within a prepositional phrase
that serves as a postmodifier to noun head. Namely, the students immediately
observe that the position of a noun after a preposition indicates that the noun is not
the head noun of the phrase (N+PP) but only a part of its postmodifier
(PP=prep+NP).
With regard to the appositive adjective phrase and infinitive phrase, we rarely
mention them as possible postmodifiers in order to avoid information overload,
which could have a negative effect on students.
D) When identifying the object (O) of a sentence, the emphasis is given to its
position after the sentence predicate. Nevertheless, this position can be occupied by
an adverbial in the form of a prepositional phrase (e.g. The slag layer remains on the
surface), or by an adverb (e.g. The process develops slowly). For that reason, students
are advised to analyse closely what comes after the predicate before they move on to
translating the sentence. Thus, if the position is taken by a noun phrase, the students
know it can only be the object of the sentence.
It is well known that sentences of the SVOA structure are quite frequent. It is
difficult for the students to quickly determine where the object ends and where the
adverbial starts, which slows down their translation process.
However, a number of them manage to do this correctly thanks to their knowledge of
noun phrases as well as the context of a subject area with which they are familiar.
One of the things that we always insist on is for students to rely on the context and
general technical knowledge.
E) Finally, when introducing the subject complement (SC) to students, we underline
that the best indicator of its presence in the sentence is the linking verb to be.12 It is
also stressed that this verb, as the main verb in the sentence, is followed by either
noun phrase or adjective phrase.13
The name of subject complement is derived from the word subject, as they can be
interchangeable in function. Therefore, this relation is easily explained by using the
‘equals’ sign between the subject and its complement, as in the following example:
Arcelor Mittal is the biggest company in this region. →
Arcelor Mittal = the biggest company in this region.

12 In the initial phase of the ESP course we do not mention other linking verbs such as seem, prove,
appear etc.
13 Of course, other constructions that may serve as subject complements, such as: infinitive, gerund or
noun clause, are not mentioned at this stage, because the complexity of information could potentially
confuse students.

Although seemingly simple, this sentence type (SVSC) leads to a plethora of incorrect
translations. Namely, students that are not acquainted with it see the verb to be as an
auxiliary verb, i.e. as a part of predicate. While looking for the main verb of the
predicate, they identify the coming word (usually noun or adjective) as a verb, and
translate it accordingly. Then, confused by the remainder of the text, which
obviously does not fit the translation, they start improvising and end up with
inaccurate translations. It is for this reason that special attention is paid to the
SVSC type of sentence.
We should mention here that once the students get enough skill in translating simple
sentences, more complex structures are introduced.
In the end, it is worth mentioning that the students are warned of exceptions to all
rules, including the ones provided by the course, as well as of the necessity to always
check out the truth-value of their translations. If they feel that their translation does
not fit the logic of the text, they are advised to revise it.

Conclusion
Our approach to teaching English for Special Purposes (ESP) focuses on functional
sentence analysis with the aim of simplifying the translation process. We try not to
overburden our students with more linguistic information than they would find useful
in their future engineering careers. With that in mind, we have introduced relatively
simple examples of individual sentences, or texts specifically adapted for this
purpose.
When introducing this teaching methodology, we were concerned that the
‘technology of translating technical texts’ might be problematic, but we were
prepared to take the risk in consideration of other factors such as the students’ very
low level of English proficiency. We were pleased to note very positive results.
Our experience, as well as numerous student surveys, confirmed that the students are
very satisfied with this approach. They are mindful of the fact that they are future
engineers, not linguists. They are aware that their linguistic knowledge will be
limited but they are still keen to learn. The students approach translations with
pragmatism and logic. The methodology used in ESP classes enables them to engage
in the process of translation without fear, and to translate simple texts independently.
This is a good basis for translating more complex texts in the future. Their progress is
evident even after the initial translation exercises. This boosts the students’
motivation, as well as self-confidence.

Journal of Foreign Language Teaching and Applied Linguistics

In conclusion, the approach described above empowers the students to translate
technical texts from and into English with a degree of confidence and ease. Our
experience confirms that it is better to encourage students to use their limited
linguistic knowledge than not to try at all for fear of the reaction of their tutors or
peers. The guidance we offer them, and continue to offer, is not aimed at producing
proficient translators but at enabling future engineers to take important steps towards
interrogating technical literature in English with confidence, thereby using the
language as a tool for furthering their professional knowledge.


</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="3854">
                <text>2779</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="3855">
                <text>ESP Teaching Practice at Technical Faculties</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="3856">
                <text>TARABAR, Aida</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="3857">
                <text>The paper offers an insight into the highlights of the ESP teaching practice at the University of Zenica, the university with the longest ESP tradition in the country. This type of language instruction started as part of an optional course at the Faculty of Metallurgy in the 1970s. During the following decades – especially in recent times – the teaching has been developed and organized into several obligatory ESP courses that are taught during the final four semesters of undergraduate studies at technical faculties. The training finishes with a so-called Public Lecture – a series of presentations delivered by the students themselves. The main characteristics of ESP instruction at these faculties are total flexibility and adaptability. This means the ESP teacher not only tends to follow the most recent findings in the realm of the ELT, but also observes the specific educational and social circumstances within which the learning/teaching process takes place. In a country such as Bosnia and Herzegovina, where the legacy of war includes a brain drain and a complex situation at all three educational levels, it is important to design innovative practices that can compensate for the aforementioned deficiencies. By being responsive to students’ needs, we try to bridge and/or fill in the gaps in their knowledge. In the course of our ESP instruction the students are equipped with the most appropriate and practical tools they can use when they encounter the problem of translating a technical text – a simplified 'translation technology'. Thus, they are encouraged to enter the language arena. Without such a scaffold, they would most probably remain only spectators. Key words: ESP, translation technology, vocabulary, syntax, morphology</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="3858">
                <text>2014-11-24</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="3859">
                <text>Article
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
    <tagContainer>
      <tag tagId="74">
        <name>P Philology. Linguistics,PE English,PN Literature (General),PR English literature</name>
      </tag>
    </tagContainer>
  </item>
  <item itemId="993" public="1" featured="0">
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="7901">
                <text>3392</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="7902">
                <text>ESP TUITION AND THE INTERNET</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="7903">
                <text>KOVAČEVIĆ, Darko</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="7904">
                <text>The paper discusses the options for using the Internet and the various resources it provides within specific ESP courses and tuition in general. After a general introduction dealing with specific features of ESP in higher education (purpose, objectives, issues, tuition organization modes) the paper will mention, analyse and explain various aspects of using Internet resources for tuition improvement and enrichment. On that occasion, the resources will be grouped and classified on the basis of different relevant criteria, and observed pursuant to that. At the end of the paper, the conclusion will give an overview of the usability of the mentioned and discussed resources. Keywords: ESP, Internet, tuition.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="7905">
                <text>2014</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="7906">
                <text>Conference or Workshop Item
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
    <tagContainer>
      <tag tagId="80">
        <name>PE English,PL Languages and literatures of Eastern Asia, Africa, Oceania</name>
      </tag>
    </tagContainer>
  </item>
  <item itemId="3447" public="1" featured="0">
    <fileContainer>
      <file fileId="4240">
        <src>https://omeka.ibu.edu.ba/files/original/3c43bbdca717ab9bb8b214e6318c4941.pdf</src>
        <authentication>a85ed28176bdfa2c9a8b13c68a6c6736</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="26319">
                    <text>Essentials of Digital Forensics
[Cover figure: flowchart of the digital forensic process, with the stages Preservation, Collection (post-mortem or live acquisition), Examination, Analysis and Reporting, an initial incident type identification (fraud, malware, unauthorised access, network related incident, DoS/DDoS, domestic violence, homicide) and notification of law enforcement, PR and management.]

Kemal Hajdarevic with
Nermin Ziga and Mirza Halilovic

Sarajevo, 2019

Authors:
Dr. Kemal Hajdarevic with Nermin Ziga and Mirza Halilovic
Proofreading: Ana Tankosic
Publisher:
International Burch University
Editor-in-Chief:
Dr. Kemal Hajdarević
Reviewed by: Dr. Hamid Jahankhani, Dr Jasmin Azemovic and Dr. Colin Pattinson

DTP &amp; Design:
Dr. Kemal Hajdarevic
DTP and Prepress:
International Burch University
Circulation: electronic copy
Place of Publication: Sarajevo
Copyright: International Burch University, 2019
Reproduction of this Publication for educational or other non-commercial purposes is
authorized without prior permission from the copyright holder. Reproduction for resale or
other commercial purposes prohibited without prior written permission of the copyright
holder.
Disclaimer: While every effort has been made to ensure the accuracy of the information
contained in this publication, International Burch University will not assume liability for
writing and any use made of the proceedings, and the presentation of the participating
organizations concerning the legal status of any country, territory, or area, or of its
authorities, or concerning the delimitation of its frontiers or boundaries.
----------------------------------
CIP - Cataloguing in Publication
National and University Library
of Bosnia and Herzegovina, Sarajevo
343.98:004
HAJDAREVIĆ, Kemal
Essentials of digital forensics [Electronic resource] / Kemal Hajdarevic, Nermin Ziga, Mirza Halilovic. - E-book.
- Sarajevo : International Burch University, 2019
Access mode (URL): https://omeka.ibu.edu.ba/items/show/3447. - Title from title screen. - Description of the source as of
11. 7. 2019.
ISBN 978-9958-834-66-0
1. Žiga, Nermin 2. Halilović, Mirza
COBISS.BH-ID 27750406
-----------------------------------

Table of Contents

Author’s Preface
IMPORTANT DEFINITIONS
PURPOSE OF THIS BOOK
COMPUTER FORENSICS AND INFORMATION SECURITY TRAINING COURSES
JOBS RELATED TO COMPUTER FORENSICS AND INFORMATION SECURITY
ORGANISATION OF THE BOOK SECTIONS
LEARNING TRACKS

1. Introduction to digital forensics
CHAPTER ABSTRACT
HISTORY OF FORENSICS
HISTORY OF DIGITAL FORENSICS
DIGITAL FORENSICS – DEFINITION
DIGITAL EVIDENCE
DIGITAL VS. COMPUTER FORENSICS
DIGITAL TRANSFORMATION IMPACT ON DIGITAL FORENSICS
AUDIT VS. DIGITAL FORENSIC INVESTIGATION
DIGITAL FORENSIC PROCESS
DIGITAL FORENSIC SCOPE
Personal computers and servers
Network devices and active components
Databases
Mobile Devices
Digital Images
Multimedia
Memory
FORENSIC INVESTIGATION INITIATION
INCIDENT RESPONSE
SUMMARY
KNOWLEDGE ACQUIRED
REVIEW QUESTIONS
FURTHER READINGS
VIDEO RESOURCES

2. Digital forensics – classification
CHAPTER ABSTRACT
DIGITAL FORENSIC CLASSIFICATION BASED ON DATA SOURCE
Forensics of general computer systems
Database forensics
Forensics of multimedia
Watermarking
Digital signatures
Mobile device forensics
Network forensics
SUMMARY
KNOWLEDGE ACQUIRED
REVIEW QUESTIONS
FURTHER READINGS
VIDEO RESOURCES

3. Digital forensics – process
CHAPTER ABSTRACT
STEPS IN THE DIGITAL FORENSIC INVESTIGATION PROCESS
Preservation
Collection
Transport
Examination
Analysis
TYPES OF DIGITAL EVIDENCE ANALYSIS
Media analysis
Media management analysis
File system analysis
Network analysis
Application analysis
Operating System (OS) analysis
Executable analysis
Image analysis
Video analysis
Memory Analysis
Reporting
DIGITAL EVIDENCE COLLECTION
Live Data collection
Post-mortem data collection
DATA CONCEALMENT
Spoliation
Encryption
Steganography
SUMMARY
KNOWLEDGE ACQUIRED
REVIEW QUESTIONS
FURTHER READINGS
VIDEO RESOURCES

4. Digital forensics – tools
CHAPTER ABSTRACT
DIGITAL FORENSIC TOOLS
HARDWARE DIGITAL FORENSIC TOOLS AND THEIR USAGE
Usage of hard disk docking stations
Usage of memory card docking stations
Usage of Portable Computer Forensic Lab
USAGE OF GENERAL COMPUTER FORENSIC TOOLS
Disk Genius usage
DD command tool usage
Busybox usage
Hash Calculation
DATABASE TOOLS USAGE
Usage of the Oracle LogMiner
Usage of the IBM Guardium Data Protection for Databases
Usage of the DB Browser for SQLite
Usage of the Undark - a SQLite data recovery tool
Usage of the SQLite-Deleted-Records-Parser
USAGE OF THE NETWORK FORENSIC TOOLS
Wireshark usage
NIKSUN NetDetector usage
Xplico usage
USAGE OF THE MOBILE DEVICE FORENSIC TOOLS
Rooting Tools usage
Santoku usage
AF Logical OSE usage
Autopsy and the Sleuth Kit usage
Ingest Module usage
Android Analyser module usage
Accessing Partitions
Timeline
Reporting
SUMMARY
KNOWLEDGE ACQUIRED
REVIEW QUESTIONS
FURTHER READINGS
VIDEO RESOURCES

5. Simulation of digital forensic cases
CHAPTER ABSTRACT
CASE 1: FORENSIC DATA RECOVERY OF FILES ON PC
CASE 2: FORENSIC INVESTIGATION OF VIBER, VOICE CALL, SMS, AND COCO ON AN ANDROID MOBILE DEVICE
DEFINING THE SCOPE OF THE INVESTIGATION
PREPARING THE ENVIRONMENT FOR THE DATA ACQUISITION
Rooting the Device
Busybox Sideloading
Determining Partitions and Blocks
ACQUIRING DATA FROM THE EVIDENCE DEVICE
Logical data acquisition
Physical data acquisition
IMPORTING IMAGE FILE INTO AUTOPSY
ANALYSIS OF THE ACQUIRED MOBILE DEVICE DATA
Analysis of Logically Acquired Data
Analysis of the Physically Acquired Data
Viber Message and Call Investigation
SMS Message Investigation
GSM Voice Call Investigation
Coco Message Investigation
INVESTIGATION FINDINGS
ENDING INVESTIGATIONS
CASE 3: DATABASE FORENSICS – USER COMPLAINTS ON HIGH BILLS
CASE 4: DATABASE FORENSICS – SALARIES DATA LEAKAGE
CASE 5: DATABASE FORENSICS – DATA DELETION
SUMMARY
KNOWLEDGE ACQUIRED
REVIEW QUESTIONS
FURTHER READINGS
VIDEO RESOURCES

6. Conclusions
CHAPTER ABSTRACT

Appendix – Consent Form
Appendix – Incident response form
GENERAL DATA ABOUT INCIDENT
TYPE OF INCIDENT
Details for malicious software
DoS / DDoS attack
Details for an unauthorized access:
Leakage of data and information in public:
Appendix – Digital forensic process
List of Figures
List of Tables
Acronyms
References
Index
About authors

Author’s Preface

Information available on the Internet Live Stats web site
(www.internetlivestats.com) shows that 40 percent of the world’s population is
using the Internet. Media report almost daily on different cyber and digital
security incidents. Many more similar incidents have never been reported
or they have been reported years after they had occurred due to the fact
that they could have jeopardised ongoing law enforcement investigations
or because they could have been embarrassing and thus negatively affect
reputation of the victim – organisation or a person.
After a cyber- or information security incident, the obvious step is to make
efforts to minimize losses, establish practices to avoid future similar
situations, and punish the perpetrators and/or masterminds of the incident to
discourage future attempts.
To be able to accomplish the above-mentioned goals it is necessary to
understand the nature of the incident and the actual losses, to detect, collect,
and preserve evidence, and to detect and locate those who carried out the
attack that led to the cyber incident.
A common scientific approach of collecting, preserving, analysing, and
reporting criminal cases where computers and digital equipment are used
or where they have been an object of the attack is called digital
forensics. If a specific device or software is the object of the forensic
investigation process, the scientific approach can be called computer
forensics, network forensics, database forensics, etc.
There are different areas of digital forensics based on the object of the
criminal activity and on technological tools used to commit an attack.
Digital forensics can be performed by an external forensic service or it can
be done in-house. Knowledge about the forensic process is very important
even if external forensic knowledge or service is used, so that the affected
organisation is able to monitor the external forensic service or to perform
forensics internally if there are enough internal resources for such an
activity.
Some of the first professionals that can detect criminal or fraud activities
where computers are involved are computer operators and system or
network administrators. Another profession that can have an active role in
detecting fraud or abuse of the system resources are internal auditors.
Because internal and external auditors have experience, and a broad
knowledge of computer and network systems, they can detect criminal
activity and perform initial forensic analysis. However, forensics and
audit are not the same process, and differences between the two are
presented in this book.
Not every organisation is obliged to have a regular internal and external
audit, or testing for technical vulnerabilities (also called penetration
testing). Nevertheless, from the experience of organisations which have
this type of assurance and from incidents which occurred in the past,
regular vulnerability checks are needed. Auditors can be given the task by
the top management to analyse a fraudulent or a criminal activity as
professionals who already have an in-depth knowledge of the specific
system. Furthermore, revealing the information about fraud or crime to
the public can bring a negative publicity.
That is why it is important for computer professionals, information
technology professionals, and internal auditors to understand steps and
procedure of the digital forensic investigation process. It is also important
for them to understand what a good digital forensic practice should be and
what should not be done during the forensic process.
The aim of this book is to clarify forensic topics and bring them closer to
students, professionals, information security managers, internal auditors,
and other IT specialists who want more information about digital forensic
process, tools, and activities. Based on Criminal Justice Degree Schools
(2019) as well as courses and authors’ experience in teaching, this book
also names potential and some already taught courses in computer
forensics and information security.

Important definitions
Data – “factual information (such as measurements or statistics) used as
a basis for reasoning, discussion, or calculation” (Data, Merriam-Webster, 2019)
Information – “a signal or character (as in a communication system or
computer) representing data; the communication or reception of
knowledge or intelligence” (Information, Merriam-Webster, 2019)
Information technology – “the technology involving the development,
maintenance, and use of computer systems, software, and networks for the
processing and distribution of data”. (Information technology, Merriam-Webster, 2018).
Information system (IS) – “an integrated set of components for
collecting, storing, and processing data and for providing information,
knowledge, and digital products… The main components of information
systems are computer hardware and software, telecommunications,
databases and data warehouses, human resources, and procedures…”,
(Information system, Britannica, 2019)
Information System (IS) Security – “Refers to the activities, processes,
methodologies, frameworks, and standards used for the maintenance of
information and information assets confidentiality, integrity, and
availability”. (Techopedia, 2018)
Forensics – “belonging to, used in, or suitable to courts of judicature or
to public discussion and debate” (Forensic, Merriam-Webster, 2018).
Digital forensics – includes not only computers but also any digital device,
such as digital cameras, flash drives, digital networks, cell phones, IoT
(Wiley C., 2019).
Internal auditing – “Internal auditing is an independent, objective
assurance and consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance
processes.” (IIA, 2019)

Purpose of this book
The purpose of this book is to provide an insight into forensics of
computer and other digital devices. This is because the world of physical
operations and business is changing into digital and the world of Internet
wherever possible, thus creating a greater risk of cyber-attacks. In
common business surroundings, criminal activities are not something that
business owners would like to encounter. Considering that digital world
and cyber-attacks are not something that business owners usually come in
contact with, they are more often not prepared for the aftermath of the
potential incident. They are also unaware of their need for the computer
or digital forensics investigation process. Thus, the purpose of this book
is to familiarize them with the following: Confidentiality, Integrity,
Availability (CIA), Authentication, Authentication, and Audits.

Computer Forensics and Information Security Training Courses
Following are the courses in the field of information security and cyber
forensics:
- Computer Forensics Essentials
- Cybercrime
- Current Issues in Cyberlaw
- Computer Forensics File Systems
- Architecture of Secure Operating Systems
- Forensic Analysis in a Windows Environment
- Forensic Analysis in a Linux/Unix Environment
- Malware and Software Vulnerability Analysis
- Network Security
- Network Forensics
- Mobile Forensics Analysis
- Forensic Management of Digital Evidence
- Cyber Incident Analysis and Response
- Digital Forensics Investigative Techniques
- Forensic Management of Digital Evidence
- Computer Forensic Ethics
- Advanced Topics in Computer Forensics
- Information Systems Security Planning and Audit
(Criminal Justice Degree Schools, 2019)

Jobs related to computer forensics and information security
Based on Criminal Justice Degree Schools (2019) and authors’ experience,
following are some job titles common in the cyber security industry:
- Business Intelligence Analyst
- Information Security Auditor
- Information System Auditor
- Crime Analyst
- Computer Forensics Investigator
- Computer Systems Analyst
- Cybersecurity Officer
- Digital Forensics Investigator
- Digital Forensics Specialist
- Information Security Officer
- Chief Information Security Officer
- Information Security Analyst

Organisation of the book sections
This book is divided into six sections:
1. Introduction to digital forensics
2. Digital forensics – classification
3. Digital forensics – process
4. Digital forensics – tools
5. Simulation of digital forensic cases
6. Conclusions
While reading, it is possible to follow different tracks.

Learning tracks
It is possible for a reader to acquire a specific set of skills and knowledge
on certain paths through different chapters.
[Table: learning tracks. Columns: Job title; Introduction; Digital forensics
classification; Digital forensics process; Digital forensics tools; Digital
forensics cases. Rows, with an X marking the chapters for each job title:
Business Intelligence Analyst; Information Security Auditor; Information
System Auditor; Crime Analyst; Computer Forensics Investigator; Computer
Systems Analyst; Cybersecurity Officer; Digital Forensics Investigator;
Digital Forensics Specialist; Information Security Officer; Chief Information
Security Officer; Information Security Analyst.]

1. Introduction to digital forensics

Chapter abstract
Chapter goals: Digital transformation has a great impact on cyber
forensics because of new services in place, new technologies, and devices.
This chapter presents some general information about the early
advancements in forensics, and digital forensics. It also provides the
explanation of what the digital evidence is and in what state it can be
found. Furthermore, this chapter explains different types of digital
forensics as well as the difference between digital forensic analysis types.
Digital forensics is usually followed by and triggers incident response
process which is also explained in this chapter.
Learning outcomes: Learning about one aspect of the forensic history.
Knowledge of the core principles of forensics and digital forensics.

History of forensics
In early societies there was a need to resolve different issues and disputes
in an acceptable manner so that conclusions are clear and there is no space
for ambiguities. As presented in Figure 1, the English word forensic
comes from the Latin word forum and it initially meant “in open court”
(Williams A., 2000).

Figure 1. Word “Forensic” explanation (google, 2018)

Historians found evidence of the ancient societies’ need for clarification
of criminal and other cases in process of finding the truth for the events
that happened before, using the science of that time and common
knowledge for a better understanding of past events (Williams A., 2000).
It was a practice to present evidence to the public for comments and
criticism with a goal to make everyone aware of what happened in a
specific case. With time, forensic process became a key part of all criminal
investigation cases which came later.
Forensic process became a key step of every future criminal investigation
case, because every criminal case needed a resolution in terms of finding
who is responsible for the wrongdoings.
Edmond Locard Principle of Exchange (Crime Museum, 2019):
“..when a person commits a crime something is always left at
the scene of the crime that was not present when the person
arrived.”

The “something” is the goal of every forensic investigator, and it is crucial
to detect and preserve it for the later use in the process of reporting
findings.
German-born scientist Archibald Reiss was the founder of the first
academic forensic science program and Institute of forensic science at the
University of Lausanne in 1909. (Witte de With, 2019).
Through history, forensics as a discipline is perhaps mostly known from
the medical pathology cases, however, recent history shows that traffic
accident cases, usage of firearms, and digital and computer equipment
also became an important area of forensic investigations.
One view on history of forensics would certainly include usage of
fingerprints found at the crime scene. Because of its uniqueness, the
fingerprint became an important resource which is used to authenticate
each person. As with some other scientific advancements, more than a single
inventor contributed to the use of fingerprints for forensic purposes (History
of Fingerprints, 2018). Recent advancements in computer technology use
pictures and videos to identify a person with a high accuracy (Kremic,
Subasi, Hajdarevic, 2012).
Other important methods used for forensic purposes were blood
groupings, DNA sampling, firearms and bullet comparison, traffic
analysis, and others (History of Fingerprints, 2018), as listed below:
- Francis Galton, Edmond Locard – study of fingerprints
- Leone Lattes – Discovered blood groupings (A, B, AB, &amp; 0)
- Calvin Goddard – Firearms and bullet comparison
- Albert Osborn – Developed principles of document examination

Due to different areas where scientific forensics can help in solving
disputes, different forensic research areas emerged, some of which are
named below:
- Forensic Pathology – Sudden unnatural or violent deaths
- Forensic Anthropology – Identification of human skeletal remains
- Forensic Psychiatry – Forensics of psychiatric cases
- Forensic Odontology – Dental forensics

History of digital forensics
Computers are objects of early forensic investigations, and digital
forensics is related to all digital equipment, not only computer devices.
Today many digital devices that use, store, and communicate digital data
are available. All these digital devices are potential candidates for forensic
investigation cases.
Below is a short history of digital forensic advancements:


- 1984: FBI Computer Analysis and Response Team (CART) was formed.
- 1991: International Law Enforcement meeting was held to discuss
  computer forensics and the need for the standardized approach.
- 1997: Scientific Working Group on Digital Evidence (SWGDE)
  was established to develop standards.
- 2001: Digital Forensic Research Workshop (DFRWS) was
  established for development of the research roadmap.

Digital forensics – definition
Digital forensic investigators use science throughout the entire process of
collecting, analysing, and reporting evidence.
Digital Forensic Science (DFS) is defined by Digital Forensic Research
Workshop (DFRWS, 2001) as:
“The use of scientifically derived and proven methods toward
the preservation, collection, validation, identification,
analysis, interpretation, documentation and presentation of
digital evidence derived from digital sources for the purpose
of facilitating or furthering the reconstruction of events found
to be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.”

Digital evidence
The heart of every digital forensic investigation is data as evidence upon
which the entire potential case is built. When considering types of digital
forensics, one approach could be to classify digital forensic analysis based
on data sources for digital investigation, because data is crucial for making
decisions, navigating through evidence, and producing the digital
forensics report.

Digital vs. Computer forensics
Digital evidence is the heart of every digital forensic investigation and
sometimes the term computer forensics is used to refer to the same
process. Computer forensics is related to the forensics of computers and
related devices, as well as associated software used on computers. On the
other hand, digital forensics has a wider scope which includes digital
devices such as smart and cell phones, flash drives, media devices, and
digital cameras. The purpose of digital forensics is to determine whether
a device is used in a criminal act. Criminal act can be the computer fraud,
computer hacking, traffic accidents, illegal pornography distribution, etc.
(Wiley C., 2019)

Figure 2. Digital and Computer forensic realm (diagram labels: Digital
forensics, Computer forensics)

Digital transformation impact on digital forensics
Digital transformation has an impact on digital forensics because of an
increased number of users and digital devices.

These devices are used and sometimes misused in a way that they become
objects of criminal investigations. Law enforcement agencies use sources
such as personal or business computers and Internet cache history to
analyse behaviour of suspects and law offenders with a goal to resolve
criminal cases.

Audit vs. Digital forensic investigation
Having digital devices as means of support for business and everyday life
activities poses a risk of using those devices for unlawful or other
wrongdoings. To support every activity where digital data exists, there is
a need to analyse and investigate how data and digital devices are being
used. Two general approaches for analysing and investigating digital
evidence and operation with digital data are known as audit and digital
forensic investigation.
Audit and forensic investigation are not the same and based on Marcella
and Mendey’s (2008) comparison, this book presents some major
differences between the two investigation processes.
TABLE 1. Audit vs. Digital forensic investigation
(Elements compared for: Audit; Cyber Forensic Investigation)

Definition
- Audit: “Internal auditing is an independent, objective assurance and
  consulting activity designed to add value and improve an organization's
  operations. It helps an organization accomplish its objectives by bringing
  a systematic, disciplined approach to evaluate and improve the
  effectiveness of risk management, control, and governance processes.”
  (IIA, 2019)
- Cyber Forensic Investigation: “The use of scientifically derived and proven
  methods toward the preservation, collection, validation, identification,
  analysis, interpretation, documentation and presentation of digital
  evidence derived from digital sources for the purpose of facilitating or
  furthering the reconstruction of events found to be criminal…” (DFRWS, 2001)

Objective
- Audit: To determine alignment of organisational operation with law
  regulations, bylaws, and standards.
- Cyber Forensic Investigation: To detect digital evidence and identify
  individuals responsible for the wrongdoing.

Scope
- Audit: The scope should be determined during the planning phase and it
  depends on the audit goals.
- Cyber Forensic Investigation: All digital devices which can be used to
  document a specific case.

Timing
- Audit: Planned regular audits or audit by the request of management.
- Cyber Forensic Investigation: Part of the investigation process after an
  incident in which digital device was used.

Methodology
- Audit: Professional Practice of Internal Auditing by The Institute of
  Internal Auditors.
- Cyber Forensic Investigation: Available and approved local or international
  methodology which defines digital forensic steps such as justification for
  starting the forensic investigation, getting approval for investigation,
  and steps for conducting forensic investigation on the scene:
  “…preservation, collection, validation, identification, analysis,
  interpretation, documentation and presentation of digital evidence derived
  from digital sources…“ (DFRWS, 2001)

Reporting
- Audit: Reporting to the organisation or company management.
- Cyber Forensic Investigation: Reporting to prosecutor, law enforcement, or
  the organisational management.

Impact
- Audit: Presented in a non-confrontational manner, the aim is to help auditee
  recognise risks and improve performances and level of alignment with law
  and standards.
- Cyber Forensic Investigation: It depends on the investigation outcome.

Digital forensic process
Digital forensic process refers to the identification, preservation,
collection, analysis, and reporting of evidence found on any digital device
to support investigations and legal actions.

Digital forensic scope
Scope of digital forensics is not limited to specific technology, hardware,
or software component, because digital evidence can be stored in a
database or file, and transferred via different network technologies.
Criteria for determining scope of digital forensic investigation can be
based on the object of attack or fraud, devices used for fraud or attack, and
vector of the attack.
Some of the sub-disciplines of digital forensics that determine its scope
are presented below (Open University, 2018).
Personal computers and servers
Computer forensic process is performed on computers, laptops, and
storage media.

Figure 3. Computer forensic (diagram labels: PC, Tap, Switch, Monitoring
device, Computer Forensic)

Forensic investigators search for digital evidence in directories, files, and
logs that can be stored on hard drives, and other media such as removable
media used with computer systems.

Network devices and active components
Network forensic process includes monitoring and/or capturing,
preserving and analysing network traffic, sessions, and other network
activities or events in order to discover the source of security attacks,
intrusions, or other problem incidents, i.e. worms, virus, or malware
attacks, abnormal network traffic, and security breaches.
Special care must be taken in collecting forensic data in networks because
network traffic has to be captured in order to be analysed. In most cases if
the traffic and session are not captured, it is only possible to analyse result
of sessions and traffic generated in time before the investigation took
place.

Figure 4. Network forensics (diagram labels: PC, Tap, Switch, Monitoring
device, Network Forensic)

Databases
The recovery of information from databases entails the recovery of logs
associated with database operations, as well as user and administrator
interactions with data stored in database files and logs.
Mobile Devices
Mobile device forensics is the process of collecting and analysing
electronic evidence from mobile phones, smartphones, SIM cards, PDAs,
GPS devices, tablets, and game consoles.
Digital Images
Digital image forensics is the process of the extraction and analysis of
digitally acquired photographic images to validate their authenticity by
recovering the metadata of the image file to ascertain its history.
Multimedia
Multimedia forensics encompasses Digital Video/Image/Audio Forensics
which refers to the collection, analysis, and evaluation of sound, image,
and video recordings. The science in this sense refers to the establishment
of authenticity as to whether a recording is original and whether it has
been tampered with, either maliciously or accidentally.
Memory
Live acquisition or memory forensic process refers to the recovery of
evidence from the RAM of a running computer.
Triggers for digital forensics
Different events trigger digital forensic investigation such as:


- Denial of service attacks
- Child pornography
- Domestic violence
- Using organisation’s computer or other equipment for the personal benefit
- Computer fraud
- Hacking
- Blackmail
- Extortion
- Homicide cases
- Missing person
- Other cases

Events stated above trigger incident response which has to involve digital
forensic process.

Forensic investigation initiation
Common practice for the forensic analysis is that law enforcement
initiates the forensic analysis in a written form.

Figure 4. Forensic analysis goals to detect – who, what, when, where

Digital forensics can also be initiated by a company’s or organisation’s
management, with the goal of performing the forensic analysis to determine
who, what, when, and where something was done with the use of digital
equipment (digital assets).

Incident response
Computer and digital forensics has to be a part of the incident response
due to the fact that after each incident, proper actions need to be taken so
that the future incidents are prevented, and perpetrators are punished.

Figure 5. Incident response plan (Banking and Insurance, 2017). Stages shown:
Preparation, Identification, Containment, Eradication, Recovery, Post-Mortem

Incident response is performed through predefined stages and it is usually
a planned activity (Banking and Insurance, 2017). It contains stages as it
is shown in Figure 5: Preparation, Identification, Containment,
Eradication, Recovery, Post-Mortem. Some useful information about the
recovery phase and post-mortem analysis can be found in the Appendix –
Incident response form.
Post-mortem is considered to be the initial step of the digital forensic
process which is explained in Chapter 3.

Summary
Digital forensics is a science about investigation where digital equipment
is used to acquire relevant data for criminal investigations.
On the market, we encounter new devices, software, and services which
could be the object or tool for committing a cyber-crime, which in order
to be solved requires a specific knowledge to conduct a criminal
investigation.

Knowledge acquired
The difference between different digital forensic types. History of
forensics and digital forensics.

Review questions
1. Explain the difference between computer and digital forensics.
2. Define digital forensics.
3. What are the types of digital forensics?
4. What is the incident response and what triggers it?
5. Why is digital and computer forensics important?
6. What is digital evidence?
7. What are the basic steps of digital forensics?

Further readings
- US CERT Cyber forensic,
  https://www.uscert.gov/sites/default/files/publications/forensic.pdf
- A Beginners Guide to Computer Forensic
  http://ithare.com/a-beginners-guide-to-computer-forensic/

Video resources
- How the Feds Caught Russian Mega-Carder Roman Seleznev
  https://www.youtube.com/watch?v=6Chp12sEnWk&amp;t=2529s
- Cyber forensic
  https://www.youtube.com/watch?v=2D5wTo1adbg
- What is cyber forensic
  https://www.youtube.com/watch?v=lxUN-fOIe00
- What is cyber forensic, Smithsonian Channel
  https://www.youtube.com/watch?v=BSyi6yMIB0s

2. Digital forensics – classification

Chapter abstract
Chapter goals: To present different computer and digital forensic types
based on data source used for the digital forensic investigation. To
explain each recognised class of forensic investigation.
Learning outcomes: Knowledge of the core forensic classification and
data such as database log files important for conducting the forensic
investigation.

Digital forensic classification based on data source
Based on the data source and scope of digital forensics explained in the
previous chapter, digital forensics can be classified as follows: general
computer system forensics, database forensics, forensics of multimedia
devices, mobile device forensics, and network forensics.

Figure 6. Digital and Cyber forensic types

Forensics of general computer systems
Computer systems are built on components such as motherboards,
memory, hard drives, monitors, and DVD. Depending on usage and
mobility, systems can be on laptop, home computer, work computer, and
server in the enterprise environment. These systems can have an
abundance of interesting digitally stored information needed for a
potential forensic analysis. Investigators can obtain written documents
with dates of creation, e-mail correspondence, pictures, messages, etc.
This information can be used to determine the timeline of events and
involved actors. (Casey, 2011).
Database forensics
Database forensics relies on data stored in databases and files used by
database management system (DBMS).
Paul M. Wright (2007) defined major sources of evidence in Oracle
database which can be considered when performing database forensics:
Listener log – This log stores the name of the listener, protocol, and
communication port used for accepting connections, nodes allowed to
connect to database, database services, and control parameters.
Alert log – This log stores starting and halting database, errors connected
to data storage, etc.
Sqlnet log – The purpose of this log is to keep track of an unsuccessful
access to a database. Forensic analyst has to check this log to discover
potential unauthorised attempts to access database. This log can provide
useful information about the source address of the connection
establishment attempt.
Redo logs – This log holds history of all changes in a database. Every
redo log file has a redo record that represents the change made in a specific
block in database (Oracle, pp. 79) if Oracle archiving is activated
(Litchfield, 2007). Every change in a database is written on database
buffers in the system global area (SGA) memory. Buffers are stored either
by issuing COMMIT command, or they are stored every three seconds on
a disk in the file known as Online Redo Log by Oracle Log Writer
background process (LGWR). There is a possibility that these logs can be
filled up and log files rewritten with new entries. To be able to recover
important logs from database and avoid deletion of important logs it is
necessary to activate Archive (ARCn) option in a database (Litchfield,
2007).
It is possible to check if archiving is turned on by issuing SQL query:
SQL&gt; SELECT VALUE FROM V$PARAMETER WHERE NAME = 'log_archive_start';
VALUE
--------
TRUE
Value TRUE indicates that log archiving is activated, while FALSE
indicates that it is not enabled.
FGA (Fine Grained Auditing) audit log can be used for collecting data
about changes in a database. It tracks commands INSERT, UPDATE, and
DELETE, and other changes such as data movement in a database. All
detected activities are recorded in audit tables (Oracle Fine Grained
Auditing, 2019).
Nanda A. and Burleson (2003) wrote:
“The ability to check who actually handles objects, not just who has
authority is provided by auditing. A good auditing system provides a
process for recording the access to the objects in a storage system,
forming an audit trail”
(Oracle DBA_FGA_AUDIT_TRAIL, 2019):
“Audit trail records created by Fine Grained Auditing can be captured
and analysed in Oracle Audit Vault and Database Firewall, automatically
alerting the security team about possible malicious activity.”
Audit tables contain information presented below (Oracle Fine Grained
Auditing, 2019):
DB_USER – database user which issued queries in database.
SESSION_ID – unique ID session.
TRANSACTION_ID – Transaction ID with which object is changed or
accessed.
OS_USER – Operating system user.
USERHOST – name of the computer (host).
OBJECT_SCHEMA &amp; OBJECT_NAME – scheme and table.
SCN – (System Control Number of the database) – defines when an audit
trail was generated.
SQL_TEXT – text SQL commands.
COMMENT$TEXT – additional comments linked to audit if they exist.
EXT_NAME – If users are accessing from the outside, their name is
displayed here.
TIMESTAMP – date and time of the audit.
The following are DBA_AUDIT tables that can be used for the forensic
analysis, and which can be listed by issuing SQL query:
SELECT view_name
FROM dba_views
WHERE view_name LIKE 'DBA%AUDIT%' OR view_name LIKE 'USER%AUDIT%'
ORDER BY view_name;

DBA_AUDIT_EXISTS
DBA_REPAUDIT_ATTRIBUTE
DBA_REPAUDIT_COLUMN
DBA_AUDIT_OBJECT
DBA_AUDIT_SESSION
DBA_STMT_AUDIT_OPTS
DBA_AUDIT_STATEME
DBA_AUDIT_POLICIES
DBA_AUDIT_TRAIL
DBA_AUDIT_POLICY_COLUMNS
DBA_COMMON_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
USER_AUDIT_SESSION
USER_AUDIT_OBJECT
USER_AUDIT_STATEMENT
USER_AUDIT_TRAIL
USER_AUDIT_POLICIES
USER_AUDIT_POLICY_COLUMNS
USER_OBJ_AUDIT_OPTS
USER_REPAUDIT_ATTRIBUTE
USER_REPAUDIT_COLUMN

The tables above contain data that indicate which user made changes, and
what, where, and when those changes were made. This information can be
used for the forensic analysis of an Oracle database.
Forensic tools presented in Chapter 4, Digital forensics – tools, are used
for database forensic investigation to find specific evidence in a large
volume of data through different files and tables in a database.

Forensics of multimedia
Multimedia such as audio, video, and pictures are sources of digital data
which can be used for the forensic analysis.
The most popular devices that hold multimedia content are smart phones.
However, other devices such as gaming consoles, TVs, PDAs, CCTV,
other video or audio recording devices, and even IoT devices are also
multimedia devices which can be used for the forensic analysis.
Watermarking
Watermarking of image is a process of identification of user who created
it as well as the original source of that image.
Digital signatures
Digital signatures are signatures which can be found in an electronic form,
and which indicate a specific originator of electronic data.
Mobile device forensics
The increased usage of mobile devices has opened up the digital forensic
area of mobile devices.
Computer systems are not only in a form of desktops, laptops, or servers.
They are also produced in a form of small computers embedded into smart
cards, mobile devices, GPS devices, and car computers. Mobile
communication devices can contain personal information, messages,
photos, and locations. Navigation systems can reveal location
information of a person under the investigation. All those devices are
valuable sources of information, especially because embedded devices are
usually small, and used on a daily basis and in the mobile environment
(Casey, 2011).
Network forensics
Modern life is embedded into communication systems by all means.
Humans, computers, and sensors all communicate through
communication networks. Pieces of information are always left in the
system logs, no matter what type of communication is used. Traditional
telephone systems and internet service providers can be valuable points
for the investigation of the digital evidence. Mobile service providers
transfer SMS/MMS messages and mobile internet interconnections, while
Internet service providers transfer e-mails. In addition to the exact content
of the communication channel, an additional log examination can give
more information about who, when, and to whom information is sent
(Casey, 2011).
Network forensics is performed in order to investigate network flows,
network traffic and network connections. To be able to collect and analyse
network traffic, traffic has to be recorded and archived for the later use.
In most organisations, this approach is not applied because it adds an
additional load on the already busy network administrators. Many
network devices such as switches, routers, and firewalls have basic syslog
capabilities which provide network administrators with information about
established connections and device operations. Syslog functionality
cannot provide information about the data payload inside network packets.

Summary
Cyber security is a subset of information security that deals with the
security of information stored in a digital form and transferred over
communication links. A great part of information security related
standards deals with cyber security issues.
Almost on a daily basis, media reports reveal cyber security related
incidents. After the historical analysis, we can conclude that we will see
an increase in incidents of this type, especially as more services and users
use digital technology in everyday work and life.

Knowledge acquired
The difference between digital forensics classification types that includes
Forensics of general computer systems, Database forensics, Forensics of
multimedia, Watermarking, Digital signatures, Mobile device forensics,
Network forensics.

Review questions
1. What is watermarking?
2. Name digital and cyber forensic types.
3. What is network forensics?
4. What is mobile device forensics?

Further readings
- Network forensics
  https://www.itpro.co.uk/cyber-attacks/31660/what-is-networkforensic

Video resources
- Advanced Wireshark Network Forensics – Part 1/3
  https://www.youtube.com/watch?v=e_dsGhvq9CU
- Network Forensic Data Theft Detection, Under the Hood
  https://www.youtube.com/watch?v=CYRYmKhz3QI
- Mobile Device Forensics
  https://www.nist.gov/sites/default/files/documents/2017/05/08/aafs-mobiledeviceforensic.pdf
- Forensics, SANS
  https://www.sans.org/readingroom/whitepapers/forensic/paper/32888

3. Digital forensics – process

Chapter abstract
Chapter goals: To define digital forensic process which includes
Preservation, Handling evidence at crime scene, Collection, Transport,
Examination, and Analysis of digital evidence. This chapter briefly
explains media analysis, file system analysis, network analysis,
application analysis, OS analysis, executables analysis, image analysis,
video analysis, memory analysis, and reporting. It also provides the
explanation regarding digital evidence collection and data concealment.
Learning outcomes: Knowledge of core principles of digital forensics, and
different types of analysis.

Steps in the Digital Forensic Investigation Process
In order to successfully show evidence and defend the legitimacy of the
entire forensic process, it is necessary to perform every step of forensic
investigation with sound scientific methods. Courts will not accept
evidence if the forensic process was jeopardised by negligence in evidence
handling, preservation, and transportation. Forensic investigators and
examiners must be well trained and certified for forensic investigations.
All actions in the forensic investigation process have to be well
documented through policies and procedures. Every digital forensic
investigator or agency has to follow digital forensic steps, so that
reports are admissible at the courts of law.

Figure 7. Steps in the Digital Forensic Investigation Process
(Preservation, Collection, Examination, Analysis, Reporting)

One of the main approaches in forensic investigation is to follow
well-defined and accepted digital forensic investigation steps (Kaur and
Kaur, 2012):
- Preservation
- Collection
- Examination
- Analysis
- Reporting.

The steps of the forensic process are presented in Appendix – Digital
forensic process.
Preservation
In the preservation phase, all evidence has to be properly documented to
avoid any prior change of the crime scene. Crime scene has to be secured
so that nothing is changed when investigators enter the scene.
Digital forensic investigators are focused on finding and preserving digital
evidence, however, it is also possible that other forensic skills are needed
to collect biological samples such as fingerprints, DNA, etc. All
mentioned evidence has to be detected, documented, and preserved in the
original form, if possible, to avoid jeopardizing data and evidence
integrity. Depending on available information it is possible that digital
devices are contaminated with hazardous material. In that case other
forensic investigation specialists might be needed.

If a device such as PC or a mobile device is found switched off, and
somebody turns it on as a part of digital forensic process, they may cause
a change of potential evidence on that device, in which case evidence
would lose its integrity and it would not be valid (Kaur and Kaur, 2012).
Massachusetts Digital Evidence Consortium (2015) explained in their
publication that first responders have to perform evidence preservation
and collection with a special care. Crime scene has to be investigated with
forensic methods only if law enforcement agencies approve such process.
All digital evidence such as hard disks has to be secured from the high
temperature, high electromagnetic fields, and moisture. This is because
such external influence can destroy potential evidence.
Forensic investigators are responsible for documenting the crime scene by
taking photographs and making video recordings of the scene. It is useful
to sketch the scene and keep records about investigators who were on the
scene as well as their responsibilities. It is also suggested to ask owners of
devices if they are willing to cooperate, and if they give their consent
investigators can request passwords, PIN, or other security features.
Device owner has to sign consent form with authentication methods and
passwords. Owner has to provide information of other possible
authentication methods such as face, fingerprint, or other biometric
recognition methods used for the authentication.
At the end of this book, the Appendix – Consent form is an example of the
consent form created based on Massachusetts Digital Evidence
Consortium (2015) documentation. If the consent is not given, suspects in
many jurisdictions will be fined.
The chain of custody has to be kept through the entire process. Digital
evidence must be secured at all times, so that all activities performed
during seizure, access, storage, and transfer can be completely
documented, preserved, and authorized. Documentation which proves all
of the above has to be available for the review. It needs to be emphasized
that individuals are fully responsible for digital evidence while evidence
is in their custody.
It is important to determine if devices are switched on or off.
If a device is switched on and then switched off, data about active
connections or data from volatile memory would be lost. This is why
forensic investigators have to check whether the device produces
vibrations due to HDD operation, other sounds, and lights. The device has
to be accessed with caution, by isolating it from networks such as wired,
wireless, and GSM. If possible, the device has to stay powered to collect
all available passwords.
If a device is turned off and then switched on, potential evidence would
be lost. Thus, the device has to be packed and prepared for the
transportation.
Collection
Collection is the process of detecting and collecting evidence relevant for
the forensic investigation. Because most data is stored on media such
as hard disks, memory cards, and other removable media, it has to be
duplicated: cloned and/or copied to media that will be used in the forensic
investigation process. Forensic investigators should not change collected
evidence, because in that way the investigation process would be
compromised. Sources such as a seized hard disk have to be secured and
kept in custody while the investigation is performed with cloned data
(Kaur and Kaur, 2012).
Transport
There is a risk associated with a transport of digital evidence because its
confidentiality, integrity, and availability can be jeopardized. Therefore,
it is important that digital forensic investigators be well educated and
aware of the risk associated with digital evidence transportation. Digital
evidence has to be delivered to forensic laboratory in the shortest time
period, and protected from external influences depending on inherited
weakness of specific digital device or asset (Law Enforcement Cyber
Center, 2017).
Examination
Process that defines which methods and tools have to be used in the digital
forensic process is called the examination. Different devices which hold
digital evidence may require different tools and methods for acquiring
forensic evidence. All activities in the examination process have to be
performed on cloned and copied data (Kaur and Kaur, 2012).

Analysis
Analysis refers to the process of using examined data and placing findings
from the examination stage in the context for the digital forensic report.
In the analysis process, available data is used to determine meaning of that
data, i.e. how it was created or transferred to or from a device, and what
story data tells forensic investigators. In the analysis process, forensic
investigator has to acquire information about data ownership, potential
hidden data, file, or application.

Types of Digital Evidence Analysis
Due to a different source and scope of data usage, digital forensic
investigators are able to conduct different types of digital forensic
investigation (Carrier and Spafford, 2004).
Examples of digital forensic analysis reported by Carrier and Spafford
(2004) are the following:
“
- Media analysis
- Media management analysis
- File system analysis
- Network analysis
- Application analysis
  o OS analysis
  o Executable analysis
  o Image analysis
  o Video analysis
- Memory analysis”

These types of analysis can be applied to computers as well as mobile
devices.
Media analysis
Media analysis refers to the analysis of storage media. It does not consider
any partitions or other operating system-specific structures. Storage media
can be USB drive or disk, and SD cards for cameras or mobile devices
(Carrier and Spafford, 2004).
Media management analysis
Media management analysis focuses on media logical organization, such
as combining more disks into one logical volume. An example of
combining more disks into a logical volume is mirroring of two physical
disks into one logical disk. Mirroring disks in such manner means that one
chunk of information is written on both disks at the same time. In case of
one disk failure, another one continues to operate (Carrier and Spafford,
2004).
File system analysis
File system analysis is the analysis of the system data inside the disk or
deleted files in order to extract the contents of the file (Carrier and
Spafford, 2004). File system takes care of the files written across the
available partition. In case a file is deleted, it is usually marked deleted,
signalling to other processes that location is free to record the next data.
When deleted files need to be recovered, special tools can be used to locate
file fragments and rebuild them to a useful file.

Network analysis
Network analysis refers to the analysis of the data inside protocol layers
(Carrier and Spafford, 2004). Network analysers can be used to
reconstruct raw data packets into application layer information.
Communication level is essential to reconstruct possible scenarios of user
or computer interactions, and it is a very valuable source of information.
Application analysis
This type of analysis examines the data inside files and applications.
Files are created by the user, and the format of the content is
application-specific, such as text documents or photos.

Figure 8. Application analysis

Some special types of a common application analysis are:
o OS analysis
o Executable analysis
o Image analysis
o Video analysis
Operating System (OS) analysis
OS analysis is the operating system-specific analysis of the configuration
and events during usage (Carrier and Spafford, 2004). OS communicates
with hardware and upper layers. All interaction details such as errors,
warnings, different types of events as well as configuration, are recorded
and stored inside OS compartments. This information can help build the
overall digital landscape.
Executable analysis
Executable files can cause events and they are noticed when executed as
processes. Executables such as malware are commonly analysed
during the intrusion investigation (Carrier and Spafford, 2004).
Image analysis
Image analysis refers to the analysis of the person recorded on image,
location, or timestamp. Image analysis includes the analysis of the
potential steganography information (Carrier and Spafford, 2004).
Video analysis
Video files from surveillance cameras, web cameras, and smart phone
cameras are the subject of video analysis. As with image analysis, video
analysis leads to information about person, location, or timestamp
(Carrier and Spafford, 2004).
Memory Analysis
Memory analysis can reveal very useful information, because it is used
for dynamic operations and storage of temporary results.
Operating systems use two types of memory:
a) The volatile memory (RAM) is a fast memory used for dynamic
operations. It stores data until the device is switched off. The main
function of volatile memory is to store application and system data
during runtime, which contains information such as passwords,
usernames, session data, encryption keys, data about activities and
network, etc.
b) The non-volatile memory refers to the internal storage such as
flash memory and the extensible storage device known as
the SD card. This type is mainly used for static data storage such
as application and system data, user settings, and data files. Data
is stored even after the device restarts or powers off.
Reporting
Reporting is the final word about findings. Examiner is responsible to
write an accurate and complete report on findings and analysis of the
digital information and device. In addition to findings and analysis, it is
important to have accurately documented steps taken during all phases of
the investigation.
General suggestions for the information that could be included in the
report are the following (National Institute of Justice, 2004):
- Identity of the reporting agency
- Case identifier or submission number
- Case investigator
- Identity of the submitter
- Date of receipt
- Date of report
- Descriptive list of items submitted for examination, including
  serial number, make, and model
- Identity and signature of the examiner
- Brief description of steps taken during the examination, such as
  string searches, graphics/image searches, and recovering erased
  files
- Results/conclusions

Digital Evidence Collection
Every digital forensic investigator must be aware of the entire context of
digital surroundings and other sources of evidence at the crime scene.
Every digital device, if accessed in an improper manner, can cause data
change and evidence loss. Data can be in form of network connections,
processes, memory data, and data on hard disk or peripheral memory, or
in volatile and non-volatile memory. Data written on mobile device
memory cards, hard drive, and external memory storage can be considered
as static memory or non-volatile, while data written in RAM is considered
as volatile memory.
With this in mind, it is important to distinguish states in which data can
be found. Furthermore, digital forensic investigator has to be careful in
approaching data collection phase.

Computer or other digital devices which are recognised at the crime scene
must be approached with care. The crime scene has to be preserved and
documented using sketches and photos, and if computer or other digital
devices are found, their power status must be checked.
Hard drive data will remain on media after a device is powered off and
that data can be cloned and duplicated. Data in RAM will disappear after
the device is turned off. This includes information such as running
processes, network connections, and system settings (Nelson, Phillips
&amp; Steuart, 2015). This is why there are two major approaches to data
acquisition: live data acquisition and post-mortem data acquisition.
Live Data collection
Tools for the acquisition of data in volatile memory can copy data from
volatile memory and transfer it to the forensic location on non-volatile
memory for the later analysis. Data from volatile memory or system can
also be copied with the goal to collect information such as established
sessions, running processes, network processes, passwords, and
connected users.
Live acquisition is done if a digital forensic investigator decides to collect
all available data in volatile memory from the crime scene. Digital
forensic investigator needs to be aware that any access to running system
can change data and destroy evidence on that system.
Data acquired from volatile or non-volatile memory has to be copied or
cloned on a disk which will be used for the forensic analysis. During this
phase, all data dumps must be saved on a separate disk and hashed with
hash functions such as SHA512 in order to guarantee evidence
integrity. All results from hash calculation such as SHA512 have to be
saved for the later use.
Data that can exist in volatile memory is the following:
- Information about running processes, network sessions, and services
- Unpacked/decrypted versions of protected programs
- Running malware/Trojans
- Cloud service information
- System information (system uptime, system inventory, etc.)
- Information about logged in users
- Registry information
- Open network connections and content of ARP cache tables
- Social networks information
- Online communication (Viber, Skype)
- History of Web browsing activities
- Information about an access to Webmail systems
- Decryption keys for encrypted volumes mounted at the time of the
  capture
- Recently viewed images

Information about running processes, open network connections, and
evidence will not remain after the process is completed, which is due to
volatile memory data limitations. However, some types of data, such as web
browsing history and online chats, will not disappear instantly after the
end of communication. The system or its user can overwrite data (Afonin
and Gubanov, 2013).
Post-mortem data collection
A digital device which is powered off is ready for the post-mortem data
acquisition. Only approved tools for data imaging are used for the
post-mortem forensic data acquisition. For data acquisition it is
necessary to make a clone and perform the forensic analysis with cloned
and copied data, while the original media stays intact in a safe place
with a calculated hash value such as SHA512. Devices which prevent changes
on the original device with data are called write blockers. This type of
device disables writing on the original storage media. Direct access to
disk plates and memory chips is enabled if a device is damaged. A forensic
computer which has tools and ports able to access external devices with
cloned data is used for accessing data on the cloned disk.
Completeness and accuracy are two critical measurable attributes of the
acquisition process.
While completeness quantifies whether all the data was acquired,
accuracy quantifies the correctness of acquired data.
In order to achieve completeness and accuracy in copying data from the
original source, bit-for-bit copy and bit-stream duplication are used to
copy data from the original data source to the destination memory
location. Bit-for-bit can be used with specialized tools, while bit-stream
can be performed with the computer (NIST, 2004).

Data concealment
It is not possible to investigate data which is not available and visible to
the investigator. Thus, criminals and wrongdoers employ different
techniques to destroy and hide evidence (Marcella A. J. and Menendez
D., 2008).
Spoliation
Spoliation is an act of destroying or changing evidence with the goal to
make evidence unusable.
Encryption
Encryption is a process of converting data and files into cryptic form so
that data can be accessed only by using passwords for symmetric
encryption and using private and secret keys if asymmetric encryption is
used.
Steganography
Steganography is the process of hiding data such as messages into existing
files which can be textual files, pictures, and video files. Various tools are
being used for performing data concealment in data files.
One of the well-known tools for hiding messages in data files is the snow
tool (SNOW, 2019), which uses the whitespace steganography practice. This
program is used:
“to conceal messages in ASCII text by appending whitespace to the end
of lines. Because spaces and tabs are generally not visible in text viewers,
the message is effectively hidden from casual observers. And if the
built-in encryption is used, the message cannot be read even if it is
detected.” (SNOW, 2019)
For the purpose of explaining the process of hiding the text inside the file,
“sample_file.txt” was created with the content shown in Figure 9.

Figure 9. Sample_file.txt content

When the snow command is issued with the -C flag, the program compresses
the data if concealing, or uncompresses it if extracting (SNOW, 2019).

Figure 10. Creating concealed message in sample_file1.txt content

In Figure 11 it is possible to see the content of the new file
“sample_file1.txt” after issuing the type command. Figure 11 also shows,
in the “cmd” window, that additional space is added but no content is
visible.

Figure 11. Creating concealed message in sample_file1.txt content

Figure 12 shows an unsuccessful attempt to read a concealed message
without the password as well as a successful attempt by providing the
password with the “-p” flag, that is “secret_password.”

Figure 12. Reading concealed message in sample_file1.txt content

To make it harder for the investigators to find concealed data, it is possible
to replace the original with the file which contains a concealed message
by deleting the original file, and renaming the file with concealed message
with an original file name.
Figure 13 shows the size difference between “sample_file.txt” and
“sample_file1.txt.” Because the files differ in this way, hashing is a
technique which can be used to detect if somebody, in person or by using a
malicious program, changed the content of the files.
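
Because the snow tool appends spaces and tabs to the end of lines, an examiner can flag candidate carrier files by measuring trailing whitespace, and confirm a replaced file by comparing its size and hash with a known original. The following Python check is an added example, not part of the book or of the SNOW tool; the function names are assumptions and the file contents are constructed samples. It only measures trailing whitespace and does not decode any message.

```python
import hashlib


def trailing_whitespace_report(data):
    """Measure spaces and tabs that sit at the end of each line.

    data is the raw file content as bytes. Returns a dict with the numbers of
    the affected lines (1-based), the total count of trailing whitespace
    bytes, and whether any tab appears in a trailing run. Tabs at line ends
    are rare in ordinary text.
    """
    flagged = []
    total = 0
    has_tab = False
    for number, line in enumerate(data.split(b"\n"), start=1):
        body = line.rstrip(b"\r")              # tolerate Windows line endings
        stripped = body.rstrip(b" \t")
        run = body[len(stripped):]             # the invisible tail of the line
        if run:
            flagged.append(number)
            total += len(run)
            has_tab = has_tab or b"\t" in run
    return {"lines": flagged, "trailing_bytes": total, "tabs": has_tab}


def compare_with_original(original, suspect):
    """Compare a suspect file with a known-good copy of the same document.

    visible_text_equal is True when both files look identical in a viewer
    that does not show trailing whitespace, which is the case the chapter
    describes: same visible content, different size and hash.
    """
    def visible(data):
        lines = data.replace(b"\r\n", b"\n").split(b"\n")
        return [line.rstrip(b" \t") for line in lines]

    return {
        "size_difference": len(suspect) - len(original),
        "hash_equal": hashlib.sha512(original).digest()
        == hashlib.sha512(suspect).digest(),
        "visible_text_equal": visible(original) == visible(suspect),
    }


# Constructed samples: the same three visible lines, the second copy carrying
# arbitrary trailing spaces and tabs (not real SNOW output).
ORIGINAL = b"Quarterly report\r\nAll figures are final.\r\nEnd of file\r\n"
SUSPECT = (
    b"Quarterly report \t   \t\r\n"
    b"All figures are final.\t \t\r\n"
    b"End of file\r\n"
)


def demo():
    """Return the reports for the clean sample, the suspect and their diff."""
    return (
        trailing_whitespace_report(ORIGINAL),
        trailing_whitespace_report(SUSPECT),
        compare_with_original(ORIGINAL, SUSPECT),
    )


if __name__ == "__main__":
    clean, suspect, diff = demo()
    print("original:", clean)
    print("suspect: ", suspect)
    print("compare: ", diff)
```

A file that reports trailing tabs while its visible text matches the original is a candidate for closer examination; trailing whitespace alone can also come from ordinary editing.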

Figure 13. File sizes comparison

Summary
In order to successfully present forensic findings, it is necessary to
conduct forensic investigation with care and in line with the latest
forensic investigation advancements.
Every forensic investigator has to know that suspects can hide data using
different techniques such as steganography, encryption, or simply by
destroying data.
It is important to emphasize that before the analysis, data has to be copied.
The preferred action is to clone data from the original media to avoid
deletion of the original data.

Knowledge acquired
Common steps in the digital forensic investigation process, which include
Preservation, Collection, Transport, Examination, Analysis. Essential
knowledge of types of digital evidence analysis, which include Media
analysis, Media management analysis, file system analysis, network
analysis, application analysis, operating system analysis, executable
analysis, image analysis, video analysis, Memory Analysis, Reporting.
Digital evidence collection, which includes Live Data collection and
Post-mortem data collection, and data concealment methods which can be
used, such as spoliation, encryption, and steganography.

Review questions
1. Explain common steps in the digital forensic investigation
process.
2. Name digital evidence collection methods.
3. What is image analysis?
4. What is video analysis?

Further readings
- Digital transformation: online guide to digital business
  transformation https://www.i-scoop.eu/digital-transformation/
- The Cyber Security Management System: A Conceptual Mapping,
  SANS Institute InfoSec Reading Room
  https://www.sans.org/reading-room/whitepapers/basics/cybersecurity-management-system-conceptual-mapping-591

Video resources
- Computer Forensic Investigation Process
  https://www.youtube.com/watch?v=NmuhGa4QekU
- Overview of Digital Forensics
  https://www.youtube.com/watch?v=ZUqzcQc_syE

4. Digital forensics – tools

Chapter abstract
Chapter goals: To present forensic tools and explain for what purpose
they can be used in the digital forensic investigation process. Digital
forensics covers different technologies and components, hence, different
and specialised digital forensic tools exist, namely for database
forensics, network forensics, and mobile devices.
Learning outcomes: Knowledge of digital forensic tools and how they can
be used.

Digital Forensic Tools
To achieve the desired results, the scope of the investigation must be
defined first. Defining the scope will also determine what the
investigator is looking for, how to reach those locations and information,
and which tool has to be used. Concerning forensic tools, there are many
ways to reach the same goal. This section will focus only on Android tools
needed to perform the necessary steps.

Hardware digital forensic tools and their usage
Hardware tools are necessary for accessing data on devices such as hard
drives or mobile devices. One of the most important aims is to clone data
from original digital devices and provide the exact digital copy which will
be used for the investigation.
Usage of hard disk docking stations
Hard disk docking stations should be in the arsenal of every digital
forensic investigator.
This type of device should be able to access different types of disks which
can be found in laptops, personal computers, and servers. It should also
have the clone function for cloning HDDs without a laptop, PC, or server,
to prevent losing or changing files of suspects.

Figure 14. Hard disk docking station (Renkforce, 2019)

Usage of memory card docking stations
Many devices such as smart phones, laptops, and CCTV cameras hold SD
memory and other types of memory cards which have to be investigated.

Figure 15. Memory card docking station (Logilink, 2019)

Memory card docking station is used to read data from memory cards
taken from the device.
Usage of Portable Computer Forensic Lab
Figure 16 shows the specialised all-in-one case called Road Master (Road
MASSter 2, 2019).

Figure 16. Portable Computer Forensic Lab (Road MASSter 2, 2019)

The Road Master is capable of high-speed forensic data acquisition
operations used to access external devices.

Usage of General Computer forensic tools
Different hardware and software tools are used to preserve and collect
crucial data for the forensic analysis process.
Disk Genius usage
DiskGenius is software with functions able to recover partitions and
make data backups, and it has other disk utilities required for the disk
management.
It can manage storage space and handle deletion and virus attack; it also
has a formatting function, recovers data lost due to disk corruption,
etc., and provides backup to prevent data loss.

Figure 17. Disk Genius

DD command tool usage
A mobile device, computer, or any other digital device found at the crime
scene can be a subject of the post-mortem data acquisition. This is a way
of collecting data from devices found switched off. Since the
device is off, volatile data in memory is not available, but data stored on
a hard drive/solid memory is a very valuable source of information.
The investigator must make an image of a hard drive, mobile device solid
memory, or some other storage device.
The Linux command-line tool dd is used to copy the content of a seized
device. An example of dd usage is: dd if=/dev/sda of=/dev/sdb and it
copies the content from /dev/sda to the /dev/sdb destination.

Busybox usage
Busybox is a toolset based on many UNIX utilities. Utilities are combined
into a small executable. Busybox provides a usable environment for small
or embedded systems. It is very modular, and it is made for limited
resources. The Busybox set of commands gives access to the system at a
lower level, making the environment more accessible. It is available for
download on https://busybox.net/.
Hash Calculation
Calculation of file hashes must be done immediately after the acquisition
of digital information. It ensures the integrity of the collected data. It is
usually a solid memory image or a separate file.
Linux commands used for generating hash values are sha256sum or
sha512sum. SHA256SUM uses 32-bit blocks, while SHA512SUM uses
64-bit blocks.
Figure 18 is an example of generating hash values of the
usb_modeswich.conf file using both generators.

Figure 18. Calculating Hash Value
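
The acquisition and hashing steps described above (a dd-style bit-stream copy followed immediately by hash calculation, with completeness and accuracy as the two measured attributes) can be combined into one routine. The following Python sketch is an added example, not code from the book; the function names, the chunk size and the constructed sample data standing in for a seized device are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size in bytes (assumption; any size works)


def sha512_of(path, chunk=CHUNK):
    """Return the SHA-512 hex digest of a file or device node, read in chunks."""
    digest = hashlib.sha512()
    with open(path, "rb") as src:
        while True:
            block = src.read(chunk)
            if not block:
                break
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image, chunk=CHUNK):
    """Bit-stream copy of source to image, like dd if=source of=image.

    The source is opened read-only and hashed while it is being read, so the
    recorded value describes exactly the bytes that were acquired. The image
    is then re-read from disk and hashed independently. Mode "xb" refuses to
    overwrite an existing image file.
    """
    source_hash = hashlib.sha512()
    copied = 0
    with open(source, "rb") as src, open(image, "xb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            source_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    image_hash = sha512_of(image, chunk)
    return {
        "source": source,
        "image": image,
        "bytes_copied": copied,
        # completeness: was all the data that was read written to the image?
        "complete": os.path.getsize(image) == copied,
        # accuracy: is the acquired data identical to what was read?
        "accurate": image_hash == source_hash.hexdigest(),
        "sha512": image_hash,
    }


def verify_image(image, recorded_sha512):
    """Re-check a working copy against the hash saved at acquisition time."""
    return sha512_of(image) == recorded_sha512


def demo():
    """Run the routine on constructed sample data instead of a real device."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized_media.bin")  # stands in for /dev/sda
    image = os.path.join(workdir, "evidence_image.dd")
    with open(source, "wb") as handle:
        handle.write(bytes(range(256)) * 4096 + b"tail")  # constructed content
    record = acquire_image(source, image, chunk=65536)
    intact = verify_image(image, record["sha512"])
    # Simulate a single changed byte in the working copy.
    with open(image, "r+b") as handle:
        handle.seek(1000)
        handle.write(b"\xff")
    altered = verify_image(image, record["sha512"])
    return record, intact, altered


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(rec["bytes_copied"], rec["complete"], rec["accurate"])
    print("verified before change:", ok_before, "after change:", ok_after)
```

The returned record is what would be saved for later use; re-running verify_image before analysis shows whether the working copy still matches the value recorded at acquisition.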

Database tools usage
The following passages present tools which can be used for the database
forensic process.
Usage of the Oracle LogMiner
Oracle LogMiner (2019) is a tool that can be used for digital forensic
investigations.

Figure 19. Q Capture program works with LogMiner to retrieve
changed data (IBM Knowledge Center, 2013)

It allows changes made in a database to be analysed, and
provides a rollback function for data, including errors made by users.
Figure 20. shows how, with LogMiner, it is possible to view and save redo
logs, as well as create and execute queries to find specific actions using
the GUI. It also shows a query for a specific time and database user.

Figure 20. View all transactions for user, Nanda A., 2019

As a result, Oracle LogMiner created an initial report which shows
database user activity.

Figure 21. LogMiner results, Nanda A., 2019

By opening the transaction details, it is possible to see which query a specific
user issued. LogMiner can be used for acquiring data on the usage of the data
manipulation language (DML), which is a programming language used in
a database for adding (inserting), deleting, and modifying (updating) data.
The goal of using the Oracle LogMiner is to find DML statements for the
post-mortem forensic investigation.

Figure 22. LogMiner results, Nanda A., 2019

LogMiner can be used for an offline analysis of archived redo logs on a
separate database.
Usage of the IBM Guardium Data Protection for Databases
IBM Guardium (2019) Data Protection for Databases is a forensic tool
used to protect a database from unauthorised access. It detects unusual
activities on sensitive data. It provides real-time monitoring and alerts
on suspicious activities.

Figure 23. IBM Guardium (2019) Navigation Overview

IBM Guardium provides preventive protection, but it can also be used
for database forensic investigations which need to show whether a user or
administrator committed a suspicious or criminal activity.

Figure 24. IBM Guardium (2019) Out of the box creation

Usage of the DB Browser for SQLite
Even small devices such as mobile phones, tablets, or embedded systems
based on the Android operating system utilize databases needed for the services
they are produced for. Regardless of whether data is structured or
repeating, Android stores data in the SQLite database. SQLite is an
embedded SQL database engine. Unlike most other SQL databases, SQLite does not
have a separate server process, which means it reads and writes directly
to disk files. The entire database is contained in a single file located on a
disk. Considering that the size of the library is approximately 300-500 KB,
and it is made to run under a minimal stack space (4KB) and heap
(100KB), SQLite is ideal for devices struggling with memory space such
as tablets, GPS navigations, MP3 players, etc. It is free to use in both
commercial and free projects.
Since each Android device contains several databases of this type, for the
forensic investigation it is helpful to have a tool for direct access to
the database. One such free tool is DB Browser for SQLite, shown in
Figure 25.

Figure 25. DB Browser for SQLite

Usage of the Undark - a SQLite data recovery tool
Undark is a data recovery tool for SQLite databases. It is useful for retrieving
deleted data from the database file. Chances of recovering a useful set of data
are minimal if the database has been defragmented and vacuumed. Undark relies on
the fact that actual data is not purged immediately when the process of
deletion starts, because there could be active transactions which could
still access the old version of the record. Purging is rather performed at a later
stage, when the system does periodic checks for old data records.
The download is available on GitHub at https://github.com/inflex/undark.
Undark capabilities are to:
- Retrieve most available records from the SQLite database;
- Deposit actual records;
- Recover deleted records;
- Retrieve data from a corrupted SQLite database.

The command to convert the SQLite database to be recovered, broken.db, into
the recover.csv file format is:
undark -i broken.db &gt; recover.csv

The recover.csv file will be filled with actual and recovered records from
broken.db.

Usage of the SQLite-Deleted-Records-Parser
This is another useful tool used to recover SQLite deleted records. It is
simple to use, but its results are valuable in recovering deleted data from
unallocated space. The download is available at
https://github.com/mdegrazia/SQLite-Deleted-Records-Parser.
The command for its usage is:
sqlparse_CLI -p -f source.db -r -o dbreport.txt
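
Both recovery tools above depend on deleted content still being present in the database file. The following added example, which is not part of the original text or of either tool, shows that condition with Python's sqlite3 module: a deleted row disappears from SQL but its bytes stay in the file until VACUUM, or are zeroed at once when the secure_delete pragma is on. The table schema, file name and message texts are constructed.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rows; the schema and texts are hypothetical.
DELETED_TEXT = "CONSTRUCTED-DELETED-MESSAGE meet me at the usual place"
KEPT_TEXT = "constructed message that stays in the table"


def build_database(path, secure_delete=False):
    """Create a messages table, then delete one row the normal SQL way."""
    con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    # OFF: freed cells keep their bytes. ON: SQLite zeroes them on delete.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    for body in (KEPT_TEXT, DELETED_TEXT, KEPT_TEXT):
        con.execute("INSERT INTO messages (body) VALUES (?)", (body,))
    con.execute("DELETE FROM messages WHERE body = ?", (DELETED_TEXT,))
    con.close()


def visible_bodies(path):
    """What an examiner sees through SQL, for example in a database browser."""
    con = sqlite3.connect(path)
    bodies = [row[0] for row in con.execute("SELECT body FROM messages")]
    con.close()
    return bodies


def raw_file_contains(path, text):
    """What a carving tool sees: the raw bytes of the database file."""
    with open(path, "rb") as handle:
        return text.encode("utf-8") in handle.read()


def vacuum(path):
    """Rebuild the file; VACUUM must run outside a transaction."""
    con = sqlite3.connect(path, isolation_level=None)
    con.execute("VACUUM")
    con.close()


def run_scenario(secure_delete=False):
    """Return what SQL and the raw bytes show after DELETE and after VACUUM."""
    workdir = tempfile.mkdtemp(prefix="sqlite_deleted_")
    try:
        path = os.path.join(workdir, "constructed.db")
        build_database(path, secure_delete)
        result = {
            "sql_after_delete": DELETED_TEXT in visible_bodies(path),
            "raw_after_delete": raw_file_contains(path, DELETED_TEXT),
        }
        vacuum(path)
        result["raw_after_vacuum"] = raw_file_contains(path, DELETED_TEXT)
        result["rows_left"] = len(visible_bodies(path))
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete=%s" % mode, run_scenario(mode))
```

For an examiner this means the database file should be hashed and copied before it is opened with any tool that may write to it, since a VACUUM removes exactly the residue these tools recover.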

Usage of the Network forensic tools
Different network forensic tools can be used; however, data and session
traffic have to be captured and stored in order to have all relevant
information available for forensic purposes.
Wireshark usage
Wireshark is a popular tool for capturing and analysing network
traffic.

Figure 26. FTP connection (FTP Client and FTP Server; Control Port 21, Data port 20)

Figure 27. shows the captured Wireshark traffic for the FTP session
initiation with an entered username and password as an example of how
the unencrypted traffic can be captured for a later analysis.

Figure 27. Captured FTP connection with Wireshark

NIKSUN NetDetector usage
NIKSUN NetDetector (2019) is capable of dynamic application
recognition, and it has integrated anomaly and signature-based IDS, data
leakage prevention, real-time surveillance and application, and session
reconstruction. The NetDetector web site is the following:
https://www.phoenixdatacom.com/product/niksun-netdetector-packetcapture-network-security-forensics/

Figure 28. NIKSUN NetDetector, 2019

Xplico usage
The network forensic tool Xplico is open source software used for the
analysis of network sessions. The Xplico web site is https://www.xplico.org/

Figure 29. Xplico (2019)

Usage of the Mobile device forensic tools
General forensic tools for computer system and database tools can be used
to perform the forensic analysis of mobile devices.
Rooting Tools usage
The investigator needs to decide what type of rooting needs to be performed,
with or without a computer. Whatever the choice is, it should produce the
same result, which is for the device to be rooted. However, a higher success
rate is expected for the computer-driven process. If a device needs to be
rooted without the computer, a specially crafted apk package needs to be
downloaded and installed directly on the Android device. A very commonly
used tool to root over the computer is Kingo Root (Figure 30).

Figure 30. Kingo Android Root

If the rooting process needs to be performed without the computer, then
this task can be done with an application named TowelRoot. The software can
be downloaded at https://towelroot.com/
Santoku usage
Santoku is a Linux-based platform used for various security-related
activities. The operating system comes with pre-installed platform
Software Development Kits (SDKs), drivers, and utilities.
Santoku auto-detects and sets up newly connected mobile devices, saving
time for investigation tasks. A Graphical User Interface (GUI) tool makes
deployment easy and takes control of mobile applications and
investigation tools, as shown in Figure 31.

Figure 31. Santoku Linux

The installation is free for download at http://santoku-linux.com (Figure
32), and the platform can be installed on hardware or in the virtual
environment.

Figure 32. Santoku Linux Download

The main aim of Santoku platform is:
Mobile Forensics
Tools to acquire and analyse data
- Firmware flashing tools for multiple manufacturers
- Imaging tools for NAND, media cards, and RAM
- Free versions of some commercial forensic tools
- Useful scripts and utilities specifically designed for mobile
forensic

Mobile Malware
Tools for examining mobile malware
- Mobile device emulators
- Utilities to simulate network services for dynamic analysis
- Decompilation and disassembly tools
- Access to malware databases

Mobile Security
Assessment of mobile applications
- Decompilation and disassembly tools
- Scripts to detect common issues in mobile applications
- Scripts to automate decrypting binaries, deploying apps,
enumerating app details, and more.

AF Logical OSE usage
AFLogical OSE is an open source tool used for a simple logical
acquisition of data from the Android device. It can be found already
compiled in Santoku Linux distribution (Figure 33).

Figure 33. AFLogical OSE

Autopsy and the Sleuth Kit usage
The Sleuth Kit is an open source digital forensic set with the collection of
command line tools. Autopsy is a graphical interface (Figure 34.) for the
Sleuth Kit and it provides an easy usage of available tools. It also provides
case management, image integrity, keyword searching, and other
operations without the need for an external software.

Figure 34. Autopsy Main Operations Screen
Image Import and Supported Image Formats

Autopsy can analyse raw, dd, or E01¹ format disk images, local
drives, or a folder of local files. Before the analysis, the investigator is
required to choose which type of data source is the source of information
(Figure 35.). The forensic investigator can select Disk Image or VM File
obtained with available methods, an attached Local Disk, already prepared
Logical Files, or Unallocated Space Image. It is possible to use a file taken
out of the disk image section for an additional investigation.

¹ The popular commercial forensic suite, EnCase, developed a proprietary format called EnCase Evidence
File format. EnCase Evidence Files use the file extension E01 and are based on the Expert Witness Format
(EWF) by ASR Data (Forensicwiki, 2012). These image files are commonly referred to as Expert Witness,
E01 or EWF files. (https://www.sans.org/reading-room/whitepapers/forensic/forensic-images-viewingpleasure-35447, 10.1.2018)

Figure 35. Type of Data Source
Analysis Features
Analysis Features

Below is the list of Autopsy features.
- Multi-User Cases: Collaborate with fellow examiners on large
cases.
- Timeline Analysis: Displays system events in a graphical interface
to help identify the activity.
- Keyword Search: Text extraction and index searched modules
enable you to find files which mention specific terms and find
regular expression patterns.
- Web Artefacts: Extracts web activity from common browsers to
help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed
documents and USB devices.
- LNK File Analysis: Identifies shortcuts and accessed documents.
- Email Analysis: Parses MBOX format messages, such as
Thunderbird.
- EXIF: Extracts geo location and camera information from JPEG
files.
- File Type Sorting: Group files by their type to find all images or
documents.
- Media Playback: View videos and images in the application and
there is no need for an external viewer.
- Thumbnail viewer: Displays thumbnail of images to help view
pictures quickly.
- Robust File System Analysis: Support for common file systems,
including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660
(CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth
Kit.
- Hash Set Filtering: Filter out good known files using NSRL and
flag bad known files using custom hashsets in HashKeeper,
md5sum, and EnCase formats.
- Tags: Tag files with arbitrary tag names, such as 'bookmark' or
'suspicious', and add comments.
- Unicode Strings Extraction: Extracts strings from an unallocated
space and unknown file types in many languages (Arabic, Chinese,
Japanese, etc.).
- File Type Detection is based on detection of signatures and
extension mismatch.
- Interesting Files Module will flag files and folders based on name
and path.
- Android Support: Extracts data from SMS, call logs, contacts,
Tango, Words with Friends, and more. (The Sleuth Kit, 2018)

Ingest Module usage
The Ingest Module is a very helpful and powerful feature. During the initial
case setup, it offers a selection of the needed ingest modules, as shown in Figure
36. It identifies files and extracts known data as records. Examples of
those records are emails, SMS messages, etc. Analysis time and disk
space may vary depending on how many modules are selected. It is
important to have the Android Analyser module selected if an Android
device image is the object of the import.

Figure 36. Autopsy Ingest Module

Android Analyser module usage
This module helps identify files and present data containing contacts,
messages and other communications records, web history, web
bookmarks etc. It gives an option to manually tag findings for different
types of categories such as Child Exploitation. Figure 37. shows which
types of categorization can be found on the main screen.

Figure 37. Android Analyzer
Accessing Partitions
Besides an automatic search for interesting records, it is possible to access
image partitions manually. This offers another view of the acquired data,
with a flexible approach to the offered data structure. Figure 38. shows
all partitions acquired by the physical acquisition.

Figure 38. Access to Imaged Partitions

Timeline
The Timeline option offers a powerful overview of the recorded events in the time
domain. With filtering options, the timeline makes context building in View
Mode Counts easier (Figure 39.).

Figure 39. Timeline – View Counts

Colours represent the main types of event categories: File System, Web
Activity, and Misc. Types (Figure 40.). This filter is useful when many
events are presented, as it allows a focus on the interesting ones.

Figure 40. Filter Events Categories

When the View Mode is set to Details, it is possible to see and pin a
potentially interesting event. Figure 41. shows SMS and pinned messages.

Figure 41. Timeline - View Details

Reporting
Autopsy offers the option of generating reports in various formats (Figure
42.). The final report will include either all analysis results or only the tagged
ones. When a large amount of data is generated, an Excel format report gives
more flexibility in case the data needs to be exported further.

Figure 42. Report Formats

The generated report is filled with the case summary, as shown in Figure 43.

Figure 43. Report - Case Summary

Figure 44. Report - Tagged Images

Figure 44. shows a detailed list of Keyword Hits, Tagged Files, Tagged
Images, or Tagged Results.

Summary
Cyber security is a subset of information security which deals with the
security of information stored in a digital form and transferred over
communication links. A great part of information security related
standards deals with cyber security issues.
Almost daily, media reports reveal cyber security related incidents. After
the historical analysis, we can conclude that we will see an increase in the
frequency of incidents of this type, especially as more services and users
use digital technology in their everyday work and life.

Knowledge acquired
Digital forensics – tools and usage: usage of hard disk and memory card docking
stations and the Portable Computer Forensic Lab; usage of general computer
forensic tools such as Disk Genius, the DD command tool, and Busybox; usage of
database tools such as the Oracle LogMiner, IBM Guardium Data Protection
for Databases, DB Browser for SQLite, Undark - a SQLite data recovery
tool, and SQLite-Deleted-Records-Parser; usage of network forensic tools
such as Wireshark, NIKSUN NetDetector, and Xplico; usage of
mobile device forensic tools such as rooting tools, Santoku,
Autopsy and the Sleuth Kit, the Ingest Module, and the Android
Analyser module; and how to access partitions and use reports.

Review questions
1. Explain the difference between digital forensics tools.
2. Name tools for each technology?
3. Steps for mobile forensic investigation.

Further readings
- Digital transformation: online guide to digital business
transformation
https://www.i-scoop.eu/digital-transformation/
- United States Secret Service:
Best Practices for Seizing Electronic Evidence
http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
- National Institute of Justice:
Forensic Examination of Digital Evidence: A Guide for Law
Enforcement
https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
- National Institute of Justice:
Electronic Crime Scene Investigation: A Guide for First Responders,
Second Edition
https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
- National Institute of Justice:
Electronic Crime Scene Investigation: An On-the-Scene Reference for
First Responders
https://www.ncjrs.gov/pdffiles1/nij/227050.pdf
- National Institute of Justice:
Digital Evidence in the Courtroom: A Guide for Law Enforcement and
Prosecutors
https://www.ncjrs.gov/pdffiles1/nij/211314.pdf
- Department of Justice:
Searching and Seizing Computers and Obtaining Electronic
Evidence in Criminal Investigations
http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf

Video resources
- Disk Imaging/Acquisition Using Linux DD / DCFLDD command
https://www.youtube.com/watch?v=aJp7_OVW2FA
- Computer Forensics: fdisk and dd
https://www.youtube.com/watch?v=nzRo8gh7wkA
- Creating a Disk Image for Forensic Analysis
https://www.youtube.com/watch?v=zY1rblisrBQ
- Starting a New Digital Forensic Investigation Case in Autopsy 4
https://www.youtube.com/watch?v=WB4xj8VYotk
- Processing and analysis of disk images with Autopsy 4 default
modules
https://www.youtube.com/watch?v=FJqoUakfmdo
- NIKSUN Netdetector https://niksun.com/notebook.php

5. Simulation of digital forensic cases

Chapter abstract
Chapter goals: To present digital forensic investigation cases which deal
with the general computer, smart and mobile phones, and databases. To
provide an insight into real forensic investigation processes not limited to
a single technology or tool.
Learning outcomes: Knowledge of the possible ways in which digital
forensic cases can be performed, explained through different simulated case
scenarios that offer students real hands-on experience from the presented
cases.

Case 1: Forensic data recovery of files on PC
The goal of the forensic investigation was to find a specific file on a disk
on which a Windows quick format had been performed. There was no need to
acquire live data for this process, because the disk had already been removed
from the PC.
For this purpose, Disk Genius was first used together with the hard disk
docking station to clone the original disk to the investigation disk, and
then to copy the cloned data to the investigator’s local forensic station.

Figure 45. Disk Genius access to the investigated hard disk

Figure 46. shows how data was copied from the cloned hard disk to the
local forensic investigator PC. All folders and files were available and
the needed file was easy to find.

Figure 46. Disk Genius data copy

Case 2: Forensic investigation of Viber, VOICE CALL, SMS,
and Coco on an Android mobile device

While working with the law enforcement team as contractors, we came
across the case of two harassed persons. They were under pressure
because they were harassed over digital channels such as Global System
for Mobile Communications (GSM) calls, SMS text messages, Viber
messages and threatening photographs, and Coco messenger. Both of them
showed their Android smartphone devices with the disturbing content.
Everything was documented in the file.
Local police arrested the suspect and seized his Android mobile phone
while following all the rules and procedures. The Android mobile device
was labelled and shielded against radio frequency radiation, thus
isolating the source of evidence, and transported to the laboratory.

Defining the Scope of the Investigation
Scope definition is an important factor of the investigation. The
initial interview with the reporting persons revealed some basic
information about the events, such as date and time, content, digital channel,
etc.
The seized device in this particular case was a Lenovo A2020a40 running
Android operating system version 5.1.1, equipped with GSM SIM card
+38761078857. The device did not have any external storage, nor was it
locked or encrypted. USB debugging was enabled. The team collected all
available information from the first victim (referred to as person 1).
TABLE 2. Reporting Person 1 Data
Report 061abcdef | Content | Date time of receipt
SMS message | Hi beauty, I saw you yesterday. | 3.2.2018 15:23
Viber message | I’m in love with you. | 2.2.2018 10:27
Viber photo | Picture of message “Are you afraid of the night?” | 3.2.2018 15:29
Viber call | | 2.2.2018 10:31 duration 63 sec

The team also collected all available information from the second victim
(referred to as person 2).
TABLE 3. Reporting Person 2 Data
Report 062342097 | Content | Date time of receipt
GSM Voice call | - | 2.12.2017 11:37 duration 30 seconds
Coco message | Careful with your door lock | 3.2.2018 15:25
Coco message | You promised me not to leave me alone. Now you will regret. | 2.2.2018 10:42

Both victims experienced unpleasant calls, messages, and photographs
delivered over:
- Traditional voice GSM service
- Traditional SMS GSM service
- Viber Internet service
- Coco Internet service

First of all, it was necessary to search for the evidence on the seized
Android device without knowing whether or not potential digital artefacts
had been deleted. After an additional analysis, the decision was made to search
for database files and photographs in both spaces – allocated and
especially unallocated – because it was assumed that the perpetrator had deleted
all or some of the messages/calls/photographs. The goal was to find as much
evidence as possible against the attacker.

Preparing the Environment for the Data Acquisition
The workstation dedicated to the investigation must be equipped with the
hardware and software needed for the image acquisition. Depending on
the type of image data acquisition, some prerequisites must be met.
The communication interface for the object of the investigation needs to be
ADB, connected over the USB port. Since this scope is limited to gathering
logical images, some additional steps must be performed beforehand.
- Verifying ADB interface
- Root the device
- Install Busybox set of utilities

Verifying ADB Interface
The installed ADB connector will act as a link between the workstation
and the device, and it will be shown in the device manager as presented in
Figure 47. If there is a malfunction, it will be shown at this point.

Figure 47. ADB Driver Verified; Android Device Connected

Rooting the Device
Device rooting is needed in order to obtain privileges for full access
to the system, or the non-volatile memory landscape. This step is critical to
get root privileges for forensic activities. The process requires the
investigator to:
- Connect device to USB
- Start the rooting tool

When the Android device is connected to the workstation, it will appear
in the tray (Figure 48.), as well as in the device manager under the control panel.

Figure 48. Android Device Connected

In order to check the adb connection, it is necessary to start the command
adb devices from the following location:
C:\Users\&lt;username&gt;\AppData\Local\Android\sdk\platform-tools
This is the location where the platform tools with the adb utility are installed.
Figure 49. shows that the workstation has successfully communicated
with the mobile device named 8d62f4b5.

Figure 49. Successful Communication to Mobile Device over ADB

Before using rooting tools, some precautions must be taken. Rooting is a
powerful process and it can lead to damage to the phone and/or the evidence. If
the rooting process is used under normal circumstances, it
immediately voids the warranty. Antivirus and firewall setup can
interfere with normal operations. Checking and testing the connection should
be done before usage.
Starting the rooting tool will show the basic data. The introduction screen
shows data about the device and the start button (Figure 50.). If the device
is recognized, then the process can be initiated by pressing the “root”
button.

Figure 50. Lenovo Rooting Start

The process will last for a couple of minutes, and its progress will be shown in the
application. During the process, the device screen will display the status of
rooting (Figure 51.).

Figure 51. Device Status During Rooting Process

When the process is successfully completed, the message “succeed” will
appear. Each brand has its own supporting software, but there are many
other applications used for root checking, one of which is
RootChecker.

Figure 52. Lenovo Moto Smart Assistant Device Status

Lenovo Moto Smart Assistant was used to check the status of the device
(Figure 52.).
Busybox Sideloading
Since Android is a Linux-based operating system, it is quite useful to have
Busybox installed on the device. After checking the adb connection to the device,
it is necessary to place the Busybox .apk file (ru.meefik.busybox_34.apk)
within the folder /android-sdk/platform-tools. Adb is available in the same
location.
In order to sideload the application, run the following command in
the command line (Figure 53.):

adb install ru.meefik.busybox_34.apk

Figure 53. Sideloading BusyBox Over ADB

In order to check if the installation was properly completed, type busybox
in the device shell to see whether it starts (Figures 54. and 55.). Available
commands will be listed.

Figure 54. Starting Busybox

In order to use the command sha1sum from the Busybox toolset to calculate
the hash value of the file ueventd.rc, type #busybox sha1sum ueventd.rc
(Figure 55.).

Figure 55. Testing Busybox Tool Sha1sum

Determining Partitions and Blocks
Since Android is a Linux-based operating system, partitions are organized
in the same way as in every other Linux OS. Knowledge of partitions, names,
and mount points is necessary in order to get to the right place and
determine the source of data before the imaging process begins. Simple
commands to list partitions are:
adb shell    # to get to the Android device
cat /proc/partitions

Running these commands will give an overview of what is happening at
the partition level, thus helping to understand which block belongs to which
partition name (Figure 56).

Figure 56. Android Block Names

Another way to obtain information about dev block names is:
adb shell
ls -la /dev/block/platform/7824900.sdhci/by-name

7824900.sdhci is not a common name for all devices; it varies, and it
is itself a subject of the investigation.
Running the command stated above will show results with more familiar
names (Figure 57.).
During the imaging process it is important to decide which blocks will be
captured and transferred. Usually the whole memory landscape (mmcblk0)
is captured and transferred; however, on some special occasions only a
single block might need imaging (e.g. mmcblk0p2). Names may vary, and
they are subjects of device examination.

Figure 57. Android Partition Names and Blocks

Acquiring Data from the Evidence Device
Data from the device will be acquired by applying two methods, namely
Physical and Logical data acquisition.
Logical data acquisition
To start the acquisition, the Android device must have the debugging option
enabled and a working adb connection. From the Linux command line, start the
command aflogical-ose and then enter the sudo password (Figure 58.).

Figure 58. Starting AFLogical OSE acquisition

Before pressing Enter to pull data from the device, it is necessary to mark
the interesting logs for acquisition, and then press the “capture” button
(Figure 59.).

Figure 59. Device Capture Options

Data is transferred to the remote folder, packed in a comma
separated value format (Figure 60).

Figure 60. AFLogical OSE Data Extraction and Transfer

Acquired data can be found in the folder /home/nera/aflogical-data/ (Figure
61).

Figure 61. Acquired Data in Remote Folder

Data in this folder shows only what logically exists in the phone records
regarding the logs we were offered and which we selected during the initial
logical acquisition step. Deleted records are not available.
Physical data acquisition
In this process, the imaging command for /dev/block will be issued and,
at the same time, the transfer over the adb link using redirection will be
initiated. The Netcat utility will allow forwarding commands across the adb
link.
For the imaging process, the Linux command dd will be used. The syntax is:
dd if=/mountpoint of=/destinationpoint/partitiontype
Instead of using of, the output can be redirected through netcat (nc) to a remote file:
dd if=/mountpoint | busybox nc -l -p portnumber

Obtaining data from the source device will be done through two concurrently
opened shells on the Santoku investigative workstation (Figure 62.). This
process can take some time. In this case, 7818182656 bytes were
transferred in 7836.341 seconds (approximately 130 minutes).
The remote destination should have enough storage to receive the image.
Another important factor is the type of file system the destination is formatted with.
FAT32 will not be able to accept a file larger than 4GB.

Figure 62 callouts:
- Shows if there is a device present at the adb connection. If the device is
present and communication successful, the name will appear. In this case the
device with the name 8d62f4b5 is present.
- This command setup is forwarding host port 6970 over the TCP protocol to
remote device port 6970 over TCP (in this case the receiving side is the
Santoku Linux investigative workstation waiting at SHELL 2).
- Initiate the remote shell to the only connected device.
- su command on the remote shell.
- Copying the content of /dev/block/mmcblk0 to remote destination port 6970
using the BusyBox Netcat utility.
- nc is the command used to start the NetCat utility to transfer data. In this
case netcat is receiving data from the previously started transfer of the
mmcblk0 block using the dd command on port 6970. The received content will have
the name Digital_Evidence_Android_01.dd. This image will be used later, first to
calculate the hash value, and then for the forensic analysis.

Figure 62. An integrity of the evidence image file

In order to maintain the integrity check of the obtained image file, the hash
calculation has to be performed and documented (Figure 63.). The calculated
hash value is checked throughout the entire process and the complete life cycle
of the evidence.
The command issued in the shell is:
sha256sum Digital_Evidence_Android_01.dd

Figure 63. Calculating Hash Value of the Evidence Image
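
An added example (not from the original text) of the receiving side of such a transfer, written in Python in place of nc: it hashes the image while the bytes arrive, checks the byte count against the device size from /proc/partitions, and re-verifies the stored file later in the evidence life cycle. The function names and the /proc/partitions excerpt are constructed; the block count 7634944 is the 7818182656 bytes reported above divided by 1024.

```python
import hashlib
import os
import socket

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-GB image never sits in RAM

# Constructed /proc/partitions excerpt (sizes are in 1 KiB blocks).
SAMPLE_PROC_PARTITIONS = """major minor  #blocks  name

 179        0    7634944 mmcblk0
 179        1      65536 mmcblk0p1
"""


def partition_bytes(proc_partitions_text, name):
    """Size in bytes of a block device listed in /proc/partitions."""
    for line in proc_partitions_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] == name and fields[2].isdigit():
            return int(fields[2]) * 1024
    raise KeyError(name)


def receive_image(stream, dest_path):
    """Write a binary stream to dest_path, hashing each chunk as it arrives.

    Returns (bytes_written, sha256_hex) for the acquisition record.
    """
    digest = hashlib.sha256()
    total = 0
    with open(dest_path, "wb") as out:
        while True:
            chunk = stream.read(CHUNK)
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
        out.flush()
        os.fsync(out.fileno())
    return total, digest.hexdigest()


def hash_file(path):
    """SHA-256 of a stored file, equivalent to running sha256sum on it."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_size, expected_sha256):
    """Re-check a stored image against the values recorded at acquisition."""
    problems = []
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        # A dropped connection ends the stream early and leaves a short image.
        problems.append("size %d differs from expected %d"
                        % (actual_size, expected_size))
    if hash_file(path) != expected_sha256:
        problems.append("SHA-256 differs from the recorded value")
    return problems


def receive_from_port(host, port, dest_path):
    """Connect to the forwarded TCP port and store the incoming image."""
    with socket.create_connection((host, port)) as sock:
        with sock.makefile("rb") as stream:
            return receive_image(stream, dest_path)
```

Comparing the received byte count with the size from /proc/partitions catches a truncated transfer, which a hash of the received file alone cannot reveal because there is nothing on the workstation to compare it with.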

Importing Image File into Autopsy
Before the analysis starts, the collected image file needs to be imported into
the tool Autopsy 4.5.0. This process can take a while, depending on the size of
the image file. During the image collection process, the dd command was used
to collect the whole image of the Android device, including unallocated space,
to allow a deeper analysis. During the initial case creation, the option
Disk Image or VM File was chosen as the data source. The ingest module was
left with default settings, with all available options marked.

Analysis of the Acquired Mobile Device Data
Data acquired with both methods, logical and physical, will be the subject
of the investigation.
Analysis of Logically Acquired Data
Logical acquisition is simple, and all data acquired from the phone is
located in one folder with names which correspond to the data (Figure 64).

Figure 64. Files Containing Acquired Data

Figure 65. shows the content of the file SMS.csv.

Figure 65. Content of SMS File

The CallLog Calls.csv file contains data about calls. Corresponding records
are found in the listing. Figure 66. shows that a call was made to the number
062342097; the date is formatted in the EPOCH² date time format, and
1512211049405 is 2.12.2017 11:37:29.405, with a duration of 30 seconds.

Figure 66. Content of CallLog Calls File

² The Unix epoch (or Unix time or POSIX time or Unix timestamp) is the number of seconds that have
elapsed since January 1, 1970 (midnight UTC/GMT).

None of the other applications’ log data was retrieved during the logical
acquisition using the AF Logical OSE tool. No other matches except the voice call
were found (Table 3. and Table 4.).
TABLE 4. Overview of Logically Acquired Data for Reporting Person 1
Report 061abcdef | Content | Date/time of receipt | Evidence/Logical acquisition found
SMS message | Hi beauty, I saw you yesterday. | 3.2.2018 15:23 | NO
Viber message | I’m in love with you. | 2.2.2018 10:27 | NO
Viber call | | 2.2.2018 10:31 call duration 1:03 sec | NO
Viber threatening photo | Picture of the message “Are you afraid of the night?” | 3.2.2018 15:29 | NO

TABLE 5. Overview of Logically Acquired Data for Reporting Person 2
Report 062342097 | Content | Date/time of receipt | Evidence/Logical acquisition found
GSM Voice call | - | 2.12.2017 11:37 duration 30 seconds | YES
Coco message | Careful with your door lock | 3.2.2018 15:25 | NO
Coco message | You promised me not to leave me alone. Now you will regret. | 2.2.2018 10:42 | NO

Analysis of the Physically Acquired Data
Physical analysis begins with the Autopsy tool. The full Android mobile
device image Lenovo_Android05 is imported, and the ingest module runs on the
data with the tasks configured at the beginning. Autopsy also searches
unallocated space, which is particularly interesting when data has been
hidden or deleted data has to be recovered.

Autopsy mounted 35 partitions (Figure 67.). Partition vol34 – userdata is
the place where all applications hold data.

Figure 67. Autopsy Mounted Partition from the Evidence Image

Table 6. lists collected information about applications in the scope of
investigation.
TABLE 6. Collected Data about Applications in Investigation Scope
Application name | Location of application | Location of database | Database names
Viber | /data/com.viber.voip | /data/com.viber.voip/databases | Viber_messages
SMS | /data/com.android.providers/telephony | /data/com.android.providers/telephony/databases | Mmssms.db
Coco msg/voice | /data/com.instanza.cocovoice | /data/com.instanza.cocovoice/databases | 59317329_coco.db
GSM Telephone dialler | /data/com.android.providers.contacts | /data/com.android.providers.contacts/databases | Contacts2.db

Viber Message and Call Investigation
The Viber investigation searched for evidence matching the data in the table
from the beginning of the case. The goal was to prove the existence of a
digital trail related to Viber. Table 7. shows the report received from user
061abcdef.
TABLE 7. Viber Message and Call Investigation
Report 061abcdef | Content | Date/time of receipt
Viber message | I’m in love with you. | 2.2.2018 10:27
Viber call |  | 2.2.2018 10:31 call duration 1:03 sec
Viber threatening photo | Picture of message “Are you afraid of the night?” | 3.2.2018 15:29

First of all, we need to locate the proper partition and data path, found in
the Viber database (Figure 68.).

Figure 68. Viber Database Location and Metadata
Searching for the Viber Message – “I’m in love with you”

In order to find the message, the database needs to be extracted to the
operation folder (right click on database – extract) and then opened in DB
Browser for SQLite.
Viber database structure is shown in Figure 69. Tables messages and
messages_calls will be the subject of analysis because they contain data
interesting for the investigation.

Figure 69. Viber Database Structure

Executing an SQL command over the table messages in the database
viber_messages yields a result which proves that the message “I’m in
love with you” was sent from the phone (Figure 70.). Epoch data
1517563641920 is 2.2.2018 10:27:21.920.

Figure 70. Retrieve Data About Message from Table Messages
Searching for the call 2.2.2018 10:31; call duration 1:03 sec

The following step is to find the trail for the Viber call to 061abcdef on
2.2.2018 at 10:31; call duration 1:03 sec. The table messages_calls contains
this data. Executing an SQL command with the parameters needed to narrow
the query returns data which proves that the call was made from this
phone (Figure 71). Epoch time 1517563892604 is equal to 2.2.2018
10:31:32.604.

Figure 71. Retrieve Data About Calls from Table Messages_Calls
Searching for the sent picture of the message “Are you afraid of the night?”

The following task is to find the Viber picture/photo of the threatening
message “Are you afraid of the night?” sent 3.2.2018 at 15:29.
Table messages in viber_messages database shows the record of a deleted
message (Figure 72.).
Other than date/time value and status of the message, other available data
is not in the scope of the investigation.

Figure 72. Viber Database Records

Epoch 1517668146820 is 3.2.2018 15:29:06.820, which corresponds to the
date and time from the initial search table. Another step is to search
unallocated space for deleted pictures. Autopsy has a strong engine that
inspects files according to the ingest module configuration. The picture was
found as a deleted file (Figure 73.).

Figure 73. Recovered Deleted Picture

Additional data about the file is shown in Figure 74.

Figure 74. Recovered Deleted Picture Metadata

SMS Message Investigation
The scope of this investigation is the database where SMS messages are
stored. The initial data we were searching for is shown in Table 8.
TABLE 8. SMS Message Investigation
Report 061abcdef | Content | Date/time of receipt
SMS message | Hi beauty, I saw you yesterday. | 3.2.2018 15:23

According to the previous mapping of the application location, SMS
messages are stored in the database mmssms.db located in
/data/com.android.providers/telephony/databases. After the database is
extracted to the operational folder, its structure is examined
(Figure 75). The table named sms should have data about messages. Other
tables were opened, and their attributes were checked. Depending on the
scope of the investigation, some other tables can be subject to a detailed
analysis.

Figure 75. MMSSMS Database Structure
Searching for the sms message “Hi beauty, I saw you yesterday”

No other tables except the sms table contained the needed records. The
investigation shows that the records in the table sms do not contain data
about the message “Hi beauty, I saw you yesterday” (Figure 76.). It is
assumed that the message was deleted from the database, because the executed
SQL commands do not retrieve any data for the given condition. Other tools
should be used to attempt data recovery at the database level.

Figure 76. Retrieve Data about Calls from Table SMS

The SQLite-Deleted-Records-Parser tool can help find deleted data in a
database. The tool is started with mmssms.db as input and mmssms.txt as the
output file. After the execution, the message is found in unallocated space
(Figure 77.).

Figure 77. Recovered Deleted Database Record

GSM Voice Call Investigation
The scope of the GSM voice call investigation is the database where the
call records are stored. The initial data we were searching for is shown in
Table 9.
TABLE 9. GSM Voice Call Investigation
Report 062342097 | Content | Date/time of receipt
GSM Voice call | - | 2.12.2017 11:37 duration 30 seconds

Voice call log records can be found in the database contacts2.db located in
/data/com.android.providers.contacts/databases. The structure of the database
after the extraction to the operational folder is shown in Figure 78.

Figure 78. Contact2 Database Structure
Searching for the GSM voice call 2.12.2017 11:37 duration 30 seconds

The table calls should hold data about every call made, incoming as well as
outgoing. The executed SQL command retrieves the data about the call dated in
the table at the beginning of the investigation (Figure 79.). Epoch
1512211049405 is 2.12.2017 11:37:29.405.
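
The timestamps quoted in this chapter are millisecond counts, and the local times given for them correspond to UTC+1. The following Python code is an added example, not part of the original text: it converts such values and selects the reported call from a constructed, reduced stand-in for the calls table. The fixed UTC+1 offset, the helper names and the two extra rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: times in the report were displayed in UTC+1, the offset implied
# by the values quoted in the text. Use the time zone documented for the case.
CASE_TZ = timezone(timedelta(hours=1))


def epoch_ms_to_local(ms, tz=CASE_TZ):
    """Convert a millisecond Unix timestamp to an aware datetime in tz."""
    seconds, millis = divmod(int(ms), 1000)
    return datetime.fromtimestamp(seconds, tz).replace(microsecond=millis * 1000)


def local_to_epoch_ms(text, tz=CASE_TZ):
    """Parse 'D.M.YYYY HH:MM' (the report's format) into epoch milliseconds."""
    dt = datetime.strptime(text, "%d.%m.%Y %H:%M").replace(tzinfo=tz)
    return int(dt.timestamp()) * 1000


def format_report(dt):
    """Render a datetime in the D.M.YYYY HH:MM:SS.mmm style used in the text."""
    return f"{dt.day}.{dt.month}.{dt.year} {dt:%H:%M:%S}.{dt.microsecond // 1000:03d}"


def find_calls(con, number, reported_local, window_minutes=1):
    """Return calls to `number` that started within the reported minute."""
    start = local_to_epoch_ms(reported_local)
    end = start + window_minutes * 60_000
    rows = con.execute(
        "SELECT number, date, duration FROM calls "
        "WHERE number = ? AND date >= ? AND date < ? ORDER BY date",
        (number, start, end),
    ).fetchall()
    return [(n, d, format_report(epoch_ms_to_local(d)), dur) for n, d, dur in rows]


def build_sample_calls():
    """Constructed stand-in for the calls table (reduced column set)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
                "date INTEGER, duration INTEGER, type INTEGER)")
    con.executemany(
        "INSERT INTO calls (number, date, duration, type) VALUES (?, ?, ?, ?)",
        [
            ("062342097", 1512211049405, 30, 2),  # value quoted in the text; 2 = outgoing
            ("062342097", 1512214649405, 12, 2),  # constructed: one hour later
            ("061000000", 1512211049999, 5, 1),   # constructed: different number
        ],
    )
    return con


if __name__ == "__main__":
    for row in find_calls(build_sample_calls(), "062342097", "2.12.2017 11:37"):
        print(row)
```

Converting the same value with timezone.utc gives 10:37:29.405, so the report should state which time zone its times are in.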

Figure 79. Retrieve Data About Calls from Table Calls

Coco Message Investigation
Coco messenger is not a widespread application. It supports messaging
and voice communication. According to the previous analysis and
application location mapping, the database 59317329_coco.db is located in
/data/com.instanza.cocovoice/databases. The initial data we were searching
for is shown in Table 10.
TABLE 10. Coco Message Investigation
Report 062342097 | Content | Date/time of receipt
Coco message | Careful with your door lock | 3.2.2018 15:25
Coco message | You promised me not to leave me alone. Now you will regret. | 2.2.2018 10:42

The structure of the database after the extraction to the operational folder
is shown in Figure 80.

Figure 80. 59317329_coco Database Structure
Searching for the message “Careful with your door lock”.

The table ChatMessageModels should have data related to messages. The
executed SQL command did not return any data about the message (Figure
81).

Figure 81. Retrieve Data about Chat Message from Table Content

The SQLite-Deleted-Records-Parser tool retrieved deleted database data from
the source database file 59317329_coco.db into the output file coco.txt.
After the execution, the message was found (Figure 82).
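
Why a query can come back empty while the text is still in the file, as in both the SMS search and the Coco search above: the following Python code is an added example (it is not the SQLite-Deleted-Records-Parser tool and not part of the original text). It deletes a row from a constructed stand-in for the sms table and then scans the raw database pages; the reduced schema, the filler rows, the timestamps and the secure_delete = OFF setting are assumptions.

```python
import os
import sqlite3
import struct
import tempfile

TARGET = "Hi beauty, I saw you yesterday."  # message text from the case


def build_sample_db(path):
    """Constructed mmssms.db stand-in: three SMS rows, then one is deleted."""
    con = sqlite3.connect(path)
    # Assumption: freed space is not zeroed when a row is deleted.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, body TEXT)")
    con.executemany(
        "INSERT INTO sms (address, date, body) VALUES (?, ?, ?)",
        [
            ("061000001", 1517667700000, "Constructed filler message one"),
            ("061abcdef", 1517667780000, TARGET),  # constructed timestamp
            ("061000002", 1517667900000, "Constructed filler message two"),
        ],
    )
    con.commit()
    con.execute("DELETE FROM sms WHERE body = ?", (TARGET,))
    con.commit()
    con.close()


def live_matches(path, text):
    """What an ordinary SQL query sees: rows still present in the table."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT COUNT(*) FROM sms WHERE body LIKE ?",
                           (f"%{text}%",)).fetchone()[0]
    finally:
        con.close()


def raw_hits(path, text):
    """Scan the database file itself; return (page number, offset in page)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database file")
    # Page size is a big-endian 16-bit value at offset 16; 1 means 65536.
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    needle, hits, pos = text.encode("utf-8"), [], data.find(text.encode("utf-8"))
    while pos != -1:
        hits.append((pos // page_size + 1, pos % page_size))
        pos = data.find(needle, pos + 1)
    return hits


def recover(path, text):
    """Compare the logical view (SQL) with the physical view (raw pages)."""
    live, hits = live_matches(path, text), raw_hits(path, text)
    return {"live_rows": live, "raw_hits": hits,
            "deleted_residue": live == 0 and bool(hits)}


def demo():
    """Build the sample in a temporary folder and report what survives."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms_sample.db")
        build_sample_db(path)
        return recover(path, TARGET)


if __name__ == "__main__":
    print(demo())
```

Always run such a scan on a working copy of the extracted database, never on the evidence image itself.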

Figure 82. Recovered Evidence Message from Deleted Database Record

Searching for the Message “You promised me not to leave me alone. Now you
will regret.”

The table ChatMessageModels should have data related to messages. The
executed SQL command retrieved data about the message dated in the table at
the beginning of the investigation (Figure 83). Epoch 1517564524520 is
2.2.2018 10:42:04.520.

Figure 83. Retrieve Data about the Message from Table Content

Investigation Findings
The investigation was completed by summarizing discovered digital
artefacts on the perpetrator’s Android mobile device. Quantitative data is
shown in Table 11.
TABLE 11. Quantitative Data about Found Evidence
Category | Number of reported/expected digital artefacts | Logically acquired artefacts | Physically acquired artefacts
Viber | 3 | 0 | 3
SMS | 1 | 0 | 1
Coco | 2 | 0 | 2
GSM calls | 1 | 1 | 1
Total | 7 | 1 | 7
Percentage | 100% | 14.2% | 100%

The summary of the data shows that the team proved the existence of the
searched data in the mobile device. The investigation started with 7 reported
messages/calls/photos. That was the foundation for defining the scope of
the investigation and the tools needed to carry it out. During the process,
two methods of data acquisition were used, namely logical and physical data
acquisition. It is obvious that using the AF Logical OSE tool for the logical
acquisition was not enough to obtain the necessary data, especially deleted
data (SMS), data of other Internet services such as Viber and Coco
messenger, and deleted photographs.

Ending Investigations
All collected evidence findings were submitted according to the rules and
procedures. The report is handed over to the authorities together with the
evidence. The evidence was used in the court. It is not known what
happened to the perpetrator.
Figure 84. shows the report summary with data about case such as case
name, case number, examiner name, time zone, and the location of the
taken image.

Figure 84. Report Summary

Figure 85. shows tagged files for evidence. Evidence list contains the
exact location of evidence within the partition.

Figure 85. Report of the Evidence Tagged Files and Locations

Report navigation offers grouping of data by the categories keyword hits,
tagged files, tagged images, and tagged results. The report shown in
Figure 85. includes files and images as the evidence trail.

Case 3: Database forensics – user complaints on high bills
The complaint centre of the Internet provider’s company received a
complaint from a customer about high bills at the end of the month.
Management ordered a forensic analysis, so internal forensic investigators
began examining the RACUNI_USER_USER table, where customer account details
were kept, for potentially suspicious activity. The forensic analysis of the
table RACUNI_USER_USER should indicate whether there was an unauthorized
change and, if so, when it was made and by whom.
A report was created with IBM Guardium for the given table, and the
result of the report is shown in Figure 86.

Figure 86. IBM Guardium report for the customer complaints

The report shows details indicating that there has been a change in the
table, that is, in the set values for MOBILE, FIXED for two customers and
INTERNET for one customer. We can notice that DB USER is an
unclassified person (attacker) who came from the IP address:
aaa.bbb.cc.dd where the service account ESJEDNICE_TST was logged
on.

Inspecting the HOST that corresponds to the IP address confirmed that it is
a file server in the domain of the Internet provider company (BH TELECOM).

Figure 87. IP resolution

Digital forensic investigators detected that the criminal attempted to
conceal evidence by logging in with a service account on the FILE server. The
attacker used the file server to start the SQLPLUS tool with the user
ATTACKER to access the database and make unauthorized changes in the table.
The next logical step in the forensic investigation was to try to find out
who was hiding behind the username ATTACKER, or who gave the rights
(rights to the database) to the ATTACKER who made the changes in the
table. This information is presented in Figure 88.

Figure 88. Report from IBM Guardium shows ATTACKER creator

The user ATTACKER was created by one of the administrators
(MIRZA_ADMIN) through SQLPLUS on a local server, and was granted rights
through the Oracle Enterprise Manager Tool.

Case 4: Database forensics – Salaries data leakage
Company management initiated the forensic analysis after salary details
were revealed in the media. Due to the disclosure of confidential
information, the management made a written request to conduct a detailed
forensic investigation of the database to determine who accessed the table
with data about salaries, and how. The forensic investigators knew that
there were two tables containing the incriminated data. One table contained
data on salaries and another on employee names.
The next report in the IBM Guardium tool, which tracks the sensitive
tables, shows the events related to this case (Figure 89.).

Figure 89. IP address, username, and SQL command

The first report shows that the undefined user POM_2015 connected to
the database using the SQLPLUS tool, from the machine whose IP address
is: aaa.bbb.ee.ff where the user is esjednice_stst1, and created tables with
contents of the table PLATE (SALARIES) and UPOSLENIC_FIRME
(COMPANY_EMPLOYEES).

Figure 90. shows the DNS name of the PC with the address aaa.bbb.ee.ff,
which identifies the PC as ucionica (classroom1). This is an example of a
fraudulent activity where the HOST classroom1 is used to hide database access
traces. Another important issue is that the access to the tables with
salaries and names was not direct. Rather, in order to cover tracks, two
so-called “help tables” were created (IZVJ_2015 and HR_IZVJ_2015)
with data from the sensitive tables.

Figure 90. IP Address name resolution

From the fact that two additional tables were created for sensitive data
access, we can understand that the attacker assumed that there were
certain tools which followed the access to the above tables, and tried to
obtain data from sensitive tables indirectly. The next step for the forensic
team was to go into a deeper analysis of user POM_2015 and tables
created by this user which indicated illegal activities on the database.

Figure 91. View detailed POM_2015 user-related activities

Figure 91. shows the chronological overview of the criminal activities of
the user POM_2015 and the administrator MIRZA_DBA on the database. After
POM_2015 created the auxiliary tables from which s/he collected the
information, s/he wiped it out to cover up the evidence. However, the
IBM Guardium tool recorded one more item here: in this procedure a user
(in this case, MIRZA_DBA) appeared, who erased the user that committed the
criminal activity.
Forensic analysis led to very important information indicating a valid
trace, i.e., the fact that the administrator (MIRZA_DBA) was actually
responsible for the criminal activity (Figure 92.).

Figure 92. Details of the report about the creation of the user POM_2015
and granted access rights

The forensic analysis presented in the previous report clearly shows when
the user was created and in what way, and how he obtained privileges over
the tables in order to access the database. In conclusion, we can notice that
the account and tables were deleted in order to try to conceal the proof of
the criminal activity.

Case 5: Database forensics – data deletion
The company’s marketing department discovered that data from a database
was deleted and requested the investigation. Human resources also
discovered that the column with monthly employees’ salaries in the
database table was deleted. Thus, they initiated data recovery from the
backup; however, before the data was restored from the backup, management
wanted a report on who deleted the data from the database, what was deleted,
when, and in what way.
The report generated using IBM Guardium for the table where the data
was deleted shows who deleted the data, when and how that happened, and
which tool was used.

Figure 93. A forensic report related to deleted data in the table

As shown in the IBM Guardium report, the user who is responsible for
deleting all data from the table NOVE_USLUGE is TRON555.

Figure 94. Report on details of creation and assignment of privileges for
the user TRON555

However, when the team tried to further explore the origin of the user in
IBM Guardium, i.e. when it was created and who created it, they failed.
The forensic investigator realized that the attacker was well-acquainted
with the IBM Guardium system and managed to hide the trace of creating
and granting rights to the user who cleared all data in the table.
The following forensic analysis showed that the attacker knew that there
were users which were not recorded by IBM Guardium when monitoring changes
in the database. These users started the service and were used to run
backup scripts; with the permission of the management, they were excluded
from monitoring through the IBM Guardium tool.

Figure 95. View exception rules for users who are not treated through
IBM Guardium

Figure 96. shows that the attacker might have used one of the two
mentioned users in order to circumvent the system and thereby attempt to
hide the true trail indicating who is responsible for an unauthorized action
of deleting data in the table. However, s/he did not consider that the
forensic investigator had other methods and tools which could lead to
evidence. By inspecting the redo log file with the LogMiner tool, the
requested response indicated which user was behind the user TRON555.

Figure 96. LogMiner Detailed report for the creation and permitting
access for the TRON555 user

However, since this was the service user account, the forensic investigator
had to investigate further to see who enabled the user OPER to create and
assign rights to users in the database or delete data from the table. The
report received through the IBM Guardium gave the answer to this
question and at the same time the solution to another request that came
from the Human resources regarding deleted data containing salaries from
the NAKNADE_USER table.

Figure 97. Details of the report related to deleting a column in the table

The report shows that the user OPER was created, with the help of the SYS
database user, on the computer whose IP address was aaa.bbb.gg.hh and on
which the user MIRZAHAL was registered. The user OPER was assigned rights to
delete the column in the table.
The report from LogMiner shows that the same user (OPER) was used to
create another user (TRON555) who deleted the data from the
NOVE_USLUGE table.
This test scenario is an indication that an attacker will always search for a
"weak point" of the systems, programs, equipment, or devices. Attackers
seek weak points in an attempt to hide themselves, thus avoiding any
possible liability for the committed crime.
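
The account chain in Case 5 can be reconstructed by merging records from both evidence sources and walking the account creations backwards. The following Python code is an added example, not part of the original text and not the output format of IBM Guardium or LogMiner: the record fields, the SQL strings and the exclusion set are constructed from the accounts named in the case.

```python
import re

# Constructed records modelled on Case 5. The field names are hypothetical;
# IP values are the placeholders used in the text.
EVENTS = [
    {"source": "monitor", "db_user": "SYS", "os_user": "MIRZAHAL",
     "client_ip": "aaa.bbb.gg.hh", "sql": "CREATE USER OPER IDENTIFIED BY <redacted>"},
    {"source": "monitor", "db_user": "SYS", "os_user": "MIRZAHAL",
     "client_ip": "aaa.bbb.gg.hh", "sql": "GRANT CREATE USER TO OPER"},
    {"source": "redo", "db_user": "OPER", "os_user": None,
     "client_ip": None, "sql": "CREATE USER TRON555 IDENTIFIED BY <redacted>"},
    {"source": "redo", "db_user": "OPER", "os_user": None,
     "client_ip": None, "sql": "GRANT DELETE ON NOVE_USLUGE TO TRON555"},
    {"source": "monitor", "db_user": "TRON555", "os_user": None,
     "client_ip": "aaa.bbb.ee.ff", "sql": "DELETE FROM NOVE_USLUGE"},
]
# Accounts exempted from monitoring (the backup/service exception in the case).
MONITOR_EXCLUDED = {"OPER"}

CREATE_USER = re.compile(r'^\s*CREATE\s+USER\s+"?([A-Za-z0-9_$#]+)"?', re.I)
PRIVILEGE_SQL = re.compile(r"^\s*(CREATE\s+USER|ALTER\s+USER|DROP\s+USER|GRANT)\b", re.I)


def creators(events):
    """Map each created account to the first record that created it."""
    made = {}
    for ev in events:
        match = CREATE_USER.match(ev["sql"])
        if match:
            made.setdefault(match.group(1).upper(), ev)
    return made


def provenance(events, account):
    """Walk CREATE USER records from `account` back to the first known creator."""
    made, chain, seen = creators(events), [], set()
    current = account.upper()
    while current in made and current not in seen:  # `seen` guards against loops
        seen.add(current)
        ev = made[current]
        chain.append({"account": current, "created_by": ev["db_user"],
                      "evidence": ev["source"], "os_user": ev["os_user"],
                      "client_ip": ev["client_ip"]})
        current = ev["db_user"].upper()
    return chain


def monitoring_gaps(events, excluded):
    """Account and privilege statements issued by accounts the monitor skips."""
    return [ev for ev in events
            if ev["db_user"].upper() in excluded and PRIVILEGE_SQL.match(ev["sql"])]


def unmonitored_links(chain):
    """Links of the chain that are known only from the redo log."""
    return [link for link in chain if link["evidence"] != "monitor"]


if __name__ == "__main__":
    chain = provenance(EVENTS, "TRON555")
    for link in chain:
        print(link)
    print("seen only in redo log:", [l["account"] for l in unmonitored_links(chain)])
    print("statements by excluded accounts:", len(monitoring_gaps(EVENTS, MONITOR_EXCLUDED)))
```

Every statement returned by monitoring_gaps is one the exception rules kept out of the monitoring report, which is the gap that made the redo log necessary in this case.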

Summary
Cyber security is a subset of the information security which deals with the
security of information stored in digital form and transferred over
communication links. A great part of information security related
standards deals with cyber security issues. Almost daily, media reports
reveal cyber security related incidents. After the historical analysis, we
can conclude that we will see an increase in incidents of this type,
especially as more services and users use digital technology in their
everyday work and life.

Knowledge acquired
Forensic data recovery of files on PC, forensic data recovery of Viber,
voice call, SMS, and Coco on an Android mobile phone. Database
forensics related to user complaints on high bills, salaries data leakage,
and data deletion.

Review questions
1. How can an attacker hide wrongdoings?
2. Where are the databases located on an Android mobile phone?

Further readings
- Digital transformation: online guide to digital business
  transformation https://www.i-scoop.eu/digital-transformation/
- The Cyber Security Management System: A Conceptual Mapping,
  SANS Institute InfoSec Reading Room
  https://www.sans.org/reading-room/whitepapers/basics/cybersecurity-management-system-conceptual-mapping-591

Video resources
- The case of the stolen exams
  https://www.youtube.com/watch?v=1BVG6cmPlPk
- Digital Forensics – Famous Cases
  https://www.youtube.com/watch?v=gPuugbpLOeI

6. Conclusions

Chapter abstract
Chapter goals: To summarise book goals and review gained knowledge.
Cybercrime is much different from the conventional crime related to the
physical world. There are a lot of challenges for the law enforcement and
organisations who are victims of the cyber-crime. There is not much
difference between crimes in cyber and physical space, however, in cyber
space there is a lot more data and ways in which criminals could hide it.
Also, it is more challenging to perform the digital forensic investigation
because specific data can be found in volatile or non-volatile memory.
Another challenge is the fact that criminals do not have boundaries, while
boundaries between different countries’ jurisdictions exist.
Digital forensics is still in the process of development, and is constantly
being upgraded with the latest scientific advancements and new practices.
Technology progress must be followed by the goal to be ready to face new
challenges in form of crime techniques in the cyberspace.
Additional professional, legal, and scientific efforts have to be invested to
improve the existing practices to combat cyber criminals. It is a
professional duty to support activities and develop techniques and
infrastructures to fight against the misuse of cyber resources.

This book presents the range of free digital forensic tools which can be
used by students as a guide to develop and practice their skills.
We presented several simulated cases of digital forensic investigations
with documented evidence, and steps which can be followed in similar
situations.
Furthermore, expert witnesses can present the evidence from real digital
forensic cases at the court by following steps and using tools presented in
this book, or similar procedures and tools accepted in local and
international jurisdiction.
Finally, the digital forensic investigator must continuously upgrade
knowledge about cases, tools, best practices, and technology. Technology
is developing very fast, so even some tools presented in this book might
already be outdated, which is why reading and lifelong learning is
important for a successful combat against the cyber-crime.

Appendix – Consent Form

I, _______________________________ (name and surname), (DOB ____/____/____),
hereby authorize ______________________________________________,
an __________________________________________________ (function title),
to take custody and analyse the items detailed below for evidence. I understand
that copies of the contents of the items, including all files and data, may be
copied and retained for the analysis. I also understand that the analysis of the
copies of the media may continue even after the items designated for the
analysis are returned. I provide my consent to this analysis freely, willingly, and
voluntarily, and with the knowledge that I have the right to refuse to consent. I
provide my consent without fear, threat, coercion, or promise of any kind.
Device

Serial number

Additional owner/user
details

Owner’s printed name

Signature

Witness’ printed name

Signature

Witness’ printed name

Signature

Appendix – Incident response form

General data about incident


System under attack



Incident investigation in progress



Incident closed

Required assistance:_________________________________________
Which data, service, project is under an impact:
__________________________________________________________
__________________________________________________________

Type of incident


Malicious software



DoS/DDoS attacks



Unauthorized access



Leakage of data and information in public

Date and time of the incident:
_____________________________________
Brief summary:
__________________________________________________________
__________________________________________________________
__________________________________________________________

Details for malicious software:
Source (mail, web page, mobile memory such as USB):
____________________________________________________

Type: (virus, Trojan, worm, spyware, other):
__________________________________________________________
__________________________________________________________

DoS / DDoS attack
Attack source:
__________________________________________________________
Service attacked (OS version, IP address):
__________________________________________________________
Type of DoS / DDoS traffic:
__________________________________________________________

Details for an unauthorized access:
__________________________________________________________
__________________________________________________________

Leakage of data and information in public:
__________________________________________________________
__________________________________________________________

Appendix – Digital forensic process

List of Figures

Figure 1. Word “Forensic” explanation (google, 2018)
Figure 2. Digital and Computer forensic realm
Figure 3. Computer forensic
Figure 4. Network forensics
Figure 4. Forensic analysis goals to detect – who, what, when, where
Figure 5. Incident response plan (Banking and Insurance, 2017)
Figure 6. Digital and Cyber forensic types
Figure 7. Steps in the Digital Forensic Investigation Process
Figure 8. Application analysis
Figure 9. Sample_file.txt content
Figure 10. Creating concealed message in sample_file1.txt content
Figure 11. Creating concealed message in sample_file1.txt content
Figure 12. Reading concealed message in sample_file1.txt content
Figure 13. File sizes comparison
Figure 14. Hard disk docking station (Renkforce, 2019)
Figure 15. Memory card docking station (Logilink, 2019)
Figure 16. Portable Computer Forensic Lab Road MASSter 2, 2019
Figure 17. Disk Genius
Figure 18. Calculating Hash Value
Figure 19. Q Capture program works with LogMiner to retrieve changed data IBM Knowledge, Center, 2013
Figure 20. View all transactions for user, Nanda A., 2019
Figure 21. LogMiner results, Nanda A., 2019
Figure 22. LogMiner results, Nanda A., 2019
Figure 23. IBM Guardium (2019) Navigation Overview
Figure 24. IBM Guardium (2019) Out of the box creation
Figure 25. DB Browser for SQLite
Figure 26. FTP connection
Figure 27. Captured FTP connection with Wireshark
Figure 28. NIKSUN NetDetector, 2019
Figure 29. Xplico (2019)
Figure 30. Kingo Android Root
Figure 31. Santoku Linux
Figure 32. Santoku Linux Download
Figure 33. AFLogical OSE
Figure 34. Autopsy Main Operations Screen
Figure 35. Type of Data Source
Figure 36. Autopsy Ingest Module
Figure 37. Android Analyzer
Figure 38. Access to Imaged Partitions
Figure 39. Timeline – View Counts
Figure 40. Filter Events Categories
Figure 41. Timeline - View Details
Figure 42. Report Formats
Figure 43. Report - Case Summary
Figure 44. Report - Tagged Images
Figure 45. Disk Genius access to the investigated hard disk
Figure 46. Disk Genius data copy
Figure 47. ADB Driver Verified; Android Device Connected
Figure 48. Android Device Connected
Figure 49. Successful Communication to Mobile Device over ADB
Figure 50. Lenovo Rooting Start
Figure 51. Device Status During Rooting Process
Figure 52. Lenovo Moto Smart Assistant Device Status
Figure 53. Sideloading BusyBox Over ADB
Figure 54. Starting Busybox
Figure 55. Testing Busybox Tool Sha1sum
Figure 56. Android Block Names
Figure 57. Android Partition Names and Blocks
Figure 58. Starting AFLogical OSE acquisition
Figure 59. Device Capture Options
Figure 60. AFLogical OSE Data Extraction and Transfer
Figure 61. Acquired Data in Remote Folder
Figure 62. An integrity of the evidence image file
Figure 63. Calculating Hash Value of the Evidence Image
Figure 64. Files Containing Acquired Data
Figure 65. Content of SMS File
Figure 66. Content of CallLog Calls File
Figure 67. Autopsy Mounted Partition from the Evidence Image
Figure 68. Viber Database Location and Metadata
Figure 69. Viber Database Structure
Figure 70. Retrieve Data About Message from Table Messages ....................106
Figure 71. Retrieve Data About Calls from Table Messages_Calls ................107
Figure 72. Viber Database Records .................................................................107
Figure 73. Recovered Deleted Picture .............................................................108
Figure 74. Recovered Deleted Picture Metadata .............................................109
Figure 75. MMSSMS Database Structure .......................................................110
Figure 76. Retrieve Data about Calls from Table SMS...................................111
Figure 77. Recovered Deleted Database Record .............................................112
Figure 78. Contact2 Database Structure ..........................................................113
Figure 79. Retrieve Data About Calls from Table Calls .................................114
Figure 80. 59317329_coco Database Structure ...............................................115
Figure 81. Retrieve Data about Chat Message from Table Content ................116
Figure 82. Recovered Evidence Message from Deleted Database Record .....116
Figure 83. Retrieve Data about the Message from Table Content ..................117
Figure 84. Report Summary ............................................................................119
Figure 85. Report of the Evidence Tagged Files and Locations .....................119
Figure 86. IBM Guardium report for the customer complaints.......................120
Figure 87. IP resolution ...................................................................................121
Figure 88. Report from IBM Guardium shows ATTACKER creator .............121
Figure 89. IP address, username, and SQL command .....................................122
Figure 90. IP Address name resolution ...........................................................123
Figure 91. View detailed POM_2015 user-related activities ..........................123
Figure 92. Details of the report about the creation of the user POM_2015 and granted access rights........................................................................................124
Figure 93. A forensic report related to deleted data in the table .....................125
Figure 94. Report on details of creation and assignment of privileges for the user TRON555 ........................................................................................................125
Figure 95. View exception rules for users who are not treated through IBM Guardium.........................................................................................................126
Figure 96. LogMiner Detailed report for the creation and permitting access for the TRON555 user ..........................................................................................127
Figure 97. Details of the report related to deleting a column in the table .......127

List of Tables

TABLE 1. Audit vs. Digital forensic investigation .................................................. 7
TABLE 2. Reporting Person 1 Data ......................................................................... 85
TABLE 3. Reporting Person 2 Data ......................................................................... 85
TABLE 4. Overview of Logically Acquired Data for Reporting Person 1 ........ 102
TABLE 5. Overview of Logically Acquired Data for Reporting Person 2 ........ 102
TABLE 6. Collected Data about Applications in Investigation Scope .............. 103
TABLE 7. Viber Message and Call Investigation ................................................. 104
TABLE 8. SMS Message Investigation .................................................................. 109
TABLE 9. GSM Voice Call Investigation............................................................... 112
TABLE 10. Coco Message Investigation ............................................................... 114
TABLE 11. Quantitative Data about Found Evidence ....................................... 117

Acronyms

ACK Acknowledgement
CERT Centre for Emergency Report Team
CISA Certified Information Security Auditor
CISM Information Security Manager
CISP Certified Information Security Professional
CISO Chief Information Security Officer
CISWG Corporate Information Security Workgroup
CSO Chief Security Officer
DMZ Demilitarised zone
DoS Denial of Service
DDoS Distributed Denial of Service
DML Data Manipulation Language
FTP File Transfer Protocol
HTTP Hyper Text Transfer Protocol
IA Internal Auditor
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronic Engineers
IPX Internetwork Packet Exchange
ISACA Information Systems Audit and Control Association
ISM Information Security Manager
ISMS Information Security Management System
ISO International Standardisation Organisation
ISSEA International Systems Security Engineering Association
IT Information Technology
KPI Key Performance Indicator
LAN Local Area Network
MIB Management Information Base
NIST National Institute of Standards &amp; Technology
NMS Network Management Station
OID Object identifier
OSI Open System for Interconnection
PDCA Plan Do Check Act
QoS Quality of Service
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SQL Simple query language
SYN Synchronize
TCP Transmission Control Protocol
UDP User Datagram Protocol
UPS Uninterruptible Power Supplies
VPN Virtual Private Network
WAN Wide Area Network

References

AccessData. (2006). White paper: MD5 collision – The effect on Computer Forensics. Available from: https://ad-pdf.s3.amazonaws.com/papers/wp.MD5_Collisions.en_us.pdf
Afonin, O. &amp; Gubanov, Y. (2013, May 28). Catching the Ghost: How to Discover Ephemeral Evidence through Live RAM Analysis. Forensic magazine. Available from: http://www.forensicmag.com/article/2013/05/catching-ghost-howdiscover-ephemeral-evidence-through-live-ram-analysis
Appazov, A. (2014). Legal Aspects of Cybersecurity. Faculty of Law University of Copenhagen. Retrieved from: http://justitsministeriet.dk/sites/default/files/media/Arbejdsomraader/Forskning/Forskningspuljen/Legal_Aspects_of_Cybersecurity.pdf
Android. (2017), Application Security, Available from https://source.android.com/security/overview/app-security accessed 25.9.2017
Android. (2017), Platform Architecture, Available from https://developer.android.com/guide/platform/index.html#art accessed 23.12.2017
Ayers, R. Brothers, S and Jansen, W. (2014), Guidelines on Mobile Device Forensics, NIST Special Publication 800-101: Available from http://dx.doi.org/10.6028/NIST.SP.800-101r1, 20.12.2017 [Accessed on 12.01.2019]
Banking and Insurance, 2017 Available from: http://en.finance.siapartners.com/20171211/cyber-incident-response-how-strong-yourincident-response-plan, [Accessed on 20.01.2019]
Boccaccini, M.T. (2002). What Do We Really Know about Witness Preparation? Behav. Sci. Law 20: 161–189. DOI: 10.1002/bsl.472
Burnette, Michael W. “Forensic Examination of a RIM (BlackBerry) Wireless Device.” June 2002. Available from: http://www.rhlaw.com/ediscovery/Blackberry.pdf (accessed 11.1. 2018)
Catts E.P. &amp; Goff M.L. (1992). Forensic entomology in criminal investigations. Annu Rev Entomol. Vol.37:253-272. DOI: 10.1146/annurev.en.37.010192.001345
Carrier, B. and Spafford, E. (2004). An Event-Based Digital Forensic Investigation Framework, The Digital Forensic Research Conference, p23. Available from: https://www.dfrws.org/sites/default/files/session-files/paper-an_eventbased_digital_forensic_investigation_framework.pdf [Accessed on 20.01.2019]
Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (3rd ed.). Elsevier Inc. Available from: http://booksite.elsevier.com/samplechapters/9780123742681/Front_Matter.pdf 309 [Accessed on 11.02.2019]
Cellebrite (2017), Cellebrite's Universal Forensic Extraction Device (UFED), Available from https://www.cellebrite.com/en/home/ (accessed 21.1.2018)
Cosic, J., Cosic, Z., &amp; Baca, M. (2011). An ontological approach to study and manage digital chain of custody of digital Evidence, Journal of Information and Organizational Sciences, 35 (1): 1-13
Chow, K.P. &amp; Shenoi S. (2010, January), Advances in Digital Forensics VI. Sixth IFIP WG 11.9 International Conference on Digital Forensics.
Cho, W. K. T., &amp; Gaines, B. J. (2007). Breaking the (Benford) Law: Statistical Fraud Detection in Campaign Finance. The American Statistician, 61(3), 218-223.
Criminal Justice Degree Schools (2019), Available at: https://www.criminaljusticedegreeschools.com/criminal-justicedegrees/computer-forensic-degree/ [Accessed on 20.02.2019]
Crime Museum, 2019 Edmond Locard, Available at: https://www.crimemuseum.org/crime-library/forensicinvestigation/edmond-locard/ [Accessed on 20.02.2019]
Data, Merriam-Webster 2019 Available at: https://www.merriam-webster.com/dictionary/data [Accessed on 02.07.2019]

Desertcart. (2018), Palm V Hand held PDA, Available from https://www.desertcart.ae/products/15557437-palm-v-hand-held-pda htm [Accessed on 20.01.2019]
Diekmann, A. (2012), Making Use of "Benford's Law" for the Randomized Response Technique, Article in Sociological Methods &amp; Research, DOI: 10.1177/0049124112452525 Available from https://www.researchgate.net/profile/Andreas_Diekmann2/publication/269815391_Making_Use_of_Benford%27s_Law_for_the_Randomized_Response_Technique/links/553bae070cf245bdd766705f.pdf [Accessed on 20.01.2019]
(DFRWS, 2001), A Road Map for Digital Forensic Research Available from: http://dfrws.org/sites/default/files/session-files/a_road_map_for_digital_forensic_research.pdf [Accessed on 02.02.2019]
Edson, J. (2011, July 25). A Brief History of Forensic Science. Australia’s Science Channel. Available from: http://riaus.org.au/articles/a-briefhistory-of-forensic-science/ [Accessed on 20.12.2018]
Forensic, Merriam Webster, 2018, Available at: https://www.merriamwebster.com/dictionary/forensic, [Accessed on 20.12.2018]
Forensics and Benford’s Law. (2018), Event Log Explorer, https://eventlogxp.com/blog/forensics-and-benfords-law/ accessed 20.1.2018
Gadgeter (2018), RIM BlackBerry 950 Review, Available from https://thegadgeteer.com/2001/02/26/rim_blackberry_950_review/ accessed 10.1.2018
Google, 2018, Etymology of word Forensic, Available at: https://www.google.ba/search?rlz=1C1AVNC_enBA595BA595&amp;q=forensic+etymology&amp;spell=1&amp;sa=X&amp;ved=0ahUKEwi9offs6qPeAhVECywKHaDMCM8QBQgnKAA&amp;biw=1366&amp;bih=657 [Accessed on 26.10.2018]
Grand, J. (2002) pdd: Memory Imaging and Forensic Analysis of Palm OS Devices, https://www.researchgate.net/publication/2490864_pdd_Memory_Imaging_and_Forensic_Analysis_of_Palm_OS_Devices (accessed 20.1.2018)
History of Fingerprints, (2018) Crime Scene Forensic, LLC, Available at: http://www.crimescene-forensic.com/History_of_Fingerprints.html [Accessed on 01.11.2018]
IBM Guardium, (2019) IBM Guardium Data Protection for Databases, Available at: https://www.ibm.com/us-en/marketplace/ibm-guardiumdata-protection [Accessed on 01.11.2018]
IBM Knowledge Center, 2013 How a Q Capture program works with the Oracle LogMiner utility, Available at: https://www.ibm.com/support/knowledgecenter/SSTRGZ_10.2.0/com.ibm.swg.im.iis.repl.qrepl.doc/topics/iiyrqcapclogminercnc_ep.html [Accessed on 15.11.2018]

IDC. (2017), Smartphone OS Market Share, 2017 Q1, Available at: https://www.idc.com/promo/smartphone-market-share/os accessed 5.12.2017
IIA, 2019, Institute of Internal Auditors, 2019, Definition of Internal Auditing, 2019, Available at: https://na.theiia.org/standards-guidance/mandatory-guidance/pages/definition-of-internal-auditing.aspx [Accessed on 20.01.2019]
IOCE. (1999). IOCE Principe &amp; Definitions. Available from: https://archives.fbi.gov/archives/about-us/lab/forensicscience-communications/fsc/april2000/swgde.htm [Accessed on 20.01.2019]
Information, Merriam-Webster 2019, Available from: https://www.merriam-webster.com/dictionary/information [Accessed on 20.05.2019]
Information system, Britannica, 2019, Information system, an integrated set of components for collecting, storing, and processing data and for providing information, knowledge, and digital products, 2019 Available from: https://www.britannica.com/topic/information-system [Accessed on 20.01.2019]
Information technology, Merriam-Webster, 2018, Available from: https://www.merriam-webster.com/dictionary/information%20technology, [Accessed on 20.01.2018]
Infosec Institute. (2017), Computer Forensics Salary Data, http://resources.infosecinstitute.com/category/computerforensics/introduction/computer-forensics-salary-data/#gref accessed 19.12.2017
Kaur, R. &amp; Kaur, A. (2012). Digital Forensics. International Journal of Computer Application (0975-8887), 50(5), 2-4. Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7882&amp;rep=rep1&amp;type=pdf [Accessed on 20.01.2019]
International Telecommunication Union. (2014). Understanding cybercrime: phenomena, challenges and legal response. Report. Available from: http://www.itu.int/en/ITU-D/Cybersecurity/Documents/cybercrime2014.pdf [Accessed on 20.01.2019]
Kremic E.; Subasi A.; Hajdarevic K., Face recognition implementation for client server mobile application using PCA, Proceedings of the ITI 2012 34th International Conference on Information Technology Interfaces, Year: 2012 Pages: 435 – 440
Law Enforcement Cyber Center (2017), Available at: http://www.iacpcybercenter.org/officers/digital-evidence/ accessed 15.12.2017

Lee, K. Lee, Y. Lee, H. and Yim, K. (2016), A Brief Review on JTAG Security, 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing DOI 10.1109/IMIS.2016.102
Levin. J, (2015), Android Internals: Power User's View (1st edition), Cambridge: Technologeeks.com
Litchfield D., Oracle Forensic Part 1: Dissecting the Redo Logs, An NGSSoftware Insight Security Research (NISR) Publication ©2007 Next Generation Security Software Ltd.
Logilink, 2019, Available at: http://www.logilink.eu/media/images/produkt/_800/CR0012.png [Accessed on 20.11.2018]
Lynch, V.A. &amp; Duval J.B. (2011). Forensic Nursing Science (2nd ed.). Elsevier Mosby p2
Marcella A. J. and Menendez D. Cyber Forensic, Second Edition, Auerbach Publication, 2008
Massachusetts Digital Evidence Consortium, 2015, Digital Evidence Guide for First Responders, Available from: http://www.iacpcybercenter.org/wp-content/uploads/2015/04/digitalevidence-booklet-051215.pdf [Accessed on 20.11.2018]

Nanda A., 2019 Transaction Management with LogMiner and Flashback Data Archive, Available from: http://www.oracle.com/us/solutions/11gtransactionmanagement-092065.html [Accessed on 20.11.2018]
Nanda A. and Burleson D.K., Oracle Privacy Security Auditing, Rampant Techpress, 2003
National Institute of Justice. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Available from: https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
Nelson, B., Phillips A., &amp; Steuart C. (2015). Guide to Computer Forensics and Investigations (5th ed.). Course Technology. Available from: https://books.google.ba/books?id=PUh9AwAAQBAJ&amp;pg=PA137&amp;dq=what+is+digital+evidence+SWGDE&amp;hl=en&amp;sa=X&amp;ved=0ahUKEwii87LhrqnRAhUCVhQKHTsIAb4Q6AEIMTAB#v=onepage&amp;q&amp;f=false
NIST. (2004). Digital Data Acquisition Tool Specification, Public Review of Version 4.0. Available from: http://www.cftt.nist.gov/Pub-Draft-1DDA-Require.pdf
NIKSUN NetDetector, 2018 Available at: https://www.phoenixdatacom.com/product/niksun-netdetector-packetcapture-network-security-forensics/ [Accessed on 20.12.2018]
Open University, 2018, Different types of digital forensic, Available at: https://www.open.edu/openlearn/science-maths-technology/digitalforensic/content-section-4.3, [Accessed on 20.12.2018]
(Oracle, pp. 79) Database Administrator's Guide, Available at: https://docs.oracle.com/cd/B28359_01/server.111/b28310/onlineredo001.htm#ADMIN11302 [Accessed on 15.02.2019]
Oracle Fine Grained Auditing, Available at: https://www.oracle.com/technetwork/database/security/index083815.html2019 [Accessed on 18.02.2019]
Oracle DBA_FGA_AUDIT_TRAIL Available at: https://docs.oracle.com/cd/B19306_01/server.102/b14237/statviews_3115.htm#REFRN23075 [Accessed on 18.02.2019]
Oracle LogMiner, 2019, Available at: https://www.oracle.com/technetwork/database/features/availability/logmineroverview-088844.html, [Accessed on 25.03.2019]
Pollit, M. (2017, January 15). A history of digital forensics. Available from: https://pdfs.semanticscholar.org/0d15/132439fc1de82724dd06effff5a782eefeac.pdf
Recombu. (2017), Android updates, Available from https://recombu.com/mobile/article/what-is-android-and-what-is-anandroid-phone_M12615.html , accessed 25.09.2017
Renkforce, 2019 Available at: https://www.conrad.com/p/renkforce-rfdocking-06-usb-30-esata-sata-4-ports-hdd-docking-station-1305502 [Accessed on, 14.03.2019]
Road MASSter 2, 2019 Available at: http://dfrt.blogspot.com/2007/01/forensic-tools-hardware.html [Accessed on, 01.03.2019]
Roy, NR. Khanna, AK. Aneja, L (2016), Android Phone Forensic: Tools and Techniques International Conference on Computing, Communication and Automation (ICCCA2016) Available from http://ieeexplore.ieee.org/document/7813792/
Ryder, K. (2002). Computer Forensics – We’ve Had an Incident, Who Do We Get to Investigate? SANS Institute InfoSec Reading Room. Available from: https://www.sans.org/reading-room/whitepapers/incident/computer-forensics-weve-incidentinvestigate-652
ShareTechnote. (2017), Android ADB, Available from http://www.sharetechnote.com/html/Android/Android_ADB.html accessed 25.9.2017
Sapir, G.I. (2007, January 2). Qualifying the Expert Witness: A Practical Voir Dire. Forensic magazine. Available from: http://www.forensicmag.com/article/2007/01/qualifying-expert-witnesspractical-voir-dire
Singh, N and Bansal, R. (2015), Analysis of Benford’s Law in Digital Image Forensics, Signal Processing and Communication (ICSC), 2015 International Conference
Sophos. (2018), 2018 Malware Forecast: ransomware hits hard, continues to evolve, Available from https://news.sophos.com/enus/2017/11/02/2018-malware-forecast-ransomware-hits-hard-crossesplatforms/ accessed 6.1.2018
Smith, W. (1867). Dictionary of Greek and Roman Biography and Mythology Vol 1. Boston: Little Brown and Company p209
SNOW, 2019, The SNOW Home Page, Available at: http://www.darkside.com.au/snow/ [Accessed on, 14.03.2019]
Startribune. (2018), Minnesota detectives crack the case with digital forensics, Available from http://www.startribune.com/when-teens-wentmissing-digital-forensics-cracked-case/278132541/ accessed 10.1.2018
SWGDE, (2013) Best Practices for Computer Forensic, Scientific Working Group on Digital Evidence, Version: 3.0 (September 14, 2013) Available at: https://www.swgde.org/documents/Archived%20Documents/SWGDE%20Best%20Practices%20for%20Computer%20Forensic%20v3-0, [Accessed on, 29.10.2018]
UNODC. (2013). Comprehensive Study on Cybercrime. Available from: https://www.unodc.org/documents/organizedcrime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf
UNODC. (2013). Comprehensive Study on Cybercrime. (V.13-80699) Vienna: United Nations Office on Drugs and Crime
UN. (2000). Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders. (A/CONF.187/10). Available from: https://www.asc41.com/UN_Congress/10th%20UN%20Congress%20on%20the%20Prevention%20of%20Crime/013%20ACONF.187.10%20Crimes%20Related%20to%20Computer%20Networks.pdf
Vandeven, S. (2014). Forensic Images: For Your Viewing Pleasure. SANS Institute InfoSec Reading Room. Available from: https://www.sans.org/reading-room/whitepapers/forensics/forensicimages-viewing-pleasure-35447 [Accessed on, 15.01.2019]
Xplico (2019) Available at: http://www.xplico.org/wp-content/uploads/2008/11/xwi_email.png [Accessed on, 29.01.2019]
Whitecomb, C.M. (2002). An Historical Perspective of Digital Evidence: A Forensic Scientist’s View. International Journal of Digital Evidence 1(1),1-3
Watson, D.A., Jones, A. (2013). Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements (1st ed.). London: Elsevier / Syngress.
Wiley Carol, What Is the Difference Between Computer Forensic &amp; Digital Forensic? Available at: https://careertrend.com/facts-6733855difference-computer-forensic-digital-forensic-.html [Accessed on, 29.01.2019]
Williams A., Leaving a trace: Forensic science through history, BBC, Available at: https://www.bbc.com/timelines/zcq2xnb#zgsg4wx, [Accessed on, 29.10.2018]
Witte de With, 2019 https://www.wdw.nl/en/participants/rodolphe_archibald_reiss [Accessed on, 29.10.2018]
Wright, Paul M. “Oracle forensic” Oracle security best practice, Rampant Techpress; May 2007.
Yeatts, T. (2001) Forensics: Solving the Crime, Available from: http://connection.ebscohost.com/c/articles/15721149/chapter-one-jamesmarsh-toxicology
Index

A
Access control
Active attack
Administrator and operator logs
Applications
Architecture
Artificial
Assessment
Asset
Attacker
Audit
Audit logging
Authenticity
Availability

B
Business Continuity
Business continuity and risk assessment
Business continuity management
Business continuity planning framework

C
Change control procedures
Change management
Clock synchronization
COBIT
Communication
Communications and operations management
Compliance
Computer
Confidentiality
Continuity
Control of internal processing
Control of operational software
Control of technical vulnerabilities
Controls against malicious code
Controls against mobile code
Countermeasure
Crypto

D
Denial of service
Developing and implementing BCP including information security
Disaster
DMZ
Distance vector

E
Electronic
Electronic messaging
Electronic commerce
Equipment identification in the network
Encryption
Escalation

F
Fault
Fault logging
Firewall
Forensic
FTP

G
Gap analysis
Goal, Goals

H
Hardware
Human
Human resources
HRA
HTTP

I
Incident
Including information security in the BCM process
Information access restriction
Information Backup
Information security
Information security incident management
Information systems acquisition, development and maintenance
Infrastructure
Input data validation
Integrity
Interruption
Intrusion detection
IP address
IPX
ISMS
ISO 27000
ITIL

K
Key management
KPI

L
Limitation of connection time
Local area networks

M
MAC address
Management
Media
Message integrity
Metric
Monitoring system use

N
Network
Network controls
Network connection control
Network layer
Network routing control
NMS
Non-Reputability

O
OID
On-line transactions
Output data validation

P
Passive attack
Password management system
Performance
Physical and environmental security
Policy on the use of cryptographic controls
Policy on use of network services
Privilege management
PRA
Proactive
Procedure
Protection of information systems audit tools
Protection of log information
Protection of system test data
Protocol
Publicly available systems

Q
QoS
Quality
Qualitative
Quantitative

R
Recovery
Regulation of cryptographic controls
Regulatory
Remote diagnostic and configuration port protection
Responsibilities and procedures
Restrictions on changes to software packages
Review of user access rights
Risk
Risk management
Router
RTGS

S
SABSA
Secure disposal
Secure log-on procedures
Security
Security of network services
Security of system documentation
Security requirements analysis and specification
Segregation in networks
Separation of development, test and operational facilities
Server
Session time-out
SMTP
SNMP
Software
Spyware
SQL
Switch
SYN
System acceptance

T
TCP / IP
Technical compliance checking
Technical review of applications after operating system changes
Terminal
Testing, maintaining and reassessing business continuity plan
Threat
Trojan

U
UDP
Unicast
UPS
Use of system utilities
User authentication for external connections
User identification and authentication
User password management
User registration
Utilities

V
Virus
Virtual Private Network
Visualisation
VPN
Vulnerability

W
WAN
Web
Wide area networks
Wireless
Worm

X
XML

About authors
Kemal Hajdarevic PhD, received B.Sc. from the Faculty of Electrical
Engineering, University of Sarajevo, Bosnia and Herzegovina, M.Sc. and
PhD from Leeds Metropolitan University/Leeds Beckett University, Leeds,
UK. He is currently working at the Central Bank of Bosnia and Herzegovina
as a Senior Internal Auditor for Information Security and IT projects, and he
has a teaching position at the Faculty of Electrical Engineering, University of
Sarajevo.
Nermin Ziga MSc, received MSc from International Burch University.
Nermin is an employee of Raiffeisen Bank, where he works as an Information
Security Officer within Raiffeisen Bank’s Security Department.
Mirza Halilovic MSc, received MSc and BSc from the Faculty of Electrical
Engineering, University of Sarajevo. Mirza is the Head of IT department for
monitoring, security, and data protection at BH Telecom d.d. Sarajevo.

Dr. Hamid Jahankhani: The area of “Digital Forensics” and its challenges, is clearly one
of the key issues facing both the scientific community, industries and other users alike.
Clearly understanding the digital forensics in a step by step format would help the
practitioners in this fast paced technology development era. I welcome this new book on
"Digital Forensics Essentials" which also aims to address some of the emerging issues.
Looking at the table of content there are clearly a number of interesting areas of research and
hence this book will undoubtedly help researchers and practitioners alike. In my opinion the
scope and coverage of this book adequately represent a balanced review of the digital forensics
subject. I feel the primary audience for this book would be Researchers, Practitioners, PhD
and Postgraduate students.
I highly recommend this book.
Dr. Jasmin Azemovic: We are facing turbulent events in cyberspace, and digital forensics
is one of the dominant research topics which is continuously being updated with the latest
scientific advancements. Innovations in digital revolution are evident and this book will help
to face new challenges in digital era with goal to fight against crime in the cyberspace and
committed with, and against digital infrastructures.
Dr. Colin Pattinson: History has shown that, whenever a powerful new technology is
developed, the desire to misuse that power soon follows. The field of computer network
technology is no exception. Indeed IT misuse, whatever the underlying motivation, must be
one of the most frequent forms of unwanted activity there is.
The ability to determine that an event has taken place, to learn from it and - hopefully - to
prevent it occurring again is a prime motivation for a forensic analysis. Understanding of
any losses have occurred, and building a legally sustainable case against the perpetrators
requires even higher levels of information gathering and retention. It is therefore important
that the skills and knowledge necessary to conduct such analysis are available to
organisations when needed.
This book provides a grounding in the tools and techniques necessary to investigate a range
of attacks, showing the importance of a structured, logical and methodical approach.
It is recommended for graduate students and those specialising in IT forensics.
</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <collection collectionId="4">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26318">
                  <text>BOOKS</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26311">
                <text>Essentials of Digital Forensics </text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26312">
                <text>Kemal Hajdarević, Nermin Ziga and Mirza Halilovic</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26313">
                <text>Information available on the Internet Live Stats web site
(www.internetlivestats.com) indicates that 40 percent of the world’s population is
using the Internet. Media report almost daily on different cyber and digital
security incidents. Many more similar incidents have never been reported,
or they have been reported years after they had occurred, because
they could have jeopardised ongoing law enforcement investigations
or because they could have been embarrassing and thus negatively affected
the reputation of the victim – an organisation or a person.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26314">
                <text>digital forensics</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26315">
                <text>International Burch University</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26316">
                <text>July, 2019</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="2370" public="1" featured="0">
    <fileContainer>
      <file fileId="3424">
        <src>https://omeka.ibu.edu.ba/files/original/efe882f3fc7fba2eeb30756f84f93121.pdf</src>
        <authentication>dd8b19ee9d44647a225463096b694a16</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="19034">
                    <text>3rd International Symposium on Sustainable Development, May 31 - June 01 2012, Sarajevo

Estimating The Number Of Daily Patient Applications By Using Artificial Neural
Networks

İbrahim Güngör1, Sezgin Irmak1, Mehmet Özer Demir2
1Akdeniz University, Alanya Faculty of Business, Alanya/Antalya, Turkey
2Akdeniz University, Alanya Faculty of Engineering, Alanya/Antalya, Turkey
E-mails: igungor@akdeniz.edu.tr, sezgin@akdeniz.edu.tr, mozerdemir@akdeniz.edu.tr

Abstract
This study is aiming at estimating the patient volumes of hospitals by using artificial neural
networks. In order to train the artificial neural network models in this study, historical patient
applications data from a Turkish hospital were used. All patient applications were counted as daily
numbers over three years, and the dependent variable of our study (patient_count) was derived. A
different approach was used in this study: instead of a single independent variable (which is
time), four different time periods were used as input variables of the artificial neural network
models. These input variables were day of month, day of week, month, and year. Several
artificial neural network models have been generated and compared with each other by their
predictive performance measures. The best predictive artificial neural network architecture
has an estimation accuracy of 94.22 percent. This artificial neural network model has an input
layer with four neurons, an output layer with one neuron, and only one hidden layer with
nineteen neurons. The arithmetic mean of patient application in a day is 755.93
(S.d.=486.60). Mean error of the artificial neural network model is -0.047 and mean absolute
error is 105.64. The linear correlation between the actual values and the predicted values of
the number of patients is 0.918.

Keywords: artificial neural networks, decision support systems, modeling, estimation,
hospital management.

1. INTRODUCTION
The study of artificial neural networks was inspired by attempts to simulate biological neural
systems. Analogous to human brain structure, an artificial neural network is composed of an
interconnected assembly of nodes and directed links (Tan et al., 2006). Artificial neural
networks have been used in many types of applications and research studies in different
areas. These areas include computer security systems, business management, decision
making, finance, tourism, chemistry, transportation, medical applications and so on. Artificial
neural networks can do classification, pattern recognition, optimization, estimation, and time
series prediction tasks. All these tasks can be used for getting valuable information for
business decision making and planning purposes.

The healthcare sector is a critical service sector that is highly people oriented and very intensive.
Therefore forecasting is very important for planning next month’s, next week’s, and next day’s
personnel or operations. One of the most important variables to forecast is the number of
patient applications to the hospitals. In this study artificial neural networks are used for
estimating the number of daily patient applications to a hospital. Three types of
neural networks, differentiated by their input variables, are examined in this study. In
the first one, only time index value was used as an input variable. In the other one, day of
year, day of week, month, season, and year were used as input variables. Then the results of
these two networks were compared.

2. ARTIFICIAL NEURAL NETWORKS
Artificial neural networks are one of the most accurate and widely used forecasting models
(Khashei &amp; Bijari 2010) that are used extensively to model complex relationships between
input and output data sequences, and to find hidden patterns in data sets. An artificial neural
network is a computational model that emulates the essential features and operations of
biological neural networks (Pintér 2011). The human brain consists primarily of nerve cells
called neurons, linked together with other neurons via strands of fiber called axons. Axons
are used to transmit nerve impulses from one neuron to another whenever the neurons are
stimulated. A neuron is connected to the axons of other neurons via dendrites, which are
extensions from the cell body of the neuron. The contact point between a dendrite and an
axon is called synapse. Neurologists have discovered that the human brain learns by changing
the strength of the synaptic connection between neurons upon repeated stimulation by the
same impulse (Tan et al. 2006).

2.1. The Structure of an Artificial Neuron

Every neuron in an artificial neural network represents an autonomous computational unit
and receives as inputs a series of signals that dictate its activation. Following activation, every
neuron produces an output signal. All the input signals reach the neuron simultaneously, so
the neuron receives more than one input signal, but it produces only one output signal. Every
input signal is associated with a connection weight. The weight determines the relative
importance the input signal can have in producing the final impulse transmitted by the
neuron. The weights are adaptive coefficients that, in analogy with the biological model, are
modified in response to the various signals that travel on the network according to a suitable
learning algorithm. A threshold value, called bias, is usually introduced. Bias is similar to an
intercept in a regression model (Giudici 2005). The components of an artificial neural
network neuron are shown in Figure 1.


[Figure 1 diagram; labels: Inputs with weights W1, W2, ..., Wn; bias with weight W0; Σ: Combination function; f: Activation (or transfer) function; Output]

Figure 1. Components of an Artificial Neuron (Irmak 2009)

The combination function commonly uses the standard weighted sum which is the summation
of the input attribute values multiplied by the weights that have been assigned to those
attributes, to calculate a value to be passed on to the transfer function. The transfer function
applies either a linear or non-linear transformation to the value passed to it by the
combination function. The hidden layer then employs this transfer function in moving data to
the output nodes (Kros et al. 2006). The types of activation functions have very important
influences on the learning speeds, classification correct rates and non-linear mapping
precisions of artificial neural networks (Daqi &amp; Genxing 2003).

2.2. The Architecture of Artificial Neural Networks
Although researchers have studied numerous different neural network architectures, the most
successful applications of neural networks have been multilayer feed-forward networks.
These are networks in which there is an input layer consisting of nodes that simply accept the
input values, and successive layers of nodes in the next layer. The last layer is called the
output layer. Layers between the input and output layers are known as hidden layers. A feedforward artificial neural network is a fully connected network with a one-way flow and no
cycles (Shmueli et al. 2007). Artificial neural networks have been extensively applied in
various fields of science and engineering. It is mainly because feed-forward neural networks
have universal approximation capability (Wang &amp; Xu 2010). Single hidden layer feedforward network is the most widely used model form for time series modeling and
forecasting (Zhang et al. 1998). Architecture of a feed-forward artificial neural network with
a single hidden layer is given in Figure 1.


[Figure 2 diagram; labels: Input layer (x1, x2, x3, x4); connection weights w1,5, w1,6, w1,7, ..., w4,5, w4,6, w4,7; Hidden layer (h5, h6, h7); Output layer (y)]

Figure 2. A Feed-Forward Artificial Neural Network (Walczak 2012)

Feed-forward artificial neural networks with one hidden layer are mathematically expressed
in a simplified form as

where for 0 ≤ j ≤ n, bj ∈ R are the thresholds, wj ∈ Rs are the connection weights, cj ∈ R are
the coefficients, ⟨aj ⟩ is the inner product of wj and , and σ is the activation function of the
network. In many fundamental network models, the activation function is the sigmoidal
function of logistic type (Anastassiou 2011).

3. ESTIMATING THE NUMBER OF PATIENTS USING ARTIFICIAL NEURAL
NETWORKS

This study is aiming at estimating the patient volumes of hospitals by using artificial neural
networks. In order to train the artificial neural network models in this study, historical
numbers of patient data from a Turkish hospital were used. Data were gathered from the main database
of the hospital. All patient applications during 3 years were counted as daily numbers, and the
dependent variable of our study (patient_count) was derived. This daily time series data set was
used along with day, month, year, and day of week variables.

In the first model, only the time index value was used as an input variable. The best artificial neural
network architecture of this model has one neuron in the input layer, three neurons in only
one hidden layer, and one neuron in the output layer. The prediction accuracy of this network
is 82.94%. The mean absolute error of this network’s predictions is 383.76 while the mean
number of patient applications to the hospital is 755.93.

Day of week variable was added to the second artificial neural network model in order to
represent the changes in the different days of a week, especially the dramatic changes
between the weekdays and the weekend. The final topology of this model has eight neurons
in the input layer, three neurons in the hidden layer, and one neuron in the output layer. This
model has 91.67% prediction accuracy and 139.18 mean absolute error. The error rate is
considerably lower than the first model. The reason is that, this model has an ability to
represent the fall in the number of patient applications in the weekends.

The third model of this study has four variables that may represent significant changes in
patient numbers in a year. These variables are year, month, day, and day of week. This model
has four neurons in the input layer, nineteen neurons in one hidden layer, and one neuron in
the output layer. The final network of this model has the highest prediction accuracy that is
94.22 percent, and the lowest error rate. Mean absolute error of this model is 105.64 and the
linear correlation between the actual values and the predicted values of the number of patients
is 0.918.
The third model of this study is the best predictive artificial neural network model to predict
the next days’ patient application volumes to the hospital. Table 1 summarizes the results of
the artificial neural network models.

Table 1. The Results of Artificial Neural Network Models
Model No | ANN Topology | Input Variables | Prediction Accuracy (%) | Mean Absolute Error (MAE) | Linear Correlation (r)
Model-1 | 1:3:1 | Time Index | 82.943 | 383.760 | 0.197
Model-2 | 8:3:1 | Time Index, Day of Week | 91.669 | 139.186 | 0.893
Model-3 | 4:19:1 | Year, Month, Day of Month, Day of Week | 94.223 | 105.643 | 0.918

A total of 1095 days’ data were used for training the neural network models. Generally time
series forecasting could be made up to ten percent of the number of data points. In this study
1095 days’ data were used for predicting 120 days’ number of patient applications. Actual
values of patient applications were gathered from hospital database. The actual values and the
predicted values of three artificial neural network models are given in Figure 3. As seen from
the figure, the predictions of the first model represent the trend but do not reflect daily
distinctions. The predictions of the third model best fit to the actual values.

Figure 3. Actual Numbers of Patient Applications and the Predicted Values

4. CONCLUSION
The main strength of artificial neural networks is their high predictive performance. Their
structure supports capturing very complex relationships between predictors and a response
(Shmueli et al. 2007). In this study time points were used as predictors to estimate patient
volume of a hospital. Estimating the future volumes of patients is an important issue for
decision making processes of hospital and healthcare sector managers.
Three types of artificial neural network models were generated in this study. The third model
which has four input neurons as day of month, day of week, month, and year, showed better
predictive results. This result is strongly related to the structure of artificial neural networks.
Because artificial neural networks have flexible structures that capture very complex
relationships, they can show better results when detailed input information are given to the
artificial neural network model. More detailed studies can be implemented to reveal
sophisticated information about the predictive performances of artificial neural networks.
REFERENCES
Anastassiou, G. A. (2011). Multivariate Sigmoidal Neural Network Approximation. Neural
Networks (24), 378-386.

Daqi, G. &amp; Genxing, Y. (2003). Influences of Variable Scales and Activation Functions on
the Performances of Multilayer Feedforward Neural Networks, Pattern Recognition (36),
869-878.
Giudici, P. (2005) Applied Data Mining: Statistical Methods for Business and Industry, John
Wiley &amp; Sons, West Sussex, England.
Khashei, M. &amp; Bijari, M. (2010). An Artificial Neural Network (p,d,q) Model for Time
Series Forecasting. Expert Systems with Applications (37), 479-489.
Kros, J. F., Lin, M., &amp; Brown, M. L. (2006). Effects of the Neural Network s-Sigmoid
Function on the KDD in the Presence of Imprecise Data, Computers &amp; Operations Research
(33), 3136-3149.
Irmak, S. (2009). Veri Madenciliği Yöntemleri ile Sağlık Sektörü Veritabanlarında Bilgi
Keşfi: Tanımlayıcı ve Kestirimci Model Uygulamaları (Knowledge Discovery in Health
Sector Databases by using Data Mining Methods: Applications of Descriptive and Predictive
Models), Unpublished doctoral dissertation, Akdeniz University, Antalya, Turkey.
Pintér, J. D. (2012). Calibrating Artificial Neural Networks by Global Optimization. Expert
Systems with Applications 39(1), 25-32.
Shmueli, G, Patel, N. R., &amp; Bruce, P. C. (2007). Data Mining for Business Intelligence:
Concepts, Techniques, and Applications in Microsoft Office Excel with XLMiner, John
Wiley &amp; Sons, Hoboken, NJ, USA.
Tan, P.-N., Steinbach, M., &amp; Kumar, V. (2006). Introduction to Data Mining, Pearson,
Addison-Wesley, Boston, MA, USA.
Walczak, S. (2012). Methodological Triangulation using Neural Networks for Business
Research, Advances in Artificial Neural Systems, 1-12. doi:10.1155/2012/517234
Wang, J. &amp; Xu, Z. (2010). New Study on Neural Networks: The Essential Order of
Approximation. Neural Networks (23), 618-624.
Zhang, G., Patuwo, B. E., &amp; Hu, M. Y. (1998). Forecasting with Artificial Neural Networks:
The State of the Art. International Journal of Forecasting (14), 35-62.

</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="19028">
                <text>1105</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="19029">
                <text>Estimating The Number Of Daily Patient Applications By Using Artificial Neural  Networks</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="19030">
                <text>İbrahim Güngör, Güngör</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="19031">
                <text>This study is aiming at estimating the patient volumes of hospitals by using artificial neural networks. In order to train the artificial neural network models in this study, historical patient applications data from a Turkish hospital were used. All patient applications were counted as daily numbers over three years, and the dependent variable of our study (patient_count) was derived. A different approach was used in this study: instead of a single independent variable (which is time), four different time periods were used as input variables of the artificial neural network models. These input variables were day of month, day of week, month, and year. Several artificial neural network models have been generated and compared with each other by their predictive performance measures. The best predictive artificial neural network architecture has an estimation accuracy of 94.22 percent. This artificial neural network model has an input layer with four neurons, an output layer with one neuron, and only one hidden layer with nineteen neurons. The arithmetic mean of patient application in a day is 755.93 (S.d.=486.60). Mean error of the artificial neural network model is -0.047 and mean absolute error is 105.64. The linear correlation between the actual values and the predicted values of the number of patients is 0.918. Keywords: artificial neural networks, decision support systems, modeling, estimation, hospital management.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="19032">
                <text>2012-05-31</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="19033">
                <text>Conference or Workshop Item
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
    <tagContainer>
      <tag tagId="6">
        <name>H Social Sciences (General)</name>
      </tag>
    </tagContainer>
  </item>
  <item itemId="3172" public="1" featured="0">
    <fileContainer>
      <file fileId="3940">
        <src>https://omeka.ibu.edu.ba/files/original/f608ee547bacf0a6cc6e18c1511353ad.pdf</src>
        <authentication>c716771f4c42ef1a863c85b804d79d6e</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="24393">
                    <text>Estimation of Phenotypic and Genetic Parameters and Effect of Some
Factors on Birth Weight in Brown Swiss Calves in Turkey Using
MTDFREML
Uğur Zülkadir
Department of Animal Science, Faculty of Agriculture,
Selcuk University, 42075, Konya / Turkey
uzulkad@selcuk.edu.tr
İsmail Keskin
Department of Animal Science, Faculty of Agriculture,
Selcuk University, 42075, Konya / Turkey
ikeskin@selcuk.edu.tr
İbrahim Aytekin
Department of Animal Science, Faculty of Agriculture,
Selcuk University, 42075, Konya / Turkey
aytekin@selcuk.edu.tr
Adel Salah Khattab
Department of Animal Production, Faculty of Agriculture,
Tanta University, EGYPT
adelkhattab@yahoo.com
Abstract: The objective of this study was therefore to assess the influence of the age of dam,
sex of calf, birth type, season and year of birth of the calf on birth weight and to estimate
phenotypic and genetic parameters for birth weight for Brown Swiss cattle in Turkey using
Multiple Trait Derivative Free Restricted Maximum Likelihood (MTDFREML). A total of
1437 calf birth weight records of Brown Swiss cows raised at Altınova State Farm in Konya
Province were used for estimation of phenotypic and genetic parameters for calf birth weight.
Phenotypic and genetic parameters were estimated by MTDFREML programme using a
Single Trait Animal Model (STAM). The model included additive direct effect, maternal
permanent environment and errors as random effects, birth type, sex of calf, season of birth,
year of birth and age of dam as fixed effects. Calf birth weight least square mean was
determined as 39.20 ± 2.42 kg, the direct heritability (h2a), maternal heritability (h2m) and the
repeatability (r) of calf birth weight were calculated as 0.12 ± 0.06, 0.15 ± 0.006 and 0.12 ±
0.06, respectively. The breeding value of dam, sire and calves were calculated. Minimum and
maximum breeding value of calves and its accuracy were -1.037 ± 0.66, 0.979 ± 0.68, 0.41
and 0.45, respectively. The effect of birth type, sex of calf, season of birth, year of birth and
age of dam on calf birth weight were significant (P&lt;0.01).
Key Words: Birth weight, Brown Swiss, Breeding value, Repeatability, Heritability

Introduction
One of the important breed characteristics in cattle breeding is calf birth weight. Since birth weight is
considered as an initial reference point with regard to subsequent development of individual as well as other
characteristics, this trait is of critical importance to cattle industry. It is demonstrated that calves having too small
live weight at birth may lack vigor and tolerance to external condition, whereas various degrees of dystocia may
occur in calves that are too large at birth. Besides these extremes, heifers having high birth weight grow fast and
produce more beef (Bakır et al., 2004). These heifers also can reach mature weight to produce offspring at an
earlier age and subsequently, milk production, as described by Ilaslan et al. (1978). In addition to these
statements, some researchers have demonstrated similar evidence (Kaygısız et al., 1995; Kaygısız, 1998;
Akbulut et al., 1998; Akbulut et al., 2001).
A study of birth weights as a measure of the prospective value of the calf is therefore justified since it is
one of the first measures that can be obtained and also one of the easiest to record with reasonable accuracy
(Dawson, 1965).
Growth in beef cattle has been extensively studied in part because of the economic value of growth in
this type of farmed livestock. However, growth in dairy cattle has not been studied so extensively, particularly
the genetic component of growth. Groen and Vos (1995) estimated the heritability of growth at different stages
prior to first calving in Holstein heifers, and Korver et al., (1991) estimated genetic parameters for feed intake
and feed efficiency in growing Holstein heifers. Demeke et al., (2003) estimated heritabilities for BW at various
stages of life for a range of European and indigenous breeds and their crosses in Ethiopia (Coffey, 2006).
Genetic selection in dairy cattle is applied to traits that are measured during the animal’s productive life,
mostly those recorded during early productive life as genetic evaluations are best calculated from unbiased, early
data. Consequently, much genetic research on correlated responses has focused on traits that change after
lactation has started. For example, Pryce et al., (1999) showed that selection for yield would result in a decline in
fertility and an increase in mastitis and lameness, as the genetic correlation between yield and these traits is
unfavorable (Coffey, 2006). The practice of calving dairy heifers for the first time at 24 months of age has been
adopted as a result of research and extension demonstrating the economic benefits (Hoffman and Funk, 1992).
In order to avoid any detrimental effects and negative physiological activities of animals, the animals
should be used at as early an age as possible to produce maximum yield later.
The objective of this study was therefore to assess the influence of the age of dam, sex of calf, birth type,
season and year of birth of the calf on birth weight and to estimate phenotypic and genetic parameters for birth
weight for Brown Swiss cattle in Turkey using MTDFREML.

Material and Method
A total of 1437 birth weight records of Brown Swiss calves raised in intensive conditions at the
Altınova State Farm in Konya Province were used. Records covered the period from 1993 to 1998. The 1437 calves, 618
dams and 42 sires constituted pedigree data. Data were analyzed with a derivative-free algorithm (Smith and
Graser, 1986) using MTDFREML. To ensure global convergence, the algorithm by Boldman et al. (1995) was
restarted with estimates until the log likelihood did not change at the fourth decimal. The solutions given are
from the final round of iteration. A maternal permanent environmental effect was included to account for
repeated measures. Data were analysed by least squares techniques using the general linear models procedure of
Harvey (1987). The differences between the factor levels were determined using the Duncan multiple
comparison test (Düzgüneş, 1993). Experiment was carried out according to Selcuk University Faculty of
Agriculture guidelines.
The full model in the analysis included the fixed effects of birth type (1 and 2), sex of calf (1 and 2),
season of birth (1, 2, 3 and 4), year of birth (1993, 1994, 1995, 1996, 1997 and 1998), age of dams (2, 3, 4, 5, 6,
7 and 8) and the random effects of individuals and errors.
Variance components were estimated using the following animal model:
Y = Xβ + Za + Wm + Sp + e
where;
Y = a vector of the observations,
β = a vector of fixed effects (birth type = 1 (single) and 2 (twin); sex of calf = 1 (male) and 2 (female);
season of birth = 1 (spring), 2 (summer), 3 (autumn) and 4 (winter); year of birth = 1993, 1994,
1995, 1996, 1997 and 1998)
a = a vector of animal direct genetic effects
m = a vector of random maternal genetic effects
p = a random vector of maternal permanent environmental effects
e = a vector of random error
To estimate heritability (h2) and repeatability (r) the following equation was used:

$h^2 = \sigma_a^2 / (\sigma_a^2 + \sigma_m^2 + \sigma_{am} + \sigma_p^2 + \sigma_e^2)$

$r = (\sigma_a^2 + \sigma_p^2) / (\sigma_a^2 + \sigma_m^2 + \sigma_{am} + \sigma_p^2 + \sigma_e^2)$
The mixed model equations (MME) for the best linear unbiased estimator (BLUE) of estimable
functions of b and for the best linear unbiased prediction (BLUP) of a, m and p in matrix notation were as
follows:

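$$
\begin{pmatrix}
X'X &amp; X'Z &amp; X'W &amp; X'S \\
Z'X &amp; Z'Z + A^{-1}\alpha_1 &amp; Z'W + A^{-1}\alpha_2 &amp; Z'S \\
W'X &amp; W'Z + A^{-1}\alpha_2 &amp; W'W + A^{-1}\alpha_3 &amp; W'S \\
S'X &amp; S'Z &amp; S'W &amp; S'S + I\alpha_4
\end{pmatrix}
\begin{pmatrix} \hat{b} \\ a \\ m \\ p \end{pmatrix}
=
\begin{pmatrix} X'y \\ Z'y \\ W'y \\ S'y \end{pmatrix}
$$

where $\alpha_1 = \sigma_e^2 / \sigma_a^2$, $\alpha_2 = \sigma_e^2 / \sigma_{am}$, $\alpha_3 = \sigma_e^2 / \sigma_m^2$ and $\alpha_4 = \sigma_e^2 / \sigma_p^2$.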

Results and Discussion
Unadjusted mean and standard deviation (SD) for CBW was 39.20 ± 2.42 kg, Table 1. The estimated
mean of CBW was higher than those found for beef cattle by Dawson (1965); and also the present mean was
lower than those reported for Holstein by Plum (1965). The estimated mean of CBW was similar to those found for
Brown Swiss by Yanar et al. (1999) (38.50) using another herd of Brown Swiss in Turkey. The differences
between these reported means can be due to the difference between breeds or some macro environmental
conditions.
Traits | Mean | s.d. | CV %
Calf Birth Weight (CBW) | 39.20 | 2.42 | 6.19

Observations
No. of records | 1437
No. of cows | 618
No. of sires | 42
No. of dams | 77
Animals in relationship matrix (A⁻¹) | 2097
Mixed Model Equations (MME) | 4834
No. of iterations | 35

Estimates
-2 log L | 3643.758
σ²a | 0.54844
σ²m | 0.69107
σam | -0.61564
σ²p | 0.0000716219
σ²e | 3.98718
h²a | 0.12 ± 0.06
h²m | 0.15 ± 0.006
ram | -1.00 ± 0.289
r | 0.12 ± 0.06

σ²a = Additive genetic variance, σ²m = Maternal genetic variance, σam = Maternal genetic covariance,
σ²p = Permanent environmental variance, σ²e = Temporary environmental variance, h²a = Direct
heritability, h²m = Maternal heritability, ram = Direct-maternal genetic correlation, r = Repeatability, -2
log L = log likelihood

Table 1. Estimation of (co)variance components, genetic parameters and data structure, unadjusted mean (kg),
standard deviation (s.d.) and coefficient of variation (CV%), number of mixed model equations and number of
iterations for Calf Birth Weight (CBW)
The heritability estimate for calf birth weight was 0.12 (Table 1). This estimate was lower than those
reported by Plum (1965); Ahunu (1997); Burrow (2001); Coffey (2006) and Demeke (2003), and similar to
those reported by Dawson (1965); Demeke (2003); Kaygısız (1998) and Bakır et al. (2004).
The repeatability estimate of birth weight (Table 1) was 0.12 in the herd. Similarly, this estimate was
lower than those reported by Euclides et al. (1991); Ulusan (1992) and Bakır et al. (2004), and higher
than that reported by Bakır and Söğüt (1998). According to this result, it can be said that the genetic
variation is low; therefore mass selection will be ineffective with respect to birth weight in this herd.
Instead, the regulation of environmental conditions may be recommended.
Table 2 shows the mean calf birth weight and standard deviations, R2 value, total and residual sum of
squares of calf birth weight according to birth type, sex of calf, season of birth, year of birth and age of dam. The
effect of birth type, sex of calf, season of birth, year of birth and age of dam on CBW was significant (P&lt;0.01).
Single-born calves were 2.71 kg heavier than twin-born calves, and male calves were 1.14 kg heavier than female
calves. Calves born in winter had the greatest birth weight and calves born in autumn had the least.
The abundance of fresh and dry feed in summer and autumn might have resulted in this phenomenon. Year
by year, the birth weight decreased steadily but not necessarily linearly. This might be caused by the
deterioration of the conditions of the farms and/or increased familiarization within the herd. The birth weight
increased with the increase of the maternal age. This increase continued up to 6 years, then decreased again.
Factor             Level         N       LSM ± SD
Birth type         Single (1)    1331    39.57 ± 0.68a
                   Twin (2)      106     36.86 ± 0.21b
Sex of calf        Female (1)    669     37.64 ± 0.12a
                   Male (2)      768     38.78 ± 0.12b
Season of birth    Spring (1)    463     38.09 ± 0.14b
                   Summer (2)    349     38.28 ± 0.15ab
                   Autumn (3)    307     37.93 ± 0.15b
                   Winter (4)    318     38.55 ± 0.15a
Year of birth      1993          216     38.81 ± 0.17a
                   1994          201     38.15 ± 0.18b
                   1995          225     38.53 ± 0.17ab
                   1996          269     38.27 ± 0.16b
                   1997          223     38.06 ± 0.17b
                   1998          303     37.46 ± 0.16c
Age of dam         2             304     37.10 ± 0.16c
                   3             322     37.72 ± 0.15b
                   4             278     38.48 ± 0.16a
                   5             201     38.55 ± 0.17a
                   6             135     38.91 ± 0.20a
                   7             83      38.30 ± 0.25ab
                   8             114     38.43 ± 0.22a

R2 value                  0.237
Residual sum of square    6447.134797
Total sum of square       8444.475992

a,b Means in a column with different superscripts differ (P &lt;0.01).
Table 2. The least squares means (LSM) and standard deviations (SD), R2 value, total and residual sum of
squares of calf birth weight according to birth type, sex of calf, season of birth, year of birth and age of dam

Breeding values for calves, sires and dams ranged from -1.037 to 0.979, -1.130 to 0.884 and -1.612 to
1.470, respectively. Their accuracies ranged from 0.41 to 0.45 for CBV’s, 0.53 to 0.57 for SBV’s and 0.22 to 0.52
for DBV’s, respectively (Table 3). The direct-maternal genetic correlation (ram) was found to be -1.00 ± 0.289.
This indicates that the maternal component must be taken into account in selection.

Birth Weight (kg)    CBV’s            SBV’s           DBV’s
Minimum              -1.037 ± 0.66    -1.13 ± 0.63    -1.612 ± 0.72
Maximum              0.979 ± 0.68     0.884 ± 0.61    1.470 ± 0.63
Range                2.016            2.02            3.082
Accuracy             0.41 to 0.45     0.53 to 0.57    0.22 to 0.52

Table 3. Range of predicted breeding values of calves (CBV’s), sires (SBV’s) and dams (DBV’s) and their
accuracy for birth weight (kg)
If there is a problem with vitality because of low birth weight, selection can be made for high
breeding value in order to increase vitality. In addition, Table 3 shows the importance of the dam, since it gave
the higher range of breeding values for birth weight. Thus, selection of dams for the next generation would lead to
higher genetic improvement in the herd. Also, Table 3 shows that the accuracy of the estimates of sire breeding
values was higher than the accuracy of dam breeding values and calf breeding values, which may be due to the
higher number of progeny per sire.
The breeding values (EBV) were estimated with MTDFREML, and the trends in breeding values
by year are presented in Figure 1.

Figure 1. Mean breeding values of birth weight for DBV, Weighted Mean of SBV, CBW and SBV
according to the years.
According to Figure 1, positive trends can be seen in the breeding values of CBVs and the weighted mean of
SBVs. However, no positive or negative trend in DBVs was observed over the years. The weighted mean of
SBVs was calculated to determine whether the bulls used for breeding in each year were chosen correctly.
Looking at the values of both the weighted mean of SBVs and the SBVs in the same years, it can be seen that
the bulls used in breeding programs were chosen correctly. Accordingly, the success of selection increased from
1993 to 1998. To obtain high birth weight, animal breeding values should be determined,
environmental conditions must be well organized and the selection of animals must be done in a proper manner.
Genetic parameters should be calculated from time to time, and selection must be made according to these criteria.

Acknowledgments
This research was supported by the Coordinatory of Scientific Research Projects of Selcuk University, Turkey.
We are thankful to Konuklar State Farm for providing data.

References
Ahunu, B.K., Arthur, P.F., &amp; Kissiedu, H.W.A. (1997). Genetic and Phenotypic Parameters for Birth and Weaning Weights
of Purebred and Crossbred Ndama and West African Shorthorn Cattle. Livest. Prod. Sci. 51: 165-171.
Akbulut, Ö., Tüzemen, N., Yanar, M., &amp; Aydın, R. (1998). Esmer Sığırlarda Erken Dönem Canlı Ağırlık ve Vücut
Ölçülerinin ilk Laktasyon Süt Verimi Özellikleri ile İlişkisi. Atatürk Üniv. Zir. Fak. Derg., 29 (2): 250-258.
Akbulut, Ö., Bayram, B., &amp; Yanar, M. (2001). Estimates of Phenotypic and Genetic Parameters on Birth Weight of Brown
Swiss and Holstein Friesian Calves Raised in Semi Entansif Conditions. Lalahan Hay. Arst. Derg., 41 (2): 11-20.
Bakır, G., &amp; Söğüt, B. (1998). Genetic and Phenotypic Parameter Estimates for Birth in Holstein Calves Raised the
Ceylanpınar State. Doğu Anadolu Tarım Kongresi. Erzurum, 810-816.
Bakır, G., Kaygısız, A., &amp; Ülker, H. (2004). Estimation of Genetic and Phenotypic Parameters for Birth Weight in Holstein
Friesian Cattle. Pakistan J. Biol Sci. 7: 1221-1224.
Boldman, K.G., Kriese, L.A., Van Vleck, L.D., Van Tassell, C.P., &amp; Kachman, S.D. (1995). A Manual For use of
MTDFREML. A Set of Programs to Obtain Estimates of Variances and Covariances (Draft). U. S. Department of
Agriculture, Agricultural Research Service, pp:14.
Burrow, H.M. (2001). Variances and Covariances Between Productive and Adaptive Traits and Temperament in a Composite
Breed of Tropical Beef Cattle. Livest. Prod. Sci. 70:213–233.

Coffey, M.P., Hickey, J., &amp; Brotherstone, S. (2006). Genetic Aspects of Growth of Holstein-Friesian Dairy Cows from Birth
to Maturity. J. Dairy Sci, 89 (1): 322- 329.
Dawson, W.M., Phillips, R.W., &amp; Black, W.H. (1965). Birth Weight as a Criterion of Selection in Beef Cattle. J. Anim. Sci.
6: 247-257.
Demeke, S., Nesera, F.W.C., &amp; Schoemanb, S.J. (2003). Variance Components and Genetic Parameters for Early Growth
Traits in a Mixed Population of Purebred Bos Indicus and Crossbred Cattle. Livest. Prod. Sci. 84: 11-21.
Düzgüneş, O. (1993). İstatistik Metodları (Statistical Methods). Ank. Üniv. Zir. Fak. Yay: 1291, Notebook: 369, Ankara.
Euclides, F.K., Nobre, P.R.C., &amp; Rosa, A.N. (1991). Age of Cow and its Interaction with Herd, Sire and Sex of Calf. Rev
Bras Zootecn, 20: 40-46.
Groen, A.F., &amp; Vos, H. (1995). Genetic Parameters for Body Weight and Growth in Dutch Black and White Replacement
Stock. Livest. Prod. Sci. 41: 201-206.
Harvey, W.R. (1987). Users guide for LSMLMW PC-1 Version mixed model least squares and maximum likelihood
computer program, Ohio State Uni. Columbus, Mimco, USA.
Hoffman, P.C., &amp; Funk, D.A. (1992). Applied Dynamics of Dairy Replacement Growth and Management. J. Dairy Sci. 76:
3179-3187.
Ilaslan, M., Aşkın, Y., Geliyi, C., &amp; Alataş, I. (1978). Body Condition, Milk and Reproductive Traits in Brown Swiss and
Simmental Cattle Raised in Kars Testing Station. Kars Deneme İst., Yay. No: 5, 1-36.
Kaygısız, A., Akyol, I., &amp; Yılmaz, I. (1995). Genetic and phenotypic parameters estimates for birth weight in brown swiss
calves raised at regional school in Van. Journal of Central Animal Research Institute. 5(1-2): 71-73.
Kaygısız, A. (1998). Estimates of Genetic and Phenotypic Parameters for Birth Weight in Brown and Simmental Calves
Raised at Altındere State Farm. Tr. J. of Veterinary and Animal Sci, 22: 527-535.
Korver, S., Van Eekelen, E.A.M., Vos, H., Nieuwhof, G.J., &amp; Van Arendonk, J.A.M. (1991). Genetic Parameters for Feed
Intake and Feed Efficiency in Growing Dairy Heifers. Livest. Prod. Sci. 29: 49-59.
Plum, M., Andersen, H., &amp; Swiger, L.A. (1965). Heritability Estimates of Gestation Length and Birth Weight in Holstein-Friesian Cattle and Their Use in Selection. J. of Dairy Sci. 48 (12): 1672-1675.
Pryce, J.E., Nielsen, B.L., Veerkamp, R.F., &amp; Simm, G. (1999). Genotype and Feeding System Effects and Interactions for
Health and Fertility Traits in Dairy Cattle. Livest. Prod. Sci. 57:193–201.
Ulusan, H.O.K. (1992). The Change of Calf Growth According to Birth Season and Repeatability of Birth Weight in Brown
Swiss Cattle Raised in Elazığ Sugar Factory Farm. Uludağ Üniv. Vet. Fak. Derg., 11: 57-67.
Yanar, M., Tuzemen, N., Yuksel, S., &amp; Turgut, L. (1999). The effects of Individual and Group Rearing on the Characteristics
of the Growth and Development of Brown Swiss Calves. International Animal Husbandry Congress 99, 21-24
September, İzmir, Turkey.

</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="79">
            <name>Extent</name>
            <description>The size or duration of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="24387">
                <text>440</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="24388">
                <text>Estimation of Phenotypic and Genetic Parameters and Effect of Some  Factors on Birth Weight in Brown Swiss Calves in Turkey Using  MTDFREML</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="24389">
                <text>Zülkadir, Uğur
Keskin, İsmail
Aytekin, İbrahim
Khattab, Adel Salah</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="24390">
                <text>The objective of this study was therefore to assess the influence of the age of dam,  sex of calf, birth type, season and year of birth of the calf on birth weight and to estimate  phenotypic and genetic parameters for birth weight for Brown Swiss cattle in Turkey using  Multiple Trait Derivative Free Restricted Maximum Likelihood (MTDFREML). A total of  1437 calf birth weight records of Brown Swiss cows raised at Altınova State Farm in Konya  Province were used for estimation of phenotypic and genetic parameters for calf birth weight.  Phenotypic and genetic parameters were estimated by MTDFREML programme using a  Single Trait Animal Model (STAM). The model included additive direct effect, maternal  permanent environment and errors as random effects, birth type, sex of calf, season of birth,  year of birth and age of dam as fixed effects. Calf birth weight least square mean was  determined as 39.20 ± 2.42 kg, the direct heritability (h2  a), maternal heritability (h2  m) and the  repeatability (r) of calf birth weight were calculated as 0.12 ± 0.06, 0.15 ± 0.006 and 0.12 ±  0.06, respectively. The breeding value of dam, sire and calves were calculated. Minimum and  maximum breeding value of calves and its accuracy were -1.037 ± 0.66, 0.979 ± 0.68, 0.41  and 0.45, respectively. The effect of birth type, sex of calf, season of birth, year of birth and  age of dam on calf birth weight were significant (P&lt;0.01).</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="24391">
                <text>2010-06</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="24392">
                <text>Conference or Workshop Item
PeerReviewed</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
    <tagContainer>
      <tag tagId="15">
        <name>Q Science (General)</name>
      </tag>
    </tagContainer>
  </item>
</itemContainer>
