<?xml version="1.0" encoding="UTF-8"?>
<itemContainer xmlns="http://omeka.org/schemas/omeka-xml/v5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://omeka.org/schemas/omeka-xml/v5 http://omeka.org/schemas/omeka-xml/v5/omeka-xml-5-0.xsd" uri="https://omeka.ibu.edu.ba/items/browse?output=omeka-xml&amp;page=16" accessDate="2026-06-11T16:02:59+01:00">
  <miscellaneousContainer>
    <pagination>
      <pageNumber>16</pageNumber>
      <perPage>10</perPage>
      <totalResults>3494</totalResults>
    </pagination>
  </miscellaneousContainer>
  <item itemId="3456" public="1" featured="0">
    <fileContainer>
      <file fileId="4268">
        <src>https://omeka.ibu.edu.ba/files/original/6b2e464890bd658d55b645c2200671f3.pdf</src>
        <authentication>368e8f19562326e2eedc5b353024065f</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="26402">
                    <text>Journal of Natural Sciences and Engineering, Vol. 2, (2020)
DOI number: 10.14706/JONSAE2020215

Machine Learning in Autism Spectrum Disorder Diagnosis

Naida Nalo¹, Jasmin Kevrić¹

¹ International Burch University, Sarajevo, Bosnia and Herzegovina
naida.nalo@stu.ibu.edu.ba
jasmin.kevric@ibu.edu.ba

Abstract— This paper presents an overview of Machine Learning techniques used in Autism Spectrum Disorder (ASD) diagnosis. ASD is detected through behavioral screening, which is time consuming and can only be administered by a medical professional. The aim is to find a smaller number of features that still provide satisfactory results without losing accuracy, sensitivity or specificity. Among the algorithms most used in recent studies are Artificial Neural Networks (ANN) and Alternating Decision Trees (ADTree). The studies reviewed usually use the WEKA software package to apply the algorithms and obtain results.
Keywords—Machine Learning, Autism Spectrum Disorder, diagnosis, features, ANN, ADTree, WEKA.

1. Introduction

Autism Spectrum Disorder (ASD) is a developmental disorder that manifests as difficulty communicating and interacting with people, restricted interests and repetitive, pattern-like behaviors. Three separate conditions are combined under Autism Spectrum Disorder: Autistic disorder, Asperger's syndrome and Pervasive developmental disorder not otherwise specified (PDD-NOS). Even though ASD can be a lifelong disorder, an early diagnosis and proper treatment can help improve communication skills and overall ability to function. However, the diagnosis sometimes takes a long time, which delays appropriate treatment [1].

Two widely used clinical tools for diagnosing autism are the Autism Diagnostic Interview-Revised (ADI-R) [2] and the Autism Diagnostic Observation Schedule (ADOS) [3]. ADI-R consists of ninety-three questions administered by a clinician, and the process can take up to two and a half hours. ADOS contains four modules that can be used to test children and adults, chosen according to the behavioral and language level of the person being tested. The tool uses a scoring algorithm that produces a diagnosis from the scores of the responses; each module has its own scoring [4]. Finding a faster but still reliable method of diagnosing ASD has become very important, since the earliest treatment gives the greatest chance of improvement.

This paper gives insight into studies conducted on Machine Learning in ASD diagnosis. A brief review of the differences between two versions of the Diagnostic and Statistical Manual of Mental Disorders (DSM-IV [5] and DSM-5 [6]) is also given.

2. Literature review

The ADI-R is one of the two most widely used instruments for behavioral diagnosis of ASD [7]. It is structured as an interview of ninety-three questions and can be applied to individuals from the age of eighteen months. The questions are administered by a trained professional and still take up to two and a half hours to complete. In addition, the gap between the initial screening and the resulting diagnosis can be around thirteen months, depending on the socioeconomic status of the family [8]. This adds a further delay to the early treatment that is crucial for proper development, especially in children. In [9], it was proposed to create an exam that can be conducted in minutes rather than hours while still giving satisfactory results.

Machine learning was used to select, out of the initial ninety-three questions, the subset able to classify a person as either autism or non-spectrum. In total fifteen algorithms were tested, and the one that performed best on the given data was the Alternating Decision Tree (ADTree). Using only eight questions, this classifier correctly classified all individuals diagnosed with ASD who had previously been assessed with the complete set of ninety-three ADI-R questions, and misclassified only one.

However, the reliability of this result was challenged in [10]. That paper stresses the importance of understanding both the computational and the clinical domain before drawing conclusions. The study in [9] was limited by class imbalance and by the exclusion of a large part of the data because of missing values. This reduced the task to a two-class diagnosis where originally there should have been three: the middle class, the ASD Spectrum, which is the hardest to identify, was removed, leaving only the ASD and Non-spectrum cases. [10] recommends the Unweighted Average Recall (UAR), a performance measure better suited to such imbalanced data, and used it when replicating the work of [9]. Their results were algorithm dependent: applying a different algorithm to the same data changed the number of features selected.
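The difference between plain accuracy and UAR on imbalanced data, as an added example (this is not code from the paper or from [10]); the label vectors are constructed here to mimic a sample with 90 ASD and 10 non-spectrum cases:

```python
"""Added example: accuracy versus unweighted average recall (UAR) on an
imbalanced two-class sample. The labels below are constructed for the
demonstration, not taken from any study."""


def accuracy(y_true, y_pred):
    """Fraction of all instances whose predicted label matches the true label."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def unweighted_average_recall(y_true, y_pred):
    """Mean of the per-class recalls; the minority class weighs as much as the
    majority class, so a classifier that ignores it cannot score well."""
    recalls = []
    for c in sorted(set(y_true)):
        members = sum(t == c for t in y_true)
        hits = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        recalls.append(hits / members)
    return sum(recalls) / len(recalls)


# Constructed sample: 90 ASD (1) and 10 non-spectrum (0) instances.
Y_TRUE = [1] * 90 + [0] * 10
# A degenerate classifier that labels everything ASD.
Y_ALWAYS_ASD = [1] * 100
# A classifier that recovers 80 of the 90 ASD and 8 of the 10 non-spectrum cases.
Y_USEFUL = [1] * 80 + [0] * 10 + [0] * 8 + [1] * 2


def compare(y_true, y_pred):
    """Return (accuracy, UAR) for one set of predictions."""
    return accuracy(y_true, y_pred), unweighted_average_recall(y_true, y_pred)


if __name__ == "__main__":
    print("always ASD:", compare(Y_TRUE, Y_ALWAYS_ASD))  # accuracy 0.9, UAR 0.5
    print("useful    :", compare(Y_TRUE, Y_USEFUL))      # accuracy 0.88, UAR 0.844
```

The degenerate classifier scores 90% accuracy while never identifying a non-spectrum case; its UAR of 0.5 is chance level, which is exactly the failure mode [10] warns about when the spectrum class is dropped and the remaining two classes are unbalanced.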

Another important issue, discussed in [4], is the difference between results obtained under DSM-IV and the new DSM-5. From [4] we learn that although both screening methods mentioned above have shown good sensitivity, specificity and high reliability in experiments, most of those studies were based on DSM-IV rather than the new DSM-5 criteria for diagnosing ASD. Several studies cited in [4] reported conflicting results when the two versions of the manual were used. This creates the need to re-evaluate the current diagnostic tools and adjust them to the new criteria.

Combining all the past research and experiments and critically analysing the results, [11] provides suggestions and advice for future projects. The author highlights that none of the screening tools currently in use has incorporated the machine learning algorithms from recent studies. Besides the problem of imbalanced data, the overlap of ASD, ADHD and Asperger syndrome, as well as the different forms of ASD, is another obstacle to diagnosis mentioned in [11]. Most studies simplified the classification by removing these classes and leaving only 'Severe Autism' and 'Non-spectrum' as possible outcomes. This naturally leads to unreliable classifiers with questionable sensitivity, specificity and accuracy.

3. Problem formulation

For this project, three datasets were downloaded from the UCI Machine Learning Repository [12]. They contain ASD screening data for three populations: children, adolescents and adults. The data was collected through a mobile application in the form of a quiz [13]. Each dataset consists of twenty questions, of which ten are behavioral features and the other ten are individual characteristics. The application offers four modules, one per age category: 12-36 months, 4-11 years, 12-16 years and 17 years and older. The ten behavioral questions, which differ depending on the age of the individual, are listed in Table 1 in Appendix 1. The datasets are described in Table 2.

Table 2. Data set characteristics (ASD Screening Data)

Module                 Children   Adolescents   Adults
Number of instances    292        104           704
Number of attributes   21         21            21
Missing values         Yes        Yes           Yes

The first module is based on a current parent-assisted ASD screening tool, the Quantitative Checklist for Autism in Toddlers (Q-CHAT), while the remaining three are based on the appropriate versions of the Autism Spectrum Quotient (AQ), which are considered good screening candidates and are sometimes referred to as 'red flag' instruments. These screening tools were discussed in [4], where it is noted that the ten questions can only indicate whether additional clinical testing is required and do not constitute a definite diagnosis. An analysis of these tools is given in [14]. The next step of this paper is to investigate the datasets and determine how to make the most of them.

4. Machine learning methods

The seven algorithms chosen for the attribute selection process are briefly described in this chapter. BayesNet learns Bayesian networks. The algorithm assumes nominal attributes and no missing values. The structure search is done with the K2 or TAN algorithm; more sophisticated search methods are based on genetic algorithms, hill-climbing, simulated annealing, etc. Counting during the search can be sped up with AD trees (all-dimensions trees, a counting data structure, not to be confused with the Alternating Decision Tree classifier) [15].

SimpleLogistic builds linear logistic regression models, fitting them with LogitBoost using simple regression functions as base learners. The number of iterations is determined by cross-validation, which provides built-in attribute selection [15].

DecisionStump builds one-level decision trees for datasets with a categorical or numeric class. Missing values are treated as a separate value, giving the stump a third branch [15].

J48 builds a pruned or unpruned C4.5 decision tree. C4.5 produces a classifier in the form of a decision tree in which each node is either a leaf or a decision node. A leaf indicates a class; a decision node specifies a test, with one branch and subtree for every possible outcome of the test [16].

Logistic Model Tree (LMT) combines the two most popular methods of classification: linear logistic regression and tree induction. The algorithm yields not only a classification but also explicit class probability estimates. Another advantage of LMT is that it produces a single tree, which makes it easier to interpret [17].

Random Forest combines tree predictors. Each tree depends on the values of a random vector, sampled independently and with the same distribution for all trees in the forest. The generalization error of the forest depends on the strength of the individual trees and the correlation between them, and converges to a limit as the number of trees grows [18].

REPTree is a fast decision tree learner. It builds a decision or regression tree using information gain or variance and prunes it with reduced-error pruning. Values of numeric attributes are sorted only once, which speeds it up [15].

5. Results

The classification procedure of this paper was split into two main parts. The first part applied 10-fold cross-validation with all attributes on all three datasets. n-fold cross-validation splits the original dataset into n parts, of which n-1 are used as the training set and the remaining part as the test set, rotating until every part has served as the test set once [19]. The other method used in this part was a percentage split with three different values: 50%, 70% and 90%. A percentage split separates the original dataset into training and test sets according to the chosen percentage.

Both methods were run with sixteen algorithms, giving 64 results per dataset (16 for cross-validation and 16 for each of the three splits). The second part involved attribute selection. The algorithms for this part were chosen from the results of the first part: only those that gave 100% accuracy on all three datasets were used again. The 10-fold cross-validation results are presented in Table 3 and the percentage-split results in Table 4.

Table 3. 10-fold cross-validation accuracy results

Group      Algorithm                   Child      Adolescent   Adult
Bayes      BayesNet                    100%       100%         100%
           NaiveBayes                  98.9726%   98.0769%     97.017%
           NaiveBayesMultinomialText   51.7123%   60.5769%     73.1534%
           NaiveBayesUpdateable        98.9726%   98.0769%     97.017%
Functions  Logistic                    95.2055%   95.1923%     97.017%
           MultilayerPerceptron        99.6575%   89.4231%     100%
           SimpleLogistic              100%       100%         100%
           SMO                         100%       89.4231%     100%
Lazy       IBk                         88.3562%   90.3846%     94.8864%
Trees      DecisionStump               100%       100%         100%
           HoeffdingTree               100%       99.0385%     99.858%
           J48                         100%       100%         100%
           LMT                         100%       100%         100%
           RandomForest                100%       100%         100%
           RandomTree                  93.1507%   80.7692%     96.1648%
           REPTree                     100%       100%         100%

Table 4. Percentage split accuracy (splits 50%-50%, 70%-30% and 90%-10%; datasets Child, Adolescent and Adult). The split/dataset position of most cells did not survive extraction; the values are listed per algorithm label in the order they were extracted.

Bayes: BayesNet 100%, 100%, 100%; NaiveBayes 98.6%, 96.5%, 96.5%; NaiveBayesMultinomialText 51.36%, 55.68%, 41.37%; NaiveBayesUpdateable 98.6%, 96.5%, 96.5%
Functions: Logistic 93.1%, 89.7%, 93.1%; MultilayerPerceptron 97.2%, 97.7%, 100%; SimpleLogistic 100%, 100%; SMO 96.5%, 100%
Further cells without a surviving row label: 98.07%, 61.53%, 98.07%, 100%, 100%
Adult column cells: 100%, 100%, 54.83%, 50%, 100%, 100%, 100%, 98.01%, 74.14%, 98.01%, 100%, 100%, 98.5%, 97%, 74.88%, 98.57%, 97.14%, 80%
Functions cells: 84.61%, 94.23%, 87.09%, 93.54%, 90%, 96.59%, 94.78%, 95.71%, 80%, then ten cells of 100%, 95.4%, 100%, 92.3%, 93.54%, 80%, 100%, 100%, 100%, 89.04%, 89.7%, 86.2%, 88.46%, 90.32%, 100%, 95.73%, 94.31%, 94.28%
Trees: DecisionStump 100% in all eight extracted cells; HoeffdingTree 98.6%, 100%, 100%, 98.07%, 100%, 100%, 100%, 100%; J48 100% in all eight cells; LMT 100% in all eight cells; RandomForest 100% in all eight cells; RandomTree 93.8%, 94.3%, 82.7%, 67.3%, 74.19%, 100%, 90.99%, 100%; REPTree 100% in all eight cells
Lazy: IBk 100% in all seven extracted cells

The algorithms for the second part of the classification process were chosen according to the accuracies in Table 3. Of the four Bayes algorithms only BayesNet gave 100%; SimpleLogistic was the only one of the four Function algorithms to do so; and among the Tree algorithms DecisionStump, J48, LMT, RandomForest and REPTree reached 100% accuracy on all three datasets. These seven algorithms were used in the attribute selection part. All three datasets originally had 21 attributes, and both methods above used all of them. Attribute selection [20] is the process of selecting the most relevant attributes, which reduces processing time.

In total five attribute evaluators were used in the attribute selection process: ClassifierAttributeEval, CorrelationAttributeEval, ReliefFAttributeEval, CfsSubsetEval and WrapperSubsetEval. They were combined with three search methods: BestFirst, GreedyStepwise and Ranker [15]. ClassifierAttributeEval evaluates the worth of an attribute using a user-specified classifier [21]. CorrelationAttributeEval evaluates the worth of an attribute by measuring the correlation between the attribute and the class [21]. ReliefFAttributeEval samples instances randomly and checks the neighbouring instances of the same and of different classes [15]. CfsSubsetEval evaluates the worth of a subset of attributes by considering the individual predictive ability of each attribute along with the degree of redundancy between them; missing values can be treated as a separate value or their counts distributed among the other values in proportion to their frequency [15]. WrapperSubsetEval evaluates attribute sets using a learning scheme, with cross-validation estimating the accuracy of the learning scheme for a given set of attributes [15].

ClassifierAttributeEval, CorrelationAttributeEval and ReliefFAttributeEval require Ranker as the search method; for all three datasets the Ranker was set to keep five attributes. CfsSubsetEval and WrapperSubsetEval work with either the BestFirst or the GreedyStepwise search method. Combining the evaluators and search methods with the seven algorithms gave 56 results per dataset. After attribute selection was performed on the complete set of 21 attributes, every evaluator still produced 100% accuracy regardless of the algorithm used. The attributes of all three datasets are listed in Table 5.

Table 5. Attributes by number with description

Attribute   Description
1 - 10      Scores of the 10 questions
11          Age (number)
12          Gender (male or female)
13          Ethnicity (list provided)
14          Born with jaundice
15          Autism in family
16          Country of residence
17          Used app before
18          Result of app (automated calculation)
19          Age description (toddler, child, adolescent, adult)
20          Relation (who is completing the test)
21          Class ASD/NoASD

The attribute present in all three datasets that showed extremely high correlation with the class was attribute 18. This attribute is the application's automatically calculated result, i.e. the total score of the ten questions [13], which is also what the application itself uses to decide its screening outcome. A classifier given attribute 18 is therefore effectively handed the class label, which is why every evaluator and algorithm reached 100% above. A new approach was therefore used: attribute 18 was removed completely and the selection process repeated for all three datasets. The selection results are shown in Tables 6, 7 and 8 in Appendix 2, and the accuracy results in Tables 9, 10 and 11 in Appendix 3.
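The procedure of Section 5 (10-fold cross-validation and percentage split), the Ranker-style correlation filter of the attribute selection step, and the effect of keeping or dropping the app's automated result, all run on a constructed dataset, as an added example. This is not code from the paper and it does not use WEKA; the dataset generator, the decision stump learner used as the classifier, and the rule that the constructed 'result' flags a case at 6 or more points are assumptions made for the demonstration, not facts about the UCI data:

```python
"""Added example (not the paper's code): cross-validation, percentage split,
a correlation-ranked attribute filter and the leakage caused by the app's
automated result, on a constructed dataset laid out like the screening data
(10 binary item scores, two demographics, the app result, the class)."""
import random
from statistics import mean

QUESTIONS = ["A%d" % i for i in range(1, 11)]
THRESHOLD = 6  # assumption: the constructed app flags ASD at 6 or more points


def make_dataset(n=300, seed=7):
    """Constructed rows. 'result' is the sum of the 10 item scores and the
    class is derived from it, so 'result' restates the label (attribute 18)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        p = rng.choice([0.25, 0.75])                 # two latent profiles
        row = {q: int(p > rng.random()) for q in QUESTIONS}
        row["age"] = rng.randint(17, 40)
        row["jaundice"] = int(0.1 > rng.random())
        row["result"] = sum(row[q] for q in QUESTIONS)
        row["class"] = int(row["result"] >= THRESHOLD)
        rows.append(row)
    return rows


def stump_fit(train, attrs):
    """One-level decision tree: best (attribute, threshold, direction) on train."""
    best_acc, best = -1.0, None
    for a in attrs:
        for t in sorted({r[a] for r in train}):
            for sign in (1, -1):   # 1: predict ASD if value >= t; -1: if value <= t
                acc = mean(int((sign * (r[a] - t) >= 0) == r["class"]) for r in train)
                if acc > best_acc:
                    best_acc, best = acc, (a, t, sign)
    return best


def stump_predict(model, row):
    a, t, sign = model
    return int(sign * (row[a] - t) >= 0)


def accuracy(model, test):
    return mean(int(stump_predict(model, r) == r["class"]) for r in test)


def cross_validate(rows, attrs, k=10, seed=1):
    """k-fold CV: every fold is the test set once, the other k-1 folds train."""
    data = rows[:]
    random.Random(seed).shuffle(data)
    folds = [data[i::k] for i in range(k)]
    scores = []
    for i in range(k):
        train = [r for j, f in enumerate(folds) if j != i for r in f]
        scores.append(accuracy(stump_fit(train, attrs), folds[i]))
    return mean(scores)


def percentage_split(rows, attrs, train_frac, seed=1):
    """Single hold-out split, e.g. 0.7 for WEKA's 70%-30% percentage split."""
    data = rows[:]
    random.Random(seed).shuffle(data)
    cut = int(len(data) * train_frac)
    return accuracy(stump_fit(data[:cut], attrs), data[cut:])


def correlation_rank(rows, attrs, top=5):
    """Ranker-style filter: attributes ordered by |Pearson r| with the class."""
    def pearson(xs, ys):
        mx, my = mean(xs), mean(ys)
        cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
        sx = sum((x - mx) ** 2 for x in xs) ** 0.5
        sy = sum((y - my) ** 2 for y in ys) ** 0.5
        return cov / (sx * sy) if sx and sy else 0.0
    ys = [r["class"] for r in rows]
    ranked = sorted(attrs, key=lambda a: -abs(pearson([r[a] for r in rows], ys)))
    return ranked[:top]


def leakage_report(rows):
    """Accuracies with and without the leaking 'result' attribute."""
    all_attrs = [a for a in rows[0] if a != "class"]
    no_result = [a for a in all_attrs if a != "result"]
    return {
        "cv10_with_result": cross_validate(rows, all_attrs),
        "cv10_without_result": cross_validate(rows, no_result),
        "split70_with_result": percentage_split(rows, all_attrs, 0.7),
        "split70_without_result": percentage_split(rows, no_result, 0.7),
        "ranker_top3": correlation_rank(rows, all_attrs, top=3),
    }


if __name__ == "__main__":
    for name, value in leakage_report(make_dataset()).items():
        print(name, value)
```

With 'result' available, the stump splits on it at the threshold and scores 100% under both evaluation methods, and the correlation Ranker places 'result' first; once it is removed the same learner falls to the accuracy of a single question, mirroring the drop from 100% to the DecisionStump figures reported below. The practical check is the same in WEKA or anywhere else: any attribute whose correlation with the class is near 1 should be traced to how it was computed before it is trusted.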

After the removal, the lowest performance on the child, adolescent and adult datasets was achieved by DecisionStump, with 78.082%, 70.192% and 82.822% respectively. The lowest number of attributes selected was 1 and the highest 14, but the best results required fewer than that. For the child dataset the best algorithms were SimpleLogistic and LMT, which with CfsSubsetEval reached 98.973% accuracy using 10 attributes. For the adolescent dataset BayesNet with ClassifierAttributeEval performed best, with 90.385% accuracy using only 5 attributes. SimpleLogistic classified the adult dataset with an accuracy of 99.432% using 11 attributes.

6. Conclusion

The conclusion is split into two parts: one on the review of previously published papers and their results, and one on our own processing of the datasets. This paper used three datasets (child, adolescent and adult), each with 21 attributes. The original datasets were processed with two methods of splitting into training and test sets, using sixteen algorithms for both. The results of the first test were used to choose the algorithms for the second part, attribute selection; seven algorithms stood out. Attribute selection was performed on all three datasets using five evaluators. All results had 100% accuracy regardless of the number of attributes used. This led to another approach: removing attribute 18, which restates the class, and reapplying the selection process. The number of attributes giving the best performance depends on the dataset. One should keep in mind that a classification using five attributes can only serve as an indicator of whether further medical testing should be conducted.

The main lesson learned from the papers written so far on this topic is that integrating ML into ASD diagnosis and its screening tools is much harder than it seems. Finding the appropriate number of features and reducing the time of diagnosis depends on many parameters. Many experiments, in an attempt to reduce the diagnosis time, discarded important issues for the sake of simplicity. Their initially impressive results cannot be taken for granted, because of imbalanced data and questionable reliability. The selected features should not depend on the particular algorithm or data sample. Distinguishing between ASD and related PDD disorders (ADHD, Asperger syndrome) remains a major obstacle to proper diagnosis of ASD. The algorithm should be given a similar number of examples of all possible outcomes in order to learn to distinguish between categories. Finally, the current diagnostic tools need to be re-evaluated and adjusted to fit the new DSM-5 criteria.

APPENDIX 1
Table 1. Questions from the ASDTests application [13], by age module

12-36 months, TODDLER
1. Does your child look at you when you call his/her name?
2. How easy is it for you to get eye contact with your child?
3. Does your child point to indicate that he/she wants something (e.g. toy out of reach)?
4. Does your child point to share interest with you? (e.g. pointing at an interesting sight)
5. Does your child pretend? (e.g. care for dolls, talk on a toy phone)
6. Does your child follow where you are looking?
7. If you or someone else in the family is visibly upset, does your child show signs of wanting to comfort you/them? (e.g. gives a hug)
8. Would you describe your child's first words as: typical, unusual, the child doesn't speak?
9. Does your child use simple gestures (e.g. waves goodbye)?
10. Does your child stare at nothing with no apparent purpose?

4-11 years, CHILD
1. He/she often notices small sounds when others do not?
2. He/she usually concentrates more on the whole picture rather than the small details?
3. In a social group, he/she can easily keep track of several different people's conversation?
4. He/she finds it easy to go back and forth between different activities?
5. He/she doesn't know how to keep a conversation going with his/her peers?
6. He/she is good at social chit-chat?
7. When he/she reads a story, he/she finds it hard to work out the character's intentions or feelings?
8. When he/she was in preschool, he/she used to enjoy playing games involving pretending with other children?
9. He/she finds it difficult to work out what someone is thinking or feeling just by looking at their face?
10. He/she finds it hard to make new friends?

12-16 years, ADOLESCENT
1. He/she notices patterns in things all the time?
2. He/she usually concentrates more on the whole picture rather than the small details?
3. In a social group, he/she can easily keep track of several different people's conversation?
4. If there is an interruption, he/she can switch back to what he/she was doing very quickly?
5. He/she frequently finds that he/she doesn't know how to keep a conversation going?
6. He/she is good at social chit-chat?
7. When he/she was younger, he/she used to enjoy playing games involving pretending with other children?
8. She/he finds it difficult to imagine what it would be like to be someone else?
9. He/she finds social situations easy?
10. He/she finds it hard to make new friends?

17 years and older, ADULT
1. I often notice small sounds when others do not?
2. I usually concentrate more on the whole picture, rather than the small details?
3. I find it easy to do more than one thing at once?
4. If there is an interruption, I can switch back to what I was doing easily?
5. I find it easy to read between the lines when someone is talking to me?
6. I know how to tell if someone listening to me is getting bored?
7. When I'm reading a story, I find it difficult to work out the character's intentions?
8. I like to collect information about categories of things (e.g. types of car, types of bird, types of train, types of plants, etc.)
9. I find it easy to work out what someone is thinking just by looking at their face?
10. I find it difficult to work out people's intentions?

APPENDIX 2
In Tables 6, 7 and 8 the rows are the seven algorithms (BayesNet, SimpleLogistic, DecisionStump, J48, LMT, RandomForest, REPTree) and the columns are ClassifierAttributeEval, CorrelationAttributeEval, ReliefFAttributeEval, CfsSubsetEval (BF &amp; Greedy), WrapperSubsetEval (BF) and WrapperSubsetEval (Greedy). The cell-to-row assignment did not survive extraction, so each table lists the selected attribute sets (attribute numbers as in Table 5) in the order they were extracted.

Table 6. Attribute selection results - child dataset
4,9,8,10,1 | 4,9,10,8,6 | 4,1,10,8,9 | 1-10 | 1-10,17 | 3,4,6,7,10,12,16 | 4,10 | 4,6,10,12,16 | 4 | 4 | 1,3,4,5,7,8,10,14 | 4,10 | 4,6,10,12,16 | 15,7,8,9,10,15,17 | 4,10 | 1,4,8,10 | 4,10

Table 7. Attribute selection results - adolescent dataset
5,4,3,10,6 | 1,2,3,4,5,7,10,12 | 1,3,4,5,10,12 | 3,4,5,10,14 | 5,4,10,3,6 | 5,4,10,3,6 | 5,3,10,4,8 | 3,4,5,6,7,8,10,17 | 5 | 2,5,9,14 | 3,4,5,10,14 | 5,4,3,10,6 | 15,7,8,10,17 | 5,4,10,3,6 | 2,3,5,8 | 4,5,7,10

Table 8. Attribute selection results - adult dataset
9,6,16,19,7 | 1-10,15,16 | 1,3,5,6,9,12,15 | 1,3,5,6,9 | 9 | 9,6,8,7,19 | 9,6,5,4,3 | 5,9,6,4,7 | 1-10,16 | 1-5,7-10,16,15 | 1,3,5,6,9,12,15 | 9 | 1,5,9 | 1,3,5,6,9 | 1-10,12,15,18,19 | 1,2,3,5,6,7,9,15

APPENDIX 3
In Tables 9, 10 and 11 the columns are the attribute evaluators: ClassifierAttributeEval, CorrelationAttributeEval, ReliefFAttributeEval, CfsSubsetEval, WrapperSubsetEval (BF) and WrapperSubsetEval (Greedy).

Table 9. Attribute selection accuracy - child dataset

Algorithm                  Classifier  Correlation  ReliefF   Cfs       Wrapper(BF)  Wrapper(Greedy)
BayesNet                   86.644%     84.932%      85.616%   95.206%   91.438%      82.192%
DecisionStump              78.082% (single value given)
J48                        85.959%     84.932%      83.904%   91.438%   85.274%      82.192%
SimpleLogistic and LMT     85.959%     84.589%      87.329%   98.973%   95.890%      83.904%
(one row each, order       86.301%     84.589%      88.014%   98.973%   95.890%      82.192%
as extracted)
RandomForest               85.274%     81.849%      85.274%   93.151%   89.384%      84.247%
REPTree                    85.616%     85.959%      83.219%   83.562%   84.589%      83.562%

Table 10. Attribute selection accuracy - adolescent dataset
Rows: BayesNet, SimpleLogistic, DecisionStump, J48, LMT, RandomForest, REPTree. The cell-to-row assignment did not survive extraction except where Section 5 fixes it (BayesNet with ClassifierAttributeEval 90.385%; DecisionStump 70.192%). Cells in the order extracted:
87.5% | 88.462% | 77.885% | 90.385% | 89.423% | 82.692% | 89.423% | 70.192% | 80.769% | 81.731% | 89.423% | 86.539% | 68.269% | 78.846% | 84.615% | 72.115% | 71.154% | 89.423% | 81.731% | 88.462% | 85.577% | 78.846% | 86.539% | 75% | 85.577% | 83.654% | 86.539% | 78.846% | 76.923% | 68.269% | 72.115% | 71.154%

Table 11. Attribute selection accuracy - adult dataset

Algorithm                  Classifier  Correlation  ReliefF   Cfs       Wrapper(BF)  Wrapper(Greedy)
BayesNet                   90.341%     91.051%      90.767%   96.307%   95.313%      92.046%

Remaining rows (SimpleLogistic, DecisionStump, J48, LMT, RandomForest, REPTree): the cell-to-row assignment did not survive extraction except where Section 5 fixes it (SimpleLogistic 99.432%; DecisionStump 82.822%). Cells in the order extracted:
89.347% | 90.909% | 84.517% | 90.625% | 99.432% | 95.881% | 82.822% | 93.04% | 88.21% | 89.357% | 90.909% | 90.625% | 99.006% | 95.028% | 93.892% | 89.063% | 92.046% | 89.347% | 89.063% | 89.347% | 87.5% | 91.761% | 90.057% | 91.193% | 94.46% | 91.761% | 90.199% | 89.205% | 86.364% | 89.063% | 89.921%

7. References

[1] National Institute of Mental Health. Available at: https://www.nimh.nih.gov/health/topics/autism-spectrum-disorders-asd/index.shtml
[2] Lord, C., Rutter, M. and Le Couteur, A. (1994). Autism Diagnostic Interview-Revised: A revised version of a diagnostic interview for caregivers of individuals with possible pervasive developmental disorders. Journal of Autism and Developmental Disorders, 24, 659-685.
[3] Lord, C., Risi, S., Lambrecht, L. et al. (2000). The Autism Diagnostic Observation Schedule-Generic: a standard measure of social and communication deficits associated with the spectrum of autism. J Autism Dev Disord, 30, 205-223.
[4] Thabtah, F. (2017). Autism Spectrum Disorder Screening: Machine Learning Approach and DSM-5 Fulfillment. ICMHI '17, May 20-22, 2017, Taichung City, Taiwan. Association for Computing Machinery. ACM ISBN 978-1-4503-5224-6/17/05.
[5] American Psychiatric Association (2000). Diagnostic and statistical manual of mental disorders (4th edn), text revision. Washington, DC: American Psychiatric Association.
[6] American Psychiatric Association (2013). Diagnostic and statistical manual of mental disorders: DSM-5. Washington, DC: American Psychiatric Association.
[7] Lord, C. et al. (1994). Autism Diagnostic Interview-Revised: A Revised Version of a Diagnostic Interview for Caregivers of Individuals with Possible Pervasive Developmental Disorders. Journal of Autism and Developmental Disorders, Vol. 24, No. 5.
[8] Wiggins, L. D., Baio, J. and Rice, C. (2006). Examination of the Time Between First Evaluation and First Autism Spectrum Diagnosis in a Population-based Sample. Developmental and Behavioral Pediatrics, Vol. 27, No. 2, April 2006.
[9] Wall, D. P., Dally, R., Luyster, R., Jung, J.-Y. and DeLuca, T. F. (2012). Use of Artificial Intelligence to Shorten the Behavioral Diagnosis of Autism. PLoS ONE 7(8): e43855. doi: 10.1371/journal.pone.0043855
[10] Bone, D., Goodwin, M. S., Black, M. P. et al. (2014). Applying Machine Learning to Facilitate Autism Diagnostics: Pitfalls and Promises. Springer Science+Business Media New York.
[11] Thabtah, F. (2018). Machine learning in autistic spectrum disorder behavioral research: A review and ways forward. Informatics for Health and Social Care. DOI: 10.1080/17538157.2017.1399132
[12] UCI Machine Learning Repository. Available at: https://archive.ics.uci.edu/ml/index.php
[13] Thabtah, F. (2017). ASDTests. A mobile app for ASD screening. www.asdtests.com
[14] Allison, C., Auyeung, B. and Baron-Cohen, S. (2012). Toward Brief "Red Flags" for Autism Screening: The Short Autism Spectrum Quotient and the Short Quantitative Checklist in 1000 Cases and 3000 Controls. Journal of the American Academy of Child &amp; Adolescent Psychiatry. DOI: 10.1016/j.jaac.2011.11.003
[15] Witten, I. H. and Frank, E. (2005). Data Mining: Practical Machine Learning Tools and Techniques. Elsevier.
[16] Quinlan, J. R. C4.5: Programs for Machine Learning. Available at: https://link.springer.com/article/10.1007/BF00993309
[17] University of Waikato. Logistic Model Trees. Available at: https://www.cs.waikato.ac.nz/ml/publications/2005/LMT.pdf
[18] Breiman, L. (2001). Random Forests. Available at: https://www.stat.berkeley.edu/~breiman/randomforest2001.pdf
[19] Towards Data Science. Cross-Validation in Machine Learning, K-Fold Cross Validation. Available at: https://towardsdatascience.com/cross-validation-in-machine-learning-72924a69872f
[20] Machine Learning Mastery. An Introduction to Feature Selection. Available at: https://machinelearningmastery.com/an-introduction-to-feature-selection/
[21] Weka, Version 3.8.3, Waikato Environment for Knowledge Analysis. ClassifierAttributeEval.
</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on the behalf of Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content regarding by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor, and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with preference on empirical research, critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26352">
                <text>Machine Learning in Autism Spectrum Disorder Diagnosis</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26353">
                <text>Naida Nalo, Jasmin Kevrić</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26354">
                <text>This paper presents an overview of Machine Learning techniques used in Autism Spectrum&#13;
Disorder (ASD) diagnosis. ASD is detected by behavioral screening, which is time consuming and&#13;
can only be administered by a medical professional. The idea is to find a smaller number of features that&#13;
still provide equally satisfying results without losing accuracy, sensitivity or specificity. Some&#13;
of the algorithms most used in recent studies are Artificial Neural Networks (ANN) and Alternating&#13;
Decision Trees (ADTrees). The studies usually use the WEKA software package for applying the algorithm&#13;
and obtaining results.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26355">
                <text>Machine Learning, Autism Spectrum Disorder, diagnosis, features, ANN, ADTree,&#13;
WEKA.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="43">
            <name>Identifier</name>
            <description>An unambiguous reference to the resource within a given context</description>
            <elementTextContainer>
              <elementText elementTextId="26356">
                <text>2637-2835</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26357">
                <text>International Burch University, Sarajevo, Bosnia and Herzegovina</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26358">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26395">
                <text>January, 2020</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3455" public="1" featured="0">
    <fileContainer>
      <file fileId="4267">
        <src>https://omeka.ibu.edu.ba/files/original/c4bae5fbec77718447ec73dc65649ad6.pdf</src>
        <authentication>62737558fce1a681d66b8438c8f8fedb</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="26401">
                    <text>Journal of Natural Sciences and Engineering, Vol. 2, (2020)
DOI number: 10.14706/JONSAE2020214

Handwriting digit recognition using Decision Tree Classifiers

Demir Korać1, Samed Jukić1, Mujo Hadžimehanović1
1

International Burch University, Sarajevo, Bosnia and Herzegovina
demir.korac@stu.ibu.edu.ba
samed.jukic@ibu.edu.ba
mujo.hadzimehanovic@stu.ibu.edu.ba

Abstract – Handwritten character recognition is useful at every scale, from large-scale applications to
common consumer use. The transition from handwritten to digital records can be made much smoother by
improving handwritten character recognition. This work focuses on handwritten digit recognition using the
decision tree classifier machine learning method, implemented, trained and tested on data gathered from the
Modified National Institute of Standards and Technology (MNIST) dataset. The data to be recognized comes
from a pre-existing, reliable set that is used for both training and testing, so that the result is fair. The
system runs as a Python script; the dataset is stored in CSV format, preprocessed and ready for further use.
Given the size of the dataset (42000 rows of data), the system's overall performance is satisfactory, with an
accuracy of 85%, and it outputs the results in an understandable manner.
Keywords – character, decision, handwritten, recognition

1. Introduction

Optical character recognition is the process of mechanically or electronically converting typed, printed or
handwritten images of text into machine-encoded text. The source can be a photo of a document, a scanned
document or a scene photo (billboards in a landscape photo). Another possible source is text superimposed on
an image, such as subtitle text from a television broadcast. The process of recognition and the technique used
in it is called a handwriting recognition system. In the literature this recognition is classified into offline and
online handwriting recognition, depending on the style of recognition. If an image of handwriting is acquired
first and recognized afterwards, it is classified as offline recognition. If, however, the handwriting is input
directly into the machine to be recognized, this is called online recognition; one way of doing this is writing on
a touchpad or another device dedicated to writing and having it recognized. Another classification exists based
on the recognition process itself and the technique used.

We can recognize two main categories: segmentation-free and segmentation-based recognition. Segmentation-free
recognition recognizes the character without first segmenting the input into smaller units, i.e. words into
characters. Segmentation-based recognition is the opposite: each word is segmented into smaller units
(characters) and each character is recognized separately.

For most of our history handwriting has been the primary means of communication and information
organization, but with the modernization of these fields handwriting is slowly becoming obsolete. The legacy of
handwritten information cannot be overlooked, however, so a transitional period and process needs to occur.
That is where handwriting and optical character recognition come into play. The importance of handwriting
recognition is reflected in many industries, such as:
- health care (7,000 people are killed per year by the poor handwriting of doctors)
- automotive (digital handwriting solutions allow drivers to write characters or numerals, or simply gesture
  with their fingertips on the vehicle's onboard computer screen instead of typing on a standard keyboard)
- field services (field service technicians use HWR technology for digital data capture, decreasing paperwork
  and information loss while also allowing technicians to see precise notes on customer history)
- education (using HWR technology, students benefit from more than the increased comprehension linked to
  taking handwritten notes; for example, handwriting recognition can take a sloppy algebra equation, convert it
  into neat digital text, and then crunch the numbers in a matter of seconds)
- consumer (with the rapid success of tablets and smartphones, the market needs an alternative to inaccurate
  digital keyboards, and HWR technology is the best remedy)

2. Previous work

Perwej Y. and Chaturvedi A. worked on recognizing handwritten English alphabet characters using Artificial
Neural Networks, training the network on binary pixels of the characters; the accuracy of this method is
82.5% [1]. Their data set consists of handwritten English alphabet characters scanned from documents and then
"cleaned" and "smoothed". The characters are split into 25-segment grids, and the segments are scaled and
thinned to obtain skeletal patterns. These are then transformed into binary values representing the segment
input (shown in Figure 1).

[Figure 1: diagram; recovered label "Input Alphabet"]
Figure 1. Process of recognition
Amrouch M. and Es Saady Y. worked on a method using a sliding window based on the Hough transform as the
feature extraction technique [2]. An input image is divided into two windows, a dominant direction is determined
with the Hough transform, and a directional feature vector sequence is formed. The method is based on
continuous HMMs and directional features, with an average accuracy of 90.4%. Their data set is a database of
printed Amazigh characters containing 240 isolated characters. The character images are gray level, 96x96
pixels.

M. Hanmandlu and O.V. Ramana Murthy [3] studied the recognition of Hindi and English numerals. The numerals
are represented as exponential membership functions which serve as a fuzzy model. They achieved an overall
recognition rate of 95% for Hindi numerals and 98.4% for English numerals. For handwritten English numerals
they used a database of 5000 samples. For Hindi they used a database of totally unconstrained handwritten
numerals collected from a large number of writers, since no standard database of handwritten Hindi numerals
was available at the time.

Nafiz Arica et al. proposed a recognition method without pre-processing, which they believed leads to loss of
necessary information [4]. It is backed by a powerful segmentation algorithm that uses character boundaries,
maxima and minima, slant angle, upper and lower baselines, stroke height and width, and ascenders and
descenders, which improves the search for the optimal segmentation path on a gray-scale image. The dataset
used was the handwritten Lancaster-Oslo/Bergen (LOB) database, which contains single-author cursive
handwriting. From this dataset 1,000 words with lower-case letters are segmented and used for HMM training,
and a disjoint set of 2,000 words is used for testing the performance of the proposed system.
Table 1. Results of recognition for the LOB Dataset

Dataset       Test data size   Lexicon size   Recognition rate (%)
LOB Dataset   2000             50             92.3
LOB Dataset   2000             1000           90.8
LOB Dataset   2000             30000          89.1
LOB Dataset   2000             40000          88.8

The overall recognition rate of the whole system on a word basis for various lexicon sizes is shown in the
table above.

3. Method and Materials

The dataset used in the project is the well-known Modified National Institute of Standards and Technology
(MNIST) database of handwritten digits [5], as it is the most reliable and largest database of this type. This
dataset was taken as a subset of a larger dataset by NIST. The copy of the MNIST data used here, stored in CSV
format, consists of 42000 rows of data. It is split in an 80/20 ratio into training and test data respectively, so
the training data has 33600 rows and the test data has 8400 rows. The digits have been size-normalized and
centered in a fixed-size image. The database and its files, such as the training set images and labels and the
test set images and labels, can be found at: http://yann.lecun.com/exdb/mnist/

The machine learning model used is a Decision Tree Classifier implemented through the scikit-learn machine
learning library in Python [6]. Decision Trees are used in data mining, machine learning and statistics as a
predictive modeling approach. The structure of a tree is as follows: class labels are represented as leaves, and
the conjunctions of features that lead to those class labels are represented as branches. The dataset is input
as a matrix whose cells are the pixel intensity values of the 28x28 images, one row per image.
Table 2. Sample from dataset (first rows of the CSV; columns pixel0 to pixel9 shown)

label  pixel0  pixel1  pixel2  pixel3  pixel4  pixel5  pixel6  pixel7  pixel8  pixel9
1      0       0       0       0       0       0       0       0       0       0
0      0       0       0       0       0       0       0       0       0       0
1      0       0       0       0       0       0       0       0       0       0
4      0       0       0       0       0       0       0       0       0       0
0      0       0       0       0       0       0       0       0       0       0
0      0       0       0       0       0       0       0       0       0       0
7      0       0       0       0       0       0       0       0       0       0
3      0       0       0       0       0       0       0       0       0       0
5      0       0       0       0       0       0       0       0       0       0
3      0       0       0       0       0       0       0       0       0       0
8      0       0       0       0       0       0       0       0       0       0
9      0       0       0       0       0       0       0       0       0       0
1      0       0       0       0       0       0       0       0       0       0
3      0       0       0       0       0       0       0       0       0       0
3      0       0       0       0       0       0       0       0       0       0
1      0       0       0       0       0       0       0       0       0       0
2      0       0       0       0       0       0       0       0       0       0

Columns pixel0 to pixel9 are the first ten pixels of the top row of the 28x28 image, which is blank
(intensity 0) in every sample shown; the digit strokes appear in later columns.

An empty classifier is created and trained on the training data with the fit method. After the classifier
finishes with the training data, we move on to the rest of the dataset, the testing part. Using the predict
method we output the classifier's prediction of a handwritten digit from the test dataset along with the
actual image of the digit.

4. Process
The process of recognition is as follows:
The dataset is imported and separated into two parts with a ratio of 80/20. The train set consists of 33600
rows and the test set of 8400 rows of data.

Splitting the dataset:
traindata=data[0:33600,1:]     # first 33600 rows, pixel columns only
train_label=data[0:33600,0]    # their labels, which sit in column 0
testdata=data[33600:,1:]       # the remaining 8400 rows are the test set
actual_label=data[33600:,0]

The data and its label are fitted to the model to learn from it. We do this by using the fit method and passing
our training set to it.

Fitting the training set:
clf=DecisionTreeClassifier()    # empty classifier (sklearn.tree.DecisionTreeClassifier)
clf.fit(traindata,train_label)  # learn the tree from the training rows and their labels

The user of the system enters the order number (row index) of the sample from the dataset that they want to
test the system with. The sample with that order number is taken from the dataset, along with its actual
label.

Figure 2. Taking input from the user

Using the predict method, a prediction is made for the sample and printed. Using the shape attribute, the
sample is reshaped from a row vector into a 28x28 matrix of pixel intensity values. A figure is then created,
which is displayed after prediction.

Using the shape attribute:
d.shape=(28,28)   # reshape the 784-element row vector in place into a 28x28 image
Once the figure is created, we proceed with the prediction, using the predict method of the Decision Tree
Classifier in the scikit-learn library [7].

Using the predict method along with output of the data:
print ("The predicted digit is =", clf.predict( [testdata[number]]))   # predict expects a 2-D array
print ("The actual digit is =", actnum)

Along with predicting the digit, we also output the actual label of the sample number the user chose. An
extra feature is the calculation of the current certainty of prediction, i.e. the accuracy of the model over
the whole test set.

Certainty of prediction:
p=clf.predict(testdata)          # predictions for all 8400 test rows
count=0
for i in range (0,8400):
    count+=1 if p[i]==actual_label[i] else 0   # count the correct predictions
print ("Certainty of prediction=", (count/8400)*100,"%")

For this feature we run the predict method over every row of the test set and compare each prediction with
the actual label, which gives the success rate of the model on the current test data.

Figure 3. The system's process from the user's perspective

5. Usage workflow
In Figure 4 we can see the workflow according to which the system operates.

Figure 4. Usage workflow

Since the system does not need dataset input from the user, the dataset is simply imported. The system does
need user input, since the user chooses the digit that is to be recognized by providing its order number in
the data. The system then outputs its prediction along with other data such as the actual label and the
prediction certainty. This allows the user to analyze the data given to them and check whether the prediction
was correct and whether the prediction certainty is satisfactory.

6. Decision Tree Classifier in scikit-learn

A decision tree is a flowchart-like tree structure where an internal node represents a feature (or attribute),
a branch represents a decision rule, and each leaf node represents the outcome. The topmost node in a decision
tree is known as the root node. The tree learns to partition the data on the basis of attribute values, and it
does so recursively, which is called recursive partitioning. This flowchart-like structure helps in decision
making; it is visualized like a flowchart diagram, which mimics human-level thinking. That is why decision
trees are easy to understand and interpret.
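The recursive partitioning described in this section and the workflow of section 4 (80/20 split, fit, predict a user-chosen sample, certainty of prediction over the test set), as an added example that is not part of the paper and not the authors' code: a minimal CART-style decision tree in pure Python, which stands in for the scikit-learn DecisionTreeClassifier, trained on a constructed dataset of noisy 5x5 bitmaps for the digits 0, 1 and 7 that stands in for the MNIST CSV. PROTOTYPES, make_dataset, split_80_20, gini, best_split, build_tree, predict_one, accuracy, select_sample and run_experiment are names invented for the example; the prototypes, the 3% pixel-flip noise, the intensity ranges and the depth limit of 8 are assumptions, not values from the paper.

```python
# Added example, not the paper's code: a minimal CART-style decision tree built by
# recursive partitioning on the Gini impurity, run through the paper's workflow
# (80/20 split, fit, predict a user-chosen sample, accuracy over the test set).
# Pure Python stands in for scikit-learn; a constructed 5x5 "digit" dataset
# stands in for the 28x28 MNIST rows (all names and parameters are assumptions).
import random
from collections import Counter
from operator import le, lt  # le(a, b): a at most b; lt(a, b): a strictly below b

# Constructed 5x5 bitmaps for digits 0, 1 and 7, row-major like the CSV's pixel columns.
PROTOTYPES = {
    0: "01110" "10001" "10001" "10001" "01110",
    1: "00100" "01100" "00100" "00100" "01110",
    7: "11111" "00001" "00010" "00100" "00100",
}

def make_dataset(n_per_class=60, flip=0.03, seed=7):
    """Noisy intensity rows (0..255) drawn from the prototypes, then shuffled."""
    rng = random.Random(seed)
    rows, labels = [], []
    for label, proto in PROTOTYPES.items():
        for _ in range(n_per_class):
            # each pixel is flipped with probability `flip`, then given an intensity
            rows.append([rng.randint(128, 255) if (ch == "1") != lt(rng.random(), flip)
                         else rng.randint(0, 40) for ch in proto])
            labels.append(label)
    order = list(range(len(rows)))
    rng.shuffle(order)
    return [rows[i] for i in order], [labels[i] for i in order]

def split_80_20(rows, labels):
    """The paper's split: the first 80% of rows train, the remaining 20% test."""
    cut = int(0.8 * len(rows))
    return rows[:cut], labels[:cut], rows[cut:], labels[cut:]

def gini(labels):
    """Gini impurity of a label multiset; 0.0 means the node is pure."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def best_split(rows, labels):
    """Greedy (feature, threshold) search; (None, None, parent_gini) if nothing improves."""
    best = (None, None, gini(labels))
    for f in range(len(rows[0])):
        for t in sorted({r[f] for r in rows}):
            left = [lab for r, lab in zip(rows, labels) if le(r[f], t)]
            right = [lab for r, lab in zip(rows, labels) if not le(r[f], t)]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
            if lt(score, best[2]):
                best = (f, t, score)
    return best

def build_tree(rows, labels, depth=0, max_depth=8):
    """Recursive partitioning until a node is pure, no split helps, or max_depth is hit."""
    majority = Counter(labels).most_common(1)[0][0]
    if not lt(depth, max_depth) or len(set(labels)) == 1:
        return {"leaf": majority}
    f, t, _ = best_split(rows, labels)
    if f is None:
        return {"leaf": majority}
    li = [i for i, r in enumerate(rows) if le(r[f], t)]
    ri = [i for i, r in enumerate(rows) if not le(r[f], t)]
    return {"feature": f, "threshold": t,
            "left": build_tree([rows[i] for i in li], [labels[i] for i in li], depth + 1, max_depth),
            "right": build_tree([rows[i] for i in ri], [labels[i] for i in ri], depth + 1, max_depth)}

def predict_one(tree, row):
    """Walk from the root to a leaf, applying one decision rule per internal node."""
    while "leaf" not in tree:
        tree = tree["left"] if le(row[tree["feature"]], tree["threshold"]) else tree["right"]
    return tree["leaf"]

def accuracy(tree, rows, labels):
    """The paper's 'certainty of prediction': percentage of rows predicted correctly."""
    hits = sum(predict_one(tree, r) == lab for r, lab in zip(rows, labels))
    return 100.0 * hits / len(labels)

def select_sample(rows, labels, index):
    """Bounds-checked lookup of the user's 'order number' (Figure 2 of the paper)."""
    if not isinstance(index, int) or index not in range(len(rows)):
        raise IndexError("sample index must be an int in [0, %d)" % len(rows))
    return rows[index], labels[index]

def run_experiment():
    """Fit on the 80% split and report train/test accuracy plus the tree itself."""
    rows, labels = make_dataset()
    tr_x, tr_y, te_x, te_y = split_80_20(rows, labels)
    tree = build_tree(tr_x, tr_y)
    return {"train_acc": accuracy(tree, tr_x, tr_y),
            "test_acc": accuracy(tree, te_x, te_y),
            "tree": tree, "test": (te_x, te_y)}

if __name__ == "__main__":
    result = run_experiment()
    sample, actual = select_sample(*result["test"], 0)
    print("The predicted digit is =", predict_one(result["tree"], sample))
    print("The actual digit is =", actual)
    print("Certainty of prediction=", result["test_acc"], "%")
```

Running the file prints the paper's three output lines for test sample 0. The part the paper's user-input step (Figure 2) lacks is select_sample: an order number taken straight from input() and used as testdata[number] raises on values of 8400 and above, and a negative value silently wraps around to the end of the NumPy array, so the index is range-checked here before it touches the test set.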


Figure 5. Decision tree operation diagram
7. Results

After processing and thorough testing, the model has a success rate of ~85% on the test dataset given to it.
The system may confuse similar digits. This occurs because the digits are handwritten and the data has been
gathered from over 250 different writers, some of whom write different digits in a similar manner. An example
is shown in Figure 6, where the system has trouble predicting the digit 9 and predicts 3 instead. From the
image we can see that the two digits look quite similar.

Figure 6. Wrong prediction of digit 9 as digit 3

Different parts of the world write digits differently, so the algorithm would be much more accurate if it were
trained per location, and accuracy would surely improve if different machine learning methods or ensemble
methods were used. Finally, the thing that would take the recognition to the next level is image quality,
considering that this algorithm has been applied to a dataset with quite low-quality images.

8. Conclusion

This dataset is not sufficient for a higher-level model intended for production use, but as a small dataset
used for initial training it has shown the model and method to be fairly successful. If the algorithm were
trained on a larger dataset with higher image quality, it could be used for real-world projects. The confusion
of the system may also be affected by the quality of the images in the given dataset, as they are limited to
28x28 matrices. Future training with a dataset of larger matrices may prove more successful.

REFERENCES
[1] Perwej Y. &amp; Chaturvedi A. - Neural Networks for Handwritten English Alphabet Recognition. 2011 IJCA
[2] M. Amrouch, A. Rachidi, M. El Yassa, D. Mammass - Printed Amazigh character recognition by a hybrid approach based on Hidden Markov Models and the Hough transform. 2009 IEEE
[3] M. Hanmandlu, O.V. Ramana Murthy - Fuzzy model based recognition of handwritten numerals. 2007 Pattern Recognition
[4] N. Arica, F.T. Yarman-Vural - Optical character recognition for cursive handwriting. 2002 IEEE
[5] MNIST handwritten digit database - http://yann.lecun.com/exdb/mnist/
[6] Decision Tree Classification in Python - https://www.datacamp.com/community/tutorials/decision-tree-classification-python
[7] sklearn.tree.DecisionTreeClassifier - https://scikit-learn.org/stable/modules/generated/sklearn.tree.DecisionTreeClassifier.html</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on the behalf of Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content regarding by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor, and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with preference on empirical research, critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26344">
                <text>Handwriting digit recognition using Decision Tree Classifiers</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26345">
                <text>Demir Korać, Samed Jukić, Mujo Hadžimehanović</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26346">
                <text>Handwritten character recognition is useful at every scale, from large-scale applications to&#13;
common consumer use. The transition from handwritten to digital records can be made much smoother&#13;
by improving handwritten character recognition.&#13;
This work focuses on handwritten digit recognition using the decision tree classifier machine&#13;
learning method, implemented, trained and tested on data gathered from the Modified National&#13;
Institute of Standards and Technology (MNIST) dataset.&#13;
The data to be recognized comes from a pre-existing, reliable set that is used for both training and&#13;
testing, so that the result is fair. The system runs as a Python script; the dataset is stored in CSV&#13;
format, preprocessed and ready for further use.&#13;
Given the size of the dataset (42000 rows of data), the system's overall performance is satisfactory,&#13;
with an accuracy of 85%, and it outputs the results in an understandable manner.&#13;
</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26347">
                <text>character, decision, handwritten, recognition</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="43">
            <name>Identifier</name>
            <description>An unambiguous reference to the resource within a given context</description>
            <elementTextContainer>
              <elementText elementTextId="26348">
                <text>ISSN 2637-2835</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26349">
                <text>International Burch University, Sarajevo, Bosnia and Herzegovina</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26350">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26394">
                <text>January, 2020</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3454" public="1" featured="0">
    <fileContainer>
      <file fileId="4266">
        <src>https://omeka.ibu.edu.ba/files/original/b07ea9e57cba6ae337bfd4515469085d.pdf</src>
        <authentication>1aead1a15145473c159b69bbe91031a6</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="26400">
                    <text>Journal of Natural Sciences and Engineering, Vol. 2, (2020)
DOI number: 10.14706/JONSAE2020213

Biometrics Based Access Control System

Mujo Hadžimehanović1, Dino Kečo1, Demir Korać1
1 International Burch University, Sarajevo, Bosnia and Herzegovina
mujo.hadzimehanovic@stu.ibu.edu.ba
dino.keco@ibu.edu.ba
demir.korac@stu.ibu.edu.ba
Abstract – Access control includes attendance checking and intrusion prevention. It is used to protect
property, employees and other assets of a company or institution. Since attendance checking and
intrusion detection are important segments of many educational institutions and other businesses as well,
it is important to make these processes faster, easier and as convenient as possible. Many institutions
suffer from unreliable attendance checking methods, so we have decided to use biometrics, more
precisely face recognition, to automate and improve this overall process. As part of this study the full
system has been implemented for the recognition of people. As an example of usage in an educational
institution, multiple photos will be recorded during the class session, so that in case students leave
class after the first shot, they will be removed from the attendance sheet. All recognized people will be
stored in a Mongo database as an array of features and later read from the database and processed by using a
Python script for face recognition. All educational institutions are going to benefit from this study.
The benefits would be improved attendance management and security.
Keywords - attendance, face, images, recognition
1. Introduction

Technology is improving rapidly and everyday activities are adopting these improvements. The point is
to automate these activities rather than lose time performing them. Attendance is an important part of most
organizations such as schools, faculties, companies etc. Today, attendance is taken in various ways. The best
way to do it is biometrics. Biometrics is a bioengineering area which is an automated method for person
recognition based on physiological or behavioural characteristics. There are many biometric templates, such
as fingerprints, face, hand geometry, iris, voice or signature. The system is going to use the face biometric template
because it is the fastest approach and requires no human intervention. This method is better than other biometric
methods because those methods are time consuming. There are also many systems which use RFID
cards, location-based attendance tracking, signatures etc. The drawback of these methods
is that they can be faked. In RFID and location-based systems employees carry RFID cards or GPS
locators, so other people can check in instead of the actual employee. There are two main stages of the face recognition
process: face detection and face identification [1]. Recording employees' work hours and their
activities, and the attendance of students in schools, are important components of every company or school. This
process is maintained by using signature, fingerprint, iris, RFID or face recognition. The system is going to use a
camera which captures images of people entering the company or school building. Detected faces will be
compared with pictures which are already in the database. If a person's picture is in the database, attendance
will be checked automatically. Otherwise, the security system is going to be informed that an unrecognized
person entered the building. So, this system can also be used as an intrusion detection system.

2. Literature Review

The following section presents related work and the methods used in it.
Since they have large-scale data with massive noisy labels, X. Wu, R. He, Z. Sun, and T. Tan used a Light
CNN framework [2]. Their Light CNN architecture contains a Max-Feature-Map to suppress low-activation
neurons in all layers. Their model was trained on the Celeb-1M dataset. In order to handle noisily labeled images,
they proposed a semantic bootstrapping method to automatically re-label training data via pre-trained deep
networks. For training purposes they used five types of databases. The first type is the commonly used Labeled Faces
in the Wild, which consists of ~13,250 images of ~5,750 people. At VR@FAR=0 for Light CNN-29, they
achieved 97.50%, while the results of all other methods were lower than 70%. The next type of database consists of
collections of images extracted from YouTube videos, namely the YouTube Celebrities (YTC) and
Celebrity1000 databases. The precision achieved for these datasets is 94.18%. The third type consists of the MegaFace, IJB-A and
IJB-B datasets, which are challenging; they got 85.13% precision. Cross-domain databases are the fourth
type of database. It includes the CACD-VS, Multi-PIE and CASIA NIR-VIS 2.0 databases. They achieved
98.55% on CACD and 95.0% on Multi-PIE, and on CASIA the VR@FAR=0.1% result is further improved from
94.03% to 94.77%.
M. Arsenovic, S. Sladojevic, A. Anderla, and D. Stefanovic use a cascade of Convolutional Neural Networks (CNNs)
to detect faces and a CNN to generate embeddings of each face [3]. The best results for larger
datasets are generally achieved by using CNNs, but in their production environment that was not the case: the CNN gave the
best results for smaller datasets. An accuracy of 95.02% was achieved on a dataset created by the authors in a real-time
environment. Five employees of the company took pictures of themselves, and these pictures were used as
the dataset. The model was trained with these 5 pictures.
An active annotation and learning framework was used by H. Ye et al. [4]. They start with a face image
training set without labels and train a deep neural network iteratively; the model created was used to choose
examples for further manual annotation. Following the active learning strategy, a Value of Information
criterion is derived to actively select candidate annotation images. This model reaches a coverage of 70.7%
with a precision of 95%.
The MSR Image Recognition Challenge by J. Li et al. introduces a knowledge base whose idea is to assign each
face a unique entity key and provide a large dataset consisting of about 100,000 famous persons with around 100
images per person (MsCeleb) [5]. The method achieved a coverage of 46.1% at 95% precision on the random set
and 33% at 95% precision on the hard set of their challenge. The authors proposed a method consisting of two
stages to learn robust human face representations for effective recognition of human faces. The first stage on the
training set is cleaning the noisy data, because the dataset is taken from the internet, so images without faces can
appear. In order to do so, a deep neural network was trained on the existing dataset.
S. Chintalapati and M. V. Raghunadh used SVM and Bayesian classifiers for an automated attendance system
based on face detection and recognition [6]. They proved that these classifiers are better when compared to
other distance classifiers. This system automatically detects a student who enters the classroom and marks
the attendance if it recognizes him. One of the failures of the system is that it recognizes faces only up to 30 degrees
of angle variation.

3. Methods and Materials

The dataset to be used is Labeled Faces in the Wild [7], which is a database of face photographs designed for
studying the problem of unconstrained face recognition. It contains more than 13,000 pictures collected from
the web. Each image has been labeled with the name of the person on it. There are 1680 different persons in the
images. Fig.1 shows samples from the LFW dataset.

Fig.1. Samples from dataset
These images need to be processed in order to get a numerical representation of faces, which is called a feature
vector. A feature vector consists of various numbers in a specific order, which can be: height or width of the face,
width of the lips, nose height etc. The final output of a processed image needs to be an array of features, which is
shown in Fig.2. All features are stored in the mongo database for speed improvement. A Python script iterates over
a folder which has the dataset images and stores them one by one in a database with the image name and features. The Face
Recognition library with deep learning is going to be used for this project. The deep learning model has an accuracy
of 99.38% on the Labeled Faces in the Wild dataset. The features of the face recognition library are finding faces in pictures,
finding facial features in pictures and identifying faces in pictures. Once installed, face recognition gives us two
command line programs:
● face_recognition - recognize faces in an image
● face_detection - detect faces in an image
The face recognition process consists of two stages: taking and preparing the training dataset, and
integration into the existing system. For testing purposes, data was collected at the university. These are images of
students which were taken in the first year. Images are preprocessed and inserted into the mongo database by
using a python script for inserting images. After insertion, facebook images of the same people were taken and
tested by using the python script for face recognition.

Fig.2. Array of features
3.1 Data preprocessing

The implemented system is going to use monitoring cameras at the entrance. This means that we could have some
kind of network or other problems and the captured images could be blurry, so we have to include such images in the
training dataset, Fig.3. Persons entering the building can be photographed from different angles, so these kinds
of photos should also be included in the training dataset, Fig 4.


Fig.3. Original and Blurred image
Fig.3 shows an example of an original and a blurred image. If we have perfect conditions we would have a picture
like the original one, but if the system experiences network issues we might have a blurry image like the one
shown. The system has to be ready to respond accordingly to these kinds of issues. A Python script was written
using the OpenCV [8] interface to generate blurry images out of the original ones.

Fig.4. Image from front and side
In Fig.5 we can see facial features drawn on a picture of Pep Guardiola. The most important features are shown: eye,
nose, mouth and chin locations. These features are used when recognizing people in images. The face recognition
library contains the script face_landmarks for detecting facial landmarks and positioning the face based on them.

Fig.5. Facial features

3.2 Usage Workflow

The application usage workflow is shown in Fig.6. Images need to be collected into a single folder, so that the
insertion helper scripts can be run. For multiple insertions we need to pass a folder of images to the script, which
iterates through these images, creates encodings and inserts them into the database. The single insertion script accepts
an image as a parameter, encodes it and inserts it into the database. The last step is recognizing images: the script
accepts an image which needs to be recognized, iterates through the mongoDB collection and looks for
matching images.

Fig.6. Usage workflow
3.3 Face Recognition Library

The face recognition library which we are using is built using dlib’s face recognition with deep learning. We can
install the library by using the python package installer. Once installed, we are provided with two command-line
programs: face_recognition and face_detection. Face recognition recognizes faces in a photograph or in a
folder of photos. There should be two folders, one containing known people and a second which contains photos
of the people we want to recognize. The face recognition program is run with two parameters, which are the
names of these folders. The face detection program finds the pixel coordinates of faces. It takes a folder with images
as a parameter and at the end prints one line for each face that was detected. There is also an option to speed up
the overall process by doing the recognition with multiple CPU cores. For example, if we have an 8-core CPU, we
can process 8 times as many images in the same amount of time.
Dlib is a toolkit written in C++ that contains ML algorithms and tools for solving real world problems. The
most important thing is that dlib is an open source library, which enables anyone to use it anywhere, free of any
charge. Some of dlib’s features are Deep Learning, Multiclass SVM, Image Processing etc. Our library
uses the Image Processing tool for face recognition built by using deep learning tools from dlib.

3.4 Helper Scripts

There are multiple helper scripts which enable the user to insert multiple or single images into the database and
recognize faces. The most important parts of the scripts are shown in the following lines.
insertMultiple.py
import os
import face_recognition
import pymongo

# Setup not shown in the paper (assumed): the collection the encodings go to and the image folder
mycol = pymongo.MongoClient("mongodb://localhost:27017/")["faces"]["encodings"]
images = os.listdir("images")
num_of_images = 0
num_of_not_found = 0

for image in images:
    current_image = face_recognition.load_image_file("images/" + image)
    # one 128-d encoding per face found in the image
    encodings = face_recognition.face_encodings(current_image)
    if len(encodings) &gt; 0:
        current_image_encoded = encodings[0]  # keep the first face only
        num_of_images += 1
    else:
        print("No faces found in the image " + image)
        num_of_not_found += 1
        continue
    mydict = {"image": image, "encoding": current_image_encoded.tolist()}
    x = mycol.insert_one(mydict)
    print(image + " inserted")

The code snippet above loads images from the folder, encodes them and inserts them into mongoDB. We have to
provide the name of the folder which contains the images and simply run the script.

faceRecognition.py
import face_recognition
import pymongo

# Setup not shown in the paper (assumed): the same collection the insert script writes to
mycol = pymongo.MongoClient("mongodb://localhost:27017/")["faces"]["encodings"]

unknown_image = face_recognition.load_image_file("image.jpg")
unknown_encodings = face_recognition.face_encodings(unknown_image)
if len(unknown_encodings) == 0:
    raise SystemExit("No face found in image.jpg")  # indexing [0] would crash otherwise
unknown_face_encoding = unknown_encodings[0]
known_faces = []
names = []
for x in mycol.find():
    known_faces.append(x['encoding'])
    names.append(x['image'])
# one boolean per stored encoding: distance within the default tolerance of 0.6
results = face_recognition.compare_faces(known_faces, unknown_face_encoding)
for x in range(len(known_faces)):
    if results[x] == True:
        print("Recognized: " + names[x])
    else:
        print("Failed: " + names[x])

The code above does face recognition. It takes an image of the person we want to recognize,
encodes it, loops through the face encodings from the database and checks whether the person exists in the database.
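The comparison the script above delegates to face_recognition.compare_faces is a Euclidean distance test against a fixed tolerance, and the loop prints "Recognized" for every stored encoding that passes it. The added example below (not code from the paper) reproduces that test in plain Python over constructed 4-element encodings standing in for the 128-d dlib ones, picks a single best match so two stored faces within tolerance do not both count as present, and applies the paper's multi-shot rule that a student must appear in every shot of a session. The record layout (image, encoding) is the one the insert script stores; the helper names are assumptions.

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

TOLERANCE = 0.6  # default tolerance of face_recognition.compare_faces

# Constructed stand-in for the mongoDB collection: real dlib encodings have
# 128 floats, these have 4 so the distances are easy to follow by hand.
RECORDS: List[Dict] = [
    {"image": "alice.jpg", "encoding": [0.10, 0.20, 0.30, 0.40]},
    {"image": "bob.jpg",   "encoding": [0.90, 0.10, 0.50, 0.20]},
    {"image": "carol.jpg", "encoding": [0.30, 0.80, 0.10, 0.60]},
]

# Constructed probes: a clear Alice, a probe near both Alice and Carol,
# a clear Bob, and a stranger far from everyone.
PROBE_ALICE = [0.12, 0.22, 0.28, 0.41]
PROBE_AMBIGUOUS = [0.20, 0.50, 0.25, 0.50]
PROBE_BOB = [0.88, 0.12, 0.50, 0.20]
PROBE_STRANGER = [0.90, 0.90, 0.90, 0.90]


def face_distance(known: Sequence[float], unknown: Sequence[float]) -> float:
    """Euclidean distance, the metric face_recognition.face_distance uses."""
    if len(known) != len(unknown):
        raise ValueError("encoding length mismatch")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(known, unknown)))


def compare_faces(known_faces: Sequence[Sequence[float]], unknown: Sequence[float],
                  tolerance: float = TOLERANCE) -> List[bool]:
    """One boolean per stored encoding, as compare_faces returns it.
    Note that several entries can be True at once."""
    return [tolerance >= face_distance(k, unknown) for k in known_faces]


def best_match(records: Sequence[Dict], unknown: Sequence[float],
               tolerance: float = TOLERANCE) -> Optional[Tuple[str, float]]:
    """(image name, distance) of the closest stored face within tolerance,
    or None when the probe should be treated as an unrecognized person."""
    best: Optional[Tuple[str, float]] = None
    for rec in records:
        d = face_distance(rec["encoding"], unknown)
        if tolerance >= d:
            if best is None or best[1] > d:
                best = (rec["image"], d)
    return best


def attendance_from_shots(records: Sequence[Dict],
                          shots: Sequence[Sequence[Sequence[float]]],
                          tolerance: float = TOLERANCE) -> List[str]:
    """Names present in every shot of a session (one list of face encodings
    per shot); someone seen only in the first shot is dropped, as the paper
    describes for students who leave after the first photo."""
    present: Optional[set] = None
    for shot in shots:
        seen = set()
        for enc in shot:
            m = best_match(records, enc, tolerance)
            if m is not None:
                seen.add(m[0])
        present = seen if present is None else present.intersection(seen)
    return sorted(present or [])


if __name__ == "__main__":
    known = [r["encoding"] for r in RECORDS]
    print("compare_faces, ambiguous probe:", compare_faces(known, PROBE_AMBIGUOUS))
    print("best_match, ambiguous probe:", best_match(RECORDS, PROBE_AMBIGUOUS))
    print("best_match, stranger:", best_match(RECORDS, PROBE_STRANGER))
    session = [[PROBE_ALICE, PROBE_BOB], [PROBE_ALICE]]
    print("present in all shots:", attendance_from_shots(RECORDS, session))
```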

4. Results

A custom dataset was collected from our university: students' images were taken and tested on the
created scripts. From these tests we obtained an accuracy of 90.9% when testing on images found on
Facebook. There were some problems when recognizing people from different angles, but this can be material
for further study. Images of the people are not shown because they did not agree to publish their images.
Since the face_recognition python library has a pre-trained model, there is no need for additional training.
The improvement is that all images are inserted in mongoDB with the image name and face encodings array. Fig.5
shows one part of a mongoDB record. A Python script for inserting images in mongoDB was written; it takes a
folder with images and inserts them one by one in the database. In our testing environment the LFW dataset is used and
all images are collected into a single folder. The number of images inserted in the database is 4014. There are also
images on which faces are not recognized; the number of unrecognized images is 21. So, taking into consideration
that 4014 images are inserted and 21 are unrecognized, more than 99% of the images were
recognized. An example of such an image is shown in Fig.6. The execution time of the script is about 35 minutes for
the LFW dataset.
The final result of this research would be an access control application. The application can be installed on a Raspberry Pi
which has a camera installed. All assets that are necessary for the access control application to be fully functional
can be installed on the Raspberry: mongoDB, python and python libraries. The overall process is not so
demanding, so we do not need anything better than the Raspberry Pi 3 B+, which is the model we used
while testing the application.

5. Conclusion

The aim of this study was to make the attendance checking process a lot easier for companies and schools by
using biometrics. Every employee or student would be recorded by a camera at the entrance and registered in the
system. For educational institutions, cameras will be installed in classrooms so that the system can take
multiple shots during lessons. This research was successful because it made the recognition process faster by
using a document-based database, which is really fast.

This study will bring benefits for multiple groups. The benefit for schools is easier attendance recording and
less wasted time at the beginning of classes. Also, students will not have a chance to avoid coming to
classes because this system will not allow them to cheat. A similar benefit is for companies, to track their
employees' arrival and leaving times. Future research suggestions in this field are solving the problems of a person
being recorded from the side and of blurry images caused by internet connection issues.

REFERENCES
[1] B. T. Liyew and P. Hazari, “A Survey on Face Recognition based Students Attendance System.”
[2] X. Wu, R. He, Z. Sun, and T. Tan, “A Light CNN for Deep Face Representation With Noisy
Labels,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 11, pp. 2884–2896,
2018, doi: 10.1109/tifs.2018.2833032.
[3] M. Arsenovic, S. Sladojevic, A. Anderla, and D. Stefanovic, “FaceTime — Deep learning based
face recognition attendance system,” 2017 IEEE 15th International Symposium on Intelligent Systems
and Informatics (SISY), 2017, doi: 10.1109/sisy.2017.8080587.
[4] H. Ye et al., “Face Recognition via Active Annotation and Learning,” Proceedings of the 2016
ACM on Multimedia Conference - MM ’16, 2016, doi: 10.1145/2964284.2984059.
[5] J. Li et al., “Robust Face Recognition with Deep Multi-View Representation Learning,”
Proceedings of the 2016 ACM on Multimedia Conference - MM ’16, 2016, doi: 10.1145/2964284.2984061.
[6] S. Chintalapati and M. V. Raghunadh, “Automated attendance management system based on face
recognition algorithms,” 2013 IEEE International Conference on Computational Intelligence and
Computing Research, 2013, doi: 10.1109/iccic.2013.6724266.
[7] “LFW Face Database : Main.” [Online]. Available: http://vis-www.cs.umass.edu/lfw/. [Accessed:
19-Jan-2019].
[8] “OpenCV library.” [Online]. Available: https://opencv.org/. [Accessed: 09-Jan-2019].

</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on the behalf of Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content regarding by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor, and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with preference on empirical research, critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26336">
                <text>Biometrics Based Access Control System</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26337">
                <text>Mujo Hadžimehanović, Dino Kečo, Demir Korać</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26338">
                <text>Access control includes attendance checking and intrusion prevention. It is used to protect&#13;
property, employees and other assets of a company or institution. Since attendance checking and&#13;
intrusion detection are important segments of many educational institutions and other businesses as&#13;
well, it is important to make these processes faster, easier and as convenient as possible. Many&#13;
institutions suffer from unreliable attendance checking methods, so we have decided to use&#13;
biometrics, more precisely face recognition, to automate and improve this overall process. As part of&#13;
this study the full system has been implemented for the recognition of people. As an example of usage in&#13;
an educational institution, multiple photos will be recorded during the class session, so that in case&#13;
students leave class after the first shot, they will be removed from the attendance sheet. All&#13;
recognized people will be stored in a Mongo database as an array of features and later read from the&#13;
database and processed by using a Python script for face recognition. All educational institutions are&#13;
going to benefit from this study. The benefits would be improved attendance management and&#13;
security.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26339">
                <text>Keywords - attendance, face, images, recognition</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="43">
            <name>Identifier</name>
            <description>An unambiguous reference to the resource within a given context</description>
            <elementTextContainer>
              <elementText elementTextId="26340">
                <text>2637-2835</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26341">
                <text>International Burch University, Sarajevo, Bosnia and Herzegovina</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26342">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26393">
                <text>January, 2020</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3449" public="1" featured="0">
    <fileContainer>
      <file fileId="4265">
        <src>https://omeka.ibu.edu.ba/files/original/a7be93f106bd4655fce2c143192ca565.pdf</src>
        <authentication>671002f6cf69f8a0bc016d089e362b6e</authentication>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on the behalf of Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content regarding by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor, and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with preference on empirical research, critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26328">
                <text>Transient Stability Analysis on Modified IEEE 14-Bus System&#13;
</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26329">
                <text>Ermin Šunj, Ammar Arpadžić, Mirza Šarić</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26330">
                <text>Power system stability represents an important condition of the safe and efficient operation of&#13;
the electric power system. This paper presents the transient stability analysis for the case of the new&#13;
generator grid connection. The analysis is performed on a modified IEEE 14-Bus test system. In total,&#13;
two cases were analysed. In the first case, the analysis with the maximum installed power of the generator&#13;
(250 MW) is carried out, while in the second case, the analysis is performed using the optimal generator&#13;
ratings (75 MW) using the DIgSILENT PowerFactory software. The transient stability analysis was&#13;
carried out under the three-phase symmetrical faults and the N-1 criterion requirements. The results&#13;
indicate that power system large disturbances significantly influence system operation and&#13;
characteristics. This paper demonstrates the importance of transient stability analysis, which is an&#13;
important part of power system studies and must be included in generator grid connection approval.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26331">
                <text>active power, IEE 14-Bus system, N-1 criterion, reactive power, rotor angle, transient&#13;
stability</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="43">
            <name>Identifier</name>
            <description>An unambiguous reference to the resource within a given context</description>
            <elementTextContainer>
              <elementText elementTextId="26332">
                <text>2637-2835</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26333">
                <text>International Burch University, Sarajevo, Bosnia and Herzegovina</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26334">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26392">
                <text>January, 2020</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3448" public="1" featured="0">
    <fileContainer>
      <file fileId="4262">
        <src>https://omeka.ibu.edu.ba/files/original/cda47db38a0256d84f45336ef7e1fa5e.pdf</src>
        <authentication>9d17336775d02b9918c005099df3eb63</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="26399">
                    <text>Journal of Natural Sciences and Engineering, Vol. 2, (2020)
DOI number: 10.14706/JONSAE2020211

Impact of Electric Vehicles in a Grid-to-Vehicle Mode on Voltage Stability

Naida Nalo1, Emina Kišija1, Mirza Šarić1
1 International Burch University, Sarajevo, Bosnia and Herzegovina
naida.nalo@stu.ibu.edu.ba
emina.kisija@stu.ibu.edu.ba
mirza.saric@ibu.edu.ba

Abstract — With a rapid development and a massive deployment of electric vehicles, the power system
is facing many challenges regarding power quality and voltage stability. This paper deals with the impact
of electric vehicle in grid-to-vehicle mode depending on different EV penetration levels and point of
connection on static voltage stability impact of a real low-voltage distribution network. Based on nine
variations created, results showed that connecting vehicles closer to the beginning of the feeders creates
a smaller voltage drop, therefore more vehicles can be connected. However, going farther from the feeder
causes voltage to go below 0.9 p.u. and eventually leads to instability.
Keywords—electric vehicles, grid-to vehicle, static voltage stability.

1. Introduction

Power system stability can be defined as the ability of the system to remain in an equilibrium state under normal
operating conditions and to regain that equilibrium state after being subjected to a physical disturbance [1].
According to [2] power system stability is defined as a term applied to alternating – current electric power
systems, denoting a condition in which the various synchronous machines of the system remain in synchronism,
or „in step“, with each other. On the opposite side, instability is defined as a condition involving loss of
synchronism or falling „out of step” [2]. However, instability can also occur without the loss of synchronism
[1].
Electric vehicles (EVs) are considered to be a promising solution both for reducing air pollution and also as
being introduced as a new form of distributed generation when working in a vehicle-to-grid (V2G) mode. Many
countries are offering incentives and by doing so, motivating EV owners to charge their vehicles in scheduled
times, to help flatten the daily peaks [3].
In the stability calculations, the behavior of the system under the effect of a transient disorder is of interest.
Equipment reacts as a system response to a disorder. In each situation, only part of the protection reacts,
therefore, the problem must be simplified and the key factors for each type of instability must be defined.

In this project, the problem of voltage stability is investigated in a LV distribution network involving 46 buses
and 42 loads. According to different penetration levels of (EVs) and point of connection across the network,
nine scenarios were modeled and examined for voltage instability.
1.1 Voltage stability
Voltage stability is the ability of the system to maintain acceptable voltage values on all busbars in the system,
both in normal operating conditions and after the effects of the disruption. Voltage instability occurs when a
disorder, which can be caused by an increase in consumer demand or a change in operating conditions, causes
a progressive and uncontrollable voltage drop. The main cause of voltage instability is the inability of the
system to respond to reactive power requirements. The core of the problem is usually a decrease in the voltage
in the flow of active and reactive power through inductive reactances representing the transmission network
[1].
The criterion for voltage stability is that on all busbars in the system, under certain operating conditions, the
bus voltage is increasing as injection of reactive power on the same buses is increasing. Therefore, the system
is unstable if voltage level is decreasing as reactive power is increasing, at least on one busbar in the system.
Voltage stability is a local phenomenon, but its consequences may have a widespread impact.
A voltage collapse is far more complex than voltage instability and according to [4], can be explained as an
inability of the power system to supply the reactive power or as an excessive absorption of reactive power by
the system itself. It can also be defined as a process in which voltage instability causes very low voltage levels
in a substantial part of the system. A local voltage collapse can and will lead to a widespread collapse of the
power system [4].
2. Literature review

Electric vehicles have experienced a warm welcome by pollution-aware society. Their non-polluting nature
helped them gain popularity and become one of the most sold cars in Norway, according to the Norwegian
Road Federation [5]. However, deploying large fleets of electric vehicles impacts the load profile of the
network since EVs are introduced as additional loads when being connected for charging [3].
A study in [6] focused on the static voltage stability impact of EV charging stations. A cluster load model
equivalent to 20 sets of EV chargers was taken into consideration along with the different probability
distributions of state of charge (SOC) of the batteries. The authors concluded that charging stations are most
likely to cause voltage instability due to the variableness of power during the charging process.
Research conducted in [7] focused on the static voltage stability of plug-in EVs with respect to different
charging methods. The results showed that voltage stability is closely related to the proportion of the constant
impedance and the constant power load. Since EVs were considered as constant power load, the less the initial
voltage drop percentage, the more EVs will be allowed to access the distribution network.

Authors of [8] investigated the power quality and dynamic stability aspects of vehicle to grid connection of
EVs which uses a bidirectional power flow and allows the EVs to give back to the grid if needed. Their
conclusion was that charging and discharging state of the PEV does not affect negatively neither the voltage
stability nor frequency since they remain within allowed limits.
A study in [9] investigated the impact of high PV penetration in a low-voltage distribution network on voltage
stability. In the paper, PV curves were used to analyze the static voltage stability in a test node of an important
and possibly critical line. It was shown that the node situated near the end of the network had the weakest PV
characteristics due to power loading and the distance from the feeder. However, they concluded that integrating
photovoltaic units with 40% penetration level would optimize the voltage stability of that node.
Research conducted in [10] analyzes voltage stability with aid of PV curves on an example of a real
transmission network. EVs included in the study were all charged during the daily peak load with a six-hour
charge time. Results showed that high levels of EV penetration, with the expected annual increase, leads to
unacceptably large voltage variations.
A new method for analyzing the impact of PEVs in distribution networks was proposed in [11]. As in many
other papers, this study confirmed that a small number of vehicles does not create stability issues whereas a
large fleet of vehicles causes a greater effect on the grid. Charging strategies as the overall conclusion was
highlighted in this paper.
A study in [12] investigated an impact of EV charging on voltage variations and unbalance in a real low voltage
distribution network. Different scenarios were created to depict several EV penetration levels and load
distributions across the network. Results confirmed the work of other papers, showing that point of connection
plays an important role to the level of impact of EVs to two analyzed power quality parameters.
An analysis, similar to [9], will be conducted in this paper, using PV curves to determine the critical busbars
along the two feeders of the low-voltage distribution network. Section III explains the modeled network and
created variations, Section IV draws results and Section V draws conclusions.
3. Methods
3.1 Problem formulation
Electric vehicles in this project are treated as single-phase loads connected to the network, in a grid-to-vehicle
(G2V) mode. Because of the increasing number of EV charging stations being integrated to the power system,
analysis of their clustering effect and influence on the static voltage stability have become important and
necessary. In this project, analysis of an impact of EV charging on voltage stability is performed on a real
example of a part of a distribution network.

3.2 P-V Curves
In voltage stability studies, characteristics of interest are the relationships between transmitted power P,
receiving end voltage V and reactive power injection Q. P-V and Q-V curves are traditional forms of displaying
these relationships. In this project, P-V curves are analyzed. Power-Voltage analysis process includes
increasing transfers of power (MW) and monitoring what happens with voltages in the system. This is done by
increasing the power system load and, at each increment, power flows are recomputed (P-V curve is non-linear
and full power flow solutions are required) until the nose of the PV curve is reached, that is, the maximum
transferred power [13]. That point represents the critical voltage, because beyond it the voltage declines
rapidly. Operating at the maximum transferable power must therefore be avoided, since operating at or near
the stability limit risks a large-scale blackout. The power margin between the current operating point and the
critical voltage is used as the voltage stability criterion [14].
3.3 LV Distribution Network Modeling and Variations
In this paper, the analysis was done using the model of a 46-bus LV distribution network, with a total of 42 loads
distributed along two feeders, modeled in DIgSILENT Power Factory. Modeled network is provided in
Appendix 1. Length of the first feeder is 371 m while the length of the second feeder is 253 m. Nine variations
were modeled, including: low, medium and high EV penetration levels, at the beginning, in the middle and at
the end of the network. List of variations is provided in Table 1. Numbers of EVs included in each variation
are presented in Table 2 and Table 3.
Table 1. Network variations (penetration-point of connection)
Case no.   Network Variations
1          1.1 Low-beginning
           1.2 Medium-beginning
           1.3 High-beginning
2          2.1 Low-middle
           2.2 Medium-middle
           2.3 High-middle
3          3.1 Low-end
           3.2 Medium-end
           3.3 High-end

Table 2. Number of EVs in Variations
Variation No.     Penetration Level   Number of EVs   Percentage of penetration level
1.1, 2.1, 3.1     Low                 6               ≈15%
1.2, 2.2, 3.2     Medium              12              ≈30%

Table 3. Number of EVs in Variations cont’d
Variation No.     Penetration Level   Number of EVs   Percentage of penetration level
1.3, 2.3, 2.4     High                21              50%

4. Results
4.1 Case 1 - EVs distributed at the beginning
First three variations were modeled so that electric vehicles are placed near the beginning of the two feeders.
Each variation had a different penetration level of EVs as explained in Table 1. After the load flow calculation
was performed, Transmission Network Toolbox was activated, and PV curves were calculated. To see which
busbars stay within the allowed limits and which do not, several busbars were selected from the beginning,
middle and end of each of two feeders and included in the resulting PV graph. The obtained graphs for Case 1
variations are presented in Figure 1, Figure 2 and Figure 3, respectively.

Fig. 1. PV curves for Variation 1.1

Fig. 2. PV curve for Variation 1.2

Fig. 3. PV curve for Variation 1.3
All busbars whose PV curves are above the voltage value of 0.9 p.u. are acceptable and stable, while those
below 0.9 p.u. are not stable and therefore not acceptable. As presented in the graphs, two busbars, plotted in
blue and grey, have values below 0.9, which makes them unstable. These two busbars are from the first feeder,
situated in the middle and at the very end of the feeder. All busbars from the second feeder stayed within
allowed limits, as well as the busbar from the beginning of the first feeder.

4.2 Case 2 – EVs distributed in the middle
Three variations examined for the impact of EV charging and placement around the middle of the two feeders
were 2.1, 2.2 and 2.3. The number of EVs connected to the feeders is as given in Table 1. Several busbars
were selected and included in the resulting PV graph to depict the voltage stability across the two feeders, that is,
to show how stable the busbars from the beginning, middle and end of the two feeders are. Results for the
abovementioned variations are shown in Figure 4, Figure 5 and Figure 6.

Fig. 4. PV curve for Variation 2.1

Fig. 5. PV curve for Variation 2.2

Fig. 6. PV curve for Variation 2.3
According to results obtained from the PV graph, conclusions similar to those in previous variation can be
drawn. All busbars from the second feeder and only the busbar from the very beginning of the first feeder stay
within allowed limits of stability, that is above 0.9 p.u. value of voltage, shown in the y-axis. Two busbars from
the middle and at the end of the first feeder show instability.

4.3 Case 3 – EVs distributed at the end
The last three variations from Figure 2 were modeled to investigate to what extent EVs connected near the end of the
feeders affect the voltage stability of the selected busbars across the two feeders. The number of connected vehicles
per variation is shown in Table 1. The selected busbars remained the same as those used in the previous six
variations. The results obtained are shown in Figure 7, Figure 8 and Figure 9.

Fig. 7. PV curve for Variation 3.1

Fig. 8. PV curve for Variation 3.2

Fig. 9. PV curve for Variation 3.3
Results from the PV graph of the last tested variations show that the voltages of the two terminals from the
middle and end of the first feeder drop below 0.9 p.u., but settle at a more constant value when compared
to the results of the previous variations. All busbars from the second feeder and only one from the very
beginning of the first feeder have values greater than 0.9 p.u., making them well within the allowed limits of
voltage stability.

5. Conclusion

The purpose of this paper was to analyze the impact of different EV penetration and points of connection on
voltage stability of a distribution network. Load flow analysis was performed on all nine scenarios followed
by a PV curve calculation in Transmission Network Toolbox of DIgSILENT. Then, a static voltage stability
analysis was performed using PV curves for a number of selected busbars from the beginning, middle and end
of the two feeders. The criterion was that all curves above the 0.9 p.u. voltage value were acceptable, and all
below it show voltage instability.
It was found that the length of the feeder, point of connection and level of EV penetration played a crucial part
when it comes to voltage stability. All selected busbars from the second feeder remained within allowed limits
of voltage values while only one busbar from the beginning of the first feeder was above the limiting value.
This was mainly due to the length of the feeder, amount of loading and the distance from the source feeder.
For large fleets of EVs being connected and charged at the same time, voltage stability and power quality
becomes of crucial importance. Distribution system operators must pay attention to the impacts of charging on
power quality and stability of the distribution system, especially if vehicles are in close range, and situated
farther from source.
If no modifications are to be made to increase the network’s capacity, then only a limited number of vehicles can
be allowed, with reference to the point of connection. A possible solution could be integration of small
distributed generators or implementation of renewables, dispersed along the network to decrease voltage
variations and increase power quality, especially near the end of the feeders, where critical nodes are.
Future work might include analyzing and modeling the impact of connection of photovoltaics or small wind
generators in terms of distributed generation, which are expected to improve the voltage levels and overall
variations.

APPENDIX 1

6. References

[1] N. Rajaković, Analiza elektroenergetskih sistema II, Elektrotehnički fakultet, 2007
[2] E.W. Kimbark, Power System Stability (Vol. 1). John Wiley &amp; Sons, 1995
[3] J.Y. Yong, V.K. Ramachandaramurthy, K.M. Tan, N. Mithulananthan, A Review on the State-of-Art
Technologies of Electric Vehicle, Its Impacts and Prospects, Elsevier, Renewable and Sustainable Energy
Reviews 49, 365-385, 2015
[4] P. Kessel, H. Glavitsch, Estimating the Voltage Stability of a Power System. IEEE Transactions on Power
Delivery, 1(3), 346-354, 1986
[5] Electric vehicles are now the majority of cars sold in Norway, (2019, April 1st), Retrieved on 27th of May,
from: https://www.autoblog.com/2019/04/01/electric-vehicles-are-now-the-majority-of-cars-sold-in-norway/
[6] M. Zhang, J.H. Zheng, W.Z. Wang, M.T. Dai, Research on Static Voltage Stability Based on EV Charging
Station Load Modeling, International Conference on Advanced Power System Automation and Protection,
IEEE, 2011
[7] Y. Zhang, S. Xiaohui et al., Research of Voltage Stability Analysis Method in Distribution Power System
with Plug-In Electric Vehicle, PES Asia-Pacific Power and Energy Conference, IEEE, 2016
[8] E. Alghsoon, A. Harb, M. Hamdan, Power Quality and Stability Impacts of Vehicle to Grid (V2G)
Connection, The 8th International Renewable Energy Congress (IREC 2017)
[9] M. Ghaffarianfar, A. Hajizadeh, Voltage Stability of Low-Voltage Distribution Grid with High Penetration
of Photovoltaic Power Units, Energies 2018, 11(8), 1960, Available at: https://doi.org/10.3390/en11081960
[10] S. Avdaković, A. Bosović, Impact of Charging a Large Number of Electric Vehicles on the Power System
Voltage Stability, Elektrotehniški Vestnik, 137-142, 2014
[11] Y. Kongjeen, K. Bhumkittipich, Impact of Plug-in Electric Vehicles Integrated into Power Distribution
System Based on Voltage-Dependent Power Flow Analysis, Energies, 2018
[12] N. Nalo, A. Bosović, M. Musić, Impact of Electric Vehicle Charging on Voltage Profiles and Unbalance
on Low Voltage, Advanced Technologies, Systems, and Applications IV – Proceedings of the International
Symposium on Innovative and Interdisciplinary Applications of Advanced Technologies (IAT 2019), vol. 83,
Springer
[13] C. Reis, F.M. Barbosa, A Comparison of Voltage Stability Indices. MELECON Mediterranean
Electrotechnical Conference (pp. 1007-1010). IEEE, May 2006
[14] C.A. Cañizares, Voltage Stability Assessment: Concepts, Practices and Tools. IEEE/PES Power System
Stability Subcommittee Special Publication 2002 (SP101PSS)

</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on the behalf of Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content regarding by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor, and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with preference on empirical research, critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26321">
                <text>Impact of Electric Vehicles in a Grid-to-Vehicle Mode on Voltage Stability</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26322">
                <text>Naida Nalo, Emina Kišija, Mirza Šarić</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26323">
                <text>With a rapid development and a massive deployment of electric vehicles, the power system is&#13;
facing many challenges regarding power quality and voltage stability. This paper deals with the impact&#13;
of electric vehicle in grid-to-vehicle mode depending on different EV penetration levels and point of&#13;
connection on static voltage stability impact of a real low-voltage distribution network. Based on nine&#13;
variations created, results showed that connecting vehicles closer to the beginning of the feeders creates a&#13;
smaller voltage drop, therefore more vehicles can be connected. However, going farther from the feeder&#13;
causes voltage to go below 0.9 p.u. and eventually leads to instability.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26324">
                <text>electric vehicles, grid-to vehicle, static voltage stability</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="43">
            <name>Identifier</name>
            <description>An unambiguous reference to the resource within a given context</description>
            <elementTextContainer>
              <elementText elementTextId="26325">
                <text>2637-2835</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26326">
                <text>International Burch University, Sarajevo, Bosnia and Herzegovina</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26327">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26391">
                <text>January, 2020</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3447" public="1" featured="0">
    <fileContainer>
      <file fileId="4240">
        <src>https://omeka.ibu.edu.ba/files/original/3c43bbdca717ab9bb8b214e6318c4941.pdf</src>
        <authentication>a85ed28176bdfa2c9a8b13c68a6c6736</authentication>
        <elementSetContainer>
          <elementSet elementSetId="4">
            <name>PDF Text</name>
            <description/>
            <elementContainer>
              <element elementId="52">
                <name>Text</name>
                <description/>
                <elementTextContainer>
                  <elementText elementTextId="26319">
                    <text>Essentials of Digital Forensics
[Cover figure: digital forensic process flowchart. Start; detected security incident with digital devices used; notification of law enforcement and PR; digital forensic action initiated in written form; security staff notified; initial incident type identification (fraud, malware, unauthorised access, network related incident, DoS/DDoS, domestic violence, homicide); invoke incident response team; consent form; preservation; collection (post-mortem or live acquisition); examination; analysis; outcome satisfied? (NO / YES); management; reporting; notification; End]
Kemal Hajdarevic with
Nermin Ziga and Mirza Halilovic


Essentials of Digital Forensics

Kemal Hajdarevic with
Nermin Ziga and Mirza Halilovic

Sarajevo, 2019

Authors:
Dr. Kemal Hajdarevic with Nermin Ziga and Mirza Halilovic
Proofreading: Ana Tankosic
Publisher:
International Burch University
Editor-in-Chief:
Dr. Kemal Hajdarević
Reviewed by: Dr. Hamid Jahankhani, Dr Jasmin Azemovic and Dr. Colin Pattinson

DTP &amp; Design:
Dr. Kemal Hajdarevic
DTP and Prepress:
International Burch University
Circulation: electronic copy
Place of Publication: Sarajevo
Copyright: International Burch University, 2019
Reproduction of this publication for educational or other non-commercial purposes is
authorized without prior permission from the copyright holder. Reproduction for resale or
other commercial purposes is prohibited without prior written permission of the copyright
holder.
Disclaimer: While every effort has been made to ensure the accuracy of the information
contained in this publication, International Burch University will not assume liability for
the writing and any use made of the proceedings, nor for the presentation of the participating
organizations concerning the legal status of any country, territory, or area, or of its
authorities, or concerning the delimitation of its frontiers or boundaries.
----------------------------------CIP - Cataloguing in Publication
National and University Library
of Bosnia and Herzegovina, Sarajevo
343.98:004
HAJDAREVIĆ, Kemal
Essentials of digital forensics [Electronic resource] / Kemal Hajdarevic, Nermin Ziga, Mirza Halilovic. - E-book.
- Sarajevo : International Burch University, 2019
Access mode (URL): https://omeka.ibu.edu.ba/items/show/3447. - Title from title screen. - Resource described on
11 July 2019.
ISBN 978-9958-834-66-0
1. Žiga, Nermin 2. Halilović, Mirza
COBISS.BH-ID 27750406
-----------------------------------

Table of Contents

Author’s Preface (p. XI)
IMPORTANT DEFINITIONS (p. XIII)
PURPOSE OF THIS BOOK (p. XV)
COMPUTER FORENSICS AND INFORMATION SECURITY TRAINING COURSES (p. XV)
JOBS RELATED TO COMPUTER FORENSICS AND INFORMATION SECURITY (p. XVI)
ORGANISATION OF THE BOOK SECTIONS (p. XVII)
LEARNING TRACKS (p. XVIII)

1. Introduction to digital forensics (p. 1)
CHAPTER ABSTRACT (p. 1)
HISTORY OF FORENSICS (p. 1)
HISTORY OF DIGITAL FORENSICS (p. 4)
DIGITAL FORENSICS – DEFINITION (p. 5)
DIGITAL EVIDENCE (p. 5)
DIGITAL VS. COMPUTER FORENSICS (p. 5)
DIGITAL TRANSFORMATION IMPACT ON DIGITAL FORENSICS (p. 6)
AUDIT VS. DIGITAL FORENSIC INVESTIGATION (p. 7)
DIGITAL FORENSIC PROCESS (p. 8)
DIGITAL FORENSIC SCOPE (p. 8)
  Personal computers and servers (p. 9)
  Network devices and active components (p. 10)
  Databases (p. 10)
  Mobile Devices (p. 11)
  Digital Images (p. 11)
  Multimedia (p. 11)
  Memory (p. 11)
FORENSIC INVESTIGATION INITIATION (p. 12)
INCIDENT RESPONSE (p. 13)
SUMMARY (p. 14)
KNOWLEDGE ACQUIRED (p. 14)
REVIEW QUESTIONS (p. 14)
FURTHER READINGS (p. 15)
VIDEO RESOURCES (p. 15)

2. Digital forensics – classification (p. 17)
CHAPTER ABSTRACT (p. 17)
DIGITAL FORENSIC CLASSIFICATION BASED ON DATA SOURCE (p. 17)
  Forensics of general computer systems (p. 18)
  Database forensics (p. 19)
  Forensics of multimedia (p. 23)
  Watermarking (p. 23)
  Digital signatures (p. 23)
  Mobile device forensics (p. 23)
  Network forensics (p. 24)
SUMMARY (p. 25)
KNOWLEDGE ACQUIRED (p. 25)
REVIEW QUESTIONS (p. 25)
FURTHER READINGS (p. 25)
VIDEO RESOURCES (p. 26)

3. Digital forensics – process (p. 27)
CHAPTER ABSTRACT (p. 27)
STEPS IN THE DIGITAL FORENSIC INVESTIGATION PROCESS (p. 27)
  Preservation (p. 29)
  Collection (p. 31)
  Transport (p. 32)
  Examination (p. 32)
  Analysis (p. 33)
TYPES OF DIGITAL EVIDENCE ANALYSIS (p. 33)
  Media analysis (p. 34)
  Media management analysis (p. 34)
  File system analysis (p. 34)
  Network analysis (p. 35)
  Application analysis (p. 35)
  Operating System (OS) analysis (p. 36)
  Executable analysis (p. 36)
  Image analysis (p. 36)
  Video analysis (p. 36)
  Memory Analysis (p. 37)
  Reporting (p. 37)
DIGITAL EVIDENCE COLLECTION (p. 38)
  Live Data collection (p. 39)
  Post-mortem data collection (p. 41)
DATA CONCEALMENT (p. 42)
  Spoliation (p. 42)
  Encryption (p. 42)
  Steganography (p. 42)
SUMMARY (p. 46)
KNOWLEDGE ACQUIRED (p. 46)
REVIEW QUESTIONS (p. 47)
FURTHER READINGS (p. 47)
VIDEO RESOURCES (p. 47)

4. Digital forensics – tools (p. 49)
CHAPTER ABSTRACT (p. 49)
DIGITAL FORENSIC TOOLS (p. 49)
HARDWARE DIGITAL FORENSIC TOOLS AND THEIR USAGE (p. 50)
  Usage of hard disk docking stations (p. 50)
  Usage of memory card docking stations (p. 51)
  Usage of Portable Computer Forensic Lab (p. 51)
USAGE OF GENERAL COMPUTER FORENSIC TOOLS (p. 52)
  Disk Genius usage (p. 52)
  DD command tool usage (p. 53)
  Busybox usage (p. 54)
  Hash Calculation (p. 54)
DATABASE TOOLS USAGE (p. 55)
  Usage of the Oracle LogMiner (p. 55)
  Usage of the IBM Guardium Data Protection for Databases (p. 57)
  Usage of the DB Browser for SQLite (p. 58)
  Usage of the Undark - a SQLite data recovery tool (p. 59)
  Usage of the SQLite-Deleted-Records-Parser (p. 60)
USAGE OF THE NETWORK FORENSIC TOOLS (p. 60)
  Wireshark usage (p. 60)
  NIKSUN NetDetector usage (p. 62)
  Xplico usage (p. 62)
USAGE OF THE MOBILE DEVICE FORENSIC TOOLS (p. 63)
  Rooting Tools usage (p. 63)
  Santoku usage (p. 64)
  AF Logical OSE usage (p. 67)
  Autopsy and the Sleuth Kit usage (p. 67)
  Ingest Module usage (p. 71)
  Android Analyser module usage (p. 72)
  Accessing Partitions (p. 73)
  Timeline (p. 74)
  Reporting (p. 76)
SUMMARY (p. 77)
KNOWLEDGE ACQUIRED (p. 78)
REVIEW QUESTIONS (p. 78)
FURTHER READINGS (p. 79)
VIDEO RESOURCES (p. 80)

5. Simulation of digital forensic cases (p. 81)
CHAPTER ABSTRACT (p. 81)
CASE 1: FORENSIC DATA RECOVERY OF FILES ON PC (p. 81)
CASE 2: FORENSIC INVESTIGATION OF VIBER, VOICE CALL, SMS, AND COCO ON AN ANDROID MOBILE DEVICE (p. 84)
DEFINING THE SCOPE OF THE INVESTIGATION (p. 84)
PREPARING THE ENVIRONMENT FOR THE DATA ACQUISITION (p. 86)
  Rooting the Device (p. 87)
  Busybox Sideloading (p. 91)
  Determining Partitions and Blocks (p. 93)
ACQUIRING DATA FROM THE EVIDENCE DEVICE (p. 95)
  Logical data acquisition (p. 95)
  Physical data acquisition (p. 98)
IMPORTING IMAGE FILE INTO AUTOPSY (p. 100)
ANALYSIS OF THE ACQUIRED MOBILE DEVICE DATA (p. 100)
  Analysis of Logically Acquired Data (p. 100)
  Analysis of the Physically Acquired Data (p. 102)
  Viber Message and Call Investigation (p. 104)
  SMS Message Investigation (p. 109)
  GSM Voice Call Investigation (p. 112)
  Coco Message Investigation (p. 114)
INVESTIGATION FINDINGS (p. 117)
ENDING INVESTIGATIONS (p. 118)
CASE 3: DATABASE FORENSICS – USER COMPLAINTS ON HIGH BILLS (p. 120)
CASE 4: DATABASE FORENSICS – SALARIES DATA LEAKAGE (p. 122)
CASE 5: DATABASE FORENSICS – DATA DELETION (p. 125)
SUMMARY (p. 128)
KNOWLEDGE ACQUIRED (p. 128)
REVIEW QUESTIONS (p. 129)
FURTHER READINGS (p. 129)
VIDEO RESOURCES (p. 129)

6. Conclusions (p. 131)
CHAPTER ABSTRACT (p. 131)

Appendix – Consent Form (p. 133)
Appendix – Incident response form (p. 134)
GENERAL DATA ABOUT INCIDENT (p. 134)
TYPE OF INCIDENT (p. 134)
  Details for malicious software (p. 135)
  DoS / DDoS attack (p. 135)
  Details for an unauthorized access (p. 135)
  Leakage of data and information in public (p. 135)
Appendix – Digital forensic process (p. 136)
List of Figures (p. 138)
List of Tables (p. 141)
Acronyms (p. 143)
References (p. 145)
Index (p. 159)
About authors (p. 163)

Author’s Preface

Information available on the Internet Live Stats web site
(www.internetlivestats.com) shows that 40 percent of the world’s population
is using the Internet. Media almost daily report on different cyber and digital
security incidents. Many more similar incidents have never been reported,
or they have been reported years after they occurred, because disclosure
could have jeopardised ongoing law enforcement investigations or because
it could have been embarrassing and thus negatively affected the reputation
of the victim, whether an organisation or a person.
After a cyber- or information security incident, the obvious step is to make
efforts to minimize losses, establish practices to avoid similar situations in
the future, and punish the perpetrators and/or masterminds of the incident to
discourage future attempts.
To be able to accomplish the above-mentioned goals it is necessary to
understand the nature of the incident and the actual losses, to detect, collect, and
preserve evidence, and to detect and locate the perpetrators of the attack that
led to the cyber incident.
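The preservation step mentioned above is, in practice, about being able to prove that what is analysed is exactly what was collected. As an added illustration, not taken from the book, the following Python script hashes a constructed sample evidence file at collection time, stores the result in a chain-of-custody entry, and re-verifies the file before analysis, including the case where a single byte has since been altered. The file contents, the case identifier and the examiner name are constructed for the example; the hashing itself uses only the standard library.

```python
"""Evidence integrity record: hash at collection, verify before analysis.

Added illustration, not part of the book. Standard library only.
The evidence file and its contents are constructed here; in a real case the
acquired image (for example the output of dd) would be hashed instead.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images never need to fit in RAM


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_collection(path: str, case_id: str, examiner: str) -> dict:
    """Create a chain-of-custody entry at collection time (who, what, when, hash)."""
    return {
        "case_id": case_id,
        "evidence": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_before_analysis(path: str, entry: dict) -> bool:
    """Re-hash the item; any mismatch means the evidence can no longer be relied on."""
    return (
        os.path.getsize(path) == entry["size_bytes"]
        and sha256_file(path) == entry["sha256"]
    )


def demo() -> tuple:
    """Run collect -> verify -> tamper -> verify on a constructed file.

    Returns (intact_before_tamper, intact_after_tamper), expected (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.img")
        with open(path, "wb") as f:
            f.write(b"constructed sample evidence image\n" * 1000)  # constructed data
        # Constructed case identifier and examiner name.
        entry = record_collection(path, case_id="CASE-0001", examiner="examiner-A")
        log_line = json.dumps(entry)  # what would be appended to the custody log
        intact = verify_before_analysis(path, json.loads(log_line))
        with open(path, "r+b") as f:  # simulate a single-byte alteration
            f.seek(10)
            f.write(b"X")
        tampered = verify_before_analysis(path, json.loads(log_line))
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("intact after collection:", before)
    print("intact after one-byte change:", after)
```

The size check is a cheap first filter; the hash is the real control. Recording both at collection and comparing both before analysis is what lets an investigator state that the examined copy is the collected one.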
A common scientific approach to collecting, preserving, analysing, and
reporting criminal cases where computers and digital equipment are used,
or where they have been the object of the attack, is called digital
forensics. If a specific device or software is the object of the forensic
investigation process, the scientific approach can be called computer
forensics, network forensics, database forensics, etc.
There are different areas of digital forensics based on the object of the
criminal activity and on the technological tools used to commit an attack.
Digital forensics can be performed by an external forensic service or it can
be done in-house. Knowledge about the forensic process is very important
even if external forensic knowledge or services are used, so that the affected
organisation is able to monitor the external forensic service or to perform
forensics internally if there are enough internal resources for such an
activity.
Some of the first professionals who can detect criminal or fraudulent activities
where computers are involved are computer operators and system or
network administrators. Another profession that can have an active role in
detecting fraud or abuse of system resources is internal auditors.
Because internal and external auditors have experience and a broad
knowledge of computer and network systems, they can detect criminal
activity and perform initial forensic analysis. However, forensics and
audit are not the same process, and the differences between the two are
presented in this book.
Not every organisation is obliged to have a regular internal and external
audit, or testing for technical vulnerabilities (also called penetration
testing); nevertheless, the experience of organisations which have
this type of assurance, and incidents which occurred in the past, show that
regular vulnerability checks are needed. Auditors can be given the task by
top management to analyse a fraudulent or a criminal activity, as
professionals who already have in-depth knowledge of the specific
system. Furthermore, revealing information about fraud or crime to
the public can bring negative publicity.
That is why it is important for computer professionals, information
technology professionals, and internal auditors to understand the steps and
procedures of the digital forensic investigation process. It is also important
for them to understand what good digital forensic practice should be and
what should not be done during the forensic process.
The aim of this book is to clarify forensic topics and bring them closer to
students, professionals, information security managers, internal auditors,
and other IT specialists who want more information about the digital forensic
process, tools, and activities. Based on Criminal Justice Degree Schools
(2019) as well as on courses and the authors’ experience in teaching, this book
also names potential and some already taught courses in computer
forensics and information security.

Important definitions
Data – “factual information (such as measurements or statistics) used as
a basis for reasoning, discussion, or calculation” (Data, Merriam-Webster, 2019)

Information – “a signal or character (as in a communication system or
computer) representing data; the communication or reception of
knowledge or intelligence” (Information, Merriam-Webster, 2019)
Information technology – “the technology involving the development,
maintenance, and use of computer systems, software, and networks for the
processing and distribution of data” (Information technology, Merriam-Webster, 2018).
Information system (IS) – “an integrated set of components for
collecting, storing, and processing data and for providing information,
knowledge, and digital products… The main components of information
systems are computer hardware and software, telecommunications,
databases and data warehouses, human resources, and procedures…”
(Information system, Britannica, 2019)
Information System (IS) Security – “Refers to the activities, processes,
methodologies, frameworks, and standards used for the maintenance of
information and information assets confidentiality, integrity, and
availability” (Techopedia, 2018)
Forensics – “belonging to, used in, or suitable to courts of judicature or
to public discussion and debate” (Forensic, Merriam-Webster, 2018).
Digital forensics – includes not only computers but also any digital device,
such as digital cameras, flash drives, digital networks, cell phones, IoT
(Wiley C., 2019).

Internal auditing – “Internal auditing is an independent, objective
assurance and consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance
processes.” (IIA, 2019)

Purpose of this book
The purpose of this book is to provide an insight into forensics of
computers and other digital devices. This is because the world of physical
operations and business is moving into the digital world and onto the Internet
wherever possible, thus creating a greater risk of cyber-attacks. In
common business surroundings, criminal activities are not something that
business owners would like to encounter. Considering that the digital world
and cyber-attacks are not something that business owners usually come in
contact with, they are more often than not unprepared for the aftermath of a
potential incident. They are also unaware of their need for the computer
or digital forensics investigation process. Thus, the purpose of this book
is to familiarize them with the following: Confidentiality, Integrity,
Availability (CIA), Authentication, and Audits.

Computer Forensics and Information Security Training Courses
Following are the courses in the field of information security and cyber
forensics:
- Computer Forensics Essentials
- Cybercrime
- Current Issues in Cyberlaw
- Computer Forensics File Systems
- Architecture of Secure Operating Systems
- Forensic Analysis in a Windows Environment
- Forensic Analysis in a Linux/Unix Environment
- Malware and Software Vulnerability Analysis
- Network Security
- Network Forensics
- Mobile Forensics Analysis
- Forensic Management of Digital Evidence
- Cyber Incident Analysis and Response
- Digital Forensics Investigative Techniques
- Computer Forensic Ethics
- Advanced Topics in Computer Forensics
- Information Systems Security Planning and Audit
Criminal Justice Degree Schools (2019)

Jobs related to computer forensics and information security
Based on Criminal Justice Degree Schools (2019) and the authors’ experience,
following are some job titles common in the cyber security industry:
- Business Intelligence Analyst
- Information Security Auditor
- Information System Auditor
- Crime Analyst
- Computer Forensics Investigator
- Computer Systems Analyst
- Cybersecurity Officer
- Digital Forensics Investigator
- Digital Forensics Specialist
- Information Security Officer
- Chief Information Security Officer
- Information Security Analyst
Organisation of the book sections
This book is divided into six sections:
1. Introduction to digital forensics
2. Digital forensics – classification
3. Digital forensics – process
4. Digital forensics – tools
5. Simulation of digital forensic cases
6. Conclusions
While reading, it is possible to follow different tracks.

Learning tracks
It is possible for a reader to acquire a specific set of skills and knowledge
on certain paths through different chapters.
[Table: Learning tracks. Columns (chapters): Introduction; Digital forensics classification; Digital forensics process; Digital forensics tools; Digital forensics cases. Rows (job titles): Business Intelligence Analyst; Information Security Auditor; Information System Auditor; Crime Analyst; Computer Forensics Investigator; Computer Systems Analyst; Cybersecurity Officer; Digital Forensics Investigator; Digital Forensics Specialist; Information Security Officer; Chief Information Security Officer; Information Security Analyst. An X marks each chapter recommended for a job title.]

1. Introduction to digital forensics

Chapter abstract
Chapter goals: Digital transformation has a great impact on cyber
forensics because of new services in place, new technologies, and devices.
This chapter presents some general information about the early
advancements in forensics, and digital forensics. It also provides the
explanation of what the digital evidence is and in what state it can be
found. Furthermore, this chapter explains different types of digital
forensics as well as the difference between digital forensic analysis types.
Digital forensics is usually triggered by, and forms part of, the incident
response process, which is also explained in this chapter.
Learning outcomes: Learning about one aspect of the forensic history.
Knowledge of the core principles of forensics and digital forensics.

History of forensics
In early societies there was a need to resolve different issues and disputes
in an acceptable manner, so that conclusions were clear and there was no
room for ambiguity. As presented in Figure 1, the English word forensic
comes from the Latin word forum, and it initially meant “in open court”
(Williams A., 2000).

Figure 1. Word “Forensic” explanation (Google, 2018)

Historians have found evidence that ancient societies needed to clarify
criminal and other cases, using the science and common knowledge of their
time to establish the truth about past events (Williams A., 2000). It was
the practice to present evidence to the public for comment and criticism,
so that everyone was aware of what had happened in a specific case. With
time, the forensic process became a key step of every criminal
investigation, because every criminal case needs a resolution in terms of
finding who is responsible for the wrongdoing.
Edmond Locard Principle of Exchange (Crime Museum, 2019):
“..when a person commits a crime something is always left at
the scene of the crime that was not present when the person
arrived.”

The “something” is the goal of every forensic investigator, and it is crucial
to detect and preserve it for the later use in the process of reporting
findings.
The German-born scientist Archibald Reiss founded the first academic
forensic science programme and the Institute of forensic science at the
University of Lausanne in 1909 (Witte de With, 2019).
Through history, forensics as a discipline is perhaps best known from
medical pathology cases; however, recent history shows that traffic
accidents, the use of firearms, and digital and computer equipment have
also become important areas of forensic investigation.
Any view of the history of forensics would certainly include the use of
fingerprints found at the crime scene. Because of its uniqueness, the
fingerprint became an important means of identifying a person. As with
other scientific advances, more than a single inventor contributed to the
forensic use of fingerprints (History of Fingerprints, 2018). Recent
advances in computer technology use pictures and videos to identify a
person with high accuracy (Kremic, Subasi, Hajdarevic, 2012).
Other important methods used for forensic purposes were blood grouping, DNA
sampling, firearms and bullet comparison, traffic analysis, and others
(History of Fingerprints, 2018), as listed below:
- Francis Galton, Edmond Locard – study of fingerprints
- Leone Lattes – discovered blood groupings (A, B, AB, and O)
- Calvin Goddard – firearms and bullet comparison
- Albert Osborn – developed principles of document examination

Because scientific forensics can help resolve disputes in different areas,
different forensic research areas emerged, some of which are named below:
- Forensic Pathology – sudden unnatural or violent deaths
- Forensic Anthropology – identification of human skeletal remains
- Forensic Psychiatry – forensics of psychiatric cases
- Forensic Odontology – dental forensics
History of digital forensics
Computers were the objects of early forensic investigations, but digital
forensics relates to all digital equipment, not only computer devices.
Today many digital devices that use, store, and communicate digital data
are available, and all of them are potential candidates for forensic
investigation cases.
Below is a short history of digital forensic advancements:
- 1984 FBI Computer Analysis and Response Team (CART) was formed.
- 1991 An international law enforcement meeting was held to discuss
  computer forensics and the need for a standardized approach.
- 1997 Scientific Working Group on Digital Evidence (SWGDE) was
  established to develop standards.
- 2001 Digital Forensic Research Workshop (DFRWS) was established for
  development of the research roadmap.

Digital forensics – definition
Digital forensic investigators use science throughout the entire process of
collecting, analysing, and reporting evidence.
Digital Forensic Science (DFS) is defined by Digital Forensic Research
Workshop (DFRWS, 2001) as:
“The use of scientifically derived and proven methods toward
the preservation, collection, validation, identification,
analysis, interpretation, documentation and presentation of
digital evidence derived from digital sources for the purpose
of facilitating or furthering the reconstruction of events found
to be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.”

Digital evidence
The heart of every digital forensic investigation is data as evidence, upon
which the entire potential case is built. When considering types of digital
forensics, one approach is to classify digital forensic analysis by the data
sources used for the investigation, because data is crucial for making
decisions, navigating through evidence, and producing the digital forensics
report.

Digital vs. Computer forensics
Digital evidence is the heart of every digital forensic investigation, and
sometimes the term computer forensics is used to refer to the same process.
Computer forensics covers the forensics of computers and related devices, as
well as the software used on them. Digital forensics has a wider scope which
also includes digital devices such as smartphones and cell phones, flash
drives, media devices, and digital cameras. The purpose of digital forensics
is to determine whether a device was used in a criminal act, such as
computer fraud, computer hacking, traffic accidents, or illegal pornography
distribution (Wiley C., 2019).

Figure 2. Digital and Computer forensic realm (computer forensics shown as a
subset of digital forensics)

Digital transformation impact on digital forensics
Digital transformation has an impact on digital forensics because of the
increased number of users and digital devices. These devices are used, and
sometimes misused, in a way that makes them objects of criminal
investigations. Law enforcement agencies use sources such as personal or
business computers and Internet cache history to analyse the behaviour of
suspects and offenders with the goal of resolving criminal cases.

Audit vs. Digital forensic investigation
Having digital devices as means of support for business and everyday
activities poses the risk that those devices are used for unlawful or other
wrongdoings. Wherever digital data exists, there is a need to analyse and
investigate how data and digital devices are being used. Two general
approaches for analysing and investigating digital evidence and operations
with digital data are known as audit and digital forensic investigation.
Audit and forensic investigation are not the same; based on Marcella and
Mendey’s (2008) comparison, this book presents some major differences
between the two investigation processes.

TABLE 1. Audit vs. Digital forensic investigation

Definition
  Audit: “Internal auditing is an independent, objective assurance and
  consulting activity designed to add value and improve an organization's
  operations. It helps an organization accomplish its objectives by bringing
  a systematic, disciplined approach to evaluate and improve the
  effectiveness of risk management, control, and governance processes.”
  (IIA, 2019)
  Cyber forensic investigation: “The use of scientifically derived and
  proven methods toward the preservation, collection, validation,
  identification, analysis, interpretation, documentation and presentation
  of digital evidence derived from digital sources for the purpose of
  facilitating or furthering the reconstruction of events found to be
  criminal…” (DFRWS, 2001)

Objective
  Audit: to determine the alignment of organisational operation with laws,
  regulations, bylaws, and standards.
  Cyber forensic investigation: to detect digital evidence and identify the
  individuals responsible for the wrongdoing.

Scope
  Audit: determined during the planning phase, depending on the audit goals.
  Cyber forensic investigation: all digital devices which can be used to
  document a specific case.

Timing
  Audit: planned regular audits, or an audit at the request of management.
  Cyber forensic investigation: part of the investigation process after an
  incident in which a digital device was used.

Methodology
  Audit: Professional Practice of Internal Auditing by The Institute of
  Internal Auditors.
  Cyber forensic investigation: an available and approved local or
  international methodology which defines the digital forensic steps, such
  as the justification for starting the forensic investigation, getting
  approval for the investigation, and the steps for conducting the forensic
  investigation on the scene: “…preservation, collection, validation,
  identification, analysis, interpretation, documentation and presentation
  of digital evidence derived from digital sources…” (DFRWS, 2001)

Reporting
  Audit: reporting to the organisation or company management.
  Cyber forensic investigation: reporting to the prosecutor, law
  enforcement, or the organisational management.

Impact
  Audit: presented in a non-confrontational manner; the aim is to help the
  auditee recognise risks and improve performance and the level of
  alignment with laws and standards.
  Cyber forensic investigation: depends on the investigation outcome.
Digital forensic process
Digital forensic process refers to the identification, preservation,
collection, analysis, and reporting of evidence found on any digital device
to support investigations and legal actions.

Digital forensic scope
The scope of digital forensics is not limited to a specific technology,
hardware, or software component, because digital evidence can be stored in
a database or file, and transferred via different network technologies.
Criteria for determining the scope of a digital forensic investigation can
be based on the object of the attack or fraud, the devices used for the
fraud or attack, and the vector of the attack.
Some of the sub-disciplines of digital forensics that follow from this scope
are presented below (Open University, 2018).
Personal computers and servers
Computer forensic process is performed on computers, laptops, and
storage media.

Figure 3. Computer forensic

Forensic investigators search for digital evidence in directories, files, and
logs that can be stored on hard drives, and other media such as removable
media used with computer systems.


Network devices and active components
The network forensic process includes monitoring and/or capturing,
preserving, and analysing network traffic, sessions, and other network
activities or events in order to discover the source of security attacks,
intrusions, or other incidents, e.g. worm, virus, or malware attacks,
abnormal network traffic, and security breaches.
Special care must be taken when collecting forensic data in networks,
because network traffic has to be captured in order to be analysed. If the
traffic and sessions were not captured, it is usually only possible to
analyse the results of sessions and traffic generated before the
investigation took place.

Figure 4. Network forensics

Databases
The recovery of information from databases entails the recovery of logs
associated with database operations, as well as user and administrator
interactions with data stored in database files and logs.

Mobile Devices
Mobile device forensics is the process of collecting and analysing
electronic evidence from mobile phones, smartphones, SIM cards, PDAs,
GPS devices, tablets, and game consoles.
Digital Images
Digital image forensics is the process of the extraction and analysis of
digitally acquired photographic images to validate their authenticity by
recovering the metadata of the image file to ascertain its history.
Multimedia
Multimedia forensics encompasses Digital Video/Image/Audio Forensics
which refers to the collection, analysis, and evaluation of sound, image,
and video recordings. The science in this sense refers to the establishment
of authenticity as to whether a recording is original and whether it has
been tampered with, either maliciously or accidentally.
Memory
Live acquisition or memory forensic process refers to the recovery of
evidence from the RAM of a running computer.
Triggers for digital forensics
Different events trigger a digital forensic investigation, such as:
- Denial of service attacks
- Child pornography
- Domestic violence
- Using an organisation’s computer or other equipment for personal benefit
- Computer fraud
- Hacking
- Blackmail
- Extortion
- Homicide cases
- Missing persons
- Other cases

The events stated above trigger an incident response which has to involve
the digital forensic process.

Forensic investigation initiation
Common practice for forensic analysis is that law enforcement initiates the
forensic analysis in written form.

Figure 4. Forensic analysis goals to detect – who, what, when, where

Another possible initiator of digital forensics is a company’s or
organisation’s management, with the goal of performing forensic analysis to
determine who did what, when, and where using digital equipment (digital
assets).

Incident response
Computer and digital forensics have to be part of incident response,
because after each incident proper actions need to be taken so that future
incidents are prevented and perpetrators are punished.

Figure 5. Incident response plan: Preparation, Identification, Containment,
Eradication, Recovery, Post-Mortem (Banking and Insurance, 2017)

Incident response is performed through predefined stages and it is usually
a planned activity (Banking and Insurance, 2017). It contains the stages
shown in Figure 5: Preparation, Identification, Containment, Eradication,
Recovery, Post-Mortem. Some useful information about the recovery phase and
post-mortem analysis can be found in the Appendix – Incident response form.
The post-mortem is considered to be the initial step of the digital forensic
process, which is explained in Chapter 3.

Summary
Digital forensics is the science of investigating digital equipment to
acquire data relevant to criminal investigations.
New devices, software, and services keep appearing on the market, and each
can be the object of, or the tool for committing, a cyber-crime; solving
such a crime requires specific knowledge to conduct the criminal
investigation.

Knowledge acquired
The difference between different digital forensic types. History of
forensics and digital forensics.

Review questions
1. Explain the difference between computer and digital forensics.
2. Define digital forensics.
3. What are the types of digital forensics?
4. What is the incident response and what triggers it?
5. Why are digital and computer forensics important?
6. What is digital evidence?
7. What are the basic steps of digital forensics?

Further readings
- US CERT Cyber forensic,
  https://www.uscert.gov/sites/default/files/publications/forensic.pdf
- A Beginners Guide to Computer Forensic,
  http://ithare.com/a-beginners-guide-to-computer-forensic/

Video resources
- How the Feds Caught Russian Mega-Carder Roman Seleznev,
  https://www.youtube.com/watch?v=6Chp12sEnWk&amp;t=2529s
- Cyber forensic, https://www.youtube.com/watch?v=2D5wTo1adbg
- What is cyber forensic, https://www.youtube.com/watch?v=lxUN-fOIe00
- What is cyber forensic, Smithsonian Channel,
  https://www.youtube.com/watch?v=BSyi6yMIB0s

2. Digital forensics – classification

Chapter abstract
Chapter goals: To present different computer and digital forensic types
based on data source used for the digital forensic investigation. To
explain each recognised class of forensic investigation.
Learning outcomes: Knowledge of the core forensic classification and
data such as database log files important for conducting the forensic
investigation.

Digital forensic classification based on data source
Based on the data sources and scope of digital forensics explained in the
previous chapter, digital forensics can be classified as follows: forensics
of general computer systems, database forensics, forensics of multimedia
devices, mobile device forensics, and network forensics.

Figure 6. Digital and Cyber forensic types

Forensics of general computer systems
Computer systems are built from components such as motherboards, memory,
hard drives, monitors, and DVD drives. Depending on usage and mobility, a
system can be a laptop, a home computer, a work computer, or a server in an
enterprise environment. These systems can hold an abundance of interesting
digitally stored information needed for a potential forensic analysis.
Investigators can obtain written documents with creation dates, e-mail
correspondence, pictures, messages, etc. This information can be used to
determine the timeline of events and the actors involved (Casey, 2011).

Database forensics
Database forensics relies on data stored in databases and files used by
database management system (DBMS).
Paul M. Wright (2007) defined the major sources of evidence in an Oracle
database which can be considered when performing database forensics:
Listener log – This log stores the name of the listener, the protocol and
communication port used for accepting connections, the nodes allowed to
connect to the database, the database services, and control parameters.
Alert log – This log records database startup and shutdown, errors
connected to data storage, etc.
Sqlnet log – The purpose of this log is to keep track of unsuccessful
attempts to access the database. A forensic analyst has to check this log
to discover potential unauthorised attempts to access the database; it can
provide useful information about the source address of the connection
attempt.
Redo logs – These logs hold the history of all changes in a database. Every
redo log file consists of redo records, each representing a change made to
a specific block in the database (Oracle, pp. 79); the records survive
beyond the current log files only if Oracle archiving is activated
(Litchfield, 2007). Every change in a database is first written to database
buffers in the system global area (SGA) memory. The buffers are written to
disk, into the file known as the Online Redo Log, by the Oracle Log Writer
background process (LGWR), either when a COMMIT is issued or every three
seconds. The online redo logs are used cyclically, so they can fill up and
be overwritten with new entries. To be able to recover important logs from
the database and avoid the loss of evidence, it is necessary to run the
database in ARCHIVELOG mode, in which the archiver (ARCn) background
process copies each filled redo log before it is reused (Litchfield, 2007).
It is possible to check whether archiving is turned on by issuing the SQL
query:
SQL&gt; SELECT VALUE FROM V$PARAMETER WHERE NAME = 'log_archive_start';
VALUE
-----
TRUE
A value of TRUE indicates that automatic log archiving is activated, while
FALSE indicates that it is not enabled. Note that the log_archive_start
parameter is deprecated from Oracle Database 10g onward; on current
releases the authoritative check is the LOG_MODE column of V$DATABASE,
which reports ARCHIVELOG or NOARCHIVELOG.
The FGA (Fine Grained Auditing) audit log can be used for collecting data
about access to and changes in a database. It can audit SELECT, INSERT,
UPDATE, and DELETE statements against specific tables and columns,
optionally only when a configured condition is met, and every detected
activity is recorded in the audit tables (Oracle Fine Grained Auditing,
2019).
Nanda A. and Burleson (2003) wrote:
“The ability to check who actually handles objects, not just who has
authority is provided by auditing. A good auditing system provides a
process for recording the access to the objects in a storage system,
forming an audit trail”
Oracle’s documentation of DBA_FGA_AUDIT_TRAIL (2019) adds:
“Audit trail records created by Fine Grained Auditing can be captured
and analysed in Oracle Audit Vault and Database Firewall, automatically
alerting the security team about possible malicious activity.”
Audit tables contain the information presented below (Oracle Fine Grained
Auditing, 2019):
DB_USER – database user who issued the statement.
SESSION_ID – unique session ID.
TRANSACTION_ID – ID of the transaction in which the object was changed or
accessed.
OS_USER – operating system user.
USERHOST – name of the client computer (host).
OBJECT_SCHEMA and OBJECT_NAME – schema and table.
SCN – System Change Number at which the audit record was generated; it
orders the record relative to all other changes in the database.
SQL_TEXT – text of the SQL statement.
COMMENT$TEXT – additional comments linked to the audit record, if any.
EXT_NAME – external name of the user, if the user was authenticated
externally.
TIMESTAMP – date and time of the audited action.
The following are the audit views that can be used for forensic analysis;
they can be listed by issuing the SQL query:
SELECT view_name
FROM dba_views
WHERE view_name LIKE 'DBA%AUDIT%' OR view_name LIKE 'USER%AUDIT%'
ORDER BY view_name;

DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_POLICIES
DBA_AUDIT_POLICY_COLUMNS
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_REPAUDIT_ATTRIBUTE
DBA_REPAUDIT_COLUMN
DBA_STMT_AUDIT_OPTS
USER_AUDIT_OBJECT
USER_AUDIT_POLICIES
USER_AUDIT_POLICY_COLUMNS
USER_AUDIT_SESSION
USER_AUDIT_STATEMENT
USER_AUDIT_TRAIL
USER_OBJ_AUDIT_OPTS
USER_REPAUDIT_ATTRIBUTE
USER_REPAUDIT_COLUMN

The views above contain data that indicate who made which change, where,
and when. This information can be used for the forensic analysis of an
Oracle database.
The forensic tools presented in Chapter 4, Digital forensics tools, are used
in database forensic investigation to find specific evidence in a large
volume of data spread across different files and tables in a database.
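The following is an added example, not part of the book, showing the kind of who, what, where, and when query an analyst runs against the audit trail columns listed above. Because an Oracle instance is not available offline, it builds an in-memory SQLite table with the same column names; fga_audit_trail is a constructed stand-in for DBA_FGA_AUDIT_TRAIL (COMMENT$TEXT spelled comment_text), every row is constructed sample data, and the column types, the business-hours window and the expected host list are assumptions. Against a real Oracle database the same statements are issued with Oracle bind syntax (:1) instead of SQLite's ? placeholders.

```python
"""Who / what / where / when from FGA-style audit rows (added example).

An in-memory SQLite table stands in for Oracle's DBA_FGA_AUDIT_TRAIL view;
column names follow the view, the types and every row are constructed
sample data (assumption), and COMMENT$TEXT is spelled comment_text.
"""
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE fga_audit_trail (
    db_user TEXT, session_id INTEGER, transaction_id TEXT,
    os_user TEXT, userhost TEXT, object_schema TEXT, object_name TEXT,
    scn INTEGER, sql_text TEXT, comment_text TEXT, ext_name TEXT,
    timestamp TEXT
)
"""

# Constructed sample rows: a normal daytime update by the application
# service account, then a late-night delete plus audit tampering by SYS
# from a laptop that never hosts the application.
SAMPLE_ROWS = [
    ("HR_APP", 101, "0A0012", "appsvc", "app01.corp", "HR", "SALARIES", 5000010,
     "UPDATE salaries SET amount = 9000 WHERE emp_id = 17", None, None,
     "2019-03-04 10:12:33"),
    ("HR_APP", 102, "0A0017", "appsvc", "app01.corp", "HR", "SALARIES", 5000042,
     "SELECT amount FROM salaries WHERE emp_id = 17", None, None,
     "2019-03-04 10:15:02"),
    ("SYS", 203, "0B0001", "jdoe", "laptop-17.corp", "HR", "SALARIES", 5000311,
     "DELETE FROM salaries WHERE emp_id = 17", None, None,
     "2019-03-04 23:41:10"),
    ("SYS", 203, "0B0002", "jdoe", "laptop-17.corp", "HR", "AUDIT_CFG", 5000320,
     "UPDATE audit_cfg SET enabled = 0", None, None,
     "2019-03-04 23:42:51"),
]


def load_sample_db():
    """Create the stand-in audit view and fill it with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO fga_audit_trail VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
        SAMPLE_ROWS)
    return conn


def timeline(conn, schema, table):
    """Every audited statement against one table, ordered by SCN: what
    happened to this object, by whom, from where, and when."""
    sql = """
    SELECT timestamp, scn, db_user, os_user, userhost, session_id, sql_text
    FROM fga_audit_trail
    WHERE object_schema = ? AND object_name = ?
    ORDER BY scn
    """
    return conn.execute(sql, (schema, table)).fetchall()


def suspicious_sessions(conn, expected_hosts, start_hour=7, end_hour=19):
    """Sessions that changed data (anything but SELECT) either from a host
    outside the expected set or outside the assumed business hours."""
    sql = """
    SELECT session_id, db_user, os_user, userhost, MIN(timestamp), COUNT(*)
    FROM fga_audit_trail
    WHERE UPPER(sql_text) NOT LIKE 'SELECT%'
    GROUP BY session_id, db_user, os_user, userhost
    """
    flagged = []
    for sid, dbu, osu, host, first_ts, n in conn.execute(sql):
        hour = datetime.strptime(first_ts, "%Y-%m-%d %H:%M:%S").hour
        if host not in expected_hosts or not start_hour <= hour < end_hour:
            flagged.append({"session_id": sid, "db_user": dbu, "os_user": osu,
                            "userhost": host, "first_seen": first_ts,
                            "changes": n})
    return flagged


if __name__ == "__main__":
    db = load_sample_db()
    for row in timeline(db, "HR", "SALARIES"):
        print(row)
    print(suspicious_sessions(db, expected_hosts={"app01.corp"}))
```

The second query is the practical point: the audit trail records OS_USER and USERHOST independently of DB_USER, so a privileged database account used from an unexpected host, or outside the hours the application runs, stands out even when the statement itself looks routine.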

Forensics of multimedia
Multimedia such as audio, video, and pictures are sources of digital data
which can be used for forensic analysis.
The most popular devices that hold multimedia content are smartphones;
however, other devices such as gaming consoles, TVs, PDAs, CCTV, other
video or audio recorders, and even IoT devices are also multimedia devices
which can be used for forensic analysis.
Watermarking
Watermarking of an image is the process of embedding information that
identifies the user who created it and the original source of that image.
Digital signatures
Digital signatures are signatures in electronic form which indicate a
specific originator of electronic data.
Mobile device forensics
Increased usage of mobile devices opens digital forensic area of mobile
devices.
Computer systems are not only in a form of desktops, laptops, or servers.
They are also produced in a form of small computers embedded into smart
cards, mobile devices, GPS devices, and car computers. Mobile
communication devices can contain personal information, messages,
photos, and locations. Navigations systems can reveal location
information of a person under the investigation. All those devices are
valuable sources of information, especially because embedded devices are
usually small, used on a daily basis, and used in a mobile environment
(Casey, 2011).
Network forensics
Modern life is embedded in communication systems by all means. Humans,
computers, and sensors all communicate through communication networks.
Pieces of information are always left in the system logs, no matter what
type of communication is used. Traditional telephone systems and internet
service providers can be valuable points for the investigation of digital
evidence. Mobile service providers carry SMS/MMS messages and mobile
internet connections, while Internet service providers carry e-mail. In
addition to the exact content of the communication channel, examination of
the logs can give more information about who sent what, when, and to whom
(Casey, 2011).
Network forensics is performed in order to investigate network flows,
network traffic, and network connections. To be able to collect and analyse
network traffic, the traffic has to be recorded and archived for later use.
In most organisations this is not done, because it adds an additional load
on the already busy network administrators. Many network devices such as
switches, routers, and firewalls have basic syslog capabilities which
provide network administrators with information about established
connections and device operations. Syslog records, however, carry only
connection metadata; they cannot provide the data payload inside the
network packets, so content can only be recovered if packet capture was in
place.
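As an added example, not from the book, the following parses firewall-style syslog connection records and summarises them per source, which is about as far as syslog data can take an investigator without a packet capture: the records show who connected to which port and whether the connection was allowed, but carry no payload. The log lines are constructed sample data in an assumed key=value layout (real devices use their own field names), and the scan thresholds are assumptions.

```python
"""Connection metadata from syslog lines, summarised per source (added example).

The line layout below is a constructed key=value format, not any vendor's
syslog; the eight connection records and the port-scan thresholds are
assumptions used only to illustrate the analysis.
"""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
<134>Mar  4 23:40:58 fw01 conn: src=10.0.0.5 dst=198.51.100.7 sport=51512 dport=22 proto=TCP action=deny
<134>Mar  4 23:40:59 fw01 conn: src=10.0.0.5 dst=198.51.100.7 sport=51513 dport=23 proto=TCP action=deny
<134>Mar  4 23:40:59 fw01 conn: src=10.0.0.5 dst=198.51.100.7 sport=51514 dport=80 proto=TCP action=allow
<134>Mar  4 23:41:00 fw01 conn: src=10.0.0.5 dst=198.51.100.7 sport=51515 dport=443 proto=TCP action=allow
<134>Mar  4 23:41:00 fw01 conn: src=10.0.0.5 dst=198.51.100.7 sport=51516 dport=445 proto=TCP action=deny
<134>Mar  4 23:41:01 fw01 conn: src=10.0.0.5 dst=198.51.100.7 sport=51517 dport=3389 proto=TCP action=deny
<134>Mar  4 23:41:05 fw01 conn: src=10.0.0.9 dst=198.51.100.7 sport=40000 dport=443 proto=TCP action=allow
<134>Mar  4 23:41:07 fw01 conn: src=10.0.0.9 dst=198.51.100.7 sport=40001 dport=443 proto=TCP action=allow
<134>Mar  4 23:41:09 fw01 kernel: link up on eth1
"""

# <PRI>timestamp host conn: key=value ...   (only "conn:" lines are flows)
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) conn: (?P<kv>.*)$"
)


def parse_syslog(text):
    """One dict per connection record; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "host": m["host"]}
        for kv in m["kv"].split():
            key, _, value = kv.partition("=")
            rec[key] = value
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def ports_per_source(records):
    """Distinct destination ports each source touched, and how many were denied."""
    ports = defaultdict(set)
    denied = defaultdict(int)
    for r in records:
        ports[r["src"]].add(r["dport"])
        if r["action"] == "deny":
            denied[r["src"]] += 1
    return {src: {"ports": sorted(p), "denied": denied[src]}
            for src, p in ports.items()}


def scan_candidates(summary, min_ports=5, min_denied=3):
    """Sources that probed many ports and were refused on several: the
    metadata signature of a port scan, visible without any payload."""
    return sorted(src for src, s in summary.items()
                  if len(s["ports"]) >= min_ports and s["denied"] >= min_denied)


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    summary = ports_per_source(recs)
    for src, s in summary.items():
        print(src, s)
    print("scan candidates:", scan_candidates(summary))
```

Note what the parsed record does not contain: no URL, no command, no transferred file. That is the limit the text describes, and the reason an investigation that needs content has to rely on a capture taken before the incident or on the endpoints themselves.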


Summary
Cyber security is a subset of information security that deals with the
security of information stored in a digital form and transferred over
communication links. A great part of information security related
standards deals with cyber security issues.
Almost on a daily basis, media reports reveal cyber security related
incidents. After the historical analysis, we can conclude that we will see
an increase in incidents of this type, especially as more services and users
use digital technology in everyday work and life.

Knowledge acquired
The difference between digital forensics classification types that includes
Forensics of general computer systems, Database forensics, Forensics of
multimedia, Watermarking, Digital signatures, Mobile device forensics,
Network forensics.

Review questions
1. What is watermarking?
2. Name digital and cyber forensic types.
3. What is network forensics?
4. What is mobile device forensics?

Further readings
- Network forensics,
  https://www.itpro.co.uk/cyber-attacks/31660/what-is-networkforensic

Video resources
- Advanced Wireshark Network Forensics – Part 1/3,
  https://www.youtube.com/watch?v=e_dsGhvq9CU
- Network Forensic Data Theft Detection, Under the Hood,
  https://www.youtube.com/watch?v=CYRYmKhz3QI
- Mobile Device Forensics,
  https://www.nist.gov/sites/default/files/documents/2017/05/08/aafs-mobiledeviceforensic.pdf
- Forensics, SANS,
  https://www.sans.org/readingroom/whitepapers/forensic/paper/32888

3. Digital forensics – process

Chapter abstract
Chapter goals: To define the digital forensic process, which includes
preservation, handling evidence at the crime scene, collection, transport,
examination, and analysis of digital evidence. This chapter briefly
explains media analysis, file system analysis, network analysis,
application analysis, OS analysis, executables analysis, image analysis,
video analysis, memory analysis, and reporting. It also explains digital
evidence collection and data concealment.
Learning outcomes: Knowledge of core principles of digital forensics, and
different types of analysis.

Steps in the Digital Forensic Investigation Process
In order to successfully present evidence and defend the legitimacy of the
entire forensic process, it is necessary to perform every step of the
forensic investigation with sound scientific methods. Courts will not
accept evidence if the forensic process was jeopardised by negligence in
evidence handling, preservation, or transportation. Forensic investigators
and examiners must be well trained and certified for forensic
investigations. All actions in the forensic investigation process have to
be well documented through policies and procedures. Every digital forensic
investigator or agency has to follow the digital forensic steps, so that
reports are admissible in courts of law.

Figure 7. Steps in the Digital Forensic Investigation Process: Preservation,
Collection, Examination, Analysis, Reporting

One of the main approaches in forensic investigation is to follow
well-defined and accepted digital forensic investigation steps (Kaur and
Kaur, 2012):
- Preservation
- Collection
- Examination
- Analysis
- Reporting.

The Appendix – Digital forensic process presents the steps of the forensic
process.
Preservation
In the preservation phase, all evidence has to be properly documented to
avoid any prior change of the crime scene. Crime scene has to be secured
so that nothing is changed when investigators enter the scene.
Digital forensic investigators are focused on finding and preserving digital
evidence, however, it is also possible that other forensic skills are needed
to collect biological samples such as fingerprints, DNA, etc. All
mentioned evidence has to be detected, documented, and preserved in the
original form, if possible, to avoid jeopardizing data and evidence
integrity. Depending on available information it is possible that digital
devices are contaminated with hazardous material. In that case other
forensic investigation specialists might be needed.

If a device such as a PC or a mobile device is found switched off, and
somebody turns it on as part of the digital forensic process, they may
change potential evidence on that device, in which case the evidence would
lose its integrity and would not be valid (Kaur and Kaur, 2012).
Massachusetts Digital Evidence Consortium (2015) explained in their
publication that first responders have to perform evidence preservation
and collection with a special care. Crime scene has to be investigated with
forensic methods only if law enforcement agencies approve such process.
All digital evidence such as hard disks has to be secured from the high
temperature, high electromagnetic fields, and moisture. This is because
such external influence can destroy potential evidence.
Forensic investigators are responsible for documenting the crime scene by
taking photographs and making video recordings of the scene. It is useful
to sketch the scene and keep records about investigators who were on the
scene as well as their responsibilities. It is also suggested to ask owners of
devices if they are willing to cooperate, and if they give their consent
investigators can request passwords, PIN, or other security features.
Device owner has to sign consent form with authentication methods and
passwords. Owner has to provide information of other possible
authentication methods such as face, fingerprint, or other biometric
recognition methods used for the authentication.
At the end of this book, the Appendix – Consent form is an example of a
consent form created based on Massachusetts Digital Evidence Consortium
(2015) documentation. If consent is not given, suspects in many
jurisdictions will be fined.
The chain of custody has to be kept through the entire process. Digital
evidence must be secured at all times, so that all activities performed
during seizure, access, storage, and transfer can be completely
documented, preserved, and authorized. Documentation which proves all
of the above has to be available for the review. It needs to be emphasized
that individuals are fully responsible for digital evidence while evidence
is in their custody.
It is important to determine whether devices are switched on or off.
If a device that is switched on is then switched off, data about active
connections and data in volatile memory is lost. This is why forensic
investigators have to check whether a device is running, by looking for
vibrations from HDD operation, other sounds, and lights. The device has to
be accessed with caution and isolated from networks, whether wired,
wireless, or GSM. If possible, the device has to stay powered so that all
available passwords and volatile data can be collected.
If a device that is turned off is then switched on, potential evidence can
be altered or lost. Thus, such a device has to be packed as found and
prepared for transportation.
Collection
Collection is the process of detecting and collecting evidence relevant to
the forensic investigation. Because most data is stored on media such as
hard disks, memory cards, and other removable media, it has to be
duplicated: cloned and/or copied to media that will be used in the forensic
investigation process, with the copy verified against the original (for
example by comparing cryptographic hashes) before any examination starts.
Forensic investigators must not change the collected evidence, because that
would compromise the investigation. Sources such as a seized hard disk have
to be secured and kept in custody while the investigation is performed on
the cloned data (Kaur and Kaur, 2012).
Transport
Transporting digital evidence carries risk because its confidentiality,
integrity, and availability can be jeopardized on the way. Therefore, it is
important that digital forensic investigators be well trained and aware of
the risks of digital evidence transportation. Digital evidence has to be
delivered to the forensic laboratory in the shortest possible time and
protected from external influences according to the inherent weaknesses of
the specific digital device or asset (Law Enforcement Cyber Center, 2017).
Examination
Examination is the phase that determines which methods and tools are to be
used in the digital forensic process. Different devices which hold digital
evidence may require different tools and methods for acquiring forensic
evidence. All activities in the examination process have to be performed
on the cloned and copied data, never on the original (Kaur and Kaur, 2012).

Analysis
Analysis refers to the process of working with the examined data and
placing the findings from the examination stage in context for the digital
forensic report. In the analysis process, the available data is used to
determine what it means: how it was created or transferred to or from a
device, and what story it tells the forensic investigators. In the analysis
process, the forensic investigator has to establish data ownership and
identify potentially hidden data, files, or applications.

Types of Digital Evidence Analysis
Due to a different source and scope of data usage, digital forensic
investigators are able to conduct different types of digital forensic
investigation (Carrier and Spafford, 2004).
Examples of digital forensic analysis reported by Carrier and Spafford
(2004) are the following:
“- Media analysis
- Media management analysis
- File system analysis
- Network analysis
- Application analysis
  o OS analysis
  o Executable analysis
  o Image analysis
  o Video analysis
- Memory analysis”

These types of analysis can be applied to computers as well as mobile
devices.
Media analysis
Media analysis refers to the analysis of storage media. It does not consider
any partitions or other operating system-specific structures. Storage media
can be USB drive or disk, and SD cards for cameras or mobile devices
(Carrier and Spafford, 2004).
Media management analysis
Media management analysis focuses on media logical organization, such
as combining more disks into one logical volume. An example of
combining more disks into a logical volume is mirroring of two physical
disks into one logical disk. Mirroring disks in such manner means that one
chunk of information is written on both disks at the same time. In case of
one disk failure, another one continues to operate (Carrier and Spafford,
2004).
File system analysis
File system analysis is the analysis of the file system structures on a
partition, including deleted files, in order to extract file contents
(Carrier and Spafford, 2004). The file system keeps track of the files
written across the available partition. When a file is deleted, it is
usually only marked as deleted, signalling to the system that its location
is free to hold the next data; the content itself stays on disk until it is
overwritten. When deleted files need to be recovered, special tools can be
used to locate file fragments and rebuild them into a usable file.
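The recovery step just described can be demonstrated with signature carving, which finds files by their header and footer bytes without consulting the file system at all. The following Python block is an added example, not code from the original text or from any carving tool; the signature table, the filler pattern, and the sample image it builds are constructed for the demonstration.

```python
# Added example (not from the original text): signature-based file carving
# over a raw image, the technique behind deleted-file recovery tools.
# The signature table, the filler pattern and the sample image are constructed.

# Header and footer byte signatures for two common image formats.  Real
# carvers (foremost, scalpel, PhotoRec) ship far larger signature tables.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan a raw image for known headers and return (carved, truncated):
    carved objects as (type, start_offset, data) sorted by offset, and
    headers that had no matching footer within max_size bytes.

    The scan ignores file-system metadata entirely, so it also finds files
    whose directory entries were deleted, as long as their clusters have not
    been overwritten."""
    found = []
    truncated = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1 or end - pos > max_size:
                truncated.append((ftype, pos))
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((ftype, pos, image[pos:end]))
            pos = image.find(header, end)
    found.sort(key=lambda item: item[1])
    return found, truncated


def _filler(n: int) -> bytes:
    """Deterministic stand-in for unallocated clusters; it contains no byte
    values that could be mistaken for a signature."""
    pattern = b"\x00" * 64 + b"unallocated cluster data "
    return (pattern * (n // len(pattern) + 1))[:n]


def build_sample_image() -> bytes:
    """Constructed raw image: a JPEG, then a PNG whose directory entry is
    imagined deleted; both are findable by signature alone."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 10 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-and-IDAT-payload" * 10 + b"IEND\xaeB`\x82"
    return _filler(512) + jpeg + _filler(1024) + png + _filler(256)


if __name__ == "__main__":
    objects, cut = carve(build_sample_image())
    for ftype, offset, data in objects:
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
    print(f"{len(cut)} truncated header(s)")
```

Real carvers keep larger signature tables and have to deal with formats whose footer is ambiguous (a JPEG can contain an embedded thumbnail with its own FFD9 marker), which is why the max_size limit and the truncated list exist: such cases are surfaced for manual review rather than silently dropped or merged.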

Network analysis
Network analysis refers to the analysis of the data inside protocol layers
(Carrier and Spafford, 2004). Network analysers can be used to
reconstruct raw data packets into application layer information.
Communication level is essential to reconstruct possible scenarios of user
or computer interactions, and it is a very valuable source of information.
Application analysis
Application analysis examines the data inside files and applications.
Files are created by the user, and the format of their content is
application-specific, such as text documents or photos.

Figure 8. Application analysis

Some special types of application analysis are:
o OS analysis
o Executable analysis
o Image analysis
o Video analysis
Operating System (OS) analysis
OS analysis is the operating system-specific analysis of the configuration
and events during usage (Carrier and Spafford, 2004). OS communicates
with hardware and upper layers. All interaction details such as errors,
warnings, different types of events as well as configuration, are recorded
and stored inside OS compartments. This information can help build the
overall digital landscape.
Executable analysis
Executable files cause events when they run as processes. Executables such
as malware are a common subject of analysis during intrusion
investigations (Carrier and Spafford, 2004).
Image analysis
Image analysis refers to the analysis of the person recorded on image,
location, or timestamp. Image analysis includes the analysis of the
potential steganography information (Carrier and Spafford, 2004).
Video analysis
Video files are the subject of the analysis of surveillance cameras, web
camera, and smart phone camera. Same as image analysis, video analysis
leads to information about person, location, or timestamp (Carrier and
Spafford, 2004).
Memory Analysis
Memory analysis can reveal very useful information, because it is used
for dynamic operations and storage of temporary results.
Operating systems use two types of memory:
a) The volatile memory (RAM) is a fast memory used for dynamic
operations. It stores data until device is switched off. The main
function of volatile memory is to store application and system data
during runtime, which contain information such as password,
usernames, session data, encryption keys, data about activities and
network, etc.
b) The non-volatile memory refers to internal storage such as flash
memory and removable storage such as SD cards. This type is mainly
used for static data storage such as application and system data,
user settings, and data files. Data is retained after the device
restarts or powers off.
Reporting
Reporting is the final statement of the findings. The examiner is
responsible for writing an accurate and complete report on the findings
and analysis of the digital information and devices. In addition to the
findings and analysis, it is important to have accurately documented the
steps taken during all phases of the investigation.
General suggestions for the information that could be included in the
report are the following (National Institute of Justice, 2004):

- Identity of the reporting agency
- Case identifier or submission number
- Case investigator
- Identity of the submitter
- Date of receipt
- Date of report
- Descriptive list of items submitted for examination, including
  serial number, make, and model
- Identity and signature of the examiner
- Brief description of steps taken during the examination, such as
  string searches, graphics/image searches, and recovering erased
  files
- Results/conclusions

Digital Evidence Collection
Every digital forensic investigator must be aware of the entire context of
digital surroundings and other sources of evidence at the crime scene.
Every digital device, if accessed improperly, can suffer data changes and
evidence loss. Data can take the form of network connections, processes,
memory contents, and data on hard disks or peripheral storage, that is,
data in volatile and non-volatile memory. Data written to mobile device
memory cards, hard drives, and external storage is considered static or
non-volatile, while data held in RAM is volatile.
With this in mind, it is important to distinguish the states in which
data can be found, and the digital forensic investigator has to be careful
when approaching the data collection phase.

Computer or other digital devices which are recognised at the crime scene
must be approached with care. Crime scene has to be preserved and
documented using sketches and photos, and if computer or other digital
devices are found, their power status must be checked.
Hard drive data remains on the media after a device is powered off and
can be cloned and duplicated later. Data in RAM disappears once the device
is turned off; this includes running processes, network connections, and
system settings (Nelson, Phillips &amp; Steuart, 2015). This is why there are
two major approaches to acquisition: live data acquisition and post-mortem
data acquisition.
Live Data collection
Tools for the acquisition of data in volatile memory can copy data from
volatile memory and transfer it to the forensic location on non-volatile
memory for the later analysis. Data from volatile memory or system can
also be copied with the goal to collect information such as established
sessions, running processes, network processes, passwords, and
connected users.
Live acquisition is done when a digital forensic investigator decides to
collect all available data from volatile memory at the crime scene. The
investigator needs to be aware that any access to a running system can
change data and destroy evidence on that system.
Data acquired from volatile or non-volatile memory has to be copied or
cloned onto a disk which will be used for the forensic analysis. During this
phase, all data dumps must be saved on a separate disk and hashed with a
function such as SHA-512 so that evidence integrity can be demonstrated
later. The resulting hash values have to be recorded and saved for later
use.
Data that can exist in volatile memory is the following:
- Information about running processes, network sessions, and services
- Unpacked/decrypted versions of protected programs
- Running malware/Trojans
- Cloud service information
- System information (system uptime, system inventory, etc.)
- Information about logged in users
- Registry information
- Open network connections and content of ARP cache tables
- Social networks information
- Online communication (Viber, Skype)
- History of Web browsing activities
- Information about access to Webmail systems
- Decryption keys for encrypted volumes mounted at the time of the capture
- Recently viewed images
Information about running processes and open network connections does not
survive once the process terminates, because of the nature of volatile
memory. Data such as web browsing history or online chat content, however,
does not disappear instantly when the communication ends; it remains until
the system or its user overwrites it (Afonin and Gubanov, 2013).
Post-mortem data collection
A digital device which is powered off is ready for post-mortem data
acquisition. Only approved tools for data imaging are used for post-mortem
forensic data acquisition. For the acquisition it is necessary to make a
clone and perform the forensic analysis on the cloned and copied data,
while the original media stays intact in a safe place together with its
calculated hash value, such as SHA-512. Devices which prevent changes to
the original media are called write blockers; this type of device disables
writing to the original storage media. If a device is damaged, direct
access to the disk platters or memory chips may be required. A forensic
workstation which has the tools and ports to access external devices with
the cloned data is used for accessing data on the cloned disk.
Completeness and accuracy are two critical measurable attributes of the
acquisition process.
While completeness quantifies whether all the data was acquired,
accuracy quantifies the correctness of acquired data.
In order to achieve completeness and accuracy when copying data from the
original source, a bit-for-bit (bit-stream) duplicate is made from the
original data source to the destination media, so that every sector,
including unallocated and slack space, is preserved. Bit-for-bit copies
can be made with specialized hardware duplicators, while a bit-stream image
can also be produced with a computer and imaging software (NIST, 2004).
Data concealment
It is not possible to investigate data which is not available and visible to
the investigator. Thus, criminals and wrongdoers employ different
techniques to destroy and hide evidence (Marcella A. J. and Menendez
D., 2008).
Spoliation
Spoliation is an act of destroying or changing evidence with the goal to
make evidence unusable.
Encryption
Encryption is the process of converting data and files into an unreadable
form so that they can be accessed only with the correct key: a password or
passphrase-derived key for symmetric encryption, or the recipient's private
key when asymmetric encryption is used.
Steganography
Steganography is the process of hiding data such as messages into existing
files which can be textual files, pictures, and video files. Various tools are
being used for performing data concealment in data files.
One of the well-known tools for hiding messages in text files is snow
(SNOW, 2019), which uses whitespace steganography. The program is used:
“to conceal messages in ASCII text by appending whitespace to the end
of lines. Because spaces and tabs are generally not visible in text viewers,
the message is effectively hidden from casual observers. And if the built-in
encryption is used, the message cannot be read even if it is detected.”
(SNOW, 2019)
For the purpose of explaining the process of hiding the text inside the file,
“sample_file.txt” was created with the content shown in Figure 9.

Figure 9. Sample_file.txt content

Issuing the snow command with the -C flag compresses the data when
concealing a message and uncompresses it when extracting one (SNOW, 2019).

Figure 10. Creating concealed message in sample_file1.txt content

Figure 11. shows the content of the new file “sample_file1.txt” after
issuing the type command in the Windows command prompt (“cmd”): the line
is longer because whitespace was appended, but no additional content is
visible.

Figure 11. Creating concealed message in sample_file1.txt content

Figure 12. shows an unsuccessful attempt to read a concealed message
without the password as well as a successful attempt by providing the
password with “-p” flag that is “secret_password.”

Figure 12. Reading concealed message in sample_file1.txt content

To make it harder for investigators to find concealed data, the original
file can be replaced with the file that contains the concealed message: the
original is deleted and the stego file is renamed to the original file name.
Figure 13. shows the size difference between “sample_file.txt” and
“sample_file1.txt.” Because the appended whitespace changes both the size
and the content of the file, comparing file hashes against a known-good
baseline is the technique that can be used to detect whether somebody, in
person or through a malicious program, changed the content of the files.

Figure 13. File sizes comparison
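To show what snow-style whitespace steganography does to a file, and how the size and hash comparison just described detects it, here is an added Python example that is not part of the original text and is not snow's own code. Its encoding (a space for bit 0, a tab for bit 1, eight characters per line) is a hypothetical simplification of the technique; the cover text and the secret are constructed.

```python
import hashlib

# Added example (not from the original text): a minimal whitespace
# steganography scheme, a detector for it, and the size/hash comparison the
# text describes.  The encoding below is hypothetical and simpler than snow's
# real scheme; the cover text and secret in the demo are constructed.

WS = " \t"


def conceal(cover: str, secret: bytes) -> str:
    """Hide one byte of `secret` per cover line as eight trailing whitespace
    characters: a space encodes bit 0, a tab encodes bit 1.  Assumes the
    cover lines carry no trailing whitespace of their own."""
    lines = cover.split("\n")
    if len(secret) > len(lines):
        raise ValueError("cover text has too few lines for the secret")
    out = []
    for i, line in enumerate(lines):
        if len(secret) > i:
            bits = format(secret[i], "08b")
            line = line + "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out)


def reveal(stego: str) -> bytes:
    """Inverse of conceal: read the trailing whitespace of each line."""
    data = bytearray()
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(WS)):]
        if len(tail) == 8:
            data.append(int("".join("1" if c == "\t" else "0" for c in tail), 2))
    return bytes(data)


def trailing_whitespace_report(text: str):
    """Detector: (line number, count) for every line that ends in invisible
    spaces or tabs.  Ordinary files rarely have many such lines, so a long,
    regular run of them is a strong indicator of whitespace steganography."""
    report = []
    for number, line in enumerate(text.split("\n"), 1):
        extra = len(line) - len(line.rstrip(WS))
        if extra:
            report.append((number, extra))
    return report


def fingerprint(data: bytes) -> dict:
    """Size and SHA-256 of a file: the baseline a later comparison needs."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


COVER = "Quarterly report\nRevenue grew in Q3\nCosts were stable\nNo further comments\n"


def demo(secret: bytes = b"hi") -> dict:
    """Constructed sample run: returns what an investigator would compare."""
    stego = conceal(COVER, secret)
    return {
        "recovered": reveal(stego),
        "report": trailing_whitespace_report(stego),
        "clean_report": trailing_whitespace_report(COVER),
        "before": fingerprint(COVER.encode()),
        "after": fingerprint(stego.encode()),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered:", result["recovered"])
    print("lines with trailing whitespace:", result["report"])
    print("size before/after:", result["before"]["size"], result["after"]["size"])
```

The detector is deliberately independent of the encoding: it only reports where invisible trailing whitespace sits, which is the same observation that made the file in Figure 13 grow. The hash comparison needs a trusted baseline taken before the suspect had access, which is why hashing at acquisition time matters.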

Summary
With the goal of successfully presenting forensic findings, it is
necessary to conduct the forensic investigation with care and in line with
the latest forensic investigation advancements.
Every forensic investigator has to know that suspects can hide data using
different techniques such as steganography, encryption, or simply by
destroying data.
It is important to emphasize that data has to be copied before analysis.
The preferred action is to clone the data from the original media to avoid
deletion or alteration of the original data.

Knowledge acquired
Common steps in the digital forensic investigation process: preservation,
collection, transport, examination, analysis, and reporting. Essential
knowledge of the types of digital evidence analysis: media analysis, media
management analysis, file system analysis, network analysis, application
analysis (operating system, executable, image, and video analysis), and
memory analysis. Digital evidence collection, including live data
collection and post-mortem data collection, and the data concealment
methods suspects may use: spoliation, encryption, and steganography.

Review questions
1. Explain common steps in the digital forensic investigation
process.
2. Name the digital evidence collection methods.
3. What is image analysis?
4. What is video analysis?

Further readings
- Digital transformation: online guide to digital business
  transformation https://www.i-scoop.eu/digital-transformation/
- The Cyber Security Management System: A Conceptual Mapping,
  SANS Institute InfoSec Reading Room
  https://www.sans.org/reading-room/whitepapers/basics/cybersecurity-management-system-conceptual-mapping-591

Video resources
- Computer Forensic Investigation Process
  https://www.youtube.com/watch?v=NmuhGa4QekU
- Overview of Digital Forensics
  https://www.youtube.com/watch?v=ZUqzcQc_syE

4. Digital forensics – tools

Chapter abstract
Chapter goals: To present forensic tools and explain for what purpose
they can be used in digital forensic process investigation. Digital forensics
covers different technologies and components, hence, different and
specialised digital forensic tools exist, namely for database forensics,
network forensic, and mobile devices.
Learning outcomes: Knowledge of digital forensic tools and how they can
be used.

Digital Forensic Tools
To achieve the desired results, the scope of the investigation must be
defined first. Defining the scope also determines what the investigator is
looking for, how to reach those locations and information, and which tool
has to be used. Concerning forensic tools, there are many ways to reach the
same goal. This section focuses on the tools needed to perform the
necessary steps, with particular attention to Android devices.
Hardware digital forensic tools and their usage
Hardware tools are necessary for accessing data on devices such as hard
drives or mobile devices. One of the most important aims is to clone data
from original digital devices and provide the exact digital copy which will
be used for the investigation.
Usage of hard disk docking stations
Hard disk docking stations should be in the arsenal of every digital
forensic investigator.
This type of device should be able to access the different types of disks
found in laptops, personal computers, and servers. It should also have a
clone function for duplicating HDDs without a laptop, PC, or server, so
that the suspect's files are neither lost nor changed.

Figure 14. Hard disk docking station (Renkforce, 2019)

Usage of memory card docking stations
Many devices such as smart phones, laptops, and CCTV cameras hold SD
memory and other types of memory cards which have to be investigated.

Figure 15. Memory card docking station (Logilink, 2019)

Memory card docking station is used to read data from memory cards
taken from the device.
Usage of Portable Computer Forensic Lab
Figure 16. shows the specialised all-in-one case called Road Master (Road
MASSter 2, 2019).

Figure 16. Portable Computer Forensic Lab (Road MASSter 2, 2019)

The Road MASSter is capable of high-speed forensic data acquisition from
external devices.

Usage of General Computer forensic tools
Different hardware and software tools are used to preserve and collect
crucial data for the forensic analysis process.
DiskGenius usage
DiskGenius is a software tool that can recover partitions, make data
backups, and perform the other disk utility tasks required for disk
management. It can manage storage space, recover data lost through
deletion, virus attack, formatting, or disk corruption, and it provides
backup functions to prevent data loss.

Figure 17. DiskGenius

DD command tool usage
A mobile device, computer, or any other digital device found at the crime
scene can be the subject of post-mortem data acquisition. This is the way
of collecting data from devices found switched off. Since the device is
off, volatile data in memory is not available, but data stored on a hard
drive or solid-state memory is a very valuable source of information. The
investigator must make an image of the hard drive, the mobile device's
flash memory, or other storage device.
The Linux command line tool dd is used to copy the content of a seized
device bit for bit. An example of dd usage is: dd if=/dev/sda of=/dev/sdb,
which copies the content of /dev/sda to the /dev/sdb destination. In
practice the image is usually written to a file on the examiner's own media
(of=/path/to/evidence.img), the source is attached through a write
blocker, and the options bs=4M conv=noerror,sync are added so that
unreadable sectors are zero-filled instead of aborting the copy; the
resulting image is hashed immediately afterwards.
Busybox usage
BusyBox combines many common UNIX utilities into a single small
executable. It provides a usable environment for small or embedded
systems; it is modular and designed for limited resources. The BusyBox
command set gives access to the system at a lower level, making the
environment more accessible to the investigator. It is available for
download at https://busybox.net/.
Hash Calculation
Calculation of file hashes must be done immediately after the acquisition
of digital information, usually of a storage image or a separate file. It
makes later verification of the integrity of the collected data possible.
Linux commands used for generating hash values are sha256sum and
sha512sum. SHA-256 processes 512-bit message blocks using 32-bit words and
produces a 256-bit digest, while SHA-512 processes 1024-bit blocks using
64-bit words and produces a 512-bit digest.
Figure 18. is an example of generating hash values of the
usb_modeswich.conf file using both generators.

Figure 18. Calculating Hash Value
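The dd copy, the hashing of the image, and the later verification against the recorded digests (the completeness and accuracy requirement from the post-mortem collection section) can be combined in one acquisition routine. The following Python block is an added example, not code from the original text or from dd or the coreutils hash tools; FlakySource and SAMPLE_DATA are constructed stand-ins for a partially damaged drive, so the block runs without touching a real device.

```python
import hashlib
import io

# Added example (not from the original text): a bit-for-bit acquisition loop
# with the behaviour of dd conv=noerror,sync, hashing the image as it is
# written, and a verification step.  FlakySource and SAMPLE_DATA are
# constructed stand-ins for a damaged drive; no real device is touched.

BLOCK = 4096


class FlakySource:
    """Stand-in for a failing drive: a read that starts inside `bad_block`
    raises an I/O error, like a damaged sector, and the position still
    advances past it."""

    def __init__(self, data: bytes, block_size: int, bad_block: int):
        self._data = data
        self._bs = block_size
        self._bad = bad_block
        self._pos = 0

    def read(self, n: int) -> bytes:
        if self._pos // self._bs == self._bad:
            self._pos += n
            raise OSError("Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def acquire(src, dst, block_size: int = BLOCK) -> dict:
    """Copy `src` into `dst` block by block.  An unreadable block is replaced
    by zeros (the effect of conv=noerror,sync) and recorded, so the image
    keeps its offsets and every gap is documented.  Both digests are computed
    over exactly the bytes written to the image."""
    sha256 = hashlib.sha256()
    sha512 = hashlib.sha512()
    total = 0
    block_no = 0
    bad_blocks = []
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(block_no)
            chunk = b"\x00" * block_size
        if not chunk:
            break
        dst.write(chunk)
        sha256.update(chunk)
        sha512.update(chunk)
        total += len(chunk)
        block_no += 1
    return {
        "bytes": total,
        "bad_blocks": bad_blocks,
        "sha256": sha256.hexdigest(),
        "sha512": sha512.hexdigest(),
    }


def verify(image: bytes, record: dict) -> bool:
    """Recompute both digests over the stored image and compare them with the
    acquisition record; a mismatch means the image can no longer be relied
    upon as evidence."""
    return (hashlib.sha256(image).hexdigest() == record["sha256"]
            and hashlib.sha512(image).hexdigest() == record["sha512"])


SAMPLE_DATA = bytes(range(256)) * 40  # 10240 bytes: two full blocks and a partial one


def image_sample(bad_block: int = -1):
    """Acquire SAMPLE_DATA through a FlakySource; bad_block -1 means no error."""
    dst = io.BytesIO()
    record = acquire(FlakySource(SAMPLE_DATA, BLOCK, bad_block), dst)
    return record, dst.getvalue()


if __name__ == "__main__":
    record, image = image_sample(bad_block=1)
    print(record)
    print("verified:", verify(image, record))
```

The record returned by acquire is what goes into the report: the byte count proves completeness, the list of zero-filled blocks documents where accuracy could not be achieved, and the two digests are what every later hash check (sha256sum, sha512sum, or Autopsy's image integrity check) is compared against.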
Database tools usage
The following passages present tools which can be used for the database
forensic process.
Usage of the Oracle LogMiner
Oracle LogMiner (2019) is a tool that can be used for digital forensic
investigations.

Figure 19. Q Capture program works with LogMiner to retrieve
changed data (IBM Knowledge Center, 2013)

It allows changes made to a database to be analysed from the redo logs,
and it provides the SQL needed to undo data changes, including errors made
by users. Figure 20. shows how LogMiner makes it possible to view and save
redo logs, as well as to create and execute queries that find specific
actions using the GUI. It also shows a query for a specific time and
database user.

Figure 20. View all transactions for user (Nanda A., 2019)

As a result, Oracle LogMiner created an initial report which shows
database user activity.

Figure 21. LogMiner results (Nanda A., 2019)

By opening the transaction details, it is possible to see which query a
specific user issued. LogMiner can be used to acquire data on the usage of
data manipulation language (DML), the part of SQL used for adding
(inserting), deleting, and modifying (updating) data in a database. The
goal of using Oracle LogMiner is to find the DML statements relevant to
the post-mortem forensic investigation.

Figure 22. LogMiner results (Nanda A., 2019)

LogMiner can be used for an offline analysis of archived redo logs on a
separate database.
Usage of the IBM Guardium Data Protection for Databases
IBM Guardium (2019) Data Protection for Databases is a database activity
monitoring product used to protect databases from unauthorised access. It
detects unusual activity on sensitive data and provides real-time
monitoring and alerts on suspicious activities.

Figure 23. IBM Guardium (2019) Navigation Overview

IBM Guardium provides a preventive protection, but it can also be used
for database forensic investigations which need to show if the user or
administrator committed a suspicious or criminal activity.

Figure 24. IBM Guardium (2019) Out of the box creation

Usage of the DB Browser for SQlite
Even small devices such as mobile phones, tablets, or embedded systems
based on the Android operating system use databases for the services they
are built for. Android stores structured and repeating data in SQLite
databases. SQLite is an embedded SQL database engine. Unlike most other SQL
databases, it has no separate server process: the library reads and writes
directly to disk files, and an entire database is contained in a single
file on disk. Considering that the library is approximately 300-500 KB and
is designed to run with minimal stack space (4 KB) and heap (100 KB),
SQLite is ideal for devices with limited memory such as tablets, GPS
navigation units, MP3 players, etc. It is free to use in both commercial
and free projects.
Since each Android device holds many databases of this type, for the
forensic investigation it is helpful to have a tool for direct access to a
database. One such free tool is DB Browser for SQLite, shown in
Figure 25.

Figure 25. DB Browser for SQLite

Usage of the Undark - a SQLite data recovery tool
Undark is a data recovery tool for SQLite databases. It is useful for
retrieving deleted data from a database file. The chances of recovering a
useful set of data are minimal if the database has been defragmented and
vacuumed. Undark relies on the fact that the actual data is not purged
immediately when a record is deleted: the record's space is only marked as
free inside the database page, and its bytes remain until the space is
reused by a later write or the database is vacuumed.
Download is available at GitHub https://github.com/inflex/undark.
Undark capabilities are to:
- Retrieve most available records from the SQLite database;
- Deposit actual records;
- Recover deleted records;
- Retrieve data from a corrupted SQLite database.

The command to convert the recovery SQLite database broken.db into
recover.csv file format is:
undark -i broken.db &gt; recover.csv

Recover.csv file will be filled with actual and recovered records from
broken.db.

Usage of the SQLite-Deleted-Records-Parser
This is another useful tool for recovering deleted SQLite records. It is
simple to use, but the results are valuable in recovering deleted data from
unallocated space. Download is available on
https://github.com/mdegrazia/SQLite-Deleted-Records-Parser.
The command for its usage is:
sqlparse_CLI -p -f source.db -r -o dbreport.txt
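Both Undark and SQLite-Deleted-Records-Parser rely on the page layout described above: a deleted cell becomes a freeblock, or enlarges the page's unallocated gap, and its bytes survive until the space is reused. The following Python block is an added example that is not part of either tool or of the original text; it implements that idea for a single b-tree page, using a constructed contacts table to show the difference between a database after DELETE and after VACUUM.

```python
import os
import re
import sqlite3
import tempfile

# Added example (not from the original text): the page-level recovery idea
# behind Undark and SQLite-Deleted-Records-Parser, implemented for one
# b-tree page.  The contacts table and its rows are constructed sample data;
# only the table's root page is examined (multi-page tables need a full
# b-tree walk, which those tools perform).

PRINTABLE = rb"[ -~]{%d,}"


def page_regions(page: bytes, hdr: int):
    """Yield (kind, data_offset, raw) for the unallocated gap and every
    freeblock on one b-tree page.  `hdr` is 100 on page 1, which starts with
    the database header, and 0 elsewhere (SQLite file format, section 1.6)."""
    ptype = page[hdr]
    first_free = int.from_bytes(page[hdr + 1:hdr + 3], "big")
    ncells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
    content_start = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
    hdr_len = 12 if ptype in (0x02, 0x05) else 8   # interior pages carry a right-child pointer
    ptr_end = hdr + hdr_len + 2 * ncells
    yield ("unallocated", ptr_end, page[ptr_end:content_start])
    off = first_free
    while off:
        nxt = int.from_bytes(page[off:off + 2], "big")
        size = int.from_bytes(page[off + 2:off + 4], "big")
        yield ("freeblock", off + 4, page[off + 4:off + size])
        off = nxt


def recover_strings(db_path: str, table: str, min_len: int = 4):
    """Return (kind, file_offset, text) for printable runs found in space on
    the table's root page that no live record points to: deleted-row
    candidates."""
    con = sqlite3.connect(db_path)
    (root,) = con.execute("SELECT rootpage FROM sqlite_master WHERE name=?", (table,)).fetchone()
    con.close()
    with open(db_path, "rb") as f:
        raw = f.read()
    page_size = int.from_bytes(raw[16:18], "big")
    if page_size == 1:
        page_size = 65536
    page_base = (root - 1) * page_size
    page = raw[page_base:page_base + page_size]
    hdr = 100 if root == 1 else 0
    found = []
    for kind, off, data in page_regions(page, hdr):
        for m in re.finditer(PRINTABLE % min_len, data):
            found.append((kind, page_base + off + m.start(), m.group().decode()))
    return found


def demo(vacuum: bool = False):
    """Constructed sample: three contacts, the middle one deleted, optionally
    followed by VACUUM.  Returns the recovered strings."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path, isolation_level=None)  # autocommit
        # Some distributions build SQLite with secure_delete on, which zeroes
        # freed content; switch it off so the demonstration is reproducible.
        con.execute("PRAGMA secure_delete=OFF")
        con.execute("CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
        con.executemany("INSERT INTO contacts(name, email) VALUES (?, ?)",
                        [("alice", "alice@example.test"),
                         ("bob", "bob@example.test"),
                         ("carol", "carol@example.test")])
        con.execute("DELETE FROM contacts WHERE name = 'bob'")
        if vacuum:
            con.execute("VACUUM")
        con.close()
        return recover_strings(path, "contacts")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("after DELETE:", demo())
    print("after VACUUM:", demo(vacuum=True))
```

Run as a script it prints the strings recoverable after the DELETE (the deleted e-mail address among them) and after VACUUM (nothing), which is the practical reason an investigator must not let a database be vacuumed, defragmented, or even opened by its application before it is acquired. The freeblock's first four bytes overwrite the start of the old cell, so the record header is usually damaged while the payload text survives; the real tools reconstruct the record from that payload.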

Usage of the Network forensic tools
Different network forensic tools can be used; however, data and session
traffic have to be captured and stored in advance in order to have all
relevant information available for forensic purposes.
Wireshark usage
Wireshark is a popular tool for capturing and analysis of the network
traffic.
[Figure 26: FTP client and FTP server connected over the control port 21
and the data port 20]

Figure 26. FTP connection

Figure 27. shows the Wireshark capture of an FTP session initiation with
the entered username and password, as an example of how unencrypted
traffic can be captured and credentials read from it during later analysis.

Figure 27. Captured FTP connection with Wireshark
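The reconstruction of raw packets into application-layer information, mentioned under Network analysis and visible in Figure 27, can be followed in code. The following Python block is an added example, not from the original text and not Wireshark's code; it writes a small pcap in memory and parses it back down to the FTP control stream. The addresses, ports, banner strings, and the credentials alice/hunter2 are constructed sample data.

```python
import re
import struct

# Added example (not from the original text): building a small pcap in memory
# and parsing it back down to the FTP control channel to recover the
# cleartext USER/PASS exchange.  Addresses, ports, the banner text and the
# credentials are constructed sample data.

CLIENT, SERVER = "10.0.0.5", "10.0.0.21"
CLIENT_PORT, FTP_PORT = 51234, 21


def _ip(addr: str) -> bytes:
    return bytes(int(p) for p in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes, proto: int = 6) -> bytes:
    """Ethernet/IPv4 frame; for proto 6 a TCP header is added.  Checksums are
    left zero because the parser below does not validate them."""
    eth = bytes(12) + b"\x08\x00"
    tcp = b""
    if proto == 6:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Minimal pcap file, big-endian, link type 1 (Ethernet)."""
    out = [struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("!IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(pcap: bytes):
    """Yield each captured frame, honouring the byte order the magic declares."""
    magic = pcap[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        order = "big"
    elif magic == b"\xd4\xc3\xb2\xa1":
        order = "little"
    else:
        raise ValueError("not a pcap file")
    off = 24
    while len(pcap) >= off + 16:
        incl_len = int.from_bytes(pcap[off + 8:off + 12], order)
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def tcp_payload(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:
        return None
    ihl = (ip[0] % 16) * 4
    total = int.from_bytes(ip[2:4], "big")
    tcp = ip[ihl:total]
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    return src, sport, dst, dport, tcp[data_off:]


def ftp_credentials(pcap: bytes):
    """Reassemble every client-to-server stream addressed to port 21 and pull
    the USER/PASS commands out of it.  Assumes the capture is in order and
    complete; a real tool follows TCP sequence numbers and handles retransmits."""
    streams = {}
    for frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or parsed[3] != FTP_PORT:
            continue
        key = parsed[:4]
        streams[key] = streams.get(key, b"") + parsed[4]
    creds = []
    for (src, sport, dst, dport), data in streams.items():
        text = data.decode("ascii", "replace")
        user = re.search(r"^USER (.+?)\r?$", text, re.M)
        pwd = re.search(r"^PASS (.+?)\r?$", text, re.M)
        if user and pwd:
            creds.append({"client": src, "server": dst, "user": user.group(1), "password": pwd.group(1)})
    return creds


def sample_capture() -> bytes:
    """Constructed capture: one unrelated UDP datagram, then an FTP login."""
    frames = [
        build_frame(CLIENT, "10.0.0.53", 40000, 53, b"\x12\x34\x01\x00", proto=17),
        build_frame(SERVER, CLIENT, FTP_PORT, CLIENT_PORT, b"220 FTP server ready\r\n"),
        build_frame(CLIENT, SERVER, CLIENT_PORT, FTP_PORT, b"USER alice\r\n"),
        build_frame(SERVER, CLIENT, FTP_PORT, CLIENT_PORT, b"331 Password required\r\n"),
        build_frame(CLIENT, SERVER, CLIENT_PORT, FTP_PORT, b"PASS hunter2\r\n"),
        build_frame(SERVER, CLIENT, FTP_PORT, CLIENT_PORT, b"230 Login successful\r\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for cred in ftp_credentials(sample_capture()):
        print(cred)
```

The layers peel off in the same order Wireshark shows them: pcap record, Ethernet, IPv4, TCP, then the FTP text. The same parse applied to FTPS or SFTP traffic yields only ciphertext, which is exactly why the figure's result is only possible on an unencrypted protocol.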

NIKSUN NetDetector usage
NIKSUN NetDetector (2019) is capable of dynamic application recognition,
and it integrates anomaly- and signature-based IDS, data leakage
prevention, real-time surveillance, and application and session
reconstruction. The NetDetector web site is the following:
https://www.phoenixdatacom.com/product/niksun-netdetector-packetcapture-network-security-forensics/

Figure 28. NIKSUN NetDetector, 2019

Xplico usage
Network forensic tool Xplico is an open source software used for the
analysis of network sessions. Xplico web site is https://www.xplico.org/

Figure 29. Xplico (2019)

Usage of the Mobile device forensic tools
General forensic tools for computer system and database tools can be used
to perform the forensic analysis of mobile devices.
Rooting Tools usage
The investigator needs to decide what type of rooting is to be performed:
with or without a computer. Whichever is chosen, the result should be the
same, a rooted device, although a higher success rate is expected for the
computer-driven process. If a device needs to be rooted without a
computer, a specially crafted APK package has to be downloaded and
installed directly on the Android device. Rooting writes to the device and
therefore alters the evidence, so it should be used only when no other
acquisition method works, and the change has to be justified and
documented in the report. A very commonly used tool for rooting over the
computer is Kingo Root (Figure 30).

Figure 30. Kingo Android Root

If the rooting process needs to be performed without the computer, then
this task can be done with an application named TowelRoot. Software can
be downloaded at https://towelroot.com/
Santoku usage
Santoku is a Linux-based platform used for various security-related
activities. The operating system comes with pre-installed platform
Software Development Kits (SDKs), drivers, and utilities.
Santoku auto-detects and sets up newly connected mobile devices, saving
time on investigation tasks. A graphical user interface (GUI) makes it
easy to deploy and control mobile application and investigation tools, as
shown in Figure 31.

Figure 31. Santoku Linux

The installation is free for download at http://santoku-linux.com (Figure
32), and the platform can be installed on hardware or in the virtual
environment.

Figure 32. Santoku Linux Download

The main aims of the Santoku platform are:
Mobile Forensics
Tools to acquire and analyse data
- Firmware flashing tools for multiple manufacturers
- Imaging tools for NAND, media cards, and RAM
- Free versions of some commercial forensic tools
- Useful scripts and utilities specifically designed for mobile
  forensics

Mobile Malware
Tools for examining mobile malware
- Mobile device emulators
- Utilities to simulate network services for dynamic analysis
- Decompilation and disassembly tools
- Access to malware databases

Mobile Security
Assessment of mobile applications
- Decompilation and disassembly tools
- Scripts to detect common issues in mobile applications
- Scripts to automate decrypting binaries, deploying apps,
  enumerating app details, and more.

AFLogical OSE usage
AFLogical OSE is an open source tool used for a simple logical
acquisition of data from an Android device. It comes pre-installed in the
Santoku Linux distribution (Figure 33).

Figure 33. AFLogical OSE

Autopsy and the Sleuth Kit usage
The Sleuth Kit is an open source digital forensic set with the collection of
command line tools. Autopsy is a graphical interface (Figure 34.) for the
Sleuth Kit and it provides an easy usage of available tools. It also provides
case management, image integrity, keyword searching, and other
operations without the need for an external software.

Figure 34. Autopsy Main Operations Screen
Image Import and Supported Image Formats

Autopsy can analyse raw (dd) or E01[1] disk images, local drives, or a
folder of local files. Before the analysis, the investigator is required
to choose which type of data source is the source of information (Figure
35.). The forensic investigator can select a Disk Image or VM File
obtained with the available methods, an attached Local Disk, already
prepared Logical Files, or an Unallocated Space Image. It is also possible
to take a file out of the disk image for additional investigation.

[1] The popular commercial forensic suite, EnCase, developed a proprietary
format called the EnCase Evidence File format. EnCase Evidence Files use
the file extension E01 and are based on the Expert Witness Format (EWF) by
ASR Data (Forensicwiki, 2012). These image files are commonly referred to
as Expert Witness, E01 or EWF files.
(https://www.sans.org/reading-room/whitepapers/forensic/forensic-images-viewingpleasure-35447, 10.1.2018)

Figure 35. Type of Data Source
Analysis Features

Below is the list of Autopsy features.

- Multi-User Cases: Collaborate with fellow examiners on large cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify the activity.
- Keyword Search: Text extraction and index-search modules enable you to find files which mention specific terms and to find regular expression patterns.
- Web Artefacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies shortcuts and accessed documents.
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geolocation and camera information from JPEG files.
- File Type Sorting: Groups files by their type to find all images or documents.
- Media Playback: Views videos and images in the application, so there is no need for an external viewer.
- Thumbnail Viewer: Displays thumbnails of images to help view pictures quickly.
- Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
- Hash Set Filtering: Filters out known good files using NSRL and flags known bad files using custom hash sets in HashKeeper, md5sum, and EnCase formats.
- Tags: Tag files with arbitrary tag names, such as 'bookmark' or 'suspicious', and add comments.
- Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
- File Type Detection: Based on detection of signatures and extension mismatch.
- Interesting Files Module: Flags files and folders based on name and path.
- Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more. (The Sleuth Kit, 2018)
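The Hash Set Filtering and File Type Detection features in the list above rest on two simple checks: a file's hash looked up in known-good and known-bad lists, and the file's content signature compared with what its extension claims. The following is an added example, not code from Autopsy or The Sleuth Kit, that performs both checks over constructed sample files; the md5sum-format hash sets, the signature table, the extension map and the file contents are all constructed for the example.

```python
"""Hash-set filtering and signature/extension mismatch detection (added example)."""
import hashlib
from dataclasses import dataclass

# Content signatures (magic numbers) for a constructed subset of file types.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"SQLite format 3\x00": "sqlite",
}
# Which content type each extension claims to carry.
EXTENSION_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
                   "zip": "zip", "apk": "zip", "db": "sqlite", "sqlite": "sqlite"}


def parse_md5sum_hashset(text):
    """Parse a hash set in md5sum format: one line per entry, the digest first, then the file name."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split()[0].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not an md5sum line: {line!r}")
        hashes.add(digest)
    return hashes


def detect_type(data):
    """Content-based type detection: match the leading bytes against the signature table."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


@dataclass
class TriageResult:
    name: str
    md5: str
    detected: str            # type derived from the content signature
    verdict: str             # "known-good", "known-bad" or "unknown"
    extension_mismatch: bool


def triage(files, known_good, known_bad):
    """Classify each file by hash-set membership and flag signature/extension mismatches.
    `files` maps a file name to its content bytes."""
    results = []
    for name, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        if md5 in known_bad:              # a known-bad hit wins over a known-good one
            verdict = "known-bad"
        elif md5 in known_good:
            verdict = "known-good"
        else:
            verdict = "unknown"
        detected = detect_type(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        claimed = EXTENSION_TYPES.get(ext)
        mismatch = detected != "unknown" and claimed is not None and claimed != detected
        results.append(TriageResult(name, md5, detected, verdict, mismatch))
    return results


# Constructed sample evidence: a JPEG, a JPEG renamed to .pdf, a benign text file and a "bad" file.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
    "invoice.pdf": b"\xff\xd8\xff\xe1\x00\x18Exif" + b"\x00" * 32,   # JPEG bytes under a .pdf name
    "readme.txt": b"hello world\n",
    "tool.apk": b"PK\x03\x04" + b"not really an archive",
}
# Constructed hash sets in md5sum format (digests computed here so the sample stays consistent).
KNOWN_GOOD_SET = ("# constructed NSRL-style known-good list\n"
                  f"{hashlib.md5(SAMPLE_FILES['readme.txt']).hexdigest()}  readme.txt\n")
KNOWN_BAD_SET = f"{hashlib.md5(SAMPLE_FILES['tool.apk']).hexdigest()}  tool.apk\n"


def run_demo():
    """Return triage results for the constructed sample, keyed by file name."""
    good = parse_md5sum_hashset(KNOWN_GOOD_SET)
    bad = parse_md5sum_hashset(KNOWN_BAD_SET)
    return {r.name: r for r in triage(SAMPLE_FILES, good, bad)}


if __name__ == "__main__":
    for r in run_demo().values():
        flag = " EXTENSION MISMATCH" if r.extension_mismatch else ""
        print(f"{r.name:12} {r.detected:8} {r.verdict:11}{flag}")
```

A known-bad hit is reported even when the same hash also appears in a good set, which is the safer order for triage; and the mismatch check only fires when the content type is actually recognised, so unknown formats are not reported as renamed files.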

Ingest Module usage
The Ingest Module is a very helpful and powerful feature. During the initial
case setup, it offers a selection of the needed ingest modules, as shown in
Figure 36. It identifies files and extracts known data as records; examples of
such records are emails, SMS messages, etc. Analysis time and disk space may
vary depending on how many modules are selected. It is important to have the
Android Analyser module selected if an Android device image is the object of
the import.

Figure 36. Autopsy Ingest Module

Android Analyser module usage
This module helps identify files and presents data containing contacts,
messages and other communication records, web history, web bookmarks, etc.
It gives an option to manually tag findings under different categories, such
as Child Exploitation. Figure 37. shows which types of categorization can be
found on the main screen.

Figure 37. Android Analyzer

Accessing Partitions
Besides the automatic search for interesting records, it is possible to access
the image partitions manually. This offers another view of the acquired data,
with a flexible approach to the offered data structure. Figure 38. shows all
partitions acquired by the physical acquisition.

Figure 38. Access to Imaged Partitions

Timeline
The Timeline option offers a powerful overview of the recorded events in the
time domain. With its filtering options, the timeline makes context building
easier in the View Mode Counts (Figure 39.).

Figure 39. Timeline – View Counts

Colours represent the main event categories: File System, Web Activity, and
Misc. Types (Figure 40.). This filter is useful when many events are
presented, as it allows the focus to be put on the interesting ones.

Figure 40. Filter Events Categories

When the View Mode is set to Details, it is possible to see and pin a
potentially interesting event. Figure 41. shows SMS and pinned messages.

Figure 41. Timeline - View Details

Reporting
Autopsy offers an option to generate reports in various formats (Figure 42.).
The final report will include either all analysis results or only the tagged
ones. When a large amount of data is generated, the Excel format report gives
more flexibility in case the data needs to be exported further.

Figure 42. Report Formats

The generated report starts with the case summary, as shown in Figure 43.

Figure 43. Report - Case Summary

Figure 44. Report - Tagged Images

Figure 44. shows a detailed list of Keyword Hits, Tagged Files, Tagged
Images, or Tagged Results.

Summary
Cyber security is a subset of information security which deals with the
security of information stored in digital form and transferred over
communication links. A great part of the information security related
standards deals with cyber security issues.
Almost daily, media reports reveal cyber security related incidents. After
the historical analysis, we can conclude that we will see an increase in the
frequency of incidents of this type, especially as more services and users
use digital technology in their everyday work and life.

Knowledge acquired
Digital forensics – tools and usage: hard disk and memory card docking
stations, the Portable Computer Forensic Lab, and general computer forensic
tools such as Disk Genius, the dd command tool and Busybox. Database tools
such as Oracle LogMiner, IBM Guardium Data Protection for Databases, DB
Browser for SQLite, Undark (a SQLite data recovery tool) and
SQLite-Deleted-Records-Parser. Network forensic tools such as Wireshark,
NIKSUN NetDetector and Xplico. Mobile device forensic tools such as rooting
tools, Santoku, Autopsy and The Sleuth Kit, the Ingest Module, the Android
Analyser module, and how to access partitions and use reports.

Review questions
1. Explain the differences between digital forensics tools.
2. Name the tools for each technology.
3. List the steps of a mobile forensic investigation.

Further readings
- Digital transformation: online guide to digital business transformation
  https://www.i-scoop.eu/digital-transformation/
- United States Secret Service: Best Practices for Seizing Electronic Evidence
  http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
- National Institute of Justice: Forensic Examination of Digital Evidence: A Guide for Law Enforcement
  https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
- National Institute of Justice: Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition
  https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
- National Institute of Justice: Electronic Crime Scene Investigation: An On-the-Scene Reference for First Responders
  https://www.ncjrs.gov/pdffiles1/nij/227050.pdf
- National Institute of Justice: Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors
  https://www.ncjrs.gov/pdffiles1/nij/211314.pdf
- Department of Justice: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
  http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf

Video resources
- Disk Imaging/Acquisition Using Linux DD / DCFLDD command
  https://www.youtube.com/watch?v=aJp7_OVW2FA
- Computer Forensics: fdisk and dd
  https://www.youtube.com/watch?v=nzRo8gh7wkA
- Creating a Disk Image for Forensic Analysis
  https://www.youtube.com/watch?v=zY1rblisrBQ
- Starting a New Digital Forensic Investigation Case in Autopsy 4
  https://www.youtube.com/watch?v=WB4xj8VYotk
- Processing and analysis of disk images with Autopsy 4 default modules
  https://www.youtube.com/watch?v=FJqoUakfmdo
- NIKSUN Netdetector
  https://niksun.com/notebook.php

5. Simulation of digital forensic cases

Chapter abstract
Chapter goals: To present digital forensic investigation cases which deal
with the general computer, smart and mobile phones, and databases, and to
provide an insight into real forensic investigation processes not limited to
a single technology or tool.
Learning outcomes: Knowledge of the possible ways in which digital forensic
cases can be performed, explained through different simulated case scenarios
that offer students real hands-on experience.

Case 1: Forensic data recovery of files on PC
The goal of the forensic investigation was to find a specific file on a disk
on which a Windows quick format had been performed. There was no need to
acquire live data for this process, because the disk had already been removed
from the PC.

For this purpose, Disk Genius was first used together with the hard disk
docking station to clone the original disk to the investigation disk, and
then to copy the cloned data to the investigator’s local forensic station.

Figure 45. Disk Genius access to the investigated hard disk

Figure 46. shows how the data was copied from the cloned hard disk to the
local forensic investigator PC. All folders and files were available, and the
needed file was easy to find.

Figure 46. Disk Genius data copy

Case 2: Forensic investigation of Viber, VOICE CALL, SMS, and Coco on an
Android mobile device

While working with the law enforcement team as contractors, we came across
the case of two harassed persons. They were under pressure because they were
harassed over digital channels: Global System for Mobile Communications (GSM)
calls, SMS text messages, Viber messages and threatening photographs, and the
Coco messenger. Both of them showed their Android smartphone devices with the
disturbing content. Everything was documented in the case file.
Local police arrested the suspect and seized his Android mobile phone while
following all the rules and procedures. The Android mobile device was
labelled and shielded against radio frequency radiation, thus isolating the
source of evidence, and transported to the laboratory.

Defining the Scope of the Investigation
Scope definition is an important factor of the investigation. The initial
interview with the reporting persons discovered some basic information about
the events, such as date and time, content, digital channel, etc.
The seized device in this particular case was a Lenovo A2020a40 running
Android operating system version 5.1.1, equipped with the GSM SIM card
+38761078857. The device did not have any external storage, nor was it locked
or encrypted. USB debugging was enabled. The team collected all available
information from the first victim (referred to as person 1).
TABLE 2. Reporting Person 1 Data

Report 061abcdef | Content                                           | Date time of receipt
-----------------|---------------------------------------------------|-------------------------------
SMS message      | Hi beauty, I saw you yesterday.                   | 3.2.2018 15:23
Viber message    | I’m in love with you.                             | 2.2.2018 10:27
Viber photo      | Picture of message “Are you afraid of the night?” | 3.2.2018 15:29
Viber call       | -                                                 | 2.2.2018 10:31 duration 63 sec

The team also collected all available information from the second victim
(referred to as person 2).
TABLE 3. Reporting Person 2 Data

Report 062342097 | Content                                                     | Date time of receipt
-----------------|-------------------------------------------------------------|------------------------------------
GSM Voice call   | -                                                           | 2.12.2017 11:37 duration 30 seconds
Coco message     | Careful with your door lock                                 | 3.2.2018 15:25
Coco message     | You promised me not to leave me alone. Now you will regret. | 2.2.2018 10:42

Both victims experienced unpleasant calls, messages, and photographs
delivered over:
- Traditional voice GSM service
- Traditional SMS GSM service
- Viber Internet service
- Coco Internet service

First of all, it was necessary to search for the evidence on the seized
Android device without knowing whether or not the potential digital artefacts
had been deleted. After an additional analysis, the decision was made to
search for database files and photographs in both spaces – allocated and
especially unallocated – because it was assumed that the perpetrator had
deleted all or some of the messages/calls/photographs. The goal was to find
as much evidence as possible against the attacker.

Preparing the Environment for the Data Acquisition
The workstation dedicated to the investigation must be equipped with the
hardware and software needed for the image acquisition. Depending on the type
of image data acquisition, some prerequisites must be met. The communication
interface for the object of the investigation needs to be ADB, connected over
the USB port. Since this scope is limited to gathering logical images, some
additional steps must be performed beforehand:
- Verifying the ADB interface
- Rooting the device
- Installing the Busybox set of utilities

Verifying ADB Interface
The installed ADB connector will act as a link between the workstation and
the device, and it will be shown in the Device Manager as presented in
Figure 47. If there is a malfunction, it will be visible at this point.

Figure 47. ADB Driver Verified; Android Device Connected

Rooting the Device
Device rooting is needed in order to obtain the privileges for full access to
the system, or to the non-volatile memory landscape. This step is critical to
get the root privileges needed for the forensic activities. The process
requires you to:
- Connect the device to USB
- Start the rooting tool

When the Android device is connected to the workstation, it will appear in
the tray (Figure 48.), as well as in the Device Manager under the Control
Panel.

Figure 48. Android Device Connected

In order to check the adb connection, it is necessary to start the command
ADB DEVICES from the following location:
C:\Users\&lt;username&gt;\AppData\Local\Android\sdk\platform-tools
This is the location where the platform tools with the adb utility are
installed. Figure 49. shows that the workstation has successfully
communicated with the mobile device named 8d62f4b5.

Figure 49. Successful Communication to Mobile Device over ADB

Before using rooting tools, some precautions must be taken. Rooting is a
powerful process and it can lead to damage of the phone and/or the evidence.
If the rooting process is used under normal circumstances, it immediately
voids the warranty. Antivirus and firewall setups can interfere with normal
operations. Checking and testing the connection should be done before use.
Starting the rooting tool will show the basic data. The introduction screen
shows data about the device and the start button (Figure 50.). If the device
is recognized, the process can be initiated by pressing the “root” button.

Figure 50. Lenovo Rooting Start

The progress will last for a couple of minutes and will be shown in the
application. During the process, the device screen will display the status
of rooting (Figure 51.).

Figure 51. Device Status During Rooting Process

When the process is successfully completed, the message “succeed” will
appear. Each brand has its own supporting software, but there are many other
applications used for root checking, one of which is RootChecker.

Figure 52. Lenovo Moto Smart Assistant Device Status

Lenovo Moto Smart Assistant was used to check the status of the device
(Figure 52.).

Busybox Sideloading
Since Android is a Linux-based operating system, it is quite useful to have
Busybox installed on the device. After checking the adb connection to the
device, it is necessary to place the Busybox .apk file
(ru.meefik.busybox_34.apk) in the folder /android-sdk/platform-tools. Adb is
available in the same location.
In order to sideload the application, run the following command in the
command line (Figure 53.):

adb install ru.meefik.busybox_34.apk

Figure 53. Sideloading BusyBox Over ADB

In order to check whether the installation completed properly, type busybox
in the device shell to see whether it starts (Figures 54. and 55.). The
available commands will be listed.

Figure 54. Starting Busybox

In order to use the SHA1SUM command from the Busybox toolset to calculate the
hash value of the file ueventd.rc, type
# busybox sha1sum ueventd.rc
(Figure 55.).

Figure 55. Testing Busybox Tool Sha1sum

Determining Partitions and Blocks
Since Android is a Linux-based operating system, partitions are organized in
the same way as in every other Linux OS. Knowledge of the partitions, their
names, and mount points is necessary in order to get to the right place and
determine the source of data before the imaging process begins. A simple
pair of commands to list the partitions is:
adb shell          (to get a shell on the Android device)
cat /proc/partitions

Running these commands will give an overview of what is happening at the
partition level, thus helping to understand which block belongs to which
partition name (Figure 56).

Figure 56. Android Block Names

Another way to obtain information about the dev block names is:
adb shell ls -la /dev/block/platform/7824900.sdhci/by-name

7824900.sdhci is not a common name for all devices, because it varies from
device to device; it is also a subject of the investigation. Running the
command stated above will show results with more familiar names (Figure 57.).
During the imaging process it is important to decide which blocks will be
captured and transferred. Usually the whole memory landscape (mmcblk0) is
captured and transferred; however, on some special occasions only a single
block might need imaging (e.g. mmcblk0p2). Names may vary, and they are a
subject of the device examination.
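Joining the two listings above (block sizes from /proc/partitions, human-readable names from the by-name directory) is easy to do by hand for one device but error-prone across many. The added example below is not from the page or from any tool it names; it parses constructed copies of both outputs and produces a name to device to size map that can be checked before imaging, and refuses a by-name link that points at a device the kernel does not list. The sample listings, the controller path and the partition names are constructed; a real device's names differ, as the text notes.

```python
"""Map Android partition names to block devices and sizes (added example)."""
import re

# Constructed sample of `cat /proc/partitions` (sizes are in 1 KiB blocks).
PROC_PARTITIONS = """\
major minor  #blocks  name

 179        0    7634944 mmcblk0
 179        1      65536 mmcblk0p1
 179        2        512 mmcblk0p2
 179       34    5640192 mmcblk0p34
 179       35      16384 mmcblk0p35
"""

# Constructed sample of `ls -la /dev/block/platform/.../by-name` (symlinks to block devices).
BY_NAME_LISTING = """\
lrwxrwxrwx root     root              2018-02-10 10:21 boot -> /dev/block/mmcblk0p1
lrwxrwxrwx root     root              2018-02-10 10:21 misc -> /dev/block/mmcblk0p2
lrwxrwxrwx root     root              2018-02-10 10:21 userdata -> /dev/block/mmcblk0p34
lrwxrwxrwx root     root              2018-02-10 10:21 cache -> /dev/block/mmcblk0p35
"""

_PROC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
_LINK_LINE = re.compile(r"^l\S+\s.*?\s(\S+)\s->\s(/dev/block/\S+)\s*$")


def parse_proc_partitions(text):
    """Return {device name: size in bytes} from /proc/partitions output."""
    sizes = {}
    for line in text.splitlines():
        m = _PROC_LINE.match(line)
        if m:                                    # header and blank lines do not match
            sizes[m.group(4)] = int(m.group(3)) * 1024
    return sizes


def parse_by_name(text):
    """Return {partition name: /dev/block path} from an `ls -la .../by-name` listing."""
    links = {}
    for line in text.splitlines():
        m = _LINK_LINE.match(line)
        if m:
            links[m.group(1)] = m.group(2)
    return links


def partition_map(proc_text, by_name_text):
    """Join both listings into {name: {"device": path, "size": bytes}}. Raises if a link
    points at a device that /proc/partitions does not know, which signals a stale or
    mismatched listing that should be resolved before imaging."""
    sizes = parse_proc_partitions(proc_text)
    result = {}
    for name, path in parse_by_name(by_name_text).items():
        dev = path.rsplit("/", 1)[-1]
        if dev not in sizes:
            raise ValueError(f"{name} -> {path} not present in /proc/partitions")
        result[name] = {"device": path, "size": sizes[dev]}
    return result


def whole_device_size(proc_text, device="mmcblk0"):
    """Size of the whole memory landscape, the usual imaging target."""
    return parse_proc_partitions(proc_text)[device]


if __name__ == "__main__":
    for name, info in partition_map(PROC_PARTITIONS, BY_NAME_LISTING).items():
        print(f"{name:10} {info['device']:24} {info['size'] / 2**20:10.1f} MiB")
    print("whole device:", whole_device_size(PROC_PARTITIONS), "bytes")
```

The size of the whole device is what the receiving side must have room for; the per-partition sizes matter when, as the text says, only a single block such as userdata is imaged.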

Figure 57. Android Partition Names and Blocks

Acquiring Data from the Evidence Device
Data from the device will be acquired by applying two methods, namely
Physical and Logical data acquisition.

Logical data acquisition
To start the acquisition, the Android device must have the debugging option
enabled and a working adb. From the Linux command line start the command
aflogical-ose and then enter the sudo password (Figure 58.).

Figure 58. Starting AFLogical OSE acquisition

Before pressing Enter to pull the data from the device, it is necessary to
mark the interesting logs for acquisition, and then press the “capture”
button (Figure 59.).

Figure 59. Device Capture Options

The data is transferred to the remote folder, packed in comma separated
value format (Figure 60).

Figure 60. AFLogical OSE Data Extraction and Transfer

The acquired data can be found in the folder /home/nera/aflogical-data/
(Figure 61).

Figure 61. Acquired Data in Remote Folder

The data in this folder shows only what logically exists in the phone records
for the logs we were offered and selected during the initial logical
acquisition step. Deleted records are not available.
Physical data acquisition
In this process, the imaging command for the /dev/block device will be issued
and, at the same time, the transfer over the adb link using redirection will
be initiated. The Netcat utility will allow forwarding the data across the
adb link.
For the imaging process, the Linux command dd will be used. The syntax is:
dd if=/mountpoint of=/destinationpoint/partitiontype
of – the output can instead be redirected through netcat (nc) to a remote
file:
dd if=/mountpoint | busybox nc -l -p portnumber

Obtaining the data from the source device will be done through two
concurrently opened shells on the Santoku investigative workstation
(Figure 62.). This process can take some time. In this case, 7818182656
bytes were transferred in 7836.341 seconds (approximately 130 minutes).
The remote destination should have enough storage to receive the image.
Another important factor is the file system type of the destination: FAT32
will not be able to accept a file larger than 4GB.

Annotations of the acquisition screenshot in Figure 62:
- adb devices: shows whether a device is present on the adb connection. If
  the device is present and communication is successful, its name will
  appear; in this case the device named 8d62f4b5 is present.
- Port forwarding: this command setup forwards host port 6970 over TCP to
  remote device port 6970 over TCP (in this case the receiving side is the
  Santoku Linux investigative workstation waiting in SHELL 2).
- adb shell: initiates the remote shell on the only connected device.
- su: the su command on the remote shell.
- dd | busybox nc: copies the content of /dev/block/mmcblk0 to the remote
  destination port 6970 using the BusyBox Netcat utility.
- nc: the command used to start the NetCat utility to transfer data. In this
  case netcat is receiving the data from the previously started transfer of
  the mmcblk0 block by the dd command on port 6970. The received content will
  have the name Digital_Evidence_Android_01.dd. This image will be used later,
  first to calculate the hash value, and then for the forensic analysis.

Figure 62. Integrity of the evidence image file

In order to maintain the integrity check of the obtained image file, the hash
calculation has to be performed and documented (Figure 63.). The calculated
hash value is checked throughout the entire process and the complete life
cycle of the evidence.
The command issued in the shell is:
sha256sum Digital_Evidence_Android_01.dd

Figure 63. Calculating Hash Value of the Evidence Image
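The dd | nc transfer above and the sha256sum run afterwards are separate steps, so a corrupted or truncated transfer is only noticed once the whole 7.8 GB image has been re-read and hashed. The added example below is not code from the page, from Santoku or from BusyBox; it models the pipeline in Python: a sender streams a constructed stand-in for the device through a local socket pair (standing in for the adb-forwarded netcat link) while hashing every chunk, the receiver hashes what it writes, and the two digests and byte counts are compared, followed by the independent re-hash of the written file that mirrors the sha256sum step. It also checks an image size against the FAT32 4 GB limit the text mentions, using the page's transferred size. The socket pair, the chunk size and the sample image bytes are assumptions for the example.

```python
"""Stream a block image over a byte channel and verify it with SHA-256 at both ends (added example)."""
import hashlib
import io
import socket
import threading

CHUNK = 64 * 1024                       # read/send unit, like dd's block size
FAT32_MAX_FILE = 4 * 1024**3 - 1        # largest file FAT32 can hold: 4 GiB minus one byte
PAGE_IMAGE_SIZE = 7818182656            # size of the image transferred in the text (bytes)


def fits_fat32(size_bytes):
    """True if an image of this size can be written to a FAT32-formatted destination."""
    return FAT32_MAX_FILE >= size_bytes


def sha256sum(data):
    """Independent digest of a finished file, like running sha256sum afterwards."""
    return hashlib.sha256(data).hexdigest()


def stream_image(source, sink, chunk=CHUNK):
    """Sender side (the `dd if=... | nc` end): copy `source` into the socket `sink`,
    hashing every chunk as it leaves. Returns (bytes sent, sha256 hex digest)."""
    digest = hashlib.sha256()
    sent = 0
    while True:
        buf = source.read(chunk)
        if not buf:
            break
        sink.sendall(buf)
        digest.update(buf)
        sent += len(buf)
    sink.shutdown(socket.SHUT_WR)       # signals end of image to the receiver
    return sent, digest.hexdigest()


def receive_image(conn, dest, chunk=CHUNK):
    """Receiver side (the listening `nc` end writing the .dd file): write everything
    received to `dest`, hashing as it lands. Returns (bytes received, sha256 hex digest)."""
    digest = hashlib.sha256()
    received = 0
    while True:
        buf = conn.recv(chunk)
        if not buf:
            break
        dest.write(buf)
        digest.update(buf)
        received += len(buf)
    return received, digest.hexdigest()


def acquire(device_bytes):
    """Run both ends over a local socket pair (stand-in for the adb-forwarded TCP port).
    Returns ({"sent": (n, hash), "received": (n, hash)}, image bytes written at the receiver)."""
    sender_end, receiver_end = socket.socketpair()
    dest = io.BytesIO()
    outcome = {}

    def sender():
        outcome["sent"] = stream_image(io.BytesIO(device_bytes), sender_end)
        sender_end.close()

    worker = threading.Thread(target=sender)
    worker.start()
    outcome["received"] = receive_image(receiver_end, dest)
    worker.join()
    receiver_end.close()
    return outcome, dest.getvalue()


def transfer_verified(outcome):
    """The image is acceptable only if both byte counts and both digests agree."""
    return outcome["sent"] == outcome["received"]


# Constructed stand-in for /dev/block/mmcblk0: 1 MiB of a repeating byte pattern.
SAMPLE_DEVICE = bytes(range(256)) * 4096


if __name__ == "__main__":
    result, image = acquire(SAMPLE_DEVICE)
    print("sent    :", result["sent"])
    print("received:", result["received"])
    print("verified:", transfer_verified(result))
    print("file hash matches:", sha256sum(image) == result["received"][1])
    print("page image fits FAT32:", fits_fat32(PAGE_IMAGE_SIZE))
```

Hashing on both ends while the bytes are in flight costs nothing extra in I/O and gives an immediate answer; the later sha256sum of the stored file is still recorded, because that is the value that follows the evidence through its life cycle.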

Importing Image File into Autopsy
Before the analysis starts, the collected image file needs to be imported
into the tool Autopsy 4.5.0. This process can take a while depending on the
size of the image file. During the image collection process, the dd command
was used to collect the whole image of the Android device, including the
unallocated space, to allow a deeper analysis. During the initial case
creation, the option Disk Image or VM File was chosen as the data source. The
ingest module is left with the default settings, fully marked with all
available options.

Analysis of the Acquired Mobile Device Data
Data acquired with both methods, logical and physical, will be the subject of
the investigation.

Analysis of Logically Acquired Data
Logical acquisition is simple, and all data acquired from the phone is
located in one folder, with file names which correspond to the data
(Figure 64).

Figure 64. Files Containing Acquired Data

Figure 65. shows the content of the file SMS.csv.

Figure 65. Content of SMS File

The CallLog Calls.csv file contains data about calls. The corresponding
records are found in the listing. Figure 66. shows that a call was made to
the number 062342097; the date is stored in Unix epoch format (see
footnote 2), and 1512211049405 is 2.12.2017 11:37:29.405, with a duration of
30 seconds.

Figure 66. Content of CallLog Calls File

Footnote 2: The Unix epoch (or Unix time or POSIX time or Unix timestamp) is
the number of seconds that have elapsed since January 1, 1970 (midnight
UTC/GMT).
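Two details matter when reading the date column above: the stored value is a Unix epoch in milliseconds rather than seconds (13 digits instead of 10), and the times in the report tables are local time, so the conversion must apply the right offset (the page's values agree with UTC+1). The added example below is not code from the page or from AFLogical OSE; it parses a constructed CallLog Calls.csv whose column names are assumed from the Android call log provider, decodes the epoch value in either unit, and matches the rows against the reported incidents with a tolerance that allows for the minute-precision times the victims gave.

```python
"""Parse a logically acquired call log CSV and match it against reported incidents (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# The report's times are local; the page's values agree with UTC+1 (assumption: CET, no DST).
LOCAL_TZ = timezone(timedelta(hours=1), "CET")
CALL_TYPES = {"1": "incoming", "2": "outgoing", "3": "missed"}   # Android CallLog.Calls constants

# Constructed CallLog Calls.csv; column names assumed from the Android call log provider.
CALLLOG_CSV = """\
_id,number,date,duration,type
1,062342097,1512211049405,30,2
2,061555000,1517572800000,0,3
3,062342097,1517573000000,12,1
"""


def epoch_to_datetime(value, tz=LOCAL_TZ):
    """Convert a Unix epoch in seconds or milliseconds to an aware datetime.
    Anything above 10**11 cannot be seconds (that would be the year 5138), so it is treated as ms."""
    n = int(value)
    if n > 10**11:
        secs, ms = divmod(n, 1000)
        return datetime.fromtimestamp(secs, tz).replace(microsecond=ms * 1000)
    return datetime.fromtimestamp(n, tz)


def format_local(dt):
    """Render like the report tables: d.m.yyyy HH:MM:SS.mmm"""
    return f"{dt.day}.{dt.month}.{dt.year} {dt:%H:%M:%S}.{dt.microsecond // 1000:03d}"


def parse_call_log(text):
    """Return a list of call records with the date decoded."""
    calls = []
    for row in csv.DictReader(io.StringIO(text)):
        calls.append({
            "number": row["number"],
            "when": epoch_to_datetime(row["date"]),
            "duration": int(row["duration"]),
            "direction": CALL_TYPES.get(row["type"], "unknown"),
        })
    return calls


def match_reports(calls, reports, tolerance=timedelta(minutes=1)):
    """For each reported call (number, 'd.m.yyyy HH:MM' local, duration in seconds) return the
    matching log record, or None. Reported times have minute precision, hence the tolerance."""
    matches = []
    for number, reported, duration in reports:
        reported_dt = datetime.strptime(reported, "%d.%m.%Y %H:%M").replace(tzinfo=LOCAL_TZ)
        hit = None
        for call in calls:
            if (call["number"] == number and call["duration"] == duration
                    and tolerance >= abs(call["when"] - reported_dt)):
                hit = call
                break
        matches.append(hit)
    return matches


# Constructed from the page's Table 3: the GSM call reported by person 2.
REPORTED_CALLS = [("062342097", "2.12.2017 11:37", 30)]


if __name__ == "__main__":
    log = parse_call_log(CALLLOG_CSV)
    for c in log:
        print(c["number"], format_local(c["when"]), c["duration"], c["direction"])
    for report, hit in zip(REPORTED_CALLS, match_reports(log, REPORTED_CALLS)):
        print(report, "->", "found" if hit else "not found")
```

The same conversion reproduces the other epoch values quoted later in the text (1517563641920, 1517563892604, 1517668146820, 1517564524520) only with the UTC+1 offset applied; decoding them as UTC would shift every time by an hour and break the match with the victims' reports.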

None of the other applications’ log data was retrieved during the logical
acquisition using the AF Logical OSE tool. Apart from the voice call, no
other matches were found (Table 4. and Table 5.).

TABLE 4. Overview of Logically Acquired Data for Reporting Person 1

Report 061abcdef        | Content                                               | Date/time of receipt                  | Evidence/Logical acquisition found
------------------------|-------------------------------------------------------|---------------------------------------|-----------------------------------
SMS message             | Hi beauty, I saw you yesterday.                       | 3.2.2018 15:23                        | NO
Viber message           | I’m in love with you.                                 | 2.2.2018 10:27                        | NO
Viber call              | -                                                     | 2.2.2018 10:31 call duration 1:03 sec | NO
Viber threatening photo | Picture of the message “Are you afraid of the night?” | 3.2.2018 15:29                        | NO

TABLE 5. Overview of Logically Acquired Data for Reporting Person 2

Report 062342097 | Content                                                     | Date/time of receipt                | Evidence/Logical acquisition found
-----------------|-------------------------------------------------------------|-------------------------------------|-----------------------------------
GSM Voice call   | -                                                           | 2.12.2017 11:37 duration 30 seconds | YES
Coco message     | Careful with your door lock                                 | 3.2.2018 15:25                      | NO
Coco message     | You promised me not to leave me alone. Now you will regret. | 2.2.2018 10:42                      | NO

Analysis of the Physically Acquired Data
The physical analysis begins with the Autopsy tool. The full Android mobile
device image Lenovo_Android05 is imported, and the ingest module runs on the
data with the tasks configured at the beginning. Autopsy also searches the
unallocated space, which can be particularly interesting in cases of hidden
data or of recovering deleted data.

Autopsy mounted 35 partitions (Figure 67.). Partition vol34 – userdata is the
place where all applications hold their data.

Figure 67. Autopsy Mounted Partition from the Evidence Image

Table 6. lists the collected information about the applications in the scope
of the investigation.
TABLE 6. Collected Data about Applications in Investigation Scope

Application name      | Location of application               | Location of database                            | Database names
----------------------|---------------------------------------|-------------------------------------------------|-----------------
Viber                 | /data/com.viber.voip                  | /data/com.viber.voip/databases                  | Viber_messages
SMS                   | /data/com.android.providers/telephony | /data/com.android.providers/telephony/databases | Mmssms.db
Coco msg/voice        | /data/com.instanza.cocovoice          | /data/com.instanza.cocovoice/databases          | 59317329_coco.db
GSM Telephone dialler | /data/com.android.providers.contacts  | /data/com.android.providers.contacts/databases  | Contacts2.db

Viber Message and Call Investigation
The Viber investigation searched for evidence to match the data from the
table at the beginning of the case. The goal was to prove the existence of a
digital trail related to Viber. Table 7. shows the receiving report from
user 061abcdef.
TABLE 7. Viber Message and Call Investigation

Report 061abcdef        | Content                                           | Date/time of receipt
------------------------|---------------------------------------------------|--------------------------------------
Viber message           | I’m in love with you.                             | 2.2.2018 10:27
Viber call              | -                                                 | 2.2.2018 10:31 call duration 1:03 sec
Viber threatening photo | Picture of message “Are you afraid of the night?” | 3.2.2018 15:29

First of all, we need to locate the proper partition and data path, where
the Viber database is found (Figure 68.).

Figure 68. Viber Database Location and Metadata

Searching for the Viber Message – “I’m in love with you”

In order to find the message, the database needs to be extracted to the
operational folder (right click on the database – Extract) and then opened
in DB Browser for SQLite.
The Viber database structure is shown in Figure 69. The tables messages and
messages_calls will be the subject of the analysis, because they contain the
data interesting for the investigation.

Figure 69. Viber Database Structure

Executing an SQL command over the table messages in the database
viber_message will yield results which prove that the message “I’m in love
with you” was sent from the phone (Figure 70.). The epoch value
1517563641920 is 2.2.2018 10:27:21.920.

Figure 70. Retrieve Data About Message from Table Messages

Searching for the call 2.2.2018 10:31; call duration 1:03 sec

The following step is to find the trail of the Viber call to 061abcdef on
2.2.2018 at 10:31, call duration 1:03 sec. The table messages_calls contains
the data. Executing an SQL command with the parameters needed to narrow the
query will return data which proves that the call was made from this phone
(Figure 71). The epoch time 1517563892604 is equal to 2.2.2018 10:31:32.604.
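Narrowing the query by the reported time is the step the text performs by hand in DB Browser for SQLite. The added example below is not code from the page and does not use Viber's real schema; it builds an in-memory SQLite database with two constructed tables named like the ones above, messages and messages_calls, each with a date column holding epoch milliseconds, and runs a parameterized query for the rows that fall within a window after a reported local time. The schema, the rows other than the page's own epoch values, and the UTC+1 offset are assumptions.

```python
"""Parameterized time-window queries over constructed Viber-like tables (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=1), "CET")   # report times are local, UTC+1 assumed
ALLOWED_TABLES = {"messages", "messages_calls"}  # table names are never taken from input unchecked


def local_to_epoch_ms(text):
    """'d.m.yyyy HH:MM' in local time to Unix epoch milliseconds."""
    dt = datetime.strptime(text, "%d.%m.%Y %H:%M").replace(tzinfo=LOCAL_TZ)
    return int(dt.timestamp()) * 1000


def epoch_ms_to_local(ms):
    """Epoch milliseconds to the report's d.m.yyyy HH:MM:SS.mmm form in local time."""
    secs, rem = divmod(int(ms), 1000)
    dt = datetime.fromtimestamp(secs, LOCAL_TZ)
    return f"{dt.day}.{dt.month}.{dt.year} {dt:%H:%M:%S}.{rem:03d}"


def build_sample_db():
    """Constructed stand-in for the extracted viber_messages database (schema is invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, date INTEGER, body TEXT, status INTEGER);
        CREATE TABLE messages_calls (_id INTEGER PRIMARY KEY, date INTEGER, duration INTEGER, type INTEGER);
        INSERT INTO messages VALUES (1, 1517563641920, 'I''m in love with you.', 1);
        INSERT INTO messages VALUES (2, 1517600000000, 'see you', 1);
        INSERT INTO messages VALUES (3, 1517668146820, NULL, 3);          -- record left by a deleted message
        INSERT INTO messages_calls VALUES (1, 1517563892604, 63, 1);
        INSERT INTO messages_calls VALUES (2, 1517400000000, 5, 1);
    """)
    return conn


def rows_in_window(conn, table, reported_local, window_seconds=120):
    """Rows of `table` whose date lies within `window_seconds` after the reported time.
    The bounds travel as bound parameters; the table name is checked against an allow-list."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table name: {table!r}")
    start = local_to_epoch_ms(reported_local)
    end = start + window_seconds * 1000 - 1
    sql = f"SELECT * FROM {table} WHERE date BETWEEN ? AND ? ORDER BY date"
    return conn.execute(sql, (start, end)).fetchall()


def find_message(conn, reported_local, text):
    """Local date string of the message with exactly `text` near `reported_local`, else None."""
    for row in rows_in_window(conn, "messages", reported_local):
        if row[2] == text:
            return epoch_ms_to_local(row[1])
    return None


def find_call(conn, reported_local, duration_seconds):
    """Local date string of the call with this duration near `reported_local`, else None."""
    for row in rows_in_window(conn, "messages_calls", reported_local):
        if row[2] == duration_seconds:
            return epoch_ms_to_local(row[1])
    return None


if __name__ == "__main__":
    db = build_sample_db()
    print("message:", find_message(db, "2.2.2018 10:27", "I'm in love with you."))
    print("call   :", find_call(db, "2.2.2018 10:31", 63))
    print("photo  :", rows_in_window(db, "messages", "3.2.2018 15:29"))
```

The window is deliberately open-ended on the late side only: a victim reports the minute the message arrived, and the database stores the exact millisecond, so the record is always at or after the reported minute, never before it.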

Figure 71. Retrieve Data About Calls from Table Messages_Calls

Searching for the sent picture of the message “Are you afraid of the night?”

The following task is to find the Viber picture/photo of the threatening
message “Are you afraid of the night?” sent on 3.2.2018 at 15:29.
The table messages in the viber_messages database shows the record of a
deleted message (Figure 72.). Other than the date/time value and the status
of the message, the other available data is not in the scope of the
investigation.

Figure 72. Viber Database Records

The epoch value 1517668146820 is 3.2.2018 15:29:06.820, which corresponds to
the date and time from the initial search table. The next step is to search
the unallocated space for deleted pictures. Autopsy has a strong engine for
inspecting files according to the ingest module configuration. The picture
was found as a deleted file (Figure 73.).

Figure 73. Recovered Deleted Picture

Additional data about the file is shown in Figure 74.

Figure 74. Recovered Deleted Picture Metadata

SMS Message Investigation
The scope of this investigation is the database where SMS messages are
stored. The initial data we were searching for is shown in Table 8.
TABLE 8. SMS Message Investigation

Report 061abcdef | Content                         | Date/time of receipt
-----------------|---------------------------------|---------------------
SMS message      | Hi beauty, I saw you yesterday. | 3.2.2018 15:23

According to the previous mapping of the application locations, SMS messages
are stored in the database mmssms.db located in
/data/com.android.providers/telephony/databases. After the process of
database extraction to the operational folder, the examination of the
database structure is performed (Figure 75). The table named sms should have
the data about messages. The other tables were opened, and their attributes
were checked. Depending on the scope of the investigation, some other tables
can be subject to a detailed analysis.

Figure 75. MMSSMS Database Structure

Searching for the SMS message “Hi beauty, I saw you yesterday”

No tables other than the sms table contained the needed records. The
investigation shows that the records in the table sms do not contain data
about the message “Hi beauty, I saw you yesterday” (Figure 76.). It is
assumed that the message was deleted from the database, because the executed
SQL commands do not retrieve any data for the set condition. Other tools
should be used to perform the possible data recovery at the database level.

Figure 76. Retrieve Data about Calls from Table SMS

The SQLite-Deleted-Records-Parser tool could help determine the deleted data
in the database. Start the tool with mmssms.db as the input and mmssms.txt
as the output file. After that, the message is found in the unallocated
space of the database file (Figure 77.).
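The reason a tool like SQLite-Deleted-Records-Parser can still find the message is that SQLite, unless secure_delete is on, only unlinks a deleted row's cell and leaves its bytes in the page's free space until that space is reused. The added example below is not code from the page or from that tool; it builds a small constructed sms-like database, deletes one row, confirms that a normal SELECT no longer sees it, and then carves printable strings from the raw file bytes past page 1 (which holds the file header and, for this small file, the schema) to recover it; strings that contain a value still returned by a live row are subtracted, leaving the deleted-record candidates. The same mechanism is what recovers the Coco message later in the text. The table layout, the rows and the file location are constructed.

```python
"""Recover a deleted SQLite row by carving the raw database file (added example)."""
import os
import re
import sqlite3
import tempfile

MIN_STRING = 8
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING)

# Constructed rows for a stand-in of the sms table; the first one will be deleted.
SAMPLE_ROWS = [
    (1, "061abcdef", 1517667780000, "Hi beauty, I saw you yesterday."),
    (2, "061111111", 1517670000000, "lunch tomorrow at the usual place?"),
    (3, "061222222", 1517671000000, "ok, see you there at noon"),
]


def make_sample_db(path):
    """Create the database, commit all rows, then delete row 1 in a second transaction."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")   # the common default; made explicit for the demo
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE _id = ?", (1,))
    conn.commit()
    conn.close()


def live_strings(path):
    """Every text value a normal query can still see."""
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute("SELECT address, body FROM sms").fetchall()
    finally:
        conn.close()
    return {value for row in rows for value in row if value is not None}


def carve_strings(path):
    """Printable ASCII runs in every page after page 1, allocated or not: what a
    strings-style carver sees. The page size is read from the file header (bytes 16-17)."""
    with open(path, "rb") as fh:
        data = fh.read()
    page_size = int.from_bytes(data[16:18], "big") or 65536   # header value 1 means 65536
    return {m.group().decode("ascii") for m in PRINTABLE.finditer(data[page_size:])}


def deleted_candidates(path):
    """Carved strings that no live row accounts for: the deleted-record candidates.
    A carved run may start with a byte or two of record header, so live values are
    matched as substrings rather than exact strings."""
    live = live_strings(path)
    return {s for s in carve_strings(path) if not any(v in s for v in live)}


def run_demo():
    """Build the sample in a temporary directory and return (live strings, deleted candidates)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms_sample.db")
        make_sample_db(path)
        return live_strings(path), deleted_candidates(path)


if __name__ == "__main__":
    live, deleted = run_demo()
    print("visible to SELECT:", sorted(live))
    print("carved, not live :", sorted(deleted))
```

The recovered text has no row context: the carver returns the body and the address as separate runs, with the record header and the integer date column lost to non-printable bytes, which is why the text above pairs the recovered message with the reported time rather than reading a timestamp from the carved data.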

Figure 77. Recovered Deleted Database Record

GSM Voice Call Investigation
The scope of the GSM voice call investigation will be the database where the
call data records are stored. The initial data we were searching for is
shown in Table 9.
TABLE 9. GSM Voice Call Investigation

Report 062342097 | Content | Date time of receipt
-----------------|---------|------------------------------------
GSM Voice call   | -       | 2.12.2017 11:37 duration 30 seconds

Voice call log records can be found in the database contact2.db located in
/data/com.android.providers.contacts/databases. The structure of the
database after the extraction to the operational folder is shown in
Figure 78.

Figure 78. Contact2 Database Structure

Searching for the GSM voice call 2.12.2017 11:37 duration 30 seconds

The table calls should have the data related to the executed calls, incoming
as well as outgoing. The executed SQL command retrieves the data about the
call dated in the table at the beginning of the investigation (Figure 79.).
The epoch value 1512211049405 is 2.12.2017 11:37:29.405.

Figure 79. Retrieve Data About Calls from Table Calls

Coco Message Investigation
Coco messenger is not a widespread application. It supports messaging and
voice communication. According to the previous analysis and the application
location mapping, the database 59317329_coco.db is located in
/data/com.instanza.cocovoice/databases. The initial data we were searching
for is shown in Table 10.
TABLE 10. Coco Message Investigation

Report 062342097 | Content                                                     | Date/time of receipt
-----------------|-------------------------------------------------------------|---------------------
Coco message     | Careful with your door lock                                 | 3.2.2018 15:25
Coco message     | You promised me not to leave me alone. Now you will regret. | 2.2.2018 10:42

The structure of the database after the extraction to the operational folder
is shown in Figure 80.

Figure 80. 59317329_coco Database Structure

Searching for the message “Careful with your door lock”

The table ChatMessageModels should have the data related to messages. The
executed SQL command did not return any data about the message (Figure 81).

Figure 81. Retrieve Data about Chat Message from Table Content

The SQLite-Deleted-Records-Parser tool retrieved the deleted database data
from the source database file 59317329_coco.db into the output file
coco.txt. After that, the message was found (Figure 82).

Figure 82. Recovered Evidence Message from Deleted Database Record

Searching for the Message “You promised me not to leave me alone. Now you
will regret.”

The table ChatMessageModels should have the data related to messages. The
executed SQL command retrieved the data about the message dated in the table
at the beginning of the investigation (Figure 83). The epoch value
1517564524520 is 2.2.2018 10:42:04.520.

Figure 83. Retrieve Data about the Message from Table Content

Investigation Findings
The investigation was completed by summarizing the discovered digital
artefacts on the perpetrator’s Android mobile device. The quantitative data
is shown in Table 11.
TABLE 11. Quantitative Data about Found Evidence

           | Number of reported/expected digital artefacts | Logically acquired artefacts | Physically acquired artefacts
-----------|-----------------------------------------------|------------------------------|------------------------------
Viber      | 3                                             | 0                            | 3
SMS        | 1                                             | 0                            | 1
Coco       | 2                                             | 0                            | 2
GSM calls  | 1                                             | 1                            | 1
Total      | 7                                             | 1                            | 7
Percentage | 100%                                          | 14.2%                        | 100%
The summary of the data shows that the team proved the existence of the
searched data on the mobile device. The investigation started with 7
reported messages/calls/photos. That was the foundation for defining the
scope of the investigation and the tools needed to carry it out. During the
process, two methods of data acquisition were used, namely Logical and
Physical data acquisition. It is obvious that using the AF Logical OSE tool
for the logical acquisition was not enough to obtain the necessary data –
especially when the data was deleted (SMS) – nor for other Internet services
such as Viber and Coco messenger and deleted photographs.

Ending Investigations
All collected evidence findings were submitted according to the rules and
procedures. The report was handed over to the authorities together with the
evidence. The evidence was used in court. It is not known what happened to
the perpetrator.
Figure 84. shows the report summary with data about the case, such as the
case name, case number, examiner name, time zone, and the location of the
taken image.

Figure 84. Report Summary

Figure 85. shows the files tagged as evidence. The evidence list contains the
exact location of the evidence within the partition.

Figure 85. Report of the Evidence Tagged Files and Locations

The report navigation offers grouping of the data by the categories of
keyword hits, tagged files, tagged images, and tagged results. The report
shown in Figure 85. included files and images as the evidence trail.

Case 3: Database forensics – user complaints about high bills
The complaints centre of an Internet provider received a complaint from a
customer about high bills at the end of the month. Management ordered a
forensic analysis, so internal forensic investigators began analysing the
RACUNI_USER_USER table, where customer account details are kept, to look for
suspicious activity. The forensic analysis of the table should show whether
there was an unauthorized change and, if so, when it was made and by whom.
A report on the given table was created with IBM Guardium; the result is
shown in Figure 86.

(Figure 86 image: report rows listing the client addresses aaa.bbb.cc.dd and aaa.bbb.ii.jj)

Figure 86. IBM Guardium report for the customer complaints

The report shows that the table was changed: the values set for MOBILE and
FIXED for two customers and for INTERNET for one customer were modified. The
DB USER column shows an account that belongs to no known person (ATTACKER),
connecting from IP address aaa.bbb.cc.dd, where the service account
ESJEDNICE_TST was logged on.


By resolving the host name that corresponds to the IP address, it was
confirmed to be a file server in the Internet provider's (BH TELECOM) domain.

(Figure 87 image: host name resolution rows for address aaa.bbb.cc.dd)

Figure 87. IP resolution

The digital forensic investigators found that the perpetrator had tried to
conceal the evidence by logging in with a service account on the file server.
From the file server the attacker started the SQLPLUS tool as database user
ATTACKER, accessed the database and made the unauthorized changes in the table.
The next logical step in the forensic investigation was to find out who was
hiding behind the username ATTACKER, or who granted ATTACKER the database
rights that allowed the changes in the table. The information is presented in
Figure 88.
(Figure 88 image: report rows listing the client addresses aaa.bbb.ii.jj and aaa.bbb.ii.cc)

Figure 88. Report from IBM Guardium shows ATTACKER creator

The user ATTACKER was created by one of the administrators (MIRZA_ADMIN)
through SQLPLUS on a local server, and its privileges were granted through the
Oracle Enterprise Manager tool.

Case 4: Database forensics – salaries data leakage
Company management initiated a forensic analysis after salary details were
revealed in the media. Because confidential information had been disclosed,
management made a written request for a detailed forensic investigation of
the database to determine who accessed the table with salary data, and how.
The forensic investigators knew that two tables contained the incriminating
data: one with salaries and another with employee names. The report in the
IBM Guardium tool which follows the sensitive tables shows the events related
to this case (Figure 89).

(Figure 89 image: report rows listing the client addresses aaa.bbb.ee.ff and aaa.bbb.ii.jj)

Figure 89. IP address, username, and SQL command

The first report shows that the undefined user POM_2015 connected to the
database using the SQLPLUS tool from the machine with IP address
aaa.bbb.ee.ff, where the OS user was esjednice_stst1, and created tables with
the contents of the tables PLATE (SALARIES) and UPOSLENIC_FIRME
(COMPANY_EMPLOYEES).


Figure 90 shows the DNS name of the PC with address aaa.bbb.ee.ff, which
resolves to the PC ucionica (classroom1). This is an example of fraudulent
activity in which the host classroom1 is used to hide the traces of database
access. Another important point is that the access to the salaries table and
the names table was not direct. Rather, in order to cover tracks, two
so-called "help tables" (IZVJ_2015 and HR_IZVJ_2015) were created with data
copied from the sensitive tables.

(Figure 90 image: name resolution rows for address aaa.bbb.ee.ff)

Figure 90. IP Address name resolution

From the fact that two additional tables were created for access to the
sensitive data, we can infer that the attacker assumed that some tool was
monitoring access to the sensitive tables and tried to obtain the data
indirectly. The next step for the forensic team was a deeper analysis of the
user POM_2015 and of the tables created by this user, which indicated illegal
activities on the database.

(Figure 91 image: report rows listing the client addresses aaa.bbb.ee.ff and aaa.bbb.ii.jj)

Figure 91. View detailed POM_2015 user-related activities

Figure 91 shows the chronological overview of the criminal activities of the
user POM_2015 and the administrator MIRZA_DBA on the database. After POM_2015
created the auxiliary tables and collected the information from them, s/he
dropped them to cover up the evidence. However, the IBM Guardium tool recorded
one more item: in this procedure a further user (MIRZA_DBA) appeared, who
deleted the user that had committed the criminal activity.
The forensic analysis led to very important information indicating a valid
trace, namely that the administrator (MIRZA_DBA) was actually responsible for
the criminal activity (Figure 92).

(Figure 92 image: report rows listing the client addresses aaa.bbb.ee.ff, aaa.bbb.gg.hh and aaa.bbb.ii.jj)

Figure 92. Details of the report about the creation of the user POM_2015 and
granted access rights

The forensic analysis presented in the previous report clearly shows when and
how the user was created and how it obtained privileges over the tables in
order to access the data. In conclusion, we can see that the account and the
tables were deleted in an attempt to conceal the proof of the criminal
activity.

Case 5: Database forensics – data deletion
The company's marketing department discovered that data had been deleted from
a database and requested an investigation. Human resources also discovered
that the column with employees' monthly salaries in a database table had been
deleted. They initiated data recovery from backup; however, before restoring
data from the backup, management wanted a report on who deleted data from the
database, what was deleted, when, and in what way.
The report generated with IBM Guardium for the table where the data was
deleted shows who deleted the data, when and how that happened, and which
tool was used.

(Figure 93 image: report rows listing the client addresses aaa.bbb.ee.ff and aaa.bbb.ii.jj)

Figure 93. A forensic report related to deleted data in the table

As shown in the IBM Guardium report, the user responsible for deleting all
data from the table NOVE_USLUGE is TRON555.

Figure 94. Report on details of creation and assignment of privileges for
the user TRON555

However, when the team tried to trace the origin of the user in IBM Guardium,
i.e. when it was created and who created it, they failed. The forensic
investigator realised that the attacker was well acquainted with the IBM
Guardium system and had managed to hide the trace of creating, and granting
rights to, the user who cleared all data in the table.
Further forensic analysis showed that the attacker knew that certain users
were not recorded by IBM Guardium when it monitored changes in the database.
These were service accounts used to run backup scripts, and they had been
excluded from IBM Guardium monitoring with management's approval.

Figure 95. View exception rules for users who are not treated through
IBM Guardium

Figure 96 shows that the attacker might have used one of the two mentioned
users in order to circumvent the system and thereby hide the true trail
indicating who was responsible for the unauthorized deletion of data in the
table. However, s/he did not consider that the forensic investigator had other
methods and tools which could lead to evidence. By inspecting the redo log
files with the LogMiner tool, the investigator obtained the answer to which
user was behind the user TRON555.

Figure 96. LogMiner detailed report for the creation and permitting
access for the TRON555 user

However, since OPER was a service account, the forensic investigator had to
investigate further to see who enabled the user OPER to create users and
assign them rights in the database, or to delete data from the table. The
report obtained through IBM Guardium answered this question and at the same
time resolved the other request, from Human resources, regarding the deleted
salary data in the NAKNADE_USER table.

(Figure 97 image: report rows listing the client addresses aaa.bbb.gg.hh and aaa.bbb.ii.jj)

Figure 97. Details of the report related to deleting a column in the table


The report shows that the user OPER was created from the computer with IP
address aaa.bbb.gg.hh, on which the OS user MIRZAHAL was logged on, using the
SYS database user. The user OPER was then assigned the rights to delete the
column in the table.
The LogMiner report shows that the same user (OPER) was used to create
another user (TRON555), who deleted the data from the NOVE_USLUGE table.
This scenario illustrates that an attacker will always look for a "weak
point" in systems, programs, equipment or devices. Attackers seek such weak
points in an attempt to hide themselves, and thereby to avoid liability for
the crime committed.
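Cases 3 to 5 all follow the same chain: find the statement that changed the table, walk the CREATE USER and GRANT records back to the account, OS user and host that created the actor, and note whether the actor (or its help tables) was dropped afterwards to cover tracks. The following Python is an added example, not the book's code and not an IBM Guardium or LogMiner API: it runs that walk over constructed, hypothetical audit records in the shape of the reports above (placeholder addresses as in the figures, invented timestamps and statements), and shows how a monitoring exclusion like the one in Case 5 truncates the chain until the redo-log records are merged in.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    ts: str         # timestamp as printed in the report
    db_user: str    # database account the session authenticated as
    os_user: str    # OS account on the client host
    client_ip: str  # client address (placeholders, as in the book's figures)
    sql: str        # captured statement
    source: str     # "guardium" (activity monitor) or "logminer" (redo log)


CREATE_USER = re.compile(r"^\s*CREATE\s+USER\s+(\w+)", re.I)
GRANT_TO = re.compile(r"^\s*GRANT\s+.+?\s+TO\s+(\w+)", re.I)
DROP_USER = re.compile(r"^\s*DROP\s+USER\s+(\w+)", re.I)
TABLE_OP = re.compile(r"^\s*(?:DELETE\s+FROM|UPDATE|INSERT\s+INTO|ALTER\s+TABLE|DROP\s+TABLE|TRUNCATE\s+TABLE)\s+(\w+)", re.I)
# Case 4 "help table" pattern: CREATE TABLE copy AS SELECT ... FROM sensitive_table
CTAS = re.compile(r"^\s*CREATE\s+TABLE\s+\w+\s+AS\s+SELECT\b.*?\bFROM\s+(\w+)", re.I | re.S)

# Constructed sample records (hypothetical, not the book's figures), modelled on Case 5:
# the service account OPER is excluded from Guardium monitoring, so its own statements
# survive only in the redo log read with LogMiner.
GUARDIUM = [
    AuditEvent("2019-03-01 08:10", "SYS", "MIRZAHAL", "aaa.bbb.gg.hh", "CREATE USER OPER IDENTIFIED BY secret", "guardium"),
    AuditEvent("2019-03-01 08:11", "SYS", "MIRZAHAL", "aaa.bbb.gg.hh", "GRANT DBA TO OPER", "guardium"),
    AuditEvent("2019-03-02 21:40", "TRON555", "oracle", "aaa.bbb.ee.ff", "DELETE FROM NOVE_USLUGE", "guardium"),
]
LOGMINER = [
    AuditEvent("2019-03-01 08:10", "SYS", "MIRZAHAL", "aaa.bbb.gg.hh", "CREATE USER OPER IDENTIFIED BY secret", "logminer"),
    AuditEvent("2019-03-02 21:30", "OPER", "oracle", "aaa.bbb.gg.hh", "CREATE USER TRON555 IDENTIFIED BY secret", "logminer"),
    AuditEvent("2019-03-02 21:31", "OPER", "oracle", "aaa.bbb.gg.hh", "GRANT DELETE ANY TABLE TO TRON555", "logminer"),
    AuditEvent("2019-03-02 21:40", "TRON555", "oracle", "aaa.bbb.ee.ff", "DELETE FROM NOVE_USLUGE", "logminer"),
    AuditEvent("2019-03-02 21:45", "OPER", "oracle", "aaa.bbb.gg.hh", "ALTER TABLE NAKNADE_USER DROP COLUMN PLATA", "logminer"),
    AuditEvent("2019-03-02 21:50", "OPER", "oracle", "aaa.bbb.gg.hh", "DROP USER TRON555", "logminer"),
]


def target(regex, sql):
    """Upper-cased capture group of `regex` if the statement matches, else None."""
    m = regex.match(sql)
    return m.group(1).upper() if m else None


def merge(*sources):
    """Union of several audit sources, de-duplicated and ordered by time."""
    seen, out = set(), []
    for ev in sorted((e for s in sources for e in s), key=lambda e: e.ts):
        key = (ev.ts, ev.db_user.upper(), ev.sql.upper())
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def provenance_chain(events, db_user):
    """Walk CREATE USER records back from db_user towards its root creator.

    A hop whose created_by is None means the creation is not in the evidence,
    which is exactly the gap the Guardium exclusion rules leave in Case 5.
    """
    chain, current = [], db_user.upper()
    while len(chain) < 10:
        ev = next((e for e in events if target(CREATE_USER, e.sql) == current), None)
        chain.append({"user": current,
                      "created_by": ev.db_user.upper() if ev else None,
                      "os_user": ev.os_user if ev else None,
                      "client_ip": ev.client_ip if ev else None,
                      "grants": [e.sql for e in events if target(GRANT_TO, e.sql) == current]})
        if ev is None or ev.db_user.upper() == current:
            break
        current = ev.db_user.upper()
    return chain


def investigate(events, table):
    """Who changed `table`, how they obtained their account, and who dropped it."""
    table = table.upper()
    changes = [e for e in events if table in (target(TABLE_OP, e.sql), target(CTAS, e.sql))]
    actors = list(dict.fromkeys(e.db_user.upper() for e in changes))
    dropped = {target(DROP_USER, e.sql): e.db_user.upper() for e in events if target(DROP_USER, e.sql)}
    return {"table": table,
            "changes": [(e.ts, e.db_user, e.os_user, e.client_ip, e.sql, e.source) for e in changes],
            "actors": {a: provenance_chain(events, a) for a in actors},
            "actors_dropped_by": {a: dropped[a] for a in actors if a in dropped}}


if __name__ == "__main__":
    print(investigate(GUARDIUM, "NOVE_USLUGE"))
    print(investigate(merge(GUARDIUM, LOGMINER), "NOVE_USLUGE"))
```

Run on the Guardium records alone, the chain for NOVE_USLUGE stops at TRON555 with an unknown creator, which is the dead end the team hit in Figure 94. Merging the redo-log records extends it to TRON555 -> OPER -> SYS (OS user MIRZAHAL at aaa.bbb.gg.hh) and also records that OPER dropped TRON555 afterwards, the cover-up step from Case 4 and Case 5.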

Summary
Cyber security is a subset of information security which deals with the
security of information stored in digital form and transferred over
communication links. A great part of the information security standards
deals with cyber security issues. Almost daily, media reports reveal cyber
security incidents. From the historical analysis we can conclude that
incidents of this type will increase, especially as more services and users
rely on digital technology in their everyday work and life.

Knowledge acquired
Forensic data recovery of files on a PC; forensic data recovery of Viber,
voice call, SMS and Coco data on an Android mobile phone; database forensics
related to user complaints about high bills, salary data leakage, and data
deletion.

Review questions
1. How can an attacker hide their wrongdoings?
2. Where are application databases located on an Android mobile phone?

Further readings
- Digital transformation: online guide to digital business transformation,
  https://www.i-scoop.eu/digital-transformation/
- The Cyber Security Management System: A Conceptual Mapping, SANS Institute
  InfoSec Reading Room,
  https://www.sans.org/reading-room/whitepapers/basics/cybersecurity-management-system-conceptual-mapping-591

Video resources
- The case of the stolen exams, https://www.youtube.com/watch?v=1BVG6cmPlPk
- Digital Forensics – Famous Cases, https://www.youtube.com/watch?v=gPuugbpLOeI

6. Conclusions

Chapter abstract
Chapter goals: To summarise the book's goals and review the knowledge gained.
Cybercrime differs in many ways from conventional crime in the physical
world, and it presents many challenges for law enforcement and for the
organisations that are its victims. The offences themselves are not so
different in cyber and physical space; however, in cyberspace there is far
more data, and far more ways in which criminals can hide it. Performing a
digital forensic investigation is also more challenging because the relevant
data may reside in volatile or non-volatile memory. Another challenge is that
criminals do not respect boundaries, while boundaries between countries'
jurisdictions exist.
Digital forensics is still developing and is constantly being upgraded with
the latest scientific advancements and new practices. Technological progress
must be matched by readiness to face new challenges in the form of crime
techniques in cyberspace.
Additional professional, legal and scientific effort has to be invested to
improve the existing practices for combating cyber criminals. It is a
professional duty to support activities and develop techniques and
infrastructures to fight the misuse of cyber resources.


This book presents a range of free digital forensic tools which students can
use as a guide to develop and practise their skills.
We presented several simulated digital forensic investigation cases with
documented evidence and steps which can be followed in similar situations.
Furthermore, expert witnesses can present evidence from real digital forensic
cases in court by following the steps and using the tools presented in this
book, or similar procedures and tools accepted in local and international
jurisdictions.
Finally, the digital forensic investigator must continuously update their
knowledge of cases, tools, best practices and technology. Technology develops
very fast, so some of the tools presented in this book might already be
outdated, which is why reading and lifelong learning are essential for
successfully combating cyber-crime.


Appendix – Consent Form

I, _______________________________ (name and surname), (DOB ____/____/____),
hereby authorize ______________________________________________, an
__________________________________________________ (function title), to take
custody of and analyse the items detailed below for evidence. I understand
that copies of the contents of the items, including all files and data, may
be made and retained for the analysis. I also understand that the analysis of
the copies of the media may continue even after the items designated for
analysis are returned. I give my consent to this analysis freely, willingly
and voluntarily, and with the knowledge that I have the right to refuse
consent. I give my consent without fear, threat, coercion, or promise of any
kind.

Device: ______________________________
Serial number: ______________________________
Additional owner/user details: ______________________________

Owner's printed name: ____________________   Signature: ____________________
Witness' printed name: ____________________   Signature: ____________________
Witness' printed name: ____________________   Signature: ____________________


Appendix – Incident response form

General data about incident
[ ] System under attack
[ ] Incident investigation in progress
[ ] Incident closed

Required assistance: _________________________________________
Which data, service, project is under an impact:
__________________________________________________________
__________________________________________________________

Type of incident
[ ] Malicious software
[ ] DoS/DDoS attacks
[ ] Unauthorized access
[ ] Leakage of data and information in public

Date and time of the incident: _____________________________________
Brief summary:
__________________________________________________________
__________________________________________________________
__________________________________________________________

Details for malicious software:
Source (mail, web page, mobile memory such as USB):
____________________________________________________
Type (virus, Trojan, worm, spyware, other):
__________________________________________________________
__________________________________________________________

DoS / DDoS attack
Attack source:
__________________________________________________________
Service attacked (OS version, IP address):
__________________________________________________________
Type of DoS / DDoS traffic:
__________________________________________________________

Details for an unauthorized access:
__________________________________________________________
__________________________________________________________

Leakage of data and information in public:
__________________________________________________________
__________________________________________________________

Appendix – Digital forensic process

List of Figures

Figure 1. Word “Forensic” explanation (google, 2018) ......................................2
Figure 2. Digital and Computer forensic realm ...................................................6
Figure 3. Computer forensic................................................................................9
Figure 4. Network forensics ..............................................................................10
Figure 4. Forensic analysis goals to detect – who, what, when, where .............12
Figure 5. Incident response plan (Banking and Insurance, 2017) .....................13
Figure 6. Digital and Cyber forensic types........................................................18
Figure 7. Steps in the Digital Forensic Investigation Process ...........................28
Figure 8. Application analysis ...........................................................................35
Figure 9. Sample_file.txt content ......................................................................43
Figure 10. Creating concealed message in sample_file1.txt content .................44
Figure 11. Creating concealed message in sample_file1.txt content .................44
Figure 12. Reading concealed message in sample_file1.txt content .................45
Figure 13. File sizes comparison .......................................................................46
Figure 14. Hard disk docking station (Renkforce, 2019) ..................................50
Figure 15. Memory card docking station (Logilink, 2019) ...............................51
Figure 16. Portable Computer Forensic Lab Road MASSter 2, 2019 ...............52
Figure 17. Disk Genius......................................................................................53
Figure 18. Calculating Hash Value ...................................................................54
Figure 19. Q Capture program works with LogMiner to retrieve changed data (IBM Knowledge Center, 2013) .........55
Figure 20. View all transactions for user, Nanda A., 2019 ..............................56
Figure 21. LogMiner results, Nanda A., 2019...................................................56
Figure 22. LogMiner results, Nanda A., 2019...................................................57
Figure 23. IBM Guardium (2019) Navigation Overview ..................................57
Figure 24. IBM Guardium (2019) Out of the box creation ...............................58
Figure 25. DB Browser for SQLite ...................................................................59
Figure 26. FTP connection ................................................................................61
Figure 27. Captured FTP connection with Wireshark .......................................61
Figure 28. NIKSUN NetDetector, 2019 ............................................................62
Figure 29. Xplico (2019) ...................................................................................63
Figure 30. Kingo Android Root ........................................................................64
Figure 31. Santoku Linux ..................................................................................65
Figure 32. Santoku Linux Download ................................................................65
Figure 33. AFLogical OSE................................................................................67
Figure 34. Autopsy Main Operations Screen ....................................................68
Figure 35. Type of Data Source ........................69
Figure 36. Autopsy Ingest Module ....................................................................71
Figure 37. Android Analyzer.............................................................................72
Figure 38. Access to Imaged Partitions .............................................................73
Figure 39. Timeline – View Counts ..................................................................74
Figure 40. Filter Events Categories ...................................................................75
Figure 41. Timeline - View Details ...................................................................75
Figure 42. Report Formats ................................................................................76
Figure 43. Report - Case Summary ...................................................................77
Figure 44. Report - Tagged Images ...................................................................77
Figure 45. Disk Genius access to the investigated hard disk ............................82
Figure 46. Disk Genius data copy .....................................................................83
Figure 47. ADB Driver Verified; Android Device Connected..........................87
Figure 48. Android Device Connected ..............................................................87
Figure 49. Successful Communication to Mobile Device over ADB ...............88
Figure 50. Lenovo Rooting Start .......................................................................89
Figure 51. Device Status During Rooting Process ............................................90
Figure 52. Lenovo Moto Smart Assistant Device Status ..................................91
Figure 53. Sideloading BusyBox Over ADB ....................................................92
Figure 54. Starting Busybox..............................................................................92
Figure 55. Testing Busybox Tool Sha1sum ......................................................93
Figure 56. Android Block Names......................................................................94
Figure 57. Android Partition Names and Blocks...............................................95
Figure 58. Starting AFLogical OSE acquisition................................................96
Figure 59. Device Capture Options ...................................................................96
Figure 60. AFLogical OSE Data Extraction and Transfer ................................97
Figure 61. Acquired Data in Remote Folder .....................................................97
Figure 62. An integrity of the evidence image file ............................................99
Figure 63. Calculating Hash Value of the Evidence Image ............................100
Figure 64. Files Containing Acquired Data.....................................................101
Figure 65. Content of SMS File ......................................................................101
Figure 66. Content of CallLog Calls File ........................................................101
Figure 67. Autopsy Mounted Partition from the Evidence Image ..................103
Figure 68. Viber Database Location and Metadata .........................................104
Figure 69. Viber Database Structure ...............................................................105
Figure 70. Retrieve Data About Message from Table Messages ....................106
Figure 71. Retrieve Data About Calls from Table Messages_Calls ................107
Figure 72. Viber Database Records .................................................................107
Figure 73. Recovered Deleted Picture .............................................................108
Figure 74. Recovered Deleted Picture Metadata .............................................109
Figure 75. MMSSMS Database Structure .......................................................110
Figure 76. Retrieve Data about Calls from Table SMS...................................111
Figure 77. Recovered Deleted Database Record .............................................112
Figure 78. Contact2 Database Structure ..........................................................113
Figure 79. Retrieve Data About Calls from Table Calls .................114
Figure 80. 59317329_coco Database Structure ...............................................115
Figure 81. Retrieve Data about Chat Message from Table Content ................116
Figure 82. Recovered Evidence Message from Deleted Database Record .....116
Figure 83. Retrieve Data about the Message from Table Content ..................117
Figure 84. Report Summary ............................................................................119
Figure 85. Report of the Evidence Tagged Files and Locations .....................119
Figure 86. IBM Guardium report for the customer complaints.......................120
Figure 87. IP resolution ...................................................................................121
Figure 88. Report from IBM Guardium shows ATTACKER creator .............121
Figure 89. IP address, username, and SQL command .....................................122
Figure 90. IP Address name resolution ...........................................................123
Figure 91. View detailed POM_2015 user-related activities ..........................123
Figure 92. Details of the report about the creation of the user POM_2015 and granted access rights ........................124
Figure 93. A forensic report related to deleted data in the table .....................125
Figure 94. Report on details of creation and assignment of privileges for the user TRON555 ........................125
Figure 95. View exception rules for users who are not treated through IBM Guardium.........................126
Figure 96. LogMiner Detailed report for the creation and permitting access for the TRON555 user ..........................127
Figure 97. Details of the report related to deleting a column in the table .......127

List of Tables

TABLE 1. Audit vs. Digital forensic investigation .................................................. 7
TABLE 2. Reporting Person 1 Data ......................................................................... 85
TABLE 3. Reporting Person 2 Data ......................................................................... 85
TABLE 4. Overview of Logically Acquired Data for Reporting Person 1 ........ 102
TABLE 5. Overview of Logically Acquired Data for Reporting Person 2 ........ 102
TABLE 6. Collected Data about Applications in Investigation Scope .............. 103
TABLE 7. Viber Message and Call Investigation ................................................. 104
TABLE 8. SMS Message Investigation .................................................................. 109
TABLE 9. GSM Voice Call Investigation............................................................... 112
TABLE 10. Coco Message Investigation ............................................................... 114
TABLE 11. Quantitative Data about Found Evidence ....................................... 117

Acronyms

ACK Acknowledgement
CERT Computer Emergency Response Team
CISA Certified Information Systems Auditor
CISM Certified Information Security Manager
CISP Certified Information Security Professional
CISO Chief Information Security Officer
CISWG Corporate Information Security Workgroup
CSO Chief Security Officer
DMZ Demilitarised zone
DoS Denial of Service
DDoS Distributed Denial of Service
DML Data Manipulation Language
FTP File Transfer Protocol
HTTP Hyper Text Transfer Protocol
IA Internal Auditor
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IPX Internetwork Packet Exchange
ISACA Information Systems Audit and Control Association
ISM Information Security Manager
ISMS Information Security Management System
ISO International Organization for Standardization
ISSEA International Systems Security Engineering Association
IT Information Technology
KPI Key Performance Indicator
LAN Local Area Network
MIB Management Information Base
NIST National Institute of Standards &amp; Technology
NMS Network Management Station
OID Object identifier
OSI Open Systems Interconnection
PDCA Plan Do Check Act
QoS Quality of Service
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SQL Structured Query Language
SYN Synchronize
TCP Transmission Control Protocol
UDP User Datagram Protocol
UPS Uninterruptible Power Supply
VPN Virtual Private Network
WAN Wide Area Network


References

AccessData. (2006). White paper: MD5 collision – The effect on Computer Forensics. Available from: https://ad-pdf.s3.amazonaws.com/papers/wp.MD5_Collisions.en_us.pdf
Afonin, O. &amp; Gubanov, Y. (2013, May 28). Catching the Ghost: How to Discover Ephemeral Evidence through Live RAM Analysis. Forensic Magazine. Available from: http://www.forensicmag.com/article/2013/05/catching-ghost-howdiscover-ephemeral-evidence-through-live-ram-analysis
Appazov, A. (2014). Legal Aspects of Cybersecurity. Faculty of Law, University of Copenhagen. Retrieved from: http://justitsministeriet.dk/sites/default/files/media/Arbejdsomraader/Forskning/Forskningspuljen/Legal_Aspects_of_Cybersecurity.pdf
Android. (2017). Application Security. Available from https://source.android.com/security/overview/app-security, accessed 25.9.2017
Android. (2017). Platform Architecture. Available from https://developer.android.com/guide/platform/index.html#art, accessed 23.12.2017
Ayers, R., Brothers, S. and Jansen, W. (2014). Guidelines on Mobile Device Forensics, NIST Special Publication 800-101. Available from http://dx.doi.org/10.6028/NIST.SP.800-101r1, 20.12.2017 [Accessed on 12.01.2019]
Banking and Insurance (2017). Available from: http://en.finance.siapartners.com/20171211/cyber-incident-response-how-strong-yourincident-response-plan [Accessed on 20.01.2019]
Boccaccini, M.T. (2002). What Do We Really Know about Witness Preparation? Behav. Sci. Law 20: 161–189. DOI: 10.1002/bsl.472
Burnette, Michael W. "Forensic Examination of a RIM (BlackBerry) Wireless Device." June 2002. Available from: http://www.rhlaw.com/ediscovery/Blackberry.pdf (accessed 11.1.2018)
Catts, E.P. &amp; Goff, M.L. (1992). Forensic entomology in criminal investigations. Annu. Rev. Entomol. Vol. 37: 253-272. DOI: 10.1146/annurev.en.37.010192.001345
Carrier, B. and Spafford, E. (2004). An Event-Based Digital Forensic Investigation Framework, The Digital Forensic Research Conference, p. 23. Available from: https://www.dfrws.org/sites/default/files/session-files/paper-an_eventbased_digital_forensic_investigation_framework.pdf [Accessed on 20.01.2019]
Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (3rd ed.). Elsevier Inc. Available from: http://booksite.elsevier.com/samplechapters/9780123742681/Front_Matter.pdf 309 [Accessed on 11.02.2019]
Cellebrite (2017). Cellebrite's Universal Forensic Extraction Device (UFED). Available from https://www.cellebrite.com/en/home/ (accessed 21.1.2018)
Cosic, J., Cosic, Z., &amp; Baca, M. (2011). An ontological approach to study and manage digital chain of custody of digital evidence. Journal of Information and Organizational Sciences, 35(1): 1-13
Chow, K.P. &amp; Shenoi, S. (2010, January). Advances in Digital Forensics VI. Sixth IFIP WG 11.9 International Conference on Digital Forensics.
Cho, W. K. T., &amp; Gaines, B. J. (2007). Breaking the (Benford) Law: Statistical Fraud Detection in Campaign Finance. The American Statistician, 61(3), 218-223.
Criminal Justice Degree Schools (2019). Available at: https://www.criminaljusticedegreeschools.com/criminal-justicedegrees/computer-forensic-degree/ [Accessed on 20.02.2019]
Crime Museum (2019). Edmond Locard. Available at: https://www.crimemuseum.org/crime-library/forensicinvestigation/edmond-locard/ [Accessed on 20.02.2019]
Data, Merriam-Webster (2019). Available at: https://www.merriam-webster.com/dictionary/data [Accessed on 02.07.2019]
Desertcart (2018). Palm V Hand held PDA. Available from https://www.desertcart.ae/products/15557437-palm-v-hand-held-pda htm [Accessed on 20.01.2019]
Diekmann, A. (2012). Making Use of "Benford's Law" for the Randomized Response Technique. Sociological Methods &amp; Research, DOI: 10.1177/0049124112452525. Available from https://www.researchgate.net/profile/Andreas_Diekmann2/publication/269815391_Making_Use_of_Benford%27s_Law_for_the_Randomized_Response_Technique/links/553bae070cf245bdd766705f.pdf [Accessed on 20.01.2019]
DFRWS (2001). A Road Map for Digital Forensic Research. Available from: http://dfrws.org/sites/default/files/session-files/a_road_map_for_digital_forensic_research.pdf [Accessed on 02.02.2019]
Edson, J. (2011, July 25). A Brief History of Forensic Science. Australia's Science Channel. Available from: http://riaus.org.au/articles/a-briefhistory-of-forensic-science/ [Accessed on 20.12.2018]
Forensic, Merriam-Webster (2018). Available at: https://www.merriamwebster.com/dictionary/forensic [Accessed on 20.12.2018]
Forensics and Benford's Law (2018). Event Log Explorer. https://eventlogxp.com/blog/forensics-and-benfords-law/ accessed 20.1.2018
Gadgeter (2018). RIM BlackBerry 950 Review. Available from https://thegadgeteer.com/2001/02/26/rim_blackberry_950_review/ accessed 10.1.2018
Google (2018). Etymology of word Forensic. Available at: https://www.google.ba/search?rlz=1C1AVNC_enBA595BA595&amp;q=forensic+etymology&amp;spell=1&amp;sa=X&amp;ved=0ahUKEwi9offs6qPeAhVECyw
KHaDMCM8QBQgnKAA&amp;biw=1366&amp;bih=657

[Accessed

on

26.10.2018]
Grand, J. (2002) pdd: Memory Imaging and Forensic Analysis of Palm
OS
Devices,
https://www.researchgate.net/publication/2490864_pdd_Memory_Imagi
ng_and_Forensic_Analysis_of_Palm_OS_Devices (accessed 20.1.2018)
History of Fingerprints, (2018) Crime Scene Forensic, LLC, Available at:
http://www.crimescene-forensic.com/History_of_Fingerprints.html
[Accessed on 01.11.2018]
IBM Guardium, (2019) IBM Guardium Data Protection for Databases,
Available at: https://www.ibm.com/us-en/marketplace/ibm-guardiumdata-protection [Accessed on 01.11.2018]
IBM Knowledge Center, 2013 How a Q Capture program works with the
Oracle LogMiner utilit, Available at:
https://www.ibm.com/support/knowledgecenter/SSTRGZ_10.2.0/com.ib
m.swg.im.iis.repl.qrepl.doc/topics/iiyrqcapclogminercnc_ep.html
[Accessed on 15.11.2018]

149

�IDC. (2017), Smartphone OS Market Share, 2017 Q1, Available at:
https://www.idc.com/promo/smartphone-market-share/os

accessed

5.12.2017
IIA, 2019, Institute of Internal Auditors, 2019, Definition of Internal
Auditing,

2019,

Available

at:

https://na.theiia.org/standards-

guidance/mandatory-guidance/pages/definition-of-internal-auditing.aspx
[Accessed on 20.01.2019]
IOCE. (1999). IOCE Principe &amp; Definitions.
Available from: https://archives.fbi.gov/archives/about-us/lab/forensicscience-communications/fsc/april2000/swgde.htm

[Accessed

on

20.01.2019]
Information,

Merriam-Webster

2019,

Available

from:

https://www.merriam-webster.com/dictionary/information [Accessed on
20.05.2019]
Information system, Britanica, 2019, Information system, an integrated
set of components for collecting, storing, and processing data and for
providing information, knowledge, and digital products, 2019 Available
from: https://www.britannica.com/topic/information-system [Accessed
on 20.01.2019]
Information technology, Merriam-Webster, 2018, Available from:
https://www.merriam-

150

�webster.com/dictionary/information%20technology,

[Accessed

on

20.01.2018]
Infosec

Institute.

(2017),

Computer

Forensics

Salary

Data,

http://resources.infosecinstitute.com/category/computerforensics/introdu
ction/computer-forensics-salary-data/#gref accessed 19.12.2017
Kaur, R. &amp; Kaur, A. (2012). Digital Forensics. International Journal of
Computer

Application

(0975-8887),

50(5),

2-4.

Available

at:

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7882&amp;rep
=rep1&amp;type=pdf [Accessed on 20.01.2019]
International

Telecommunication

Union.

(2014).

Understanding

cybercrime: phenomena, challenges and legal response. Report.
Available

from:

http://www.itu.int/en/ITU-

D/Cybersecurity/Documents/cybercrime2014.pdf

[Accessed

on

20.01.2019]
Kremic E.; Subasi A.; Hajdarevic K., Face recognition implementation for
client server mobile application using PCA, Proceedings of the ITI 2012
34th International Conference on Information Technology Interfaces,
Year: 2012 Page s: 435 – 440
Law

Enforcement

Cyber

Center

(2017),

Available

http://www.iacpcybercenter.org/officers/digital-evidence/

at:

accessed

15.12.2017

151

�Lee, K. Lee, Y. Lee, H. and Yim, K. (2016), A Brief Review on JTAG
Security, 2016 10th International Conference on Innovative Mobile and
Internet Services in Ubiquitous Computing DOI 10.1109/IMIS.2016.102
Levin. J, (2015), Android Internals: Power User's View (1st edition),
Cambridge: Technologeeks.com
Litchfield D., Oracle Forensic Part 1: Dissecting the Redo Logs, An
NGSSoftware Insight Security Research (NISR) Publication ©2007 Next
Generation Security Software Ltd.
Logilink,2019,

Available

at:

http://www.logilink.eu/media/images/produkt/_800/CR0012.png
[Accessed on 20.11.2018]
Lynch, V.A. &amp; Duval J.B. (2011). Forensic Nursing Science (2nd ed.).
Elsevier Mosby p2
Marcella A. J.

and Menendez D. Cyber Forensic, Second Edition,

Auerbach Publication, 2008
Massachusetts Digital Evidence Consortium, 2015, Digital Evidence
Guide for First Responders,
Available

from:

http://www.iacpcybercenter.org/wp-

content/uploads/2015/04/digitalevidence-booklet-051215.pdf [Accessed
on 20.11.2018]

152

�Nanda A., 2019 Transaction Management with LogMiner and Flashback
Data Archive, Available from: http://www.oracle.com/us/solutions/11gtransactionmanagement-092065.html [Accessed on 20.11.2018]
Nanda A. and Burleson D.K., Oracle Privacy Security Auditing, Rampant
Techpress, 2003
National Institute of Justice. (2004). Forensic Examination of Digital
Evidence:

A

Guide

for

Law

Enforcement.

Available

from:

https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
Nelson, B., Phillips A., &amp; Steuart C. (2015). Guide to Computer Forensics
and Investigations (5th ed.). Course Technology. Available from:
https://books.google.ba/books?id=PUh9AwAAQBAJ&amp;pg=PA137&amp;dq=
what+is+digital+evidence+SWGDE&amp;hl=en&amp;sa=X&amp;ved=0ahUKEwii87
LhrqnRAhUCVhQKHTsIAb4Q6AEIMTAB#v=onepage&amp;q&amp;f=false
NIST. (2004). Digital Data Acquisition Tool Specification, Public Review
of Version 4.0. Available from: http://www.cftt.nist.gov/Pub-Draft-1DDA-Require.pdf
NIKSUN NetDetector, 2018 Available at:
https://www.phoenixdatacom.com/product/niksun-netdetector-packetcapture-network-security-forensics/ [Accessed on 20.12.2018]
Open University, 2018, Different types of digital forensic, Available at:
https://www.open.edu/openlearn/science-maths-technology/digitalforensic/content-section-4.3, [Accessed on 20.12.2018]
153

�(Oracle, pp. 79) Database Administrator's Guide, Available at:
https://docs.oracle.com/cd/B28359_01/server.111/b28310/onlineredo001
.htm#ADMIN11302 [Accessed on 15.02.2019]
Oracle

Fine

Grained

Auditing,

Available

at:

https://www.oracle.com/technetwork/database/security/index083815.html2019 [Accessed on 18.02.2019]
Oracle

DBA_FGA_AUDIT_TRAIL

Available

at:

https://docs.oracle.com/cd/B19306_01/server.102/b14237/statviews_311
5.htm#REFRN23075 [Accessed on 18.02.2019]
Oracle

LogMiner,

2019,

Available

at:

https://www.oracle.com/technetwork/database/features/availability/logm
ineroverview-088844.html, [Accessed on 25.03.2019]
Pollit, M. (2017, January 15). A history of digital forensics. Available
from:
https://pdfs.semanticscholar.org/0d15/132439fc1de82724dd06effff5a782
eefeac.pdf
Recombu.

(2017),

Android

updates,

Available

from

https://recombu.com/mobile/article/what-is-android-and-what-is-anandroid-phone_M12615.html , accessed 25.09.2017
Renkforce, 2019 Available at: https://www.conrad.com/p/renkforce-rfdocking-06-usb-30-esata-sata-4-ports-hdd-docking-station-1305502
[Accessed on, 14.03.2019]
154

�Road

MASSter

2,

2019

Available

at:

http://dfrt.blogspot.com/2007/01/forensic-tools-hardware.html [Accessed
on, 01.03.2019]
Roy, NR. Khanna, AK. Aneja, L (2016), Android Phone Forensic: Tools
and Techniques International Conference on Computing, Communication
and

Automation

(ICCCA2016)

Available

from

http://ieeexplore.ieee.org/document/7813792/
Ryder, K. (2002). Computer Forensics – We’ve Had an Incident, Who Do
We Get to Investigate? SANS Institute InfoSec Reading Room. Available
from:

https://www.sans.org/reading-

room/whitepapers/incident/computer-forensics-weve-incidentinvestigate-652
ShareTechnote.

(2017),

Android

ADB,

Available

from

http://www.sharetechnote.com/html/Android/Android_ADB.html
accessed 25.9.2017
Sapir, G.I. (2007, January 2). Qualifying the Expert Witness: A Practical
Voir
Dire.
Forensic
magazine.
Available
from:
http://www.forensicmag.com/article/2007/01/qualifying-expert-witnesspractical-voir-dire

Singh, N and, Bansal, R. (2015), Analysis of Benford’s Law in Digital
Image Forensics, Signal Processing and Communication (ICSC), 2015
International Conference
155

�Sophos. (2018), 2018 Malware Forecast: ransomware hits hard,
continues to evolve, Available from https://news.sophos.com/enus/2017/11/02/2018-malware-forecast-ransomware-hits-hard-crossesplatforms/ accessed 6.1.2018
Smith, W. (1867). Dictionary of Greek and Roman Biography and
Mythology Vol 1. Boston: Little Brown and Company p209

SNOW,

2019,

The

SNOW

Home

Page,

Available

at:

http://www.darkside.com.au/snow/ [Accessed on, 14.03.2019]
Startribune. (2018), Minnesota detectives crack the case with digital
forensics, Available from http://www.startribune.com/when-teens-wentmissing-digital-forensics-cracked-case/278132541/ accessed 10.1.2018
SWGDE, (2013) Best Practices for Computer Forensic, Scientific
Working Group on Digital Evidence, Version: 3.0 (September 14, 2013)
Available

at:

https://www.swgde.org/documents/Archived%20Documents/SWGDE%
20Best%20Practices%20for%20Computer%20Forensic%20v3-0,
[Accessed on, 29.10.2018]
UNODC. (2013). Comprehensive Study on Cybercrime. Available from:
https://www.unodc.org/documents/organizedcrime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.
pdf
156

�UNODC. (2013). Comprehensive Study on Cybercrime. (V.13-80699)
Vienna: United nations office on drugs and crime

UN. (2000). Tenth United Nations Congress on the Prevention of Crime
and the Treatment of Offenders. (A/CONF.187/10). Available from:
https://www.asc41.com/UN_Congress/10th%20UN%20Congress%20on
%20the%20Prevention%20of%20Crime/013%20ACONF.187.10%20Cr
imes%20Related%20to%20Computer%20Networks.pdf
Vandeven, S. (2014). Forensic Images: For Your Viewing Pleasure. SANS
Institute

InfoSec

Reading

Room.

Available

from:

https://www.sans.org/reading-room/whitepapers/forensics/forensicimages-viewing-pleasure-35447 [Accessed on, 15.01.2019]
Xplico

(2019)

Available

at:

http://www.xplico.org/wp-

content/uploads/2008/11/xwi_email.png [Accessed on, 29.01.2019]
Whitecomb, C.M. (2002). An Historical Perspective of Digital Evidence:
A Forensic Scientist’s View. International Journal of Digital Evidence
1(1),1-3
Watson, D.A., Jones, A. (2013). Digital Forensics Processing and
Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO
27001 and Best Practice Requirements (1st ed.). London: Elsevier /
Syngress.
Wiley Carol, What Is the Difference Between Computer Forensic &amp;
Digital Forensic? Available at: https://careertrend.com/facts-6733855157

�difference-computer-forensic-digital-forensic-.html

[Accessed

on,

29.01.2019]
Williams A., Leaving a trace: Forensic science through history, BBC,
Available

at:

https://www.bbc.com/timelines/zcq2xnb#zgsg4wx,

[Accessed on, 29.10.2018]
Witte

de

With,

2019

https://www.wdw.nl/en/participants/rodolphe_archibald_reiss [Accessed
on, 29.10.2018]
Wright, Paul M. “Oracle forensic” Oracle security best practice, Rampant
Techpress; May 2007.
Yeatts, T. (2001) Forensics: Solving the Crime, Available from:
http://connection.ebscohost.com/c/articles/15721149/chapter-one-jamesmarsh-toxicology

158


About authors
Kemal Hajdarevic PhD, received B.Sc. from the Faculty of Electrical Engineering, University of Sarajevo, Bosnia and Herzegovina, and M.Sc. and PhD from Leeds Metropolitan University/Leeds Beckett University, Leeds, UK. He is currently working at the Central Bank of Bosnia and Herzegovina as a Senior Internal Auditor for Information Security and IT projects, and he has a teaching position at the Faculty of Electrical Engineering, University of Sarajevo.
Nermin Ziga MSc, received MSc from International Burch University. Nermin is an employee of Raiffeisen Bank, where he works as an Information Security Officer within Raiffeisen Bank’s Security Department.
Mirza Halilovic MSc, received MSc and BSc from the Faculty of Electrical Engineering, University of Sarajevo. Mirza is the Head of the IT department for monitoring, security, and data protection at BH Telecom d.d. Sarajevo.


Dr. Hamid Jahankhani: The area of “Digital Forensics” and its challenges is clearly one of the key issues facing the scientific community, industries and other users alike. Clearly understanding digital forensics in a step-by-step format would help practitioners in this fast-paced era of technology development. I welcome this new book on "Digital Forensics Essentials", which also aims to address some of the emerging issues. Looking at the table of contents, there are clearly a number of interesting areas of research, and hence this book will undoubtedly help researchers and practitioners alike. In my opinion the scope and coverage of this book adequately represent a balanced review of the digital forensics subject. I feel the primary audience for this book would be researchers, practitioners, PhD and postgraduate students.
I highly recommend this book.
Dr. Jasmin Azemovic: We are facing turbulent events in cyberspace, and digital forensics is one of the dominant research topics, which is continuously being updated with the latest scientific advancements. Innovations in the digital revolution are evident, and this book will help to face new challenges in the digital era with the goal of fighting crime in cyberspace committed with, and against, digital infrastructures.
Dr. Colin Pattinson: History has shown that, whenever a powerful new technology is developed, the desire to misuse that power soon follows. The field of computer network technology is no exception. Indeed IT misuse, whatever the underlying motivation, must be one of the most frequent forms of unwanted activity there is.
The ability to determine that an event has taken place, to learn from it and - hopefully - to prevent it occurring again is a prime motivation for a forensic analysis. Understanding whether any losses have occurred, and building a legally sustainable case against the perpetrators, requires even higher levels of information gathering and retention. It is therefore important that the skills and knowledge necessary to conduct such analysis are available to organisations when needed.
This book provides a grounding in the tools and techniques necessary to investigate a range of attacks, showing the importance of a structured, logical and methodical approach.
It is recommended for graduate students and those specialising in IT forensics.
</text>
                  </elementText>
                </elementTextContainer>
              </element>
            </elementContainer>
          </elementSet>
        </elementSetContainer>
      </file>
    </fileContainer>
    <collection collectionId="4">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26318">
                  <text>BOOKS</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26311">
                <text>Essentials of Digital Forensics </text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26312">
                <text>Kemal Hajdarević, Nermin Ziga and Mirza Halilovic</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26313">
                <text>Information available on the Internet Live Stats web site (www.internetlivestats.com) shows that 40 percent of the world’s population is using the Internet. Media almost daily report on different cyber and digital security incidents. Many more similar incidents have never been reported, or they have been reported years after they occurred, because they could have jeopardised ongoing law enforcement investigations or because they could have been embarrassing and thus negatively affected the reputation of the victim – an organisation or a person.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26314">
                <text>digital forensics</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26315">
                <text>International Burch University</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="40">
            <name>Date</name>
            <description>A point or period of time associated with an event in the lifecycle of the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26316">
                <text>July, 2019</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3446" public="1" featured="1">
    <fileContainer>
      <file fileId="4248">
        <src>https://omeka.ibu.edu.ba/files/original/b35517f5a6b3b1b5430cbd3beb65665b.docx</src>
        <authentication>3d88bd71483956752150c8fc8f575fa4</authentication>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on behalf of the Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor, and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with preference for empirical research, critical approaches and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26305">
                <text>THE RETURN OF THE MODERN&#13;
</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26306">
                <text>LUKA KORLAET </text>
              </elementText>
              <elementText elementTextId="26307">
                <text>SVEBOR ANDREJEVIC</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26308">
                <text>The second half of the nineties and the twenties were the building Eldorado: bank loans were handed out without any delay to entrepreneurs and apartment buyers. A lot was built, and very uncertainly. Speaking of Zagreb, the slopes of Medvenice were especially attractive. That space was built up with numerous urban villas, the small multi-storey buildings, whose investors and architects were led by exploitation logic and rarely thought about the quality of floor plans or about the environment between buildings.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26309">
                <text>International Burch University</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26310">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3445" public="1" featured="1">
    <fileContainer>
      <file fileId="4247">
        <src>https://omeka.ibu.edu.ba/files/original/d98c62dc674b330134eb6d0d5eec8c89.docx</src>
        <authentication>b7b81d52bcb066ce1b2d555ea001830b</authentication>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on behalf of the Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with a preference for empirical research, a critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26297">
                <text>Communication in Smart Homes with Emphasis on Power Line Communication</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26298">
                <text>Ina Salihović</text>
              </elementText>
              <elementText elementTextId="26299">
                <text>Esma Musić</text>
              </elementText>
              <elementText elementTextId="26300">
                <text>Dejan Jokić</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26301">
                <text>Abstract: Power Line Communication (PLC) is a technology that allows consumers to use the already existing wiring infrastructure to exchange information. This paper overviews narrowband PLC in home automation, starting from the basics of power line communication and its advantages compared to wired and Wi-Fi automation systems, data modulation techniques, noise problems, frequency bands, all the way to regulations affecting PLC. The paper is finished off with an overview of three System on Chip (SoC) power line modems from a few different generations: Yitran’s IT800D from 2005, ON Semiconductor’s NCN49597 from 2012, and STMicroelectronics’s ST8500 from 2017.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26302">
                <text>Keywords: Power Line Communication, narrowband PLC, PLC modem, System on Chip</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26303">
                <text>International Burch University</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26304">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3444" public="1" featured="1">
    <fileContainer>
      <file fileId="4246">
        <src>https://omeka.ibu.edu.ba/files/original/ced592d00fbb324ea8ec5b8c3f4b59bf.doc</src>
        <authentication>2fed9cf32cceb951fd4ffd11d4bc1b4e</authentication>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on behalf of the Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with a preference for empirical research, a critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26289">
                <text>Review of Traffic Data Analysis for Accident Management</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26290">
                <text>Samir Kurtanovic</text>
              </elementText>
              <elementText elementTextId="26291">
                <text>Nejdet Dogru</text>
              </elementText>
              <elementText elementTextId="26292">
                <text>Zerina Masetic</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26293">
                <text>Abstract - In the past decade, transportation systems have been augmented with information and communication technology to provide innovative services to the participants in traffic. This synergy has resulted in a safer and more optimized transportation network. In the past few decades, newly developed systems in the area of transportation have been collectively called Intelligent Transportation Systems (ITS). ITS can be defined as a holistic control, information and communication upgrade of the classical traffic and transportation system that achieves significantly improved performance, traffic flow, more efficient passenger and goods transport, improved traffic safety, comfort and passenger protection, and reduction of environmental pollution. The interest in ITS comes from problems caused by traffic jams, traffic accidents, environmental concerns, congestion, delays and the synergy of the latest information technology for simulation, real-time control and communication networks. Traffic accident management is one of the main focus fields of ITS due to the severe consequences that accidents have. This paper surveys traffic accident related studies in ITS.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26294">
                <text>Keywords: Intelligent Transportation System, Accident Detection, Traffic Data Analysis, Traffic Flow Modelling, Traffic Monitoring</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26295">
                <text>International Burch University</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26296">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
  <item itemId="3443" public="1" featured="1">
    <fileContainer>
      <file fileId="4245">
        <src>https://omeka.ibu.edu.ba/files/original/2dca31036e8f1444f307dfc65d47b3b8.docx</src>
        <authentication>44ed7242bd6e58db28a43c8ae6198ec6</authentication>
      </file>
    </fileContainer>
    <collection collectionId="3">
      <elementSetContainer>
        <elementSet elementSetId="1">
          <name>Dublin Core</name>
          <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
          <elementContainer>
            <element elementId="50">
              <name>Title</name>
              <description>A name given to the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26245">
                  <text>Journal of Natural Sciences and Engineering</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="43">
              <name>Identifier</name>
              <description>An unambiguous reference to the resource within a given context</description>
              <elementTextContainer>
                <elementText elementTextId="26605">
                  <text>2637-2835</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="98">
              <name>DOI</name>
              <description>Digital object identifier</description>
              <elementTextContainer>
                <elementText elementTextId="26606">
                  <text>10.14706</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="45">
              <name>Publisher</name>
              <description>An entity responsible for making the resource available</description>
              <elementTextContainer>
                <elementText elementTextId="26607">
                  <text>International Burch University</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="41">
              <name>Description</name>
              <description>An account of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26608">
                  <text>Journal of Natural Sciences and Engineering (JONSAE) is a peer-reviewed, biannually published international journal focusing on empirical and theoretical research in all branches of Engineering and Natural Sciences. It is published on behalf of the Faculty of Engineering and Natural Sciences of International Burch University and aims to provide the best content by publishing original research papers, review articles, special issues, feature articles, and book reviews. All manuscript submissions are subject to initial appraisal by the Editor and, if found suitable for further consideration, to peer review by independent, anonymous referees. All peer review is double-blind and submission is online. The journal welcomes theoretical, applied, interdisciplinary and methodological work, with a preference for empirical research, a critical approach and problem-solving methods in manuscripts.</text>
                </elementText>
              </elementTextContainer>
            </element>
            <element elementId="44">
              <name>Language</name>
              <description>A language of the resource</description>
              <elementTextContainer>
                <elementText elementTextId="26609">
                  <text>English</text>
                </elementText>
              </elementTextContainer>
            </element>
          </elementContainer>
        </elementSet>
      </elementSetContainer>
    </collection>
    <elementSetContainer>
      <elementSet elementSetId="1">
        <name>Dublin Core</name>
        <description>The Dublin Core metadata element set is common to all Omeka records, including items, files, and collections. For more information see, http://dublincore.org/documents/dces/.</description>
        <elementContainer>
          <element elementId="50">
            <name>Title</name>
            <description>A name given to the resource</description>
            <elementTextContainer>
              <elementText elementTextId="26281">
                <text>Optimal Network Reconfiguration of the Distribution Network for Minimization of Power Loss and Voltage Deviation using NSGA-II Algorithm</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="96">
            <name>Author</name>
            <description>Author</description>
            <elementTextContainer>
              <elementText elementTextId="26282">
                <text>Lejla Bandić</text>
              </elementText>
              <elementText elementTextId="26283">
                <text>Naida Nalo</text>
              </elementText>
              <elementText elementTextId="26284">
                <text>Jasmin Kevrić</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="94">
            <name>Abstract</name>
            <description>A summary of the resource.</description>
            <elementTextContainer>
              <elementText elementTextId="26285">
                <text>Abstract - For efficient power flow in the distribution system, one of the most important components is accurate loss and voltage deviation minimization. This work gives an insight into the minimization of loss and voltage deviation in the power distribution system by using network reconfiguration. The Non-dominated Sorting Genetic Algorithm II (NSGA-II) has been used as the tool for solving the problem. The power flow is incorporated with the Genetic Algorithm until the best results are obtained. For power flow calculation, the Power System Analysis Toolbox (PSAT) is used, while the whole algorithm was written in MATLAB. The proposed algorithm is tested on a real 10 kV distribution network, Gracanica. The results obtained show that the presented methodology can be efficiently applied to reconfigure distribution networks and select the optimal distribution network topology in order to achieve savings in power losses and improve the voltage profile.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="97">
            <name>Keywords</name>
            <description>Keywords.</description>
            <elementTextContainer>
              <elementText elementTextId="26286">
                <text>Keywords - Non-dominated sorting genetic algorithm II (NSGA-II), reconfiguration, power loss, voltage profile, PSAT.</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="45">
            <name>Publisher</name>
            <description>An entity responsible for making the resource available</description>
            <elementTextContainer>
              <elementText elementTextId="26287">
                <text>International Burch University</text>
              </elementText>
            </elementTextContainer>
          </element>
          <element elementId="48">
            <name>Source</name>
            <description>A related resource from which the described resource is derived</description>
            <elementTextContainer>
              <elementText elementTextId="26288">
                <text>Journal of Natural Sciences and Engineering</text>
              </elementText>
            </elementTextContainer>
          </element>
        </elementContainer>
      </elementSet>
    </elementSetContainer>
  </item>
</itemContainer>
