Blogs emerged in the late 1990s as a means of publicising personal or group views on the World Wide Web in a diary-like format. The availability of web publishing tools usable without any knowledge of programming or website building acted as a catalyst for the growth of blogging across many subjects. Many blogging platforms exist; some of the popular ones are 'WordPress', 'Tumblr', 'Blogger', 'Weebly', 'Wix' and 'Squarespace'.
This paper discusses the examination of electronic exhibits allegedly seized from a blogger and the artefacts found in them. The computer forensic examiner's challenge is to find traces of blogging activity and to weigh the significance of each trace against the technology that produced it. The computer user, being human, is also an important factor: habits of mind show through in how a computer is handled, whether in the way files and folders are named, the choice of colours, or the preference for particular usernames. Observing these activities and finding trends in them can be a valuable resource for analysis when combined with the results obtained from forensic tools.
The exhibits seized consisted of one desktop computer (CPU unit) and one tablet. Printouts of the blog pages concerned, as well as some screenshots of the accused's Facebook page, were supplied for comparison. The blog 'xyz' (name changed as the matter is sub judice) contained many captioned cartoons. It was suspected that the accused hosted the blog and used the mail address 'email@example.com' (address changed as the matter is sub judice) to publish 'xyz'.
A folder 'xyz_files', containing files with 'css', 'js' and 'html' extensions as well as a file named loaded_0, was found inside a folder 'my web pages'. Besides 'xyz_files' there were other folders whose names ended in '_files'. This naming is what a browser's 'save page as, complete' function produces: the page is written out as an HTML file and its stylesheets, scripts and images are placed in a sibling folder named after the page with '_files' appended, so each such folder is evidence that the corresponding page was saved locally by the browser. The names of all these folders were related to the subject depicted in the blog under investigation. Each folder also contained images with 'jpg', 'bmp' and 'png' extensions. Some of the images were cartoons relevant to the investigation; others were buttons and other interface elements in the same colours as the disputed web page.
There was a folder containing cartoons in line with the blog under investigation. Some of these cartoon images also appeared in the supplied printouts of the blog and in the Facebook screenshots. There were folders containing eBooks with an agenda similar to that of the blog under investigation. A folder named 'blog data' contained files and folders with similar content.
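As an added example (not code from the paper), the following Python script locates this 'page.html plus page_files' layout under a seized folder tree, inventories each assets folder and hashes its images so that they can be compared with reference images, for instance pictures captured from the live blog. The directory it builds is a constructed stand-in for the 'my web pages' folder described above; the file names and contents are placeholders, not case data.

```python
"""Locate browser 'save page as, complete' artefacts (page.html + page_files/) and hash the
images inside them for comparison with reference images. Added example, not the paper's code."""
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
WEB_ASSET_EXT = {".css", ".js", ".html", ".htm"}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_saved_pages(root):
    """Yield (html file, assets folder) pairs. Chrome, Firefox, Edge and Internet Explorer all
    write the assets of a complete save into a sibling folder named '<page name>_files'."""
    root = Path(root)
    for html in root.rglob("*"):
        if not html.is_file() or html.suffix.lower() not in (".html", ".htm"):
            continue
        assets = html.with_name(html.stem + "_files")
        if assets.is_dir():
            yield html, assets


def inventory(root):
    """Per saved page: sha256 of every image in its assets folder plus a count of css/js/html
    files. Keys are forward-slash relative paths so results compare the same on any platform."""
    root = Path(root)
    out = {}
    for html, assets in find_saved_pages(root):
        images, web_assets = {}, 0
        for f in sorted(assets.iterdir()):
            if not f.is_file():
                continue
            ext = f.suffix.lower()
            if ext in IMAGE_EXT:
                images[f.name] = sha256_file(f)
            elif ext in WEB_ASSET_EXT:
                web_assets += 1
        out[html.relative_to(root).as_posix()] = {
            "assets_dir": assets.name, "images": images, "web_assets": web_assets}
    return out


def match_reference(inv, reference_hashes):
    """(page, image name) pairs whose image hash equals a reference hash. Exact match only: a
    re-encoded, resized or screenshotted copy of the same cartoon will not match and would
    need a perceptual hash instead."""
    return sorted((page, name) for page, info in inv.items()
                  for name, digest in info["images"].items() if digest in reference_hashes)


# Constructed demo tree mirroring the layout described in the case ('my web pages/xyz.html'
# with 'xyz_files/'); the file contents are placeholders, not real evidence.
DEMO_CARTOON = b"\x89PNG\r\n\x1a\nplaceholder-cartoon-1"


def build_demo_tree():
    root = Path(tempfile.mkdtemp())
    pages = root / "my web pages"
    assets = pages / "xyz_files"
    assets.mkdir(parents=True)
    (pages / "xyz.html").write_text("<html><body><img src='xyz_files/cartoon1.png'></body></html>")
    (assets / "cartoon1.png").write_bytes(DEMO_CARTOON)
    (assets / "button.bmp").write_bytes(b"BMplaceholder-button")
    (assets / "style.css").write_text("body{color:#c00}")
    (assets / "loaded_0").write_bytes(b"no extension: neither image nor web asset")
    (pages / "notes.html").write_text("<html>a page saved without an assets folder</html>")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    inv = inventory(demo)
    for page, info in inv.items():
        print(page, "->", info["assets_dir"], len(info["images"]), "images")
    print("matches:", match_reference(inv, {sha256_bytes(DEMO_CARTOON)}))
```

A page saved this way proves the page was viewed and saved from the browser on that machine; whether it was also edited there has to come from other artefacts, such as saved copies of the platform's editing interface or the browsing history.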
That the user is passionate about the subject of the blog in question is evident from the several resources on that subject found on his computer.
One email archive, 'outlook.pst', was available. Personal Storage Table (.pst) is a proprietary file format, whose specification Microsoft has published, used to store local copies of messages, calendar events and other items in Microsoft software such as Microsoft Outlook. The archive was found to belong to 'firstname.lastname@example.org', which differs from the email address under investigation.
However, the keyword 'email@example.com' was found during keyword search. It was also observed that the emails recovered from the archive belonging to 'firstname.lastname@example.org' included several mails sent to 'abc@gmail.com' and to other email addresses whose usernames and contents were in line with the subject of the blog under investigation. The inbox recovered from the archive, however, contained no email received from 'abc@gmail.com' or from the other addresses to which the user frequently sent mail. Some of these sent emails contained links to blogs other than the blog under investigation. Although the contents behind these links could not be verified, the link names indicated that the contents may be relevant.
The user is thus in contact with 'firstname.lastname@example.org' and other email addresses whose usernames and contents are in line with the subject of the website under investigation. That these addresses, including 'email@example.com', never reply indicates that their primary purpose is not email correspondence but feeding records into some other application (blogging platforms, for instance, accept posts sent by email to a dedicated address). In addition, there is a strong indication that the user of the device accesses these accounts on other devices not under the present investigation. The links to other blogs also indicate that he may be a contributor to those blogs.
Chrome autofill entries and Chrome bookmarks consistent with the investigation were found. Facebook comments and Facebook pictures contained words relevant to the subject under investigation. The rebuilt web pages indicate access to the editing interface of the relevant web pages.
Chat: The tablet contained some 'WhatsApp' conversations regarding the blog, and links from the blog in question were sent to contacts. In one conversation the user admitted that the fake account ID had been created by himself.
Email: The emails recovered suggest that two email accounts were associated with the device. One of them is 'firstname.lastname@example.org'; the other is 'email@example.com', which is not under investigation. The address 'firstname.lastname@example.org' had also turned up during the earlier keyword searches on the CPU. Activity analytics showed that 8 emails were sent from 'email@example.com' to 'firstname.lastname@example.org', whereas one email was received by 'email@example.com' from 'firstname.lastname@example.org'. It was also observed that 'email@example.com' sent mails to 'abc@gmail.com' and other email addresses whose usernames and contents were in line with the subject of the blog under investigation.
It is thus further established that there was interaction between the two email accounts, interaction that was not visible on the CPU. Moreover, the fact that both addresses were used from one device substantiates that the user has multiple email addresses and uses them selectively across different devices.
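The correspondence pattern described in both the CPU email section and the tablet email section above (mail flowing out to thematically related addresses with no replies coming back, plus traffic between the two examined accounts, plus links being passed around) can be extracted mechanically. The following Python example is added here and is not the examiner's code. It works on plain RFC 5322 messages, so a .pst archive would first have to be exported to individual messages (for instance with readpst); parsing the PST container itself is out of scope. The mailbox it analyses is constructed with placeholder addresses and is not the case data.

```python
"""Correspondent analysis of recovered mail: whom the examined accounts wrote to, who wrote
back, and which link hosts were exchanged. Added example, not the paper's code."""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _addresses(msg, *headers):
    """Lower-cased addresses found in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def _plain_text(msg):
    """Concatenated text/plain bodies (multipart messages are walked part by part)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_messages, own_accounts):
    """Tally sent/received messages per outside counterpart, count traffic between the
    examined accounts themselves, and record the hosts of links exchanged with each
    counterpart (the examiner could only see link names, so hosts are what is recorded)."""
    own = {a.lower() for a in own_accounts}
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    link_hosts = defaultdict(set)
    internal = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        senders = _addresses(msg, "From")
        recipients = _addresses(msg, "To", "Cc", "Bcc")
        if senders & own:
            others = recipients - own
            if not others:            # examined account writing to examined account
                internal += 1
                continue
            direction = "sent"
        elif recipients & own:
            direction, others = "received", senders - own
        else:
            continue                  # neither side is an examined account
        hosts = {urlparse(u).netloc.lower() for u in URL_RE.findall(_plain_text(msg))}
        for other in others:
            stats[other][direction] += 1
            if hosts:
                link_hosts[other] |= hosts
    return {"stats": dict(stats), "links": dict(link_hosts), "internal": internal}


def one_way(stats):
    """Counterparts written to that never wrote back: the pattern seen in the case, where mail
    flows out to addresses sharing the blog's theme but nothing comes in."""
    return sorted(a for a, c in stats.items() if c["sent"] and not c["received"])


# Constructed sample mailbox (not the case data); placeholder addresses and hosts throughout.
def _mail(frm, to, subject, body):
    return (f"From: {frm}\nTo: {to}\nSubject: {subject}\n"
            f"Content-Type: text/plain; charset=utf-8\n\n{body}\n")


OWN_ACCOUNTS = ["user1@example.org", "user2@example.com"]
SAMPLE_MAILBOX = [
    _mail("user1@example.org", "contact-a@example.net", "new cartoon",
          "posted at http://other-blog.example/2016/05/post-1"),
    _mail("user1@example.org", "contact-a@example.net", "one more",
          "http://other-blog.example/2016/05/post-2"),
    _mail("user1@example.org", "contact-b@example.net", "fwd",
          "see http://xyz.blogspot.in/ for the latest"),
    _mail("friend@example.net", "user1@example.org", "re: meeting", "ok, see you"),
    _mail("user1@example.org", "friend@example.net", "meeting", "tomorrow?"),
    _mail("user1@example.org", "user2@example.com", "draft", "attached draft"),
    _mail("user2@example.com", "user1@example.org", "re: draft", "received"),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_MAILBOX, OWN_ACCOUNTS)
    for addr, c in sorted(result["stats"].items()):
        print(f"{addr:24} sent={c['sent']} received={c['received']} "
              f"links={sorted(result['links'].get(addr, []))}")
    print("between examined accounts:", result["internal"])
    print("one-way counterparts:", one_way(result["stats"]))
```

On the constructed mailbox the two 'contact' addresses come out as one-way counterparts and 'friend' does not, which is the distinction the examiner drew between correspondents and addresses that merely receive material.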
A __utmz cookie containing the name of the blogging site was available. __utmz holds information about the way the user arrived at the website. The value of this cookie was '7433012.1463175562.1.1.utmcsr=xyz.blogspot.in|utmccn=(referral)|utmcmd=referral|utmcct=/'. The utmcsr field (the traffic source) is xyz.blogspot.in, xyz being the name of the blog under investigation; utmcmd=referral records that the visit arrived through a link rather than by direct entry or a search; and the second field, 1463175562, is the Unix timestamp of the visit (13 May 2016, 21:39:22 UTC). In this context it deserves mention that Google Analytics sets several different cookies:
__utma, the first cookie in Google's naming scheme, is used to identify unique visitors.
__utmb and __utmc are used to determine sessions; together they identify unique sessions.
__utmz identifies traffic sources.
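As an added example (not from the paper), here is a small Python decoder for the ga.js cookie layouts described above. It splits the __utmz value quoted in the paper into domain hash, visit timestamp, session and campaign counters and campaign fields, converts the timestamp for the case timeline, and checks whether the recorded traffic source is the blog's domain. The __utma value is constructed for illustration only; the paper reports just the __utmz value.

```python
"""Decode legacy Google Analytics (ga.js) __utm* cookies recovered from a browser profile.
Added example; not the paper's code."""
from datetime import datetime, timezone
from urllib.parse import unquote


def utc(ts):
    """Unix seconds -> human-readable UTC, for placing the cookie on the case timeline."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_utmz(raw):
    """__utmz = <domain hash>.<timestamp>.<session count>.<campaign number>.<campaign fields>
    Campaign fields are '|'-separated key=value pairs: utmcsr (source), utmccn (campaign),
    utmcmd (medium), utmctr (search term), utmcct (content / landing path).
    Whitespace is discarded first because cookie values copied into reports are often
    line-wrapped, as the value quoted in the paper was."""
    raw = "".join(raw.split())
    head, sep, tail = raw.partition(".utm")
    if not sep:
        raise ValueError("no campaign fields in __utmz value")
    domain_hash, timestamp, sessions, campaigns = head.split(".")
    fields = {}
    for pair in ("utm" + tail).split("|"):
        key, _, val = pair.partition("=")
        fields[key] = unquote(val)          # GA stores e.g. '(not set)' URL-encoded
    return {
        "domain_hash": domain_hash,
        "timestamp": int(timestamp),
        "timestamp_utc": utc(timestamp),
        "sessions": int(sessions),
        "campaigns": int(campaigns),
        "source": fields.get("utmcsr", ""),
        "campaign": fields.get("utmccn", ""),
        "medium": fields.get("utmcmd", ""),
        "term": fields.get("utmctr", ""),
        "content": fields.get("utmcct", ""),
    }


def parse_utma(raw):
    """__utma = <domain hash>.<visitor id>.<first visit>.<previous visit>.<current visit>.<sessions>
    The three timestamps give first contact with the site, the previous session and the
    most recent session, so one cookie can bracket a user's history with that site."""
    parts = "".join(raw.split()).split(".")
    if len(parts) != 6:
        raise ValueError("unexpected __utma layout")
    domain_hash, visitor_id, first, previous, current, sessions = parts
    return {"domain_hash": domain_hash, "visitor_id": visitor_id,
            "first_visit_utc": utc(first), "previous_visit_utc": utc(previous),
            "current_visit_utc": utc(current), "sessions": int(sessions)}


def referred_from(utmz, domain):
    """True when the traffic source recorded in __utmz is the given host or a subdomain of it."""
    src, domain = utmz["source"].lower(), domain.lower()
    return src == domain or src.endswith("." + domain)


# The __utmz value quoted in the paper (blog name already anonymised there), spacing removed.
UTMZ_FROM_PAPER = ("7433012.1463175562.1.1.utmcsr=xyz.blogspot.in|utmccn=(referral)"
                   "|utmcmd=referral|utmcct=/")
# Constructed __utma value for illustration only; the paper does not report one.
UTMA_CONSTRUCTED = "7433012.987654321.1463175562.1463175562.1463175562.1"

if __name__ == "__main__":
    z = parse_utmz(UTMZ_FROM_PAPER)
    print(z)
    print("referred from blogspot.in:", referred_from(z, "blogspot.in"))
    print(parse_utma(UTMA_CONSTRUCTED))
```

The domain hash is the same for every __utm* cookie set by one site, which is how the __utma and __utmz entries belonging to the same site can be paired when a profile contains cookies for many sites.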
The login status of the email accounts could not be confirmed. However, judging by file creation dates, the user habitually created PowerPoint files, apparently for printing. Inspection of these PowerPoint files revealed one file containing the usernames and passwords of 10 email accounts, 2 Facebook accounts and 3 Blogger accounts, including the account under investigation.
The artefacts recovered may be considered an ecosystem of the user's activity across the electronic devices he owned. The activities on the two devices could be linked to each other on the timeline and through their contents. Both internet artefacts and user activity play a strong role in decision making, as the facts of this case demonstrate.