National Center for Forensic Science
A program of the National Institute of Justice hosted by the
University of Central Florida
Forensic Resource Network  

Digital Evidence


Biography:

Philip Craiger has a Ph.D. in industrial psychology from the University of South Florida, with a minor in artificial intelligence (from the Department of Computer Science). He was a tenured Associate Professor in the Department of Computer Science at the University of Nebraska at Omaha. While at UNO, his research and teaching interests moved to computer information security in 2001. In 2003 he became interested in digital forensics after meeting Special Agent Mark Pollitt, then the Director of the FBI's Computer Analysis and Response Team. Dr. Craiger moved to Orlando in 2004 and holds a dual appointment as a professor in the Department of Engineering Technology and as the Assistant Director for Digital Evidence at the National Center for Forensic Science.

Digital Evidence Mission

Our primary goal is to enhance public safety by assisting the criminal justice system.  We do so by:

• Conducting basic and applied research on digital evidence
• Conducting university courses on digital evidence and digital forensics
• Conducting training in digital forensics for local and state law enforcement agencies.

Our Digital Evidence staff consists of professors from Computer Science, Engineering Technology, law enforcement officers, and undergraduate and graduate students. Our ultimate goal is to assist state and local law enforcement with the computer crime challenges they face.

What is Digital Evidence?

“Digital evidence is information of probative value that is stored or transmitted in a binary form”, (SWGDE, 1998).
This field includes not only computers in the traditional sense but also digital audio and video. It includes all facets of crime where evidence may be found in a digital or binary form. Perhaps the most common computer crime in the news is child pornography, but computers are also instrumental in crimes ranging from check fraud to conspiracy to commit murder.

Digital Evidence comes in numerous form factors, such as:

Digital Evidence Forms

While these are obvious form factors, there are numerous form factors that are not so obvious, such as:

Digital Evidence Forms 2

What is Digital Forensics?

Digital forensics involves the identification, collection, preservation, examination, and analysis of digital evidence. It is a technical, computer-related field involved in the collection and examination of evidence from computers, including audio, video, and graphical images.

Educational Opportunities

The proposed 30-credit-hour Master of Science degree in Digital Forensics is composed of two tracks, Professional and Science/Computing, which use common core courses and tailored electives to achieve common educational goals with different focus areas. The professional track is directed toward current professionals in the field who will pursue the degree as part-time students, or those who would like to gain the knowledge and skills required to work as an examiner in the field. The science/computing track is directed toward those with an interest in the scientific applications and research in the field. These students will be full-time, conducting research with faculty resulting in a thesis, and may be interested in pursuing a doctoral degree in a related field or a law degree afterward. The MS degree in Digital Forensics addresses a local, state and national need for state-of-the-art education in the area of digital forensics.

The proposed degree is a collaborative effort between various UCF academic departments (Engineering Technology, Electrical Engineering and Computer Science, Forensic Science of Chemistry, Criminal Justice and Legal Studies) and the National Center for Forensic Science. The National Center for Forensic Science is a State of Florida Type II Center and a member of the Department of Justice's National Institute of Justice Forensic Resource Network, serving the needs of state and local law enforcement and forensic scientists.

Professional Track Master of Science in Digital Forensics (MSDF)

Graduate Certificate in Computer Forensics (GCCF)

The National Center for Forensic Science and the University of Central Florida are proud to offer a new Graduate Certificate in Computer Forensics (GCCF). This is a multidisciplinary certificate that requires only a bachelor's degree from any accredited university. The GCCF consists of five graduate-level courses.

Continuing Education

Students who are not interested in graduate credit, or who do not have a bachelor's degree, can enroll through Continuing Education for the courses and obtain a Continuing Education Certificate for each course. When all five courses are completed, they will receive a Certificate in Computer Forensics, the CCF.


Undergraduate Courses

CET4885: Digital Investigative Technologies. Taught in the Department of Engineering Technology by Dr. Craiger, College of Engineering and Computer Science. This course takes a technical, legal and practical approach to the study and practice of digital investigative techniques. Topics include: the legal and ethical implications of digital forensics; forensic duplication and data recovery; cryptography, steganography and other types of data hiding; and tools and techniques for investigating computer intrusions.

Training Opportunities

UCF Professors and law enforcement agents conduct training sessions on a variety of digital forensics topics. Unless otherwise noted, these sessions are open to both law enforcement and civilians.

Vendors also hold training classes in our facility in Partnership I.

Research

Virtual Digital Evidence Lab
(Funded by National Institute of Justice, Program Manager Martin Novak)

Currently, the collection, storage, analysis, and presentation of digital evidence occur in a single geographic location, typically in a small digital evidence lab within the jurisdiction where the electronic crime occurred. This is an inefficient model in that local and state law enforcement agencies typically and unnecessarily duplicate resources that may be available elsewhere. A further problem is that each law enforcement agency must verify and validate its examination tools, a process duplicated by all law enforcement agencies for all tools used in digital forensic examinations.

Digital evidence labs of the future will not be constrained to a specific geographic location. Instead we propose the concept of the virtual lab. A virtual lab consists of the tools and resources required for digital forensic examinations, but these resources may be located in various geographic locations, and administered and maintained by different entities (see Figure 1 below). These geographic locations are connected via a high-speed network. Examiners access the virtual lab through a single portal, over the Internet. Examiners can upload evidence for secure storage to one location and analyze the evidence using tools from a second location. Reports could be located at a third location. Prosecutors and attorneys would access the results through the same portal.

The advantages of this new model over the traditional digital evidence lab include:

1. Reducing or eliminating unnecessary duplication of resources (examination machines, digital forensic tools, terabyte storage, secure storage, etc.)

2. Reducing or eliminating unnecessary duplication of tasks (verification and validation of all tools in a single location, etc.).

3. Providing expert assistance through certified digital evidence examiner specialists (e.g., Mac OS X, Solaris, network forensics, etc.).

The largest benefit of virtual labs would be for smaller law enforcement agencies, even more so in rural areas, which often have to decide whether to buy ammunition or computers.

VDFL Diagram

Research questions to be addressed include:

1. Identifying best methods for authenticating users (examiners, attorneys, prosecutors, etc.) across multiple geographic locations.
2. Identifying best methods for securing the transfer of raw and reduced evidence across publicly accessible networks.
3. Identifying bottlenecks in network communications across disparate networks.
4. Validation and verification of digital forensics tool suites.
5. Identifying methods for providing remote assistance for examiners.
6. Estimating storage and network requirements, and identifying scalability issues.

Understanding Anti-Forensics

The market has seen a flood of new Windows-based software offering to delete files securely and inhibit their recovery by digital forensics programs. Demand for this software has emerged because traditional file deletion does not actually remove the file data from the media, but rather marks the space as available to be used again. While such secure delete programs often erase the actual contents of the file, most leave behind digital artifacts on the file system. This trace evidence can be used by forensic examiners to determine whether a secure delete program was employed, in addition to providing additional information about the original file (metadata). This paper examines five different programs currently on the market to discern what trace evidence remains after a secure delete operation is performed.

The programs were examined in a forensically sound environment using a standardized protocol. The results were confirmed using several Windows- and Linux-based forensic programs. Analysis showed that each secure delete program left predictable trace evidence when overwriting a file's contents. These traces varied in prominence, with some more identifiable than others. In addition, some of the programs did not completely erase file metadata, making it possible to extract the filename, file size, date created and date deleted in certain instances. While these results are promising, they remain preliminary; further testing is needed to determine whether they generalize to other file systems.

Digital Evidence image_2

Digital Evidence image_3

Residual data left by a secure delete program in $LogFile. Note that the entire contents of the file remained in the $LogFile even though the original contents of the file were overwritten by the secure delete program.
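The behaviour described above (the file's clusters are overwritten, yet a copy of the contents and the UTF-16LE filename survive in a journal such as $LogFile) can be modelled in a few lines. The following is an added illustration, not NCFS code or any of the programs studied: the toy volume layout, cluster size and journal format are assumptions, and only the carve() helper is meant for use on a real image, where an examiner searches for a keyword as both ASCII and UTF-16LE (the encoding NTFS uses for names).

```python
"""Toy model of the trace evidence a secure-delete program leaves behind.

Constructed illustration: a flat 'volume' with a data area, a file table
and a write-ahead journal that keeps a copy of every write (standing in
for the $LogFile behaviour observed above). Layout is an assumption.
"""
from dataclasses import dataclass, field

BLOCK = 64  # assumed cluster size of the toy volume


@dataclass
class ToyVolume:
    data: bytearray = field(default_factory=lambda: bytearray(BLOCK * 8))
    table: dict = field(default_factory=dict)       # name -> (offset, size)
    journal: bytearray = field(default_factory=bytearray)
    next_offset: int = 0

    def write(self, name: str, content: bytes) -> None:
        off = self.next_offset
        self.data[off:off + len(content)] = content
        self.table[name] = (off, len(content))
        self.next_offset += BLOCK
        # The journal records the UTF-16LE name and the bytes written; this
        # is why the contents can still be found after the clusters are wiped.
        self.journal += name.encode("utf-16-le") + content

    def delete(self, name: str) -> None:
        """Ordinary delete: only the table entry goes; the data stays put."""
        del self.table[name]

    def secure_delete(self, name: str, passes: int = 3) -> None:
        """Overwrite the file's clusters, then drop the table entry.
        The journal is left untouched, as with the programs examined above."""
        off, size = self.table[name]
        for _ in range(passes):
            self.data[off:off + size] = b"\x00" * size
        del self.table[name]


def carve(raw: bytes, keyword: str) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every ASCII or UTF-16LE hit of keyword."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = keyword.encode(enc)
        start = 0
        while (i := raw.find(needle, start)) != -1:
            hits.append((enc, i))
            start = i + 1
    return hits


def trace_evidence(name: str, content: bytes, secure: bool) -> dict:
    """Write one file, delete it plainly or securely, then carve for traces."""
    vol = ToyVolume()
    vol.write(name, content)
    (vol.secure_delete if secure else vol.delete)(name)
    text = content.decode("ascii")
    return {
        "table_entry": name in vol.table,
        "data_area": carve(bytes(vol.data), text),
        "journal_content": carve(bytes(vol.journal), text),
        "journal_name": carve(bytes(vol.journal), name),
    }


if __name__ == "__main__":
    sample = ("plan.txt", b"meeting at the pier 10pm")   # constructed sample
    for secure in (False, True):
        print("secure" if secure else "plain", trace_evidence(*sample, secure=secure))
```

Running it shows the two cases side by side: after a plain delete the contents are still in the data area at their original offset, and after a secure delete the data area is clean but the journal still yields both the contents and the UTF-16LE filename.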

Digital Evidence Markup Language
(Funded by National Institute of Justice, Program Manager Martin Novak)

Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM).

One of its limitations at its current level of development is the lack of a “model,” or a method to model, digital evidence. As a solution the National Center for Forensic Science and the UCF Department of Engineering Technology have proposed the digital evidence markup language (DEML), an extensible plug-in to Global JXDM. Global JXDM is intended to be a data reference model for the exchange of information within the justice and public safety communities (NIJ, 2004). The Global JXDM is a product of the Global Justice Information Sharing Initiative's (Global) Infrastructure and Standards Working Group (ISWG) and was developed by the Global ISWG's XML Structure Task Force (NIJ, 2004).

DEML is a schema based on XML that supports the standardization of digital evidence-related artifacts. Below we provide an overview of DEML. DEML must be built with extensibility and flexibility in mind as technology changes will require consistent and continual changes in the language to appropriately model changes in the technologies used in computer-related crime.

The SWGDE definition of digital evidence was meant to encompass digital artifacts; by definition this excludes certain crime scene-related items that might be important to law enforcement for use in arrests and subsequent prosecutions. For instance, hardware and the processes that a criminal uses, which are relevant to the execution of a crime, are not encompassed by this definition of digital evidence. We feel it is important that any artifact or process that may be important in the arrest and prosecution of a criminal should be able to be modeled using DEML.

We decided to use an object-oriented representation for DEML for two reasons. First, we are modeling real-world artifacts and processes that are composed of objects. For instance, workstations are composed of objects (motherboards, add-on cards, RAM, storage devices, human interface devices, etc.), each of which is composed of other objects. This fact allows us to use the object-oriented concepts of composition and aggregation to represent both hardware and digital artifacts.

The second reason for an object-oriented representation is the need to develop and maintain an extensible and flexible schema. New technologies will be developed, and the diversity of technologies will increase. A schema built upon object-oriented representation will support the modeling of new and diverse technologies by simply developing new classes (for diverse technologies) or using inheritance (inclusion of new technologies built upon old technologies).

We are using a top-down perspective to develop our object-oriented representation. Our initial selection included two somewhat independent top-tier objects: hardware and digital artifacts. Using these two superclasses as starting points, we attempted to model digital evidence using UML class diagrams.
We used our own interpretation and knowledge of hardware, along with the U.S. Secret Service's "Best Practices for Seizing Electronic Evidence" (Volume 2), to inform the law enforcement interpretation of hardware digital systems.

The figure below illustrates a digital artifact in object-oriented format using UML class diagrams.

UML Class Diagram

OO representation of a digital artifact
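To make the composition and inheritance argument concrete, here is an added Python example that is not the NCFS schema or any DEML artifact: the page describes DEML only as an XML schema with two superclasses (hardware and digital artifacts), so the element names (Object, Property), the type and id attributes, and the class hierarchy in CLASS_PARENT are assumptions made for illustration. The point it demonstrates is the extensibility claim: a containment rule written against the superclasses keeps working when a new device or artifact type is added as a subclass.

```python
"""DEML-style document with composition (nesting) and inheritance (type hierarchy).

Added illustration; element names, attributes and the class list are
assumptions, not the NCFS schema.
"""
import xml.etree.ElementTree as ET

# Hypothetical class hierarchy: class -> parent class (None = top-tier superclass).
CLASS_PARENT = {
    "Hardware": None,
    "Workstation": "Hardware",
    "StorageDevice": "Hardware",
    "UsbFlashDrive": "StorageDevice",   # new technology modelled by subclassing
    "DigitalArtifact": None,
    "File": "DigitalArtifact",
    "DeletedFile": "File",
}


def is_a(cls: str, ancestor: str) -> bool:
    """True if cls equals ancestor or inherits from it (walks CLASS_PARENT)."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = CLASS_PARENT.get(cls)
    return False


def build_sample() -> ET.Element:
    """Constructed document: a workstation containing a drive, and a USB stick
    containing a deleted file. Nesting expresses composition."""
    root = ET.Element("DigitalEvidence")
    ws = ET.SubElement(root, "Object", type="Workstation", id="ws-1")
    ET.SubElement(ws, "Object", type="StorageDevice", id="hd-1")
    usb = ET.SubElement(root, "Object", type="UsbFlashDrive", id="usb-1")
    f = ET.SubElement(usb, "Object", type="DeletedFile", id="f-1")
    ET.SubElement(f, "Property", name="filename").text = "plan.txt"
    return root


def build_bad_sample() -> ET.Element:
    """Constructed invalid document: a piece of hardware nested inside a file."""
    root = ET.Element("DigitalEvidence")
    f = ET.SubElement(root, "Object", type="File", id="f-9")
    ET.SubElement(f, "Object", type="Workstation", id="ws-9")
    return root


def validate(root: ET.Element) -> list[str]:
    """Containment rules phrased against the two superclasses, so subclasses
    added later (UsbFlashDrive, DeletedFile) pass without changing the rules."""
    errors = []
    for parent in root.iter("Object"):
        for child in parent.findall("Object"):
            p, c = parent.get("type"), child.get("type")
            if c not in CLASS_PARENT:
                errors.append(f"{child.get('id')}: unknown class {c}")
            elif is_a(p, "DigitalArtifact") and is_a(c, "Hardware"):
                errors.append(f"{child.get('id')}: hardware cannot be part of an artifact")
    return errors


def inventory(root: ET.Element) -> list[str]:
    """Flatten the composition tree into 'id:type/id:type' paths, depth first."""
    out = []

    def walk(el, path):
        for child in el.findall("Object"):
            p = path + [f"{child.get('id')}:{child.get('type')}"]
            out.append("/".join(p))
            walk(child, p)

    walk(root, [])
    return out


if __name__ == "__main__":
    doc = build_sample()
    print(ET.tostring(doc, encoding="unicode"))
    print(inventory(doc), validate(doc), validate(build_bad_sample()))
```

The rule in validate() never names UsbFlashDrive or DeletedFile; resolving types through is_a() is what lets a schema grow by adding subclasses, which is the maintenance property the paragraph above argues for.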

Mac OS X Forensics

There are few resources that describe a forensic analysis of an Apple Mac computer. We are working to better understand the various versions of Mac OS X, and to develop tools and procedures to conduct a forensic examination of an Apple Mac running Mac OS X.

Portable Electronic Device Forensics

In the past five years no other technology has grown more than personal electronic devices (PEDs). PEDs are typically small, handheld mobile devices with embedded computer chips and memory to store personal information, for instance, personal digital assistants (PDAs), cell phones, wrist watches, and so on. Some of these devices are hybrids that perform more than one function; for instance, new hybrid cell phones/PDAs perform both. These generally cause two problems for law enforcement. First, these devices are often overlooked by law enforcement at the scene of a crime due to ignorance about their functionality. Second, even when seized, there is no PED-based forensic software or hardware to create a forensically sound copy of the contents of the device, or software to perform a logical or physical analysis of the device. We are working to develop tools and procedures that will assist law enforcement in the examination of PEDs.

Game Console Forensics

Microsoft's Xbox game console is little more than a low-end computer; with nominal effort it can be modified to run additional operating systems, enabling it to store gigabytes' worth of non-game related files in addition to running various computer services. Little has been published, however, on the proper forensic procedures to be employed in determining whether an Xbox has been modified, and if so, how to conduct a proper digital forensic investigation. Given the ubiquity of these devices, it will be important to understand how to identify, image, and examine these systems while reducing the potential for making any changes. This paper complements and extends previous work involving the forensic analysis of Xboxes that are running Linux. We approach the topic from an applied research methodology, providing a set of procedures to be followed during the acquisition and subsequent analysis of an Xbox.

Digital Forensic Examiner Proficiency and Competency Tests

Law enforcement investigators and forensic laboratory examiners must be prepared to respond to the increased use of technology by the criminal element. Digital evidence examiners are being called upon to demonstrate their competencies in court and to their own management. These trends in the digital forensics profession have made it necessary for laboratories, police agencies, and corporate investigative practices to find ways to evaluate the capabilities of their personnel, both individually and as a group. In other forensic sciences, proficiency and competency tests have become a standard method of documenting the knowledge, skills, and abilities of forensic examiners at all levels. However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement, and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will bring this newest forensic science into the ranks of universally accepted laboratory examination specialties.

Digital Evidence Staff

  • Dr. Philip Craiger, CISSP, Assistant Director for Digital Evidence & Assistant Professor, Department of Engineering Technology
  • Mark Pollitt, M.S., Visiting Professor with a joint appointment with the NCFS and the Department of Engineering
  • Dr. Sheau Lang, Associate Professor, Department of Computer Science, GCCF Coordinator
  • Eric Walton, UCF Police Department, Florida Electronic Crime Team member
  • Chris Marberry, Senior Digital Forensics Research Assistant
  • Paul Burke, Senior Digital Forensics Research Assistant

NCFS Publications

With assistance from NCFS, NIJ has produced the following publications:

*Electronic Crime Scene Investigation Guide: a Guide for First Responders
*Forensic Examination of Digital Evidence: A guide for Law Enforcement

Edited Books

P. Craiger and S. Shenoi. Advances in Digital Forensics III, International Federation for Information Processing, New York, 2007.

Refereed Publications

• P. Burke, P. Craiger. Xbox Forensics. Journal of Digital Forensics Practice, New York, Taylor & Francis, 275-282.

• C. Marberry, P. Craiger. CD-R Acquisition Hashes Affected by Write Options. Journal of Digital Forensics Practice, New York, Taylor & Francis, 297-307.

• P. Craiger, P. Burke, and C. Marberry. Forensics Analysis of Phishing Cases Using Open Source and Free Tools. Anti-phishing and Online Fraud. Journal of Digital Forensics Practice, New York, Taylor & Francis, 223-230.

• P. Burke and P. Craiger, Forensic Analysis of Xbox Consoles. In P. Craiger and S. Shenoi (Eds.), Advances in Digital Forensics III, Springer, New York, to appear.

• C. Marberry and P. Craiger, Burn Options Affect Cryptographic One-way Hashes of CD-R Media. In P. Craiger and S. Shenoi (Eds.), Advances in Digital Forensics III, Springer, New York, to appear.

• P. Craiger and P. Burke, Mac OS X Forensics. In M. Olivier and S. Shenoi (Eds.), Advances in Digital Forensics II, Springer, New York, to appear.

• P. Burke and P. Craiger, Trace evidence of secure delete programs. In M. Olivier and S. Shenoi (Eds.), Advances in Digital Forensics II. Springer, New York, to appear.

• P. Craiger, Training and Education in Digital Forensics. In J. Barbara (Ed.), Handbook of Digital and Multimedia Evidence. Humana Press, to appear.

• Craiger, P. (to appear). Training and Education in Digital Forensics. In J. Barbara (Ed.), Handbook of Digital and Multimedia Evidence. Humana Press. Invited paper.

• P. Craiger, Computer forensics methods and procedures. In H. Bidgoli (Ed.), Handbook of Information Security, New York, John Wiley and Sons, 2, pp. 736-755, 2006.

• P. Craiger, M. Pollitt and J. Swauger, Digital evidence and law enforcement. In H. Bidgoli (Ed.), Handbook of Information Security, New York, John Wiley and Sons, 2, pp. 739-777, 2006.

• P. Craiger, Recovering digital evidence from Linux systems, In S. Shenoi and M. Pollitt (Eds), Advances in Digital Forensics, New York, Springer, pp. 233-243, 2006.

• P. Craiger, J. Swauger, and C. Marberry, Digital forensic software tool validation. In P. Kanellis (Ed.), Digital Crime and Forensic Science in Cyberspace, Idea Group, 91-108, 2006.

• Craiger, J.P., Swauger, J, & Marberry, C. (2005). Digital evidence obfuscation: recovery techniques. Proceedings of the International Society for Optical Engineering. Pp. 587-594.

• Webb, SB III, & Craiger, J.P. (October, 2003) Defensive Battle Stations In Network-Centric Warfare: Rapid-response Computer & Intrusion Forensics. Proceedings of the 6th Annual Systems Engineering Conference, San Diego, CA October, 2003.

• Craiger, P, & Swauger, J (accepted, to appear) Digital forensic software tool validation. In P Kanellis (Ed), Digital Crime and Forensic Science in Cyberspace, Idea Group.

• Craiger, J.P. (2004) Portable forensics with Linux. Proceedings of the Annual Meeting of the Nebraska Academy of Sciences, Lincoln, NE.

• Craiger, J.P., et al (Sept, 2002) An applied course in network forensics Proceedings of the Workshop for Dependable and Secure Systems, University of Idaho, Moscow, Idaho, Sept 23-35.

Professional Conference Presentations

• Craiger, J.P. & Burke, P.K. Mac Forensics: Mac OS X and the HFS+ File System. Second Annual International Federation for Information Processing. Feb. 2, 2006, Orlando, FL.

• Burke, P.K., & Craiger, J.P. Trace evidence of secure delete programs. Second Annual International Federation for Information Processing. Feb. 2, 2006, Orlando, FL.

• Eaglin, R., & Craiger, J.P. (2005). Data Sharing and the Digital Evidence Markup Language. 1st Annual GJXDM Users Conference, Atlanta, GA. (not peer reviewed).

• Craiger, J.P. (February, 2005) Recovering digital evidence from Linux systems 1st Annual Conference of Digital Forensics Working Group of the International Association of Information Professionals Orlando, FL

• Craiger, J.P. (April, 2005) Digital evidence obfuscation: Recovery techniques Meeting of the International Society for Optical Engineering Orlando, FL.

• Craiger, J.P. (January, 2005) Research at the National Center for Forensic Science Annual Meeting of the Forensic Resource Network/Crime Lab Improvement Program Conference Tampa, FL.

• Craiger, J.P. (May 2004) Portable Linux Forensics Presentation accepted for the 26th Annual Department of Energy Conference on Computer Security Training Kansas City MO.

• Craiger, J.P., & Webb, SB (April 2004) Forensics with Linux Presentation for the 8th Annual INFOTEC Conference Omaha, NE

• Craiger, J.P. (April, 2003) Network forensics investigative techniques 25th Annual Department of Energy Conference on Computer Security Training Baltimore MD.

• Gubbels, KA, & Craiger, J.P. (April, 2003) Honeypots for Defense-in-Depth 25th Annual Department of Energy Conference on Computer Security Training Baltimore MD.

• Craiger, J.P. (April, 2003) Computer & network forensics Presentation at the 7th Annual INFOTEC Conference Omaha, NE .

• Gubbels, KA, & Craiger, J.P. (April, 2003) Defense-in-depth with honeypots Presentation at the 7th Annual INFOTEC Conference Omaha, NE

• Craiger, J.P., et al. (Sept, 2002) An applied course in network forensics Paper presented at the Workshop for Dependable and Secure Systems University of Idaho, Moscow, Idaho, Sept 23-35

Partnerships:

Xiotech

I.D.E.A.L. Technology Corporation

NCFS does not endorse or recommend any commercial products,
processes, or services. The views and opinions on this web site do
not necessarily state or reflect those of the U.S. Government, and
they may not be used for advertising or product endorsement purposes.

Scientific Working Group on Digital Evidence
The NCFS is involved with the Scientific Working Group on Digital Evidence, an FBI-initiated group designed to create standards in the field.

The Chair of the group is Dara Sewell of the Computer Analysis Response Team at the FBI Laboratory.
The Vice Chair is Mike Phelan of the Drug Enforcement Agency.
The Executive Secretary is our own Carrie Whitcomb, Director of the NCFS.

NCFS actively pursues relationships with law enforcement in the Central Florida region. One such effort was initiating the Central Florida Computer Forensics group, which, in partnership with the United States Department of Justice Attorney's Office (Middle District of Florida) and the Florida Department of Law Enforcement, meets the third Thursday of every month to discuss local issues of common interest related to computer crimes, training and cooperative efforts. Digital evidence provides a challenge for the National Center for Forensic Science and the country as a whole. We are doing our best with our own research and the partnerships we make to rise to the occasion, to serve and enable state and local law enforcement to do their job to ensure justice.

FLEET News
October 28, 2004
FLEET task force executes two search warrants during Operation Firewall
U.S. Secret Service's International Undercover Investigation Prevents Millions In Financial Loss and Nets 28 Arrests.


July 27, 2004
FLEET electronic crimes task force
The FLorida Electronic Evidence Team (FLEET Lab) was on the local news.
FLEET is a partnership between the US Secret Service, National Center for Forensics Science and various state and local law enforcement agencies.


Digital Evidence Links

Definitions and Guidelines for the Use of Imaging Technologies in the Criminal Justice System

Digital Evidence: Standards and Principles

Recovering and Examining Computer Forensic Evidence

Computer System and Network Security Information


This page is maintained by
David Galat dgalat@mail.ucf.edu
Last update: May 29, 2008
