569 research outputs found

    Forensic Methods and Tools for Web Environments

    abstract: The Web is one of the most exciting and dynamic areas of development in today’s technology. However, with such activity, innovation, and ubiquity have come a set of new challenges for digital forensic examiners, making their jobs even more difficult. For examiners to become as effective with evidence from the Web as they currently are with more traditional evidence, they need (1) methods that guide them to know how to approach this new type of evidence and (2) tools that accommodate web environments’ unique characteristics. In this dissertation, I present my research to alleviate the difficulties forensic examiners currently face with respect to evidence originating from web environments. First, I introduce a framework for web environment forensics, which elaborates on and addresses the key challenges examiners face and outlines a method for how to approach web-based evidence. Next, I describe my work to identify extensions installed on encrypted web thin clients using only a sound understanding of these systems’ inner workings and the metadata of the encrypted files. Finally, I discuss my approach to reconstructing the timeline of events on encrypted web thin clients by using service provider APIs as a proxy for directly analyzing the device. In each of these research areas, I also introduce structured formats that I customized to accommodate the unique features of the evidence sources while also facilitating tool interoperability and information sharing. Dissertation/Thesis, Doctoral Dissertation, Computer Science 201

    Using Texture Vector Analysis to Measure Computer and Device File Similarity

    Executable programs run on computers and digital devices. These programs are pre-installed by the device vendor or are downloaded or copied from storage media. It is useful to study file similarity between executable files to verify valid updates, identify potential copyright infringement, identify malware, and detect other abuse of purchased software. An alternative to relying on simplistic methods of file comparison, such as comparing their hash codes to see if they are identical, is to identify the "texture" of files and then assess its similarity between files. To test this idea, we experimented with a sample of 23 Windows executable file families and 1,386 files. We identify points of similarity between files by comparing sections of data in their standard deviations, means, modes, mode counts, and entropies. When vectors are sufficiently similar, we calculate the offsets (shifts) between the sections to get them to align. Using analysis on these shifts, we can measure file similarity efficiently. By plotting similarity vs. time, we track the progression of similarity between files. Prepared for the Naval Postgraduate School, Monterey, CA 93943. Approved for public release; distribution is unlimited.

    Secure Storage Model for Digital Forensic Readiness

    Securing digital evidence is a key factor that contributes to evidence admissibility during digital forensic investigations, particularly in establishing the chain of custody of digital evidence. However, not enough is done to ensure that the environment and access to the evidence are secure. Attackers can go to extreme lengths to cover up their tracks, which is a serious concern to digital forensics, particularly digital forensic readiness. If an attacker gains access to the location where evidence is stored, they could easily alter the evidence (if not remove it altogether). Even though integrity checks can be performed to ensure that the evidence is sound, the collected evidence may contain sensitive information that an attacker can easily use for other forms of attack. To this end, this paper proposes a model for securely storing digital evidence captured pre- and post-incident to achieve reactive forensics. Various components were considered, such as integrity checks, environment sandboxing, strong encryption, two-factor authentication, as well as unique random file naming. A proof-of-concept tool was developed to realize this model and to prove its validity. A series of tests were conducted to check for system security, performance, and requirements validation. Overall, the results obtained showed that, with minimal effort, securing forensic artefacts is a relatively inexpensive and reliable feat. This paper aims to standardize evidence storage, practice high security standards, as well as remove the need to create new systems that achieve the same purpose.

    RGS Proteins and Septins Cooperate to Promote Chemotropism by Regulating Polar Cap Mobility

    Background—Septins are well known to form a boundary between mother and daughter cells in mitosis, but their role in other morphogenic states is poorly understood. Results—Using microfluidics and live cell microscopy, coupled with new computational methods for image analysis, we investigated septin function during pheromone-dependent chemotropic growth in yeast. We show that septins colocalize with the regulator of G-protein signaling (RGS) Sst2, a GTPase-activating protein that dampens pheromone receptor signaling. We show further that the septin structure surrounds the polar cap, ensuring that cell growth is directed toward the source of pheromone. When RGS activity is abrogated, septins are partially disorganized. Under these circumstances the polar cap travels toward septin structures and away from sites of exocytosis, resulting in a loss of gradient tracking. Conclusion—Septin organization is dependent on RGS protein activity. When assembled correctly, septins promote turning of the polar cap and proper tracking of a pheromone gradient

    From Genes to Ecosystems: Resource Availability and DNA Methylation Drive the Diversity and Abundance of Restriction Modification Systems in Prokaryotes

    Together, prokaryotic hosts and their viruses numerically dominate the planet and are engaged in an eternal struggle of hosts evading viral predation and viruses overcoming defensive mechanisms employed by their hosts. Prokaryotic hosts have been found to carry several viral defense systems in recent years, with Restriction Modification systems (RMs) being the first discovered, in the 1950s. While we have biochemically elucidated many of these systems in the last 70 years, we still struggle to understand what drives their gain and loss in prokaryotic genomes. In this work, we take a computational approach to understand the underlying evolutionary drivers of RMs by assessing ‘big data’ signals of RMs in prokaryotic genomes and incorporating molecular data in trait-based mathematical models. Focusing on the Cyanobacteria, we found a large discrepancy in the frequency of RMs per genome in different environmental contexts, where Cyanobacteria that live in oligotrophic nutrient conditions have few to no RMs and those in nutrient-rich conditions consistently have many RMs. While our models agree with the observation that increased nutrient inputs make the selective pressure of RMs more intense, they were unable to reconcile the high numbers of RMs per genome with their potent defensive properties, a situation of apparent overkill. By incorporating viral methylation, an unavoidable effect of RMs, we were able to explain how organisms could carry over 15 RMs. With this discovery, we then tried to reassess the distribution of methyltransferases, an essential component of RMs that can also have alternate physiological roles in the cell. We expand on conventional wisdom, that methyltransferases that are widely phylogenetically conserved are associated with global cellular regulation. However, we also find that organisms with high numbers of RMs also have a surprising amount of conservation in the methyltransferases that they carry. This data suggests caution should be used in associating phylogenic signals with functional roles in methyltransferases as different functional roles seem to overlap in their phylogenetic signal. Indeed, we suggest trait-based modeling may be the best tool in elucidating why organisms with a high selective pressure to maintain RMs appear to have conserved methyltransferase

    AUTOPSY – ENHANCED DISTRIBUTED FORENSIC ANALYSIS

    As part of the master's degree in Cybersecurity and Digital Forensics, one of the options for the final curricular year is to carry out an internship, and this document is the report resulting from it. The company VOID SOFTWARE, S.A., in agreement with the student, defined a work plan to be carried out over the course of the 9-month curricular internship, with the goal of developing a digital forensic analysis platform based on the Autopsy platform. There are many digital forensic analysis platforms, but Autopsy is the free and open-source option with the most recognition in the market. The platform developed, which is the subject of this work and therefore of this report, aims to complement the Autopsy platform with one of the most important features of digital forensic analysis platforms, collaboration, by adapting the platform's architecture to a client-server model. The development of the platform followed the company's usual practices, using an agile framework and working with different roles such as designer, tester and product owner.

    Design and Instantiation of an Interactive Multidimensional Ontology for Game Design Elements – a Design and Behavioral Approach

    While games and play are commonly perceived as leisure tools, focus on the strategic implementation of isolated gameful elements outside of games has risen in recent years under the term gamification. Given their ease of implementation and impact in competitive games, a small set of game design elements, namely points, badges, and leaderboards, initially dominated research and practice. However, these elements reflect only a small group of components that game designers use to achieve positive outcomes in their systems. Current research has shifted towards focusing on the game design process instead of the isolated implementation of single elements under the term gameful design. But the problem of a tendency toward a monocultural selection of prominent design elements persists in game and gameful design, preventing the method from reaching its full potential. This dissertation addresses this problem by designing and developing a digital, interactive game design element ontology that scholars and practitioners can use to make more informed and inspired decisions in creating gameful solutions to their problems. The first part of this work is concerned with the collation and development of the digital ontology. First, two datasets were collated from game design and gamification literature (game design elements and playing motivations). Next, four explorative studies were conducted to add user-relevant metadata and connect their items into an ontological structure. The first two studies use card sorting to assess game theory frameworks regarding their suitability as foundational categories for the game design element dataset and to gain an overview of different viewpoints from which categorizations can be derived. The second set of studies builds on an explorative method of matching dataset entries via their descriptive keywords to arrive at a connected graph. The first of these studies connects items of the playing motivations dataset with themselves, while the second connects them with an additional dataset of human needs. The first part closes with the documentation of the design and development of the tool Kubun, reporting on the outcome of its evaluation via iterative expert interviews and a field study. The results suggest that the tool serves its preset goals of affording intuitive browsing for dedicated searches and serendipitous findings. While the first part of this work reports on the top-down development process of the ontology and related navigation tool, the second part presents in-depth research on specific learning-oriented game design elements to complement the overall research goal through a complementary bottom-up approach. Therein, two studies on learning-oriented game design elements are reported regarding their effect on performance, long-term learning outcome, and knowledge transfer. The studies are conducted with a game dedicated to teaching correct waste sorting. The first study focuses on a reward-based game design element in terms of its motivatory effect on perfect play. The second study evaluates two learning-enhancing game design elements, repeat and look-up, in terms of their contribution to a long-term learning outcome. The comprehensive insights gained through the in-depth research manifest in the design of a module dedicated to reporting research outcomes in the ontology. The dissertation concludes with a discussion on the studies’ varying limitations and an outlook on pathways for future research

    Preserving Virtual Worlds Final Report

    The Preserving Virtual Worlds project is a collaborative research venture of the Rochester Institute of Technology, Stanford University, the University of Maryland, the University of Illinois at Urbana-Champaign and Linden Lab, conducted as part of Preserving Creative America, an initiative of the National Digital Information Infrastructure and Preservation Program at the Library of Congress. The primary goals of our project have been to investigate issues surrounding the preservation of video games and interactive fiction through a series of case studies of games and literature from various periods in computing history, and to develop basic standards for metadata and content representation of these digital artifacts for long-term archival storage

    Organising and structuring a visual diary using visual interest point detectors

    As wearable cameras become more popular, researchers are increasingly focusing on novel applications to manage the large volume of data these devices produce. One such application is the construction of a Visual Diary from an individual’s photographs. Microsoft’s SenseCam, a device designed to passively record a Visual Diary and cover a typical day of the user wearing the camera, is an example of one such device. The vast quantity of images generated by these devices means that the management and organisation of these collections is not a trivial matter. We believe wearable cameras, such as SenseCam, will become more popular in the future and the management of the volume of data generated by these devices is a key issue. Although there is a significant volume of work in the literature in the object detection and recognition and scene classification fields, there is little work in the area of setting detection. Furthermore, few authors have examined the issues involved in analysing extremely large image collections (like a Visual Diary) gathered over a long period of time. An algorithm developed for setting detection should be capable of clustering images captured at the same real world locations (e.g. in the dining room at home, in front of the computer in the office, in the park, etc.). This requires the selection and implementation of suitable methods to identify visually similar backgrounds in images using their visual features. We present a number of approaches to setting detection based on the extraction of visual interest point detectors from the images. We also analyse the performance of two of the most popular descriptors - Scale Invariant Feature Transform (SIFT) and Speeded Up Robust Features (SURF). We present an implementation of a Visual Diary application and evaluate its performance via a series of user experiments. Finally, we also outline some techniques to allow the Visual Diary to automatically detect new settings, to scale as the image collection continues to grow substantially over time, and to allow the user to generate a personalised summary of their data

    Ontology based data warehousing for mining of heterogeneous and multidimensional data sources

    Heterogeneous and multidimensional big-data sources are prevalent in virtually all business environments. System and data analysts are unable to fast-track and access big-data sources. A robust and versatile data warehousing system is developed, integrating domain ontologies from multidimensional data sources. For example, petroleum digital ecosystems and digital oil field solutions, derived from big-data petroleum (information) systems, are in increasing demand in multibillion dollar resource businesses worldwide. This work is recognized by the Industrial Electronic Society of IEEE and has appeared in more than 50 international conference proceedings and journals