
    An Argumentation-Based Reasoner to Assist Digital Investigation and Attribution of Cyber-Attacks

    We expect an increase in the frequency and severity of cyber-attacks that comes along with the need for efficient security countermeasures. The process of attributing a cyber-attack helps to construct efficient and targeted mitigating and preventive security measures. In this work, we propose an argumentation-based reasoner (ABR) as a proof-of-concept tool that can help a forensics analyst during the analysis of forensic evidence and the attribution process. Given the evidence collected from a cyber-attack, our reasoner can assist the analyst during the investigation process, by helping him/her to analyze the evidence and identify who performed the attack. Furthermore, it suggests to the analyst where to focus further analyses by giving hints of the missing evidence or new investigation paths to follow. ABR is the first automatic reasoner that can combine both technical and social evidence in the analysis of a cyber-attack, and that can also cope with incomplete and conflicting information. To illustrate how ABR can assist in the analysis and attribution of cyber-attacks we have used examples of cyber-attacks and their analyses as reported in publicly available reports and online literature. We do not mean to either agree or disagree with the analyses presented therein or reach attribution conclusions.
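The abstract describes a reasoner that accepts conflicting and incomplete evidence and points the analyst at what is still undecided. The block below is an added illustration, not the ABR tool itself: it encodes attribution hypotheses and the evidence that supports or undercuts them as an abstract argumentation framework (Dung's grounded semantics) and labels each argument accepted, defeated or undecided. The arguments, the attack relation and the case are constructed for the example and are not taken from any real report.

```python
"""Grounded-semantics reasoning over conflicting attribution evidence.

Added illustration, not the ABR tool from the paper: attribution hypotheses
and the evidence for or against them form an abstract argumentation
framework; the grounded extension decides what survives the conflicts.
All arguments and attacks below are constructed for the example.
"""
from typing import Dict, Set, Tuple

# Constructed arguments (hypothetical case).
ARGS: Dict[str, str] = {
    "A1": "sample shares code with a toolkit attributed to group X, so X is behind it",
    "A2": "that toolkit leaked publicly, so code reuse does not identify the operator",
    "A3": "C2 domains were registered with an address used in X's earlier campaigns",
    "A4": "build timestamps cluster in X's working hours",
    "A5": "build timestamps are trivially forged, so A4 carries no weight",
    "A6": "timestamps are consistent across 40 samples; forging all of them is unlikely",
    "A7": "an unverified leak claims the registrant address was planted as a false flag",
}
# (attacker, attacked).  A3 and A7 attack each other: neither can be defended
# without further evidence, which is exactly what the reasoner should surface.
ATTACKS: Set[Tuple[str, str]] = {
    ("A2", "A1"), ("A5", "A4"), ("A6", "A5"), ("A7", "A3"), ("A3", "A7"),
}


def grounded_extension(args: Dict[str, str], attacks: Set[Tuple[str, str]]) -> Set[str]:
    """Least fixed point of F(S) = {a : every attacker of a is attacked by some member of S}.

    Starting from the empty set, each round accepts the arguments whose
    attackers are all defeated by already-accepted arguments, and stops when
    a round changes nothing.  Unattacked arguments are accepted in round one.
    """
    attackers = {a: {x for (x, y) in attacks if y == a} for a in args}
    accepted: Set[str] = set()
    while True:
        defeated = {y for (x, y) in attacks if x in accepted}
        nxt = {a for a in args if attackers[a] <= defeated}
        if nxt == accepted:
            return accepted
        accepted = nxt


def label_arguments(args: Dict[str, str], attacks: Set[Tuple[str, str]]) -> Dict[str, str]:
    """IN = accepted, OUT = defeated by an accepted argument, UNDEC = unresolved conflict."""
    acc = grounded_extension(args, attacks)
    out = {y for (x, y) in attacks if x in acc}
    return {a: "IN" if a in acc else ("OUT" if a in out else "UNDEC") for a in args}


def investigation_hints(args: Dict[str, str], attacks: Set[Tuple[str, str]]) -> list:
    """UNDEC arguments are where new evidence would change the outcome."""
    labels = label_arguments(args, attacks)
    return sorted(a for a, lab in labels.items() if lab == "UNDEC")


if __name__ == "__main__":
    for arg, lab in sorted(label_arguments(ARGS, ATTACKS).items()):
        print(f"{arg} {lab:5} {ARGS[arg]}")
    print("needs more evidence:", investigation_hints(ARGS, ATTACKS))
```

On this constructed case the code-reuse argument A1 is defeated, the timezone argument A4 survives because its attacker A5 is itself defeated, and the registrant-address argument A3 stays undecided until something breaks its mutual attack with A7. Adding one more argument that attacks A7 (for instance registrar records showing the address predates the alleged leak) flips A3 to accepted, which is the "where to look next" hint the abstract describes.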

    Forensicloud: An Architecture for Digital Forensic Analysis in the Cloud

    The amount of data that must be processed in current digital forensic examinations continues to rise. Both the volume and diversity of data are obstacles to the timely completion of forensic investigations. Additionally, some law enforcement agencies do not have the resources to handle cases of even moderate size. To address these issues we have developed an architecture for a cloud-based distributed processing platform we have named Forensicloud. This architecture is designed to reduce the time taken to process digital evidence by leveraging the power of a high performance computing platform and by adapting existing tools to operate within this environment. Forensicloud's Software-as-a-Service and Infrastructure-as-a-Service models allow investigators to use remote virtual environments for investigating digital evidence. These environments allow investigators to use licensed and unlicensed tools that they may not have had access to before and allow some of these tools to be run on computing clusters.

    Human decision-making in computer security incident response

    Background: Cybersecurity has risen to international importance. Almost every organization will fall victim to a successful cyberattack. Yet, guidance for computer security incident response analysts is inadequate. Research Questions: What heuristics should an incident analyst use to construct general knowledge and analyse attacks? Can we construct formal tools to enable automated decision support for the analyst with such heuristics and knowledge? Method: We take an interdisciplinary approach. To answer the first question, we use the research tradition of philosophy of science, specifically the study of mechanisms. To answer the question on formal tools, we use the research tradition of program verification and logic, specifically Separation Logic. Results: We identify several heuristics from biological sciences that cybersecurity researchers have re-invented to varying degrees. We consolidate the new mechanisms literature to yield heuristics related to the fact that knowledge is of clusters of multi-field mechanism schema on four dimensions. General knowledge structures such as the intrusion kill chain provide context and provide hypotheses for filling in details. The philosophical analysis answers this research question, and also provides constraints on building the logic. Finally, we succeed in defining an incident analysis logic resembling Separation Logic and translating the kill chain into it as a proof of concept. Conclusion: These results benefit incident analysis, enabling it to expand from a tradecraft or art to also integrate science. Future research might realize our logic into automated decision-support. Additionally, we have opened the field of cybersecurity to collaboration with philosophers of science and logicians.

    Laetoli's lost tracks: 3D generated mean shape and missing footprints.

    The Laetoli site (Tanzania) contains the oldest known hominin footprints, and their interpretation remains open to debate, despite over 35 years of research. The two hominin trackways present are parallel to one another, one of which is a composite formed by at least two individuals walking in single file. Most researchers have focused on the single, clearly discernible G1 trackway while the G2/3 trackway has been largely dismissed due to its composite nature. Here we report the use of a new technique that allows us to decouple the G2 and G3 tracks for the first time. In so doing we are able to quantify the mean footprint topology of the G3 trackway and render it usable for subsequent data analyses. By restoring the effectively 'lost' G3 track, we have doubled the available data on some of the rarest traces directly associated with our Pliocene ancestors.

    Cyber Black Box/Event Data Recorder: Legal and Ethical Perspectives and Challenges with Digital Forensics

    With ubiquitous computing and the growth of the Internet of Things, there is vast expansion in the deployment and use of event data recording systems in a variety of environments. From the ships' logs of antiquity through the evolution of personal devices for recording personal and environmental activities, these devices offer rich forensic and evidentiary opportunities that collide with rights of privacy and personality. The technical configurations of these devices provide for greater scope of sensing, interconnection options for local, near, and cloud storage of data, and the possibility of powerful analytics. This creates the unique situation of near-total data profiles on the lives of others. We examine legal and ethical issues of such in the American and transnational environment.

    Forensic science in combat of human trafficking

    Although Forensic Science has become a crucial part of the investigation of many types of crime, the low number of scientific publications on the usage of Forensic Science to eliminate Human Trafficking or to speed up crime investigation has given rise to the idea of conducting research on the role of Forensic Science in the investigation of Human Trafficking cases. The following literature review aims at judging the current importance of Forensic Science in solving and preventing Human Trafficking cases, at gathering ideas for the introduction of novel techniques and at identifying gaps of research within this field. For this purpose, a wider view, also addressing socio-economic topics, was applied.

    Digital forensics research using constraint programming

    In this dissertation we present a new and innovative approach to Digital Forensics analysis, based on Declarative Programming approaches, more specifically Constraint Programming methodologies, to describe and solve Digital Forensics problems. With this approach we allow for an intuitive, descriptive and more efficient method to analyze digital equipment data. The work described herein enables the description of a Digital Forensics Problem (DFP) as a Constraint Satisfaction Problem (CSP) and, with the help of a CSP solver, reaching a solution to such a problem, if it exists, which can be a set of elements or pieces of evidence that match the initial problem description. Summary (translated from Portuguese): Digital forensics research using constraint programming. In this dissertation we present a new and innovative approach to Digital Forensics analysis, based on Declarative Programming techniques, more specifically on Constraint Programming methodologies, to describe and solve Digital Forensics problems. This approach gives us a more intuitive, more descriptive and more efficient method for analysing data from digital equipment. The work described here allows a Digital Forensics Problem (DFP) to be described as a Constraint Satisfaction Problem (CSP) and, with the help of a CSP solver, a solution to be reached, if one exists, which can be a set of elements or pieces of evidence that match the initial problem description.
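The abstract says a forensic question can be written as variables, domains and constraints and handed to a solver, whose solutions are the artefacts that match the description. The following block is an added example, not the dissertation's own framework: a minimal backtracking CSP solver and one constructed question ("which login, database file and outbound connection form an exfiltration chain?") over three small, made-up artefact sets. The artefacts, the 600-second window and the 90% size heuristic are assumptions chosen for the illustration.

```python
"""A digital-forensics question expressed as a constraint satisfaction problem.

Added example, not the dissertation's own framework: a minimal backtracking
CSP solver over three constructed artefact sets (logins, files, outbound
connections).  Every solution is a set of artefacts matching the question.
"""
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed artefacts; times are seconds on a single timeline.
LOGINS = [
    {"id": "L1", "user": "alice", "t": 1000},
    {"id": "L2", "user": "bob", "t": 1500},
    {"id": "L3", "user": "alice", "t": 5000},
]
FILES = [
    {"path": "/home/alice/.cache/keys.db", "owner": "alice", "mtime": 1300, "size": 40_960},
    {"path": "/home/bob/notes.txt", "owner": "bob", "mtime": 1600, "size": 120},
    {"path": "/home/alice/export.sqlite", "owner": "alice", "mtime": 5200, "size": 2_000_000},
    {"path": "/tmp/staging.sqlite", "owner": "bob", "mtime": 1700, "size": 900_000},
]
CONNS = [
    {"id": "C1", "user": "alice", "t": 1400, "dst": "203.0.113.7:443", "bytes_out": 3_000},
    {"id": "C2", "user": "alice", "t": 5300, "dst": "203.0.113.7:443", "bytes_out": 2_100_000},
    {"id": "C3", "user": "bob", "t": 1800, "dst": "198.51.100.9:22", "bytes_out": 950_000},
]

WINDOW = 600  # assumed maximum seconds between consecutive steps of the chain

Constraint = Tuple[Sequence[str], Callable[..., bool]]


def solve(variables: Dict[str, List[dict]], constraints: List[Constraint]) -> List[dict]:
    """Enumerate all complete assignments that satisfy every constraint.

    Plain backtracking: a constraint is checked as soon as every variable in
    its scope is assigned, so bad partial assignments are pruned early.
    (Production solvers add propagation; the search shape is the same.)
    """
    order = list(variables)
    solutions: List[dict] = []

    def consistent(assignment: dict) -> bool:
        return all(
            pred(*(assignment[v] for v in scope))
            for scope, pred in constraints
            if all(v in assignment for v in scope)
        )

    def backtrack(i: int, assignment: dict) -> None:
        if i == len(order):
            solutions.append(dict(assignment))
            return
        var = order[i]
        for value in variables[var]:
            assignment[var] = value
            if consistent(assignment):
                backtrack(i + 1, assignment)
            del assignment[var]

    backtrack(0, {})
    return solutions


def within(later: int, earlier: int) -> bool:
    """True when `later` happens no more than WINDOW seconds after `earlier`."""
    return 0 <= later - earlier <= WINDOW


# The forensic question, as a CSP: one login, one file, one connection.
VARIABLES = {"login": LOGINS, "file": FILES, "conn": CONNS}
CONSTRAINTS: List[Constraint] = [
    (("file",), lambda f: f["path"].endswith((".db", ".sqlite"))),
    (("login", "file"), lambda lg, f: f["owner"] == lg["user"] and within(f["mtime"], lg["t"])),
    (("file", "conn"), lambda f, c: c["user"] == f["owner"] and within(c["t"], f["mtime"])),
    # the upload must be large enough to have carried the file (assumed 90% bound)
    (("file", "conn"), lambda f, c: c["bytes_out"] >= 0.9 * f["size"]),
]


def exfiltration_chains() -> List[Tuple[str, str, str]]:
    """Return (login id, file path, connection id) for every matching chain."""
    return [
        (s["login"]["id"], s["file"]["path"], s["conn"]["id"])
        for s in solve(VARIABLES, CONSTRAINTS)
    ]


if __name__ == "__main__":
    for chain in exfiltration_chains():
        print(chain)
```

The point of the formulation is that the investigator only writes the description (the constraints); the search is generic. Tightening the question is a matter of adding a constraint, such as restricting `dst` to addresses outside the organisation, rather than rewriting a script.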

    EviHunter: Identifying Digital Evidence in the Permanent Storage of Android Devices via Static Analysis

    Crimes, both physical and cyber, increasingly involve smartphones due to their ubiquity. Therefore, digital evidence on smartphones plays an increasingly important role in crime investigations. Digital evidence could reside in the memory and permanent storage of a smartphone. While we have witnessed significant progress on memory forensics recently, identifying evidence in the permanent storage is still an underdeveloped research area. Most existing studies on permanent-storage forensics rely on manual analysis or keyword-based scanning of the permanent storage. Manual analysis is costly, while keyword matching often misses the evidentiary data that do not have interesting keywords. In this work, we develop a tool called EviHunter to automatically identify evidentiary data in the permanent storage of an Android device. There could be thousands of files on the permanent storage of a smartphone. A basic question a forensic investigator often faces is which files could store evidentiary data. EviHunter aims to answer this question. Our intuition is that the evidentiary data were produced by apps; and an app's code has rich information about the types of data the app may write to a permanent storage and the files the data are written to. Therefore, EviHunter first pre-computes an App Evidence Database (AED) via static analysis of a large number of apps. The AED includes the types of evidentiary data and files that store them for each app. Then, EviHunter matches the files on a smartphone's permanent storage against the AED to identify the files that could store evidentiary data. We evaluate EviHunter on benchmark apps and 8,690 real-world apps. Our results show that EviHunter can precisely identify both the types of evidentiary data and the files that store them.
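The second stage described in the abstract, matching a device's files against a per-app evidence database, is shown below as an added example that is not the EviHunter tool. The AED here is hand-written rather than derived by static analysis, the package names and file listing are constructed, and the `/data/data/<pkg>/` layout and `*` wildcard convention are assumptions of the example.

```python
"""Matching device files against an app evidence database (AED).

Added example, not the EviHunter tool: the AED is hand-written rather than
produced by static analysis, and the device listing is constructed.  Given
per-app knowledge of which files hold which kinds of data, it decides which
files on a phone's storage are worth examining for a given evidence type.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed AED entries: path patterns as the app writes them ('*' marks
# parts chosen at run time, such as per-account directories) and the evidence
# types stored there.
AED: List[Dict] = [
    {"app": "com.example.chat", "pattern": "/data/data/com.example.chat/databases/msgstore.db",
     "types": ["text", "contact", "timestamp"]},
    {"app": "com.example.chat", "pattern": "/data/data/com.example.chat/files/Media/*/*.jpg",
     "types": ["image", "timestamp"]},
    {"app": "com.example.maps", "pattern": "/data/data/com.example.maps/shared_prefs/last_location.xml",
     "types": ["location", "timestamp"]},
    {"app": "com.example.maps", "pattern": "/data/data/com.example.maps/cache/tiles/*",
     "types": ["location"]},
    {"app": "com.example.wallet", "pattern": "/data/data/com.example.wallet/databases/tx-*.db",
     "types": ["payment", "timestamp"]},
]

# Constructed listing of a device's /data partition (a real extraction yields
# tens of thousands of paths).
DEVICE_FILES = [
    "/data/data/com.example.chat/databases/msgstore.db",
    "/data/data/com.example.chat/databases/msgstore.db-wal",
    "/data/data/com.example.chat/files/Media/user_8812/IMG_0012.jpg",
    "/data/data/com.example.chat/cache/http/3f2a.0",
    "/data/data/com.example.maps/shared_prefs/last_location.xml",
    "/data/data/com.example.maps/cache/tiles/14_8234_5471.png",
    "/data/data/com.example.wallet/databases/tx-2024.db",
    "/data/data/com.example.wallet/shared_prefs/settings.xml",
    "/data/data/com.other.game/files/save.bin",
]


def installed_apps(device_files: List[str]) -> set:
    """Package names present on the device, read off the /data/data/<pkg>/ layout."""
    pkgs = set()
    for p in device_files:
        parts = p.split("/")
        if len(parts) > 3 and parts[1] == "data" and parts[2] == "data":
            pkgs.add(parts[3])
    return pkgs


def match_evidence(device_files: List[str], aed: List[Dict],
                   wanted: Optional[str] = None) -> Dict[str, Tuple[str, List[str]]]:
    """Map each device file covered by an AED entry to (app, evidence types).

    Only entries for apps actually installed are consulted; when `wanted` is
    given, only files that may hold that evidence type are reported.
    """
    present = installed_apps(device_files)
    hits: Dict[str, Tuple[str, List[str]]] = {}
    for path in device_files:
        for entry in aed:
            if entry["app"] not in present:
                continue
            if not fnmatchcase(path, entry["pattern"]):
                continue
            if wanted is not None and wanted not in entry["types"]:
                continue
            hits[path] = (entry["app"], entry["types"])
    return hits


def unmatched(device_files: List[str], aed: List[Dict]) -> List[str]:
    """Files no AED entry explains: candidates for manual review, not for discarding."""
    covered = match_evidence(device_files, aed)
    return [p for p in device_files if p not in covered]


if __name__ == "__main__":
    for path, (app, types) in match_evidence(DEVICE_FILES, AED, wanted="location").items():
        print(f"{path}  <- {app} {types}")
    print("unexplained:", unmatched(DEVICE_FILES, AED))
```

The `unmatched` list is the practical check: on the constructed listing it contains `msgstore.db-wal`, the SQLite write-ahead log of a matched database, which an AED built only from the paths an app opens will not list. Sidecar files of that kind (`-wal`, `-journal`) routinely hold records not yet in the main database, so anything unexplained next to a hit deserves a look rather than being filtered out.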