An Argumentation-Based Reasoner to Assist Digital Investigation and Attribution of Cyber-Attacks
We expect an increase in the frequency and severity of cyber-attacks, and with it a growing need for efficient security countermeasures. Attributing a cyber-attack helps to construct efficient and targeted mitigating and preventive security measures. In this work, we propose an argumentation-based reasoner (ABR) as a proof-of-concept tool that can help a forensics analyst during the analysis of forensic evidence and the attribution process. Given the evidence collected from a cyber-attack, our reasoner can assist the analyst during the investigation by helping him/her to analyze the evidence and identify who performed the attack. Furthermore, it suggests to the analyst where to focus further analyses by giving hints about missing evidence or new investigation paths to follow. ABR is the first automatic reasoner that can combine both technical and social evidence in the analysis of a cyber-attack, and that can also cope with incomplete and conflicting information. To illustrate how ABR can assist in the analysis and attribution of cyber-attacks, we have used examples of cyber-attacks and their analyses as reported in publicly available reports and online literature. We do not mean to either agree or disagree with the analyses presented therein or to reach attribution conclusions.
Forensicloud: An Architecture for Digital Forensic Analysis in the Cloud
The amount of data that must be processed in current digital forensic examinations continues to rise. Both the volume and diversity of data are obstacles to the timely completion of forensic investigations. Additionally, some law enforcement agencies do not have the resources to handle cases of even moderate size. To address these issues we have developed an architecture for a cloud-based distributed processing platform we have named Forensicloud. This architecture is designed to reduce the time taken to process digital evidence by leveraging the power of a high performance computing platform and by adapting existing tools to operate within this environment. Forensicloud’s Software as a Service and Infrastructure as a Service models allow investigators to use remote virtual environments for investigating digital evidence. These environments give investigators the ability to use licensed and unlicensed tools that they may not have had access to before, and allow some of these tools to be run on computing clusters.
Human decision-making in computer security incident response
Background: Cybersecurity has risen to international importance. Almost every organization will fall victim to a successful cyberattack. Yet, guidance for computer security incident response analysts is inadequate. Research Questions: What heuristics should an incident analyst use to construct general knowledge and analyse attacks? Can we construct formal tools to enable automated decision support for the analyst with such heuristics and knowledge? Method: We take an interdisciplinary approach. To answer the first question, we use the research tradition of philosophy of science, specifically the study of mechanisms. To answer the question on formal tools, we use the research tradition of program verification and logic, specifically Separation Logic. Results: We identify several heuristics from the biological sciences that cybersecurity researchers have re-invented to varying degrees. We consolidate the new mechanisms literature to yield heuristics related to the fact that knowledge consists of clusters of multi-field mechanism schema on four dimensions. General knowledge structures such as the intrusion kill chain provide context and provide hypotheses for filling in details. The philosophical analysis answers this research question, and also provides constraints on building the logic. Finally, we succeed in defining an incident analysis logic resembling Separation Logic and translating the kill chain into it as a proof of concept. Conclusion: These results benefit incident analysis, enabling it to expand from a tradecraft or art to also integrate science. Future research might realize our logic as automated decision support. Additionally, we have opened the field of cybersecurity to collaboration with philosophers of science and logicians.
Laetoli's lost tracks: 3D generated mean shape and missing footprints.
The Laetoli site (Tanzania) contains the oldest known hominin footprints, and their interpretation remains open to debate, despite over 35 years of research. The two hominin trackways present are parallel to one another, one of which is a composite formed by at least two individuals walking in single file. Most researchers have focused on the single, clearly discernible G1 trackway, while the G2/3 trackway has been largely dismissed due to its composite nature. Here we report the use of a new technique that allows us to decouple the G2 and G3 tracks for the first time. In so doing we are able to quantify the mean footprint topology of the G3 trackway and render it usable for subsequent data analyses. By restoring the effectively 'lost' G3 track, we have doubled the available data on some of the rarest traces directly associated with our Pliocene ancestors.
Cyber Black Box/Event Data Recorder: Legal and Ethical Perspectives and Challenges with Digital Forensics
With ubiquitous computing and the growth of the Internet of Things, there is a vast expansion in the deployment and use of event data recording systems in a variety of environments. From the ships’ logs of antiquity through the evolution of personal devices for recording personal and environmental activities, these devices offer rich forensic and evidentiary opportunities that collide with rights of privacy and personality. The technical configurations of these devices provide for a greater scope of sensing, interconnection options for local, near, and cloud storage of data, and the possibility of powerful analytics. This creates the unique situation of near-total data profiles on the lives of others. We examine the legal and ethical issues this raises in the American and transnational environment.
Forensic science in combat of human trafficking
Although Forensic Science has become a crucial part of the investigation of many types of crime, the low number of scientific publications on the use of Forensic Science to eliminate Human Trafficking or to speed up crime investigation has given rise to the idea of conducting research on the role of Forensic Science in the investigation of Human Trafficking cases. The following literature review aims at judging the current importance of Forensic Science in solving and preventing Human Trafficking cases, at gathering ideas for the introduction of novel techniques, and at identifying research gaps within this field. For this purpose, a wider view, also addressing socio-economic topics, was applied.
Digital forensics research using constraint programming
In this dissertation we present a new and innovative approach to Digital Forensics analysis, based on Declarative Programming approaches, more specifically Constraint Programming methodologies, to describe and solve Digital Forensics problems. With this approach we allow for an intuitive, descriptive and more efficient method to analyze digital equipment data.
The work described herein enables the description of a Digital Forensics Problem (DFP) as a Constraint Satisfaction Problem (CSP) and, with the help of a CSP solver, reaching a solution to such a problem, if it exists, which can be a set of elements or evidence that match the initial problem description.
Summary:
Digital Forensics Research Using Constraint Programming
In this dissertation we present a new and innovative approach to Digital Forensics analysis, based on Declarative Programming techniques, more specifically on Constraint Programming methodologies, to describe and solve Digital Forensics problems. With this approach, we are able to use a more intuitive, more descriptive and more efficient method to analyze data from digital equipment.
The work described here allows the description of a Digital Forensics Problem (PFD) as a Constraint Satisfaction Problem (PSR) and, with the help of a PSR "Solver", reaching a solution, if one exists, which can be a set of elements or evidence that match the initial description of the problem.
EviHunter: Identifying Digital Evidence in the Permanent Storage of Android Devices via Static Analysis
Crimes, both physical and cyber, increasingly involve smartphones due to their ubiquity. Therefore, digital evidence on smartphones plays an increasingly important role in crime investigations. Digital evidence could reside in the memory and permanent storage of a smartphone. While we have witnessed significant progress on memory forensics recently, identifying evidence in permanent storage is still an underdeveloped research area. Most existing studies on permanent-storage forensics rely on manual analysis or keyword-based scanning of the permanent storage. Manual analysis is costly, while keyword matching often misses evidentiary data that do not contain interesting keywords.
In this work, we develop a tool called EviHunter to automatically identify evidentiary data in the permanent storage of an Android device. There could be thousands of files on the permanent storage of a smartphone. A basic question a forensic investigator often faces is which files could store evidentiary data. EviHunter aims to answer this question. Our intuition is that the evidentiary data were produced by apps, and an app's code has rich information about the types of data the app may write to permanent storage and the files the data are written to. Therefore, EviHunter first pre-computes an App Evidence Database (AED) via static analysis of a large number of apps. The AED includes, for each app, the types of evidentiary data and the files that store them. Then, EviHunter matches the files on a smartphone's permanent storage against the AED to identify the files that could store evidentiary data.
We evaluate EviHunter on benchmark apps and 8,690 real-world apps. Our results show that EviHunter can precisely identify both the types of evidentiary data and the files that store them.
- …