
    Android forensics: Automated data collection and reporting from a mobile device

    As Android smartphones gain popularity, industry and government will face increasing pressure to integrate them into their environments. The deployment of these devices in an enterprise can save on costs and add capabilities previously unavailable; however, the organizations that incorporate this technology must be prepared to mitigate the associated risks. These devices can contain vast amounts of personal and work-related data that can impact internal investigations, including (but not limited to) those of policy violations, intellectual property theft, misuse, embezzlement, sabotage, and espionage. Physical access has been the traditional method for retrieving data useful to these investigations from Android devices, with the exception of some limited collection abilities in commercial mobile device management systems and remote enterprise forensics tools. As part of this thesis, a prototype enterprise monitoring system for Android smartphones was developed to continuously collect many of the data sets of interest to incident responders, security auditors, proactive security monitors, and forensic investigators. Many of the data sets covered were not found in other available enterprise monitoring tools. The prototype system neither requires root access privileges nor exploits weaknesses in the Android architecture for proper operation, thereby increasing interoperability among Android devices and avoiding a spyware classification for the system. An anti-forensics analysis of the system was performed to identify and further strengthen areas vulnerable to tampering. The results of this research include the release of the first open-source Android enterprise monitoring solution of its kind, a comprehensive guide to data sets available for collection without elevated privileges, and the introduction of a novel design strategy implementing various Android application components useful for monitoring on the Android platform.

    Re-compression Based JPEG Forgery Detection and Localization with Optimal Reconstruction

    In today's media-saturated society, digital images act as the primary carrier for the majority of information that flows around us. However, because of the advent of highly sophisticated, easy-to-use image processing tools, modifying images has become easy. Joint Photographic Experts Group (JPEG) is the most widely used format, prevalent today as a world-wide standard, for compression and storage of digital images. Almost all present-day digital cameras use the JPEG format for image acquisition and storage, due to its efficient compression features and optimal space requirement. In this proposed work we aim to detect malicious tampering of JPEG images, and subsequently reconstruct the forged image optimally. We deal with the lossy JPEG image format in this paper, which is more widely adopted than its lossless counterpart. The proposed technique is capable of detecting single as well as multiple forged regions in a JPEG image. We aim to achieve optimal reconstruction, since JPEG, being a lossy technique, under no condition allows 100% reconstruction. The proposed reconstruction is optimal in the sense that we aim to obtain a form of the image as close to its original form as possible, apart from eliminating the effects of forgery from the image. In this work, we exploit the inherent characteristics of JPEG compression and re-compression for forgery detection and reconstruction of JPEG images. To prove the efficiency of our proposed technique we compare it with other JPEG forensic techniques, and using quality metric measures we assess the visual quality of the reconstructed image.

    Forensic imaging and analysis of Apple iOS devices

    In this thesis we present our research on digital forensics on the iOS platform, structured along three areas: forensic imaging; forensic analysis; and anti-forensic techniques. In the field of forensic imaging, we demonstrate that the iPad can control external storage devices attached via USB, using Apple's Camera Connection Kit adapters. This results in a 30x speed boost compared to the traditional Wi-Fi transfer. In terms of forensic analysis, we found that printing documents wirelessly via AirPrint leaves a trace in the device that, when recovered, reveals the full contents of the documents that have been printed. Finally, in terms of anti-forensics, we created a proof-of-concept tool that disables a number of system services used by forensic tools to retrieve data. The tool also applies other hardening measures aimed at preventing the abuse of the services that remain activated.

    Cybersecurity: Past, Present and Future

    The digital transformation has created a new digital space known as cyberspace. This new cyberspace has improved the workings of businesses, organizations, governments, society as a whole, and the day-to-day life of the individual. With these improvements come new challenges, and one of the main challenges is security. The security of this new cyberspace is called cybersecurity. Cyberspace has created new technologies and environments such as cloud computing, smart devices, IoTs, and several others. To keep pace with these advancements in cyber technologies there is a need to expand research and develop new cybersecurity methods and tools to secure these domains and environments. This book is an effort to introduce the reader to the field of cybersecurity, highlight current issues and challenges, and provide future directions to mitigate or resolve them. The main specializations of cybersecurity covered in this book are software security, hardware security, the evolution of malware, biometrics, cyber intelligence, and cyber forensics. We must learn from the past, evolve our present and improve the future. Based on this objective, the book covers the past, present, and future of these main specializations of cybersecurity. The book also examines the upcoming areas of research in cyber intelligence, such as hybrid augmented and explainable artificial intelligence (AI). Human and AI collaboration can significantly increase the performance of a cybersecurity system. Interpreting and explaining machine learning models, i.e., explainable AI, is an emerging field of study and has great potential to improve the role of AI in cybersecurity.
    Comment: Author's copy of the book published under ISBN: 978-620-4-74421-

    Web Browser Private Mode Forensics Analysis

    To maintain the privacy of end consumers, browser vendors provide a very good feature in the browser called Private Mode. As per the browser vendors, Private Mode ensures that Cookies, Temporary Internet Files, Webpage history, Form data and passwords, Anti-phishing cache, Address bar and search AutoComplete, Automatic Crash Restore (ACR) and Document Object Model (DOM) storage information are not stored on the system [45]. To put the browser vendors' claim to the test, I set up a test to confirm the claims. During the first test the file system was monitored for all reads and writes. In the second test an image of the RAM was taken after the browser was used in private mode. The image was analyzed to check if the RAM contained any data related to the user's browsing. The browsers chosen to perform this test were: Internet Explorer, Firefox, Google Chrome and Safari. During the file system monitoring analysis for the browsers in private mode it was found that Google Chrome and Firefox didn't write any data to the file system. Safari wrote data to just a single file called WebpageIcons.db. Internet Explorer wrote browsing data to the file system and then deleted it. This data can be recovered using any recovery tool such as Recuva. During the memory dump based analysis for the browsers in private mode, it was found that browser data was recoverable for all the browsers. Therefore, from a data privacy perspective, Google Chrome and Firefox are safer to use than Safari and Internet Explorer.

    Security of Forensic Techniques for Digital Images

    Digital images are used everywhere in modern life and have mostly replaced traditional photographs. At the same time, due to the popularity of image editing tools, digital images can be altered, often leaving no obvious evidence. Thus, evaluating image authenticity is indispensable. Image forensic techniques are used to detect forgeries in digital images in the absence of embedded watermarks or signatures. Nevertheless, some legitimate or illegitimate image post-processing operations can affect the quality of the forensic results. Therefore, the reliability of forensic techniques needs to be investigated. Reliability is understood in this case as robustness against image post-processing operations or security against deliberate attacks. In this work, we first develop a general test framework, which is used to assess the effectiveness and security of image forensic techniques under common conditions. We design different evaluation metrics, image datasets, and several different image post-processing operations as part of the framework. Secondly, we build several image forensic tools based on selected algorithms for detecting copy-move forgeries, re-sampling artifacts, and manipulations in JPEG images. The effectiveness and robustness of the tools are evaluated using the developed test framework. Thirdly, for each selected technique, we develop several targeted attacks. The aim of a targeted attack against a forensic technique is to remove the forensic evidence present in forged images. Subsequently, by using the test framework and the targeted attacks, we can thoroughly evaluate the security of the forensic technique. We show that image forensic techniques are often sensitive and can be defeated when their algorithms are publicly known. Finally, we develop new forensic techniques which achieve higher security in comparison with state-of-the-art forensic techniques.

    Using Principal Component Analysis to Improve Fallout Characterization

    Previous research conducted at Lawrence Livermore National Laboratory (LLNL) and the Air Force Institute of Technology (AFIT) has shown a correlation between actinide location and elemental composition in fallout from historic weapons testing. Fifty spherical fallout samples were collected from near ground zero of a surface burst weapons test. The samples were mounted in an aluminum puck, then ground and polished to a hemisphere exposing the central plane. Physical morphologies of the samples ranged from clear to opaque with inclusions, voids, and/or uniform characteristics. Spectroscopy data were collected using optical microscopes and scanning electron microscopy (SEM), with radioactivity recorded through autoradiography. Principal component analysis (PCA) was used to quantify the variations within the samples and to determine the correlations between major elemental compositions and the incorporation of unspent nuclear fuel. Principal component analysis identified four statistically significant principal components accounting for 78% of the variation within the spectroscopy data. Principal component analysis was demonstrated to be a suitable mathematical approach to solving the complex system of elemental variables while establishing correlations to actinide incorporation within the fallout samples. A model was developed using spot sampling to categorize the samples, identifying three classes of samples. The model correctly identified samples with above-average uniform activity, thereby identifying samples with high forensic value for recovery of unspent nuclear fuel. Final analysis of the full elemental composition and the correlation with regions of increased activity for all fifty samples is currently being completed.