578 research outputs found

    Detection of malicious VBA macros using machine learning methods

    Since their appearance in 1994 in the Concept virus, VBA macros remain a preferred choice for malware authors. There are two main attack techniques when it comes to document-based malware: exploits and VBA macros, with the latter applied in the vast majority of threats. Although Microsoft have added multiple security features in an attempt to protect users against malicious macros, such protections are often easily circumvented by simple social engineering techniques. Anti-virus companies can no longer rely on static signatures due to the rate at which new macro malware is distributed, and thus are tasked with employing a more proactive approach to threat detection. This paper details the literature on machine learning methods for the detection of VBA macro malware. Further, a machine learning system for the detection of VBA macro malware is proposed and evaluated. A Random Forest classifier achieves a true positive detection rate of 98.9875% with a false positive detection rate of 1.07% over a set of 611 mixed (benign and malicious) malware samples.

    The Advanced Framework for Evaluating Remote Agents (AFERA): A Framework for Digital Forensic Practitioners

    Digital forensics experts need a dependable method for evaluating evidence-gathering tools. Limited research and resources challenge this process, and the lack of multi-endpoint data validation hinders reliability in distributed digital forensics. A framework was designed to evaluate distributed agent-based forensic tools while enabling practitioners to self-evaluate and demonstrate evidence reliability as required by the courts. Grounded in Design Science, the framework features guidelines, data, criteria, and checklists. Expert review enhances its quality and practicality.

    Digital forensics trends and future

    Nowadays, the rapid evolution of computers and mobile phones has led to these devices being used in criminal activities. Providing appropriate and sufficient security measures is a difficult job due to the complexity of these devices, which makes investigating crimes involving them even harder. Digital forensics is the procedure of investigating computer crimes in the cyber world. Much research has been done in this area to help forensic investigation resolve existing challenges. This paper attempts to look into trends in the application of digital forensics and security in various aspects and provide some estimations about future research trends in this area.

    Taxonomy of the Snowden Disclosures

    This brief Essay offers a proposed taxonomy of the Snowden Disclosures. An informed discussion on the legality and constitutionality of the emerging cybersurveillance and mass dataveillance programs revealed by former NSA contractor Edward Snowden necessitates the furtherance of cybersurveillance aptitude. This Essay contends, therefore, that a detailed examination of the Snowden disclosures requires not just a careful inquiry into the legal and constitutional framework that guides the oversight of these programs. A close interrogation also requires a careful inquiry into the big data architecture that guides them. This inquiry includes examining the underlying theories of data science and the rationales of big data-driven policymaking that may drive the expansion of big data cybersurveillance. These technological, theoretical, and policymaking movements are occurring within what has been termed by scholars as the National Surveillance State. Better understanding the manner in which intelligence gathering may be shifting away from small data surveillance methods and toward the adoption of big data cybersurveillance methods—and assessing the efficacy of this shift—can factually ground future debates on how best to constrain comprehensive and ubiquitous surveillance technologies at the dawn of the National Surveillance State.

    Introductory Computer Forensics

    INTERPOL (International Police) built cybercrime programs to keep up with emerging cyber threats, and aims to coordinate and assist international operations for fighting crimes involving computers. Although significant international efforts are being made in dealing with cybercrime and cyber-terrorism, finding effective, cooperative, and collaborative ways to deal with complicated cases that span multiple jurisdictions has proven difficult in practice.

    An evaluation of the ‘open source internet research tool’: a user-centred and participatory design approach with UK law enforcement

    As part of their routine investigations, law enforcement conducts open source research; that is, investigating and researching using publicly available information online. Historically, the notion of collecting open sources of information is as ingrained as the concept of intelligence itself. However, utilising open source research in UK law enforcement is a relatively new concept, not generally, or practically, considered until after the civil unrest seen in the UK’s major cities in the summer of 2011. While open source research focuses on the understanding of being ‘publicly available’, there are legal, ethical and procedural issues that law enforcement must consider. This raises the following main research question: What constraints do law enforcement face when conducting open source research? From a legal perspective, law enforcement officials must ensure their actions are necessary and proportionate, more so where an individual’s privacy is concerned under human rights legislation and data protection laws such as the General Data Protection Regulation. Privacy issues appear, though, when considering the boom and usage of social media, where lines can be easily blurred as to what is public and private. Guidance from the Association of Chief Police Officers (ACPO) and, now, the National Police Chief’s Council (NPCC) tends to be non-committal in tone, but nods towards obtaining legal authorisation under the Regulation of Investigatory Powers Act (RIPA) 2000 when conducting what may be ‘directed surveillance’. RIPA, however, pre-dates the modern era of social media by several years, so its applicability as the de-facto piece of legislation for conducting higher levels of open source research is called into question. 22 semi-structured interviews with law enforcement officials were conducted and discovered a grey area surrounding legal authorities when conducting open source research.
    From a technical and procedural aspect of conducting open source research, officers used a variety of software tools that varied both in price and quality, with no standard toolset. This was evidenced by 20 questionnaire responses from 12 police forces within the UK. In an attempt to bring about standardisation, the College of Policing’s Research, Identifying and Tracing the Electronic Suspect (RITES) course recommended several capturing and productivity tools. Trainers on the RITES course, however, soon discovered the cognitive overload this placed on the cohort, who would often spend more time learning to use the tools than learning about open source research techniques. The problem highlighted above prompted the creation of the Open Source Internet Research Tool (OSIRT), an all-in-one browser for conducting open source research. OSIRT’s creation followed the user-centred design (UCD) method, with two phases of development using the software engineering methodologies ‘throwaway prototyping’, for the prototype version, and ‘incremental and iterative development’ for the release version. OSIRT has since been integrated into the RITES course, which trains over 100 officers a year and provides a feedback outlet for OSIRT. System Usability Scale questionnaires administered on RITES courses have shown OSIRT to be usable, with feedback being positive. Beyond the RITES course, surveys, interviews and observations also show OSIRT makes an impact on everyday policing and has reduced the burden officers faced when conducting open source research. OSIRT’s impact now reaches beyond the UK and sees usage across the globe. OSIRT contributes to law enforcement output in countries such as the USA, Canada, Australia and even Israel, demonstrating that OSIRT’s usefulness and necessity are not only applicable to UK law enforcement. This thesis makes several contributions both academically and from a practical perspective to law enforcement.
    The main contributions are:
    • Discussion and analysis of the constraints law enforcement within the UK face when conducting open source research from a legal, ethical and procedural perspective.
    • Discussion, analysis and reflective discourse surrounding the development of a software tool for law enforcement and the challenges faced in what is a unique development.
    • An approach to collaborating with those who are in ‘closed’ environments, such as law enforcement, to create bespoke software. Additionally, this approach offers a method of measuring the value and usefulness of OSIRT with UK law enforcement.
    • The creation and integration of OSIRT into law enforcement and law enforcement training packages.

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.

    A Survey of Social Network Forensics

    Social networks in any form, specifically online social networks (OSNs), are becoming a part of our everyday life in this new millennium, especially with advanced and simple communication technologies delivered through easily accessible devices such as smartphones and tablets. The data generated through the use of these technologies need to be analyzed for forensic purposes when criminal and terrorist activities are involved. In order to deal with the forensic implications of social networks, current research on both digital forensics and social networks needs to be incorporated and understood. This will help digital forensics investigators to predict, detect and even prevent criminal activities in different forms. It will also help researchers to develop new models and techniques in the future. This paper provides a literature review of social network forensics methods, models, and techniques in order to give an overview to researchers for their future work as well as to law enforcement investigators for their investigations when crimes are committed in cyberspace. It also provides awareness and defense methods for OSN users in order to protect them against social attacks.