Data flows of classified documents

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2010Nos dias de hoje à medida que a evolução dos produtos e serviços acelera cada vez mais, significa que a informação é hoje uma das mais valiosas propriedades de qualquer empresa. Quanto mais “imaterial” é o produto, tais como serviços, propriedade intelectual e media (vídeo, música, fotografia) mais importante é a questão. Este ciclo de vida acelerado torna a sua exposição maior do que em épocas anteriores, onde o desenvolvimento mais lento permitiu um maior controlo sobre eles e sua exposição. Outros factores são a participação de um número crescente de colaboradores que acedem às informações confidenciais. A crescente digitalização da informação e conectividade entre as diversas entidades num mundo ligado de uma forma rápida faz com que a segurança da informação seja um assunto mais complicado de lidar do que em épocas anteriores. Vários métodos e técnicas foram desenvolvidos para proteger a confidencialidade, integridade, autenticidade e autorização de acesso. Menos atenção tem sido dada para detectar de forma estruturada onde e por quem a segurança da informação pode estar sendo comprometida. Neste projecto propõe-se a usar alguns métodos para marcar e controlar o uso de informações confidenciais no interior das instalações da empresa. Devido à natureza de algumas das técnicas utilizadas, algumas preocupações com a privacidade podem ser levantadas, mas como este é apenas para uso com dados sensíveis que pertencem à companhia essas preocupações poderão ser devidamente contra-argumentadas. Neste trabalho o tipo de documento considerado é o da Microsoft Office Word 2007 que implementa um novo tipo de ficheiro que tem uma natureza aberta ao contrário de versões anteriores de formato binário e fechado. Uma vez que esta é uma ferramenta amplamente utilizada dentro das corporações, justifica-se assim a sua escolha. Outros casos possíveis seriam os ficheiros do Excel e do PowerPoint que também têm uma arquitectura aberta a partir do Office 2007. Fora do mundo do Office, o caso mais significativo são os ficheiros PDF, mas estes requerem uma abordagem completamente diferente devido a uma estrutura também ela muito diferente. Além disso existe para o Office algumas ferramentas que facilitam a implementação da solução. Esta solução destina-se a uma grande empresa de telecomunicações que preenche as considerações iniciais - que comercializa produtos imateriais - Serviços e media possui um considerável volume de propriedade intelectual devido ao seu contínuo apoio na investigação sobre novos produtos e serviços. Esta solução no entanto poderia ser concretizada em qualquer outro tipo de empresa que tenha o seu funcionamento apoiado em dados digitais, como é o caso da grande maioria das empresas de hoje em dia.The present acceleration of the evolution of products and services makes information one of the world’s greatest assets. The more "immaterial" is the product such as services, intellectual property (IP) and media the more important is the matter. This accelerated life cycle makes the exposure of information to threats bigger than in the past, when the slower development permitted a tighter control over the information itself and its exposure. Another contributing factor is the involvement of an increasing number of company collaborators in accessing sensitive information. The increasing digitalization of data and connectivity between entities in a connected and accelerated world makes the security of the information a more complicated subject to deal with than in previous eras. Several methods and techniques have been developed to protect information’s confidentiality, integrity, authenticity and access authorization. Less attention has been given to detect in a structured way where or by whom the information may be leaking out of the company. This project aims to contribute to the solution of this problem of detecting the leakage of sensitive data. For that purpose, the project proposes methods to tag and control the use of sensitive information within the company premises. Due to the nature of some of the techniques proposed, privacy concerns may rise, but since the techniques are for use only with sensitive data that belongs to the company, those concerns are possible to be argued with. In this work the considered document type is Microsoft Office Word 2007 which implements a new file type that has an open nature as opposed to previous binary and closed format versions. Since this is a widely used tool within corporations its choice is well justified. Other possible cases would be Excel and PowerPoint file types that also have an open architecture starting from Office 2007. Outside of the world of Microsoft Office the most prominent case is the pdf files, but those will require a completely different approach as the Office files have some well built tools to implement the intended features. This solution is aimed at a major telecom company that has the concerns mentioned above: it commercializes intangible products - services and media and owns considerable IP due to its ongoing support for the investigation of new products and services. This could nevertheless be deployed in any other type of company that supports its operation by way of electronic data, as is the case in the large majority of today’s enterprises

Computer crimes case simulation and design model : "Kitty" Exploitation and illicit drug activities.

The overall purpose of this graduate project is to provide digital forensics instructors at the University of Central Oklahoma (UCO) with a manually generated computer crimes case simulation that offers students a replicated real-world experience of what it is like being a practicing digital forensic examiner. This simulation offers digital forensic students an opportunity to apply their forensic knowledge and skills in a realistic environment. Secondarily, this project sought to develop a rudimentary computer crimes simulation design model. The case simulation provides scenario/simulation-based learning to future digital forensic students at UCO. The computer crimes simulation design model presents general steps and considerations that should be taken when generating similar digital forensic simulations. The generated simulation portrays typical kitty exploitation and illicit drug activities and consists of two computer crimes case scenarios, two sets of investigative notes, two search warrant affidavits, eight crime scene processing forms, a solution report with associated PowerPoint presentation for the instructors, the digital evidence, a bootable clone of the evidence, and a disk image of the evidence

Thwarting Attacks in Malcode-Bearing Documents by Altering Data Sector Values

Embedding malcode within documents provides a convenient means of attacking systems. Such attacks can be very targeted and difficult to detect to stop due to the multitude of document-exchange vectors and the vulnerabilities in modern document processing applications. Detecting malcode embedded in a document is difficult owing to the complexity of modern document formats that provide ample opportunity to embed code in a myriad of ways. We focus on Microsoft Word documents as malcode carriers as a case study in this paper. To detect stealthy embedded malcode in documents, we develop an arbitrary data transformation technique that changes the value of data segments in documents in such a way as to purposely damage any hidden malcode that may be embedded in those sections. Consequently, the embedded malcode will not only fail but also introduce a system exception that would be easily detected. The method is intended to be applied in a safe sandbox, the transformation is reversible after testing a document, and does not require any learning phase. The method depends upon knowledge of the structure of the document binary format to parse a document and identify the specific sectors to which the method can be safely applied for malcode detection. The method can be implemented in MS Word as a security feature to enhance the safety of Word documents

Prototype Digital Forensics Repository

The explosive growth in technology has led to a new league of a crime involving identity theft, stealing trade secrets, malicious virus attacks, hacking of DVD players, etc. The law enforcement community which has been trained to deal with traditional form of crime, is now being trained in a new realm of Digital Forensics. Forensics investigators have realized that often the most valuable resource available to them is experience and knowledge of fellow investigators. But there is seldom an explicit mechanism for disseminating this knowledge. Hence the same problems and mistakes continue to resurface and the same solutions are re-invented. In this Thesis we design and create a knowledge base, a Digital Forensics Repository, to support the sharing of experiences about the Forensics Investigation Process. It offers capabilities such as submission of lessons, online search and retrieval which will provide a means of querying into an ever increasing knowledge base

Prototype Digital Forensics Repository

The explosive growth in technology has led to a new league of a crime involving identity theft, stealing trade secrets, malicious virus attacks, hacking of DVD players, etc. The law enforcement community which has been trained to deal with traditional form of crime, is now being trained in a new realm of Digital Forensics. Forensics investigators have realized that often the most valuable resource available to them is experience and knowledge of fellow investigators. But there is seldom an explicit mechanism for disseminating this knowledge. Hence the same problems and mistakes continue to resurface and the same solutions are re-invented. In this Thesis we design and create a knowledge base, a Digital Forensics Repository, to support the sharing of experiences about the Forensics Investigation Process. It offers capabilities such as submission of lessons, online search and retrieval which will provide a means of querying into an ever increasing knowledge base

Introductory Computer Forensics

INTERPOL (International Police) built cybercrime programs to keep up with emerging cyber threats, and aims to coordinate and assist international operations for ?ghting crimes involving computers. Although signi?cant international efforts are being made in dealing with cybercrime and cyber-terrorism, ?nding effective, cooperative, and collaborative ways to deal with complicated cases that span multiple jurisdictions has proven dif?cult in practic

Forensic acquisition of file systems with parallel processing of digital artifacts to generate an early case assessment report

A evolução da maneira como os seres humanos interagem e realizam tarefas rotineiras mudou nas últimas décadas e uma longa lista de atividades agora somente são possíveis com o uso de tecnologias da informação – entre essas pode-se destacar a aquisição de bens e serviços, gestão e operações de negócios e comunicações. Essas transformações são visíveis também em outras atividades menos legítimas, permitindo que crimes sejam cometidos através de meios digitais. Em linhas gerais, investigadores forenses trabalham buscando por indícios de ações criminais realizadas por meio de dispositivos digitais para finalmente, tentar identificar os autores, o nível do dano causado e a história atrás que possibilitou o crime. Na sua essência, essa atividade deve seguir normas estritas para garantir que as provas sejam admitidas em tribunal, mas quanto maior o número de novos artefatos e maior o volume de dispositivos de armazenamento disponíveis, maior o tempo necessário entre a identificação de um dispositivo de um suspeito e o momento em que o investigador começa a navegar no mar de informações alojadas no dispositivo. Esta pesquisa, tem como objetivo antecipar algumas etapas do EDRM através do uso do processamento em paralelo adjacente nas unidades de processamento (CPU) atuais para para traduzir multiplos artefactos forenses do sistema operativo Windows 10 e gerar um relatório com as informações mais cruciais sobre o dispositivo adquirido. Permitindo uma análise antecipada do caso (ECA) ao mesmo tempo em que uma aquisição completa do disco está em curso, desse modo causando um impacto mínimo no tempo geral de aquisição

An examination of the Asus WL-HDD 2.5 as a nepenthes malware collector

The Linksys WRT54g has been used as a host for network forensics tools for instance Snort for a long period of time. Whilst large corporations are already utilising network forensic tools, this paper demonstrates that it is quite feasible for a non-security specialist to track and capture malicious network traffic. This paper introduces the Asus Wireless Hard disk as a replacement for the popular Linksys WRT54g. Firstly, the Linksys router will be introduced detailing some of the research that was undertaken on the device over the years amongst the security community. It then briefly discusses malicious software and the impact this may have for a home user. The paper then outlines the trivial steps in setting up Nepenthes 0.1.7 (a malware collector) for the Asus WL-HDD 2.5 according to the Nepenthes and tests the feasibility of running the malware collector on the selected device. The paper then concludes on discussing the limitations of the device when attempting to execute Nepenthes

Analysis and Concealment of Malware in an Adversarial Environment

Nowadays, users and devices are rapidly growing, and there is a massive migration of data and infrastructure from physical systems to virtual ones. Moreover, people are always connected and deeply dependent on information and communications. Thanks to the massive growth of Internet of Things applications, this phenomenon also affects everyday objects such as home appliances and vehicles. This extensive interconnection implies a significant rate of potential security threats for systems, devices, and virtual identities. For this reason, malware detection and analysis is one of the most critical security topics. The used detection strategies are well suited to analyze and respond to potential threats, but they are vulnerable and can be bypassed under specific conditions. In light of this scenario, this thesis highlights the existent detection strategies and how it is possible to deceive them using malicious contents concealment strategies, such as code obfuscation and adversarial attacks. Moreover, the ultimate goal is to explore new viable ways to detect and analyze embedded malware and study the feasibility of generating adversarial attacks. In line with these two goals, in this thesis, I present two research contributions. The first one proposes a new viable way to detect and analyze the malicious contents inside Microsoft Office documents (even when concealed). The second one proposes a study about the feasibility of generating Android malicious applications capable of bypassing a real-world detection system. Firstly, I present Oblivion, a static and dynamic system for large-scale analysis of Office documents with embedded (and most of the time concealed) malicious contents. Oblivion performs instrumentation of the code and executes the Office documents in a virtualized environment to de-obfuscate and reconstruct their behavior. In particular, Oblivion can systematically extract embedded PowerShell and non-PowerShell attacks and reconstruct the employed obfuscation strategies. This research work aims to provide a scalable system that allows analysts to go beyond simple malware detection by performing a real, in-depth inspection of macros. To evaluate the system, a large-scale analysis of more than 40,000 Office documents has been performed. The attained results show that Oblivion can efficiently de-obfuscate malicious macro-files by revealing a large corpus of PowerShell and non-PowerShell attacks in a short amount of time. Then, the focus is on presenting an Android adversarial attack framework. This research work aims to understand the feasibility of generating adversarial samples specifically through the injection of Android system API calls only. In particular, the constraints necessary to generate actual adversarial samples are discussed. To evaluate the system, I employ an interpretability technique to assess the impact of specific API calls on the evasion. It is also assessed the vulnerability of the used detection system against mimicry and random noise attacks. Finally, it is proposed a basic implementation to generate concrete and working adversarial samples. The attained results suggest that injecting system API calls could be a viable strategy for attackers to generate concrete adversarial samples. This thesis aims to improve the security landscape in both the research and industrial world by exploring a hot security topic and proposing two novel research works about embedded malware. The main conclusion of this research experience is that systems and devices can be secured with the most robust security processes. At the same time, it is fundamental to improve user awareness and education in detecting and preventing possible attempts of malicious infections

CSI4FS - A Markerless Augmented Reality Application for Forensic Science Crime Scene Investigation Training

A capstone submitted in partial fulfillment of the requirements for the degree of Doctor of Education in the College of Education at Morehead State University by Ian Levstein on April 9, 2018