208 research outputs found

    Comparison of recovery requirements with investigation requirements for intrusion management systems

    Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2002. Includes bibliographical references (leaves: 52-54). Text in English; abstract in Turkish and English. ix, 54 leaves.
    Computer system resources and all data contained in the system may need to be protected against the increasing number of unauthorized accesses, manipulations and malicious intrusions. This thesis is concerned with intrusion management systems and especially with their investigation and recovery subsystems. The goals of these systems are to investigate intrusion attempts and recover from intrusions as fast as possible. In order to achieve these goals, we should accept the fact that some intrusion attempts will eventually be successful, and take the necessary precautions. After an intrusion has taken place, the focus should be on the assessment: looking at what damage has occurred, how it happened, and what changes can be made to prevent such attacks in the future. In this thesis, the requirements of the investigation and recovery processes are determined and related guidelines developed. The similarities and differences between these guidelines are explained.

    Software Engineering Challenges for Investigating Cyber-Physical Incidents

    Cyber-Physical Systems (CPS) are characterized by the interplay between digital and physical spaces. This characteristic has extended the attack surface that could be exploited by an offender to cause harm. An increasing number of cyber-physical incidents may occur depending on the configuration of the physical and digital spaces and their interplay. Traditional investigation processes are not adequate to investigate these incidents, as they may overlook the extended attack surface resulting from such interplay, leading to relevant evidence being missed and to flawed hypotheses explaining the incidents being tested. The software engineering research community can contribute to addressing this problem by deploying existing formalisms to model digital and physical spaces, and by using analysis techniques to reason about their interplay and evolution. In this paper, supported by a motivating example, we describe some emerging software engineering challenges to support investigations of cyber-physical incidents. We review and critique existing research proposed to address these challenges, and sketch an initial solution based on a meta-model to represent cyber-physical incidents and a representation of the topology of digital and physical spaces that supports reasoning about their interplay.

    The Proceedings of 14th Australian Digital Forensics Conference, 5-6 December 2016, Edith Cowan University, Perth, Australia

    Conference Foreword
    This is the fifth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers, with a number from local and international authors. 11 papers were submitted and, following a double blind peer review process, 8 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included, but not been limited to, the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year. To our sponsors and supporters, a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable.
    Yours sincerely,
    Conference Chair
    Professor Craig Valli
    Director, Security Research Institute

    The Big Data Collection Problem of Little Mobile Devices

    There should be little question that mobile device-based data are discoverable if relevant. However, as was the case with ordinary computer-based data a decade or more ago, there is a tendency to believe that there is only one way to collect such data: “forensically.”

    Forensic investigation of social networking applications

    Social networking applications such as Facebook, Twitter and LinkedIn may be involved in instances of misuse such as copyright infringement, data protection violations, defamation, identity theft, harassment, and dissemination of confidential information and malware that can affect both organizations and individuals. In this paper we examine the computer forensic process of obtaining digital evidence from social networking applications and the legal aspects of doing so. Currently there do not appear to be commonly available guidelines for organizations aimed specifically at the computer forensic investigation of social networking applications.

    A Digital Forensic Readiness Approach for e-Supply Chain Systems

    The internet has had a major impact on how information is shared within supply chains, and in commerce in general. This has resulted in the establishment of information systems such as e-supply chains (eSCs), amongst others, which integrate the internet and other information and communications technology (ICT) with traditional business processes for the swift transmission of information between trading partners. Many organisations have reaped the benefits that come from adopting the eSC model, but have also faced the challenges that come with it. One such major challenge is information security. With the current state of cybercrime, system developers are challenged with the task of developing cutting-edge digital forensic readiness (DFR) systems that can keep up with current technological advancements, such as eSCs. Hence, this research highlights the lack of a well-formulated eSC-DFR approach that can assist system developers in the development of e-supply chain digital forensic readiness systems. The main objective of such a system is that it must be able to provide law enforcement and digital forensic investigators that operate on eSC platforms with forensically sound and readily available potential digital evidence that can expedite and support digital forensic incident-response processes. This approach, if implemented, can also prepare trading partners for security incidents that might take place, if not prevent them from occurring. Therefore, the work presented in this research is aimed at providing a procedural approach, based on digital forensic principles, for eSC system architects and eSC network service providers to follow in the design of eSC-DFR tools.
    The author proposes an eSC-DFR process model and eSC-DFR system architectural design that was implemented as part of this research, illustrating the concepts of evidence collection, evidence pre-analysis, evidence preservation and system usability alongside other digital forensic principles and techniques. It is the view of the authors that the conclusions drawn from this research can spearhead the development of cutting-edge eSC-DFR systems that are intelligent, effective, user friendly and compliant with international standards.
    Dissertation (MEng)--University of Pretoria, 2019. Computer Science. MSc. Unrestricted.

    Digital Forensic Readiness in Mobile Device Management Systems

    Mobile devices have become very popular, and virtually everyone owns a smart device. As more employees became owners of smart devices, organisations were put under pressure to allow employees to use their smart devices for work purposes, or alternatively to provide employees with smart devices. Most organisations opted for a Bring Your Own Device policy, where employees use their own smart devices for work purposes, with the organisation reimbursing some of the costs. Adopting such a policy introduced risks into the organisations, since the organisations do not own and do not have direct control over employees' personal devices. One of the most widely used solutions to this problem is Mobile Device Management (MDM) software, which is installed on employees' devices and prevents them from taking actions that may be harmful to the organisation. This leads us to the problem statement of this research. Since MDM systems are purely preventative and devices are not owned by the organisation, it is expensive and sometimes impossible for organisations to retrieve potential evidence from the devices when an incident occurs. This research proposes a model to solve this problem by introducing a digital forensic readiness component into an MDM system. Adding digital forensic readiness to an existing MDM solution reduces costs by collecting evidence when suspicious activity is detected, reducing investigation times and the legal costs involved in collecting evidence. A prototype was created to show that the proposed model could be implemented in practice. The prototype shows how this solution can be utilised to collect data from devices and use it in an investigation. Finally, the research and prototype are critically evaluated, and the benefits and shortcomings of such a solution are presented. The author also addresses privacy concerns arising from the data collection component.
    Dissertation (MSc)--University of Pretoria, 2018. Computer Science. MSc. Unrestricted.