Proceedings of the 15th Australian Digital Forensics Conference, 5-6 December 2017, Edith Cowan University, Perth, Australia

Conference Foreword This is the sixth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see a quality papers with a number from local and international authors. 8 papers were submitted and following a double blind peer review process, 5 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year. To our sponsors and supporters a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable. Yours sincerely, Conference ChairProfessor Craig ValliDirector, Security Research Institute Congress Organising Committee Congress Chair: Professor Craig Valli Committee Members: Professor Gary Kessler – Embry Riddle University, Florida, USA Professor Glenn Dardick – Embry Riddle University, Florida, USA Professor Ali Babar – University of Adelaide, Australia Dr Jason Smith – CERT Australia, Australia Associate Professor Mike Johnstone – Edith Cowan University, Australia Professor Joseph A. Cannataci – University of Malta, Malta Professor Nathan Clarke – University of Plymouth, Plymouth UK Professor Steven Furnell – University of Plymouth, Plymouth UK Professor Bill Hutchinson – Edith Cowan University, Perth, Australia Professor Andrew Jones – Khalifa University, Abu Dhabi, UAE Professor Iain Sutherland – Glamorgan University, Wales, UK Professor Matthew Warren – Deakin University, Melbourne Australia Congress Coordinator: Ms Emma Burk

INTEGRATION OF INTELLIGENCE TECHNIQUES ON THE EXECUTION OF PENETRATION TESTS (iPENTEST)

Penetration Tests (Pentests) identify potential vulnerabilities in the security of computer systems via security assessment. However, it should also benefit from widely recognized methodologies and recommendations within this field, as the Penetration Testing Execution Standard (PTES). The objective of this research is to explore PTES, particularly the three initial phases: 1. Pre-Engagement Interactions; 2. Intelligence Gathering; 3. Threat Modeling; and ultimately to apply Intelligence techniques to the Threat Modeling phase. To achieve this, we will use open-source and/or commercial tools to structure a process to clarify how the results were reached using the research inductive methodology. The following steps were implemented: i) critical review of the “Penetration Testing Execution Standard (PTES)”; ii) critical review of Intelligence Production Process; iii) specification and classification of contexts in which Intelligence could be applied; iv) definition of a methodology to apply Intelligence Techniques to the specified contexts; v) application and evaluation of the proposed methodology to real case study as proof of concept. This research has the ambition to develop a model grounded on Intelligence techniques to be applied on PTES Threat Modeling phase

Cognitive Machine Individualism in a Symbiotic Cybersecurity Policy Framework for the Preservation of Internet of Things Integrity: A Quantitative Study

This quantitative study examined the complex nature of modern cyber threats to propose the establishment of cyber as an interdisciplinary field of public policy initiated through the creation of a symbiotic cybersecurity policy framework. For the public good (and maintaining ideological balance), there must be recognition that public policies are at a transition point where the digital public square is a tangible reality that is more than a collection of technological widgets. The academic contribution of this research project is the fusion of humanistic principles with Internet of Things (IoT) technologies that alters our perception of the machine from an instrument of human engineering into a thinking peer to elevate cyber from technical esoterism into an interdisciplinary field of public policy. The contribution to the US national cybersecurity policy body of knowledge is a unified policy framework (manifested in the symbiotic cybersecurity policy triad) that could transform cybersecurity policies from network-based to entity-based. A correlation archival data design was used with the frequency of malicious software attacks as the dependent variable and diversity of intrusion techniques as the independent variable for RQ1. For RQ2, the frequency of detection events was the dependent variable and diversity of intrusion techniques was the independent variable. Self-determination Theory is the theoretical framework as the cognitive machine can recognize, self-endorse, and maintain its own identity based on a sense of self-motivation that is progressively shaped by the machine’s ability to learn. The transformation of cyber policies from technical esoterism into an interdisciplinary field of public policy starts with the recognition that the cognitive machine is an independent consumer of, advisor into, and influenced by public policy theories, philosophical constructs, and societal initiatives

Cybercrime: An Investigation of the Attitudes and Environmental Factors that Make People more Willing to Participate in Online Crime

Cybercrime incidence rates are increasing. In order to identify solutions to this problem, the sources of cybercrime need to be identified. This research attempted to identify a potential set of circumstances that create an environment in which people are more likely to engage in cybercrime. There are three aspects to this; (1) Behaviour on the internet – Are people more likely to engage in illicit activities online than in the physical world? (2) Crime Perceptions – Do people perceive cybercrime as being less serious than non-cybercrime? (3) Resources on the Internet – Are people aware of the types of free hacking resources that are available online? In order to address the first question, a review of the existing literature on the matter was carried out and conclusions drawn from it. The Online Disinhibition Effect is a key theory in this matter. Results from this review suggest that people are more likely to engage in illicit activities online than they are in the physical world. Addressing the second question was carried out in two stages. The first was an assessment of some of the free hacking resources that are available online such as tools and educational courses, based on predefined selection criteria. The content or function of these were established and they were rated across a number of factors. This information was fed into a survey to establish awareness of the existence of some of the tool functions, and opinions on course availability. The results from this research indicate that people are aware of the kind of functionality that is available from hacking tools online. The third question was addressed through another section of the survey in which participants were asked to rate the seriousness of 6 crime scenarios, three of which were cybercrimes, and three of which were non-cybercrimes. The same scenarios were used throughout the survey as participants were asked to determine appropriate sentences for each crime, and then judge the actual sentence that the crime was given. Results from this investigation indicate that people do view cybercrime as less serious than noncybercrimes. The results from these three streams of research indicate that they are combining to create an environment in which people more readily engage in cybercrime

Computer Criminal Profiling applied to Digital Investigations

This PhD thesis aims to contribute to the Cyber Security body of knowledge and its Computer Forensic field, still in its infancy when comparing with other forensic sciences. With the advancements of computer technology and the proliferation of cyber crime, offenders making use of computers range from state-sponsored cyber squads to organized crime rings; from cyber paedophiles to crypto miners abusing third-party computer resources. Cyber crime is not only impacting the global economy in billions of dollars annually; it is also a life-threatening risk as society is increasingly dependent on critical systems like those in air traffic control, hospitals or connected cars. Achieving cyber attribution is a step towards to identify, deter and prosecute offenders in the cyberspace, a domain among the top priorities for the UK National Security Strategy. However, the rapid evolution of cyber crime may be an unprecedented challenge in the forensic science history. Attempts to keep up with this pace often result in computer forensic practices limited to technical outcomes, like user accounts or IP addresses used by the offenders. Limitations are intensified when the current cyber security skill shortage contrasts with the vastness of digital crime scenes presented by cloud providers and extensive storage capacities or with the wide range of available anonymizing mechanisms. Quite often, offenders are remaining unidentified, unpunished, and unstoppable. As these anonymising mechanisms conceal offenders from a technological perspective, it was considered that they would not offer the same level of concealment from a behavioural standpoint. Therefore, in addition to the analysis of the state-of-theart of cyber crimes and anonymising mechanisms, the literature of traditional crimes and criminal psychology was reviewed, in an attempt to known what traits of human behaviour could be revealed by the evidence at a crime scene and how to recognize them. It was identified that the subdiscipline of criminology called criminal profiling helps providing these answers. Observing its success rate and benefits as a support tool in traditional investigations, it was hypothesized that a similar outcome could be achieved while investigating cyber crimes, providing that a framework could enable digital investigators to apply criminal profiling concepts in digital investigations. 2 Before developing the framework, the scope of this thesis was delimited to a subset of cyber crimes, consisting exclusively of computer intrusions cases. Also, among potential criminal profiling benefits, the reduction of the suspect pool, case linkage and optimization of investigative efforts were included in the scope. A SSH honeypot experiment based on Cowrie was designed and deployed in a public cloud infrastructure. In its first phase, a single honeypot instance was launched, protected by username and password and accepting connection attempts from any Internet address. Users that were able to guess a valid pair of credentials, after a random number of attempts providing strong passwords, were presented to a simple file system, in which all their interactions within the system were recorded and all downloaded attack tools were isolated and securely stored for their posterior analysis. In the second phase of the experiment, the honeypot infrastructure was expanded to a honeynet with 18 (eighteen) nodes, running in a total of 6 (six) geographic regions and making it possible the analysis of additional variables like location of the “victim” system, perceived influence from directory/file structure/contents and resistance levels to password attacks. After a period of approximately 18 (eighteen) months, more than 7 million connection attempts and 12 million authentication attempts were received by the honeynet, where more than 85,000 were able to successfully log into one of the honeynet servers. Offenders were able to interact with the simulated operating systems and their files, while enabling this research to identify behavioural patterns that proved to be useful not only to group offenders, but also to enrich individual offender profiles. Among these behavioural patterns, the choice of which commands and which parameters to run, the basis of the attack on automated versus manual means, the pairs of usernames and passwords that were provided to try to break the honeypot authentication, their response once a command was not successful, their intent on using specific attack tools and the motivation behind it, any level of caution presented and, finally, preferences for naming tools, temporary files or customized ports were some of the most relevant attributes. Based on the collected data set, such attributes successfully make it possible to narrow down the pools of suspects, to link different honeypot breakins to a same offender and to optimize investigative efforts by enabling the researcher to focus the analysis in a reduced area while searching for evidence. 3 In times when cyber security skills shortage is a concerning challenge and where profiling can play a critical role, it is believed that such a structured framework for criminal profiling within cyber investigations can help to make investigation of cyber crimes quicker, cheaper and more effective

Hackers: cybercriminals or not?

Treball Final de Grau en Criminologia i Seguretat. Codi: CS1044. Curs: 2018-2019The development and constant evolution of new technologies (ICTs) has originated a society that is constantly connected to the Internet. Obviously, this offers advantages, but it also creates important problems. There is always a fraction of people in all societies who act inappropriately, break the law or use illicit means to take advantage of others. The Internet provides a place for cybercriminals and allows them to exist and flourish. These recent years, issues concerning cyber security have received significant attention and have become a priority for many governments, organizations, and industries. Today, the technological advance is continuous and this brings crime new opportunities. One of this is the unauthorized access to computer networks. The current study focuses on this cybercrime, the hackers and the image that society has about them. In particular, a view of hackers that it is intended to distinguish them from cybercriminals and to assist law enforcement in understanding the way hackers think. The paper starts with the definition and history about hackers to continue with computer crimes from a criminology perspective and the way hackers are seen among people. Hacktivism, which is a new way of protest using the Internet, is addressed as well. Also, the paper presents laws, applicable to the computer crime, and highlights the issues about tracking and tracing these types of crimes by comparing United States and Spain

Cyber Law and Espionage Law as Communicating Vessels

Professor Lubin\u27s contribution is Cyber Law and Espionage Law as Communicating Vessels, pp. 203-225. Existing legal literature would have us assume that espionage operations and “below-the-threshold” cyber operations are doctrinally distinct. Whereas one is subject to the scant, amorphous, and under-developed legal framework of espionage law, the other is subject to an emerging, ever-evolving body of legal rules, known cumulatively as cyber law. This dichotomy, however, is erroneous and misleading. In practice, espionage and cyber law function as communicating vessels, and so are better conceived as two elements of a complex system, Information Warfare (IW). This paper therefore first draws attention to the similarities between the practices – the fact that the actors, technologies, and targets are interchangeable, as are the knee-jerk legal reactions of the international community. In light of the convergence between peacetime Low-Intensity Cyber Operations (LICOs) and peacetime Espionage Operations (EOs) the two should be subjected to a single regulatory framework, one which recognizes the role intelligence plays in our public world order and which adopts a contextual and consequential method of inquiry. The paper proceeds in the following order: Part 2 provides a descriptive account of the unique symbiotic relationship between espionage and cyber law, and further explains the reasons for this dynamic. Part 3 places the discussion surrounding this relationship within the broader discourse on IW, making the claim that the convergence between EOs and LICOs, as described in Part 2, could further be explained by an even larger convergence across all the various elements of the informational environment. Parts 2 and 3 then serve as the backdrop for Part 4, which details the attempt of the drafters of the Tallinn Manual 2.0 to compartmentalize espionage law and cyber law, and the deficits of their approach. The paper concludes by proposing an alternative holistic understanding of espionage law, grounded in general principles of law, which is more practically transferable to the cyber realmhttps://www.repository.law.indiana.edu/facbooks/1220/thumbnail.jp

AVOIDIT IRS: An Issue Resolution System To Resolve Cyber Attacks

Cyber attacks have greatly increased over the years and the attackers have progressively improved in devising attacks against specific targets. Cyber attacks are considered a malicious activity launched against networks to gain unauthorized access causing modification, destruction, or even deletion of data. This dissertation highlights the need to assist defenders with identifying and defending against cyber attacks. In this dissertation an attack issue resolution system is developed called AVOIDIT IRS (AIRS). AVOIDIT IRS is based on the attack taxonomy AVOIDIT (Attack Vector, Operational Impact, Defense, Information Impact, and Target). Attacks are collected by AIRS and classified into their respective category using AVOIDIT.Accordingly, an organizational cyber attack ontology was developed using feedback from security professionals to improve the communication and reusability amongst cyber security stakeholders. AIRS is developed as a semi-autonomous application that extracts unstructured external and internal attack data to classify attacks in sequential form. In doing so, we designed and implemented a frequent pattern and sequential classification algorithm associated with the five classifications in AVOIDIT. The issue resolution approach uses inference to educate the defender on the plausible cyber attacks. The AIRS can work in conjunction with an intrusion detection system (IDS) to provide a heuristic to cyber security breaches within an organization. AVOIDIT provides a framework for classifying appropriate attack information, which is fundamental in devising defense strategies against such cyber attacks. The AIRS is further used as a knowledge base in a game inspired defense architecture to promote game model selection upon attack identification. Future work will incorporate honeypot attack information to improve attack identification, classification, and defense propagation.In this dissertation, 1,025 common vulnerabilities and exposures (CVEs) and over 5,000 lines of log files instances were captured in the AIRS for analysis. Security experts were consulted to create rules to extract pertinent information and algorithms to correlate identified data for notification. The AIRS was developed using the Codeigniter [74] framework to provide a seamless visualization tool for data mining regarding potential cyber attacks relative to web applications. Testing of the AVOIDIT IRS revealed a recall of 88%, precision of 93%, and a 66% correlation metric

Cybersecurity: Threats Impacting the Nation

Testimony issued by the Government Accountability Office with an abstract that begins "The nation faces an evolving array of cyber-based threats arising from a variety of sources. These threats can be intentional or unintentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems, and intentional threats can be both targeted and untargeted attacks from a variety of threat sources. Sources of threats include criminal groups, hackers, terrorists, organization insiders, and foreign nations engaged in crime, political activism, or espionage and information warfare. These threat sources vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include monetary gain or political advantage, among others. Moreover, potential threat actors have a variety of attack techniques at their disposal, which can adversely affect computers, software, a network, an organizations operation, an industry, or the Internet itself. The nature of cyber attacks can vastly enhance their reach and impact due to the fact that attackers do not need to be physically close to their victims and can more easily remain anonymous, among other things. The magnitude of the threat is compounded by the ever-increasing sophistication of cyber attack techniques, such as attacks that may combine multiple techniques. Using these techniques, threat actors may target individuals, businesses, critical infrastructures, or government organizations.

A forensics and compliance auditing framework for critical infrastructure protection

Contemporary societies are increasingly dependent on products and services provided by Critical Infrastructure (CI) such as power plants, energy distribution networks, transportation systems and manufacturing facilities. Due to their nature, size and complexity, such CIs are often supported by Industrial Automation and Control Systems (IACS), which are in charge of managing assets and controlling everyday operations. As these IACS become larger and more complex, encompassing a growing number of processes and interconnected monitoring and actuating devices, the attack surface of the underlying CIs increases. This situation calls for new strategies to improve Critical Infrastructure Protection (CIP) frameworks, based on evolved approaches for data analytics, able to gather insights from the CI. In this paper, we propose an Intrusion and Anomaly Detection System (IADS) framework that adopts forensics and compliance auditing capabilities at its core to improve CIP. Adopted forensics techniques help to address, for instance, post-incident analysis and investigation, while the support of continuous auditing processes simplifies compliance management and service quality assessment. More specifically, after discussing the rationale for such a framework, this paper presents a formal description of the proposed components and functions and discusses how the framework can be implemented using a cloud-native approach, to address both functional and non-functional requirements. An experimental analysis of the framework scalability is also provided.info:eu-repo/semantics/publishedVersio