
    Detecting Hardware-assisted Hypervisor Rootkits within Nested Virtualized Environments

    Virtual machine introspection (VMI) is intended to provide a secure and trusted platform from which forensic information can be gathered about the true behavior of malware within a guest. However, it is possible for malware to escape a guest into the host and for hypervisor rootkits, such as BluePill, to stealthily transition a native OS into a virtualized environment. This research examines the effectiveness of selected detection mechanisms against hardware-assisted virtualization rootkits (HAV-R) within a nested virtualized environment. It presents the design, implementation, analysis, and evaluation of a hypervisor rootkit detection system which exploits both processor and translation lookaside buffer-based mechanisms to detect hypervisor rootkits within a variety of nested virtualized systems. It evaluates the effects of different types of virtualization on hypervisor rootkit detection and explores the effectiveness of in-guest HAV-R obfuscation efforts. The results provide convincing evidence that the HAV-Rs are detectable in all SVMI scenarios examined, regardless of HAV-R or virtualization type. Also, that the selected detection techniques are effective at detection of HAV-R within nested virtualized environments, and that the type of virtualization implemented in a VMI system has minimal to no effect on HAV-R detection. Finally, it is determined that in-guest obfuscation does not successfully obfuscate the existence of HAV-R.

    A MODEL OF DIGITAL PIANO TRAINING SYSTEM TO IMPROVE THE COMPREHENSIVE PERFORMANCE OF PRE-SCHOOL EDUCATION MAJOR STUDENTS: A CASE STUDY AT A PUBLIC UNIVERSITY IN HUNAN, CHINA

    The purpose of this study is to improve the digital piano comprehensive teaching level of students majoring in preschool education in Hunan province, China. This is a mixed method research, which includes both qualitative and quantitative data. The researcher conducted semi-structured interviews with 8 digital piano group teachers; it is concluded that the digital piano group teachers seldom use the complete teaching system and effective technology to integrate into the actual teaching activities. The researcher then utilized the TPACK framework to select Piano Performance Skills, Digital Piano Teaching level and Basic Music theory as Training and evaluation to construct a Digital Piano Training System (DPTS). The DPTS system was tested at a public university in Hunan province that offers a digital piano course and has 360 pre-school students; 30 students were selected and given a one-month. After comparing pre and posttest, the results revealed that after receiving the DPTS training system, students have significantly improved in three aspects: Piano Performance Skills, Digital Piano Teaching level and Basic Music theory. Therefore, it was concluded and confirmed that the DPTS was an effective teaching tool in piano teaching for preschool education major students. As a result, the institutions should consider implementing DPTS as one of the piano teaching strategies.

    Multimedia Distribution Process Tracking for Android and iOS

    The crime of illegally filming and distributing images or videos worldwide is increasing day by day. With the increasing penetration rate of smartphones, there has been a rise in crimes involving secretly taking pictures of people's bodies and distributing them through messengers. However, little research has been done on these related issues. The crime of distributing media using the world's popular messengers, WhatsApp and Telegram, is continuously increasing. It is also common to see criminals distributing illegal footage through various messengers to avoid being caught in the investigation network. As these crimes increase, there will continue to be a need for professional investigative personnel, and the time required for criminal investigations will continue to increase. In this paper, we propose a multimedia forensic method for tracking footprints by checking the media information that changes when images and videos shot with a smartphone are transmitted through instant messengers. We have selected 11 of the world's most popular instant messengers and two secure messengers. In addition, we selected the most widely used Android and iOS operating systems for smartphones. Through this study, we were able to confirm that it is possible to trace footprints related to the distribution of instant messengers by analyzing transmitted images and videos. Thus, it was possible to determine which messengers were used to distribute the video when it was transmitted through multiple messengers. Comment: 10 page

    An analysis into the exploitation of the post-attendee URL feature in Zoom webinar regarding malware transmission

    In response to the COVID-19 pandemic, large businesses and organizations relied on video conferencing applications such as Zoom to maintain public health guidelines, due in part to their robust set of features to facilitate productive group events while maintaining social distancing recommendations. While Zoom has many features that can be found in similar video conferencing applications, Zoom also contains a plethora of unique and cutting-edge features to entice modern users. However, when new features are introduced, an inherent risk of vulnerability exploitation has the potential to overshadow the benefits of the feature. One such vulnerable feature within Zoom webinar that is often overlooked is the post-attendee URL, a feature that allows Zoom webinar hosts to set a URL that participants will be redirected to after joining. This study aims to showcase the vulnerabilities of this feature by utilizing URLs of malicious websites and direct download links of files to transmit malware to Zoom webinar participants of the desktop application version of Zoom webinar. This study will also provide an analysis of the residual digital artifacts that are left behind when this feature is utilized, to provide digital forensic examiners with the ability to create a comprehensive timeline of events for cases involving this type of attack.

    An information presentation method based on tree-like super entity component

    Information systems are increasingly oriented in the direction of large-scale integration due to the explosion of multi-source information. It is therefore important to discuss how to reasonably organize and present information from multiple structures and sources on the same information system platform. In this study, we propose a 3C (Components, Connections, Container) component model by combining white-box and black-box methods, design a tree-like super entity based on the model, present its construction and related algorithm, and take a tree-like super entity as the information organization method for multi-level entities. In order to represent structural, semi-structural and non-structural data on the same information system platform, an information presentation method based on an editable e-book component has been developed by combining the tree-like super entity component, QQ-style menu and 1/K switch connection component, which has been successfully applied in the Flood Protection Project Information System of the Yangtze River in China. © 2011 Elsevier Inc.

    Intensional Cyberforensics

    This work focuses on the application of intensional logic to cyberforensic analysis, and its benefits and difficulties are compared with the finite-state-automata approach. This work extends the use of the intensional programming paradigm to the modeling and implementation of a cyberforensics investigation process with backtracing of event reconstruction, in which evidence is modeled by multidimensional hierarchical contexts, and proofs or disproofs of claims are undertaken in an eductive manner of evaluation. This approach is a practical, context-aware improvement over the finite state automata (FSA) approach we have seen in previous work. As a base implementation language model, we use in this approach a new dialect of the Lucid programming language, called Forensic Lucid, and we focus on defining hierarchical contexts based on intensional logic for the distributed evaluation of cyberforensic expressions. We also augment the work with credibility factors surrounding digital evidence and witness accounts, which have not been previously modeled. The Forensic Lucid programming language, used for this intensional cyberforensic analysis, is formally presented through its syntax and operational semantics. In large part, the language is based on its predecessor and codecessor Lucid dialects, such as GIPL, Indexical Lucid, Lucx, Objective Lucid, and JOOIP, bound by the underlying intensional programming paradigm. Comment: 412 pages, 94 figures, 18 tables, 19 algorithms and listings; PhD thesis; v2 corrects some typos and refs; also available on Spectrum at http://spectrum.library.concordia.ca/977460

    The Comparison Performance of Digital Forensic Tools Using Additional Root Access Options

    This research used MiChat and SayHi as materials for forensic investigations using three different tools, namely MOBILedit, Magnet Axiom, and Belkasoft. These three tools will show each performance in the forensic process. We also added a rooting process as an option if data cannot be extracted optimally even when using these three applications. The result of this study shows that the cases studied with processes without root access and with root access have the aim of complementing each other in obtaining evidence, so that these two processes complement each other's shortcomings. The main contribution of this research is a recommendation of a tool based on the best performance shown during the forensic process with rooting access and without rooting access. Based on the comparison, Magnet Axiom is superior with a total of 34 items of data found without root access, while MOBILedit is 30 items and 30 items for Belkasoft. In the comparison using root access, Magnet Axiom and MOBILedit are superior with a total of 36 items found in Magnet Axiom without root access, while MOBILedit is 36 items and 33 items for Belkasoft. Based on the test results, it can be concluded that the recommended tool according to the used scenario is Magnet Axiom.

    Mobile Forensic Investigation on iOS & Android Smartphones: Case Study Investigation on WhatsApp

    Following the exponential growth of information and communication technologies, the smartphone market, as well as advances in wireless data networks (3G and 4G), has accelerated. Mobile apps for social networking and instant messaging have been created by these firms. Other instant messaging (IM) smartphone programs like WhatsApp (WA), Viber, and IMO have also been created. WA is the most widely used instant messaging program. With WA, you can send and receive messages in a variety of formats, including text, voice, video, and documents. Various cybercrime incidents were committed through WA. WA use leaves several artifacts that may be examined to detect the digital evidence. In addition, iOS and Android are two of the most popular smartphone operating systems. Because of this, the inquiry will involve the use of forensic investigative techniques and methodologies. Forensics on both iOS and Android cellphones were utilized to investigate a digital crime that was believed to have been perpetrated in WA. To conclude the investigation, we analyzed chat logs, phone records, and other media to gather proof. Legal framework and established processes were used to guarantee that evidence was preserved from change or destruction and that the witness's account was acceptable in court throughout the investigative process. It was finally stated that the inquiry and evidence had been presented. As a result, WA forensic artifacts might be evaluated and found effectively utilizing the mobile forensic procedure.

    The Comment, March 8, 1984


    Trustworthy IAP: An Intelligent Applications Profiler to Investigate Vulnerabilities of Consumer Electronic Devices

    As a typical representative of the Internet of Energy (IoE) intelligent era, consumer electronic (CE) devices continue to evolve at a remarkable pace. Computers, as typical and essential CE devices, have been instrumental in enhancing efficiency, communication, entertainment, and information access. As part of this evolution, a significant trend in computer design focuses on achieving low power consumption while maintaining high performance. For instance, a computer's central processing unit (CPU) dynamically modulates its output power in response to the varying workload demands of running applications. However, these power efficiency mechanisms may inadvertently introduce implicit patterns into the operational states of CE devices. Particularly, the power consumption of a CE device executing various tasks can manifest distinguishable temporal patterns, thereby exposing potential vulnerabilities. Thus, this work aims to investigate the vulnerabilities of CE devices on power consumption mechanisms. We focus on exploring the possibility of using alternating current (AC) power consumption to infer the running applications on a consumer computer. To achieve that, we construct a physical attack system that employs data acquisition, processing, classification, and inference stages to establish a "profiler" for application profiling. The extensive experiment results on the self-collected power consumption dataset (36 applications) demonstrate the effectiveness of the attacking system.