10,185 research outputs found
Calm before the storm: the challenges of cloud computing in digital forensics
Cloud computing is a rapidly evolving information technology (IT) phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host their software applications, organizations are increasingly deploying their infrastructure into remote, virtualized environments, often hosted and managed by third parties. This development has significant implications for digital forensic investigators, equipment vendors, law enforcement, as well as corporate compliance and audit departments (among others). Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several new research challenges addressing this changing context are also identified and discussed
A Forensically Sound Adversary Model for Mobile Devices
In this paper, we propose an adversary model to facilitate forensic
investigations of mobile devices (e.g. Android, iOS and Windows smartphones)
that can be readily adapted to the latest mobile device technologies. This is
essential given the ongoing and rapidly changing nature of mobile device
technologies. An integral principle and significant constraint upon forensic
practitioners is that of forensic soundness. Our adversary model specifically
considers and integrates the constraints of forensic soundness on the
adversary, in our case, a forensic practitioner. One construction of the
adversary model is an evidence collection and analysis methodology for Android
devices. Using the methodology with six popular cloud apps, we were successful
in extracting various information of forensic interest in both the external and
internal storage of the mobile device
HyBIS: Windows Guest Protection through Advanced Memory Introspection
Effectively protecting the Windows OS is a challenging task, since most
implementation details are not publicly known. Windows has always been the main
target of malwares that have exploited numerous bugs and vulnerabilities.
Recent trusted boot and additional integrity checks have rendered the Windows
OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows
Virtual Machines are becoming an increasingly interesting attack target. In
this work we introduce and analyze a novel Hypervisor-Based Introspection
System (HyBIS) we developed for protecting Windows OSes from malware and
rootkits. The HyBIS architecture is motivated and detailed, while targeted
experimental results show its effectiveness. Comparison with related work
highlights main HyBIS advantages such as: effective semantic introspection,
support for 64-bit architectures and for latest Windows (8.x and 10), advanced
malware disabling capabilities. We believe the research effort reported here
will pave the way to further advances in the security of Windows OSes
A forensically-enabled IASS cloud computing architecture
Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures largely due to the dynamic nature of the cloud. Whilst much research has focused upon identifying the problems that are introduced with a cloud-based system, to date there is a significant lack of research on adapting current digital forensic tools and techniques to a cloud environment. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated by the very nature of the multi-tenanted operating environment. Thus, investigators have no option but to rely on cloud providers to acquire evidence, assuming they would be willing or are required to by law. Furthermore, the evidence collected by the Cloud Service Providers (CSPs) is still questionable as there is no way to verify the validity of this evidence and whether evidence has already been lost. This paper proposes a forensic acquisition and analysis model that fundamentally shifts responsibility of the data back to the data owner rather than relying upon a third party. In this manner, organisations are free to undertaken investigations at will requiring no intervention or cooperation from the cloud provider. The model aims to provide a richer and complete set of admissible evidence than what current CSPs are able to provide
Forensic Attacks Analysis and the Cyber Security of Safety-Critical Industrial Control Systems
Industrial Control Systems (ICS) and SCADA (Supervisory Control And Data Acquisition) applications monitor
and control a wide range of safety-related functions. These include energy generation where failures could have
significant, irreversible consequences. They also include the control systems that are used in the manufacture of
safety-related products. In this case bugs in an ICS/SCADA system could introduce flaws in the production of
components that remain undetected before being incorporated into safety-related applications. Industrial Control
Systems, typically, use devices and networks that are very different from conventional IP-based infrastructures.
These differences prevent the re-use of existing cyber-security products in ICS/SCADA environments; the
architectures, file formats and process structures are very different. This paper supports the forensic analysis of
industrial control systems in safety-related applications. In particular, we describe how forensic attack analysis is
used to identify weaknesses in devices so that we can both protect components but also determine the information
that must be analyzed during the aftermath of a cyber-incident. Simulated attacks detect vulnerabilities; a risk-based
approach can then be used to assess the likelihood and impact of any breach. These risk assessments are then used
to justify both immediate and longer-term countermeasures
Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones
We present the forensic analysis of the artifacts generated on Android
smartphones by ChatSecure, a secure Instant Messaging application that provides
strong encryption for transmitted and locally-stored data to ensure the privacy
of its users.
We show that ChatSecure stores local copies of both exchanged messages and
files into two distinct, AES-256 encrypted databases, and we devise a technique
able to decrypt them when the secret passphrase, chosen by the user as the
initial step of the encryption process, is known.
Furthermore, we show how this passphrase can be identified and extracted from
the volatile memory of the device, where it persists for the entire execution
of ChatSecure after having been entered by the user, thus allowing one to carry
out decryption even if the passphrase is not revealed by the user.
Finally, we discuss how to analyze and correlate the data stored in the
databases used by ChatSecure to identify the IM accounts used by the user and
his/her buddies to communicate, as well as to reconstruct the chronology and
contents of the messages and files that have been exchanged among them.
For our study we devise and use an experimental methodology, based on the use
of emulated devices, that provides a very high degree of reproducibility of the
results, and we validate the results it yields against those obtained from real
smartphones
A comparison of forensic evidence recovery techniques for a windows mobile smart phone
<p>Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats complicating decoding and presentation.</p>
<p>A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to
what extent these tools can present a complete view of the information held on a mobile device, or the extent the results produced by different tools are consistent.</p>
<p>This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device; and that in some cases the information recovered is
conflicting.</p>
Recommended from our members
Forensically-Sound Analysis of Security Risks of using Local Password Managers
Password managers have been developed to address the human challenges associated with password security, i.e., to solve usability issues in a secure way. They offer, e.g., features to create strong passwords, to manage the increasing number of passwords a typical user has, and to auto-fill passwords, sparing users the hassle of not only remembering but also typing them. Previous studies have focused mainly on the security analysis of cloud-based and browser-based password managers; security of local password managers remains mostly under-explored. This paper takes a forensic approach and reports on a case study of three popular local password managers: KeePass (v2.28), Password Safe (v3.35.1) and RoboForm (v7.9.12). Results revealed that either the master password or the content of the password database could be found unencrypted in Temp folders, Page files or Recycle bin, even after the applications had been closed. Therefore, an attacker or malware with temporary access to the computer on which the password managers were running may be able to steal sensitive information, even though these password managers are meant to keep the databases encrypted and protected at all times
Memory acquisition: A 2-Take approach
When more and more people recognize the value of volatile data, live forensics gains more weight in digital forensics. It is often used in parallel with traditional pull-the-plug forensics to provide a more reliable result in forensic examination. One of the core components in live forensics is the collection and analysis of memory volatile data, during which the memory content is acquired for searching of relevant evidential data or investigating various computer processes to unveil the activities being performed by a user. However, this conventional method may have weaknesses because of the volatile nature of memory data and the absence of original data for validation. This may cause implication to the admissibility of memory data at the court of law which requires strict authenticity and reliability of evidence. In this paper, we discuss the impact of various memory acquisition methods and suggest a 2-Take approach which aims to enhance the confidence level of the acquired memory data for legal proceedings. © 2009 IEEE.published_or_final_versionThe 2009 International Workshop on Forensics for Future Generation Communication Environments (F2GC-09) in conjunction with CSA 2009, Jeju Island, Korea, 10-12 December 2009. In Proceedings of CSA, 2009, p. 1-
- …