
    Forensic Memory Analysis for Apple OS X

    Analysis of raw memory dumps has become a critical capability in digital forensics because it gives insight into the state of a system that cannot be fully represented through traditional disk analysis. Interest in memory forensics has grown steadily in recent years, with a focus on the Microsoft Windows operating systems. However, similar capabilities for Linux and Apple OS X have lagged by comparison. The volafox open source project has begun work on structured memory analysis for OS X. The tool currently supports a limited set of kernel structures to parse hardware information, system build number, process listing, loaded kernel modules, syscall table, and socket connections. This research addresses one memory analysis deficiency on OS X by introducing a new volafox module for parsing file handles. When open files are mapped to a process, an examiner can learn which resources the process is accessing on disk. This listing is useful for determining what information may have been the target of exfiltration or modification on a compromised system. Comparing the output of the developed module with the UNIX lsof (list open files) command on two versions of OS X and two kernel architectures validates the methodology used to extract file handle information.

    Applying Memory Forensics to Rootkit Detection

    Volatile memory dumping and its analysis are an essential part of digital forensics. Among the many software and hardware approaches to memory dumping, some authors point out that certain approaches are not resilient to anti-forensic techniques, while others require a reboot or are highly platform dependent. Newer resilient tools have their own disadvantages, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g. page tables. This paper describes a new memory forensic system, the Malware Analysis System for Hidden Knotty Anomalies (MASHKA). It is resilient to popular anti-forensic techniques, and it can be used for a wide range of memory forensics tasks. The paper describes how to apply the system to the research and detection of kernel mode rootkits and also presents an analysis of the most popular anti-rootkit tools.
    Comment: 25 pages, 3 figures, 8 tables. Paper presented at the Proceedings of the 9th annual Conference on Digital Forensics, Security and Law (CDFSL), 115-141, Richmond, VA, USA (2014, May 28-29).

    Detecting Peripheral-based Attacks on the Host Memory


    Conceptual metaphor in English popular technology and Greek translation

    This research project studies the metaphorical conceptualisation of technology in English popular technology magazines and in translation in the respective Greek editions. The focus is on the cognitive linguistic view of metaphor initially presented by Lakoff and Johnson (1980), on the metaphor identification procedure (Pragglejaz Group 2007), and on critical metaphor analysis (Charteris-Black 2004). The analysis of the English data identifies 14 main metaphors and 29 submetaphors which contribute to the structure of the target domain of technology. It distinguishes between conventional and novel metaphors, and between common and original metaphorical expressions, motivated by correlations in experience between diverse source domains and by the widespread diffusion and impact of technology. The English data also provide insight into the functions of these metaphors in popular technology discourse and reveal evidence of thinking, values and attitudes about technology in the English language. The analysis of the Greek data examines similarities and differences in the conceptualisations between the English and Greek languages and cultures, and finds similarities in the categories of metaphors, in the frequency of and preference for metaphor use in the source and target languages, and in the majority of metaphorical expressions. Similarities are based on common experiences stemming from experiential co-occurrence or experiential similarity, and on translated experience. Differences are restricted to specific-level metaphors and expressions, motivated by alternative conceptualisations of terminology, cultural specificity and preferential conceptualisations. A set of translation strategies and a number of possible translation effects are also identified.
    These strategies and effects add to the possibilities of translation variation and the range of translation options, and are used to draw conclusions regarding the similarities and differences between the English and Greek languages and cultures. Consequently, through the identification and description of metaphors in technology magazines and in translation, the study attempts to highlight aspects of the culture of technology, which views technology as a cultural artefact and a producer of its own culture.

    Android Malware Analysis through Live Memory Analysis

    Mobile devices are at the core of modern society. Their versatility has allowed third-party developers to build a rich experience for the user through mobile apps of all types (e.g. productivity, games, communications). As mobile platforms have become connected devices that gather nearly all of our personal and professional information, they are seen as a lucrative market by malware developers. Android is an open-source operating system from Google targeting specifically the mobile market, and it has been targeted by malicious activity due to its widespread adoption by consumers. As Android malware threatens many consumers, it is essential that research in malware analysis specifically address this mobile platform. The work conducted during this Master's focuses on the analysis of malware on the Android platform. This was achieved through a literature review of current malware trends and of the static and dynamic analysis approaches that exist to mitigate them. It was also proposed to explore live memory forensics applied to malware analysis as a complement to existing methods. To demonstrate the applicability of the approach and its relevance to Android malware, a case study was proposed in which an experimental malware sample was designed to exhibit malicious behaviours that are difficult to detect through current methods. The approach explored is called differential live memory analysis. It consists of analyzing the difference in the content of live memory before and after the deployment of the malware, in order to reduce the number of elements to examine. The results of the study have shown that this approach is promising and should be explored in future studies as a complement to current approaches, both to better detect Android malware and to automate its application.

    An Evaluation of Forensic Tools for Linux : Emphasizing EnCase and PyFlag

    This master's thesis provides an evaluation and comparison of several digital forensic tools, with a particular focus on two specific tools. The first is called EnCase Forensics and is a commercially available tool used by police and government authorities in several parts of the world. The second is called PyFlag and is an open source alternative that was used in the winning submission to the Digital Forensics Research Workshop (DFRWS) in 2008. Although the tools are evaluated as a whole, the main focus is on important search functionality. Considering that most of the research in the field is based on the Microsoft Windows platform, while less research has been carried out on the analysis of Linux systems, we examine these tools mainly in a Linux environment. With these tools we perform forensic acquisition and analysis of realistic data. In addition, a tool named dd is used to acquire data from Linux. This master's thesis contains the specified test procedures, the problems we encountered during the testing itself, and the final results.

    Digital forensics in the security of information systems based on Linux and Windows platforms

    Digital forensics is a multidisciplinary science which combines different scientific disciplines (computer science, law, criminology) and faces numerous challenges under conditions of mass generation of digital data (Big Data), virtualisation of the client and server side (Cloud Computing), incompatibility between standardisation bodies, and a general lack of standards and experts in all of the disciplines. Since digital forensics applies to all digital devices, the narrower scientific field includes numerous applications of digital forensics, such as computer forensics, mobile device forensics, forensics of modern automotive systems, sensor networks, etc. The narrower scientific field of computer forensics is analysed and applied in this paper. Digital forensics of computer systems based on Windows and Linux platforms is described, with a focus on specific points within the implemented system of proactive digital forensics that can indicate forensically relevant events critical for the security of the system. Numerous methodologies, technologies and techniques for investigating high-tech crime are described. The process of data collection and "live" digital forensic analysis is considered in detail. A short review is given of the features and typically required functionality of software forensic tools for initial response and for the recovery of data and partitions on magnetic disks. The most important digital forensic toolkits and their basic functionalities are also described. The paper highlights the most important elements that require special attention when performing digital forensic analysis in a virtual environment. The most important segments of the virtual environment itself are also explained, as well as the ways in which they can serve as important tools for the digital forensic analysis process.
    The last part of this paper focuses on the vulnerabilities of the Windows and Linux platforms, with the presented ways of malicious system intrusion. General vulnerabilities and specific vulnerabilities that apply only to Windows or only to Linux platforms are described. The most common ways of maliciously exploiting systems are also listed. Vulnerabilities of computer systems and networks can relate to programs, hardware, configuration and people. Leaving aside people as the most important and at the same time the most critical factor in protecting information, program vulnerabilities are typically used for direct online attacks or attacks with malicious programs. Detecting and removing vulnerabilities in system programs is one of the main goals of digital forensics. Besides collecting forensically relevant digital data and building strong digital evidence about a computer incident or crime for the purposes of the justice system, the goal of digital forensic analysis is to permanently remove the exploited vulnerabilities so that an incident or illegal activity of that kind never recurs. In this sense, the contribution of this paper is very significant. A practical example of examining service vulnerabilities on Windows and Linux platforms covered 80 operating systems. Of that number, 51 were Windows operating systems and 29 were Linux operating systems. The results derive from two years of research, since the system testing was performed in 2011 and 2013. By scanning and presenting the vulnerabilities of Windows and Linux systems installed by default, vulnerabilities that could potentially be exploited by security threats (malicious programs or malicious attackers) and thereby endanger computer systems and information are discovered preventively. By proactively removing these vulnerabilities, preventive protection is achieved. By establishing a system of proactive forensics, the logging of forensically relevant events, i.e. traces of attack attempts in real time, is ensured, which significantly eases the forensic investigation in case of an incident or illegal activity.