6 research outputs found

    Forensic analysis model for instant messaging applications to obtain digital evidence

    The use of mobile phones is growing steadily worldwide, according to the Ericsson company's report on the evolution of subscribers associated with mobile phones. This report indicates that, by the end of 2022, there are an estimated 6.6 billion subscriptions, and the figure is expected to reach 7.8 billion in 2028. Among the applications most used by this large population of subscribers are instant messaging applications, according to the “State of mobile 2023” report from the data AI company (data.ai). The information stored in this type of application is varied; it includes data such as chats, audio, images, etc. Consequently, the amount of information that can be obtained from instant messaging applications is huge. In recent years, the main instant messaging applications have focused on end-to-end encryption as a preventive measure against attacks by cybercriminals. According to the company Kaspersky, on mobile phones running Android there is a considerable number of links containing malicious software that are transmitted through instant messaging applications such as WhatsApp and Telegram, among others. Since the information stored by instant messaging applications is becoming crucial evidence for obtaining information about security incidents and in judicial processes, measures must be taken to safeguard that evidence, such as the chain of custody to maintain its traceability and integrity, so that it can be used. In this thesis, a forensic analysis model for instant messaging applications to obtain digital evidence is presented. Additionally, various frameworks and models are shown as references for the construction of the proposed model. The purpose of this model is to understand, diagnose and improve the forensic level in instant messaging applications in organizations, state entities, among others. Finally, the practices that would provide greater robustness to the processes of different organizations in relation to the necessary security in the use of mobile phones are also presented. Trabajo de investigació

    UML class diagrams supporting formalism definition in the Draw-Net Modeling System

    The Draw-Net Modeling System (DMS) is a customizable framework supporting the design and the solution of models expressed in any graph-based formalism, thanks to an open architecture. Over the years, many formalisms (Petri Nets, Bayesian Networks, Fault Trees, etc.) have been included in DMS. A formalism defines all the primitives that can be used in a model (nodes, arcs, properties, etc.) and is stored in XML files. The paper describes a new way to manage formalisms: the user can create a new formalism by drawing a UML Class Diagram (CD); then the corresponding XML files are automatically generated. If instead the user intends to edit an existing formalism, a "reverse engineering" function generates the CD from the XML files. The CD can be handled inside DMS, and acts as an intuitive and graphical "meta-model" to represent the formalism. An application example is presented.

    AI-Based Evidence in Criminal Trials?


    The Android Forensics Automator (AnForA): A tool for the Automated Forensic Analysis of Android Applications

    Most of our daily activities are carried out by means of mobile applications, which typically generate and store large sets of data on the device. The forensic analysis of these data thus plays a crucial role during an investigation, as it allows these activities to be reconstructed. Manually analyzing these applications is a long, tedious, and error-prone task. In this paper we present the design, implementation, and evaluation of AnForA, a software tool that automates most of the activities that need to be carried out to forensically analyze Android applications, and that has been designed to yield various important properties, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality. AnForA is based on a dynamic "black box" approach, in which the application to be analyzed is first installed on a virtualized Android device, and then a set of experiments is carried out, in which actions of interest are automatically performed on the application by emulating a human user who interacts with its interface. During the experiments, the file systems of the device storage are actively monitored, so that the data created or modified by each of these actions can be located and correlated with that action. We have devised a proof-of-concept implementation of AnForA, which we use to assess its ability to achieve its design goals by analyzing several Android applications already studied in the literature, so that we can compare AnForA's results against those reported in these papers. The results of our evaluation confirm that AnForA greatly simplifies the forensic analysis of Android applications, and exhibits all the properties mentioned above, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality, to a higher extent than previous studies published in the literature.