Incident Analysis & Digital Forensics in SCADA and Industrial Control Systems
SCADA and industrial control systems have traditionally been isolated in physically protected environments. However, developments such as the standardisation of data exchange protocols, the increased use of IP, and emerging wireless sensor networks and machine-to-machine communication mean that in the near future the related threat vectors will also require consideration outside the scope of traditional SCADA security and incident response. In light of the significance of SCADA for the resilience of critical infrastructures and the targeted incidents against them (e.g. the development of Stuxnet), cyber security and digital forensics emerge as priority areas. In this paper we focus on the latter, exploring the current capability of SCADA operators to analyse security incidents and develop situational awareness based on a robust digital evidence perspective. We look at the logging capabilities of a typical SCADA architecture and the analytical techniques and investigative tools that may help develop forensic readiness to the level required by the current threat environment. We also provide recommendations for data capture and retention.
Survey on remnant data research: the artefacts recovered and the implications in a cyber security conscious world
The prevalence of remnant data on second-hand storage media is well documented. Since 2004 there have been ten separate papers released through Edith Cowan University alone. Despite numerous government agencies providing advice on securing personal and corporate information, and news articles highlighting the need for data security, the availability of personal and confidential data on second-hand storage devices continues, indicating a systemic laissez-faire attitude to data security, even in our supposedly cyber-security-conscious world. The research continues, but there seems to be a lack of correlation between these studies that would identify trends or common themes among the results. The fact that this type of research continues to be conducted highlights the deficiencies in the methods used to advertise the warnings publicised by government departments and industry experts. Major media organisations seem reluctant to broadcast these warnings unless there is a bigger story behind the issue. This paper highlights the ongoing issues and provides insight into the factors contributing to this growing trend.
On the Reverse Engineering of the Citadel Botnet
Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat to the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to its complex structure and advanced anti-reverse-engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly-to-source-code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results show that the approach is promising for Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.
Comment: 10 pages, 17 figures. This is an updated / edited version of a paper that appeared in FPS 201
Forensic Attacks Analysis and the Cyber Security of Safety-Critical Industrial Control Systems
Industrial Control Systems (ICS) and SCADA (Supervisory Control And Data Acquisition) applications monitor and control a wide range of safety-related functions. These include energy generation, where failures could have significant, irreversible consequences. They also include the control systems that are used in the manufacture of safety-related products. In this case, bugs in an ICS/SCADA system could introduce flaws in the production of components that remain undetected before being incorporated into safety-related applications. Industrial Control Systems typically use devices and networks that are very different from conventional IP-based infrastructures. These differences prevent the re-use of existing cyber-security products in ICS/SCADA environments; the architectures, file formats and process structures are very different. This paper supports the forensic analysis of industrial control systems in safety-related applications. In particular, we describe how forensic attack analysis is used to identify weaknesses in devices so that we can both protect components and determine the information that must be analyzed in the aftermath of a cyber-incident. Simulated attacks detect vulnerabilities; a risk-based approach can then be used to assess the likelihood and impact of any breach. These risk assessments are then used to justify both immediate and longer-term countermeasures.
You can run but you cannot hide from memory: Extracting IM evidence of Android apps
Smartphones have become a vital part of our business and everyday life, as they constitute the primary communication vector. Android dominates the smartphone market (86.2%) and has become pervasive, running in `smart' devices such as tablets, TVs, watches, etc. Nowadays, instant messaging applications have become popular amongst smartphone users and since 2016 have been the main means of messaging communication. Consequently, their inclusion in any forensic analysis is necessary, as they constitute a source of valuable data which might be used as (admissible) evidence. Often, their examination involves the extraction and analysis of the applications' databases that reside in the device's internal or external memory. The downfall of this method is that databases can be tampered with or erased, so the evidence might be accidentally or maliciously modified. In this paper, a methodology for retrieving instant messaging data from the volatile memory of Android smartphones is proposed, instead of the traditional database retrieval. The methodology is demonstrated with a case study of four experiments, which provide insights regarding the behavior of such data in memory. Our experimental results show that a large amount of data can be retrieved from memory, even if the device's battery is removed for a short time. In addition, the retrieved data are not only recent messages, but also messages sent a few months before data acquisition.
Technical and legal perspectives on forensics scenario
The dissertation concerns digital forensics. The expression digital forensics (sometimes called digital forensic science) denotes the science that studies the identification, storage, protection, retrieval, documentation, use, and every other form of processing of computer data so that it can be evaluated in a legal trial. Digital forensics is a branch of forensic science. First of all, digital forensics represents the extension of theories, principles and procedures that are typical and important elements of forensic science, computer science and new technologies. From this conceptual viewpoint, the logical consideration is that forensic science studies the legal value of specific events in order to identify possible sources of evidence. The branches of forensic science are: physiological sciences, social sciences, forensic criminalistics and digital forensics. Moreover, digital forensics includes a few categories relating to the investigation of various types of devices, media or artefacts. These categories are:
- computer forensics: the aim is to explain the current state of a digital artefact, such as a computer system, storage medium or electronic document;
- mobile device forensics: the aim is to recover digital evidence or data from a mobile device, such as images, call logs, SMS logs and so on;
- network forensics: the aim is the monitoring and analysis of network traffic (local, WAN/Internet, UMTS, etc.) to detect intrusions or, more generally, to find network evidence;
- forensic data analysis: the aim is to examine structured data to discover evidence, usually related to financial crime;
- database forensics: the aim is related to databases and their metadata.
The origin and historical development of digital forensics as a discipline of study and research are closely related to progress in information and communication technology in the modern era. In parallel with the changes in society due to new technologies and, in particular, the advent of the computer and electronic networks, there has been a change in the mode of collection, management and analysis of evidence. Indeed, in addition to the more traditional, natural and physical elements, the procedures have come to include further evidence that, although equally capable of identifying an occurrence, is inextricably related to a computer, a computer network or electronic means. The birth of computer forensics can be traced back to 1984, when the FBI and other American investigative agencies began to use software for the extraction and analysis of data on personal computers. At the beginning of the 80s, the CART (Computer Analysis and Response Team) was created within the FBI, with the express purpose of seeking so-called digital evidence. This term is used to denote all the information stored or transmitted in digital form that may have some probative value. While the term evidence, more precisely, constitutes the judicial nature of digital data, the term forensic emphasizes the procedural nature of the matter, literally, "to be presented to the Court". Digital forensics has a huge variety of applications. The most common applications are related to crime or cybercrime. Cybercrime is a growing problem for government, business and private individuals.
- Government: security of the country (terrorism, espionage, etc.) or social problems (child pornography, child trafficking and so on).
- Business: purely economic problems, for example industrial espionage.
- Private: personal safety and possessions, for example phishing, identity theft.
Often many techniques used in digital forensics are not formally defined, and the relation between the technical procedure and the law is not frequently taken into consideration. From this conceptual perspective, the research work intends to define and optimize the procedures and methodologies of digital forensics in relation to Italian regulation, testing, analysing and defining best practice, where it is not yet defined, concerning common software. The research questions are:
1. The problem of cybercrime is becoming increasingly significant for governments, businesses and citizens.
- In relation to governments, cybercrime involves problems concerning national security, such as terrorism and espionage, and social questions, such as trafficking in children and child pornography.
- In relation to businesses, cybercrime entails problems concerning mainly economic issues, such as industrial espionage.
- In relation to citizens, cybercrime involves problems concerning personal security, such as identity theft and fraud.
2. Many techniques used within digital forensics are not formally defined.
3. The relation between procedures and legislation is not always applied and taken into consideration.
- …