5 research outputs found

    ForEmSys: An integration of live forensic acquisition methods in next generation PPDR systems

    No full text
    Thesis within the Doctoral Programme in Information Sciences and Technologies, presented to the Department of Informatics Engineering of the Faculty of Sciences and Technology of the University of Coimbra.
    Mobile devices have replaced desktop and portable computers in many aspects of people's everyday routine. In practice, they have become digital fingerprints that carry a critical amount of personal information, ranging from multimedia and communication logs to geolocation and electronic transaction data. Moreover, the use of mobile devices is not limited to an individual's personal interactions: they may also form part of corporate or dedicated communication networks. Enterprise and first-responder communication networks, such as Public Protection and Disaster Relief (PPDR) systems, require a highly secured environment in order to protect various critical assets. In addition, services such as law enforcement may need to access third-party mobile device data as evidence in criminal investigations. Mobile forensic acquisition and analysis therefore play a crucial role both in protecting a PPDR environment against intentional attacks or user misuse and in conducting a robust criminal investigation. This thesis studies the role of forensic acquisition and analysis in PPDR systems and in use cases related to law enforcement investigations, introducing a methodology for automated digital profiling and suspicious pattern identification from mobile device data and metadata. Three intelligent computation techniques, namely Fuzzy Systems, Neural Networks (NNs) and the Adaptive Neuro-Fuzzy Inference System (ANFIS), are used to construct criminal profiles and identify suspicious patterns in call and SMS evidence data and metadata for three use case scenarios. Specifically, Fuzzy Systems served as a proof of concept for detecting PPDR officers' defection carried out over SMS. A more complex scenario, suspicious call and SMS pattern identification in cyberbullying and low-level drug dealing cases, was addressed with NNs and ANFIS. The results produced across all experimental phases were satisfactory and were compared in order to determine the most appropriate technique for suspicious pattern identification.
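The abstract names fuzzy inference over SMS metadata as the proof-of-concept technique but does not describe the features or rules. The following is an added example, not code from the thesis: a small Mamdani-style fuzzy system that scores an officer's outgoing SMS log. The two features (share of messages to numbers outside the unit's directory, share sent outside duty hours), the membership functions, the rule base, the directory and the log entries are all assumptions chosen to illustrate the technique, not the thesis's actual profiling model.

```python
"""Mamdani fuzzy scoring of SMS metadata (added example; features, rules and data are assumptions)."""


def tri(x, a, b, c):
    """Triangular membership: 0 at a, 1 at peak b, 0 again at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def ramp_down(x, a, b):
    """1 up to a, falling linearly to 0 at b (the 'low' set)."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    return (b - x) / (b - a)


def ramp_up(x, a, b):
    """0 up to a, rising linearly to 1 at b (the 'high' set)."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    return (x - a) / (b - a)


# The same three linguistic terms are used for both inputs and the output (all on [0, 1]).
LOW = lambda x: ramp_down(x, 0.2, 0.5)
MEDIUM = lambda x: tri(x, 0.2, 0.5, 0.8)
HIGH = lambda x: ramp_up(x, 0.5, 0.8)


def sms_features(records, directory, duty_hours=range(8, 18)):
    """records: (recipient, hour_of_day) pairs of one officer's outgoing SMS.

    Returns (share of SMS to numbers outside `directory`, share sent outside duty hours).
    """
    if not records:
        return 0.0, 0.0
    n = len(records)
    external = sum(1 for to, _ in records if to not in directory)
    off_hours = sum(1 for _, h in records if h not in duty_hours)
    return external / n, off_hours / n


def suspicion_score(external_ratio, off_hours_ratio):
    """Mamdani inference: min for AND, clipped consequents, max aggregation, centroid defuzzification."""
    rules = [  # (firing strength, consequent set) -- hypothetical rule base
        (min(HIGH(external_ratio), HIGH(off_hours_ratio)), HIGH),   # external AND off-hours -> high
        (min(HIGH(external_ratio), LOW(off_hours_ratio)), MEDIUM),  # external but on duty -> medium
        (MEDIUM(external_ratio), MEDIUM),
        (LOW(external_ratio), LOW),
    ]
    num = den = 0.0
    for i in range(101):  # centroid over a 0.01 grid of the output universe
        y = i / 100
        mu = max(min(strength, consequent(y)) for strength, consequent in rules)
        num += y * mu
        den += mu
    return num / den if den else 0.0


def rank_officers(log, directory):
    """Score every officer in `log` and return (name, score) pairs, most suspicious first."""
    scored = [(name, suspicion_score(*sms_features(records, directory))) for name, records in log.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: a unit directory and two officers' outgoing SMS (recipient, hour).
DIRECTORY = {"+351910000001", "+351910000002"}
OFFICER_LOG = {
    "officer_a": [("+351910000001", 9), ("+351910000002", 10), ("+351910000001", 14),
                  ("+351960000050", 12), ("+351910000002", 16)],
    "officer_b": [("+351960000099", 23), ("+351960000099", 23), ("+351960000099", 1),
                  ("+351960000099", 2), ("+351910000001", 9)],
}

if __name__ == "__main__":
    for name, score in rank_officers(OFFICER_LOG, DIRECTORY):
        print(f"{name}: suspicion {score:.2f}")
```

Because the output is a crisp value in [0, 1] rather than a label, an analyst can set the review threshold separately from the rule base; the ranking, not the absolute number, is what a profiling step would hand on to a human investigator.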

    Revisiting the Detection of Lateral Movement through Sysmon

    No full text
    This work attempts to answer in a clear way the following key questions regarding the optimal initialization of the Sysmon tool for identifying Lateral Movement (LM) in the MS Windows ecosystem. First, from an expert's standpoint and with reference to the relevant literature, what are the criteria for determining the possibly optimal initialization features of the Sysmon event monitoring tool, which are also applicable as custom rules within its config.xml configuration file? Second, based on the identified features, how can a functional configuration file, able to identify as many LM variants as possible, be generated? To answer these questions, we relied on the MITRE ATT&CK knowledge base of adversary tactics and techniques and focused on the execution of the nine commonest LM methods. The experiments, performed on a properly configured testbed, suggested a great number of interrelated networking features that were implemented as custom rules in Sysmon's config.xml file. Moreover, by capitalizing on the rich corpus of 870K Sysmon logs collected, we created and evaluated, in terms of true-positive (TP) and false-positive (FP) rates, an extensible Python .evtx file analyzer, dubbed PeX, which can be used to automate the parsing and scrutiny of such voluminous files. Both the .evtx log dataset and the PeX tool are provided publicly to propel future research in this interesting and rapidly evolving field.
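The abstract describes networking features turned into Sysmon rules and a Python analyzer that scrutinizes the resulting events, but gives neither the rules nor the analyzer. The following is an added example, not the paper's PeX tool or its config.xml rule set: it parses Sysmon events in the exported Windows Event XML form (the same content a .evtx parser yields), flags outbound connections to remote-service ports and process creations of remote-execution binaries, and counts how many hosts each source reached over those ports. The ATT&CK IDs are the well-known technique identifiers; mapping these particular ports and image names to them, and the four sample events, are this example's own assumptions.

```python
"""Triage Sysmon events for lateral-movement indicators (added example; rules and events are assumptions)."""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Destination ports of remote services that lateral movement commonly rides on (assumed rule set).
LM_PORTS = {
    445: "T1021.002 Remote Services: SMB/Windows Admin Shares",
    3389: "T1021.001 Remote Services: Remote Desktop Protocol",
    5985: "T1021.006 Remote Services: Windows Remote Management",
    5986: "T1021.006 Remote Services: Windows Remote Management",
    135: "T1047 Windows Management Instrumentation (RPC endpoint mapper)",
}
# Image names whose creation hints at remote execution on the client or target side (assumed rule set).
LM_IMAGES = {
    "psexec.exe": "T1569.002 Service Execution (PsExec client)",
    "psexesvc.exe": "T1569.002 Service Execution (PsExec service on target)",
    "wmic.exe": "T1047 Windows Management Instrumentation (WMIC client)",
    "winrs.exe": "T1021.006 Windows Remote Management (WinRS client)",
    "wsmprovhost.exe": "T1021.006 Windows Remote Management (WinRM host on target)",
}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict: EventID and Computer plus every EventData Name/value pair."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    event = {
        "event_id": int(system.find("e:EventID", EVT_NS).text),
        "computer": system.find("e:Computer", EVT_NS).text,
    }
    for d in root.find("e:EventData", EVT_NS).findall("e:Data", EVT_NS):
        event[d.get("Name")] = d.text or ""
    return event


def image_name(path):
    """Lower-cased basename of a Windows path (os.path.basename does not split backslashes on POSIX)."""
    return path.rsplit("\\", 1)[-1].lower()


def lateral_movement_findings(events):
    """Apply the two rule families: Event ID 3 (network connection) and Event ID 1 (process creation)."""
    findings = []
    for ev in events:
        if ev["event_id"] == 3 and ev.get("Initiated") == "true":  # outbound connections only
            port = int(ev.get("DestinationPort", "0"))
            if port in LM_PORTS:
                findings.append({
                    "kind": "network", "host": ev["computer"], "technique": LM_PORTS[port],
                    "source": ev.get("SourceIp"), "destination": ev.get("DestinationIp"),
                    "detail": f"{image_name(ev.get('Image', ''))} -> {ev.get('DestinationIp')}:{port}",
                })
        elif ev["event_id"] == 1:
            name = image_name(ev.get("Image", ""))
            if name in LM_IMAGES:
                findings.append({
                    "kind": "process", "host": ev["computer"], "technique": LM_IMAGES[name],
                    "source": None, "destination": None,
                    "detail": f"{name} spawned by {image_name(ev.get('ParentImage', ''))}",
                })
    return findings


def source_fan_out(findings):
    """Distinct destinations reached per source over LM ports; spread across hosts is the stronger signal."""
    spread = {}
    for f in findings:
        if f["kind"] == "network":
            spread.setdefault(f["source"], set()).add(f["destination"])
    return {src: len(dests) for src, dests in spread.items()}


def triage(xml_events):
    events = [parse_sysmon_event(x) for x in xml_events]
    findings = lateral_movement_findings(events)
    return findings, source_fan_out(findings)


def _net_event(computer, image, src, dst, port):
    """Build a constructed Sysmon Event ID 3 record in Windows Event XML form."""
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>3</EventID><Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="Image">{image}</Data><Data Name="Protocol">tcp</Data>'
            f'<Data Name="Initiated">true</Data><Data Name="SourceIp">{src}</Data>'
            f'<Data Name="DestinationIp">{dst}</Data><Data Name="DestinationPort">{port}</Data>'
            f'</EventData></Event>')


# Constructed sample events: two SMB connections from WS01, a WinRM host process on WS02, one benign HTTPS.
SAMPLE_EVENTS = [
    _net_event("WS01.lab.local", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "10.0.0.5", "10.0.0.9", 445),
    _net_event("WS01.lab.local", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "10.0.0.5", "10.0.0.10", 445),
    (f'<Event xmlns="{EVT_NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
     '<EventID>1</EventID><Computer>WS02.lab.local</Computer></System><EventData>'
     r'<Data Name="Image">C:\Windows\System32\wsmprovhost.exe</Data>'
     r'<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>'
     '<Data Name="User">LAB\\jdoe</Data></EventData></Event>'),
    _net_event("WS01.lab.local", r"C:\Program Files\Mozilla Firefox\firefox.exe",
               "10.0.0.5", "93.184.216.34", 443),
]

if __name__ == "__main__":
    findings, fan_out = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f['host']}] {f['technique']}: {f['detail']}")
    print("destinations reached per source over LM ports:", fan_out)
```

The same field names (`Initiated`, `DestinationPort`, `Image`, `ParentImage`) are what a Sysmon config.xml rule filters on, so a rule that proves useful in this kind of post-hoc analysis can be moved into the collection-time configuration, and the fan-out count is the kind of cross-event feature that a per-event filter cannot express but a log analyzer can.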

    A Survey on Mobile Malware Detection Techniques

    No full text
    Modern mobile devices are equipped with a variety of tools and services and handle increasing amounts of sensitive information. In the same trend, the number of vulnerabilities affecting mobile devices grows on a daily basis and, undoubtedly, popular mobile platforms such as Android and iOS represent an alluring target for malware writers. While researchers strive to find alternative detection approaches to fight mobile malware, recent reports show an alarming increase in mobile malware that monetizes its victims, climbing towards a billion-dollar industry. Current approaches to mobile malware analysis and detection cannot always keep up with future malware sophistication [2] [4]. The aim of this work is to provide a structured and comprehensive overview of the latest research on mobile malware detection techniques and to pinpoint their benefits and limitations.
    JRC.E.3 - Cyber and Digital Citizens' Security

    Mobile Forensic Data Analysis: Suspicious Pattern Detection in Mobile Evidence

    No full text
    Culprit identification by means of suspicious pattern detection techniques applied to mobile device data is one of the most important aims of mobile forensic data analysis. When criminal activities are related to entirely automated procedures such as malware propagation, predicting the corresponding behavior is a rather achievable task. However, when human behavior is involved, as in cases of traditional crimes, prediction and detection become more demanding. This paper introduces a combined criminal profiling and suspicious pattern detection methodology for two criminal activities with moderate to heavy involvement of mobile devices, cyberbullying and low-level drug dealing. Neural and neuro-fuzzy techniques are applied to a hybrid original and simulated dataset. The respective performance results are measured and presented, the optimal technique is selected, and the scenarios are re-run on an actual dataset for additional testing and verification.