1,512 research outputs found
Testing Memory Forensics Tools for the Macintosh OS X Operating System
Memory acquisition is essential to defeat anti-forensic operating-system features and investigate cyberattacks that leave little or no evidence in secondary storage. The forensic community has developed tools to acquire physical memory from Apple’s Macintosh computers, but they have not been tested much. This work tested three major OS X memory-acquisition tools. Although the tools could capture system memory accurately, the open-source tool OSXPmem appeared advantageous in size, reliability, and support for memory configurations and versions of the OS X operating system
Making Sense of Email Addresses on Drives
Drives found during investigations often have useful information in the form of email addresses,
which can be acquired by search in the raw drive data independent of the file system. Using these
data, we can build a picture of the social networks in which a drive owner participated, even
perhaps better than investigating their online profiles maintained by social-networking services,
because drives contain much data that users have not approved for public display. However,
many addresses found on drives are not forensically interesting, such as sales and support links.
We developed a program to filter these out using a Naïve Bayes classifier and eliminated 73.3% of
the addresses from a representative corpus. We show that the byte-offset proximity of the
remaining addresses found on a drive, their word similarity, and their number of co-occurrences
over a corpus are good measures of association of addresses, and we built graphs using this data of
the interconnections both between addresses and between drives. Results provided several new
insights into our test data
Randomised controlled trials in educational research: Ontological and epistemological limitations
Randomised controlled trials (RCTs) are a valued research method in evidence-based practice in medical and clinical settings because they are
associated with a particular ontological and epistemological perspective that is situated within a positivist world view. It assumes that environments and
variables can be controlled to establish cause-effect relationships. However, current theories of learning suggest that knowledge is socially constructed,
and that learning occurs in open systems that cannot be controlled and manipulated as would be required in a RCT. They recognise the importance and
influence of context on learning, which positivist research paradigms specifically aim to counter. We argue that RCTs are inappropriate in education
research because they force one to take up ontological and epistemological positions in a technical rationalist framework, which is at odds with current
learning theory
Research on Deception in Defense of Information Systems
This paper appeared in the Command and Control Research and Technology Symposium, San Diego, CA,
June 2004. Our research group has been broadly studying the use of deliberate deception by software to foil attacks on
information systems. This can provide a second line of defense when access controls have been breached or
against insider attacks. The thousands of new attacks being discovered every year that subvert access
controls say that such a second line of defense is desperately needed. We have developed a number of
demonstration systems, including a fake directory system intended to waste the time of spies, a Web
information resource that delays suspicious requests, a modified file-download utility that pretends to
succumb to a buffer overflow, and a tool for systematically modifying an operating system to insert deceptive
responses. We are also developing an associated theory of deception that can be used to analyze and create
offensive and defensive deceptions, with especial attention to reasoning about time using temporal logic. We
conclude with some discussion of the legal implications of deception by computers. Approved for public release; distribution is unlimited
Making Sense of Email Addresses on Drives
Drives found during investigations often have useful information in the form of email addresses which can be acquired by search in the raw drive data independent of the file system. Using this data we can build a picture of the social networks that a drive owner participated in, even perhaps better than investigating their online profiles maintained by social-networking services because drives contain much data that users have not approved for public display. However, many addresses found on drives are not forensically interesting, such as sales and support links. We developed a program to filter these out using a Naïve Bayes classifier and eliminated 73.3% of the addresses from a representative corpus. We show that the byte-offset proximity of the remaining addresses found on a drive, their word similarity, and their number of co-occurrences over a corpus are good measures of association of addresses, and we built graphs using this data of the interconnections both between addresses and between drives. Results provided several new insights into our test data
The prefrontal cortex achieves inhibitory control by facilitating subcortical motor pathway connectivity
Communication between the prefrontal cortex and subcortical nuclei underpins the control and inhibition of behavior. However, the interactions in such pathways remain controversial. Using a stop-signal response inhibition task and functional imaging with analysis of effective connectivity, we show that the lateral prefrontal cortex influences the strength of communication between regions in the frontostriatal motor system. We compared 20 generative models that represented alternative interactions between the inferior frontal gyrus, presupplementary motor area (preSMA), subthalamic nucleus (STN), and primary motor cortex during response inhibition. Bayesian model selection revealed that during successful response inhibition, the inferior frontal gyrus modulates an excitatory influence of the preSMA on the STN, thereby amplifying the downstream polysynaptic inhibition from the STN to the motor cortex. Critically, the strength of the interaction between preSMA and STN, and the degree of modulation by the inferior frontal gyrus, predicted individual differences in participants’ stopping performance (stop-signal reaction time). We then used diffusion-weighted imaging with tractography to assess white matter structure in the pathways connecting these three regions. The mean diffusivity in tracts between preSMA and the STN, and between the inferior frontal gyrus and STN, also predicted individual differences in stopping efficiency. Finally, we found that white matter structure in the tract between preSMA and STN correlated with effective connectivity of the same pathway, providing important cross-modal validation of the effective connectivity measures. Together, the results demonstrate the network dynamics and modulatory role of the prefrontal cortex that underpin individual differences in inhibitory control
High Frequency of Extra-Pair Paternity in Eastern Kingbirds
Genetic parentage in the socially monogamous and territorial Eastern Kingbird (Tyrannus tyrannus) was examined in a central New York population by multilocus DNA fingerprinting. Extra-pair young were identified in 60% (12 of 20) of nests. Of the 64 nestlings profiled, 42% were sired by extra-pair males, but no cases of conspecific brood parasitism were detected. These results are markedly different from a previous electrophoretic study of the same species in a Michigan population, which reported 39% of nestlings were unrelated to one (typically the mother, quasiparasitism) or both (conspecific brood parasitism) of the putative parents. In the New York population, extra-pair paternity was most common among females that returned to breed on a former territory. Among females that were new to a breeding territory, extra-pair paternity increased directly with breeding density. Although the power of the tests was low, neither breeding synchrony nor male experience with a breeding territory appeared to be associated with the occurrence of extra-pair young
Analogue of cosmological particle creation in an ion trap
We study phonons in a dynamical chain of ions confined by a trap with a
time-dependent (axial) potential strength and demonstrate that they behave in
the same way as quantum fields in an expanding/contracting universe. Based on
this analogy, we present a scheme for the detection of the analogue of
cosmological particle creation which should be feasible with present-day
technology. In order to test the quantum nature of the particle creation
mechanism and to distinguish it from classical effects such as heating, we
propose to measure the two-phonon amplitude via the red side-band
and to compare it with the one-phonon amplitude ( red side-band).
PACS: 04.62.+v, 98.80.-k, 42.50.Vk, 32.80.Pj. Comment: 4 pages, 2 figure