1,588 research outputs found

    On Challenges in Verifying Trusted Executable Files in Memory Forensics

    Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time.

    An Evaluation Framework for Comparative Analysis of Generalized Stochastic Petri Net Simulation Techniques

    Availability of a common, shared benchmark to provide repeatable, quantifiable, and comparable results is an added value for any scientific community. International consortia provide benchmarks in a wide range of domains, being normally used by industry, vendors, and researchers for evaluating their software products. In this regard, a benchmark of untimed Petri net models was developed to be used in a yearly software competition driven by the Petri net community. However, to the best of our knowledge there is not a similar benchmark to evaluate solution techniques for Petri nets with timing extensions. In this paper, we propose an evaluation framework for the comparative analysis of generalized stochastic Petri nets (GSPNs) simulation techniques. Although we focus on simulation techniques, our framework provides a baseline for a comparative analysis of different GSPN solvers (e.g., simulators, numerical solvers, or other techniques). The evaluation framework encompasses a set of 50 GSPN models including test cases and case studies from the literature, and a set of evaluation guidelines for the comparative analysis. In order to show the applicability of the proposed framework, we carry out a comparative analysis of steady-state simulators implemented in three academic software tools, namely, GreatSPN, PeabraiN, and TimeNET. The results allow us to validate the trustfulness of these academic software tools, as well as to point out potential problems and algorithmic optimization opportunities

    Long-term hurricane damage effects on tropical forest tree growth and mortality

    Hurricane winds can have large impacts on forest structure and dynamics. To date, most evaluations of hurricane impacts have focused on short-term responses after a hurricane, often lacked pre-hurricane measurements, and missed responses occurring over longer time scales. Here, we use a long-term data set (1974-2009, 35 years) of tree stems (>3 cm in diameter at 1.3 m aboveground) in four sites (0.35 ha in total) in montane rain forest (∼1600 m elevation) in Jamaica to investigate the patterns of crown damage in individual stems by Hurricane Gilbert in 1988, and how subsequent growth and mortality were affected by hurricane damage, sprouting, and the incidence of multiple stems. Topographical position on a mountain ridge was the best predictor of crown damage, followed by crown size and species identity. The average diameter growth rate of stems that survived the hurricane was greater than that pre-hurricane for the whole 21-yr post-hurricane period. Growth rates of stems with damaged crowns increased less than those with undamaged crowns; differences in growth rate between damaged and undamaged trees disappeared after 11 years. Hurricane-damaged stems had two to eight times higher mortality than undamaged stems for 19 years post hurricane. Many stems sprouted shortly after the hurricane, but few sprouts managed to establish (grow to >3 cm diameter at breast height). However, sprouting and multi-stemming were associated with reduced mortality rate, particularly in damaged trees. From an initial population of 1670 stems in 1974, 54% were still alive in 2009 (21 years after the hurricane). We conclude that despite the high frequency of hurricane damage to tree crowns and the subsequent increased mortality rate in this hurricane-prone tropical montane forest, many stems will be hit and recover from several hurricanes in their lifetime. Peer reviewed

    The need for structured thoracic robotic training: the perspective of an American Association for Thoracic Surgery surgical robotic fellow

    Since the initial experiences with robotic platforms in thoracic surgery (1), the number of procedures performed with this technique have continued to increase (2). Not only have newer trainees demonstrated interest in the field, but former open and VATS surgeons have also become aware of the advantages that the robotic platform provides (1,3). However, although some authors have implemented robotic thoracic surgery safely (4,5) others still consider it inefficient, citing the increased operative time (related to the learning curve), the initial instrument cost, and the lack of appropriate directed training (3)

    Tick holocyclotoxins trigger host paralysis by presynaptic inhibition

    Ticks are important vectors of pathogens and secreted neurotoxins with approximately 69 out of 692 tick species having the ability to induce severe toxicoses in their hosts. The Australian paralysis tick (Ixodes holocyclus) is known to be one of the most virulent tick species producing a flaccid paralysis and fatalities caused by a family of neurotoxins known as holocyclotoxins (HTs). The paralysis mechanism of these toxins is temperature dependent and is thought to involve inhibition of acetylcholine levels at the neuromuscular junction. However, the target and mechanism of this inhibition remain uncharacterised. Here, we report that three members of the holocyclotoxin family; HT-1 (GenBank AY766147), HT-3 (GenBank KP096303) and HT-12 (GenBank KP963967) induce muscle paralysis by inhibiting the dependence of transmitter release on extracellular calcium. Previous study was conducted using extracts from tick salivary glands, while the present study is the first to use pure toxins from I. holocyclus. Our findings provide greater insight into the mechanisms by which these toxins act to induce paralysis

    Photo--assisted current and shot noise in the fractional quantum Hall effect

    The effect of an AC perturbation on the shot noise of a fractional quantum Hall fluid is studied both in the weak and the strong backscattering regimes. It is known that the zero-frequency current is linear in the bias voltage, while the noise derivative exhibits steps as a function of bias. In contrast, at Laughlin fractions, the backscattering current and the backscattering noise both exhibit evenly spaced singularities, which are reminiscent of the tunneling density of states singularities for quasiparticles. The spacing is determined by the quasiparticle charge $\nu e$ and the ratio of the DC bias with respect to the drive frequency. Photo--assisted transport can thus be considered as a probe for effective charges at such filling factors, and could be used in the study of more complicated fractions of the Hall effect. A non-perturbative method for studying photo--assisted transport at $\nu=1/2$ is developed, using a refermionization procedure. Comment: 14 pages, 6 figures