215 research outputs found

    How Representative Are the Measurement Data of a Honeynet?

    For the early detection of critical network phenomena, many kinds of distributed sensor networks have been established and studied on the Internet in the past. We consider the phenomenon "distribution of malicious software on the network", which can be measured at selected points with, for example, the InMAS sensor system. However, the question of how representative the data collected by such a sensor network are has always been unclear. This document describes a methodological framework with which measures of representativeness can be attached to measurements from malware sensor networks. Techniques from empirical social research were used as the methodological approach. As a result, a sensor network with at least 100 sensors randomly distributed across the network range appears necessary in order to make any robust statements at all about the representativeness of sensor-network measurements.

    On the Use of Traffic Data in the Context of Data Retention

    This report was written in response to a request from the Federal Constitutional Court in the context of the constitutional complaints 1 BvR 256/08, 263/08, 586/08. Part of the request was a list of questions on which I was to comment as an expert third party. Instead of answering the questions one by one in list form, I have taken the liberty of presenting the technical background in a coherent discussion. The relationship to the questions from the list on which I felt qualified to comment is made explicit in the appendix.

    Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis

    Exploits that successfully attack computers are mostly based on some form of shellcode, i.e., illegitimate code that is injected by the attacker to take control of the system. Detecting and extracting such code is the first step to detailed analysis of malware containing illegitimate code. The amount and sophistication of modern malware calls for automated mechanisms that perform such detection and extraction. In this paper we present a novel, generic and fully automatic approach to detect the execution of illegitimate code and extract such code upon detection. The basic idea of the approach is to flag critical memory pages as non-executable and use a modified page fault handler to dump the corresponding memory pages. We present an implementation of the approach for the Windows platform called CWXDetector. Evaluations using malicious PDF documents as an example show that CWXDetector produces no false positives and has a similarly low false negative rate.

    Evaluating Atomicity and Integrity of Correct Memory Acquisition Methods

    With increased use of forensic memory analysis, the soundness of memory acquisition becomes more important. We therefore present a black-box analysis technique in which memory contents are constantly changed via our payload application with a traceable access pattern. This way, given the correctness of a memory acquisition procedure, we can evaluate its atomicity and one aspect of integrity as defined by Vömel and Freiling (2012). We evaluated our approach on several memory acquisition techniques represented by 12 memory acquisition tools using a Windows 7 64-bit operating system running on an i5-2400 with 2 GiB RAM. We found user-mode memory acquisition software (ProcDump, Windows Task Manager), which suspends the process during memory acquisition, to provide perfect atomicity and integrity for snapshots of process memory. Cold-boot attacks (memimage, msramdump), virtualization (VirtualBox) and emulation (QEMU) all deliver perfect atomicity and integrity of full physical system memory snapshots. Kernel-level software acquisition tools (FTK Imager, DumpIt, win64dd, WinPmem) exhibit memory smear from concurrent system activity, reducing their atomicity. Their integrity is reduced by running within the imaged memory space, hence overwriting part of the memory contents to be acquired. The least amount of atomicity is exhibited by a DMA attack (inception using IEEE 1394). Further, even if DMA is performed completely in hardware, integrity violations with respect to the point in time of the acquisition make this method appear inferior to all other methods. Our evaluation methodology is generalizable to examine further memory acquisition procedures on other operating systems and platforms.

    Capacity Measurement of a Covert Channel over HTTP

    We describe the implementation of a simple covert timing channel over HTTP and evaluate its capacity on the Internet. In the experiment, a slightly modified Apache web server communicated with a self-written HTTP proxy on the client side. If the channel is optimized for error-free transmission, 3 bit/s can be transmitted; if up to 10% errors are accepted, 14 bit/s are possible. The ease of implementation once again demonstrates the danger of covert channels, also for home applications.

    Dependability Metrics: Research Workshop Proceedings

    Justifying reliance on computer systems is based on some form of evidence about such systems. This in turn implies the existence of scientific techniques to derive such evidence from given systems or to predict such evidence for systems. In a general sense, these techniques imply a form of measurement. The workshop "Dependability Metrics", which was held on November 10, 2008, at the University of Mannheim, dealt with all aspects of measuring dependability.

    The Failure Detector Abstraction

    This paper surveys the failure detector concept along two dimensions. First, we study failure detectors as building blocks to simplify the design of reliable distributed algorithms. More specifically, we illustrate how failure detectors can factor out timing assumptions to detect failures in distributed agreement algorithms. Second, we study failure detectors as computability benchmarks. That is, we survey the weakest failure detector question and illustrate how failure detectors can be used to classify problems. We also highlight some limitations of the failure detector abstraction along each of the dimensions.

    Design and Implementation of a Documentation Tool for Interactive Commandline Sessions

    In digital investigations it is important to document the examination of a computer system in as much detail as possible. Although never designed for digital investigations, many experts use the software script to record their whole terminal session while analyzing a target system. We analyze script's deficiencies and present the design and implementation of forscript (forensic script), a software tool providing additional capabilities and mechanisms for digital investigations.

    Forensic Analysis of Smartphones: The Android Data Extractor Lite (ADEL)

    Due to the ubiquitous use of smartphones, these devices are becoming an increasingly important source of digital evidence in forensic investigations. Thus, the recovery of digital traces from smartphones often plays an essential role in the examination and clarification of the facts in a case. Although some tools already exist for the examination of smartphone data, there is still a strong demand to develop further methods and tools for the forensic extraction and analysis of data stored on smartphones. In this paper we describe specifications of smartphones running Android. We further introduce a newly developed tool – called ADEL – that is able to forensically extract and analyze data from SQLite databases on Android devices. Finally, a detailed report containing the results of the examination is created by the tool. The whole process is fully automated and takes account of the main forensic principles.
    Keywords: Android, Smartphones, Mobile devices, Forensics