    Investigating Forensics Values of Windows Jump Lists Data

    Starting with Windows 7, Microsoft introduced a new feature to the Windows operating systems called Jump Lists. Jump Lists store information about user activities on the host machine. These activities may include links to recently visited web pages, applications executed, or files processed. Computer forensics investigators may find traces of misuse in Jump Lists auto-saved files. In this research, we investigate the forensic value of Jump Lists data. Specifically, we use several tools to view Jump Lists data on a virtual machine. We show that each tool reveals certain types of information about the user's activity on the host machine. This paper also presents a comparative analysis of the tools' performance. In addition, we suggest a different method of viewing the contents of hidden folders, present another approach for deleting files from hidden folders, and propose an innovative way of gaining access to application identification numbers (AppIDs). Keywords: Windows 7, Jump Lists, operating systems, computer forensics tools, virtual machine, V

    Forensics Data Recovery of Skype Communication from Physical Memory


    Forensics Analysis of Privacy of Portable Web Browsers

    Web browser vendors offer a portable web browser option, which is considered one of the features that provides user privacy. A portable web browser is a browser that can be launched from a USB flash drive without the need to install it on the host machine. Most popular web browsers have portable versions as well. Portable web browsing poses a great challenge to computer forensic investigators who try to reconstruct past browsing history in case of a computer incident. This research examines various sources on the host machine, such as physical memory, temporary, recent, and event files, the Windows Registry, and Cache.dll files, for evidential information regarding a portable browsing session. The portable browsers under this study include Firefox, Chrome, Safari, and Opera. Results of this experiment show that portable web browsers do not provide user privacy as they are expected to do. Keywords: computer forensics tools, RAM forensics, volatile memory, forensics artifacts, Registr

    RANSOMWARE DETECTION AND PREVENTION USING MEMORY FORENSICS

    Ransomware is a special type of malware, which infects a system and limits a user's access to the system and its resources until a ransom is paid. In the past few years, this malware has become popular among cybercriminals and it is regarded as a billion-dollar industry. Cybercriminals launch ransomware attacks to extort money. Some of the most recent well-known ransomware include WannaCry, Petya and Bad Rabbit. WannaCry attacked known Windows network vulnerabilities using various exploits, which allowed an intruder to execute arbitrary code on a targeted system by transmitting customized data packets. WannaCry made global headlines after infecting more than 230,000 systems in over 150 countries and causing an estimated $5 billion in damages. Like WannaCry, Petya used Windows vulnerabilities to propagate itself. It impacted large organizations in multiple countries with billions of dollars in damage. Another example of rapidly growing ransomware is Bad Rabbit, which appeared shortly after the WannaCry and Petya ransomware families and made headlines. Bad Rabbit targeted Ukraine's Ministry of Infrastructure and Kiev's public transport system. The objective of this research is to use various tools and techniques to hunt ransomware using memory forensics. We create a virtual network environment for ransomware execution and analysis. Through memory analysis we examine the behaviors of various ransomware samples while they are inside the memory of the infected machine. Based on their behaviors, we propose and implement a framework for detection and prevention of ransomware. The proposed framework monitors the ransomware processes using various plugins of the Volatility software tool. These plugins examine the ransomware processes and display actions taken by ransomware once they infect the machine.
    These actions may include encrypting files, renaming themselves to avoid detection by antivirus software, changing file names, etc. Based on these behaviors, we develop the framework for preventing ransomware from spreading and infecting the entire machine. Our proposed framework would complement some of the existing ransomware research in various ways, including the environment, the tools, the ransomware dataset and the structure

    Hacking Experiment Using USB Rubber Ducky Scripting

    Leaving your computer unlocked while you are away, even for seconds, can give hackers all the time they need to obtain your personal information from your computer. This paper aims to detail the necessary research and development of a USB Rubber Ducky script to obtain clear-text logon IDs and passwords from a Windows machine in mere seconds. Each stage is laid out in sections discussing Ducky Script, PowerShell, Mimikatz, and re-enabling the vulnerability, breaking down the attack into two parts for Windows 7 and later operating systems

    Assessing Security & Privacy of Online Social Media

    In recent years, the use of online social media networking (OSMN) such as Facebook, Twitter, Instagram, etc. has become part of people's routine life activities. OSMN enables Internet users to communicate and collaborate with family, friends, social groups, and other communities. In addition, it is a great tool for people to share text, family photos, their life habits, etc. Unfortunately, many users are unaware of the security risks associated with the use of this technology. The risks may include privacy violation, identity theft, malware, fake profiles, exploitation of children, etc. Many OSMN users may accidentally or intentionally expose personal and intimate details about themselves, their friends, and their relationships online. As the use of OSMNs becomes progressively more embedded in users' daily lives, personal information becomes easily exposed and abused. Information harvesting, by both the OSMN operators and third-party commercial companies, has recently been identified as a significant security concern for the users as well as for the public. The objective of this research is to investigate and implement ways of mitigating security breaches and privacy violations of OSMN users. Most social media offer their users an option for security settings. However, it is not known whether those settings are effective for keeping the user's personal and shared data private. To evaluate the effectiveness of the privacy settings, we need to know what types of user data the various OSMN technologies keep about their users and where they save the data. We will use forensics tools and methodology to retrieve the user's data once before the security settings are applied and once after. Based on the outcome of our experiment, recommendations of best practices for mitigating privacy violations and security breaches of users will be made.
    Our initial investigation shows that not all OSMN technologies use the same method and location for saving user data. Therefore, we focus on three of the most popular technologies, namely Facebook, Twitter, and Instagram. Retrieving data from memory will also help forensics investigators identify criminal or inappropriate activities carried out through online social media networking

    An experimental approach to a course on parallel and distributed algorithms


    An Empirical Analysis of Email Forensics Tools

    Emails are the most common service on the Internet for communication and sending documents. Email is used not only from computers but also from many other electronic devices such as tablets, smartphones, etc. Emails can also be used for criminal activities. Email forensics refers to the study of email details and content as evidence to identify the actual sender and recipient of a message, the date/time of transmission, a detailed record of the email transaction, the intent of the sender, etc. Email forensics involves the investigation of metadata, keyword searching, port scanning, and generating reports based on the investigator's needs. Many tools are available for any investigation that involves email forensics. Investigators should be very careful not to violate the user's privacy. To this end, investigators should run keyword searches that reveal only the relevant emails. Therefore, knowledge of the features of the tool and of its search features is necessary for tool selection. In this research, we experimentally compare the performance of several email forensics tools. Our aim is to help investigators with the tool selection task. We evaluate the tools in terms of their keyword search, report generation, and other features such as email format, size of the file accepted, whether they work online or offline, format of the reports, etc. We use the Enron email dataset for our experiment