
    A framework for forensic reconstruction of spontaneous ad hoc networks

    Spontaneous ad hoc networks are distinguished by rapid deployment for a specific purpose, with no forward planning or pre-design of their topology. Often these networks will spring up through necessity whenever a network is required urgently but briefly. This may be in a disaster recovery setting, in military uses where the network is unplanned but the devices are pre-installed with security settings, in educational networks, or in networks created as a one-off for a meeting such as in a business organisation. Generally, wireless networks pose problems for forensic investigators because of the open nature of the medium, but if logging procedures and pre-planned connections are in place, past messages, including nefarious activity, can often be easily traced through normal forensic practices. However, the often urgent nature of the communication requirements of spontaneous ad hoc networks leads to the acceptance onto the network of anyone with a wireless device. Additionally, the identity of the network members, their location and the number of members in the network are all unknown. With no centre of control of the network, such as a central server or wireless access point, the ability to forensically reconstruct the network topology and trace a malicious message or other inappropriate or criminal activity would seem impossible. This research aims to demonstrate that forensic reconstruction is possible in these types of networks, and the current research provides initial results on how forensic investigators can best undertake these investigations.

    A Simulation-Based Study of Server Location Selection Rules in MANETs Utilising Threshold Cryptography

    Truly ad hoc wireless networks, where a network forms spontaneously and nodes have no prior knowledge of each other, present significant security challenges, especially as configuration of nodes with encryption keys must be performed entirely online. Utilising threshold cryptography in this type of MANET can greatly increase security by requiring servers to collaborate to form a single Certificate Authority (CA). In this type of CA, responsibility for certificate services is shared between a threshold of servers, greatly increasing security and making an attack against the CA considerably more difficult. Choosing which nodes take on the role of a CA server can have a significant impact on the efficiency of the network and on the success of certificate requests. This research uses simulation to test different rules for choosing nodes to become servers based on their location within the network. Results show that choosing the best server location rules for particular configurations is essential in ensuring both robust security and efficient running of the network.

    A 2013 Study of Wireless Network Security in New Zealand: Are We There Yet?

    This research examines the current level of security in wireless networks in New Zealand. A comprehensive wardrive covering the length of the country was made in January 2013 so that accurate comparisons could be made with two previous wardrives, as well as between the four main cities and the suburbs. With 16 years having passed since the introduction of the original IEEE 802.11 wireless standard, an examination is made of the current state of wireless network security throughout New Zealand and the Auckland suburbs, and, where possible, these results are compared with similar studies undertaken in 2004 and 2011. Additionally, comparisons are made of the growth in the number of access points, the security standards implemented and the channels selected. This study looks at whether wireless network security has reached the levels hoped for in 1999, when security was built in to the IEEE 802.11a and 802.11b standards, and concludes that whilst vastly improved, there is still some way to go. Finally, some recommendations are made as to what still needs to be addressed to ensure efficient and secure communications over wireless networks.

    The challenges in implementing security in spontaneous ad hoc networks

    Mobile Ad Hoc Networks (MANETs) promise much in the ability to rapidly deploy a wireless network in a fashion where no prior planning is needed and the network can be running efficiently and with high security within minutes. Natural disaster response, military, education and business provide areas where MANETs can offer significant advantages in communication where infrastructure networks may take days to set up or may be impossible to implement. This research reviews a selection of MANET protocols to show the progression of the research and the issues that are yet to be addressed. It discusses the challenges to researchers in improving ad hoc schemes to the point where they work both in theory and in practice. Areas are highlighted that pose the most significant challenges to developing new security protocols, and some food for thought is given to those who wish to contribute to this growing area of importance for wireless communication.

    A centralised platform for digital forensic investigations in cloud-based environments

    Forensic investigations of digital media traditionally involve seizing a device and performing a forensic examination of it. Often legal and physical obstructions must be overcome so that the investigator has access to the device and the right to secure it for investigation purposes. Taking a forensic image of a hard disk may need to be done in the field, but analysis can usually be performed at a later time. With the rapid increase in hard disk size, acquiring a forensic image can take hours or days. This poses significant issues for forensic investigators when potential evidence resides in the cloud. What is highly desirable is the ability to perform the acquisition of the image and the data recovery whilst the data remains in the cloud. The comparatively small amount of recovered data can then be downloaded from the cloud. This may solve legal, time and physical obstacles with one relatively simple method. This research describes the development of cloud-based software to perform a digital forensic investigation in the cloud, and describes the efficiency of the process under several different configurations utilising Amazon Web Services cloud solutions.

    Security Analysis And Forensic Investigation Of Home & Commercial Alarm Systems in New Zealand: Current Research Findings

    Alarm systems with keypads, sensors and sirens protect our homes and commercial premises from intruders. The reliability of these systems has improved over the past years, but the technology has remained largely as it was 3 decades ago. With simple keypads and generally 4-digit PIN codes used for setting and unsetting the alarms, the main protection against a determined intruder is the necessity to choose robust PIN codes. However, with PIN codes chosen that are generally easy to remember and therefore relatively easy to guess, or numbers chosen to follow a pattern on the keypad, the main protection from these systems lies in the ability to detect an intruder as they approach the keypad. This gives the intruder very little time to try multiple codes, meaning the systems are secure only because the intruder is detected quickly. This research looks at the choices of PIN codes and the patterns that they often follow, and sets out the forthcoming research that will look at circumventing the safeguards by performing computer-driven attacks against the codes when access to the device is possible and when remote access to the device can be made over the telephone system. Additionally, the forensic evidence left behind by an attacker is discussed, along with how simple enhancements to systems can significantly increase the amount of evidence that can be found. This paper describes the preliminary findings from analysing 700 alarm codes used in alarm systems throughout New Zealand and describes the planned research into alarm system security and the forensic evidence remaining after a successful attack by an intruder.

    Memory forensic data recovery utilising RAM cooling methods

    Forensic investigations of digital devices are generally conducted on a seized device in a secure environment. This usually necessitates powering down the device and taking an image of the hard drive or, in the case of solid state technology, the semi-permanent storage. Guidelines for forensic investigations of computers advise that the computer should be shut down by removing the power supply, thereby maintaining the hard disk in the state it was in whilst running. However, valuable forensic evidence often exists in the volatile memory, which is lost when this process is followed. The issues of locked accounts on running computers and encrypted files present particular difficulties for forensic investigators who wish to capture a forensic image of the RAM. This research involves freezing RAM removed from a running computer so that it can later be reinserted into an unlocked computer, allowing a forensic image of the RAM to be captured. Three different methods of cooling the RAM are compared, along with varying delays in RAM reinsertion. The results provide a guideline for forensic investigators on how the issues with locked accounts and encryption may be overcome to record this valuable evidence that is otherwise lost.

    An analysis of chosen alarm code pin numbers & their weakness against a modified brute force attack

    Home and commercial alarms are an integral physical security measure that has become so commonplace that little thought is given to the security that they may or may not provide. Whilst the focus has shifted from physical security in the past to cyber security in the present, physical security for protecting assets may be just as important for many business organisations. This research looks at 700 genuine alarm PIN codes chosen by users to arm and disarm alarm systems in a commercial environment. A comparison is made with a study of millions of PIN numbers unrelated to alarms in order to allow a prediction of the alarm codes utilised in these systems. Results show that PIN numbers for alarm codes are often chosen differently from other PIN numbers, and an analysis of the alarm codes gives an indication of how users choose codes. The codes are ranked in various groupings, and results show that a non-sequential brute force attack against an alarm system using the results of this study greatly reduces the number of codes tried by an attacker before a disarming code is discovered. The results can be used to assist users in choosing codes that are less predictable than the codes that are often chosen today.

    A forensic examination of several mobile device Faraday bags & materials to test their effectiveness

    A Faraday bag is designed to shield a mobile phone or small digital device from radio waves entering the bag and reaching the device, or to stop radio waves from the device escaping through the bag. The effectiveness of these shields is vital for security professionals and forensic investigators who seize devices and wish to ensure that their contents are not read, modified or deleted prior to a forensic examination. This research tests the effectiveness of several readily available Faraday bags. The Faraday bags tested are all available online and promise complete blocking of all signals through the bag. Additionally, other materials that can be used if a Faraday bag is not available, such as tin foil and a tin can, are tested and compared with the Faraday bags. A selection of common mobile phones from various manufacturers is tested in the shielding material. Additionally, 3G / 4G, WiFi and Bluetooth are tested with the bags and materials on those devices so equipped, to ascertain whether the material blocks all signals from the communicating technologies on the phones. Results show that the performance of the bags is not as promised by most vendors and that in urgent situations other materials at hand may suffice to perform the same function as a Faraday bag.

    A Forensic Analysis And Comparison Of Solid State Drive Data Retention With Trim Enabled File Systems

    Solid State Drives offer significant advantages over traditional hard disk drives: no moving parts, superior resistance to shock, reduced heat generation and increased battery life for laptops. However, they are susceptible to cell failure within the chips. To counter this, wear levelling is used so that cells are utilised for data at approximately the same rate. An improvement to the original wear levelling routine is TRIM, which further enhances the lifetime of the cells by allowing the garbage collection process to run as one operation rather than as an ongoing process. The advantages of TRIM for the user are that it increases the efficiency of the drive's wear levelling algorithms, meaning quicker access times and longer lifetimes. The basic wear levelling routines have caused significant difficulties for forensic investigators, as data is moved to different random locations without user input. Whilst this problem has been examined in past research, the implementation of TRIM has not had much attention. This research examines SSD drives across TRIM-enabled file systems on three operating systems: Windows, Linux and Mac OS X. The results show that TRIM leaves far less data for forensic investigators than drives without TRIM enabled.