
    Acquisition and Forensic Analysis of Volatile Data Stores

    The advent of more sophisticated threats against typical computer systems demonstrates a need for forensic analysis of memory-resident data in addition to the conventional static analysis common today. Some tools are starting to become available to duplicate various types of volatile data stores. Once the data store has been duplicated, however, current forensic procedures have no method for extracting further information from the duplicate. This thesis is focused on providing the groundwork for performing forensic investigations on the data that is typically stored in a volatile data store, such as system RAM, while creating as small an impact as possible on the state of the system. It is intended that this thesis will give insight into obtaining more post-incident-response information, with a smaller impact on potential evidence, when compared to typical incident response procedures.

    CGC monitor: A vetting system for the DARPA cyber grand challenge

    The article of record as published may be found at https://doi.org/10.1016/j.diin.2018.04.016 (in press). The CGC Monitor is available at https://github.com/mfthomps/cgc-monitor. Analysis results from CFE, generated by the monitor, are at https://github.com/mfthomps/CGC-Analysis. The DARPA Cyber Grand Challenge (CGC) pitted autonomous machines against one another in a battle to discover, mitigate, and take advantage of software vulnerabilities. The competitors repeatedly formulated and submitted binary software for execution against opponents, and to mitigate attacks mounted by opponents. The US Government sought confidence that competitors legitimately won their rewards (a prize pool of up to $6.75 million USD), and competitors deserved evidence that all parties operated in accordance with the rules, which prohibited attempts to subvert the competition infrastructure. To support those goals, we developed an analysis system to vet competitor software submissions destined for execution on the competition infrastructure, the classic situation of running untrusted software. In this work, we describe the design and implementation of this vetting system, as well as results gathered in deployment of the system as part of the CGC competition. The analysis system is implemented upon a high-fidelity full-system simulator requiring no modifications to the monitored operating system. We used this system to vet software submitted during the CGC Qualifying Event and the CGC Final Event. The overwhelming majority of the vetting occurred in an automated fashion, with the system automatically monitoring the full x86-based system to detect corruption of operating system execution paths and data structures. However, the vetting system also facilitates investigation of any execution deemed suspicious by the automated process (or indeed any analysis required to answer queries related to the competition). An analyst may replay any software interaction using an IDA Pro plug-in, which utilizes the IDA debugger client to execute the session in reverse. In post-mortem analysis, we found no evidence of attempted infrastructure subversion and further conclude that of the 20 vulnerable software services exploited in the CGC Final Event, half were exploited in ways unintended by the service authors. Six services were exploited due to vulnerabilities accidentally included by the authors, while an additional four were exploited via the author-intended vulnerability, but via an unanticipated path. This work was supported in part by the Defense Advanced Research Projects Agency, Air Force award number FA8750-12-D-0005. Approved for public release; distribution is unlimited.

    Passe-Partout: A General Collection Methodology for Android Devices


    Use of Trusted Software Modules for Emergency-Integrity Display

    This report provides a summary of the interface, mechanisms and semantics for high-integrity display of information in a secure computer system, based on the use of a high-assurance separation kernel and trusted software modules in both the application domain and the trusted software domain. Grant numbers: CNS-0430566 and CNS-0430598. Approved for public release; distribution is unlimited.

    SecureCore software architecture: Trusted Management Layer (TML) Kernel Extension Module Integration Guide

    A mobile computing device has more inherent risk than desktops or most other stationary computing devices. Such mobile devices are typically carried outside of a controlled physical environment, and they must communicate over an insecure medium. The risk is even greater if the data being stored, processed and transmitted by the mobile device is classified. The purpose of the SecureCore research project is to investigate the fundamental architectural features required for the trusted operation of mobile computing devices, so that security is built in, transparent and flexible. A building block for the SecureCore project is a Least Privilege Separation Kernel (LPSK). The LPSK together with extension modules provides the security base. Integration of extension modules with the LPSK is described, including coding techniques and compile and link directions. Funding number: CNS-0430566. Approved for public release; distribution is unlimited.

    Ultrafast disordering of vanadium dimers in photoexcited VO2

    Time-resolved x-ray scattering can be used to investigate the dynamics of materials during the switch from one structural phase to another. So far, methods provide an ensemble average and may miss crucial aspects of the detailed mechanisms at play. Wall et al. used a total-scattering technique to probe the dynamics of the ultrafast insulator-to-metal transition of vanadium dioxide (VO2) (see the Perspective by Cavalleri). Femtosecond x-ray pulses provide access to the time- and momentum-resolved dynamics of the structural transition. Their results show that the photoinduced transition is of the order-disorder type, driven by an ultrafast change in the lattice potential that suddenly unlocks the vanadium atoms and yields large-amplitude uncorrelated motions, rather than occurring through a coherent displacive mechanism. Peer reviewed. Postprint (author's final draft).

    Providing a Foundation for Analysis of Volatile Data Stores

    Some related preliminary work was previously presented at the Third Annual IFIP WG 11.9 International Conference on Digital Forensics in Orlando, FL on January 28-31, 2007. Current threats against typical computer systems demonstrate a need for forensic analysis of memory-resident data in addition to the conventional static analysis common today. Certain attacks and types of malware exist solely in memory and leave little or no evidentiary information on nonvolatile stores such as a hard disk drive. The desire to preserve system state at the time of response may even warrant memory acquisition independent of perceived threats, together with the ability to analyze the acquired duplicate. Tools capable of duplicating various types of volatile data stores are becoming widely available. Once the data store has been duplicated, however, current forensic procedures have no method for extracting further useful information from the duplicate. This paper is focused on providing the groundwork for performing forensic investigations on the data that is typically stored in a volatile data store, such as system RAM. It is intended that, when combined with good acquisition techniques, it will be shown that it is possible to obtain more post-incident-response information with less impact on potential evidence when compared to typical incident response procedures.

    Next Generation Collaborative Reversing with Ida Pro and CollabREate

    A major drawback of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy workarounds exist, from asynchronous use of the same data files to working on multiple copies of data files that quickly diverge, leaving the differences to somehow be reconciled. These methods and existing tools [1] provided a first step towards automated collaboration amongst IDA Pro [2] users; however, they suffer from several shortcomings, including the fact that the tools have failed to keep pace with the evolution of IDA's internal architecture. In this paper the authors present a new collaborative tool, titled collabREate [3], designed to bring nearly effortless collaboration to IDA users.

    MemCorp: An Open Data Corpus for Memory Analysis


    Volatile memory acquisition via warm boot memory survivability
