Anti-forensics: The Next Step in Digital Forensics Tool Testing
Martin Wundram, F. Freiling, Christian Moch. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.17

Abstract: We classify and present established and new attacks on digital forensics tools. In particular, we present the first and surprisingly simple code injection attack on a commercial analysis tool that potentially allows infiltration of the analysis system. We argue that digital forensics tool testing must mature to cater for malicious adversaries. We also discuss possible countermeasures.
Developing a cloud computing based approach for forensic analysis using OCR
Matthias Trojahn, Lei Pan, Fabian Schmidt. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.11

Abstract: One of the major issues in digital forensics is that cyber criminals tend to hide digital evidence before forensic tools are applied to find it. A simple but effective method to evade detection is to embed textual information in a picture such as a screenshot. On the detective's side, we can use Optical Character Recognition (OCR) algorithms to retrieve the textual information from a picture or from a PDF document. However, the main challenges of the current solutions on standalone computers include scalability and performance. In this paper, we present a cloud-based framework which consists of a set of virtual machines and a job management system. We also show the mathematical derivation of our system configurations.
Forensic Application-Fingerprinting Based on File System Metadata
S. Kalber, Andreas Dewald, F. Freiling. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.20

Abstract: While much work has been invested in tools for acquisition and extraction of digital evidence, there are only a few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the sets of files accessed by those actions overlap.
Identifying a Shared Mental Model Among Incident Responders
Robert Floodeen, J. Haller, Brett C. Tjaden. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.21

Abstract: Typically, there is a direct correlation between the time to resolve an incident and the damage sustained by an organization, with faster resolution of the incident resulting in less damage to the organization. Therefore, improving coordination between organizations experiencing the same or related incidents allows faster resolution and hence less damage to each organization. Coordination, however, means more than simply communicating during an incident - effective communication is critical. In this paper, we explore how effective communication might be improved by the development of a mental model internalized by the group's technical staff prior to an incident. We present the results of an exercise we conducted to determine whether an ad-hoc group of incident responders share a schema for decision making, and, if not, what some of the decision criteria (questions) and types of values (answers) might be that would allow the creation of a shared mental model for incident response.
On Bayesian Trust and Risk Forecasting for Compound Systems
S. Rass, S. Kurowski. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.13

Abstract: We present a probabilistic (frequentistic) model of trust with efficient Bayesian updating procedures and support for hierarchically structured systems. Trust is highly influenced by information gathered from different sources, like newspaper or scientific reports on the security or vulnerability of computer systems. Assuming text-mining and incident documentation facilities are available that provide us with news relevant to a given system, we show how to compile this experience into a stochastic model of trust. In particular, our model admits efficient analysis towards forecasting of possible future issues and the determination of worst-case scenarios for a given security system. We empirically evaluate the sensitivity of our trust measure based on simulations using a prototype implementation, which closely matches the natural way in which trust is established: it takes a considerably larger number of positive incidents to outweigh a negative experience. Our model indeed confirms such imbalance. Moreover, as more and more information goes into the trust model, a change of trust in either direction requires an amount of positive or negative experience that almost equals the so-far recorded history. We believe that these effects make the trust model a reasonable choice to resemble the human valuation of trust, while being founded on statistical grounds to be compatible with quantitative or qualitative enterprise risk management.
Visualizing Indicators of Rootkit Infections in Memory Forensics
Stefan Vömel, H. Lenz. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.12

Abstract: Research in the area of memory forensics has been flourishing over the last few years, and powerful analysis frameworks such as Volatility have been developed. While these frameworks permit examining a forensic memory snapshot in great detail, they mainly aim at experienced investigators with a thorough knowledge of operating system internals. On the other hand, result correlation and interpretation is especially demanding for personnel with only marginal forensic expertise, as are often found in IT departments of small- and medium-sized enterprises. This task becomes even more challenging when attempting to detect traces of sophisticated malicious applications such as rootkits. In this paper, we present rkfinder, a plug-in for the well-known forensic framework DFF, that integrates major capabilities of Volatility into an intuitive and easy-to-use graphical user interface. Rkfinder generates an abstract, tree-like view of the system state, implements checks that are capable of revealing inconsistencies, and automatically highlights suspicious objects that may indicate the presence of a threat. Thereby, potential sources of a system infection are more visible and can be better addressed in the course of incident response.
mvHash-B - A New Approach for Similarity Preserving Hashing
Frank Breitinger, Knut Petter Astebol, Harald Baier, C. Busch. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.18

Abstract: The handling of hundreds of thousands of files is a major challenge in today's IT forensic investigations. In order to cope with this information overload, investigators use fingerprints (hash values) to identify known files automatically using blacklists or whitelists. Besides detecting exact duplicates, it is helpful to locate similar files by using similarity preserving hashing (SPH), too. We present a new algorithm for similarity preserving hashing. It is based on the idea of majority voting in conjunction with run length encoding to compress the input data and uses Bloom filters to represent the fingerprint. It is therefore called mvHash-B. Our assessment shows that mvHash-B is superior to other SPHs with respect to run time efficiency: it is almost as fast as SHA-1 and thus faster than any other SPH algorithm. Additionally, the hash value length is approximately 0.5% of the input length and hence outperforms most existing algorithms. Finally, we show that the robustness of mvHash-B against active manipulation is sufficient for practical purposes.
Selective Imaging Revisited
Johannes Stüttgen, Andreas Dewald, F. Freiling. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.16

Abstract: The standard procedure for the acquisition of digital evidence in forensic investigations is to produce a bit-wise 1:1 copy of the original data on a digital storage device. This is often called imaging and is becoming a bottleneck in modern digital investigations. The notion of selective imaging was introduced by Turner in 2005 and associated with the decision not to acquire all possible information during the evidence capture process. In this paper, we precisely define the term selective imaging, thereby generalizing the concept to allow acquisition of data objects in any combination and from any level of abstraction. We have implemented this approach as a plugin for the open source Digital Forensics Framework (DFF) using a container format based on the Advanced Forensic Framework 4 (AFF4). We present some design and implementation details as well as a performance evaluation.
A Case Study: Preparing for the Smart Grids - Identifying Current Practice for Information Security Incident Management in the Power Industry
M. B. Line. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.15

Abstract: The power industry faces the implementation of smart grids, which will introduce new information security threats to the power automation systems. The ability to appropriately prepare for, and respond to, information security incidents, is of utmost importance, as it is impossible to prevent all possible incidents from occurring. Current trends even show that the power industry is an attractive target for hackers. A main challenge for the power industry to overcome is the differences regarding culture and traditions, knowledge and communication, between ICT staff and power automation staff. This paper presents the background, research method and preliminary results from a case study identifying current practice on information security incident management in the power industry.
Forewarned is Forearmed: Indicators for Evaluating Information Security Incident Management
K. Bernsmed, Inger Anne Tøndel. 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, 2013-03-12. DOI: https://doi.org/10.1109/IMF.2013.14

Abstract: This paper presents a method for evaluating an organization's ability to manage security incidents. The method is based on resilient thinking, and describes how to identify, select and implement early-warning indicators for information security incident management.