Christian Hilgers, Holger Macht, Tilo Müller, Michael Spreitzenbarth
As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android's memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.
{"title":"Post-Mortem Memory Analysis of Cold-Booted Android Devices","authors":"Christian Hilgers, Holger Macht, Tilo Müller, Michael Spreitzenbarth","doi":"10.1109/IMF.2014.8","DOIUrl":"https://doi.org/10.1109/IMF.2014.8","url":null,"abstract":"As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android's memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.","PeriodicalId":419890,"journal":{"name":"2014 Eighth International Conference on IT Security Incident Management & IT Forensics","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122004608","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper reports on an interview study on information security incident management that has been conducted in organizations operating industrial control systems that are highly dependent on conventional IT systems. Six distribution service operators from the power industry have participated in the study. We have investigated current practice regarding planning and preparation activities for incident management, and identified similarities and differences between the two traditions of conventional IT systems and industrial control systems. The findings show that there are differences between the IT and ICS disciplines in how they perceive an information security incident and how they plan and prepare for responding to such. The completeness of documented plans and procedures for incident management varies. Where documentation exists, this is in general not well-established throughout the organization. Training exercises with specific focus on information security are rarely performed. There is a need to create amore unified approach to information security incident management in order for the power industry to be sufficiently prepared to meet the challenges posed by Smart Grids in the near future.
{"title":"Information Security Incident Management: Planning for Failure","authors":"M. B. Line, Inger Anne Tøndel, M. Jaatun","doi":"10.1109/IMF.2014.10","DOIUrl":"https://doi.org/10.1109/IMF.2014.10","url":null,"abstract":"This paper reports on an interview study on information security incident management that has been conducted in organizations operating industrial control systems that are highly dependent on conventional IT systems. Six distribution service operators from the power industry have participated in the study. We have investigated current practice regarding planning and preparation activities for incident management, and identified similarities and differences between the two traditions of conventional IT systems and industrial control systems. The findings show that there are differences between the IT and ICS disciplines in how they perceive an information security incident and how they plan and prepare for responding to such. The completeness of documented plans and procedures for incident management varies. Where documentation exists, this is in general not well-established throughout the organization. Training exercises with specific focus on information security are rarely performed. There is a need to create amore unified approach to information security incident management in order for the power industry to be sufficiently prepared to meet the challenges posed by Smart Grids in the near future.","PeriodicalId":419890,"journal":{"name":"2014 Eighth International Conference on IT Security Incident Management & IT Forensics","volume":"30 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121466913","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Audio forensics based on fluctuations in the electrical network frequency (ENF) has become one of the major approaches for the authentication of digital audio recordings. Yet little is known about the circumstances and preconditions under which battery-powered devices leave ENF artifacts in their recordings. Our study with multiple mobile recording devices confirms the hypothesis that background noise, generated by mains-powered electronic devices in proximity to the recording device, is a carrier of ENF artifacts. Experiments in an indoor setting suggest a very high robustness and indicate the presence of ENF artifacts even multiple rooms apart from the noise source.
{"title":"The Humming Hum: Background Noise as a Carrier of ENF Artifacts in Mobile Device Audio Recordings","authors":"Niklas Fechner, Matthias Kirchner","doi":"10.1109/IMF.2014.14","DOIUrl":"https://doi.org/10.1109/IMF.2014.14","url":null,"abstract":"Audio forensics based on fluctuations in the electrical network frequency (ENF) has become one of the major approaches for the authentication of digital audio recordings. Yet little is known about the circumstances and preconditions under which battery-powered devices leave ENF artifacts in their recordings. Our study with multiple mobile recording devices confirms the hypothesis that background noise, generated by mains-powered electronic devices in proximity to the recording device, is a carrier of ENF artifacts. Experiments in an indoor setting suggest a very high robustness and indicate the presence of ENF artifacts even multiple rooms apart from the noise source.","PeriodicalId":419890,"journal":{"name":"2014 Eighth International Conference on IT Security Incident Management & IT Forensics","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124347972","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Since the end of the 1990ies side channel attacks became a very prominent branch of cryptography. In other areas of computer security, however, side channels are not well studied. It is the primary goal of this paper to raise the awareness of the community about the potential existence of side channels during a forensic investigation. We present a concept called AFAUC - anti-forensics of data storage by alternative use of communication channels. The general idea is to confuse the investigator by abusing a communication channel for unintended purposes. As a concrete example of AFAUC, we access a storage device through its diagnostic interface to obfuscate data on that device. More precisely, we analyse if it is feasible in practice to abuse an existing communication channel, which was designed for a different purpose, to hide data in an area of a hard disc drive (HDD), which is not accessible by an investigator and which is different from the well-known Host Protected Area and Device Configuration Overlay, respectively. The basic idea is to access the HDD via its diagnostic interface in an unintended manner and to manipulate its size in the firmware setting. We show that this is possible even without any expensive tool for a Samsung HDD. Evaluation including a test in a law enforcement laboratory revealed that the hidden data would not be detected in an ordinary case. Hence AFAUC may be used by skilled, but not well-funded users. Although AFAUC is a classical dual-use technology, we would like to initiate the community to come up with further alternative use cases of communication channels to support users in oppressive countries to defend themselves. In contrast to the underground economy these users are typically not well-funded and thus depend on reliable anti-forensic methods.
{"title":"AFAUC -- Anti-forensics of Storage Devices by Alternative Use of Communication Channels","authors":"Harald Baier, J. Knauer","doi":"10.1109/IMF.2014.11","DOIUrl":"https://doi.org/10.1109/IMF.2014.11","url":null,"abstract":"Since the end of the 1990ies side channel attacks became a very prominent branch of cryptography. In other areas of computer security, however, side channels are not well studied. It is the primary goal of this paper to raise the awareness of the community about the potential existence of side channels during a forensic investigation. We present a concept called AFAUC - anti-forensics of data storage by alternative use of communication channels. The general idea is to confuse the investigator by abusing a communication channel for unintended purposes. As a concrete example of AFAUC, we access a storage device through its diagnostic interface to obfuscate data on that device. More precisely, we analyse if it is feasible in practice to abuse an existing communication channel, which was designed for a different purpose, to hide data in an area of a hard disc drive (HDD), which is not accessible by an investigator and which is different from the well-known Host Protected Area and Device Configuration Overlay, respectively. The basic idea is to access the HDD via its diagnostic interface in an unintended manner and to manipulate its size in the firmware setting. We show that this is possible even without any expensive tool for a Samsung HDD. Evaluation including a test in a law enforcement laboratory revealed that the hidden data would not be detected in an ordinary case. Hence AFAUC may be used by skilled, but not well-funded users. Although AFAUC is a classical dual-use technology, we would like to initiate the community to come up with further alternative use cases of communication channels to support users in oppressive countries to defend themselves. In contrast to the underground economy these users are typically not well-funded and thus depend on reliable anti-forensic methods.","PeriodicalId":419890,"journal":{"name":"2014 Eighth International Conference on IT Security Incident Management & IT Forensics","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131574790","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper presents a case study on current practice of information security incident management in three large organizations. Qualitative interviews, document studies, and a survey have been performed. Our analysis shows that the organizations have plans and procedures in place, however, not all of these are well established throughout the organizations. Some challenges were prominent in all three organizations, which were related to communication, information collection and dissemination, employee involvement, and allocation of responsibilities. This paper presents our main findings from the study, including current practice for incident management and more details on the identified challenges, and some recommendations for further studies in this field.
{"title":"Information Security Incident Management: Identified Practice in Large Organizations","authors":"C. Hove, M. Tarnes, M. B. Line, K. Bernsmed","doi":"10.1109/IMF.2014.9","DOIUrl":"https://doi.org/10.1109/IMF.2014.9","url":null,"abstract":"This paper presents a case study on current practice of information security incident management in three large organizations. Qualitative interviews, document studies, and a survey have been performed. Our analysis shows that the organizations have plans and procedures in place, however, not all of these are well established throughout the organizations. Some challenges were prominent in all three organizations, which were related to communication, information collection and dissemination, employee involvement, and allocation of responsibilities. This paper presents our main findings from the study, including current practice for incident management and more details on the identified challenges, and some recommendations for further studies in this field.","PeriodicalId":419890,"journal":{"name":"2014 Eighth International Conference on IT Security Incident Management & IT Forensics","volume":"63 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131834610","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Up-to-date studies and surveys regarding IT security show, that companies of every size and branch nowadays are faced with the growing risk of cyber crime. Many tools, standards and best practices are in place to support enterprise IT security experts in dealing with the upcoming risks, whereas meanwhile especially small and medium sized enterprises(SMEs) feel helpless struggling with the growing threats. This article describes an approach, how SMEs can attain high quality assurance whether they are a victim of cyber crime, what kind of damage resulted from a certain attack and in what way remediation can be done. The focus on all steps of the analysis lies in the economic feasibility and the typical environment of SMEs.
{"title":"Assuming a State of Compromise: A Best Practise Approach for SMEs on Incident Response Management","authors":"Alexander Harsch, S. Idler, S. Thurner","doi":"10.1109/IMF.2014.13","DOIUrl":"https://doi.org/10.1109/IMF.2014.13","url":null,"abstract":"Up-to-date studies and surveys regarding IT security show, that companies of every size and branch nowadays are faced with the growing risk of cyber crime. Many tools, standards and best practices are in place to support enterprise IT security experts in dealing with the upcoming risks, whereas meanwhile especially small and medium sized enterprises(SMEs) feel helpless struggling with the growing threats. This article describes an approach, how SMEs can attain high quality assurance whether they are a victim of cyber crime, what kind of damage resulted from a certain attack and in what way remediation can be done. The focus on all steps of the analysis lies in the economic feasibility and the typical environment of SMEs.","PeriodicalId":419890,"journal":{"name":"2014 Eighth International Conference on IT Security Incident Management & IT Forensics","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115681085","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
R. Altschaffel, J. Dittmann, Christian Krätzer, Stefan Kiltz
With this paper we aim to support network traffic management and incident management processes. Hence this paper introduces a model to classify different types of internet-based communication and to establish homogenous representations for various forms of internet-based communication. To achieve these aims an approach to project different types of communications onto a comparable template is presented. This hierarchical approach for the classification of electronic communications is both exhaustive (in the sense of considered types of internet-based communication) and expandable (in terms of the level of granularity of the performed communication behaviour modelling as well as the corresponding data modelling).
{"title":"A Hierarchical Model for the Description of Internet-Based Communication","authors":"R. Altschaffel, J. Dittmann, Christian Krätzer, Stefan Kiltz","doi":"10.1109/IMF.2014.12","DOIUrl":"https://doi.org/10.1109/IMF.2014.12","url":null,"abstract":"With this paper we aim to support network traffic management and incident management processes. Hence this paper introduces a model to classify different types of internet-based communication and to establish homogenous representations for various forms of internet-based communication. To achieve these aims an approach to project different types of communications onto a comparable template is presented. This hierarchical approach for the classification of electronic communications is both exhaustive (in the sense of considered types of internet-based communication) and expandable (in terms of the level of granularity of the performed communication behaviour modelling as well as the corresponding data modelling).","PeriodicalId":419890,"journal":{"name":"2014 Eighth International Conference on IT Security Incident Management & IT Forensics","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133928219","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: