
Forensic Science International: Digital Investigation, latest publications

volGPT: Evaluation on triaging ransomware process in memory forensics with Large Language Model
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301756
Dong Bin Oh, Donghyun Kim, Donghyun Kim, Huy Kang Kim

In the face of the harm that ransomware can inflict upon users' computers, the imperative to efficiently and accurately triage its processes within memory forensics becomes increasingly crucial. However, ransomware perpetrators employ sophisticated techniques, such as process masquerading, to evade detection and analysis. In response to these challenges, we propose a novel ransomware triage method leveraging a Large Language Model (LLM) in conjunction with the Volatility framework, the de facto standard in memory forensics. We conducted experiments on memory dumps infected by five different ransomware families, utilizing LLM-based approaches. Through extensive experiments, our method, named volGPT, demonstrated high accuracy in identifying ransomware-related processes within memory dumps. Additionally, our approach exhibited greater efficiency and provided more comprehensive explanations during ransomware triage than other state-of-the-art methods.

Citations: 0
A step in a new direction: NVIDIA GPU kernel driver memory forensics
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301760
Christopher J. Bowen, Andrew Case, Ibrahim Baggili, Golden G. Richard III

In the ever-expanding landscape of computation, graphics processing units have become one of the most essential types of devices for personal and commercial needs. Nearly all modern computers have one or more dedicated GPUs due to advancements in artificial intelligence, high-performance computing, 3D graphics rendering, and the growing demand for enhanced gaming experiences. As the GPU industry continues to grow, forensic investigations will need to incorporate these devices, given that they have large amounts of VRAM and computing power and are used to process highly sensitive data. Past research has also shown that malware can hide its payloads within these devices and out of the view of traditional memory forensics. While memory forensics research aims to address the critical threat of memory-only malware, no current work focuses on video memory malware and the malicious use of the GPU. Our work investigates the largest GPU manufacturer, NVIDIA, by examining the newly released open-source GPU kernel modules for the development of forensic tools. We extend our impact by creating symbol mappings between open- and closed-source NVIDIA software that enable researchers to develop tools for both "flavors" of software. We specifically focus our research on artifacts found in RAM, providing the foundational methods to detect and map NVIDIA Object Compiler Structures for forensic investigations. As a part of our analysis and evaluation, we examined the open- and closed-source kernel modules by collecting structure sizes and class IDs to understand their similarities and differences. A standalone tool, NVSYMMAP, and Volatility plugins were created on this foundation to automate this process and provide forensic investigators with knowledge of processes that utilized the GPU.

Citations: 0
In the time loop: Data remanence in main memory of virtual machines
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301758
Ella Savchenko, Jenny Ottmann, Felix Freiling

Data remanence in the physical memory of computers, i.e., the fact that data remains temporarily in memory even after power is cut, is a well-known issue which can be exploited for recovering cryptographic keys and other data in forensic investigations. Since virtual machines in many aspects mimic their physical counterparts, we investigate whether data remanence is also observable in virtual machines. Using KVM as an example of virtualization technology, we experimentally show that it is common for a substantial amount of volatile data to remain in the memory of virtual machines after a reboot. In digital forensic analysis scenarios such as malware analysis using virtual machines, our observations imply high risks of evidence contamination if no precautions are taken. So while the symptoms of data remanence in virtual machines are similar to physical machines, the implications for digital forensic analysis appear very different.

Citations: 0
TLS key material identification and extraction in memory: Current state and future challenges
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301766
Daniel Baier, Alexander Basse, Jan-Niclas Hilgert, Martin Lambertz

Memory forensics is a crucial part of digital forensics, as it can be used to extract valuable information such as running processes, network connections, and encryption keys from memory. The last is especially important considering the widely used Transport Layer Security (TLS) protocol, which secures internet communication and thus hampers network traffic analysis. Particularly in the context of cybercrime investigations (such as malware analysis), it is therefore paramount for investigators to decrypt TLS traffic. This can provide vital insights into the methods and strategies employed by attackers. For this purpose, it is first and foremost necessary to identify and extract the corresponding TLS key material in memory.

In this paper, we systematize and evaluate the current state of techniques, tools, and methodologies for identifying and extracting TLS key material in memory. We consider solutions from academia but also identify innovative and promising approaches used “in the wild” that are not considered by the academic literature. Furthermore, we identify the open research challenges and opportunities for future research in this domain. Our work provides a profound foundation for future research in this crucial area.

Citations: 0
Hit and run: Forensic vehicle event reconstruction through driver-based cloud data from Progressive's Snapshot application
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301762
Abdur Rahman Onik, Trevor T. Spinosa, Abdulla M. Asad, Ibrahim Baggili

Driving Insurance Applications (DIAs) have emerged as a valuable resource in the ever-evolving digital landscape. Automobile owners are storing extensive data on driving behaviors and patterns. This study pioneers the forensic analysis of Progressive's Snapshot application, focusing on the extraction and potential forensic use of data that remains inaccessible through the mobile application's interface. In our approach we focused on four research questions: (1) How accurate is location and speed data collected by Progressive Snapshot? (2) What forensically relevant data can we extract from the Progressive Cloud that is unavailable to the user from the mobile application interface? (3) Can we employ anti-forensics techniques, specifically fake location data, to create false trip details? (4) Can we reconstruct a hit-and-run scenario from trip event details? To answer these questions, we developed PyShot, a Python-based open-source tool, to extract data from the Progressive cloud. Our tests confirmed Snapshot's accuracy in recording speed and location. Despite efforts to fake the Global Positioning System (GPS) location, the cloud still maintained accurate records. PyShot revealed more detailed driving data, like dangerous maneuvers and distracted driving, compared to the mobile application. This study also explores the forensic reconstruction of hit-and-run incidents, using a mannequin and focusing on Progressive's server data. Analyzing event categories, geographical coordinates, and timestamps provides insights into the capabilities and constraints of this application in forensic investigations. The findings offer valuable insights into the forensic capability of data retained by DIAs, contributing to their potential use in forensic investigations.

Citations: 0
Decrypting IndexedDB in private mode of Gecko-based browsers
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301763
Dohun Kim, Sangjin Lee, Jungheum Park

Various technical and legal issues hinder direct investigation of cloud services, which motivates an alternative approach of investigating services through artifacts left by web browsers. Among diverse web browser artifacts, client-side storage such as IndexedDB has been a focus for retrieving contextual information about user behavior. However, analyzing such client-side storage has been difficult in private mode environments, as it was only kept in memory or not supported at all, depending on the browser. Since July 2023, Firefox has supported IndexedDB storage in private mode by storing encrypted files on disk during private sessions. Since then, the effort of Gecko-based browsers to support client-side storage through encrypted files on disk has continued, with Tor Browser also supporting IndexedDB in the same way since October 2023. Meanwhile, research on utilizing those encrypted files in investigations has not progressed much yet. This paper shows how to decrypt client-side storage generated in the private mode of Gecko-based browsers by extracting cipher keys from memory. Experimental results indicate that while a private session is running, our proof-of-concept tool successfully decrypts all encrypted files. Additionally, there is a possibility of recovering data even in an inactive state by utilizing the hibernation file on disk.

Citations: 0
Compiler-provenance identification in obfuscated binaries using vision transformers
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301764
Wasif Khan, Saed Alrabaee, Mousa Al-kfairy, Jie Tang, Kim-Kwang Raymond Choo

Extracting compiler-provenance-related information (e.g., the source of a compiler, its version, its optimization settings, and compiler-related functions) is crucial for binary-analysis tasks such as function fingerprinting, detecting code clones, and determining authorship attribution. However, the presence of obfuscation techniques has complicated efforts to automate such extraction. In this paper, we propose an efficient and resilient approach to provenance identification in obfuscated binaries using advanced pre-trained computer-vision models. To achieve this, we transform the program binaries into images and apply a two-layer approach for compiler and optimization prediction. Extensive results from experiments performed on a large-scale dataset show that the proposed method can achieve an accuracy of over 98% for both obfuscated and deobfuscated binaries.

Citations: 0
Applying digital stratigraphy to the problem of recycled storage media
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301761
Janine Schneider, Maximilian Eichhorn, Lisa Marie Dreier, Christopher Hargreaves

Previous work has shown that second-hand or even new devices with recycled components can contain remnants of old data. Given a situation where incriminating evidence is found in non-allocated space of such a device, this presents an attribution problem. In archaeology or geology, stratigraphy studies the arrangement of strata, or layers, and is often used as a dating technique based on the premise that newer layers are situated above older layers. The digital stratigraphy technique applies this concept to digital forensics and considers how data is positioned and overlaid on disk to make inferences about when data was created. This research investigates the extent to which this technique could resolve the data provenance challenge associated with recycled digital storage media. This paper presents an automated file system activity simulation framework that allows creation, deletion and modification actions to be carried out at scale using specific file system drivers. Using this tool, a series of experiments is carried out to gain an understanding of file system driver behaviour and address this practical question of the provenance of data in non-allocated space.

以往的工作表明,使用回收组件的二手甚至新设备可能包含旧数据的残余。如果在此类设备的非分配空间中发现罪证,就会产生归属问题。在考古学或地质学中,地层学研究的是地层或地层的排列,通常被用作一种基于较新地层位于较旧地层之上这一前提的年代测定技术。数字地层学技术将这一概念应用于数字取证,并考虑数据在磁盘上的位置和叠加方式,从而推断数据的创建时间。这项研究探讨了这种技术在多大程度上可以解决与回收数字存储介质相关的数据出处难题。本文提出了一个自动文件系统活动模拟框架,允许使用特定文件系统驱动程序大规模执行创建、删除和修改操作。利用这一工具,我们进行了一系列实验,以了解文件系统驱动程序的行为,并解决非分配空间中数据来源这一实际问题。
Citations: 0
Beyond timestamps: Integrating implicit timing information into digital forensic timelines
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2024-07-01 DOI: 10.1016/j.fsidi.2024.301755
Lisa Marie Dreier , Céline Vanini , Christopher J. Hargreaves , Frank Breitinger , Felix Freiling

Generating timelines, i.e., sorting events by their respective timestamps, is an essential technique commonly used in digital forensic investigations. But timestamps are not the only source of timing information. For example, sequence numbers embedded in databases or positional information, such as the line numbers in log files, often contain implicit information about the order of events without directly referencing a timestamp. We present a method that can integrate such timing information into digital forensic timelines by separating sources of timing information into distinct time domains, each with its own timeline, and then connecting these timelines based on relations observed within digital evidence. The classical “flat” timeline is thereby extended into a “rich” partial order, which we call hyper timeline. Our technique allows ordering of events without timestamps and opens a rich set of possibilities to identify and characterize timestamp inconsistencies, e.g., those that arise from timestamp tampering.

Citations: 0
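The abstract above describes a partial order built from several time domains (wall-clock timestamps, log line numbers, database sequence numbers) that are joined by relations observed in the evidence. The following is an added illustration of that idea, written for this page; it is not code from the paper, and the class name HyperTimeline, the domain names (wallclock, auth_log, history_rowid) and the sample events are all constructed for the example. Within a domain, a smaller position means earlier; a cross-domain relation is an edge the examiner adds by hand; an event that can reach itself through the resulting graph proves that some timing source is inconsistent.

```python
"""Hyper timeline: one total order per time domain, joined by relations seen in evidence."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    eid: str
    # domain -> position in that domain: a wall-clock timestamp, a log line number,
    # a database rowid / sequence number, ... (domain names are hypothetical)
    positions: Dict[str, float] = field(default_factory=dict)
    desc: str = ""


class HyperTimeline:
    """Partial order over events; an edge a -> b means a happened before b."""

    def __init__(self) -> None:
        self.events: Dict[str, Event] = {}
        self._edges: Dict[str, Set[str]] = defaultdict(set)

    def add(self, ev: Event) -> None:
        self.events[ev.eid] = ev

    def relate(self, before: str, after: str) -> None:
        """Cross-domain relation observed in evidence, e.g. a log line that reports a file write."""
        self._edges[before].add(after)

    def build(self) -> None:
        """Within each domain a smaller position means earlier; ties imply no order."""
        by_domain: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
        for ev in self.events.values():
            for dom, pos in ev.positions.items():
                by_domain[dom].append((pos, ev.eid))
        for items in by_domain.values():
            groups: List[List[str]] = []
            last_pos = None
            for pos, eid in sorted(items):
                if groups and pos == last_pos:
                    groups[-1].append(eid)
                else:
                    groups.append([eid])
                    last_pos = pos
            for earlier, later in zip(groups, groups[1:]):
                for a in earlier:
                    for b in later:
                        self._edges[a].add(b)

    def reachable(self, start: str) -> Set[str]:
        """All events provably after `start` (transitive closure by BFS)."""
        seen: Set[str] = set()
        queue = deque([start])
        while queue:
            for nxt in self._edges[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def order(self, a: str, b: str) -> str:
        ab, ba = b in self.reachable(a), a in self.reachable(b)
        if ab and ba:
            return "contradiction"
        return "before" if ab else "after" if ba else "unknown"

    def anomalies(self) -> List[str]:
        """Events that provably precede themselves: at least one timing source is wrong."""
        return sorted(e for e in self.events if e in self.reachable(e))


def build_sample() -> HyperTimeline:
    """Constructed evidence for illustration (not data from the paper)."""
    ht = HyperTimeline()
    ht.add(Event("ssh_login",    {"wallclock": 1000, "auth_log": 10}, "sshd: Accepted publickey"))
    ht.add(Event("sudo_su",      {"wallclock": 1010, "auth_log": 11}, "sudo: COMMAND=/bin/su"))
    ht.add(Event("tool_drop",    {"wallclock": 1020}, "/tmp/x created (file system crtime)"))
    ht.add(Event("visit_a",      {"wallclock": 1030, "history_rowid": 50}, "browser history row"))
    ht.add(Event("visit_b",      {"history_rowid": 51}, "browser history row, visit_time nulled"))
    ht.add(Event("cfg_edit_log", {"auth_log": 12}, "sudo: COMMAND=/usr/bin/vi /etc/ssh/sshd_config"))
    ht.add(Event("cfg_mtime",    {"wallclock": 900}, "sshd_config mtime (backdated)"))
    # the edit recorded on auth_log line 12 is what produced sshd_config's current mtime
    ht.relate("cfg_edit_log", "cfg_mtime")
    ht.build()
    return ht


if __name__ == "__main__":
    ht = build_sample()
    # visit_b has no usable timestamp, yet it is ordered via rowid and the wall clock of visit_a
    print("visit_b vs tool_drop:", ht.order("visit_b", "tool_drop"))
    # the backdated mtime closes a cycle through the auth log, exposing the tampering
    print("events in a contradiction:", ht.anomalies())
```

In the sample, visit_b carries no timestamp but is still placed after tool_drop, because rowid order puts it after visit_a and visit_a's wall-clock time is after tool_drop's. The backdated mtime (900) sits before the SSH login in the wall-clock domain while the auth log says the edit that produced it came after the login, so the four events close a cycle and are reported as anomalies; which of the two sources lies is then a question for the examiner, not the graph.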
Was the clock correct? Exploring timestamp interpretation through time anchors for digital forensic event reconstruction
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2024-07-01 DOI: 10.1016/j.fsidi.2024.301759
Céline Vanini , Christopher J. Hargreaves , Harm van Beek , Frank Breitinger

Timestamps and their correct interpretation play a crucial role in digital forensic investigations, particularly when the objective is to establish a timeline of events a.k.a. event reconstruction. However, the way these timestamps are generated heavily depends on an internal clock, or ‘system time’, from which many are derived. Consequently, when this system time is skewed due to tampering, natural clock drift, or system malfunctions, recorded timestamps will not reflect the actual times the (real-world) events occurred. This raises the question of how to validate the correctness of the system clock when recording timestamps and, if found incorrect, how to determine system clock skew. To address this problem, this paper defines several important concepts such as time anchors, anchoring events, non-anchoring events and time anomalies which can be used to determine if the system time was correct. Using two examples - a Google search and a file creation - and comparing correct and skewed versions of the same set of performed actions, we illustrate the use and potential benefits of time anchors to demonstrate the correctness of the system clock for event reconstruction.

Citations: 0
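The abstract above introduces anchoring events (an instant known both in the device's system time and in some trusted external time), non-anchoring events (known only in system time) and time anomalies. The block below is an added example written for this page and is not the paper's method or code: the Anchor class, the anchor sources named in the sample (an NTP sync log entry, an HTTP Date header stored with a cache entry, a mail Received header, a cloud-sync log) and all the numbers are constructed assumptions. It computes the clock skew at each anchor, reports where the skew jumps or the clock runs backwards, and maps a non-anchoring event's recorded time to bounds on its true time using the anchors that bracket it.

```python
"""Time anchors: test a device's system clock against events whose true time is known."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Anchor:
    """Anchoring event: the same instant known in system time and in trusted external time."""
    name: str
    recorded: float   # timestamp written by the device's own clock
    reference: float  # trusted time for that instant (server-side timestamp, NTP log, ...)

    @property
    def skew(self) -> float:
        """How far the system clock was ahead (+) or behind (-) at this instant."""
        return self.recorded - self.reference


def find_anomalies(anchors: List[Anchor], tolerance: float = 5.0) -> List[str]:
    """Walk anchors in true-time order and report where the clock jumped or ran backwards."""
    findings: List[str] = []
    ordered = sorted(anchors, key=lambda a: a.reference)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.recorded < prev.recorded:
            findings.append(f"clock ran backwards between {prev.name} and {cur.name}")
        delta = cur.skew - prev.skew
        if abs(delta) > tolerance:
            findings.append(f"skew changed by {delta:+.0f}s between {prev.name} and {cur.name}")
    return findings


def true_time(recorded: float, anchors: List[Anchor],
              tolerance: float = 5.0) -> Tuple[Optional[float], Optional[float], str]:
    """Bound a non-anchoring event's true time using the nearest anchors in recorded time.

    Returns (earliest, latest, note); earliest == latest when the bracketing anchors agree.
    """
    before = [a for a in anchors if a.recorded <= recorded]
    after = [a for a in anchors if a.recorded >= recorded]
    lo = max(before, key=lambda a: a.recorded) if before else None
    hi = min(after, key=lambda a: a.recorded) if after else None
    if lo is None and hi is None:
        return None, None, "no anchors"
    if lo is not None and hi is not None:
        if abs(lo.skew - hi.skew) <= tolerance:
            t = recorded - (lo.skew + hi.skew) / 2
            return t, t, f"bracketed by {lo.name} and {hi.name}"
        # the clock was adjusted somewhere between lo and hi: only a range is defensible
        skews = (lo.skew, hi.skew)
        return (recorded - max(skews), recorded - min(skews),
                f"ambiguous: clock changed between {lo.name} and {hi.name}")
    a = lo if lo is not None else hi
    t = recorded - a.skew
    return t, t, f"extrapolated from {a.name}"


T = 1_700_000_000  # base epoch second for the constructed scenario

# Constructed anchors (illustration only): the clock is correct at an NTP sync, is then set
# two hours ahead, and is later wound back by the user before a cloud-sync entry is written.
ANCHORS = [
    Anchor("ntp_sync",      recorded=T,          reference=T),           # skew 0
    Anchor("http_date_hdr", recorded=T + 10_800, reference=T + 3_600),   # skew +7200
    Anchor("mail_received", recorded=T + 18_000, reference=T + 10_800),  # skew +7200
    Anchor("cloud_sync",    recorded=T + 5_000,  reference=T + 14_400),  # skew -9400
]

if __name__ == "__main__":
    for finding in find_anomalies(ANCHORS):
        print("anomaly:", finding)
    print("file mtime recorded at T+14400 ->", true_time(T + 14_400, ANCHORS))
    print("file mtime recorded at T+2000  ->", true_time(T + 2_000, ANCHORS))
```

A recorded time that falls between two anchors with the same skew can be corrected with confidence; one that falls across a clock change can only be bounded, and an event with no anchor on one side is an extrapolation that should be labelled as such in the report. The tolerance absorbs ordinary drift and the latency between an external timestamp being issued and being written locally; what counts as ordinary depends on the anchor source.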
Copyright © 2023 Book学术 All rights reserved.
Beijing Public Network Security Record No. 11010802042870 · Beijing ICP Record No. 2023020795-1