2019 | Book

Advances in Digital Forensics XV

15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers

About this book

Digital forensics deals with the acquisition, preservation, examination, analysis and presentation of electronic evidence. Computer networks, cloud computing, smartphones, embedded devices and the Internet of Things have expanded the role of digital forensics beyond traditional computer crime investigations. Practically every crime now involves some aspect of digital evidence; digital forensics provides the techniques and tools to articulate this evidence in legal proceedings. Digital forensics also has myriad intelligence applications; furthermore, it has a vital role in cyber security: investigations of security breaches yield valuable information that can be used to design more secure and resilient systems.

Advances in Digital Forensics XV describes original research results and innovative applications in the discipline of digital forensics. In addition, it highlights some of the major technical and legal issues related to digital evidence and electronic crime investigations. The areas of coverage include: forensic models, mobile and embedded device forensics, filesystem forensics, image forensics, and forensic techniques.

This book is the fifteenth volume in the annual series produced by the International Federation for Information Processing (IFIP) Working Group 11.9 on Digital Forensics, an international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The book contains a selection of fourteen edited papers from the Fifteenth Annual IFIP WG 11.9 International Conference on Digital Forensics, held in Orlando, Florida, USA in the winter of 2019.

Advances in Digital Forensics XV is an important resource for researchers, faculty members and graduate students, as well as for practitioners and individuals engaged in research and development efforts for the law enforcement and intelligence communities.

Table of Contents

Frontmatter

Forensic Models

Frontmatter
A Holistic Forensic Model for the Internet of Things
Abstract
The explosive growth of the Internet of Things offers numerous innovative applications such as smart homes, e-healthcare, smart surveillance, smart industries, smart cities and smart grids. However, this has significantly increased the threat of attacks that exploit the vulnerable surfaces of Internet of Things devices. It is, therefore, immensely important to develop security solutions for protecting vulnerable devices and digital forensic models for recovering evidence of suspected attacks. Digital forensic solutions typically target specific application domains such as smart wearables, smart surveillance systems and smart homes. What is needed is a holistic approach that covers the diverse application domains, eliminating the overhead of employing ad hoc models.
This chapter presents a holistic forensic model for the Internet of Things that is based on the ISO/IEC 27043 international standard. The model has three phases – forensic readiness (proactive), forensic initialization (incident) and forensic investigation (reactive) – that cover the entire lifecycle of Internet of Things forensics. The holistic model, which provides a customizable and configurable environment that supports diverse Internet of Things applications, can be enhanced to create a comprehensive framework.
Lakshminarayana Sadineni, Emmanuel Pilli, Ramesh Babu Battula
Implementing the Harmonized Model for Digital Evidence Admissibility Assessment
Abstract
Standardization of digital forensics has become an important focus area for researchers and criminal justice practitioners. Over the past decade, several efforts have been made to encapsulate digital forensic processes and activities in harmonized frameworks for incident investigations. A harmonized model for digital evidence admissibility assessment has been proposed for integrating the technical and legal determinants of digital evidence admissibility, thereby providing a techno-legal foundation for assessing digital evidence admissibility in judicial proceedings.
This chapter presents an algorithm underlying the harmonized model for digital evidence admissibility assessment, which enables the determination of the evidential weight of digital evidence using factor analysis. The algorithm is designed to be used by judges to determine evidence admissibility in criminal proceedings. However, it should also be useful to investigators, prosecutors and defense lawyers for evaluating potential digital evidence before it is presented in court.
Albert Antwi-Boasiako, Hein Venter

Mobile and Embedded Device Forensics

Frontmatter
Classifying the Authenticity of Evaluated Smartphone Data
Abstract
Advances in smartphone technology coupled with the widespread use of smartphones in daily activities create large quantities of smartphone data. This data becomes increasingly important when smartphones are linked to civil or criminal investigations. As with all forms of digital data, smartphone data is susceptible to intentional or accidental alterations by users or installed applications. It is, therefore, essential to establish the authenticity of smartphone data before submitting it as evidence. Previous research has formulated a smartphone data evaluation model, which provides a methodical approach for evaluating the authenticity of smartphone data. However, the smartphone data evaluation model only stipulates how to evaluate smartphone data without providing a formal outcome about the authenticity of the data.
This chapter proposes a new classification model that provides a grade of authenticity for evaluated smartphone data along with a measure of the completeness of the evaluation. Experimental results confirm the effectiveness of the proposed model in classifying the authenticity of smartphone data.
Heloise Pieterse, Martin Olivier, Renier van Heerden
Retrofitting Mobile Devices for Capturing Memory-Resident Malware Based on System Side-Effects
Abstract
Sophisticated memory-resident malware that targets mobile phone platforms can be extremely difficult to detect and capture. However, triggering volatile memory captures based on observable system side-effects exhibited by malware can harvest live memory that contains memory-resident malware. This chapter describes a novel approach for capturing memory-resident malware on an Android device for future analysis. The approach is demonstrated by making modifications to the Android debuggerd daemon to capture memory while a vulnerable process is being exploited on a Google Nexus 5 phone. The implementation employs an external hardware device to store a memory capture after successful exfiltration from the compromised mobile device.
Zachary Grimmett, Jason Staggs, Sujeet Shenoi
A Targeted Data Extraction System for Mobile Devices
Abstract
Smartphones contain large amounts of data that are of significant interest in forensic investigations. In many situations, a smartphone owner may be willing to provide a forensic investigator with access to data under a documented consent agreement. However, for privacy or personal reasons, not all the smartphone data may be extracted for analysis. Courts have also opined that only data relevant to the investigation at hand may be extracted.
This chapter describes the design and implementation of a targeted data extraction system for mobile devices. It assumes user consent and implements state-of-the-art filtering using machine learning techniques. The system can be used to identify and extract selected data from smartphones in real time at crime scenes. Experiments conducted with iOS and Android devices demonstrate the utility of the targeted data extraction system.
Sudhir Aggarwal, Gokila Dorai, Umit Karabiyik, Tathagata Mukherjee, Nicholas Guerra, Manuel Hernandez, James Parsons, Khushboo Rathi, Hongmei Chi, Temilola Aderibigbe, Rodney Wilson
Exploiting Vendor-Defined Messages in the USB Power Delivery Protocol
Abstract
The USB Power Delivery protocol enables USB-connected devices to negotiate power delivery and exchange data over a single connection such as a USB Type-C cable. The protocol incorporates standard commands; however, it also enables vendors to add non-standard commands called vendor-defined messages. These messages are similar to the vendor-specific commands in the SCSI protocol, which enable vendors to specify undocumented commands to implement functionality that meets their needs. Such commands can be employed to enable firmware updates, memory dumps and even backdoors.
This chapter analyzes vendor-defined message support in devices that employ the USB Power Delivery protocol, the ultimate goal being to identify messages that could be leveraged in digital forensic investigations to acquire data stored in the devices.
Gunnar Alendal, Stefan Axelsson, Geir Olav Dyrkolbotn
Detecting Anomalies in Programmable Logic Controllers Using Unsupervised Machine Learning
Abstract
Supervisory control and data acquisition systems have been employed for decades to communicate with and coordinate industrial processes. These systems incorporate numerous programmable logic controllers that manage the operations of industrial equipment based on sensor information. Due to the important roles that programmable logic controllers play in industrial facilities, these microprocessor-based systems are exposed to serious cyber threats.
This chapter describes an innovative methodology that leverages unsupervised machine learning to monitor the states of programmable logic controllers to uncover latent defects and anomalies. The methodology, which employs a one-class support vector machine, is able to detect anomalies without being bound to specific scenarios or requiring detailed knowledge about the control logic. A case study involving a traffic light simulation demonstrates that anomalies are detected with high accuracy, enabling the prompt mitigation of the underlying problems.
Chun-Fai Chan, Kam-Pui Chow, Cesar Mak, Raymond Chan

Filesystem Forensics

Frontmatter
Creating a Map of User Data in NTFS to Improve File Carving
Abstract
Digital forensics and, especially, file carving are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512 B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions varies between 12% and 41% in an NTFS partition. The probability map can be used by a forensic analyst to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster.
Martin Karresand, Asalena Warnqvist, David Lindahl, Stefan Axelsson, Geir Olav Dyrkolbotn
Analyzing Windows Subsystem for Linux Metadata to Detect Timestamp Forgery
Abstract
Timestamp patterns assist forensic analysts in detecting user activities, especially operations performed on files and folders. However, the Windows Subsystem for Linux feature in Windows 10 versions 1607 and later enables users to access and manipulate NTFS files using Linux command-line tools within the Bash shell. Therefore, forensic analysts should consider the timestamp patterns generated by file operations performed using Windows command-line utilities and Linux tools within the Bash shell.
This chapter describes the identification of timestamp patterns of various file operations in stand-alone NTFS and Ext4 filesystems as well as file interactions between the filesystems. Experiments are performed to analyze the anti-forensic capabilities of file timestamp changing utilities – called timestomping tools – on NTFS and Ext4 filesystems. The forensic implications of timestamp patterns and timestomping are also discussed.
Bhupendra Singh, Gaurav Gupta

Image Forensics

Frontmatter
Quick Response Encoding of Human Facial Images for Identity Fraud Detection
Abstract
Advancements in printing and scanning technology enable fraudsters to tamper with identity documents such as identity cards, drivers’ licenses, admit cards, examination hall tickets and academic transcripts. Several security features are incorporated in important identity documents to counter forgeries and verify genuineness, but these features are often lost in printed versions of the documents. At this time, a satisfactory method is not available for authenticating a person’s facial image (photograph) in a printed version of a document. Typically, an official is required to check the person’s image against an image stored in an online verification database, which renders the problem even more challenging.
This chapter presents an automated, low-cost and efficient method for addressing the problem. The method employs printed quick response codes corresponding to low-resolution facial images to authenticate the original and printed versions of identity documents.
Shweta Singh, Saheb Chhabra, Garima Gupta, Monika Gupta, Gaurav Gupta
Using Neural Networks for Fake Colorized Image Detection
Abstract
Modern colorization techniques can create artificially-colorized images that are indistinguishable from natural color images. As a result, the detection of fake colorized images is attracting the interest of the digital forensics research community. This chapter tackles the challenge by introducing a detection approach that leverages neural networks. It analyzes the statistical differences between fake colorized images and their corresponding natural images, and shows that significant differences exist. A simple, but effective, feature extraction technique is proposed that utilizes cosine similarity to measure the overall similarity of normalized histogram distributions of various channels for natural and fake images. A special neural network with a simple structure but good performance is trained to detect fake colorized images. Experiments with datasets containing fake colorized images generated by three state-of-the-art colorization techniques demonstrate the performance and robustness of the proposed approach.
Yuze Li, Yaping Zhang, Liangfu Lu, Yongheng Jia, Jingcheng Liu

Forensic Techniques

Frontmatter
Digital Forensic Atomic Force Microscopy of Semiconductor Memory Arrays
Abstract
Atomic force microscopy is an analytical technique that provides very high spatial resolution with independent measurements of surface topography and electrical properties. This chapter assesses the potential for atomic force microscopy to read data stored as local charges in the cells of memory chips, with an emphasis on simple sample preparation (“delidding”) and imaging of the topsides of chip structures, thereby avoiding complex and destructive techniques such as backside etching and polishing. Atomic force microscopy measurements of a vintage EPROM chip demonstrate that imaging is possible even when sample cleanliness, stability and topographical roughness are decidedly sub-optimal. As feature sizes slip below the resolution limits of optical microscopy, atomic force microscopy offers a promising route for functional characterization of semiconductor memory structures in RAM chips, microprocessors and cryptographic hardware.
Struan Gray, Stefan Axelsson
Timeline Visualization of Keywords
Abstract
Visualizations of communications between actors are typically presented as actor interactions or as plots of the dates and times when the communications occurred. These visualizations are valuable to forensic analysts; however, they do not provide an understanding of the general flow of the discussed topics, which are identified by keywords or keyphrases. The ability to view the content of a corpus as a timeline of discussion topics can provide clues to when certain topics became more prevalent in the discussion, when topics disappeared from the discussion and which topics are outliers in the corpus. This, in turn, may help discover related topics and times that can be used as clues in further analyses. The goal is to provide a forensic analyst with assistance in systematically reviewing data, eliminating the need to manually examine large amounts of communications.
This chapter focuses on the timeline-based visualization of keywords in a text corpus. The proposed technique employs automated keyword extraction and clustering to produce a visual summary of topics recorded from the content of an email corpus. Topics are regarded as keywords and are placed on a timeline for visual inspection. Links are placed between topics as the timeline progresses. Placing topics on a timeline makes it easier to discover patterns of communication about specific topics instead of merely focusing on general discussion patterns. The technique complements existing visualization techniques by enabling a forensic analyst to concentrate on the most interesting portions of a corpus.
Wynand van Staden
Determining the Forensic Data Requirements for Investigating Hypervisor Attacks
Abstract
Hardware/server virtualization is commonly employed in cloud computing to enable ubiquitous access to shared system resources and provide sophisticated services. The virtualization is typically performed by a hypervisor, which provides mechanisms that abstract hardware and system resources from the operating system. However, hypervisors are complex software systems with many vulnerabilities. This chapter analyzes recently-discovered vulnerabilities associated with the Xen and KVM open-source hypervisors, and develops their attack profiles in terms of hypervisor functionality (attack vectors), attack types and attack sources. Based on the large number of vulnerabilities related to hypervisor functionality, two sample attacks leveraging key attack vectors are investigated. The investigation clarifies the evidence coverage for detecting attacks and the missing evidence needed to reconstruct attacks.
Changwei Liu, Anoop Singhal, Ramaswamy Chandramouli, Duminda Wijesekera
Metadata
Title
Advances in Digital Forensics XV
edited by
Prof. Gilbert Peterson
Dr. Sujeet Shenoi
Copyright year
2019
Electronic ISBN
978-3-030-28752-8
Print ISBN
978-3-030-28751-1
DOI
https://doi.org/10.1007/978-3-030-28752-8