Skip to main content
main-content

Über dieses Buch

This book provides a valuable reference for digital forensics practitioners and cyber security experts operating in various fields of law enforcement, incident response and commerce. It is also aimed at researchers seeking to obtain a more profound knowledge of Digital Forensics and Cybercrime. Furthermore, the book is an exceptional advanced text for PhD and Master degree programmes in Digital Forensics and Cyber Security. Each chapter of this book is written by an internationally-renowned expert who has extensive experience in law enforcement, industry and academia.

The increasing popularity in the use of IoT devices for criminal activities means that there is a maturing discipline and industry around IoT forensics. As technology becomes cheaper and easier to deploy in an increased number of discrete, everyday objects, scope for the automated creation of personalised digital footprints becomes greater. Devices which are presently included within the Internet of Things (IoT) umbrella have a massive potential to enable and shape the way that humans interact and achieve objectives. These also forge a trail of data that can be used to triangulate and identify individuals and their actions. As such, interest and developments in autonomous vehicles, unmanned drones and ‘smart’ home appliances are creating unprecedented opportunities for the research communities to investigate the production and evaluation of evidence through the discipline of digital forensics.

Inhaltsverzeichnis

Frontmatter

Emulation Versus Instrumentation for Android Malware Detection

Abstract
In resource constrained devices, malware detection is typically based on offline analysis using emulation. An alternative to such emulation is malware analysis based on code that is executed on an actual device. In this research, we collect features from a corpus of Android malware using both emulation and on-phone instrumentation. We train machine learning models using the emulator-based features and we train models on features collected via instrumentation, and we compare the results obtained in these two cases. We obtain strong detection and classification results, and our results improve slightly on previous work. Consistent with previous work, we find that emulation fails for a significant percentage of malware applications. However, we also find that emulation fails to extract useful features from an even larger percentage of benign applications. We show that for applications that are amenable to emulation, malware detection and classification rates based on emulation are consistently within 1% of those obtained using more intrusive and costly on-phone analysis. We also show that emulation failures are easily explainable and appear to have little to do with malware writers employing anti-emulation techniques, contrary to claims made in previous research. Among other contributions, this work points to a lack of sophistication in Android malware.
Anukriti Sinha, Fabio Di Troia, Philip Heller, Mark Stamp

Towards a Generic Approach of Quantifying Evidence Volatility in Resource Constrained Devices

Abstract
Forensic investigations of the Internet of Things (IoT) is often assumed to be a combination of existing cloud, network, and device forensics. Resource constraints in many of the peripheral things, however, are affecting the volatility of the potential forensic evidence, and evidence dynamics. This represents a major challenge for forensic investigations. In this chapter, we study the dynamics of volatile and non-volatile memory in IoT devices, with the Contiki operating system as an example. We present a way forward to quantifying volatility during the evidence identification phase of a forensic investigation. Volatility is expressed as the expected time before potential evidence disappears. This chapter aims to raise awareness and give a deeper understanding of the impact of IoT resource constraints on volatility and the dynamics of forensic evidence. We exemplify in which way volatility can be quantified for a popular operating system and provide a path forward to generalize this approach. The quantification of the volatility of potential evidence helps investigators to prioritize acquisition and examination tasks to maximize the likelihood of collecting relevant evidence from resource-constrained devices. Our work contributes to establishing a scientific base for evidence volatility and evidence dynamics in IoT devices. It strengthens methods for on-scene triage, event reconstruction, and for assessing the reliability of evidence findings.
Jens-Petter Sandvik, Katrin Franke, André Årnes

Application of Artificial Intelligence and Machine Learning in Producing Actionable Cyber Threat Intelligence

Abstract
Cyber Threat Intelligence (CTI) can be used by organisations to assist their security teams in safeguarding their networks against cyber-attacks. This can be achieved by including threat data feeds into their networks or systems. However, despite being an effective Cyber Security (CS) tool, many organisations do not sufficiently utilise CTI. This is due to a number of reasons such as not fully understanding how to manage a daily flood of data filled with extraneous information across their security systems. This adds an additional layer of complexity to the tasks performed by their security teams who might not have the appropriate tools or sufficient skills to determine what information to prioritise and what information to disregard. Therefore, to help address the stated issue, this paper aims firstly to provide an in-depth understanding of what CTI is and how it can benefit organisations, and secondly to deliver a brief analysis of the application of Artificial Intelligence and Machine Learning in generating actionable CTI. The key contribution of this paper is that it assists organisations in better understanding their approach to CTI, which in turn will enable them to make informed decisions in relation to CTI.
Reza Montasari, Fiona Carroll, Stuart Macdonald, Hamid Jahankhani, Amin Hosseinian-Far, Alireza Daneshkhah

Drone Forensics: The Impact and Challenges

Abstract
Unmanned aerial vehicles (UAV) have surged in popularity over the last few years. With this, crime involving drones has also dramatically increased. Therefore, there is a dire need of successful Drone programmes that significantly would lower the amount of crime being committed involving Drone devices. Drone forensics is a concept that is less well known or documented. Research has shown that there have been Drone Forensic programmes to support the forensics investigations, however, many have failed for a few reasons such as the lack of understanding of the technology or other limited resources. It is also known within the Digital Forensics community that Anti-Forensics techniques are constant threats and hinder investigations, resulting in less convictions. This study aims to ascertain exactly what data can be extracted from UAV devices (Drones), the usefulness of this data, and whether consumers are able to obfuscate the data in efforts to evade detection (i.e. Anti-forensics techniques). A number of primary and secondary datasets have been utilised in this research. Primary data includes carrying out a flight using a UAV device and consequently analysing the resulting data and an interview with a qualified Digital Forensic Analyst. Secondary data was gained from VTO Labs, recommended by NIST which was able to be interrogated in order to deliver interesting results. This study found that Drones have the ability to hold a wealth of evidence that could potentially be very useful to assist forensics investigations. This included the flight path of the Drone, date and time of flight, altitude, home-point and alerts to inform whether the Drone was near restricted airspace such as airports (No Fly Zones). Moreover, it was found that it is possible for the manufacturers to build in Anti-Forensics software into their devices, but it would not be possible for a consumer to utilise such techniques.
S. Atkinson, G. Carr, C. Shaw, S. Zargari

Intrusion Detection and CAN Vehicle Networks

Abstract
In this chapter, we consider intrusion detection systems (IDS) in the context of an automotive controller area network (CAN), which is also known as the CAN bus. We provide a discussion of various IDS topics, including masquerade detection, and we include a selective survey of previous research involving IDS in a CAN network. We also discuss background topics and relevant practical issues, such as data collection on the CAN bus. Finally, we present experimental results where we have applied a variety of machine learning techniques to CAN data. We use both real and simulated data, and we conduct experiments to determine the status of a vehicle from its network packets, as well as to detect masquerading behavior on a CAN network.
Ashraf Saber, Fabio Di Troia, Mark Stamp

Cloud Computing Security: Hardware-Based Attacks and Countermeasures

Abstract
Despite its many technological and economic benefits, Cloud Computing poses complex security threats resulting from the use of virtualisation technology. Compromising the security of any component in the cloud virtual infrastructure will negatively affect the security of other elements and so impact the overall system security. By characterising the diversity of cyber-attacks carried out in the Cloud, this paper aims to provide an analysis of both common and underexplored security threats associated with the cloud from a technical viewpoint. Accordingly, the paper will suggest emerging solutions that can help to address such threats. The paper also offers future research directions for cloud security that we hope can inspire the research community to develop more effective security solutions for cloud systems.
Reza Montasari, Alireza Daneshkhah, Hamid Jahankhani, Amin Hosseinian-Far

Aspects of Biometric Security in Internet of Things Devices

Abstract
This chapter provides detailed insight into the general mechanisms utilized for biometric application in Internet of things devices. The mechanisms and internal working of these biometric technologies presented in this chapter are focused specifically on the applicability in IOT devices. IOT devices incorporates various scanners and sensors to allow the IOT device to biometrically interact with a human being. These scanners and sensors were primary designed to facilitate and ease user interaction with the IOT device in an effort to make the day to day usability of the IOT device faster and easier if you may. It must be noted that every biometric technology has certain strengths, but indeed, also certain noteworthy shortcomings. It is often these shortcomings that get exploited in a security subversion attempt. This chapter introduces and discusses the various biometric technologies used in IOT devices. Attention is given to the software and the hardware aspects of each biometric system. The generic working of these biometric technologies is presented. Attention is given to legacy biometric technology implemented on IOT devices, currently used biometric technology implemented on IOT devices, and finally, possible future biometric applications of biometric technology destined for IOT devices. In conclusion practical examples of biometric subversion on IOT devices such as fingerprint, facial and voice biometric subversion and hacking, will be investigated, discussed and evaluated.
Bobby L. Tait

Evaluating Multi-layer Security Resistance to Adversarial Hacking Attacks on Industrial Internet of Things Devices

Abstract
A primary concern of Industrial Internet of Things (IIoT) users is the threat of loss of valuable Intellectual Property (IP) through insecure operational device security. Whilst robust levels of security are technically possible, the approaches taken to ensure resistance to adversarial attacks can lack practicality in terms of implementation. IIoT devices use constrained hardware which can limit the extent to which data can be stored, processed or communicated and this can potentially increase the vulnerability of a system as additional IIoT devices are introduced. We explore the use of a multi-layer approach to security that produces an exhaust-trail of digital evidence at different levels, depending on the characteristics of the system attack. This approach is then evaluated with respect to common categories of system breach, and a set of characteristics and considerations for system designers is presented.
Hussain Al-Aqrabi, Richard Hill

Establishing Trustworthy Relationships in Multiparty Industrial Internet of Things Applications

Abstract
The uptake of smart devices in the manufacturing industry is accelerating as technological advancements enable hardware to become cheaper and more accessible. A primary concern for manufacturing companies, as well as those in the associated logistics supply chains, is how to establish trust between smart devices, such that the delegation of transactional responsibility and accountability, which is required for Industry 4.0, can be facilitated in a secure and sustainable manner. Trustworthy systems enable enhanced manufacturing operations to occur securely, while also providing a robust audit trail of digital evidence to support any future investigations into allegations of system breaches. This chapter examines a specific type of trust relationship that regularly occurs in supply chains—multiparty authentication—and proposes a framework that encompasses both the human and technical factors that must be considered to engender trustworthy relationships between IIoT devices and organisational operations technology.
Oghenefejiro Bello, Hussain Al-Aqrabi, Richard Hill

IoT Forensics: An Overview of the Current Issues and Challenges

Abstract
The pursuit of cybercrime in an IoT environment often requires complex investigations where the traditional digital forensics methodology may struggle to support the forensics investigators. This is due to the nature of the technologies such as RFID, sensors and cloud computing, used in IoT environments together with the huge volume and heterogeneous information and borderless cyber infrastructure, rising new challenges in modern digital forensics. In the last few years, many researches have been conducted discussing the challenges facing digital forensic investigators and the impact of these challenges bring upon the field. Some of these challenges include the ambiguity of data location, data acquisition, diversity of devices, various data types, volatility of data and the lack of adequate forensics tools. Moreover, while there are many technical challenges in IoT forensics, there are also non-technical challenges such as determining what are IoT devices, how to forensically acquire data and secure the chain of custody among other unexplored areas, including resources required for training or the type of applied forensics tools. A profound understanding of the challenges found in the literature will help the researchers in identifying future research directions and provide some guidelines to support forensics investigators. This study presents a succinct overview of IoT forensics challenges focusing on a typical smart home investigation and a comparison of the existing frameworks to conduct forensics investigations in the IoT environment.
T. Janarthanan, M. Bagheri, S. Zargari

Making the Internet of Things Sustainable: An Evidence Based Practical Approach in Finding Solutions for yet to Be Discussed Challenges in the Internet of Things

Abstract
The Internet of Things (IoT) is well on its way to forming a fully digitalised society. Whilst IoT provides opportunities which other technology cannot, the enormous amount of responsibility also means it can be the key to access critical infrastructure. IoT is insecure by nature, is a gateway to the network, can be deployed in safety-critical areas and can generate substantial amounts of detailed data. Traditional approaches to protecting IoT is inefficient as the very limitations means best practices and standards are ineffective when being applied to the IoT environment. This study argues that work needs to be shifted from security and privacy to consumer safety and software sustainability. The impact of IoT is largely uncertain and the technology is redefining new areas of research which have yet to be addressed. Standards and regulations are an essential part to the integrity of sustainability and safety, but it is clear that they are currently too fragmented and are not able to keep up with the emerging technology. This study aims to highlight the underlying issues which other studies have missed, and to provide solutions which can be applied in future work. In order to let IoT be beneficial we must force organisations and crowd-funded projects to employ secure-by-default into the design phase of their product and only then will IoT be able to thrive into what it should be.
Benjamin Newman, Ameer Al-Nemrat
Weitere Informationen

Premium Partner