Digital Forensics and Cyber Crime

In the field of unstructured memory analysis, the context-unaware detection of function boundaries leads to meaningful insights. For instance, in the field of binary analysis, those structures yield further inference, e.g., identifying binaries known to be bad. However, recent publications discuss different strategies for the problem of function boundary detection and consider it to be a difficult problem. One of the reasons is that the detection process depends on a quantity of parameters including the used architecture, programming language and compiler parameters. Initially a typical memory carving approach transfers the paradigm of signature-based detection techniques from the mass storage analysis to memory analysis. To automate and generalise the signature matching, signature-based recognition approaches have been extended by machine learning algorithms. Recently a review of function detection approaches claims that the results are possibly biased by large portions of shared code between the used samples. In this work we reassess the application of recently discussed machine learning based function detection approaches. We analyse current approaches in the context of memory carving with respect to both their efficiency and their effectiveness. We show the capabilities of function start identification by reducing the features to vectorised mnemonics. In all this leads to a significant reduction of runtime by keeping a high value of accuracy and a good value of recall.

The term anti-forensics refers to any attempt to hinder or even prevent the digital forensics process. Common attempts are to hide, delete or alter digital information and thereby threaten the forensic investigation. A prominent anti-forensic paradigm is hiding data on different abstraction layers, e.g., the filesystem layer. In modern filesystems, private data can be hidden in many places, taking advantage of the structural and conceptual characteristics of each filesystem. In most cases, however, the source code and the theoretical approach of a particular hiding technique is not accessible and thus maintainability and reproducibility of the anti-forensic tool is not guaranteed. In this paper, we present fishy, a framework designed to implement and analyze different filesystem-based data hiding techniques. fishy is implemented in Python and collects various common exploitation methods that make use of existing data structures on the filesystem layer. Currently, the framework is able to hide data within ext4, FAT and NTFS filesystems using different hiding techniques and thus serves as a toolkit of established anti-forensic methods on the filesystem layer. fishy was built to support the exploration and collection of various hiding techniques and ensure the reproducibility and expandability with its publicly available source code. The construction of a modular framework played an important role in the design phase. In addition to the description of the actual framework, its current state, its use, and its easy expandability, we also present some hiding techniques for various filesystems and discuss possible future extensions of our framework.

Cryptocurrencies have gained wide adoption by enthusiasts and investors. In this work, we examine seven different Android cryptowallet applications for forensic artifacts, but we also assess their security against tampering and reverse engineering. Some of the biggest benefits of cryptocurrency is its security and relative anonymity. For this reason it is vital that wallet applications share the same properties. Our work, however, indicates that this is not the case. Five of the seven applications we tested do not implement basic security measures against reverse engineering. Three of the applications stored sensitive information, like wallet private keys, insecurely and one was able to be decrypted with some effort. One of the applications did not require root access to retrieve the data. We were also able to implement a proof-of-concept trojan which exemplifies how a malicious actor may exploit the lack of security in these applications and exfiltrate user data and cryptocurrency.

Over the years there has been a significant increase in the exploitation of the security vulnerabilities of Windows operating systems, the most severe threat being malicious software (malware). Ransomware, a variant of malware which encrypts files and retains the decryption key for ransom, has recently proven to become a global digital epidemic. The current method of mitigation and propagation of malware and its variants, such as anti-viruses, have proven ineffective against most Ransomware attacks. Theoretically, Ransomware retains footprints of the attack process in the Windows Registry and the volatile memory of the infected machine. Digital Forensic Readiness (DFR) processes provide mechanisms for the pro-active collection of digital footprints. This study proposed the integration of DFR mechanisms as a process to mitigate Ransomware attacks. A detailed process model of the proposed DFR mechanism was evaluated in compliance with the ISO/IEC 27043 standard. The evaluation revealed that the proposed mechanism has the potential to harness system information prior to, and during a Ransomware attack. This information can then be used to potentially decrypt the encrypted machine. The implementation of the proposed mechanism can potentially be a major breakthrough in mitigating this global digital endemic that has plagued various organizations. Furthermore, the implementation of the DFR mechanism implies that useful decryption processes can be performed to prevent ransom payment.

Currently on-line gaming represents a severe threat to the forensic community, as criminals have started to use on-line gaming as communication channels instead of traditional channels like WhatsApp or Facebook. In this paper, we describe a methodology developed after conducting an in-depth digital forensic analysis of the central artifacts of a popular video-game - Counter Strike Nexon Zombies video-game (Steam platform) - where valuable artifacts are those that related to the chatting features of the game. For our research we analyzed the network, volatile, and disk captures for two generated cases and focused on chat-feature inside and outside of the in-game rounds and the live chat done through YouTube Live Streaming. Our results provide the forensic community a complete guideline that can be used when dealing with a real criminal case in which there is a Steam video-game involved. Besides the forensic analysis, we found a security vulnerability (session hijacking) which was reported to the game manufacturer as soon it was discovered.

This paper describes a digital forensic investigation and verification model for industrial espionage (DEIV-IE) focusing on insider data thefts at the company level. This model aims to advance the state-of practice in forensic investigation and to verify evidence sufficiency of industrial espionage cases by incorporating the crime specific features and analysis techniques of digital evidence. The model is structured with six phases: file reduction, file classification, crime feature identification, evidence mapping, evidence sufficiency verification, and documentations. In particular, we focus on characterizing crime features that have multiple aspects of commonalities in crime patterns in industrial espionage; and the evidence sufficiency verification that is a verification procedure for digital evidence sufficiency for court decision using these crime features. This model has been developed based on analysis of five industrial espionage cases and the literature review, being validated with three additional cases in terms of the effectiveness of the model.

With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.

Associations between drive images can be important in many forensic investigations, particularly those involving organizations, conspiracies, or contraband. This work investigated metrics for comparing drives based on the distributions of 18 types of clues. The clues were email addresses, phone numbers, personal names, street addresses, possible bank-card numbers, GPS data, files in zip archives, files in rar archives, IP addresses, keyword searches, hash values on files, words in file names, words in file names of Web sites, file extensions, immediate directories of files, file sizes, weeks of file creation times, and minutes within weeks of file creation. Using a large corpus of drives, we computed distributions of document association using the cosine similarity TF/IDF formula and Kullback-Leibler divergence formula. We provide significance criteria for similarity based on our tests that are well above those obtained from random distributions. We also compared similarity and divergence values, investigated the benefits of filtering and sampling the data before measuring association, examined the similarities of the same drive at different times, and developed useful visualization techniques for the associations.

Ontological data representation and data normalization can provide a structured way to correlate digital artifacts and reduce the amount of data that a forensics investigator needs to process in order to understand the sequence of events that happened on a system. However, ontology processing suffers from large disk consumption and a high computational cost. This paper presents Property Graph Event Reconstruction (PGER), a data normalization and event correlation system that utilizes a native graph database to store event data. This storage method leverages zero index traversals. PGER reduces the processing time of event correlation grammars by up to a factor of 9.9 times over a system that uses a relational database based approach.

While authentication has been widely studied, designing secure and efficient authentication schemes for various applications remains challenging. In this paper, we propose a self-adaptive authentication mechanism, Multi-item Passphrases, which is designed to mitigate offline password-guessing attacks. For example, “11th July 2018, Nanjing, China, San Antonio, Texas, research” is a multi-item passphrase. It dynamically monitors items and identifies frequently used items. Users will then be alerted when there is need to change their passphrases based on the observed trend (e.g., when a term used in the passphrase consists of a popular item). We demonstrate the security and effectiveness of the proposed scheme in resisting offline guessing attacks, and in particular using simulations to show that schemes based on multi-item passphrases achieve higher security and better usability than those using passwords and diceware passphrases.

Computer worms are characterized by rapid propagation and intrusive network disruption. In this work, we analyze the network behavior of five Internet worms: Sasser, Slammer, Eternal Rocks, WannaCry, and Petya. Through this analysis, we use a deep neural network to successfully classify network traces of these worms along with normal traffic. Our hybrid approach includes a visualization that allows for further analysis and tracing of the network behavior of detected worms.