National Security Law Commons^™

Forensic Analysis Of Smartphone Applications For Privacy Leakage, Diana Hintea, Chrysanthi Taramonli, Robert Bird, Rezhna Yusuf

Annual ADFSL Conference on Digital Forensics, Security and Law

Smartphone and tablets are personal devices that have diffused to near universal ubiquity in recent years. As Smartphone users become more privacy-aware and -conscious, research is needed to understand how “leakage” of private information (personally identifiable information – PII) occurs. This study explores how leakage studies in Droid devices should be adapted to Apple iOS devices. The OWASP Zed Attack Proxy (ZAP) is examined for 50 apps in various categories. This study confirms that: (1) most apps transmit unencrypted sensitive PII, (2) SSL is used by some recipient websites, but without corresponding app compliance with SSL, and (3) most apps …

Malware In The Mobile Device Android Environment, Diana Hintea, Robert Bird, Andrew Walker

Annual ADFSL Conference on Digital Forensics, Security and Law

exploit smartphone operating systems has exponentially expanded. Android has become the main target to exploit due to having the largest install base amongst the smartphone operating systems and owing to the open access nature in which application installations are permitted. Many Android users are unaware of the risks associated with a malware infection and to what level current malware scanners protect them. This paper tests how efficient the currently available malware scanners are. To achieve this, ten representative Android security products were selected and tested against a set of 5,560 known and categorized Android malware samples. The tests were carried …

One-Time Pad Encryption Steganography System, Michael J. Pelosi, Gary Kessler, Michael Scott S. Brown

Annual ADFSL Conference on Digital Forensics, Security and Law

In this paper we introduce and describe a novel approach to adaptive image steganography which is combined with One-Time Pad encryption, and demonstrate the software which implements this methodology. Testing using the state-of-the-art steganalysis software tool StegExpose concludes the image hiding is reliably secure and undetectable using reasonably-sized message payloads (≤25% message bits per image pixel; bpp). Payload image file format outputs from the software include PNG, BMP, JP2, JXR, J2K, TIFF, and WEBP. A variety of file output formats is empirically important as most steganalysis programs will only accept PNG, BMP, and possibly JPG, as the file inputs.

Keywords: …

Inferring Previously Uninstalled Applications From Residual Partial Artifacts, Jim Jones, Tahir Khan, Kathryn Laskey, Alex Nelson, Mary Laamanen, Douglas White

Annual ADFSL Conference on Digital Forensics, Security and Law

In this paper, we present an approach and experimental results to suggest the past presence of an application after the application has been uninstalled and the system has remained in use. Current techniques rely on the recovery of intact artifacts and traces, e.g., whole files, Windows Registry entries, or log file entries, while our approach requires no intact artifact recovery and leverages trace evidence in the form of residual partial files. In the case of recently uninstalled applications or an instrumented infrastructure, artifacts and traces may be intact and complete. In most cases, however, digital artifacts and traces are al- …

Covert6: A Tool To Corroborate The Existence Of Ipv6 Covert Channels, Raymond A. Hansen, Lourdes Gino, Dominic Savio

Annual ADFSL Conference on Digital Forensics, Security and Law

Covert channels are any communication channel that can be exploited to transfer information in a manner that violates the system’s security policy. Research in the field has shown that, like many communication channels, IPv4 and the TCP/IP protocol suite have been susceptible to covert channels, which could be exploited to leak data or be used for anonymous communications. With the introduction of IPv6, researchers are acutely aware that many vulnerabilities of IPv4 have been remediated in IPv6. However, a proof of concept covert channel system was demonstrated in 2006. A decade later, IPv6 and its related protocols have undergone major …

Applying Grounded Theory Methods To Digital Forensics Research, Ahmed Almarzooqi, Andrew Jones, Richard Howley

Annual ADFSL Conference on Digital Forensics, Security and Law

Deciding on a suitable research methodology is challenging for researchers. In this paper, grounded theory is presented as a systematic and comprehensive qualitative methodology in the emergent field of digital forensics research. This paper applies grounded theory in a digital forensics research project undertaken to study how organisations build and manage digital forensics capabilities. This paper gives a step-by-step guideline to explain the procedures and techniques of using grounded theory in digital forensics research. The paper gives a detailed explanation of how the three grounded theory coding methods (open, axial, and selective coding) can be used in digital forensics research. …

Using Computer Behavior Profiles To Differentiate Between Users In A Digital Investigation, Shruti Gupta, Marcus Rogers

Annual ADFSL Conference on Digital Forensics, Security and Law

Most digital crimes involve finding evidence on the computer and then linking it to a suspect using login information, such as a username and a password. However, login information is often shared or compromised. In such a situation, there needs to be a way to identify the user without relying exclusively on login credentials. This paper introduces the concept that users may show behavioral traits which might provide more information about the user on the computer. This hypothesis was tested by conducting an experiment in which subjects were required to perform common tasks on a computer, over multiple sessions. The …

Acceleration Of Statistical Detection Of Zero-Day Malware In The Memory Dump Using Cuda-Enabled Gpu Hardware, Igor Korkin, Iwan Nesterow

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper focuses on the anticipatory enhancement of methods of detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks which use malware. In this paper, we will present first an idea of the highest stealth malware, as this is the most complicated scenario for detection because it combines both existing anti-forensic techniques together with their potential improvements. Second, we will present new detection methods which are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows’ memory content using a new method of Shannon Entropy calculation; methods of …

Current Challenges And Future Research Areas For Digital Forensic Investigation, David Lillis, Brett A. Becker, Tadhg O’Sullivan, Mark Scanlon

Annual ADFSL Conference on Digital Forensics, Security and Law

Given the ever-increasing prevalence of technology in modern life, there is a corresponding increase in the likelihood of digital devices being pertinent to a criminal investigation or civil litigation. As a direct consequence, the number of investigations requiring digital forensic expertise is resulting in huge digital evidence backlogs being encountered by law enforcement agencies throughout the world. It can be anticipated that the number of cases requiring digital forensic analysis will greatly increase in the future. It is also likely that each case will require the analysis of an increasing number of devices including computers, smartphones, tablets, cloud-based services, Internet …

Forensic Analysis Of Ares Galaxy Peer-To-Peer Network, Frank Kolenbrander, Nhien-An Le-Khac, Tahar Kechadi

Annual ADFSL Conference on Digital Forensics, Security and Law

Child Abuse Material (CAM) is widely available on P2P networks. Over the last decade several tools were made for 24/7 monitoring of peer-to-peer (P2P) networks to discover suspects that use these networks for downloading and distribution of CAM. For some countries the amount of cases generated by these tools is so great that Law Enforcement (LE) just cannot handle them all. This is not only leading to backlogs and prioritizing of cases but also leading to discussions about the possibility of disrupting these networks and sending warning messages to potential CAM offenders. Recently, investigators are reporting that they are creating …

Keynote Speaker, Chuck Easttom

Annual ADFSL Conference on Digital Forensics, Security and Law

Conference Keynote Speaker, Chuck Easttom

Tracking Criminals On Facebook: A Case Study From A Digital Forensics Reu Program, Daniel Weiss, Gary Warner

Annual ADFSL Conference on Digital Forensics, Security and Law

The 2014 Digital Forensics Research Experience for Undergraduates (REU) Program at the University of Alabama at Birmingham (UAB) focused its summer efforts on tracking criminal forums and Facebook groups. The UAB-REU Facebook team was provided with a list of about 60 known criminal groups on Facebook, with a goal to track illegal information posted in these groups and ultimately store the information in a searchable database for use by digital forensic analysts. Over the course of about eight weeks, the UAB-REU Facebook team created a database with over 400 Facebook groups conducting criminal activity along with over 100,000 unique users …

Towards A Digital Forensics Competency-Based Program: Making Assessment Count, Rose Shumba

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper describes an approach that UMUC has initiated to revise its graduate programs to a Competency-Based Education (CBE) curriculum. The approach, which is Learning Demonstration (LD) centric, includes the identification of learning goals and competences, identification and description of the LDs, mapping of the LDs to the competences, scripting the LDs, placing the LDs into the respective courses, validating the developed materials, and the development of the open learning resources. Programs in the Cybersecurity and Information Assurance Department, including the Digital Forensics and Cyber Investigations program, are being revised. An LD centric approach to curriculum development helps align programs …

Phishing Intelligence Using The Simple Set Comparison Tool, Jason Britt, Alan Sprague, Gary Warner

Annual ADFSL Conference on Digital Forensics, Security and Law

Phishing websites, phish, attempt to deceive users into exposing their passwords, user IDs, and other sensitive information by imitating legitimate websites, such as banks, product vendors, and service providers. Phishing investigators need fast automated tools to analyze the volume of phishing attacks seen today. In this paper, we present the Simple Set Comparison tool. The Simple Set Comparison tool is a fast automated tool that groups phish by imitated brand allowing phishing investigators to quickly identify and focus on phish targeting a particular brand. The Simple Set Comparison tool is evaluated against a traditional clustering algorithm over a month's worth …

Identifying Common Characteristics Of Malicious Insiders, Nan Liang, David Biros

Annual ADFSL Conference on Digital Forensics, Security and Law

Malicious insiders account for large proportion of security breaches or other kinds of loss for organizations and have drawn attention of both academics and practitioners. Although methods and mechanism have been developed to monitor potential insider via electronic data monitoring, few studies focus on predicting potential malicious insiders. Based on the theory of planned behavior, certain cues should be observed or expressed when an individual performs as a malicious insider. Using text mining to analyze various media content of existing insider cases, we strive to develop a method to identify crucial and common indicators that an individual might be a …

Continuous Monitoring System Based On Systems' Environment, Eli Weintraub, Yuval Cohen

Annual ADFSL Conference on Digital Forensics, Security and Law

We present a new framework (and its mechanisms) of a Continuous Monitoring System (CMS) having new improved capabilities, and discuss its requirements and implications. The CMS is based on the real-time actual configuration of the system and the environment rather than a theoretic or assumed configuration. Moreover, the CMS predicts organizational damages taking into account chains of impacts among systems' components generated by messaging among software components. In addition, the CMS takes into account all organizational effects of an attack. Its risk measurement takes into account the consequences of a threat, as defines in risk analysis standards. Loss prediction is …

Html5 Zero Configuration Covert Channels: Security Risks And Challenges, Jason Farina, Mark Scanlon, Stephen Kohlmann, Nhien-An Le-Khac, Tahar Kechadi

Annual ADFSL Conference on Digital Forensics, Security and Law

In recent months there has been an increase in the popularity and public awareness of secure, cloudless file transfer systems. The aim of these services is to facilitate the secure transfer of files in a peer-to-peer (P2P) fashion over the Internet without the need for centralized authentication or storage. These services can take the form of client installed applications or entirely web browser based interfaces. Due to the P2P nature, there is generally no limit to the file sizes involved or to the volume of data transmitted - and where these limitations do exist they will be purely reliant on …

Measuring Hacking Ability Using A Conceptual Expertise Task, Justin S. Giboney, Jeffrey G. Proudfoot, Sanjay Goel, Joseph S. Valacich

Annual ADFSL Conference on Digital Forensics, Security and Law

Hackers pose a continuous and unrelenting threat to organizations. Industry and academic researchers alike can benefit from a greater understanding of how hackers engage in criminal behavior. A limiting factor of hacker research is the inability to verify that self-proclaimed hackers participating in research actually possess their purported knowledge and skills. This paper presents current work in developing and validating a conceptual-expertise based tool that can be used to discriminate between novice and expert hackers. The implications of this work are promising since behavioral information systems researchers operating in the information security space will directly benefit from the validation of …

Invited Paper - A Profile Of Prolonged, Persistent Ssh Attack On A Kippo Based Honeynet, Craig Valli, Priya Rabadia, Andrew Woodard

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper is an investigation focusing on activities detected by SSH honeypots that utilised kippo honeypot software. The honeypots were located across a variety of geographical locations and operational platforms. The honeynet has suffered prolonged, persistent and attack from a /24 network which appears to be of Chinese geographical origin. In addition to these attacks, other attackers have been successful in compromising real hosts in a wide range of other countries that were subsequently involved in attacking the honeypot machines in the honeynet.

Keywords: Cyber Security, SSH, Secure Shell, Honeypots, Kippo

Inivited Paper - Potential Changes To Ediscovery Rules In Federal Court: A Discussion Of The Process, Substantive Changes And Their Applicability And Impact On Virginia Practice, Joseph J. Schwerha, Susan L. Mitchell, John W. Bagby

Annual ADFSL Conference on Digital Forensics, Security and Law

The Federal Rules of Civil Procedure (FRCP) are subject to a unique process also once used in revising the Federal Rules of Evidence (FRE). Today, this process is followed in revisions of the FRCP, the Federal Rules of Criminal Procedure and the Federal Bankruptcy Rules. This unique rulemaking process differs significantly from traditional notice and comment rulemaking required for a majority of federal regulatory agencies under the Administrative Procedure Act (APA).1 Most notably, rule-making for the federal courts’ procedural matters remain unaffected by the invalidation of legislative veto. It is still widely, but wrongly believed, that the legislative veto was …

On The Network Performance Of Digital Evidence Acquisition Of Small Scale Devices Over Public Networks, Irvin Homem, Spyridon Dosis

Annual ADFSL Conference on Digital Forensics, Security and Law

While cybercrime proliferates – becoming more complex and surreptitious on the Internet – the tools and techniques used in performing digital investigations are still largely lagging behind, effectively slowing down law enforcement agencies at large. Real-time remote acquisition of digital evidence over the Internet is still an elusive ideal in the combat against cybercrime. In this paper we briefly describe the architecture of a comprehensive proactive digital investigation system that is termed as the Live Evidence Information Aggregator (LEIA). This system aims at collecting digital evidence from potentially any device in real time over the Internet. Particular focus is made …

A Review Of Recent Case Law Related To Digital Forensics: The Current Issues, Kelly A. Cole, Shruti Gupta, Dheeraj Gurugubelli, Marcus K. Rogers

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital forensics is a new field without established models of investigation. This study uses thematic analysis to explore the different issues seen in the prosecution of digital forensic investigations. The study looks at 100 cases from different federal appellate courts to analyze the cause of the appeal. The issues are categorized into one of four categories, ‘search and seizure’, ‘data analysis’, ‘presentation’ and ‘legal issues’. The majority of the cases reviewed related to the search and seizure activity.

Keywords: Computer Investigation, Case Law, Digital Forensics, Legal Issues, and Courts

A New Cyber Forensic Philosophy For Digital Watermarks In The Context Of Copyright Laws, Vinod P. Bhattathiripad, Sneha Sudhakaran, Roshna K. Thalayaniyil

Annual ADFSL Conference on Digital Forensics, Security and Law

The objective of this paper is to propose a new cyber forensic philosophy for watermark in the context of copyright laws for the benefit of the forensic community and the judiciary worldwide. The paper first briefly introduces various types of watermarks, and then situates watermarks in the context of the ideaexpression dichotomy and the copyright laws. It then explains the forensic importance of watermarks and proposes a forensic philosophy for them in the context of copyright laws. Finally, the paper stresses the vital need to incorporate watermarks in the forensic tests to establish software copyright infringement and also urges the …

A Survey Of Software-Based String Matching Algorithms For Forensic Analysis, Yi-Ching Liao

Annual ADFSL Conference on Digital Forensics, Security and Law

Employing a fast string matching algorithm is essential for minimizing the overhead of extracting structured files from a raw disk image. In this paper, we summarize the concept, implementation, and main features of ten software-based string matching algorithms, and evaluate their applicability for forensic analysis. We provide comparisons between the selected software-based string matching algorithms from the perspective of forensic analysis by conducting their performance evaluation for file carving. According to the experimental results, the Shift-Or algorithm (R. Baeza-Yates & Gonnet, 1992) and the Karp-Rabin algorithm (Karp & Rabin, 1987) have the minimized search time for identifying the locations of …

Investigating Forensics Values Of Windows Jump Lists Data, Ahmad Ghafarian

Annual ADFSL Conference on Digital Forensics, Security and Law

Starting with Windows 7, Microsoft introduced a new feature to the Windows Operating Systems called Jump Lists. Jump Lists stores information about user activities on the host machine. These activities may include links to the recently visited web pages, applications executed, or files processed. Computer forensics investigators may find traces of misuse in Jump Lists auto saved files. In this research, we investigate the forensics values of Jump Lists data. Specifically, we use several tools to view Jump Lists data on a virtual machine. We show that each tool reveal certain types of information about user’s activity on the host …

An Empirical Comparison Of Widely Adopted Hash Functions In Digital Forensics: Does The Programming Language And Operating System Make A Difference?, Satyendra Gurjar, Ibrahim Baggili, Frank Breitinger, Alice Fischer

Annual ADFSL Conference on Digital Forensics, Security and Law

Hash functions are widespread in computer sciences and have a wide range of applications such as ensuring integrity in cryptographic protocols, structuring database entries (hash tables) or identifying known files in forensic investigations. Besides their cryptographic requirements, a fundamental property of hash functions is efficient and easy computation which is especially important in digital forensics due to the large amount of data that needs to be processed when working on cases. In this paper, we correlate the runtime efficiency of common hashing algorithms (MD5, SHA-family) and their implementation. Our empirical comparison focuses on C-OpenSSL, Python, Ruby, Java on Windows and …

Two Challenges Of Stealthy Hypervisors Detection: Time Cheating And Data Fluctuations, Igor Korkin

Annual ADFSL Conference on Digital Forensics, Security and Law

Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the …

Hot Zone Identification: Analyzing Effects Of Data Sampling On Spam Clustering, Rasib Khan, Mainul Mizan, Ragib Hasan, Alan Sprague

Annual ADFSL Conference on Digital Forensics, Security and Law

Email is the most common and comparatively the most efficient means of exchanging information in today's world. However, given the widespread use of emails in all sectors, they have been the target of spammers since the beginning. Filtering spam emails has now led to critical actions such as forensic activities based on mining spam email. The data mine for spam emails at the University of Alabama at Birmingham is considered to be one of the most prominent resources for mining and identifying spam sources. It is a widely researched repository used by researchers from different global organizations. The usual process …

Investigative Techniques Of N-Way Vendor Agreement And Network Analysis Demonstrated With Fake Antivirus, Gary Warner, Mike Nagy, Kyle Jones, Kevin Mitchem

Annual ADFSL Conference on Digital Forensics, Security and Law

Fake AntiVirus (FakeAV) malware experienced a resurgence in the fall of 2013 after falling out of favor after several high profile arrests. FakeAV presents two unique challenges to investigators. First, because each criminal organization running a FakeAV affiliate system regularly alters the appearance of their system, it is sometimes difficult to know whether an incoming criminal complaint or malware sample is related to one ring or the other. Secondly, because FakeAV is delivered in a “Pay Per Install” affiliate model, in addition to the ring-leaders of each major ring, there are many high-volume malware infection rings who are all using …

Work In Progress: An Architecture For Network Path Reconstruction Via Backtraced Ospf Lsdb Synchronization, Raymond A. Hansen

Annual ADFSL Conference on Digital Forensics, Security and Law

There has been extensive work in crime scene reconstruction of physical locations, and much is known in terms of digital forensics of computing devices. However, the network has remained a nebulous combination of entities that are largely ignored during an investigation due to the transient nature of the data that flows through the networks. This paper introduces an architecture for network path reconstruction using the network layer reachability information shared via OSPF Link State Advertisements and the routines and functions of OSPF::rt_sched() as applied to the construction of identical Link State Databases for all routers within an Area.