Open Access. Powered by Scholars. Published by Universities.®

Information Security Commons

Articles 1 - 19 of 19

Full-Text Articles in Information Security

Sounds Of Silence: A Study Of Stability And Diversity Of Web Audio Fingerprints, Shekhar Chalise May 2021

University of New Orleans Theses and Dissertations

Browser fingerprinting presents a grave threat to privacy as it allows user tracking even in private browsing modes. Prior measurement studies on HTML5-based fingerprinting have been limited to Canvas and WebGL but not Web Audio APIs. We aim to fill this gap by conducting the first large-scale systematic study of web audio fingerprints and studying their stability as well as diversity properties. Using MTurk and social media platforms, we collected 8 different audio fingerprints from 694 users.

Firstly, we show that the audio fingerprints are unstable unlike other fingerprinting methods with some users having as many as 20 different fingerprints. …


Convolutional Neural Networks For Deflate Data Encoding Classification Of High Entropy File Fragments, Nehal Ameen May 2021

University of New Orleans Theses and Dissertations

Data reconstruction is significantly improved in terms of speed and accuracy by reliable data encoding fragment classification. To date, work on this problem has been successful with file structures of low entropy that contain sparse data, such as large tables or logs. Classifying compressed, encrypted, and random data that exhibit high entropy is an inherently difficult problem that requires more advanced classification approaches. We explore the ability of convolutional neural networks and word embeddings to classify deflate data encoding of high entropy file fragments after establishing ground truth using controlled datasets. Our model is designed to either successfully classify file …


A Domain Specific Language For Digital Forensics And Incident Response Analysis, Christopher D. Stelly Dec 2019

University of New Orleans Theses and Dissertations

One of the longstanding conceptual problems in digital forensics is the dichotomy between the need for verifiable and reproducible forensic investigations, and the lack of practical mechanisms to accomplish them. With nearly four decades of professional digital forensic practice, investigator notes are still the primary source of reproducibility information, and much of it is tied to the functions of specific, often proprietary, tools.

The lack of a formal means of specification for digital forensic operations results in three major problems. Specifically, there is a critical lack of:

a) standardized and automated means to scientifically verify accuracy of digital forensic tools; …


Assessment Of Two Pedagogical Tools For Cybersecurity Education, Pranita Deshpande Dec 2018

University of New Orleans Theses and Dissertations

Cybersecurity is an important strategic area of computer science, and a difficult discipline to teach effectively. To enhance and provide effective teaching and meaningful learning, we develop and assess two pedagogical tools: Peer instruction, and Concept Maps. Peer instruction teaching methodology has shown promising results in core computer science courses by reducing failure rates and improving student retention in the computer science major. Concept maps are a well-known technique for improving the student learning experience in class. This thesis document presents the results of implementing and evaluating peer instruction in a semester-long cybersecurity course, i.e., introduction to computer security. Development and evaluation of …


Leveraging Relocations In ELF-Binaries For Linux Kernel Version Identification, Manish Bhatt Dec 2018

University of New Orleans Theses and Dissertations

In this paper, we present a working research prototype codeid-elf for ELF binaries based on its Windows counterpart codeid, which can identify kernels through relocation entries extracted from the binaries. We show that relocation-based signatures are unique and distinct and thus, can be used to accurately determine Linux kernel versions and derandomize the base address of the kernel in memory (when kernel Address Space Layout Randomization is enabled). We evaluate the effectiveness of codeid-elf on a subset of Linux kernels and find that the relocations in kernel code have nearly 100% code coverage and low similarity (uniqueness) across various kernels. …


Semantic-Aware Stealthy Control Logic Infection Attack, Sushma Kalle Aug 2018

University of New Orleans Theses and Dissertations

In this thesis work, we present CLIK, a new, automated, remote attack on the control logic of a programmable logic controller (PLC) in industrial control systems. The CLIK attack modifies the control logic running in a remote target PLC automatically to disrupt a physical process. We implement the CLIK attack on a real PLC. The attack is initiated by subverting the security measures that protect the control logic in a PLC. We found a critical (zero-day) vulnerability, which allows the attacker to overwrite the password hash in the PLC during the authentication process. Next, CLIK retrieves and decompiles the original logic …


Manana: A Generalized Heuristic Scoring Approach For Concept Map Analysis As Applied To Cybersecurity Education, Sharon Elizabeth Blake Gatto Aug 2018

University of New Orleans Theses and Dissertations

Concept Maps (CMs) are considered a well-known pedagogy technique in creating curriculum, educating, teaching, and learning. Determining comprehension of concepts results from comparisons of candidate CMs against a master CM, and evaluating "goodness". Past techniques for comparing CMs have revolved around the creation of a subjective rubric. We propose a novel CM scoring scheme called MAnanA based on a Fuzzy Similarity Scaling (FSS) score to vastly remove the subjectivity of the rubrics in the process of grading a CM. We evaluate our framework against a predefined rubric and test it with CM data collected from the Introduction to …


Automatic Forensic Analysis Of PCCC Network Traffic Log, Saranyan Senthivel Aug 2017

University of New Orleans Theses and Dissertations

Most SCADA devices have a few built-in self-defence mechanisms and tend to implicitly trust communications received over the network. Therefore, monitoring and forensic analysis of network traffic is a critical prerequisite for building an effective defense around SCADA units. In this thesis work, we provide a comprehensive forensic analysis of network traffic generated by the PCCC (Programmable Controller Communication Commands) protocol and present a prototype tool capable of extracting both updates to programmable logic and crucial configuration information. The results of our analysis show that more than 30 files are transferred to/from the PLC when downloading/uploading a ladder logic program using …


Lightweight Environment For Cyber Security Education, Vivek Oliparambil Shanmughan Aug 2017

University of New Orleans Theses and Dissertations

The use of physical systems and Virtual Machines has become inefficient and expensive for creating tailored, hands-on exercises for providing cyber security training. The main purpose of this project is to directly address these issues faced in cyber security education with the help of Docker containers. Using Docker, a lightweight and automated platform was developed for creating, sharing, and managing hands-on exercises. With the help of orchestration tools, this platform provides a centralized point to monitor and control the systems and exercises with a high degree of automation. In a classroom/lab environment, this infrastructure enables instructors and students not only …


Forensic Analysis Of G Suite Collaborative Protocols, Shane Mcculley Aug 2017

University of New Orleans Theses and Dissertations

Widespread adoption of cloud services is fundamentally changing the way IT services are delivered and how data is stored. Current forensic tools and techniques have been slow to adapt to new challenges and demands of collecting and analyzing cloud artifacts. Traditional methods focusing only on client data collection are incomplete, as the client may have only a (partial) snapshot and misses cloud-native artifacts that may contain valuable historical information.

In this work, we demonstrate the importance of recovering and analyzing cloud-native artifacts using G Suite as a case study. We develop a tool that extracts and processes the history of …


Towards Real-Time Volatile Memory Forensics: Frameworks, Methods, And Analysis, Joseph T. Sylve May 2017

University of New Orleans Theses and Dissertations

Memory forensics (or memory analysis) is a relatively new approach to digital forensics that deals exclusively with the acquisition and analysis of volatile system memory. Because each function performed by an operating system must utilize system memory, analysis of this memory can often lead to a treasure trove of useful information for forensic analysts and incident responders. Today’s forensic investigators are often subject to large case backlogs, and incident responders must be able to quickly identify the source and cause of security breaches. In both these cases time is a critical factor. Unfortunately, today’s memory analysis tools can take many …


Development Of Peer Instruction Material For A Cybersecurity Curriculum, William Johnson May 2017

University of New Orleans Theses and Dissertations

Cybersecurity classes focus on building practical skills alongside the development of the open mindset that is essential to tackle the dynamic cybersecurity landscape. Unfortunately, traditional lecture-style teaching is insufficient for this task. Peer instruction is a non-traditional, active learning approach that has proven to be effective in computer science courses. The challenge in adopting peer instruction is the development of conceptual questions. This thesis presents a methodology for developing peer instruction questions for cybersecurity courses, consisting of four stages: concept identification, concept trigger, question presentation, and development. The thesis analyzes 279 questions developed over two years for three cybersecurity courses: …


Malware Analysis And Privacy Policy Enforcement Techniques For Android Applications, Aisha Ibrahim Ali-Gombe May 2017

University of New Orleans Theses and Dissertations

The rapid increase in mobile malware and deployment of over-privileged applications over the years has been of great concern to the security community. Encroaching on users’ privacy, mobile applications (apps) increasingly exploit various sensitive data on mobile devices. The information gathered by these applications is sufficient to uniquely and accurately profile users and can cause tremendous personal and financial damage.

On Android specifically, the security and privacy holes in the operating system and framework code have created a whole new dynamic for malware and privacy exploitation. This research work seeks to develop novel analysis techniques that monitor Android applications for …


Practical Application Of Fast Disk Analysis For Selective Data Acquisition, Sergey Gorbov Aug 2016

University of New Orleans Theses and Dissertations

Using a forensic imager to produce a copy of the storage is a common practice. Due to the large volumes of modern disks, the imaging may impose severe time overhead which ultimately delays the investigation process. We proposed automated disk analysis techniques that precisely identify regions on the disk that contain data. We also developed a high performance imager that produces AFFv3 images at rates exceeding 300MB/s. Using multiple disk analysis strategies we can analyze a disk within a few minutes and yet reduce the imaging time by many hours. Partial AFFv3 images produced by our imager can …


Detecting Objective-C Malware Through Memory Forensics, Andrew Case May 2016

University of New Orleans Theses and Dissertations

Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently as operating system vendors now routinely enforce driver signing, and strategies for protecting kernel data, such as Patch Guard, have made userland attacks much more attractive to malware authors.

In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides …


Extracting Windows Event Logs Using Memory Forensics, Matthew Veca Dec 2015

University of New Orleans Theses and Dissertations

Microsoft’s Windows Operating System provides a logging service that collects, filters and stores event messages from the kernel and applications into log files (.evt and .evtx). Volatility, the leading open source advanced memory forensic suite, currently allows users to extract these events from memory dumps of Windows XP and Windows 2003 machines. Currently there is no support for users to extract the event logs (.evtx) from Windows Vista, Win7 or Win8 memory dumps, and Volatility users have to rely on outside software in order to do this. This thesis discusses a newly developed evtxlogs.py plugin for Volatility, which allows …


API-Based Acquisition Of Evidence From Cloud Storage Providers, Andres E. Barreto Aug 2015

University of New Orleans Theses and Dissertations

Cloud computing and cloud storage services, in particular, pose a new challenge to digital forensic investigations. Currently, evidence acquisition for such services still follows the traditional approach of collecting artifacts on a client device. In this work, we show that such an approach not only requires upfront substantial investment in reverse engineering each service, but is also inherently incomplete as it misses prior versions of the artifacts, as well as cloud-only artifacts that do not have standard serialized representations on the client.

In this work, we introduce the concept of API-based evidence acquisition for cloud services, which addresses these concerns …


Feature Selection And Clustering For Malicious And Benign Software Characterization, Dalbir Kaur R. Chhabra Aug 2014

University of New Orleans Theses and Dissertations

Malware or malicious code is designed to gather sensitive information without knowledge or permission of the users or damage files in the computer system. As the use of computer systems and the Internet is increasing, the threat of malware is also growing. Moreover, the increase in data is raising difficulties to identify if the executables are malicious or benign. Hence, we have devised a method that collects features from portable executable file format using static malware analysis technique. We have also optimized the important or useful features by either normalizing or giving weightage to the feature. Furthermore, we have compared accuracy …


Categorization Of Large Corpora Of Malicious Software, Deekshit Kura Dec 2013

University of New Orleans Theses and Dissertations

Malware is computer software written by someone with mischievous or, more usually, malicious and/or criminal intent and specifically designed to damage data, hosts or networks. The variety of malware is increasing proportionally with the increase in computers and we are not aware of newly emerging malware. Tools are needed to categorize families of malware, so that analysts can compare new malware samples to ones that have been previously analyzed and determine steps to detect and prevent malware infections.

In this thesis, I developed a technique to catalog and characterize the behavior of malware, so that malware families, the level of …