SwePub
Search results for the query "WFRF:(Axelsson Stefan 1968 )"

  • Results 1-18 of 18
1.
  • Alendal, Gunnar, et al. (author)
  • Exploiting Vendor-Defined Messages in the USB Power Delivery Protocol
  • 2019
  • In: Advances in Digital Forensics XV. - Cham : Springer. - 9783030287511 - 9783030287528 ; pp. 101-118
  • Conference paper (peer-reviewed)
    • The USB Power Delivery protocol enables USB-connected devices to negotiate power delivery and exchange data over a single connection such as a USB Type-C cable. The protocol incorporates standard commands; however, it also enables vendors to add non-standard commands called vendor-defined messages. These messages are similar to the vendor-specific commands in the SCSI protocol, which enable vendors to specify undocumented commands to implement functionality that meets their needs. Such commands can be employed to enable firmware updates, memory dumps and even backdoors. This chapter analyzes vendor-defined message support in devices that employ the USB Power Delivery protocol, the ultimate goal being to identify messages that could be leveraged in digital forensic investigations to acquire data stored in the devices. © IFIP International Federation for Information Processing 2019
2.
  • Alendal, Gunnar, et al. (author)
  • Forensics acquisition – Analysis and circumvention of Samsung secure boot enforced Common Criteria mode
  • 2018
  • In: Digital Investigation. The International Journal of Digital Forensics and Incident Response. - Kidlington : Elsevier. - 1742-2876 .- 1873-202X. ; 24:Suppl., pp. S60-S67
  • Journal article (peer-reviewed)
    • The acquisition of data from mobile phones has been a mainstay of criminal digital forensics for a number of years now. However, this forensic acquisition is getting more and more difficult with the increasing security level and complexity of mobile phones (and other embedded devices). In addition, it is often difficult or impossible to get access to design specifications, documentation and source code. As a result, the forensic acquisition methods are also increasing in complexity, requiring an ever deeper understanding of the underlying technology and its security mechanisms. Forensic acquisition techniques are turning to more offensive solutions to bypass security mechanisms, through security vulnerabilities. Common Criteria mode is a security feature that increases the security level of Samsung devices, and thus makes forensic acquisition more difficult for law enforcement. With no access to design documents or source code, we have reverse engineered how the Common Criteria mode is actually implemented and protected by Samsung's secure bootloader. We present how this security mode is enforced, security vulnerabilities therein, and how the discovered security vulnerabilities can be used to circumvent Common Criteria mode for further forensic acquisition. © 2018 The Author(s). Published by Elsevier Ltd on behalf of DFRWS.
4.
  • Axelsson, Karin, 1968-, et al. (author)
  • Reaching Communication Quality in Public E-Forms : A Communicative Perspective on E-Form Design
  • 2007
  • In: Electronic Government. - Berlin, Heidelberg : Springer Berlin/Heidelberg. - 9783540744436 ; pp. 342-353
  • Conference paper (peer-reviewed)
    • This paper adopts a communication perspective on public electronic forms (e-forms). By doing so we define forms as instruments for communication and, thus, also instruments through which citizens perform different communicative actions towards government agencies. As such instruments, the forms might be more or less useful. The purpose of this paper is to explore which features of an e-form increase the communication quality. We conduct a theoretical synthesis of three existing approaches for designing information systems. The result is a combined theory on key features of an e-form that make the establishment of communication quality more likely. The result consists of four key concepts, each of which gives rise to one set of design principles for communication from the issuer of the e-form to the user (citizen), and one set of design principles for communication from the user (citizen) to the recipient of the e-form.
5.
  • Axelsson, Stefan, 1968 (author)
  • Combining a Bayesian Classifier with Visualisation: Understanding the IDS
  • 2004
  • In: Proceedings of the ACM CCS Workshop on Visualization and Data Mining for Computer Security. - 1581139748
  • Conference paper (other academic/artistic)
    • Despite several years of intensive study, intrusion detection systems still suffer from two key deficiencies: low detection rates and a high rate of false alarms. To counteract these drawbacks an interactive detection system based on simple Bayesian statistics combined with a visualisation component is proposed, in the hope that this lets the operator better understand how exactly the intrusion detection system is operating. The resulting system is applied to the log of a webserver. The combination proved to be effective. The Bayesian classifier was reasonably effective in learning to differentiate between benign and malicious accesses, and the visualisation component enabled the operator to discern when the intrusion detection system was correct in its output and when it was not, and to take corrective action, re-training the system interactively, until the desired level of performance was reached.
6.
  • Axelsson, Stefan, 1968 (author)
  • Understanding Intrusion Detection Through Visualisation
  • 2005
  • Doctoral thesis (other academic/artistic)
    • With the ever increasing use of computers for critical systems, computer security, the protection of data and computer systems from intentional, malicious intervention, is attracting much attention. Among the methods for defence, intrusion detection, i.e. the application of a tool to help the operator identify ongoing or already perpetrated attacks, has been the subject of considerable research in the past ten years. A key problem with current intrusion detection systems is the high number of false alarms they produce. This thesis presents research into why false alarms are and will remain a problem and proposes to apply results from the field of information visualisation to the problem of intrusion detection. This was thought to enable the operator to correctly identify false (and true) alarms, and also aid the operator in identifying other operational characteristics of intrusion detection systems. Four different visualisation approaches were tried, mainly on data from web server access logs. Two direct approaches were tried, where the system puts the onus of identifying the malicious access requests on the operator by way of the visualisation. Two indirect approaches were also tried, where the state of two self-learning automated intrusion detection systems was visualised to enable the operator to examine their inner workings. This with the hope that in doing so, the operator would gain an understanding of how the intrusion detection systems operated and whether that level of operation, and the quality of the output, was satisfactory. Several experiments were performed and many different attacks in web access data from publicly available web servers were found. The visualisation helped the operator detect the attacks herself and, more importantly, the false alarms. It also helped her determine whether other aspects of the operation of the self-learning intrusion detection systems were satisfactory.
7.
  • Axelsson, Stefan, 1968 (author)
  • Visualisation for intrusion detection hooking the worm
  • 2003
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - Berlin, Heidelberg : Springer Berlin Heidelberg. - 1611-3349 .- 0302-9743. - 3540203001 ; 2808, pp. 309-325
  • Conference paper (peer-reviewed)
    • Even though intrusion detection systems have been studied for a number of years several problems remain; chiefly low detection rates and high false alarm rates. Instead of building automated alarms that trigger when a computer security violation takes place, we propose to visualise the state of the computer system such that the operator himself can determine whether a violation has taken place. In effect replacing the "burglar alarm" with a "security camera". In order to illustrate the use of visualisation for intrusion detection purposes, we applied a trellis plot of parallel coordinate visualisations to the log of a small personal web server. The intent was to find patterns of malicious activity from so called worms, and to be able to distinguish between them and benign traffic. Several such patterns were found, including one that was unknown at the time to the security community at large.
8.
  • Axelsson, Stefan, 1968 (author)
  • Visualising Intrusions: Watching the Webserver
  • 2004
  • In: Proceedings of the 19th IFIP International Information Security Conference (SEC2004).
  • Conference paper (peer-reviewed)
    • Despite several years of intensive study, intrusion detection systems still suffer from a key deficiency: a high rate of false alarms. To counteract this, this paper proposes to visualise the state of the computer system such that the operator can determine whether a violation has taken place. To this end a very simple anomaly detection inspired log reduction scheme is combined with graph visualisation, and applied to the log of a webserver with the intent of detecting patterns of benign and malicious (or suspicious) accesses. The combination proved to be effective. The visualisation of the output of the anomaly detection system counteracted its high rate of false alarms, while the anomaly based log reduction helped reduce the log data to manageable proportions. The visualisation was more successful in helping identify benign accesses than malicious accesses. All the types of malicious accesses present in the log data were found.
9.
  • Gray, Struan, 1965-, et al. (author)
  • Digital Forensic Atomic Force Microscopy of Semiconductor Memory Arrays
  • 2019
  • In: Advances in Digital Forensics XV. - Cham : Springer. - 9783030287528 - 9783030287511 ; pp. 219-237
  • Conference paper (peer-reviewed)
    • Atomic force microscopy is an analytical technique that provides very high spatial resolution with independent measurements of surface topography and electrical properties. This chapter assesses the potential for atomic force microscopy to read data stored as local charges in the cells of memory chips, with an emphasis on simple sample preparation ("delidding") and imaging of the topsides of chip structures, thereby avoiding complex and destructive techniques such as backside etching and polishing. Atomic force microscopy measurements of a vintage EPROM chip demonstrate that imaging is possible even when sample cleanliness, stability and topographical roughness are decidedly sub-optimal. As feature sizes slip below the resolution limits of optical microscopy, atomic force microscopy offers a promising route for functional characterization of semiconductor memory structures in RAM chips, microprocessors and cryptographic hardware. © IFIP International Federation for Information Processing 2019. Published by Springer Nature Switzerland AG 2019
11.
  • Karresand, Martin, et al. (author)
  • An Empirical Study of the NTFS Cluster Allocation Behavior Over Time
  • 2020
  • In: Forensic Science International: Digital Investigation. - : Elsevier Ltd. - 2666-2817 .- 2666-2825. ; 33
  • Journal article (peer-reviewed)
    • The amount of data to be handled in digital forensic investigations is continuously increasing, while the tools and processes used are not developed accordingly. This especially affects the digital forensic sub-field of file carving. The use of the structuring of stored data induced by the allocation algorithm to increase the efficiency of the forensic process has been independently suggested by Casey and us. Building on that idea we have set up an experiment to study the allocation algorithm of NTFS and its behavior over time from different points of view. This includes whether the allocation algorithm behaves the same regardless of Windows version or size of the hard drive, its adherence to the best fit allocation strategy and the distribution of the allocation activity over the available (logical) storage space. Our results show that space is not a factor, but there are differences in the allocation behavior between Windows 7 and Windows 10. The results also show that the allocation strategy favors filling in holes in the already written area instead of claiming the unused space at the end of a partition, and that the area with the highest allocation activity is slowly progressing from approximately 10 GiB into a partition towards the end as the disk is filling up. © 2020 The Author(s)
12.
  • Karresand, Martin, et al. (author)
  • Creating a Map of User Data in NTFS to Improve File Carving
  • 2019
  • In: Advances in Digital Forensics XV. - Cham : Springer. - 9783030287528 - 9783030287511 ; pp. 133-158
  • Conference paper (peer-reviewed)
    • Digital forensics, and especially file carving, are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512 B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions varies between 12% and 41% in an NTFS partition. The probability map can be used by forensic analysts to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster. © IFIP International Federation for Information Processing 2019
13.
  • Karresand, M., et al. (author)
  • Disk Cluster Allocation Behavior in Windows and NTFS
  • 2020
  • In: Mobile Networks and Applications. - : Springer. - 1383-469X .- 1572-8153. ; 5:1, pp. 248-258
  • Journal article (peer-reviewed)
    • The allocation algorithm of a file system has a huge impact on almost all aspects of digital forensics, because it determines where data is placed on storage media. Yet there is only basic information available on the allocation algorithm of the currently most widely spread file system, NTFS. We have therefore studied the NTFS allocation algorithm and its behavior empirically. To do that we used two virtual machines running Windows 7 and 10 on NTFS formatted fixed size virtual hard disks, the first being 64 GiB and the latter 1 TiB in size. Files of different sizes were written to disk using two writing strategies and the $Bitmap files were manipulated to emulate file system fragmentation. Our results show that files written as one large block are allocated areas of decreasing size when the files are fragmented. The decrease in size is seen not only within files, but also between them. Hence a file having smaller fragments than another file is written after the file having larger fragments. We also found that a file written as a stream gets the opposite allocation behavior, i.e. its fragments are increasing in size as the file is written. The first allocated unit of a stream written file is always very small and hence easy to identify. The results of the experiment are of importance to the digital forensics field and will help improve the efficiency of, for example, file carving and timestamp verification. © 2019, The Author(s).
14.
  • Karresand, Martin, et al. (author)
  • Using NTFS Cluster Allocation Behavior to Find the Location of User Data
  • 2019
  • In: Digital Investigation. The International Journal of Digital Forensics and Incident Response. - Oxon : Elsevier. - 1742-2876 .- 1873-202X. ; 29:Supplement, pp. S51-S60
  • Journal article (peer-reviewed)
    • Digital forensics is heavily affected by the large and increasing amount of data to be processed. To solve the problem there is ongoing research to find more efficient carving algorithms, use parallel processing in the cloud, and reduce the amount of data by filtering uninteresting files. Our approach builds on the principle of searching where it is more probable to find what you are looking for. We have therefore empirically studied the behavior of the cluster allocation algorithm(s) in the New Technology File System (NTFS) to see where new data is actually placed on disk. The experiment consisted of randomly writing, increasing, reducing and deleting files in 32 newly installed Windows 7, 8, 8.1 and 10 virtual computers using VirtualBox. The results show that data are (as expected) more frequently allocated closer to the middle of the disk. Hence that area should get higher attention during a digital forensic investigation of an NTFS formatted hard disk. Knowledge of the probable position of user data can be used by a forensic investigator to prioritize relevant areas in storage media, without the need for a working file system. It can also be used to increase the efficiency of hash-based carving by dynamically changing the sampling frequency. Our findings also contribute to the digital forensics processes in general, which can now be focused on the interesting regions on storage devices, increasing the probability of getting relevant results faster. © 2019 Martin Karresand, Stefan Axelsson, Geir Olav Dyrkolbotn
15.
  • Lopez-Rojas, Edgar, et al. (author)
  • Analysis of fraud controls using the PaySim financial simulator
  • 2018
  • In: International Journal of Simulation and Process Modelling. - Olney : InderScience Publishers. - 1740-2123 .- 1740-2131. ; 13:4, pp. 377-386
  • Journal article (peer-reviewed)
    • Fraud controls for financial transactions are needed and required by law enforcement agencies to flag suspicious criminal activity. These controls, however, require deeper analysis of their effectiveness and of the negative impact on legitimate customers. Owing to the intrinsically private nature of financial transactions, this analysis is often performed after several months of actively using fraud controls. In this paper, we present an analysis of different threshold-based fraud prevention controls on a mobile money service using a simulator called PaySim. PaySim uses aggregated data from a sample dataset to generate a synthetic dataset that resembles the normal operation of transactions and injects malicious behaviour. With technology frameworks such as agent-based simulation techniques, and the application of mathematical statistics, we show in this paper that the simulated data can be as prudent as the original dataset for setting optimal controls for fraud detection.
16.
  • Nordvik, Rune, et al. (author)
  • Generic Metadata Time Carving
  • 2020
  • In: Forensic Science International: Digital Investigation. - Oxford : Elsevier. - 2666-2817 .- 2666-2825. ; 33:S
  • Journal article (peer-reviewed)
    • Recovery of files can be a challenging task in file system investigations, and most carving techniques are based on file signatures or semantics within the file. However, these carving techniques often only recover the files, but not the metadata associated with the file. In this paper, we propose a novel, generic approach for carving metadata by searching for equal and co-located timestamps. The rationale is that there are some common metadata for files and directories within each file system. Our generic time carver provides potential timestamp locations for repeated timestamps in each metadata structure, identifying potential metadata for files. A semantic parser then filters the results with respect to the specific file system type. In our experiments, extraction of MFT entries in NTFS and inodes in Ext4 had near perfect precision for metadata entries with multiple equivalent timestamps, and for such metadata structures we obtained perfect recall for NTFS. For known file systems, we use the information found within identified metadata to recover files, and by recovering files and their associated metadata we increase the evidential value of recovered files. © 2020 The Author(s)
17.
  • Nordvik, Rune, et al. (author)
  • Reverse engineering of ReFS
  • 2019
  • In: Digital Investigation. The International Journal of Digital Forensics and Incident Response. - Kidlington : Elsevier. - 1742-2876 .- 1873-202X. ; 30, pp. 127-147
  • Journal article (peer-reviewed)
    • File system forensics is an important part of digital forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, so digital forensic investigators need to investigate the file systems identified on seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content. Another concept not seen for Windows file systems is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB. Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found. © 2019 The Authors
18.
  • Nordvik, Rune, et al. (author)
  • Using the Object ID index as an investigative approach for NTFS file systems
  • 2019
  • In: Digital Investigation. The International Journal of Digital Forensics and Incident Response. - Kidlington : Elsevier. - 1742-2876 .- 1873-202X. ; 28:Supplement, pp. S30-S39
  • Journal article (peer-reviewed)
    • When investigating an incident it is important to document user activity, and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems using the NTFS file system by using the $ObjId index to document user activity, and to correlate this index with the corresponding records in the MFT table. This may be the only possible approach when investigating external NTFS storage devices, and is hence a valuable addition to the storage forensics toolbox. © 2019 Rune Nordvik, Fergus Toolan, Stefan Axelsson