  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
91

Detecting Objective-C Malware through Memory Forensics

Case, Andrew 13 May 2016 (has links)
Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently as operating system vendors now routinely enforce driver signing, and strategies for protecting kernel data, such as Patch Guard, have made userland attacks much more attractive to malware authors. In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides a rich set of APIs that malware uses to manipulate and steal data and to perform other malicious activities. The novel memory forensics techniques presented in this thesis deeply examine the state of the Objective-C runtime, identifying a number of suspicious activities, from keystroke logging to pointer swizzling.
92

EFFECTIVE AND EFFICIENT COMPUTATION SYSTEM PROVENANCE TRACKING

Shiqing Ma (7036475) 02 August 2019 (has links)
Provenance collection and analysis is one of the most important techniques used in analyzing computation system behaviors. For forensic analysis in enterprise environments, existing provenance systems are limited. On one hand, they tend to log many redundant and irrelevant events, causing high runtime and space overhead as well as long investigation time. On the other hand, they lack application-specific provenance data, leading to an ineffective investigation process. Moreover, emerging machine learning, especially deep learning based artificial intelligence systems, are hard to interpret and vulnerable to adversarial attacks. Using provenance information to analyze such systems and defend against adversarial attacks is potentially very promising but not well-studied yet.

In this dissertation, I try to address the aforementioned challenges. I present an effective and efficient operating system level provenance data collector, ProTracer. It features the idea of alternating between logging and tainting to perform on-the-fly log filtering and reduction to achieve low runtime and storage overhead. Tainting is used to track the dependence relationships between system call events, and logging is performed only when useful dependencies are detected. I also develop MPI, an LLVM based analysis and instrumentation framework which automatically transfers existing applications to be provenance-aware. It requires the programmers to annotate the desired data structures used for partitioning, and then instruments the program to actively emit application specific semantics to provenance collectors which can be used for multiple perspective attack investigation. In the end, I propose a new technique named NIC, a provenance collection and analysis technique for deep learning systems. It analyzes deep learning system internal variables to generate system invariants as provenance for such systems, which can then be used as a general way to detect adversarial attacks.
93

Missing-ness, history and apartheid-era disappearances: The figuring of Siphiwo Mthimkulu, Tobekile ‘Topsy’ Madaka and Sizwe Kondile as missing dead persons

Moosage, Riedwaan January 2018 (has links)
Philosophiae Doctor - PhD / The argument of this dissertation calls for an abiding by missing-ness as it relates to apartheid-era disappearances. I am concerned with the ways in which the category missing is articulated in histories of apartheid-era disappearances through histories seeking to account for apartheid and how that category is enabled and/or constrained through mediating practices, processes and discourses such as that of forensics and history itself. My deployment of a notion of missing-ness therefore is put to work in underscoring notions of history and its relation to a category of missing persons in South Africa as they emerge and are figured through various discursive strategies constituted by and through apartheid’s violence and iterations thereof. I focus specifically on the enforced disappearances of Siphiwo Mthimkulu, Tobekile ‘Topsy’ Madaka and Sizwe Kondile and the vicarious ways in which they have been produced and (re)figured in a postapartheid present. Mthimkulu and Madaka were abducted, tortured, interrogated, killed and their bodies disposed through burning by apartheid’s security police in 1982. In 2007 South Africa’s Missing Persons Task Team exhumed commingled burnt human fragments at a farm, Post Chalmers. After two years of forensic examinations, those remains were identified as most likely those of Mthimkulu and Madaka. Their commingled remains were reburied in 2009 during an official government sanctioned Provincial re-burial. Kondile was similarly abducted in 1981 and after being imprisoned, tortured, interrogated and killed, his physical remains were burnt. The MPTT has been unsuccessful in locating and thus exhuming his remains for re-burial. Sizwe Kondile remains missing. Missing-ness as I evoke it serves to signal the lack and excess as potentiality and instability of histories accounting for the condition and symptom of being missing. 
The productivity of deploying missing-ness and an abidance to it in the ways I argue is precisely in not explicitly naming it, but rather by holding onto its elusiveness by marking the contours of discourses on absence-presence, those which it simultaneously touches upon and is constitutive of. Articulating it thus is to affirm missing-ness as a question that I argue, be put to work and abided by.
94

Le régime des constatations policières sur internet / The system of findings on police internet

Lemoine, Vincent 14 December 2012 (has links)
New technologies are increasingly being used in the commission of offenses (felonies and other violations), either by facilitating their commission or by being directly their object. If provisions to punish certain behaviors emerged as early as 1978 with the so-called CNIL Act, the legislature only belatedly considered measures to facilitate the prosecution of these offenses or to facilitate acts involving the exercise of law enforcement investigations. Since it is an area in constant evolution, it is difficult to grasp, especially when it is necessary to combine legal obligations and technical requirements. Indeed, unlike traces or clues that can be seized physically at a crime scene, digital data is intangible. It may be contained in a physical medium, or simply be moving over networks. Although this data, unlike any other trace, can be replicated at will, it remains extremely volatile if it is not collected under optimal conditions to ensure its integrity. This thesis aims to demonstrate the difficulties of applying criminal procedure to new technologies, particularly through the system of police findings on storage media and digital networks. This research addresses the principle and the collection of digital evidence on physical media and on networks, as well as the distinction between technical acts and expert examination, both in the police investigation and in the preparatory investigation phase handled by the examining magistrate.
95

Testing of the Phillips dental age estimation tables on a sample of black children from Mpumalanga, South Africa

Mahlangu, Simpiwe Margaret January 2011 (has links)
Magister Scientiae Dentium - MSc(Dent) / A number of dental age estimation methods have been developed over the years ranging from the frequently used age estimation of Demirjian et al (1973) and Moorrees et al (1965) to the less frequently used age estimation methods of Haavikko (1970) and Nolla (1960). Different dental age estimation methods have been used with variable success. These were developed using mainly children of Central and Northern European descent and white North Americans. The results of the above-mentioned dental age estimation methods, when used on South African children, show that the need for adaptation of these methods exists. Phillips has thus developed a dental age estimation table for Nguni children of South Africa, to assist in correcting this discrepancy. OBJECTIVE: To establish if the Phillips dental age estimation developed for Nguni children of South Africa is applicable to children in the region of Mpumalanga. METHOD: Cross sectional study using a stratified random sampling method involving 100 panoramic radiographs of black children up to the age of 14 years, in the region of Mpumalanga. CONCLUSION: This study will determine if Phillips dental age estimation tables developed for South African Nguni children are applicable and accurate in estimating the age of black Mpumalanga children.
96

Forensics as a Delay in Stories of Sherlock Holmes : "Although the Series is More Extendedly Delayed by Forensic Elements, the Difference is Not as Significant as Expected"

Junker, Frida January 2019 (has links)
The relationship between the development of real life forensics and fiction’s use of it is a close one, and it offers excitement and pleasure to follow investigations and unravel mysteries, clearly, both in real life and fiction. Sir Arthur Conan Doyle’s fictional detective Sherlock Holmes has famously used advanced deductive methods to solve crimes since his first appearance in A Study in Scarlet. The recent explosion of forensic elements within fiction has not passed by unnoticed, raising the question of whether forensic delays are more extendedly used in more recent adaptations of Sherlock Holmes stories, due to the modern range of methods and techniques available. In this essay I show in a comparison of Doyle’s original works about the character Sherlock Holmes, to one of today’s television series; BBC’s Sherlock, that the recent adaptation is interrupted more frequently by forensic investigations, including modern forensic techniques and helpful equipment, which keeps the story from moving forward for a longer period of time, making it a delay. Furthermore, the comparison deals with adaptation theory and shows that the format in which the story is presented is decisive for the result. I conclude that forensic delays are used more extendedly in the contemporary television series Sherlock, due to a more generous range of methods available, but that measuring the extent of forensic delays generally favors the text format.

Keywords: Delay, Sherlock Holmes, Forensics, Development, Format
97

Migration patterns of seminal fluid components and spermatozoa in semen stains exposed to water and blood

Brown, Lyndsey 17 June 2016 (has links)
Typically, semen testing involves presumptive and confirmatory tests to determine the region in which a semen stain has been deposited prior to initiating DNA analysis. However, previous research showed that the soluble components of seminal fluid, but not spermatozoa, migrated from their original location on cotton cloth upon exposure to porcine decomposition fluids and rainfall/dew [6]. This indicates that preliminary testing and detection techniques may result in areas being sampled that will not yield a successful DNA profile. The present study assesses how various amounts of water or blood affect migration patterns of seminal fluid components using traditional serological screening methods as well as DNA analysis. The effects of exposing a semen stain to water over the course of several days are also investigated. The final component of the study evaluates whether the presence of acid phosphatase (AP) Spot reagent had any detrimental effects on subsequent antigen P30 (P30) testing, Kernechtrot Picroindigocarmine (KPIC) sperm staining or DNA analysis. Neat semen was deposited onto swatches from cotton sheets and allowed to dry before being sprayed with 2 mL, 5 mL, or 10 mL of water or blood. The swatches were allowed to dry while lying flat, at 45°, or at 90°. Three of the swatches were sprayed directly with AP Spot reagent to determine any potential interference with subsequent P30 and DNA testing. After the water or blood was dry, the swatches were viewed with an alternate light source (ALS) at 450 nm using orange barrier filter goggles. Three-millimeter fabric punches were collected from each swatch in at least thirteen locations (one from the center of the stain and four at 1 cm, 4 cm, and 7 cm from the perimeter of the stain in multiple directions), and were extracted for two hours prior to testing for the presence of P30. Additional fabric punches were collected from each P30 positive location to be used for DNA analysis. 
AP testing showed positive results beyond the original semen stain with an average distance of 1-3 cm from the perimeter of the original region of deposition (ORD) for all swatches except those moistened with blood. AP mapping was performed on the swatches moistened with blood and negative results were obtained. Positive P30 results were obtained for all swatches with an average distance of 1-3 cm from the ORD. The angle at which the swatch was positioned influenced the direction(s) that the soluble components migrated; however the amount of water (or blood) the swatch was exposed to had a much greater effect on the distance of migration. Microscopic examination of slides made from the extracts of each fabric punch revealed minimal spermatozoa migration for all swatches; the majority of the samples outside of the ORD showed no spermatozoa, although a few showed a single sperm cell. These findings demonstrate that the soluble components of semen stains that often aid in detection migrated when exposed to moisture, while sperm cells containing genetic material largely remained in their original location. The DNA analysis results confirmed the lack of spermatozoa migration. Full DNA profiles were obtained from within the ORD of the flat and 90° swatches. The samples from outside of the ORD produced either partial profiles (maximum dropout rate of 97%) or no profile. If case circumstances suggest that evidence has been exposed to water, multiple regions should be tested in order to maximize the possibility of identifying semen and obtaining a DNA profile. AP Spot reagent was not found to have detrimental effects on P30 testing, sperm staining or DNA analysis. Therefore, direct application of AP Spot reagent could be used for larger pieces of evidence where the location of a stain is unknown. This would eliminate the careful documentation needed for chemical mapping and the reliance on the transfer of acid phosphatase from one substrate to another.
98

Hash Comparison Module for OCFA

Axelsson, Therese, Melani, Daniel January 2010 (has links)
Child abuse content on the Internet is today an increasing problem and difficult to deal with. The techniques used by paedophiles are getting more sophisticated, which means it takes more effort from law enforcement to locate this content.

To help solve this issue, an EU-funded project named FIVES is developing a set of tools to help investigations involving large amounts of image and video material. One of these tools aims to help identify potentially illegal files by hash signatures derived from using classification information from another project. / FIVES
99

Transmission genetics of pancreatic acinar atrophy in the German Shepherd Dog and development of microsatellite DNA-based tools for canine forensics and linkage analysis

Clark, Leigh Anne 30 September 2004 (has links)
The domestic dog, Canis lupus familiaris, has emerged as a model system for the study of human hereditary diseases. Of the approximately 450 hereditary diseases described in the dog, half have clinical presentations that are quite similar to specific human diseases. Understanding the genetic bases of canine hereditary diseases will not only complement comparative genetics studies but also facilitate selective breeding practices to reduce incidences in the dog. Whole genome screens have great potential to identify the marker(s) that segregate with canine hereditary diseases for which no reasonable candidate genes exist. The Minimal Screening Set-1 (MSS-1) was the first set of microsatellite markers described for linkage analysis in the dog and was, until recently, the best tool for genome screens. The MSS-2 is the most recently described screening set and offers increased density and more polymorphic markers. The first objective of this work was to develop tools to streamline genomic analyses in the study of canine hereditary diseases. This was achieved through the development of 1) multiplexing strategies for the MSS-1, 2) a multiplex of microsatellite markers for use in canine forensics and parentage assays and 3) chromosome-specific multiplex panels for the MSS-2. Multiplexing is the simultaneous amplification and analysis of markers and significantly reduces the expense and time required to collect genotype information. Pancreatic acinar atrophy (PAA) is a disease characterized by the degeneration of acinar cells of the exocrine pancreas and is the most important cause of exocrine pancreatic insufficiency (EPI) in the German Shepherd Dog (GSD). Although the prognosis for dogs having EPI is typically good with treatment, many dogs are euthanized because the owners are unable to afford the expensive enzyme supplements. The second objective of this work was to determine the mode of transmission of EPI in the GSD and conduct a whole genome screen for linkage. 
Two extended families of GSDs having PAA were assembled and used to determine the pattern of transmission. The results of this indicate that PAA is an autosomal recessive disease. The multiplexed MSS-1 was used to conduct an initial whole genome screen, although no markers were suggestive of linkage.
100

Concise Analysis of Malware Behavior

Tsai, Hung-Shiuan 10 January 2012 (has links)
In recent years the popularity of the internet, the network not only providing information to the general users to browse the contents of the site, but also has some network service like e-mail, e-commerce, and social networks. Although these online services are convenient for general users, also provide the possible hackers to abuse these services through the internet to spread malware. As the number of malware is increasing very fast, in order to understand the behavior of malware better, in the research we create a malware analysis environment, after the execute of malware samples to record the behavior of malware, and the behavior of malware to aggregation the original records to provide users with a summary analysis of the behavior. Which lists the important and malware-related behavior, if users need access to more detailed content and then further click to view. In the research, use existing analysis tools and memory forensics technology for analysis. By memory forensics technology that can identify some malware that attempts to hide the behavior in order to detectability. In addition to record the behavior of malware, the present research get the original complex to integrate and simplify log file. The last of analysis generates a summary report, which lists the malware's main behavior. So that the user can grasp malware to the extent and scope of the impact, if necessary can further see a more complete record. Look forward to control the behavior of malware more easily and efficiently.
