Global ETD Search

1	Forensic Carving of Wireless Network Information from the Android Linux Kernel Saltaformaggio, Brendan D. 01 May 2012 (has links) Modern smartphones integrate ubiquitous access to voice, data, and email communication and allow users to rapidly handle both personal and corporate business affairs. This is possible because of the smartphone’s constant connectivity with the Internet. Digital forensic investigators have long understood the value of smartphones as forensic evidence, and this thesis seeks to provide new tools to increase the amount of evidence that one can obtain and analyze from an Android smartphone. Specifically, by using proven data carving algorithms we try to uncover information about the phone’s connection to wireless access points in a capture of the device’s volatile memory. Android forensics memory forensics memory analysis Linux
2	Detecting Objective-C Malware through Memory Forensics Case, Andrew 13 May 2016 (has links) Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently as operating systems vendors now routinely enforce driving signing and strategies for protecting kernel data, such as Patch Guard, have made userland attacks much more attractive to malware authors. In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides a rich set of APIs that malware uses to manipulate and steal data and to perform other malicious activities. The novel memory forensics techniques presented in this thesis deeply examine the state of the Objective-C runtime, identifying a number of suspicious activities, from keystroke logging to pointer swizzling. Memory Forensics Objective-C Malware Analysis Incident Response Information Security
3	Concise Analysis of Malware Behavior Tsai, Hung-Shiuan 10 January 2012 (has links) In recent years the popularity of the internet, the network not only providing information to the general users to browse the contents of the site, but also has some network service like e-mail, e-commerce, and social networks. Although these online services are convenient for general users, also provide the possible hackers to abuse these services through the internet to spread malware. As the number of malware is increasing very fast, in order to understand the behavior of malware better, in the research we create a malware analysis environment, after the execute of malware samples to record the behavior of malware, and the behavior of malware to aggregation the original records to provide users with a summary analysis of the behavior. Which lists the important and malware-related behavior, if users need access to more detailed content and then further click to view. In the research, use existing analysis tools and memory forensics technology for analysis. By memory forensics technology that can identify some malware that attempts to hide the behavior in order to detectability. In addition to record the behavior of malware, the present research get the original complex to integrate and simplify log file. The last of analysis generates a summary report, which lists the malware¡¦s main behavior. So that the user can grasp malware to the extent and scope of the impact, if necessary can further see a more complete record. Look forward to control the behavior of malware more easily and efficiently. Virtual Machine Memory Forensics Malware Behavior Dynamic Analysis Malware
4	Towards Real-Time Volatile Memory Forensics: Frameworks, Methods, and Analysis Sylve, Joseph T 19 May 2017 (has links) Memory forensics (or memory analysis) is a relatively new approach to digital forensics that deals exclusively with the acquisition and analysis of volatile system memory. Because each function performed by an operating system must utilize system memory, analysis of this memory can often lead to a treasure trove of useful information for forensic analysts and incident responders. Today’s forensic investigators are often subject to large case backlogs, and incident responders must be able to quickly identify the source and cause of security breaches. In both these cases time is a critical factor. Unfortunately, today’s memory analysis tools can take many minutes or even hours to perform even simple analysis tasks. This problem will only become more prevalent as RAM prices continue to drop and systems with very large amounts of RAM become more common. Due to the volatile nature of data resident in system RAM it is also desirable for investigators to be able to access non-volatile copies of system RAM that may exist on a device’s hard drive. Such copies are often created by operating systems when a system is being suspended and placed into a power safe mode. This dissertation presents work on improving the speed of memory analysis and the access to non-volatile copies of system RAM. Specifically, we propose a novel memory analysis framework that can provide access to valuable artifacts orders of magnitude faster than existing tools. We also propose two new analysis techniques that can provide faster and more resilient access to important forensic artifacts. Further, we present the first analysis of the hibernation file format used in modern versions of Windows. This work allows access to evidence in non-volatile copies of system RAM that were not previously able to be analyzed. Finally, we propose future enhancements to our memory analysis framework that should address limitations with the current design. Taken together, this dissertation represents substantial work towards advancing the field of memory forensics. Information Security
5	On Cyber-Physical Forensics, Attacks, and Defenses Rohit Bhatia (8083268) 06 December 2019 (has links) <div>Cyber-physical systems, through various sensors and actuators, are used to handle interactions of the cyber-world with the physical-world. Conventionally, the temporal component of the physical-world has been used only for estimating real-time deadlines and responsiveness of control-loop algorithms. However, there are various other applications where the relationship of the temporal component and the cyber-world are of interest. An example is the ability to reconstruct a sequence of past temporal activities from the current state of the cyber-world, which is of obvious interest to cyber-forensic investigators. Another example is the ability to control the temporal components in broadcast communication networks, which leads to new attack and defense capabilities. These relationships have not been explored traditionally.</div><div><br></div><div>To address this gap, this dissertation proposes three systems that cast light on the effect of temporal component of the physical-world on the cyber-world. First, we present Timeliner, a smartphone cyber-forensics technique that recovers past actions from a single static memory image. Following that, we present work on CAN (Controller Area Network), a broadcast communication network used in automotive applications. We show in DUET that the ability to control communication temporally allows two compromised ECUs, an attacker and an accomplice, to stealthily suppress and impersonate a victim ECU, even in the presence of a voltage-based intrusion detection system. In CANDID, we show that the ability to temporally control CAN communication opens up new defensive capabilities that make the CAN much more secure.</div><div><br></div><div>The evaluation results show that Timeliner is very accurate and can reveal past evidence (up to an hour) of user actions across various applications on Android devices. The results also show that DUET is highly effective at impersonating victim ECUs while evading both message-based and voltage-based intrusion detection systems, irrespective of the features and the training algorithms used. Finally, CANDID is able to provide new defensive capabilities to CAN environments with reasonable communication and computational overheads.</div><div><br></div> Computer System Security Cyber Physical System Controller Area Network Memory Forensics
6	Digital forensics - Performing virtual primary memory extraction in cloud environments using VMI Hjerpe, David, Bengtsson, Henrik January 2018 (has links) Infrastructure as a Service and memory forensics are two subjects which have recently gained increasing amounts of attention. Combining these topics poses new challenges when performing forensic investigations. Forensics targeting virtual machines in a cloud environment is problematic since the devices are virtual, and memory forensics are a newer branch of forensics which is hard to perform and is not well documented. It is, however an area of utmost importance since virtual machines may be targets of, or participate in suspicious activity to the same extent as physical machines. Should such activity require an investigation to be conducted, some data which could be used as evidence may only be found in the primary memory. This thesis aims to further examine memory forensics in cloud environments and expand the academic field of these subjects and help cloud hosting organisations. The objective of this thesis was to study if Virtual Machine Introspection is a valid technique to acquire forensic evidence from the virtual primary memory of a virtual machine. Virtual Machine Introspection is a method of monitoring and analysing a guest via the hypervisor. In order to verify whether Virtual Machine Introspection is a valid forensic technique, the first task was to attempt extracting data from the primary memory which had been acquired using Virtual Machine Introspection. Once extracted, the integrity of the data had to be authenticated. This was done by comparing a hash sum of a file located on a guest with a hash sum of the extracted data. The experiment showed that the two hashes were an exact match. Next, the solidity of the extracted data was tested by changing the memory of a guest while acquiring the memory via Virtual Machine Introspection. This showed that the solidity is heavily compromised because memory acquisition process used was too slow. The final task was to compare Virtual Machine Introspection to acquiring the physical memory of the host. By setting up two virtual machines and examining the primary memory, data from both machines was found where as Virtual Machine Introspection only targets one machine, providing an advantage regarding privacy. Memory forensics Virtual Machine Introspection Cloud computing KVM QEMU Computer Sciences Datavetenskap (datalogi)
7	Password Managers in Digital Forensics Hähni, Sascha David January 2023 (has links) Digital forensics – the scientific process to draw evidence from digital devices confiscated in a criminal investigation – is constantly adapting to technological changes. A current challenge is the widespread use of encryption that makes classical data retrieval methods obsolete. Relevant data must now be retrieved from running devices and without delay, ideally directly at the time of seizure. This requires standardised processes and specialised tools to ensure no data is overlooked, that forensic integrity is maintained, and that encrypted data can be successfully made available to investigators. While research produced many promising results in this field in the last years, there is still much work to be done due to countless different applications, operating systems, and devices that all behave in different ways. This thesis addresses a software category called password managers – applications that store login credentials to different services. Despite the obvious value of password manager data to a criminal investigation, a comprehensive description of a forensic process on how to extract such data has not yet been in the focus of research. The present work addresses this gap and presents a process to extract forensically relevant data from two password manager applications – Bitwarden and KeePass – by extending an existing forensic framework called Vision. Using design science, a forensic extraction process was developed by thoroughly analysing the inner workings of the mentioned password managers. The artefact was named Password Manager Forensics (PMF) and consists of a four-step extraction process with different Python modules to automate the extraction of relevant data. PMF was tested against three scenarios in a laboratory setting to evaluate its applicability in an investigative context. The results show that the artefact is able to extract forensically relevant information related to password managers that would otherwise not be readily available to investigators. PMF is capable to identify and extract relevant files, to extract master passwords from a memory dump, to parse configuration files for relevant data, to brute-force master passwords and PIN codes, to decrypt, extract, and validate password manager vault data, and to create summary reports. PMF is the first comprehensive forensic process to extract relevant data from password managers. This brings new opportunities for digital forensics examiners and a potential to improve the handling of devices that contain password manager data in digital investigations. The current version of PMF only supports Windows desktop applications of Bitwarden and KeePass. Yet, due to the open and flexible architecture of the artefact, further expansion and improvement is possible in future research. Digital Forensics Password Managers Memory Forensics Live Forensics Computer Sciences Datavetenskap (datalogi)
8	Detecting malware in memory with memory object relationships Thomas, DeMarcus M., Sr. 10 December 2021 (has links) Malware is a growing concern that not only affects large businesses but the basic consumer as well. As a result, there is a need to develop tools that can identify the malicious activities of malware authors. A useful technique to achieve this is memory forensics. Memory forensics is the study of volatile data and its structures in Random Access Memory (RAM). It can be utilized to pinpoint what actions have occurred on a computer system. This dissertation utilizes memory forensics to extract relationships between objects and supervised machine learning as a novel method for identifying malicious processes in a system memory dump. In this work, the Object Association Extractor (OAE) was created to extract objects in a memory dump and label the relationships as a graph of nodes and edges. With OAE, we extracted processes from 13,882 memory images that contained malware from the repository VirusShare and 91 memory images created with benign software from the package management software Chocolatey. The final dataset contained 267,824 processes. Two feature sets were created from the processes dataset and used to train classifiers based on four classification algorithms. These classifiers were evaluated against the ZeroR method using accuracy and recall as the evaluation metrics. The experiments showed that both sets of features used to build classifiers were able to beat the ZeroR method for the Decision Tree and Random Forest algorithms. The Random Forest classifier achieved the highest performance by reaching a recall score of almost 97%. malware memory forensics Rekall community detection machine learning Other Computer Engineering
9	Forensic Analysis of WhatsApp on Android Smartphones Thakur, Neha S 06 August 2013 (has links) Android forensics has evolved over time offering significant opportunities and exciting challenges. On one hand, being an open source platform Android is giving developers the freedom to contribute to the rapid growth of the Android market whereas on the other hand Android users may not be aware of the security and privacy implications of installing these applications on their phones. Users may assume that a password-locked device protects their personal information, but applications may retain private information on devices, in ways that users might not anticipate. In this thesis we will be concentrating on one such application called 'WhatsApp', a popular social networking application. We will be forming an outline on how forensic investigators can extract useful information from WhatsApp and from similar applications installed on an Android platform. Our area of focus is extraction and analysis of application user data from non-volatile external storage and the volatile memory (RAM) of an Android device. Information Assurance Security Computer Science Android Application Security Volatile Memory Forensics Computer Engineering Computer Sciences Databases and Information Systems Other Computer Engineering Other Computer Sciences Software Engineering
10	Anti-forensik mot minnesforensik : En litteraturstudie om anti-forensiska metoder mot minnesdumpning och minnesanalys / Anti-forensics against memory forensics : A litterature study about anti-forensic methods against memory dumping and memory analysis Tagesson, Samuel January 2019 (has links) IT-forensiker möter många svårigheter i sitt arbete med att inhämta och analysera data. Brottslingar använder mer och mer anti-forensiska metoder för att gömma bevis som kan användas emot dem. En vanligt förekommande anti-forensisk metod är kryptering. För att IT-forensiker skall kunna komma åt den krypterade informationen kan krypteringsnyckeln hittas i minnet på datorn. Vilket gör att datorns minne blir värdefullt att hämta och analysera. Däremot finns det flera anti-forensiska metoder som en förbrytare kan använda för att förhindra att minnet hämtas eller analyseras. Denna studie utför en systematisk litteraturstudie för att identifiera de aktuella anti-forensiska metoder mot minnesanalys och minnesdumpning på Windows system. Flera metoder tas upp där bland annat operativsystemet modifieras eller inbyggda säkerhetsfunktioner på CPUn används för att förhindra att information hämtas eller analyseras från minnet. / IT forensics face many difficulties in their work of obtaining and analyzing data. Criminals are using more and more anti-forensic methods to hide evidence that can be used against them. One common anti-forensic method is encryption. In order for IT forensics to access the encrypted information, the encryption key can be found in the memory of the computer. This makes the computer's memory valuable to retrieved and analyze. However, there are several anti-forensic methods that a criminal can use to prevent the memory from being retrieved or analyzed. This study performs a systematic literature study to identify the current anti-forensic methods against memory analysis and memory dumping on Windows system. Several methods are addressed where, among other things, the operating system is modified or built-in security functions on the CPU are used to prevent information being retrieved or analyzed from memory. IT-forensic Anti-forensic Memory analysis Memory dumping Memory forensics IT-forensik Anti-forensik Minnesanalys Minnesdumpning Minnesforensik Computer and Information Sciences Data- och informationsvetenskap

Search results