<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0">
<channel>
<title>Australian Digital Forensics Conference</title>
<copyright>Copyright (c) 2013 Edith Cowan University All rights reserved.</copyright>
<link>http://ro.ecu.edu.au/adf</link>
<description>Recent documents in Australian Digital Forensics Conference</description>
<language>en-us</language>
<lastBuildDate>Tue, 16 Apr 2013 10:42:26 PDT</lastBuildDate>
<ttl>3600</ttl>
<item>
<title>Eavesdropping on the Smart Grid</title>
<link>http://ro.ecu.edu.au/adf/112</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/112</guid>
<pubDate>Thu, 21 Feb 2013 23:51:19 PST</pubDate>
<description>
	<![CDATA[
	<p>An in-situ deployment of smart grid technology, from meters through to access points and wider grid connectivity, was examined. The aim of the research was to determine what vulnerabilities were inherent in this deployment, and what other design and configuration issues may have led to further vulnerability in the system. It was determined that there were numerous vulnerabilities embedded in both hardware and software and that configuration issues further compounded these vulnerabilities. The cyber threat against critical infrastructure has been public knowledge for several years, and with increasing awareness, attention and resources being devoted to protecting critical infrastructure, it is concerning that a technology with the potential to create additional attack vectors is apparently insecure.</p>

	]]>
</description>

<author>Craig Valli et al.</author>


</item>
<item>
<title>The 2012 Analysis of Information Remaining on Computer Hard Disks Offered for Sale on the Second Hand Market in the UAE</title>
<link>http://ro.ecu.edu.au/adf/111</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/111</guid>
<pubDate>Thu, 21 Feb 2013 23:51:18 PST</pubDate>
<description>
	<![CDATA[
	<p>The growth in the use of computers in all aspects of our lives has continued to the point where desktop, laptop, netbook or tablet computers are now almost essential to the way we communicate and work. As a result of this, and the fact that these devices have a limited lifespan, enormous numbers of computers are being disposed of at the end of their useful life by individuals and/or organisations. As the cost of computing has reduced, the level of ‘consumerisation’ has increased together with the requirement for mobility. This has led to an increasing use of these devices both in the work environment and for personal data, which has resulted in computers containing high levels of both personal and corporate data. Computers have a relatively short life and are replaced on a regular basis. If not properly cleansed of data when they are released into the public domain they may contain data that is sensitive to the organisation or the individual and which may be relatively up to date. This problem is further exacerbated by the increasing popularity and use of smart phones, which may also contain significant storage capacity. This research describes the first survey of data remaining on computer hard disks sold on the second hand market in the United Arab Emirates (UAE). Similar studies have been carried out over the last six years in the United Kingdom, Australia, USA, Germany and France. This research was undertaken to gain insight into the volumes of data found on disks purchased in the UAE compared to other regions of the world and to gain an understanding of the relative level of the problem of residual data in the UAE. The study was carried out by Khalifa University of Science, Technology and Research and was sponsored by Verizon Ltd, a security management and consultancy company. The core methodology adopted for the study was the same as has been used for the other studies referred to above. The methodology included the acquisition of a number of second hand computer disks from a range of sources and then analysing them to determine whether any data could be recovered from the disk and, if so, whether the data it contained could be used to identify the previous owner or user. If information was found on the disks and the previous user or owner could be identified, the research examined whether it was of a sensitive nature or in sufficient volume to represent a risk.</p>

	]]>
</description>

<author>Andy Jones et al.</author>


</item>
<item>
<title>Evidence Examination Tools for Social Networks</title>
<link>http://ro.ecu.edu.au/adf/109</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/109</guid>
<pubDate>Thu, 21 Feb 2013 23:51:17 PST</pubDate>
<description>
	<![CDATA[
	<p>Social networking (SNS) involves computer networks and billions of users who interact for a multiplicity of purposes. The web based services allow people to communicate using many media sources and to build relationship networks that have personalized meanings. Businesses and Governments also exploit the opportunity for economical consumer interaction. With the valued use of SNS services also comes the potential for misuse and legal liability. In this paper three software tools are tested in the laboratory to assess the capability of the tools to extract files from the four most popular web browsers while browsers are being used to surf the three most popular SNS sites, Facebook, Twitter, and LinkedIn. The results showed that the capability for evidence extraction differed markedly between tools indicating that the use of a particular tool has a material impact if the files are being extracted for evidential purpose.</p>

	]]>
</description>

<author>Brian Cusack et al.</author>


</item>
<item>
<title>The 2012 Investigation into Remnant Data on Second Hand Memory Cards Sold in Australia</title>
<link>http://ro.ecu.edu.au/adf/110</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/110</guid>
<pubDate>Thu, 21 Feb 2013 23:51:17 PST</pubDate>
<description>
	<![CDATA[
	<p>This study investigates the remnant data on memory cards that were purchased through Australian second hand auction sites in 2012. Memory cards are increasing in capacity and are commonly used in many consumer oriented electronic devices including mobile phones, tablet computers, cameras and multimedia devices. This study examined 78 second hand memory cards. The investigation shows that confidential data is present on many of the memory cards and that in many instances there is no evidence to suggest that the seller attempted to erase the data. In many instances the sellers are asking the buyer to erase the data on the memory card. It is evident through this research that consumers are not appropriately informed of the dangers of disposing of personal media through second hand auction sites. Consequently, consumers do not take the appropriate actions to remove data.</p>

	]]>
</description>

<author>Patryk Szewczyk et al.</author>


</item>
<item>
<title>Forensic Readiness for Wireless Medical Systems</title>
<link>http://ro.ecu.edu.au/adf/108</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/108</guid>
<pubDate>Thu, 21 Feb 2013 23:51:16 PST</pubDate>
<description>
	<![CDATA[
	<p>Wireless medical devices and related information systems are vulnerable to use and abuse by unauthorized users. Medical systems are designed for a range of end users in different professional skill groups and also people who carry the devices in and on their bodies. Open, accurate and efficient communication is the priority for medical systems and as a consequence strong protection costs are traded against the utility benefits for open systems. Flexible security provisions are required and strong forensic capabilities built into the systems to treat the risk. In this paper we elaborate the problem area and discuss potential solutions to ready a medical system for the trade-off of open and secure services.</p>

	]]>
</description>

<author>Brian Cusack et al.</author>


</item>
<item>
<title>Secure Key Deployment and Exchange Protocol for Manet Information Management</title>
<link>http://ro.ecu.edu.au/adf/106</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/106</guid>
<pubDate>Thu, 21 Feb 2013 23:51:15 PST</pubDate>
<description>
	<![CDATA[
	<p>Secure Key Deployment and Exchange Protocol (SKYE) is an innovative encryption Key Management Scheme (KMS) based on a combination of features from recent protocols combined with new features for Mobile Ad Hoc Networks (MANETs). The design focuses on a truly ad hoc networking environment where the geographical size of the network, the number of network members and the mobility of the members are all unknown before deployment. This paper describes the process of development of the protocol and its application to system design to assure information security and potential evidential retention for forensic purposes. Threshold encryption key management is utilised, and simulation results show that security within the network can be increased by requiring more servers to collaborate to produce a certificate for a new member, or by requiring a higher trust threshold along the certificate request chain. The cost of information management (e.g. time, processor use and battery use in mobile devices) is also a consideration.</p>
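	<p>The threshold property the abstract relies on (a certificate for a new member can only be produced when at least k of the n servers collaborate) is illustrated by the following added example. It is not SKYE's own code and does not reproduce the paper's protocol: it uses plain Shamir secret sharing over a prime field, and the "certificate" is an HMAC over the member identifier computed with the recovered key. Real threshold schemes sign without ever reassembling the key in one place; the assembly here is a simplification to make the threshold visible. The key material, member name and field prime are constructed for the demo.</p>

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Arithmetic is done in GF(PRIME); 2**127 - 1 is a Mersenne prime, so any
# 16-byte key whose top bit is clear is representable (constructed choice).
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x)) held by one server


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int) -> List[Share]:
    """Shamir (k, n) split: any k of the n shares reconstruct the secret,
    k - 1 shares reveal nothing about it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def issue_certificate(member_id: str, contributed: List[Share], k: int) -> Optional[str]:
    """Toy certificate step: only when at least k servers contribute shares
    can the signing key be recovered and a certificate (here an HMAC) issued."""
    if len(contributed) < k:
        return None
    key = recover_secret(contributed[:k]).to_bytes(16, "big")
    return hmac.new(key, member_id.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    signing_key = int.from_bytes(b"demo-signing-key", "big")  # constructed key
    shares = split_secret(signing_key, k=3, n=5)
    print(issue_certificate("node-17", shares[:3], 3))  # certificate
    print(issue_certificate("node-17", shares[:2], 3))  # None: below threshold
```

	<p>Raising k is the "more servers must collaborate" knob from the abstract: with k = 3 of 5, an adversary who compromises two servers learns nothing about the key and cannot mint a certificate, but the network still tolerates two servers being out of radio range. The trade-off in the last sentence of the abstract shows up directly as the number of share transfers and modular multiplications per request.</p>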

	]]>
</description>

<author>Brian Cusack et al.</author>


</item>
<item>
<title>What is the Proper Forensics Approach on Trojan Banking Malware Incidents?</title>
<link>http://ro.ecu.edu.au/adf/107</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/107</guid>
<pubDate>Thu, 21 Feb 2013 23:51:15 PST</pubDate>
<description>
	<![CDATA[
	<p>Digital forensics procedures should be developed to obtain digital evidence with regard to legal requirements such as admissibility, authenticity, completeness, reliability and believability. At the same time, Trojan banking malware incidents have grown significantly and create a great threat to online banking users globally. This type of malware is known to use anti-forensic techniques to avoid forensic detection. Moreover, numerous works highlight the drawbacks of the post-mortem forensics approach in dealing with evidence that resides only in volatile (non-persistent) memory. Other works reveal the disadvantage of the live-response approach to incident response, which might compromise the evidence as well. Over the last four years there has been notable development of memory forensics approaches focusing on malware incidents. This paper demonstrates procedures that use three different forensics approaches on three different Trojan banking malware samples: Cridex, ZeuS and SpyEye. The aim of this work is to determine the proper forensics approach for Trojan banking malware incidents. The paper also uses a network forensics approach to gather and analyse the network-based evidence.</p>

	]]>
</description>

<author>Andri P. Heriyanto</author>


</item>
<item>
<title>Forensic investigation method and tool based on the user behaviour analysis</title>
<link>http://ro.ecu.edu.au/adf/104</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/104</guid>
<pubDate>Thu, 14 Jun 2012 00:35:53 PDT</pubDate>
<description>
	<![CDATA[
	<p>Today, people use a variety of digital devices, and the events taking place on them are stored in specific forms, most of which include data indicating when each event took place. So far, different methods have been constantly researched and developed to analyse various events, most of which analyse event data unnecessary for a forensic investigation. As a result, investigators have to carry out additional work to select the data needed for an actual investigation, making the process of analysis more difficult and longer. Besides, since the capacity of storage media keeps growing and events become more diversified, this problem seems to be gradually worsening. Thus, this paper suggests a timeline-based method of checking users' behaviour patterns at a glance by analysing, interpreting and visualising various user behaviour-based events in a short time, using the time information that exists in digital devices. Moreover, the range of analysis can be widened, since investigators can analyse events across the computers and smartphones that are the most used of all digital devices, rather than through a single system alone.</p>

	]]>
</description>

<author>Namheun Son et al.</author>


</item>
<item>
<title>A 2011 investigation into remnant data on second hand memory cards sold in Australia</title>
<link>http://ro.ecu.edu.au/adf/105</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/105</guid>
<pubDate>Thu, 14 Jun 2012 00:35:53 PDT</pubDate>
<description>
	<![CDATA[
	<p>Memory cards are widely used in numerous electronic devices including tablet computers, cameras, mobile phones and multimedia devices. Like a USB drive, memory cards are an inexpensive and portable persistent storage solution. Numerous manufacturers are incorporating a memory card interface into their products, allowing a large array of confidential data to be stored. This research aimed to determine the sensitivity, type and amount of data that remained on second hand memory cards post sale. In 2011, over an eight month period, 119 second hand memory cards were randomly purchased from eBay Australia. The findings from the research show that individuals use memory cards to store highly sensitive and confidential data and, as in similar previous studies, continually neglect to permanently destroy the data prior to sale.</p>

	]]>
</description>

<author>Patryk Szewczyk et al.</author>


</item>
<item>
<title>Acquisition of digital evidence in android smartphones</title>
<link>http://ro.ecu.edu.au/adf/103</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/103</guid>
<pubDate>Thu, 14 Jun 2012 00:35:52 PDT</pubDate>
<description>
	<![CDATA[
	<p>From an expert's perspective, an Android phone is a large data repository that can be stored either locally or remotely. Besides, its platform allows analysts to acquire device data, collecting information about its owner and facts that are under investigation. This way, by exploring and cross referencing that rich data source, one can get information related to unlawful acts and their perpetrator. There are widespread and well documented approaches to forensically examining mobile devices and computers. Nevertheless, they are neither specific nor detailed enough to examine modern smartphones, since these devices have internal memories whose removal or mirroring procedures are considered invasive and complex, due to difficulties in having direct hardware access. Furthermore, specific features of each smartphone platform have to be considered prior to acquiring its data. In order to deal with those challenges, this paper proposes a method to perform data acquisition of Android smartphones, regardless of version and manufacturer. The proposed approach takes into account existing techniques of computer and cell phone forensic examination, adapting them to specific Android characteristics, its data storage structure, popular applications and the conditions under which the device was sent to the forensic examiner. The method was defined in a broad fashion, not naming specific tools or techniques. It was then deployed in the examination of six Android smartphones, addressing different scenarios that an analyst might face, and was validated as performing an entire evidence acquisition.</p>

	]]>
</description>

<author>Andre Morum de L. Simao et al.</author>


</item>
<item>
<title>Data remanence in New Zealand: 2011</title>
<link>http://ro.ecu.edu.au/adf/102</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/102</guid>
<pubDate>Thu, 14 Jun 2012 00:35:51 PDT</pubDate>
<description>
	<![CDATA[
	<p>This paper presents findings from a study of computer data remanence in New Zealand and considers three research questions. Those questions are “What is the level of data remanence in New Zealand?”, “How does it compare with other countries?”, and “Are there industries in New Zealand that are more likely to have data remanence issues?” Computer data remanence is data that remains on a hard disk drive after that hard drive has been prepared for disposal. Typically data remanence research involves purchasing second hand hard drives without knowing the original source and then a variety of tools and techniques are used to determine what if any data remains. That data can range from the mundane such as holiday snapshots, to data of concern such as the credit card details used to book the holiday. This research uses a very similar methodology to the research of an Australian-British led consortium into computer data remanence that has been conducted since 2005 (Jones et al., 2005). For this research, 100 hard drives were sourced from companies based in New Zealand that deal in second hand hard drives. A total of 24 hard drives were found to have identifying information on them and this is consistent with the results of the consortium. When examining “Are there industries in New Zealand that are more likely to have data remanence issues?” there was an effective sample size of 14 hard drives which was not considered to be a large enough sample size to adequately draw conclusions. The data does suggest that schools are likely to be of concern however.</p>

	]]>
</description>

<author>Dax Roberts et al.</author>


</item>
<item>
<title>Forensic analysis of the android file system YAFFS2</title>
<link>http://ro.ecu.edu.au/adf/101</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/101</guid>
<pubDate>Thu, 14 Jun 2012 00:35:50 PDT</pubDate>
<description>
	<![CDATA[
	<p>The popularity of Android devices has resulted in a requirement for a process to extract and analyse data in a forensically sound manner. There is a wide range of devices which use the Android operating system, and hence a standard process for forensic extraction and analysis for all devices is not possible. Many devices use the Yet Another Flash File System (YAFFS), which introduces an additional layer of forensic requirements. Focussing on the internal storage of a Sony Ericsson Xperia x10i, a process to extract both logical and physical data from the internal NAND memory is possible after gaining super user access. Data was extracted in different formats by using a variety of software processes, such as SuperOneClick, dd, xRecovery, NANDdump, Yaffs2utils and Android Debug Bridge. Analysis of the extracts was then undertaken to determine the type of data available from the different extraction methods, which included logical file extraction, physical data with YAFFS spare information, and physical data without the YAFFS spare data. The analysis showed that NANDdump generated a bit-by-bit dump of the internal flash memory.</p>

	]]>
</description>

<author>Darren Quick et al.</author>


</item>
<item>
<title>Can current packet analysis software detect BitTorrent activity or extract files from BTP and μTP traffic streams?</title>
<link>http://ro.ecu.edu.au/adf/100</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/100</guid>
<pubDate>Thu, 14 Jun 2012 00:35:49 PDT</pubDate>
<description>
	<![CDATA[
	<p>BitTorrent is a peer to peer file sharing protocol used to exchange files over the internet, and is used for both legal and illegal activity. Newer BitTorrent client programs use proprietary UDP based protocols as well as TCP to transmit traffic, and also have the option of encrypting the traffic. This network forensic research examined a number of packet analysis programs to determine whether they could detect such traffic from packet captures of a complete file transmitted using one of four protocol options. The four states examined were: TCP without encryption, TCP with encryption, μTP without encryption and μTP with encryption, and the six programs investigated were: Network Miner, Tcpxtract, Honeysnap, OpenDPI, Netwitness Investigator and SPID. Of the six programs investigated, none was able to fully reconstruct a file, and most were not even able to detect that the traffic related to BitTorrent usage. The Netwitness Investigator program was able to extract the announce and scrape files. The signature based SPID was able to partly match TCP based torrent traffic, but could not identify μTP traffic. The conclusion is that until new tools are developed, forensic investigators must continue to rely on artifacts created by the BitTorrent clients themselves in order to locate evidence in the event that a crime has been alleged.</p>
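	<p>The two signatures a detector can actually key on, and why the encrypted and μTP cases defeat tools that only know the TCP handshake, are shown in this added example. It is not code from the paper or from any of the six tools tested: it matches the plaintext peer-wire handshake (length byte 19 followed by "BitTorrent protocol", then 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id) and parses the 20-byte μTP header defined in BEP 29 (type/version nibbles, extension byte, connection id, two timestamps, window size, sequence and acknowledgement numbers). All four payloads it classifies are constructed, not captured.</p>

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# Plaintext peer-wire handshake: pstrlen (19) + "BitTorrent protocol" +
# 8 reserved bytes + 20-byte info_hash + 20-byte peer_id = 68 bytes.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
UTP_TYPES = {0: "ST_DATA", 1: "ST_FIN", 2: "ST_STATE", 3: "ST_RESET", 4: "ST_SYN"}


def parse_bt_handshake(payload: bytes) -> Optional[Dict[str, str]]:
    """Return the handshake fields if the TCP payload starts with one."""
    if len(payload) < 68 or not payload.startswith(BT_HANDSHAKE_PREFIX):
        return None
    return {
        "reserved": payload[20:28].hex(),
        "info_hash": payload[28:48].hex(),
        "peer_id": payload[48:68].decode("latin-1"),
    }


def parse_utp_header(payload: bytes) -> Optional[Dict[str, int]]:
    """Parse a BEP 29 μTP header: type/ver byte, extension byte, then
    connection_id, timestamp, timestamp_diff, wnd_size, seq_nr, ack_nr."""
    if len(payload) < 20:
        return None
    pkt_type, version = payload[0] >> 4, payload[0] & 0x0F
    extension = payload[1]
    if version != 1 or pkt_type not in UTP_TYPES or extension > 2:
        return None
    conn_id, ts, ts_diff, wnd, seq, ack = struct.unpack("!HIIIHH", payload[2:20])
    # A SYN opens a connection with seq_nr 1; use it to cut false positives
    # on arbitrary UDP payloads that happen to pass the nibble test.
    if pkt_type == 4 and seq != 1:
        return None
    return {"type": pkt_type, "extension": extension, "conn_id": conn_id,
            "timestamp": ts, "timestamp_diff": ts_diff, "wnd_size": wnd,
            "seq_nr": seq, "ack_nr": ack}


def classify_payload(proto: str, payload: bytes) -> Optional[str]:
    """Signature classification of one transport payload."""
    if proto == "tcp" and parse_bt_handshake(payload):
        return "bittorrent-handshake"
    if proto == "udp" and parse_utp_header(payload):
        return "utp"
    return None


def build_samples() -> List[Tuple[str, str, bytes]]:
    """Constructed payloads, not captured traffic."""
    handshake = (BT_HANDSHAKE_PREFIX + b"\x00" * 8 + bytes(range(20))
                 + b"-UT3300-" + b"A" * 12)
    # Encrypted (MSE) session: the first bytes on the wire are a DH public
    # key, indistinguishable from random, so the signature never appears.
    encrypted = hashlib.sha256(b"constructed").digest() * 3
    utp_syn = struct.pack("!BBHIIIHH", 0x41, 0, 0x1234, 1_000_000, 0, 1 << 20, 1, 0)
    dns_query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 + b"\x07example\x03com\x00\x00\x01\x00\x01")
    return [("tcp-plain", "tcp", handshake), ("tcp-mse", "tcp", encrypted),
            ("udp-utp", "udp", utp_syn), ("udp-dns", "udp", dns_query)]


def classify_samples() -> Dict[str, Optional[str]]:
    return {name: classify_payload(proto, payload)
            for name, proto, payload in build_samples()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

	<p>The encrypted TCP sample is the instructive failure: there is no fixed byte sequence to match, which is why a purely signature based tool can at best flag the flow as high-entropy and the investigator falls back to client artifacts (resume data, .torrent files, DHT state) as the abstract concludes. The μTP header check is deliberately weak on its own (any UDP payload with a 0x?1 first byte passes the nibble test), so in practice it should be corroborated by seeing the same connection_id in both directions.</p>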

	]]>
</description>

<author>William Pung et al.</author>


</item>
<item>
<title>An evaluation of data erasing tools</title>
<link>http://ro.ecu.edu.au/adf/99</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/99</guid>
<pubDate>Thu, 14 Jun 2012 00:35:48 PDT</pubDate>
<description>
	<![CDATA[
	<p>The permanent removal of data from computer disks has always been problematic. This has been due, in part, to the lack of availability of tools, and in part to the misperception by the user that when a file is deleted it is destroyed and cannot be recovered, and that when a disk is formatted the data is destroyed. In this paper, we examine a number of the commonly available tools to determine how effectively they function and whether they achieve the aim of the effective destruction of data.</p>

	]]>
</description>

<author>Thomas Martin et al.</author>


</item>
<item>
<title>Organisational preparedness for hosted virtual desktops in the context of digital forensics</title>
<link>http://ro.ecu.edu.au/adf/97</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/97</guid>
<pubDate>Thu, 14 Jun 2012 00:35:47 PDT</pubDate>
<description>
	<![CDATA[
	<p>Virtualization in computing has progressed to an extent where desktops can be virtualized and accessed from anywhere. The server hosted model has already surpassed 1% market share of the worldwide professional PC market, with estimates indicating that this is a rapidly growing area. This paper investigates the adequacy of current digital forensic procedures on hosted virtual desktops (HVDs), as there do not appear to be specific methods for locating and extracting evidence from this infrastructure. A hosted virtual desktop deployed in a private cloud was simulated to reflect two different computer crime scenarios. It was found that current digital forensic procedures may not be adequate for locating and extracting evidence, since the infrastructure introduces complications such as persistent/non-persistent disk modes and the segregation of data in a multi-tenant environment.</p>

	]]>
</description>

<author>Nirbhay Jawale et al.</author>


</item>
<item>
<title>Component technologies for e-discovery and prototyping of suit-coping system</title>
<link>http://ro.ecu.edu.au/adf/98</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/98</guid>
<pubDate>Thu, 14 Jun 2012 00:35:47 PDT</pubDate>
<description>
	<![CDATA[
	<p>Since ESI (Electronically Stored Information) has been included within the scope of discoverable evidence under the FRCP (Federal Rules of Civil Procedure) that took effect on December 1, 2006, enterprises that are frequently involved in litigation need to adopt systems for coping with e-Discovery, such as ESI administration or information preservation. In this paper, component technologies for all steps of e-Discovery are described in detail, and, as a prototype of a system for e-Discovery preparation, an agent-based information management and control system is introduced that can centrally manage ESI stored on a number of computers and respond rapidly on demand, extracting discovery-related data using digital forensic technologies. Apart from fundamental searching and analysing functions, this system can detect users' abnormal behaviours, generate forensic images remotely, and control related files.</p>

	]]>
</description>

<author>Youngsoo Kim et al.</author>


</item>
<item>
<title>Visualising forensic data: investigation to court</title>
<link>http://ro.ecu.edu.au/adf/96</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/96</guid>
<pubDate>Thu, 14 Jun 2012 00:35:46 PDT</pubDate>
<description>
	<![CDATA[
	<p>Visualisation is becoming increasingly important for understanding information, such as investigative data (for example: computing, medical and crime scene evidence) and analysis (for example: network capability assessment, data file reconstruction and planning scenarios). Investigative data visualisation is used to reconstruct a scene or item and to assist the viewer (who may well be a member of the general public with little or no understanding of the subject matter) to understand what is being presented. Analysis visualisations, on the other hand, are usually developed to review data and information and to assess competing scenario hypotheses for those who usually have an understanding of the subject matter. Visualisation represents information that has been digitally recorded (for example: pictures, video and sound), hand written and/or spoken data, to show what may have, could have, did or is believed to have happened. That is why visualising data is an important development in the analysis and investigation realms, as visualisation explores the accuracies, inconsistencies and discrepancies of the collected data and information. One of the primary issues of visualisation is that no matter how coherent the data, there will always be conjecture and debate as to how the information is or has been visualised and whether it is presented in an acceptable and meaningful way. This paper presents a range of examples of where forensic data has been visualised using various techniques and technology, and then concludes with a discussion of potential benefits and problems.</p>

	]]>
</description>

<author>Ken Fowle et al.</author>


</item>
<item>
<title>Systems architecture for the acquisition and preservation of wireless network traffic</title>
<link>http://ro.ecu.edu.au/adf/95</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/95</guid>
<pubDate>Thu, 14 Jun 2012 00:35:45 PDT</pubDate>
<description>
	<![CDATA[
	<p>Wireless networking provides a ready and cost effective solution for business applications. It has escalated in popularity mainly due to the ability to form computer networks without a wired based infrastructure. However, accompanying the widespread usage also comes the inherent prospect of criminal misuse, including unauthorized application and the launch of system attacks. This paper presents the testing of an innovative Wireless Forensic Model (WFM) system that provides capability for acquisition and preservation of wireless network traffic (802.11) frames by implementing a wireless drone architecture. It is thus a forensic readiness system providing available evidence for forensic investigation. The results show that the tested system has the ability to collect upwards of 90% of all frames, as well as evidence and detection of attacks conducted against the wireless network.</p>
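	<p>What "evidence and detection of attacks" looks like once 802.11 frames have been preserved is shown by this added example, which is not the paper's WFM code. It decodes the fixed part of the 802.11 MAC header (frame control type/subtype, the three address fields, sequence control) from raw frames with no radiotap prefix, and flags transmitter/receiver pairs that emit a burst of deauthentication or disassociation frames, the commonest attack a drone capture would record. The capture it runs on is constructed (documentation MAC addresses, a few beacons and data frames, one legitimate deauth and a forged broadcast deauth burst); the threshold of five frames is an assumption to tune against a real baseline.</p>

```python
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

MGMT, CTRL, DATA = 0, 1, 2          # frame control "type" field
DEAUTH, DISASSOC, BEACON = 12, 10, 8  # management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode frame control, addr1..addr3 and the sequence number from the
    24-byte 802.11 MAC header (little-endian fields, no radiotap prefix)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if fc0 & 0x03 != 0:          # protocol version must be 0
        return None
    return {
        "type": (fc0 >> 2) & 0x03,
        "subtype": (fc0 >> 4) & 0x0F,
        "addr1": mac_str(frame[4:10]),    # receiver
        "addr2": mac_str(frame[10:16]),   # transmitter
        "addr3": mac_str(frame[16:22]),   # BSSID for management frames
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,  # low 4 bits = fragment
    }


def make_frame(ftype: int, subtype: int, addr1: str, addr2: str, addr3: str,
               seq: int, body: bytes = b"") -> bytes:
    """Build a constructed 802.11 frame for the demo capture."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0x00])
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3))
    return fc + b"\x00\x00" + addrs + struct.pack("<H", seq << 4) + body


def detect_deauth_flood(frames: List[bytes], threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Count deauth/disassoc frames per (transmitter, receiver) pair and
    return the pairs at or above the threshold."""
    counts: Counter = Counter()
    for frame in frames:
        hdr = parse_header(frame)
        if hdr and hdr["type"] == MGMT and hdr["subtype"] in (DEAUTH, DISASSOC):
            counts[(hdr["addr2"], hdr["addr1"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def build_capture() -> List[bytes]:
    """Constructed capture: beacons and data, one genuine deauth, then a burst
    of broadcast deauths forged with the access point's address."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    reason = struct.pack("<H", 7)  # class 3 frame received from non-associated STA
    frames = [make_frame(MGMT, BEACON, BROADCAST, ap, ap, i) for i in range(3)]
    frames += [make_frame(DATA, 0, ap, client, ap, 10 + i, b"payload") for i in range(4)]
    frames.append(make_frame(MGMT, DEAUTH, client, ap, ap, 20, reason))
    frames += [make_frame(MGMT, DEAUTH, BROADCAST, ap, ap, 100 + i, reason) for i in range(8)]
    return frames


if __name__ == "__main__":
    for (tx, rx), n in detect_deauth_flood(build_capture()).items():
        print(f"deauth flood: {n} frames from {tx} to {rx}")
```

	<p>Because management frames carry no integrity protection on networks without 802.11w, the forged frames are byte-for-byte indistinguishable from the access point's own; the evidential value of a drone capture is precisely that it records the burst, its timing and (with radiotap headers, which this parser deliberately skips) the signal strength that can separate the rogue transmitter from the real one.</p>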

	]]>
</description>

<author>Brian Cusack et al.</author>


</item>
<item>
<title>Tracing sources of DOS and DDOS attack: evidential recovery</title>
<link>http://ro.ecu.edu.au/adf/94</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/94</guid>
<pubDate>Thu, 14 Jun 2012 00:35:44 PDT</pubDate>
<description>
	<![CDATA[
	<p>The ability to trace back to the network source of a computer service attack is an important step in locating evidence that may be used to identify and prosecute those responsible. The instability of internetwork environments, however, makes both tracing and justifying the credibility of the evidence obtained a challenge for investigators. In this research four methods for tracing the sources of attacks are reviewed and one is selected for testing in public and open networks. Specifically, the Time-To-Live (TTL) field is investigated for trace back potential in a method called the hop count distance method. The results show that, within the limitations discussed, it is possible to locate the origin of an attack back to the nearest router from the source. Furthermore, the general location of the attack origin may be theorised from population demographic data. The purpose of this paper is to demonstrate what may be achieved but then, more importantly, to temper any claims arising from generalisation.</p>
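	<p>The hop count distance method rests on one inference: a packet leaves its sender with an operating-system-specific initial TTL (32, 64, 128 or 255) and loses one per router, so the observed TTL gives the distance in routers to the real sender regardless of the source address written in the header. The following added example (not the paper's code) shows the two uses an investigator makes of that: learning each legitimate source's hop count from traffic that could not have been spoofed, then, during an attack, separating packets whose hop count contradicts their claimed source and reading off the distance the spoofed packets really travelled. All addresses and TTLs are constructed documentation-range samples; the tolerance of one hop and the "fewer than 32 hops" assumption behind the initial-TTL guess are both assumptions.</p>

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Initial TTLs chosen by common operating systems. A packet arrives with
# initial_ttl - hops, so the smallest initial value not below the observed
# TTL is the most plausible starting point (assumes paths shorter than 32).
INITIAL_TTLS = (32, 64, 128, 255)

Packet = Tuple[str, int]  # (source IP as written in the header, observed TTL)


def infer_hop_count(observed_ttl: int) -> int:
    if not 0 < observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def build_hop_table(trusted: List[Packet]) -> Dict[str, int]:
    """Learn each source's hop count from traffic that could not have been
    spoofed, e.g. connections that completed a TCP handshake."""
    return {src: infer_hop_count(ttl) for src, ttl in trusted}


def classify_packets(packets: List[Packet], table: Dict[str, int], tolerance: int = 1):
    """Split attack packets into those consistent with the learned hop count
    for their claimed source and those that are not (likely spoofed)."""
    consistent, inconsistent = [], []
    for src, ttl in packets:
        hops = infer_hop_count(ttl)
        expected = table.get(src)
        if expected is not None and abs(hops - expected) <= tolerance:
            consistent.append((src, hops))
        else:
            inconsistent.append((src, hops, expected))
    return consistent, inconsistent


def spoofed_distance(inconsistent) -> Optional[int]:
    """Hop count most spoofed packets share: the number of routers between
    the capture point and the network the attacker is really on."""
    if not inconsistent:
        return None
    return Counter(hops for _, hops, _ in inconsistent).most_common(1)[0][0]


# Constructed sample traffic (documentation-range addresses, not real captures).
TRUSTED = [("203.0.113.10", 57), ("198.51.100.7", 120), ("192.0.2.44", 244)]
ATTACK = [("203.0.113.10", 57), ("203.0.113.10", 58), ("198.51.100.7", 113),
          ("192.0.2.44", 244), ("192.0.2.99", 113), ("203.0.113.10", 49)]


def run_demo():
    table = build_hop_table(TRUSTED)
    consistent, inconsistent = classify_packets(ATTACK, table)
    return table, consistent, inconsistent, spoofed_distance(inconsistent)


if __name__ == "__main__":
    table, ok, bad, dist = run_demo()
    print("learned:", table)
    print("consistent:", ok)
    print("inconsistent (spoofed?):", bad)
    print("attacker is about", dist, "routers from the capture point")
```

	<p>In the sample, three packets claim three different sources yet all arrive 15 hops out, which is the signature of one host spoofing addresses. The limitations the abstract insists on are visible in the code: the initial-TTL guess is ambiguous (an observed TTL of 30 is 2 hops from a 32-initial host or 34 from a 64-initial one), routes change, and a hop count is a radius, not a location, so it narrows the search to the router at that distance rather than naming a machine.</p>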

	]]>
</description>

<author>Brian Cusack et al.</author>


</item>
<item>
<title>Information leakage through second hand USB flash drives within the United Kingdom</title>
<link>http://ro.ecu.edu.au/adf/93</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/adf/93</guid>
<pubDate>Thu, 14 Jun 2012 00:35:43 PDT</pubDate>
<description>
	<![CDATA[
	<p>The pervasiveness of flash based USB storage, alongside increasing capacity and falling price points, has led to a documented potential for information leakage. Such a potential is significantly raised when employees are able to use personal devices within a business environment with little regard to safe disposal practices. This study purchased a range of USB storage devices from UK based auction sites to determine what, if any, data was recoverable. The study found a total of 36136 recoverable files, including a range of data detailing private information of previous owners and confidential corporate data, with twenty percent of the purchased USB devices having been securely wiped before sale.</p>
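	<p>The remanence studies in this feed (the UAE hard disk survey, the Australian memory card studies, the New Zealand study and this USB one) all apply the same core step: image the medium and carve it for recoverable files and identifying data without relying on the file system. The erasing-tools evaluation above makes the complementary point that deletion and formatting only touch metadata. This added example, which is not the code of any of those papers, shows both on a constructed 32 KiB disk image: header/footer carving for JPEGs, Luhn-validated card numbers and e-mail addresses as the "identifying or sensitive" test, then a quick format (metadata cleared, data untouched) versus a full overwrite. The directory layout, file contents and card number are constructed for the demo.</p>

```python
import re
from typing import Dict, List

SECTOR = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
# 13-19 digits optionally separated by spaces/hyphens, not inside a longer run
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def carve_jpegs(image: bytes) -> List[bytes]:
    """Header/footer carving: every SOI .. EOI span, file system ignored."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(image[start:end + 2])
        pos = end + 2


def find_card_numbers(image: bytes) -> List[str]:
    hits = []
    for m in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_emails(image: bytes) -> List[str]:
    return sorted({m.group().decode() for m in EMAIL_RE.finditer(image)})


def survey(image: bytes) -> Dict[str, object]:
    """What a remanence study records per medium: carved files and identifiers."""
    return {"jpegs": len(carve_jpegs(image)),
            "cards": find_card_numbers(image),
            "emails": find_emails(image)}


def build_sample_image() -> bytes:
    """Constructed 32 KiB 'disk': sector 0 holds a toy directory, sectors 4 and 8
    hold two live files, and sector 20 holds an old message whose directory
    entry was deleted long ago (the data itself was never touched)."""
    img = bytearray(64 * SECTOR)
    directory = b"FILE holiday.jpg @4\nFILE booking.txt @8\n"
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(200) + JPEG_EOI
    note = (b"Booking ref 7731\nCard: 4539 1488 0343 6467 exp 09/14\n"
            b"Contact: alice@example.org\n")
    old_mail = b"From: bob@corp.example\nSubject: Q3 payroll figures\n"
    for offset, data in ((0, directory), (4 * SECTOR, jpeg),
                         (8 * SECTOR, note), (20 * SECTOR, old_mail)):
        img[offset:offset + len(data)] = data
    return bytes(img)


def quick_format(image: bytes) -> bytes:
    """What a delete or quick format does: clear the metadata, leave the data."""
    return bytes(SECTOR) + image[SECTOR:]


def overwrite_all(image: bytes, pattern: int = 0x00) -> bytes:
    """Single full-media overwrite, the minimum an erasing tool must do."""
    return bytes([pattern]) * len(image)


if __name__ == "__main__":
    disk = build_sample_image()
    print("as sold:        ", survey(disk))
    print("quick-formatted:", survey(quick_format(disk)))
    print("overwritten:    ", survey(overwrite_all(disk)))
```

	<p>The quick-formatted image surveys identically to the original, which is the failure mode the erasing-tools paper describes; only the overwrite empties the survey. On real flash media (USB sticks, memory cards, SSDs) a host-side overwrite is still not sufficient on its own, because wear levelling can leave old copies of a block in cells the host can no longer address, so a carving pass over a chip-level image can recover data that a logical image no longer shows.</p>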

	]]>
</description>

<author>Widya Chaerani et al.</author>


</item>
</channel>
</rss>
