- Conference paper: Attacking test and online forensics in IPv6 networks (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Wu, Liu; Hai-Xin, Duan; Tao, Lin; Xing, Li; Jian-Ping, Wu; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk. Abstract: Although the IPv6 protocol has considered and implemented more security mechanisms compared with IPv4, there are still many security threats in IPv6 networks. Being one of the key protocols in IPv6, the Internet Control Message Protocol (ICMPv6) suffers from severe security risks. In this paper we construct an IPv6 attacking test system, ATS_ICMP_6, exploiting the ICMPv6 Unreachable Message, which shows that the security of the IPv6 protocol is still very weak. On the other hand, we have designed and implemented a network forensics prototype, 6Foren, for the IPv6 environment based on protocol analysis technology; its functions include packet capture, data reconstruction and message replay, etc. 6Foren can be used for online digital forensics and supports online forensics of the HTTP, FTP, SMTP and POP3 protocols.
- Conference paper: File type analysis using signal processing techniques and machine learning vs. the file Unix utility for forensic analysis (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Mokhov, Serguei A.; Debbabi, Mourad; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk. Abstract: The Unix file utility determines the file types of regular files by usually examining the first 512 bytes of the file, which often contain some magic header information or typical header information for binary files or common text file fragments; otherwise, it defers to the OS-dependent stat() system call. It combines these heuristics with the common file extensions to give the final result of classification. While file is fast and small, and its magic database is "serviceable" by expert users, for it to recognize new file types, perhaps with much finer granularity, it requires code and/or magic database updates and a patch release from the core developers to recognize new file types correctly. We propose an alternative file-like utility for determining file types with much greater flexibility, which can learn new types on the user's side and be integrated into forensic toolkits as a plug-in that relies on the file-like utility and uses signal processing techniques to compute the "spectral signatures" of file types. We present the work-in-progress of the design and implementation of such a tool based on MARF's collection of algorithms, the selection of the best combination, and the integration of the tool into a forensic toolkit to enhance the tool, called fileType, with automatic machine learning capabilities for new file types. We compare the advantages and disadvantages of our approach with the file utility in terms of various metrics, and apply the new tool to learn known stego files in an attempt to classify potential unknown stego files, comparing the results with stegdetect.
- Conference paper: Live forensic acquisition as alternative to traditional forensic processes (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Lessing, Marthie; Solms, Basie von; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk. Abstract: The development of live forensic acquisition in general presents a remedy for some of the problems introduced by traditional forensic acquisition. However, live forensic acquisition introduces a variety of additional problems, unique to this discipline. This paper presents current research with regard to the forensic soundness of evidence retrieved through live forensic acquisition. The research is based on work done for a PhD in Computer Science at the University of Johannesburg.
- Edited book: IMF 2008 – IT Incident Management & IT Forensics (2008). Editors: Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk.
- Conference paper: Building a runtime state tracing kernel (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Chakravarthy, Ananth; Vaidya, Vinay G.; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk. Abstract: A process is run by the processor executing a sequence of instructions. However, it is probable that not all of the instructions are executed, as there are hundreds of paths that the executable can take to complete its execution. The path chosen depends on a host of factors such as the environment, user input, the platform, etc. As such, at any given instant of time, the process might be in any of the possible states Sn after traversing states S1, S2, S3 ..., where S1, S2, S3, ..., Sn, Sn+1, Sn+2, ..., SM depict the total M states that can be taken by the executable. There is currently no mechanism inside the Linux kernel to peek into the state of the process to find out which of these states it is currently in and which states it has "traversed" to reach the current state while it is executing. If such effective tracing can be achieved, it would lead to better operating system security. Other advantages are better logs or even building a verifiable software system. This paper looks at the infrastructure that has been developed to realize such functionality in the Linux kernel and thereby increase the security of the running process. Of particular mention is the framework that has been developed to peek into the state of a running process as it executes, and the various mechanisms that could be used to ascertain the state of the running process.
- Conference paper: Network flow security baselining (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Tsvetanov, Tsvetomir; Simeonov, Stanislav; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk. Abstract: Networks are a critical factor in the performance of a modern company. Managing a network is as important as managing any other aspect of a company's performance and security. There are many tools and appliances for monitoring traffic and analyzing the security aspects of network flows. They use different approaches and rely on different characteristics of the network flows. Network researchers are still working on a common approach to security baselining that might enable early alerts. This paper focuses on security baselining based on a simple flow analysis utilizing flow measurements and the theory of Markov models.
- Conference paper: Investigations and prosecution in case of computer crime – Overview of the national and international situation (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Silberbach, Fred-Mario; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk.
- Conference paper: Incident management & forensics put in context (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Cole, Jack; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk.
- Conference paper: Using observations of invariant behaviour to detect malicious agency in distributed environments (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: McEvoy, Thomas Richard; Wolthusen, Stephen; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk. Abstract: Detecting malicious software used for covert ends is problematic because skilled attackers invariably employ stealth mechanisms to conceal the injection and subsequent activity of such software. As a result, the evidence of such incursions frequently "disappears" once the attack has succeeded. In distributed environments, this difficulty is compounded by the inherent difficulties in observing the global state of a computation. We propose a novel approach to the detection of potentially malicious activity in distributed environments. We select key data elements, which are chosen on the basis that they are frequently subject to subversion during malicious attacks. We specify their behavior as a partial order of sequences in state, accounting not only for legal and illegal states, but also for less than normative behavior, whose occurrence may indicate the presence of anomalous conditions. We show how we overcome the difficulties of observing state in distributed environments by employing a multiplicity of distinct and independent observer processes and by making use of well-known algorithms to synchronize and order our observations, and we demonstrate that we are able to use the resulting data set to make inferences about the presence (or not) of malicious software based on comparisons of observed and expected behaviors.
- Conference paper: Formally specifying operational semantics and language constructs of Forensic Lucid (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Mokhov, Serguei A.; Paquet, Joey; Debbabi, Mourad; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk. Abstract: The Forensic Lucid programming language is being developed for intensional cyberforensic case specification and analysis, including the syntax and operational semantics. In significant part, the language is based on its predecessor and codecessor Lucid dialects, such as GIPL, Indexical Lucid, Lucx, Objective Lucid, and JOOIP, bound by the intensional higher-order logic that is behind them. This work continues to formally specify the operational semantics of the Forensic Lucid language, extending the previous related work.