P140 - IMF 2008 – IT-Incident Management & IT Forensics


1 - 10 of 15
  • Conference paper
    Live forensic acquisition as alternative to traditional forensic processes
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Lessing, Marthie; Solms, Basie von
    The development of live forensic acquisition in general presents a remedy for some of the problems introduced by traditional forensic acquisition. However, this live forensic acquisition introduces a variety of additional problems, unique to this discipline. This paper presents current research with regards to the forensic soundness of evidence retrieved through live forensic acquisition. The research is based on work done for a PhD Computer Science at the University of Johannesburg.
  • Conference paper
    Attacking test and online forensics in IPv6 networks
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Wu, Liu; Hai-Xin, Duan; Tao, Lin; Xing, Li; Jian-Ping, Wu
    Although the IPv6 protocol has considered and implemented more security mechanisms compared with IPv4, there are still many security threats in IPv6 networks. Being one of the key protocols in IPv6, the Internet Control Message Protocol (ICMPv6) suffers from severe security risks. In this paper we construct an IPv6 attacking test system, ATS_ICMP_6, exploiting the ICMPv6 Unreachable Message, which shows that the security of the IPv6 protocol is still very weak. On the other hand, we have designed and implemented a network forensics prototype, 6Foren, for IPv6 environments based on protocol analysis technology; its functions include packet capture, data reconstruction and message replay. 6Foren can be used for online digital forensics and supports the online forensics of the HTTP, FTP, SMTP and POP3 protocols.
  • Conference paper
    File type analysis using signal processing techniques and machine learning vs. file Unix Utility for forensic analysis
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Mokhov, Serguei A.; Debbabi, Mourad
    The Unix file utility determines the file types of regular files by examining usually the first 512 bytes of the file, which often contain some magic header information or typical header information for binary files or common text file fragments; otherwise, it defers to the OS-dependent stat() system call. It combines these heuristics with the common file extensions to give the final classification result. While file is fast and small, and its magic database is "serviceable" by expert users, for it to recognize new file types, perhaps with much finer granularity, it requires code and/or magic database updates and a patch release from the core developers. We propose an alternative file-like utility for determining file types with much greater flexibility, one that can learn new types on the user's side and be integrated into forensic toolkits as a plug-in that relies on the file-like utility and uses signal processing techniques to compute the "spectral signatures" of file types. We present the work-in-progress design and implementation of such a tool, called fileType, based on MARF's collection of algorithms, the selection of the best combination, and the integration of the tool into a forensic toolkit to enhance it with automatic machine learning of new file types. We compare the advantages and disadvantages of our approach with the file utility in terms of various metrics, apply the new tool to learn known stego files in an attempt to classify potential unknown stego files, and compare the results with stegdetect.
  • Conference paper
    Incident management & forensics put in context
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Cole, Jack
  • Conference paper
    Reconstructing people's lives: A case study in teaching forensic computing
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Freiling, Felix C.; Holz, Thorsten; Mink, Martin
    In contrast to the USA and the UK, the academic field of forensic computing is still in its infancy in Germany. To foster the exchange of experiences, we report on lessons learnt in teaching two graduate-level courses in forensic computing at a German university. The focus of the courses was to give a research-oriented introduction to the field. The first course, a regular lecture, was accompanied by two practical exercises: (1) a live analysis of a compromised honeypot, and (2) a dead analysis of a set of hard disks purchased on the web. The second course was a laboratory course with extensive experiments, including forensic analysis of mobile phones. We give an overview of these courses and pay special attention to the reports resulting from the exercises, which clearly document the ubiquity of data available to forensic analysis.
  • Conference paper
    Using observations of invariant behaviour to detect malicious agency in distributed environments
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) McEvoy, Thomas Richard; Wolthusen, Stephen
    Detecting malicious software used for covert ends is problematic because skilled attackers invariably employ stealth mechanisms to conceal the injection and subsequent activity of such software. As a result, the evidence of such incursions frequently "disappears" once the attack has succeeded. In distributed environments, this difficulty is compounded by the inherent difficulties in observing the global state of a computation. We propose a novel approach to the detection of potentially malicious activity in distributed environments. We select key data elements, chosen on the basis that they are frequently subject to subversion during malicious attacks. We specify their behavior as a partial order of sequences in state, accounting not only for legal and illegal states, but also for less than normative behavior, whose occurrence may indicate the presence of anomalous conditions. We show how we overcome the difficulties of observing state in distributed environments by employing a multiplicity of distinct and independent observer processes and by making use of well-known algorithms to synchronize and order our observations, and we demonstrate that we are able to use the resulting data set to make inferences about the presence (or not) of malicious software based on comparisons of observed and expected behaviors.
  • Conference paper
    A forensic computing framework to fit any legal system
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Wood, Steven W.
    The demand for examinations of digital evidence is on the rise the world over. The majority of the academic work in this field comes from the United States and is heavily geared towards the American legal system. This makes using such a framework very difficult in other countries; what is needed is a framework that can be used in any jurisdiction in the world. It is our goal to take the existing state of the practice and add a level of abstraction that will increase its usefulness.
  • Conference paper
    Network forensic of partial SSL/TLS encrypted traffic classification using clustering-algorithms
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Wu, Meng-Da; Wolthusen, Stephen D.
    Machine learning tools have long been used in network traffic analysis, but their application to the network forensics domain and its specific issues has been limited thus far. We investigate the applicability of several common machine learning techniques to identify and classify partially encrypted traffic as may be encountered by forensic investigators confronted only with partial post-hoc traces. It is highly desirable to identify the types of applications and endpoints using such tunnels to facilitate further forensic investigation. In this paper, we therefore examine several clustering algorithms, namely DBSCAN (Density-Based Spatial Clustering of Applications with Noise), K-means, and EM (Expectation-Maximization), with regard to their ability to classify encrypted partial traffic using inter-arrival time and TCP length information chosen for its predictive significance. Our experiments demonstrate promising classification results.
  • Conference paper
    Network infrastructure forensics
    (IMF 2008 – IT Incident Management & IT Forensics, 2008) Lindner, Felix
    Incident identification, response and forensic analysis depend on the ability to extract meaningful evidence from the suspected system. Such tools do not exist for network infrastructure equipment. The significantly increased attack resilience of common general-purpose operating systems poses a surprising new challenge to forensics, as attackers will likely shift their attention back towards network infrastructure control. The paper discusses the importance of network equipment forensics, the anatomy of devices and the attack types encountered. Finally, a method for performing forensics on a widely used type of network equipment is presented.