A kernel driver modification to visualize and reconstruct data transfer between computer and USB mass storage devices
| dc.contributor.author | Zöllner, Joshua | |
| dc.contributor.author | Petschke, Dmitry | |
| dc.contributor.author | Schinner, Alexander | |
| dc.contributor.author | Weber, Kristin | |
| dc.contributor.author | Mayer, Manuel | |
| dc.date.accessioned | 2021-12-14T10:57:45Z | |
| dc.date.available | 2021-12-14T10:57:45Z | |
| dc.date.issued | 2021 | |
| dc.description.abstract | The aim of this work is to create a completely new method for analysing the physical access to USB mass storage devices and to reconstruct the file access from the logged data. This is achieved by replacing a real USB stick with a full software simulation based on a Raspberry PI Zero using USB gadget mode. To achieve full information, we extended the logging capabilities of the Linux kernel driver. This allows to log position and size of each reading operation at the lowest possible level. For write operation, the written data is logged, too. This enables logging completely independent of the operating system or file system and allows a forensic image to be calculated that has time as an additional dimension. Further advantages of this method are that it is completely undetectable from the host computer and random accesses bypassing a file system can also be logged. A reconstruction of the original file access is shown and the possibilities for new attack vectors are discussed. | en |
| dc.identifier.doi | 10.18420/informatik2021-073 | |
| dc.identifier.isbn | 978-3-88579-708-1 | |
| dc.identifier.pissn | 1617-5468 | |
| dc.identifier.uri | https://dl.gi.de/handle/20.500.12116/37741 | |
| dc.language.iso | en | |
| dc.publisher | Gesellschaft für Informatik, Bonn | |
| dc.relation.ispartof | INFORMATIK 2021 | |
| dc.relation.ispartofseries | Lecture Notes in Informatics (LNI) - Proceedings, Volume P-314 | |
| dc.subject | Digital forensics | |
| dc.subject | Data Transfer | |
| dc.subject | File System Analysis | |
| dc.subject | Protocol Reverse Engineering | |
| dc.subject | Forensic Image | |
| dc.subject | USB Software-Defined Mass Storage Device | |
| dc.title | A kernel driver modification to visualize and reconstruct data transfer between computer and USB mass storage devices | en |
| gi.citation.endPage | 865 | |
| gi.citation.startPage | 857 | |
| gi.conference.date | 27. September - 1. Oktober 2021 | |
| gi.conference.location | Berlin | |
| gi.conference.sessiontitle | Workshop: International Workshop on Digital Forensics (WDF) |
Dateien
Originalbündel
1 - 1 von 1