Swap files Anti-Forensics on Linux

E. Jadied
DOI: 10.1109/APMEDIACAST.2016.7878175 (https://doi.org/10.1109/APMEDIACAST.2016.7878175)
Published in: 2016 Asia Pacific Conference on Multimedia and Broadcasting (APMediaCast)
Publication date: 2016-11-01
Citations: 1

Abstract

The swap file is a potentially interesting and rich source of digital evidence. Passwords, cryptographic keys, private data and sensitive data can be found in it. With a simple technique such as string matching, this evidence can be easily found and identified. There is minimal research on swap file anti-forensics. We found that most swap file anti-forensic techniques are still vulnerable to live acquisition. We therefore propose two swap file anti-forensic techniques: the injected live swap file and the fake swap file. The injected live swap file is created by injecting (flooding) fake data into the live swap file using a custom script. The fake swap file is created by manipulating the swap file header and then filling the swap file with fake artefacts of our choosing. These techniques are applied before the user begins his/her usual activities. We were able to implement the injected live swap file technique, but with the disadvantage that private and sensitive data may leak. Making a fake swap file is relatively easy and involves no data leak. Although neither approach solves the problem of live acquisition, both could confuse and mislead an examiner and waste the examiner's time.