J. Digit. Forensics Secur. Law: Latest publications

Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again
J. Digit. Forensics Secur. Law Pub Date : 2021-06-10 DOI: 10.58940/1558-7223.1726
Igor Korkin
Abstract: The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files open in exclusive access. The third attack escalates process privileges, without applying token swapping. Although Windows security experts have issued new protection features, access attempts to the dynamically allocated data in the kernel are not fully controlled. MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks as well as supporting the Windows 10 1903 x64.
Citations: 1
Sharia Law and Digital Forensics in Saudi Arabia
J. Digit. Forensics Secur. Law Pub Date : 2018-12-19 DOI: 10.15394/jdfsl.2018.1568
Andrew Jones, Fahad Alanazi, Catherine Menon
Citations: 3
A Forensic Enabled Data Provenance Model for Public Cloud
J. Digit. Forensics Secur. Law Pub Date : 2018-12-19 DOI: 10.15394/JDFSL.2018.1570
Md Shariful Haque, T. Atkison
Abstract: Cloud computing is a newly emerging technology where storage, computation and services are extensively shared among a large number of users through virtualization and distributed computing. This technology makes the process of detecting the physical location or ownership of a particular piece of data even more complicated. As a result, improvements in data provenance techniques became necessary. Provenance refers to the record describing the origin and other historical information about a piece of data. An advanced data provenance system will give forensic investigators a transparent idea about the data's lineage, and help to resolve disputes over controversial pieces of data by providing digital evidence. In this paper, the challenges of cloud architecture are identified, how this affects the existing forensic analysis and provenance techniques is discussed, and a model for efficient provenance collection and forensic analysis is proposed.
Citations: 8
A Sketch-based Rapid Modeling Method for Crime Scene Presentation
J. Digit. Forensics Secur. Law Pub Date : 2018-05-07 DOI: 10.15394/jdfsl.2018.1484
Pu Ren, Wuyang Shui, Jin Liu, Yachun Fan, Wenshuo Zhao, Mingquan Zhou
Abstract: The reconstruction of a crime scene plays an important role in digital forensic application. This article integrates computer graphics, sketch-based retrieval, and virtual reality (VR) techniques to develop a low-cost and rapid 3D crime scene presentation approach, which can be used by investigators to analyze and simulate the criminal process. First, we constructed a collection of 3D models for indoor crime scenes using various popular techniques, including laser scanning, image-based modeling and geometric modeling. Second, to quickly obtain an object of interest from the 3D model database, a sketch-based retrieval method was proposed. Finally, a rapid modeling system that integrates our database and retrieval algorithm was developed to quickly build a digital crime scene. For practical use, an interactive real-time virtual roaming application was developed in Unity 3D and a low-cost VR head-mounted display (HMD). Practical cases have been implemented to demonstrate the feasibility and availability of our method.
Citations: 5
Automated Man-in-the-Middle Attack Against Wi-Fi Networks
J. Digit. Forensics Secur. Law Pub Date : 2018-05-07 DOI: 10.15394/JDFSL.2018.1495
Martin Vondrácek, J. Pluskal, O. Ryšavý
Abstract: Currently used wireless communication technologies suffer security weaknesses that can be exploited, allowing an attacker to eavesdrop on or to spoof network communication. In this paper, we present a practical tool that can automate the attack on wireless security. The developed package called wifimitm provides functionality for the automation of MitM attacks in the wireless environment. The package combines several existing tools and attack strategies to bypass the wireless security mechanisms, such as WEP, WPA, and WPS. The presented tool can be integrated into a solution for automated penetration testing. Also, a popularization of the fact that such attacks can be easily automated should raise public awareness about the state of wireless security.
Citations: 8
Drone Forensic Analysis Using Open Source Tools
J. Digit. Forensics Secur. Law Pub Date : 2018-05-07 DOI: 10.15394/JDFSL.2018.1513
M. Azhar, T. Barton, Tasmina Islam
Abstract: The carrying capabilities of drones and their easy accessibility to the public have led to an increase in crimes committed using drones in recent years. For this reason, the need for forensic analysis of drones captured from crime scenes and of the devices used to control them is also paramount. This paper presents the extraction and identification of important artefacts from the recorded flight data as well as the associated mobile devices using open source tools and some basic scripts developed to aid the analysis of two popular drone systems: the DJI Phantom 3 Professional and the Parrot AR.Drone 2.0. Although different drones vary in their operations, this paper extends the extraction and analysis of the data from the drones and associated devices using some generic methods which are forensically sound, adhering to the guidelines of the Association of Chief Police Officers (ACPO).
Citations: 19
Hierarchical Bloom Filter Trees for Approximate Matching
J. Digit. Forensics Secur. Law Pub Date : 2017-12-12 DOI: 10.15394/jdfsl.2018.1489
David Lillis, Frank Breitinger, M. Scanlon
Abstract: Bytewise approximate matching algorithms have in recent years shown significant promise in detecting files that are similar at the byte level. This is very useful for digital forensic investigators, who are regularly faced with the problem of searching through a seized device for pertinent data. A common scenario is where an investigator is in possession of a collection of "known-illegal" files (e.g. a collection of child abuse material) and wishes to find whether copies of these are stored on the seized device. Approximate matching addresses shortcomings in traditional hashing, which can only find identical files, by also being able to deal with cases of merged files, embedded files, partial files, or if a file has been changed in any way.
Most approximate matching algorithms work by comparing pairs of files, which is not a scalable approach when faced with large corpora. This paper demonstrates the effectiveness of using a "Hierarchical Bloom Filter Tree" (HBFT) data structure to reduce the running time of collection-against-collection matching, with a specific focus on the MRSH-v2 algorithm. Three experiments are discussed, which explore the effects of different configurations of HBFTs. The proposed approach dramatically reduces the number of pairwise comparisons required, and demonstrates substantial speed gains, while maintaining effectiveness.
Citations: 5
Towards a More Representative Definition of Cyber Security
J. Digit. Forensics Secur. Law Pub Date : 2017-06-30 DOI: 10.15394/JDFSL.2017.1476
Daniel Schatz, R. Bashroush, Julie A. Wall
Abstract: In recent years, 'Cyber Security' has emerged as a widely-used term with increased adoption by practitioners and politicians alike. However, as with much fashionable jargon, there seems to be very little understanding of what the term really entails. Although this may not be an issue when the term is used in an informal context, it can potentially cause considerable problems in the context of organizational strategy, business objectives, or international agreements. In this work, we study the existing literature to identify the main definitions provided for the term 'Cyber Security' by authoritative sources. We then conduct various lexical and semantic analysis techniques in an attempt to better understand the scope and context of these definitions, along with their relevance. Finally, based on the analysis conducted, we propose a new improved definition that we then demonstrate to be a more representative definition using the same lexical and semantic analysis techniques.
Citations: 105
Anti-Forensic Trace Detection in Digital Forensic Triage Investigations
J. Digit. Forensics Secur. Law Pub Date : 2017-06-13 DOI: 10.15394/JDFSL.2017.1421
Kyoung Jea Park, J. Park, Eun-jin Kim, Chang Geun Cheon, Joshua James
Abstract: Anti-forensics, whether intended to disrupt investigations or simply an effort to make a computer system run better, is becoming of increasing concern to digital investigators. This work attempts to assess the problem of anti-forensics techniques commonly deployed in South Korea. Based on identified challenges, a method of signature-based anti-forensic trace detection is proposed for triage purposes that will assist investigators in quickly making decisions about suspect digital devices before conducting a full investigation. Finally, a prototype anti-forensic trace detection system is given to demonstrate the practicality of the proposed method.
Citations: 12
Forensic Analysis of Virtual Hard Drives
J. Digit. Forensics Secur. Law Pub Date : 2017-03-31 DOI: 10.15394/JDFSL.2017.1438
Patrick Tobin, Nhien-An Le-Khac, Mohand Tahar Kechadi
Abstract: The issue of the volatility of virtual machines is perhaps the most pressing concern in any digital investigation involving a virtual machine. Current digital forensics tools do not fully address the complexities of data recovery that are posed by virtual hard drives. It is necessary, for this reason, to explore ways to capture evidence other than those using current digital forensic methods. Data recovery should be done in the most efficient and secure manner, as quickly, and in as non-intrusive a way as can be achieved. All data in a virtual machine is disposed of when that virtual machine is destroyed; it may not therefore be possible to extract and preserve evidence such as incriminating images prior to destruction. Recovering that evidence, or finding some way of associating that evidence with the virtual machine before destruction of that virtual machine, is therefore crucial. In this paper we present a method for extracting evidence from a virtual hard disk drive in a quick, secure and verifiable manner, with a minimum impact on the drive, thus preserving its integrity for further analysis.
Citations: 4