Publication


Featured research published by Ali Dehghantanha.


Proceedings Title: 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec) | 2012

Forensics investigation challenges in cloud computing environments

Mohsen Damshenas; Ali Dehghantanha; Ramlan Mahmoud; Solahuddin bin Shamsuddin

Cloud computing is about sharing any imaginable entity such as process units, storage devices or software. The provided service is utterly economical and expandable. The attractive benefits of cloud computing entice huge interest from both business owners and cyber thieves. Consequently, “computer forensic investigation” steps into play to find evidence against criminals. As a result of the new technology and methods used in cloud computing, forensic investigation techniques face different types of issues while inspecting a case. The most profound challenges are the difficulty of dealing with the different rulings imposed on a variety of data saved in different locations, limited access to obtain evidence from the cloud, and even the issue of seizing the physical evidence for the sake of integrity validation or evidence presentation. This paper suggests a simple yet very useful solution to conquer the aforementioned issues in forensic investigation of cloud systems. Utilizing TPM in the hypervisor, implementing multi-factor authentication and updating the cloud service provider policy to provide persistent storage devices are some of the recommended solutions. Utilizing the proposed solutions, the cloud service will be compatible with current digital forensic investigation practices; alongside this, it brings the great advantage of being investigable and consequently the trust of the client.


Australian Journal of Forensic Sciences | 2016

SugarSync forensic analysis

Mohammad Shariati; Ali Dehghantanha; Kim-Kwang Raymond Choo

Cloud storage services are popular with both individuals and businesses as they offer cost-effective, large capacity storage and multi-functional services on a wide range of devices such as personal computers (PCs), Mac computers, and smart mobile devices (e.g. iPhones). However, cloud services have also been known to be exploited by criminals, and digital forensics in the cloud remains a challenge, partly due to the diverse range of cloud services and devices that can be used to access such services. Using SugarSync (a popular cloud storage service) as a case study, research was undertaken to determine the types and nature of volatile and non-volatile data that can be recovered from Windows 8, Mac OS X 10.9, Android 4 and iOS 7 devices when a user has carried out different activities such as upload and download of files and folders. We then document the various digital artefacts that could be recovered from the respective devices.


arXiv: Cryptography and Security | 2015

Ubuntu One investigation: detecting evidences on client machines

Mohammad Shariati; Ali Dehghantanha; Ben Martini; Kim-Kwang Raymond Choo

STorage as a Service (STaaS) cloud services have been adopted by both individuals and businesses as a dominant technology worldwide. Similar to other technologies, this widely accepted service can be misused by criminals. Investigating cloud platforms is becoming a standard component of contemporary digital investigation cases. Hence, digital forensic investigators need to have a working knowledge of the potential evidence that might be stored on cloud services. In this chapter, we conducted a number of experiments to locate data remnants of users' activities when utilizing the Ubuntu One cloud service. We undertook experiments based on common activities performed by users on cloud platforms including downloading, uploading, viewing, and deleting files. We then examined the resulting digital artifacts on a range of client devices, namely, Windows 8.1, Apple Mac OS X, and Apple iOS. Our examination extracted a variety of potentially evidential items ranging from Ubuntu One databases and log files on persistent storage to remnants of user activities in device memory and network traffic.


conference on privacy, security and trust | 2014

Privacy-respecting digital investigation

Ali Dehghantanha; Katrin Franke

The forensics investigation requirements are in direct conflict with the privacy rights of those whose actions are being investigated. At the same time, once the private data is exposed it is impossible to undo its exposure effects should the suspect be found innocent! Moreover, it is not uncommon that during a suspect investigation, private information of other innocent parties becomes apparent to the forensics investigator. These all raise the concern for development of platforms for enforcing privacy boundaries even to authorized forensics investigators. To the best of the authors' knowledge, there is no practical model for privacy-respecting digital investigation which is capable of considering different jurisdictions' requirements and protecting subjects' data privacy in line with investigation warrant permissions and data-origin privacy requirements. Privacy-respecting digital forensics as an emerging cross-disciplinary research area is moving toward addressing the above issues. In this paper, we first establish needed foundations and describe details of privacy-respecting digital investigation as a cross-disciplinary field of research. Afterwards, we review main research efforts in different research disciplines relevant to the field and elaborate existing research problems. We finalize the paper by looking at potential privacy issues during digital investigation in the light of EU, US, and APEC privacy regulations. The main contributions of this paper are first establishing essential foundations and providing a detailed definition of privacy-respecting digital investigation as a new cross-disciplinary field of research, second a review of the current state of the art in different disciplines relevant to this field, third elaborating existing issues and discussing the most promising solutions relevant to these disciplines, and fourth a detailed discussion of potential privacy issues in different phases of the digital forensics life cycle based on EU, US, and APEC privacy regulations.
We hope this paper opens up a new and fruitful avenue in the study, design, and development of privacy respecting forensics investigation as an interdisciplinary field of research.


information assurance and security | 2011

Investigation of bypassing malware defences and malware detections

Farid Daryabar; Ali Dehghantanha; Nur Izura Udzir

Nowadays, malware incidents are among the most expensive damages caused by attackers. Malware causes different attacks, so the consideration and implementation of malware defences for internal networks are important. In this paper, different techniques such as repacking, reverse engineering and hex editing for bypassing host-based Anti Virus (AV) signatures are illustrated, and the description and comparison of different channels and methods by which malware might reach the host from outside the network are demonstrated. After that, bypassing HTTP/SSL and SMTP malware defences as channels is discussed. Finally, as it is important to find and detect new and unknown malware before the malware gets in to the victims, a new malware detection technique based on honeynet systems is surveyed.


The Journal of Digital Forensics, Security and Law | 2013

Trends in Android Malware Detection

Kaveh Shaerpour; Ali Dehghantanha; Ramlan Mahmod

This paper analyzes different Android malware detection techniques from several research papers; some of these techniques are novel while others bring a new perspective to the research work done in the past. The techniques are of various kinds, ranging from detection using host-based frameworks and static analysis of executables to feature extraction and behavioral patterns. Each paper is reviewed extensively and the core features of each technique are highlighted and contrasted with the others. The challenges faced during the development of such techniques are also discussed along with the future prospects for Android malware detection. The findings of the review have been well documented in this paper to aid those making an effort to research in the area of Android malware detection by understanding the current scenario and developments that have happened in the field thus far.


Proceedings Title: 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec) | 2012

Volatile memory acquisition using backup for forensic investigation

Farhood Norouzizadeh Dezfouli; Ali Dehghantanha; Ramlan Mahmoud; Nor Fazlida binti Mohd Sani; Solahuddin bin Shamsuddin

Nowadays mobile phones are used all over the world for communication purposes. The capabilities of these devices have improved during the past few years. Due to their capabilities, mobile devices are used broadly in criminal activities, especially in cybercrime. The volatile data stored in mobile phones usually contain important evidence regarding the crime. However, collecting these volatile data in a forensically sound manner would not be easy. This paper proposes a new approach for acquiring the volatile data inside a mobile phone in a forensically sound manner that minimizes the chance of evidence modification or loss.


Proceedings Title: 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec) | 2012

Towards secure model for SCADA systems

Farid Daryabar; Ali Dehghantanha; Nur Izura Udzir; Nor Fazlida binti Mohd Sani; Solahuddin bin Shamsuddin

Nowadays, Supervisory Control And Data Acquisition (SCADA) systems have a huge influence on human life. They provide remote controlling, monitoring and information gathering for the transmission, production and distribution of every automation system, such as electric power, power plants, refineries, rail transportation, waste and water systems, oil and gas. In this paper, different possible threats, risks and vulnerabilities in SCADA systems are surveyed, and some mitigation strategies to improve the security of SCADA systems are proposed.


Proceedings Title: 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec) | 2012

VoIP evidence model: A new forensic method for investigating VoIP malicious attacks

Mohammed Ibrahim; Mohd Taufik Abdullah; Ali Dehghantanha

Although the invention of Voice over Internet Protocol (VoIP) in communication technology created significant attractive services for its users, it also brings new security threats. Criminals exploit these security threats to perform illegal activities such as VoIP malicious attacks; this will require digital forensic investigators to detect and provide digital evidence. Finding digital evidence in VoIP malicious attacks is the most difficult task, due to its associated features with converged networks. In this paper, a model of investigating VoIP malicious attacks is proposed for forensic analysis. The model formalizes hypotheses through information gathering and adopts a Secure Temporal Logic of Action (S-TLA+) in the process of reconstructing potential attack scenarios. Through this process, investigators can uncover unknown attack scenarios executed in the process of attack. Subsequently, it is expected that the findings of this paper will provide a clear description of attacks as well as generation of more specific evidence.


International Journal of Cyber-Security and Digital Forensics | 2014

Advances of mobile forensic procedures in Firefox OS

Mohd Najwadi Yusoff; Ramlan Mahmod; Ali Dehghantanha; Mohd Taufik Abdullah

The advancement of smartphone technology has attracted many companies in developing mobile operating systems (OS). Mozilla Corporation recently released a Linux-based open source mobile OS, named Firefox OS. The emergence of Firefox OS has created new challenges, concentrations and opportunities for digital investigators. In general, Firefox OS is designed to allow smartphones to communicate directly with HTML5 applications using JavaScript and the newly introduced WebAPI. However, the use of JavaScript in HTML5 applications and solely no OS restriction might lead to security issues and potential exploits. Therefore, forensic analysis for Firefox OS is urgently needed in order to investigate any criminal intentions. This paper will present an overview and methodology of mobile forensic procedures in a forensically sound manner for Firefox OS.

Collaboration

Top Co-Authors

Ramlan Mahmod, Universiti Putra Malaysia

Nur Izura Udzir, Universiti Putra Malaysia

Farid Daryabar, Ritsumeikan Asia Pacific University

Kim-Kwang Raymond Choo, University of Texas at San Antonio

Kaveh Shaerpour, Universiti Putra Malaysia

Nor Fazlida binti Mohd Sani, Information Technology University