Andreas Dewald

Cujo: efficient detection and prevention of drive-by-download attacks

The JavaScript language is a core component of active and dynamic web content in the Internet today. Besides its great success in enhancing web applications, however, JavaScript provides the basis for so-called drive-by downloads---attacks exploiting vulnerabilities in web browsers and their extensions for unnoticeably downloading malicious software. Due to the diversity and frequent use of obfuscation in these attacks, static code analysis is largely ineffective in practice. While dynamic analysis and honeypots provide means to identify drive-by-download attacks, current approaches induce a significant overhead which renders immediate prevention of attacks intractable. In this paper, we present Cujo, a system for automatic detection and prevention of drive-by-download attacks. Embedded in a web proxy, Cujo transparently inspects web pages and blocks delivery of malicious JavaScript code. Static and dynamic code features are extracted on-the-fly and analysed for malicious patterns using efficient techniques of machine learning. We demonstrate the efficacy of Cujo in different experiments, where it detects 94% of the drive-by downloads with few false alarms and a median run-time of 500 ms per web page---a quality that, to the best of our knowledge, has not been attained in previous work on detection of drive-by-download attacks.

AESSE: a cold-boot resistant implementation of AES

Cold boot attacks exploit the fact that memory contents fade with time and that most of them can be retrieved after a short power-down (reboot). These attacks aim at retrieving encryption keys from memory to thwart disk drive encryption. We present a method to implement disk drive encryption that is resistant to cold boot attacks. More specifically, we implemented AES and integrated it into the Linux kernel in such a way that neither the secret key nor any parts of it leave the processor. To achieve this, we used the SSE (streaming SIMD extensions) available in modern Intel processors in a non-standard way. We show that the performance penalty is acceptable and present a brief security analysis of the system.

ADSandbox: sandboxing JavaScript to fight malicious websites

We present ADSandbox, an analysis system for malicious websites that focusses on detecting attacks through JavaScript. Since, in contrast to Java, JavaScript does not have any built-in sandbox concept, the idea is to execute any embedded JavaScript within an isolated environment and log every critical action. Using heuristics on these logs, ADSandbox decides whether the site is malicious or not. In contrast to previous work, this approach combines generality with usability, since the system is executed directly on the client running the web browser before the web page is displayed. We show that we can achieve false positive rates close to 0% and false negative rates below 15% with a performance overhead of only a few seconds, what is a bit high for real time application, but supposes a great potential for future versions of our tool.

Selective Imaging Revisited

The standard procedure for the acquisition of digital evidence in forensic investigations is to produce a bit-wise 1:1 copy of the original data on a digital storage device. This is often called imaging and becoming a bottleneck in modern digital investigations. The notion of selective imaging was introduced by Turner in 2005 and associated with the decision not to acquire all possible information during the evidence capture process. In this paper, we precisely define the term selective imaging, thereby generalizing the concept to allow acquisition of data objects in any combination and from any level of abstraction. We have implemented this approach as a plugin for the open source Digital Forensics Framework (DFF) using a container format based on the Advanced Forensic Framework 4 (AFF4). We present some design and implementation details as well as a performance evaluation.

Forensic Application-Fingerprinting Based on File System Metadata

While much work has been invested in tools for aquisition and extraction of digital evidence, there are only few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the set of files accessed by those actions overlap.

Privacy-preserving email forensics

In many digital forensic investigations, email data needs to be analyzed. However, this poses a threat to the privacy of the individual whose emails are being examined and in particular becomes a problem if the investigation clashes with privacy laws. This is commonly addressed by allowing the investigator to run keyword searches and to reveal only those emails that contain at least some of the keywords. While this could be realized with standard cryptographic techniques, further requirements are present that call for novel solutions: (i) for investigation-tactical reasons the investigator should be able to keep the search terms secret and (ii) for efficiency reasons no regular interaction should be required between the investigator and the data owner. We close this gap by introducing a novel cryptographic scheme that allows to encrypt entire email boxes before handing them over for investigation. The key feature is that the investigator can non-interactively run keyword searches on the encrypted data and decrypt those emails (and only those) for which a configurable number of matches occurred. Our implementation as a plug-in for a standard forensic framework confirms the practical applicability of the approach.

Forensic APFS File Recovery

In forensic computing, especially in the field of postmortem file system forensics, the reconstruction of lost or deleted files plays a major role. The techniques that can be applied to this end strongly depend on the specifics of the file system in question. Various file systems are already well-investigated, such as FAT16/32, NTFS for Microsoft Windows systems and Ext2/3/4 as the most common Linux file systems and HFS/HFS+ for macOS. There also exist tools, such as the famous Sleuthkit by Brian Carrier that provide file recovery features for those file systems by interpreting the file systems internal data structures. APFS is the new file system for Apple devices that is applied by default on all current iOS mobile devices, as well as macOS since High Sierra, and is thus currently rolled out on a large number of devices. However, for APFS, no forensic file recovery methodologies have been developed so far. In this paper, we propose different approaches to identify and recover (deleted) files on an APFS file system. We implemented our approaches as a proof of concept tool and evaluate those against each other and against file carving.

Information leakage behind the curtain: Abusing anti-EMI features for covert communication

We present a new class of covert channels which can be created by utilizing common hardware but that cannot be detected by such. Our idea is to abuse anti-EMI features of a processor to create a covert channel on the physical layer. Thus, the sender uses the invariants in how digital signals are encoded over analog channels to covertly transport information. This leaked data is present on the wire bound connections of the compromised device, but is also by definition present in the vicinity of the device and can be picked up by radio equipment. As the covert channel is present only on the physical layer, the data on all layers above, as well as the timing behavior on those layers is indistinguishable from uncompromised devices.

Characteristic evidence, counter evidence and reconstruction problems in forensic computing

Abstract With the ever increasing number of crimes in which computers or other digital devices are used, digital forensics plays an increasingly important role in todays jurisdiction. The acquisition and investigation of the devices is done by forensic experts, whose reports and personal explanations then form the basis of justice. Because of this great responsibility of the experts, the quality of their investigations has to meet the highest standards. Historically, forensic computing (as digital forensics) developed pragmatically, driven by specific technical needs. Indeed, in comparison with other forensic sciences the field still is rather immature and has many deficits, such as the unclear terminology used in court. In this paper, we introduce notions of (digital) evidence, characteristic evidence, and (characteristic) counter evidence, as well as the definitions of two fundamental forensic reconstruction problems. We show the relation of the observability of the different types of evidence to the solvability of those problems. By doing this, we wish to exemplify the usefulness of formalization in the establishment of a precise terminology. While this will not replace all terminological shortcomings, it (1) may provide the basis for a better understanding between experts, and (2) helps to understand the significance of different types of digital evidence to answer questions in an investigation.

Characteristic Evidence, Counter Evidence and Reconstruction Problems in Forensic Computing

Historically, forensic computing (as digital forensics) developed pragmatically, driven by specific technical needs. Indeed, in comparison with other forensic sciences the field still is rather immature and has many deficits, such as the unclear terminology used in court. In this paper, we introduce notions of (digital) evidence, characteristic evidence, and (characteristic) counter evidence, as well as the definitions of two fundamental forensic reconstruction problems. We show the relation of the observability of the different types of evidence to the solvability of those problems. By doing this, we wish to exemplify the usefulness of formalization in the establishment of a precise terminology. While this will not replace all terminological shortcomings, it (1) may provide the basis for a better understanding between experts, and (2) helps to understand the significance of different types of digital evidence to answer questions in an investigation.