Frank Adelstein

Live forensics: diagnosing your system without killing it first

Live forensics gathers data from running systems, providing additional contextual information that is not available in a disk-only forensic analysis.

Malicious code detection for open firmware

Malicious boot firmware is a largely unrecognized but significant security risk to our global information infrastructure. Since boot firmware executes before the operating system is loaded, it can easily circumvent any operating system-based security mechanism. Boot firmware programs are typically written by third-party device manufacturers and may come from various suppliers of unknown origin. We describe an approach to this problem based on load-time verification of onboard device drivers against a standard security policy designed to limit access to system resources. We also describe our ongoing effort to construct a prototype of this technique for open firmware boot platforms.

Physically locating wireless intruders

Wireless networks, specifically IEEE 802.11, are inexpensive and easy to deploy, but their signals can be detected by eavesdroppers at great distances. Even with existing and new security measures, wireless networks have a higher risk than wired nets. WIDS, wireless intrusion detection system, provides an additional layer of security by combining intrusion detection with physical location determination, using directional antennas. We briefly describe WIDS and present our initial results of remote station location using inexpensive hardware.

FAUST: Forensic artifacts of uninstalled steganography tools

Images and data, such as child pornography and credit card numbers, can be hidden in files through the use of steganography. Many steganography programs are freely available on the Internet. Searching data files for hidden, embedded content through steganalysis is a time-consuming process. Often steganography programs leave traces behind, such as files, directories, or registry keys, even after they have been removed or uninstalled from the system. An alternative to steganalysis is for a forensic investigator to perform a quick search for these telltale indications that steganography has been used. In this paper, we present the results of a study to detect traces left behind after a number of freely available steganography tools were installed, run, and uninstalled.

Archival science, digital forensics, and new media art

Digital archivists and traditional digital forensics practitioners have significant points of convergence as well as notable differences between their work. This paper provides an overview of how digital archivists use digital forensics tools and techniques to approach their work, comparing and contrasting archival with traditional computer forensics. Archives encounter a wide range of digital materials. This paper details a specific example within archival forensics-the analysis of complex, interactive, new media digital artworks. From this, the paper concludes with considerations for future directions and recommendations to the traditional forensics community to support the needs of cultural heritage institutions.

Development of an airborne Internet architecture to support SATS: Trends and issues

NASA is undertaking the development of the Small Aircraft Transportation System (SATS). SATS could play a major role in decreasing the doorstop to destination times for travel and shipping. It is conceived to meet four major objectives: higher volume at non-towered/non-radar airports, lower landing minimums at minimally equipped landing facilities, increased single crew safety and mission reliability, and integrated procedures and systems for integrated fleet operations. SATS is to be prototyped in the 2005 timeframe. A key enabling technology for such a system is the development of an airborne Internet to provide aircraft to ground, ground to ground and aircraft to aircraft communications in support of air traffic management, fleet operations, and passenger support services. A critical first step in attaining the desirable capabilities of an airborne Internet is a well-conceived architecture. The architecture must be robust enough to enable the concept of operations envisioned for the 2025 timeframe yet flexible enough to support prototypes using technology and systems available in the 2005 timeframe. This paper addresses some of the trends and issues involved in developing an airborne Internet capable of achieving this goal. Understanding relationships between these trends, issues and objectives, and functional requirements of the program will allow various participants in this complex program to keep activities in proper perspective. The architecture process provides a robust framework to add functionality, systems and equipment. It must also describe the linkage to the existing National Airspace System.

Bessie: portable generation of network topologies for simulation

The widespread use of computer networking has resulted in considerable attention being paid to a variety of network-related problems, the generation of efficient multicast trees being one. While many algorithms for generation of multicast trees have been proposed their relative effectiveness is difficult to assess. Some algorithms have never been implemented. Many have been simulated, but often using ad-hoc networking modeling and simulation tools, without consistent parameters, making direct comparisons difficult. In this paper we discuss a network topology generation tool named Bessie, written entirely in Java. Bessie generates descriptions of random point-to-point and hierarchical networks, based on user-specified statistical parameters. We introduce a modification to Waxmans (1988) parameters, commonly used in grid-based network topology generators, which eliminates undesirable increases in node degree as the number of nodes in a network increases. The modification improves on proposed fixed scale factors.

A distributed graphics library system

We present a set of library routines that allow easily parallelized graphics rendering routines that require no communication between each parallel task, such as ray‐tracing, to be run efficiently in an environment of distributed workstations. The presentation of the paper focuses on the problems encountered in implementing a distributed system under Unix and proposes solutions to each problem. Specifically, we discuss the challenges involved in overcoming the limits of communicating with a large number of processes in Unix and in providing fault tolerance when using sockets. Technical aspects of the implementation and some additional problems that were encountered are discussed. Finally, we compare the rendering times for a complex image with a renderer using the library and show that the library routines are able to exploit much of the existing parallelism. The library is presented using a graphics application, though the concepts are generic enough to be of use in designing any distributed system under Unix.

Editorial: The proceedings of the Sixth Annual Digital Forensic Research Workshop (DFRWS '06)

This is the proceedings of the Sixth Annual Digital Forensics Research Workshop (DFRWS), held in West Lafayette, Indiana, August 14–16, 2006. This year there were a large number of high-quality submissions, and 16 papers were accepted out of 37 submissions. DFRWS brings academic researchers, investigators and practitioners together, with the goal of fostering cutting edge research in all areas of digital forensics. The workshop provides refereed papers, demonstrations, and challenges that encourage the development of new tools and methods for a young and evolving field. DFRWS uses its ‘‘challenges’’ to set a direction and goals for research. Last year’s challenge involved memory analysis; this year’s is file carving. DFRWS also has a standing challenge on cryptographic hashes to better understand the practical impact of recent weaknesses in MD-5 and SHA-1. It has been a busy year for DFRWS. We are now a 501(c)3 non-profit organization. In addition to the presentations and discussions at the workshop, the organization has created the Common Digital Evidence Storage Format (CDESF) working group to create an open data format that can be used to store multiple types of digital evidence. And for the first time, we published proceedings in print. The field of digital forensics is very dynamic and growing, as is the Digital Forensic Research Workshop. For more information on the workshop, please refer to the website at http:// dfrws.org/about.html. We hope you find the proceedings of this year’s workshop thought-provoking and we hope you will continue to support DFRWS. We look forward to seeing you in the future.