Golden G. Richard

Next-generation digital forensics

The digital forensics community requires new tools and strategies for the rapid turnaround of large forensic targets.

Jini meets UPnP: an architecture for Jini/UPnP interoperability

A service discovery framework provides a collection of protocols for developing dynamic client/server applications, allowing clients to find and use services without any previous knowledge of the locations or characteristics of the services. There are currently many service discovery, technologies available or in development, including Jini, UPnP, SLP, Salutation, Bluetooth SDP, and Ninja. These have similar high-level goals, but quite different architectures. Each software or hardware product utilizing service discovery will typically use only one of these protocols, meaning that clients and services using different technologies will not be able to cooperate. Since it is likely that several protocols will be widely used, there is a need for interoperability frameworks that allow clients and services written using different service discovery technologies to cooperate. This paper presents a Jini/UPnP interoperability framework that allows Jini clients to use UPnP services and UPnP clients to use Jini services, without modification to service or client implementations. As service specifications are typically developed independently for each protocol, a fully automatic interoperability solution is not currently practical, so we introduce service-specific proxies to bridge Jini and UPnP. Our goal is to reduce the amount of effort required to support new service types and our framework includes a substantial amount of support for rapid proxy development. A modest development effort is required to support each new service type, and our initial (and highly unscientific) measurements reveal that the level of effort is typically on the order of one day by a member of our team.

Acquisition and analysis of volatile memory from android devices

Abstract The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discusses some of the challenges in performing Android memory acquisition, discusses our new kernel module for dumping memory, named dmd, and specifically addresses the difficulties in developing device-independent acquisition tools. Our acquisition tool supports dumping memory to either the SD on the phone or via the network. We also present analysis of kernel structures using newly developed Volatility functionality. The results of this work illustrate the potential that deep memory analysis offers to digital forensics investigators.

Using logging and asynchronous checkpointing to implement recoverable distributed shared memory

Distributed shared memory provides a useful paradigm for developing distributed applications. As the number of processors in the system and running time of distributed applications increase, the likelihood of processor failure increases. A method of recovering processes running in a distributed shared memory environment which minimizes lost work and the cost of recovery is desirable so that long-running applications are not adversely affected by processor failure. A technique for achieving recoverable distributed shared memory which utilizes asynchronous process checkpoints and logging of pages accessed via read operations on the shared address space is presented. The scheme supports independent process recovery without forcing rollback of operational processes during recovery. The method is particularly useful in environments where taking process checkpoints is expensive.<<ETX>>

md5bloom: Forensic filesystem hashing revisited

Hashing is a fundamental tool in digital forensic analysis used both to ensure data integrity and to efficiently identify known data objects. However, despite many years of practice, its basic use has advanced little. Our objective is to leverage advanced hashing techniques in order to improve the efficiency and scalability of digital forensic analysis. Specifically, we explore the use of Bloom filters as a means to efficiently aggregate and search hashing information. In this paper, we present md5bloom-an actual Bloom filter manipulation tool that can be incorporated into forensic practice, along with example uses and experimental results. We also provide a basic theoretical foundation, which quantifies the error rates associated with the various Bloom filter uses along with a simulation-based verification. We provide a probabilistic framework that allows the interpretation of direct, bitwise comparison of Bloom filters to infer similarity and abnormality. Using the similarity interpretation, it is possible to efficiently identify versions of a known object, whereas the notion of abnormality could aid in identifying tampered hash sets.

SCADA Systems: Challenges for Forensic Investigators

When security incidents occur, several challenges exist for conducting an effective forensic investigation of SCADA systems, which run 24/7 to control and monitor industrial and infrastructure processes. The Web extra at http://youtu.be/L0EFnr-famg is an audio interview with Irfan Ahmed about SCADA (supervisory control and data acquisition) systems.

Load-balanced routing through virtual paths: highly adaptive and efficient routing scheme for ad hoc wireless networks

Routing protocols for ad hoc wireless networks consider the path with the minimum number of hops as the optimal path to any given destination. However, this strategy does not balance the traffic load over the network, and may create congested areas. These congested areas greatly degrade the performance of the routing protocols. In this paper, we propose a routing scheme that balances the load over the network by selecting a path based on traffic sizes. We present a simulation study to demonstrate the effectiveness of the proposed scheme.

A Cloud Computing Platform for Large-Scale Forensic Computing

The timely processing of massive digital forensic collections demands the use of large-scale distributed computing resources and the flexibility to customize the processing performed on the collections. This paper describes MPI MapReduce (MMR), an open implementation of the MapReduce processing model that outperforms traditional forensic computing techniques. MMR provides linear scaling for CPU-intensive processing and super-linear scaling for indexing-related workloads.

An architecture for wireless LAN/WAN integration

To allow a seamless integration between wireless LANs and wireless WANs, we developed a full stack adaptation model and a simple subnet architecture that superimposes Mobile-IP on cellular-type wireless LANs. The idea is to use Mobile IP as an integrative layer atop different LAN/WAN networks. While Mobile-IP is widely used in wireless WANs, it is not known how well it performs under a wireless LAN environment, against native MAC-level handoff. Through experimentation using the 802.11 W-LAN, we found that under practical values of handoff frequencies, the performance of Mobile IP based W-LAN handoff is almost identical to the performance of W-LAN handoff. Further performance studies show the suitability of Mobile-IP as an integrative layer in this architecture.

In-Place File Carving

File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives — “junk” files with invalid formats that frequently consume large amounts of disk space.