Iain Sutherland
University of South Wales
Publications
Featured research published by Iain Sutherland.
Operating Systems Review | 2008
Iain Sutherland; Jon Evans; Theodore Tryfonas; Andrew Blyth
The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, and memory-resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.
Information Systems | 2001
Suzanne M. Embury; Sue M. Brandt; John Robinson; Iain Sutherland; Frank A. Bisby; W. Alex Gray; Andrew Clifford Jones; Richard J. White
Integration of data sources opens up possibilities for new and valuable applications of data that cannot be supported by the individual sources alone. Unfortunately, many data integration projects are hindered by the inherent heterogeneities in the sources to be integrated. In particular, differences in the way that real world data is encoded within sources can cause a range of difficulties, not least of which is that the conflicting semantics may not be recognised until the integration project is well under way. Once identified, semantic conflicts of this kind are typically dealt with by configuring a data transformation engine, that can convert incoming data into the form required by the integrated system. However, determination of a complete and consistent set of data transformations for any given integration task is far from trivial. In this paper, we explore the potential application of techniques for integrity enforcement in supporting this process. We describe the design of a data reconciliation tool (LITCHI) based on these techniques that aims to assist taxonomists in the integration of biodiversity data sets. Our experiences have highlighted several limitations of integrity enforcement when applied to this real world problem, and we describe how we have overcome these in the design of our system.
The Journal of Digital Forensics, Security and Law | 2006
Andrew Jones; Craig Valli; Glenn S. Dardick; Iain Sutherland
All organisations, whether in the public or private sector, increasingly use computers and other devices that contain computer hard disks for the storage and processing of information relating to their business, their employees or their customers. Individual home users also increasingly use computers and other devices containing computer hard disks for the storage and processing of information relating to their private, personal affairs. It continues to be clear that the majority of organisations and individual home users still remain ignorant or misinformed of the volume and type of information that is stored on the hard disks that these devices contain and have not considered, or are unaware of, the potential impact of this information becoming available to their competitors or to people with criminal intent. This is the third study in an ongoing research effort that is being conducted into the volume and type of information that remains on computer hard disks offered for sale on the second hand market. The purpose of the research has been to gain an understanding of the information that remains on the disk and to determine the level of damage that could potentially be caused if the information fell into the wrong hands. The study examines disks that have been obtained in a number of countries to determine whether there is any detectable national or regional variance in the way that the disposal of computer disks is addressed and to compare the results for any other detectable regional or temporal trends.
Computers & Security | 2006
Iain Sutherland; George E. Kalb; Andrew Blyth; Gaius Mulley
Reverse engineering of binary code files has become increasingly easier to perform. The binary reverse engineering and subsequent software exploitation activities represent a significant threat to the intellectual property content of commercially supplied software products. Protection technologies integrated within the software products offer a viable solution towards deterring the software exploitation threat. However, the absence of metrics, measures, and models to characterize the software exploitation process prevents execution of quantitative assessments to define the extent of protection technology suitable for application to a particular software product. This paper examines a framework for collecting reverse engineering measurements, the execution of a reverse engineering experiment, and the analysis of the findings to determine the primary factors that affect the software exploitation process. The results of this research form a foundation for the specification of metrics, gathering of additional measurements, and development of predictive models to characterize the software exploitation process.
Statistical and Scientific Database Management | 1999
Suzanne M. Embury; Andrew Jones; Iain Sutherland; W. A. Gray; Richard J. White; John Robinson; Frank A. Bisby; Sue M. Brandt
Over recent years, international initiatives such as the 1993 UN Convention on Biological Diversity have highlighted the need for information about species diversity on a global scale. However, attempts to build global information systems by integrating smaller, independently created biodiversity databases have been hampered by differences in the sets of species names used. Some databases use different names to refer to the same species, while in other cases the same name can be applied to differing definitions of a species, or even entirely different species. The LITCHI project aims to assist biologists in the integration of databases by searching for conflicts within taxonomic checklists (i.e. lists of the species names used in a database and the relationships between them). In order to detect such conflicts, we have created a formal model of taxonomic practice, which describes (amongst other things) what it means for a checklist to be consistent and well-specified. This model has been used as the basis for a prototype tool that uses Prolog to search for naming conflicts within a relational database of checklists. We describe the background to our formal model and show how it has been used to implement the LITCHI system. Our prototype tool is already proving its worth by detecting conflicts and errors within real taxonomic checklists.
Journal in Computer Virology | 2011
Iain Sutherland; Gareth E. Davies; Andrew Blyth
The hard disk drive remains the most commonly used form of storage media in both commercial and domestic computer systems. These drives can contain a vast range of data both of personal value and commercial significance. This paper focuses on two key areas: the potential for the drive operation to be impacted by malicious software and the possibility for the drive firmware to be manipulated to enable a form of steganography. Hard drive firmware is required for the correct operation of the disk drive, in particular for dealing with errors arising due to natural wear as the drive ages. Where an area of the drive becomes unreliable due to wear and tear, the disk firmware which monitors the reliability of data access will copy the data from the failing area to a specially designated reserved area. The firmware remaps this data shift so the old data area and the original copy of the data are no longer accessible by the computer operating system. There are now a small number of commercially available devices, intended for data recovery, which can be used to modify the hard drive firmware components. This functionality can be used to conceal code on the disk drive, either as a form of steganography or to potentially include malicious code with the intention to infect or damage software or possibly system hardware. This paper discusses the potential problem generated by firmware being manipulated for malicious purposes.
2008 Third International Annual Workshop on Digital Forensics and Incident Analysis | 2008
Daniel W. Jones; Iain Sutherland; Theodore Tryfonas
The growing popularity of Global Positioning Systems and other location-based telecommunications service provision provides a further potential source of data for the forensic investigator. Network- or device-located information may have evidential value in supporting a case by providing details or proof of visited locations, navigation through particular routes, or communications with third parties. In this paper we focus on the examination of the end user's portable device and we highlight the nature and locations where potential evidence may be left behind.
Advanced Information Networking and Applications | 2013
Anthony Benham; Huw Read; Iain Sutherland
Behaviour Engines allow the acquirement of tacit (implicit or non-verbalised) knowledge by using an acquire-by-action workflow and provide a direct interaction platform between the domain expert and the evolving project code based on an intuitive justification-conclusion language, thus surpassing legacy policy engines by being a self-developing and learning mechanism. This paper seeks to formulate the current state of the art in technology and processes and attempts to merge the application of ontological decision techniques of behaviour engines with network packet capture data, to detect data exfiltration attempts over covert channelling. The final goal of the research will be to develop a behaviour engine/intrusion detection solution for pre-emptive counter-measures to anomalous behaviour from within or without a network.
Internet Research | 2007
Theodore Tryfonas; Iain Sutherland; Ioannis Pompogiatzis
Purpose – The purpose of this paper is to discuss and amalgamate information security principles, and legal and ethical concerns that surround security testing and components of generic security testing methodologies that can be applied to Voice over Internet Protocol (VoIP), in order to form an audit methodology that specifically addresses the needs of this technology.
Design/methodology/approach – Information security principles, legal and ethical concerns are amalgamated that surround security testing and components of generic security testing methodologies that can be applied to VoIP. A simple model is created of a business infrastructure (core network) for the delivery of enterprise VoIP services and the selected tests are applied through a methodically structured action plan.
Findings – The main output of this paper is a testing plan (audit programme), documented in detail, for the security review of a core VoIP enterprise network infrastructure. Also, a list of recommendations for good testing practi...
Statistical and Scientific Database Management | 1999
Iain Sutherland; Suzanne M. Embury; Andrew Jones; W. A. Gray; Richard J. White; John Robinson; Frank A. Bisby; Sue M. Brandt
Summary form only given. The LITCHI project (Logic-based Integration of Taxonomic Conflicts in Heterogeneous Information Systems) aims to develop software to enable the automated detection and, where possible, resolution of conflicts in taxonomic checklists. A taxonomic checklist is a list of the names of species (and other taxa) used within a particular biological database. Since species names are typically used to gain access to data within biological databases, checklists provide a concise representation of the data values that can act as keys when querying such databases. More importantly, species names are also typically used as the join attribute when integrating several biological databases. However, naming of species is a subjective activity, and different scientific communities will have different ideas about the names that should be used for particular species. These conflicts of opinion arise as a result of the subjective nature of the classification process and geographical or historical differences in background knowledge. Some communities may use different names for the same species, while other groups of scientists may use the same name to refer to different species. Often, there is no one right naming scheme, but some consistent set of names must be used if biological databases are to be integrated. Therefore, there is a real need for a tool which will assist biologists in the integration of checklists, prior to the integration of species databases, so that these differences of opinion can be resolved.