Narasimha Shashidhar

Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions

The Internet is an essential tool for everyday tasks. Aside from common use, the option to browse the Internet privately is a desirable attribute. However, this can create a problem when private Internet sessions become hidden from computer forensic investigators in need of evidence. Our primary focus in this research is to discover residual artifacts from private and portable web browsing sessions. In addition, the artifacts must contain more than just file fragments and enough to establish an affirmative link between user and session. Certain aspects of this topic have triggered many questions, but there have never been enough authoritative answers to follow. As a result, we propose a new methodology for analyzing private and portable web browsing artifacts. Our research will serve to be a significant resource for law enforcement, computer forensic investigators, and the digital forensics research community.

Tampering with Special Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting

Special purpose trusted computing devices are currently being deployed to offer many services for which the general purpose computing paradigm is unsuitable. The nature of the services offered by many of these devices demand high security and reliability, as well as low cost and low power consumption. Electronic Voting machines is a canonical example of this phenomenon. With electronic voting machines currently being used in much of the United States and several other countries, there is a strong need for thorough security evaluation of these devices and the procedures in place for their use. In this work, we first put forth a general framework for special purpose trusted computing devices. We then focus on Optical Scan (OS) electronic voting technology as a specific instance of this framework. OS terminals are a popular e-voting technology with the decided advantage of a user-verified paper trail: the ballot sheets themselves. Still election results are based on machine- generated totals as well as machine-generated audit reports to validate the voting process. In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal (AV-OS), a popular OS terminal currently in wide deployment anticipating the 2008 Presidential elections. The assessment is developed using exclusively reverse-engineering, without any technical specifications provided by the machine suppliers. We demonstrate a number of security issues that relate to the machines proprietary language, called AccuBasic, that is used for reporting election results. While this language is thought to be benign, especially given that it is essentially sandboxed by the firmware to have only read access, we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that they become undetectable prior to elections (and thus significantly increasing their magnitude) or, (ii) to conditionally bias the election results to reach a desired outcome. Given the discovered vulnerabilities and attacks we proceed to discuss how random audits can be used to validate with high confidence that a procedure carried out by special purpose devices such as the AV-OS has not been manipulated. We end with a set of recommendations for the design and safe-use of OS voting systems.

Detecting Phishing Emails the Natural Language Way

Phishing causes billions of dollars in damage every year and poses a serious threat to the Internet economy. Email is still the most commonly used medium to launch phishing attacks [1]. In this paper, we present a comprehensive natural language based scheme to detect phishing emails using features that are invariant and fundamentally characterize phishing. Our scheme utilizes all the information present in an email, namely, the header, the links and the text in the body. Although it is obvious that a phishing email is designed to elicit an action from the intended victim, none of the existing detection schemes use this fact to identify phishing emails. Our detection protocol is designed specifically to distinguish between “actionable” and “informational” emails. To this end, we incorporate natural language techniques in phishing detection. We also utilize contextual information, when available, to detect phishing: we study the problem of phishing detection within the contextual confines of the user’s email box and demonstrate that context plays an important role in detection. To the best of our knowledge, this is the first scheme that utilizes natural language techniques and contextual information to detect phishing. We show that our scheme outperforms existing phishing detection schemes. Finally, our protocol detects phishing at the email level rather than detecting masqueraded websites. This is crucial to prevent the victim from clicking any harmful links in the email. Our implementation called PhishNet-NLP, operates between a user’s mail transfer agent (MTA) and mail user agent (MUA) and processes each arriving email for phishing attacks even before reaching the inbox.

Scalable Secure MJPEG Video Streaming

In todays world, more and more applications are developed for mobile devices and ever-increasing amount of communication happens over mobile devices and mobile networks. Though providing mobility and convenience, mobile devices generally do not offer intensive computations like their wired counterparts. In this paper we propose a set of methods that aims to protect video, specifically Motion JPEG (MJPEG) video streams, using selective data encryption. More precisely, our algorithm selects the most critical pixel information of MJPEG video as the input of encryption to keep itself lightweight while choosing and encrypting additional less-important video information when the environment allows. The proposed method was originated from the fact that JPEG images are encoded using prioritized pixel information. Experiment results show that the proposed algorithm performs well in terms of frame rate and CPU load at playback.

Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions

The Internet is an essential tool for everyday tasks. Aside from common usage, users desire the option to browse the Internet in a private manner. This can create a problem when private Internet sessions become hidden from computer investigators in need of evidence. Our primary focus in this research is to discover residual artifacts from private and portable browsing sessions. In addition, the artifacts must contain more than just file fragments and enough to establish an affirmative link between user and session. Certain aspects of this topic have triggered many questions, but there have not been enough authoritative answers to follow. As a result, we propose a new methodology for analyzing private and portable web browsing artifacts. Furthermore, our research will serve to be a significant resource for law enforcement, computer forensic investigators, and the digital forensics research community.

Two-Pronged Phish Snagging

Phishing causes billions of dollars in damage every year and poses a serious threat to the Internet economy. Among the many possible communication channels, electronic mail still remains the most commonly used medium to launch phishing attacks. In this paper, we present a two dimensional approach to detecting phishing emails. We devise two independent, unsupervised classifiers, namely the link and header classifiers, and two combinations of these classifiers. We show that our schemes significantly outperform the previous unsupervised and supervised phishing detection schemes for emails in the literature. We also utilize contextual information, when available, to detect phishing. Finally, our protocol is designed to detect phishing at the email level rather than detecting fraudulent, masqueraded websites. Our implementation framework called PhishSnag, operates between a users mail transfer agent (MTA) and mail user agent (MUA) and processes each arriving email for phishing attacks even before reaching the inbox.

Digital forensics in social networks and the cloud: Process, approaches, methods, tools, and challenges

As cloud computing and social networks become ubiquitous in our modern world, what come along with the nearly infinite storage and computing power are the security, privacy, and digital forensic challenges. Due to the completely different ways of data storage and processing in the cloud and social networks compared to their traditional counterparts, digital forensics practitioners are in need to establish new forensic process and find novel approaches, methods, and tools to maintain the efficiency and performance of their investigations. This paper examines latest studies of the process, challenges, approaches, methods, and tools of digital forensics in the cloud and social network environments, aiming to provide the audience new perspectives and recommendations in the related fields.

A One-Time Stegosystem and Applications to Efficient Covert Communication

We present the first information-theoretic steganographic protocol with an asymptotically optimal ratio of key length to message length that operates on arbitrary covertext distributions with constant min-entropy. Our results are also applicable to the computational setting: our stegosystem can be composed over a pseudorandom generator to send longer messages in a computationally secure fashion. In this respect our scheme offers a significant improvement in terms of the number of pseudorandom bits generated by the two parties in comparison to previous results known in the computational setting. Central to our approach for improving the overhead for general distributions is the use of combinatorial constructions that have been found to be useful in other contexts for derandomization: almost t-wise independent function families.

Investigating the security and digital forensics of video games and gaming systems: A study of PC games and PS4 console

As video games received rapidly increasing attention, modern video games are often concerned with security and privacy issues. Many such video games and game console systems graciously allow player customization, giving people with malicious intent a new vector to lunch security attacks and exchange secretive messages, which posts new challenges to the society of security and digital forensics. In this research, we investigate the security of four popular PC video games and the Sony PlayStation 4 (PS4) game console. Our study showed that each of these video games has at least one feature that may possibly be exploited by attackers for transmitting secretive information, which is very difficult to be detected using current forensic tools. As for gaming consoles, the hard drive of PS4 console is encrypted and consequently most part of its file system cannot be analyzed using current forensic tools such as AccessDatas Forensic Toolkit (FTK). However, it is still possible to lunch Denial of Service (DoS) and ARP cache poisoning attacks to the console, which may slow down and halt the system and potentially expose security sensitive information. Based on the above findings, we offer recommendations on how and where security professionals and digital investigators may search for hidden data.

Teaching malware analysis: The design philosophy of a model curriculum

The field of malware analysis comprises the art and science of dissecting malicious software using diverse tools and techniques in an effort to comprehend their inner workings so as to mitigate the effects. Clearly, the study and analysis of these tools and techniques fall within the general purview of the broad disciplines of Digital Forensics, Information Assurance, Cyber Security and general principles of Computing Science. In this paper, we explore and discuss the current state of malware analysis courses as they are taught in academic institutions in the U.S. and the world. We contend that there are not very many malware analysis (or closely related) courses being offered in many universities across the U.S. Furthermore, there are several for-profit courses that are taught by online institutions that teach reverse engineering, malware analysis and related topics. Based on our research, we conclude that the domain of malware analysis has effectively been relegated from the academic realm to the domain of the practitioners skill set. It is this exploration that we are interesting in undertaking in this paper. We then proceed to analyze and review some popular textbooks and online training materials for their soundness and efficacy in teaching the subject to substantiate our above mentioned claims. Finally, we conclude by presenting a model curriculum for this subject based on sound pedagogical ideas and methods.