Publication


Featured research published by Raymond A. Hansen.


Proceedings of the 4th Annual ACM Conference on Research in Information Technology | 2015

A Study on Botnets Utilizing DNS

Nicole M. Hands; Baijian Yang; Raymond A. Hansen

Botnets represent a major and formidable threat in modern computing, and security researchers are engaged in a constant and escalating battle with the writers of such malware to detect and mitigate it. Current advanced malware behaviors include encryption of communications between the botmaster and the bot machines as well as various strategies for resilience and obfuscation. These techniques have taken full advantage of the infrastructure in place to support the increased connectivity between computers around the world. This includes updates and upgrades to DNS that have been leveraged to meet its increased utilization. In this paper, we analyze the current uses of DNS by botnet malware writers and operators and examine possible clues that network administrators and savvy computer users can utilize to identify and/or mitigate the threat.


conference on information technology education | 2009

A novel IP telephony course using open-source software

Raymond A. Hansen; Victor M. Barlow; Renatto Gonzales; David Rodriguez; Luis Maza

This paper describes the design, delivery, and evaluation mechanisms used for a Voice over IP course that used the open-source tool, Asterisk. This course was first delivered as a concentrated nine-day course. The challenges of delivering and evaluating a course in this manner are discussed, along with potential alternatives to the mechanisms used. A correlation between lecture and laboratory objectives to desired course outcomes is also addressed. Finally, our conclusions and opinions for future works are outlined.


international symposium on parallel and distributed computing | 2016

Forensics as a Service: Three-Tier Architecture for Cloud Based Forensic Analysis

Saurav Nanda; Raymond A. Hansen

Digital forensics is becoming very challenging for three main reasons: 1) highly distributed systems under multiple jurisdictions, 2) Big Data handling, and 3) lack of forensic services in a cloud computing environment. Due to these obstacles, digital investigations are becoming time-consuming, which makes the solutions more expensive. Cloud computing is capable of handling these challenges, but it lacks architectural-level support for forensic analysis that can meet all the legal requirements. Cloud service providers cannot provide solutions to these challenges by offering forensics tools on a Software-as-a-Service (SaaS) model. In this paper, we propose a multi-tier cloud architecture for Forensics-as-a-Service (FaaS) capable of handling the aforementioned challenges and introducing a new infrastructure-level forensic support from cloud providers. We will also discuss the improvement in time and cost efficiency of the overall investigation process.


international conference on digital forensics | 2015

Forensically Sound Retrieval and Recovery of Images from GPU Memory

Yulong Zhang; Baijian Yang; Marcus K. Rogers; Raymond A. Hansen

This paper adopts a method to retrieve graphic data stored in the global memory of an NVIDIA GPU. Experimentation shows that a 24-bit TIFF formatted graphic can be retrieved from the GPU in a forensically sound manner. However, like other types of Random Access Memory, acquired data cannot be verified due to the volatile nature of the GPU memory. In this work a Color Pattern Map Test is proposed to reveal the relationship between a graphic and its GPU memory organization. The mapping arrays derived from such testing can be used to visually restore graphics stored in the GPU memory. Described ‘photo tests’ and ‘redo tests’ demonstrate that it is possible to visually restore a graphic from the data stored in GPU memory. While initial results are promising, more work is still needed to determine if such methods of data acquisition within GPU memory can be considered forensically sound.


conference on information technology education | 2007

Laboratory modules for conducting comparative analysis of 802.11 frames

Raheel Malik; Raymond A. Hansen; James E. Goldman; Anthony Smith

As wireless networking in the enterprise has gained popularity within recent years, the demand for technical talent has increased in direct proportion to that demand. This has occurred partially due to the complexity of troubleshooting and security issues. Professional wireless networking certification programs have also become popular as a result of the financial incentives associated with this demand. Since the content taught in these professional certifications is an appropriate reflection of the challenges faced in the real world as reported by Fortune magazine and the ChannelWeb network [11], it makes sense to align the content of undergraduate wireless networking courses with that of these certifications. University professors have often taken the approach of teaching 802.11 wireless networks starting from the signal processing layer and immediately transitioning to the higher layers. This process bypasses the Media Access Control (MAC) layer in consequence. Understanding the MAC layer is of utmost importance for understanding wireless network security because it contains the management frames that control both authentication and encryption. In this paper, course modules were created for undergraduates that focus on the 802.11 and 802.3 MAC layers and can be used to facilitate teaching troubleshooting and security concepts for wireless networking with the help of packet sniffers. These modules provide students with the hands-on experience of what is generally illustrated in only text for Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Virtual Private Networking (VPN) as well as troubleshooting skills.


international congress on big data | 2016

SD-HDFS: Secure Deletion in Hadoop Distributed File System

Bikash Agrawal; Raymond A. Hansen; Chunming Rong; Tomasz Wiktorski

Sensitive information that is stored in Hadoop clusters can potentially be retrieved without permission or access granted. In addition, the ability to recover deleted data from Hadoop clusters represents a major security threat. Hadoop clusters are used to manage large amounts of data both within and outside of organizations. As a result, it has become important to be able to locate and remove data effectively and efficiently. In this paper, we propose Secure Delete, a holistic framework that propagates file information to the block management layer via an auxiliary communication path. The framework tracks down undeleted data blocks and modifies the normal deletion operation in the Hadoop Distributed File System (HDFS). We introduce CheckerNode, which generates a summary report from all DataNodes and compares the block information with the metadata from the NameNode. If the metadata do not contain the entries for the data blocks, unsynchronized blocks are automatically deleted. However, deleted data could still be recovered using digital forensics tools. We also describe a novel secure deletion technique in HDFS that generates a random pattern and writes multiple times to the disk location of the data block.


The Journal of Digital Forensics, Security and Law | 2016

Verification of Recovered Digital Evidence on the Amazon Kindle

Marcus Thompson; Raymond A. Hansen

The Amazon Kindle is a popular e-book reader. This popularity will lead criminals to use the Kindle as an accessory to their crime. Very few Kindle publications in the digital forensics domain exist at the time of this writing. Various blogs on the Internet currently provide some of the foundation for Kindle forensics. For this research each fifth generation Kindle was populated with various types of files a typical user may introduce using one method, the USB interface. The Kindle was forensically imaged with AccessData’s Forensic Toolkit Imager before and after each Kindle was populated. Each file was deleted through the USB interface. Files were retrieved and recovered through the USB interface before and after file deletion. These two sets of files were compared to the original set of files. All files retrieved before deletion matched their original counterpart. Not all files recovered after deletion matched their original counterpart. These steps and procedures followed a similar adaptation of the NIST General Test Methodology for Computer Forensic Tools developed by Leshney (2008) for virtual machines.


Proceedings of the 5th Annual Conference on Research in Information Technology | 2016

Investigating the Security of Nexus 1000V Virtual Switches in VMware ESXi Hypervisors

Raymond A. Hansen; Benjamin Peterson; Timothy Becker

In this paper, the security posture of two versions of the Cisco Nexus 1000V virtual switch is tested against a set of exploits known to be valid on physical switching infrastructure. Specifically, the Nexus 1000V as implemented with VMware's ESXi hypervisor is examined. The attempted exploits are CAM table overflows, VLAN hopping, Spanning Tree manipulation, ARP poisoning, and Private VLAN attacks. With the exception of Spanning Tree manipulation, the Nexus 1000V is vulnerable to all of the attacks in at least one of the tested release combinations. This leads to a call for additional security considerations when deploying the Nexus 1000V/ESXi combination in data centers and cloud provider networks as intended by their design.


International Journal of Information and Communication Technology Education | 2007

A Wireless Networking Curriculum Model for Network Engineering Technology Programs

Raymond A. Hansen; Anthony Smith; Julie R. Mariga

Wireless networking is experiencing explosive growth, both in market size and the number of new standards and technologies. Effectively educating students, both at the undergraduate and graduate level, with the abilities to evaluate, implement, and integrate wireless networks should be a key part of any information technology (IT) education program for the foreseeable future. The Computer & Information Technology Department (CIT) at Purdue University is in a unique position to fulfill this educational need through its wireless networking curriculum. This curriculum currently offers three courses within the network engineering technology program, covering topics from 802.11 networking to 3G cellular, wireless network security and management to WWAN technologies. Each course includes trend analysis of wireless networking in order to effectively prepare students for employment in this area. This paper discusses the existing wireless networking curriculum by providing a brief perspective of previous course content and detailing each current course in the areas of prerequisite knowledge, intended audience, course content, and lecture/laboratory integration.


electro information technology | 2006

An Evaluation for High-Speed Handoffs in 802.11-based Data Networks

Raymond A. Hansen; Anthony Smith

Handoffs in 802.11-based wireless networks are a critical requirement in today's data networks. The speed at which these handoffs occur is much too slow to enable users to maintain a network session without the loss of connectivity. However, GSM, and other cellular networks, are currently capable of handling handoffs at vehicular rates of travel while still maintaining an existing session. The architectures of both networks are examined and then a limited number of inadequacies of 802.11-based handoffs were examined and contrasted to the performance that currently exists in GSM networks. Spectrum management and a method to integrate these two technologies are not discussed in this paper.
