The document outlines topics related to computer forensics including types of computer crimes, incident response versus computer forensics, laws related to the field, challenges with prosecution, key aspects of digital evidence like chain of custody and integrity, methods of data acquisition from networks, memory, hard drives and logs, and considerations for courtroom presentation.
Anti forensics-techniques-for-browsing-artifacts (gaurang17)
Anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation. Achieve security using anti-forensics. Anti-forensics includes: encryption, steganography, disk cleaning, file wiping. Anti-forensics is mainly for security purposes: for confidentiality of information or securing web transactions. Smart criminals are using it to harden the forensic investigation.
Slide lists some of the most common tools used to statically analyze Portable Executable (PE) files.
Contents:
REMnux:
Introduction to REMnux
Entropy:
Use of Entropy for malware detection
Un-packing:
UPX
ByteHist
Density Scout
Anomaly Detection:
PEScanner
EXEScan
PEFrame
PEV
Investigation:
Pyew
Bokken
Disassemblers vs Debuggers vs Decompilers:
Commonly used tools
References:
The goal of this white paper is to provide an introduction to the key areas involved in developing an e-discovery capability and to help organizations plan to become better prepared for the rigors of the e-discovery process. Note that the goal of this report is not to offer legal advice or legal opinions on specific legal issues related to e-discovery, and it should not be used in this manner.
REMnux tutorial-2: Extraction and decoding of Artifacts (Rhydham Joshi)
PowerPoint presentation describing tools and techniques used for extracting and decoding artifacts from malicious files, forensic discipline in handling infected disk drives, and recovering files from infected images.
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents (Rhydham Joshi)
This tutorial covers a variety of tools and techniques to investigate malicious PDF & Doc documents, detecting and extracting JavaScript and shellcode from them, and their analysis.
Anomalies Detection: Windows OS - Part 1 (Rhydham Joshi)
Anomalies Detection: Windows OS - Part 1 describes malware investigation steps in detail. It focuses on identifying process anomalies, rootkit detection,
Electronic Document Management And Discovery (Ronald Coleman)
Presentation given as part of Delaware Bar Association Computer Law Section CLE program, "E-Commerce law: Critical Legal and Business Issues."
Many of the particulars of this presentation are relatively obsolete now.
Digital Forensics: Yesterday, Today, and the Next Frontier (The Lorenzi Group)
Presentation on where digital forensics is going, and disperse accessibility (not the cloud!).
Data will be available everywhere, like a personal Max Headroom avatar to assist you. If you're not protecting data from the ground up (hint, it's not at the servers), then you're not protecting data.
Logs for Information Assurance and Forensics @ USMA (Anton Chuvakin)
This is my presentation on "Logs for Information Assurance and Forensics", which was given to 2 of the USMA @ West Point, NY classes in April 2006. It sure was fun! Now I know where all the smart college students are :-)
The presentation is all about computer forensics: the process, the tools and their features, and some example scenarios. It will give you a great insight into computer forensics.
Lecture 09 - Memory Forensics.pdf (smile790243)
Lecture 9
By: Dr. Ibrahim Baggili
Memory Forensic Analysis
Part 1
RAM overview
Volatility overview
Understanding RAM
• Two main types of RAM
– Static
• Not refreshed
• Is still volatile
– Dynamic
• Modern computers
• Made up of a collection of cells
• Each cell contains a transistor and a capacitor
• Capacitors charge and discharge (1 and zeros)
• Periodically refreshed
RAM logical organization
• Programs run on computers
• Programs are made up of processes
– Processes are a set of resources used when executing an instance of a program
– Processes do not generally access the physical memory directly
– Each process has a "virtual memory space"
• Allows operating system to stay in control of allocating memory
– Virtual memory space is made up of
• Pages (default size 4K)
• References (used to map virtual address to physical address)
• May also have a reference to data on the disk (Page file) – used to free up RAM memory
RAM logical organization
• Each process is represented by an EPROCESS block:
Normal memory
• Each process is represented by an _EPROCESS block.
• Contained within each _EPROCESS block is both a pointer to the next process (fLink – Forward Link) and a pointer to the previous process (bLink – Back Link).
• When the OS is operating, the _EPROCESS blocks and their pointers come together to resemble a chain, which is known as a doubly-linked list.
• The chain is stored in kernel memory and is updated every time a process is launched or terminated.
• The Windows API walks this list from head to tail when enumerating processes via Task Manager, for example.
Not so normal
• Hides processes from the Windows API
• Known as Direct Kernel Object Manipulation (DKOM)
• Involves manipulating the list of _EPROCESS blocks to "unlink" a given process from the list
• By changing the forward link of process 1 to point to the third process, and changing the "bLink" of process 3 to point to process 1, the attacker's process is no longer part of the list of _EPROCESS blocks.
• Since the Windows API uses this list to enumerate processes, the malicious process will be hidden from the user but still able to operate normally.
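The unlinking described above is exactly why memory-forensics tools compare two views of the same RAM: the list walk (what the API sees) against a scan of every process object still allocated in memory. The following is an added example, not part of the lecture: a toy doubly-linked list of _EPROCESS-like records (constructed, not the real kernel layout) on which the two detection checks a memory examiner relies on are run. Record names, PIDs and the `demo()` scenario are constructed for illustration.

```python
# Added example (not from the lecture): cross-view detection of a process
# hidden by DKOM-style list unlinking. A toy doubly-linked list of
# _EPROCESS-like records stands in for kernel memory; walking the list models
# what the Windows API returns, and scanning every allocated record models
# what a memory-forensics tool does when it carves process objects from RAM.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Process:
    """Minimal stand-in for an _EPROCESS block (constructed, not the real layout)."""
    pid: int
    name: str
    flink: Optional["Process"] = None  # forward link to the next process
    blink: Optional["Process"] = None  # back link to the previous process


def build_process_list(entries) -> List[Process]:
    """Allocate records and chain them into a circular doubly-linked list.
    The returned list is every record in allocation order: our 'pool'."""
    pool = [Process(pid, name) for pid, name in entries]
    n = len(pool)
    for i, proc in enumerate(pool):
        proc.flink = pool[(i + 1) % n]
        proc.blink = pool[(i - 1) % n]
    return pool


def walk_list(head: Process) -> List[int]:
    """API view: follow flink from the head until the chain wraps around."""
    pids, cur = [], head
    while True:
        pids.append(cur.pid)
        cur = cur.flink
        if cur is head:
            return pids


def simulate_unlink(proc: Process) -> None:
    """Reproduce the hidden state the slides describe: the neighbours are
    rewired around proc, but proc itself remains allocated and unchanged."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink


def cross_view_hidden(pool: List[Process], head: Process) -> List[int]:
    """Detection 1: PIDs present in the scan of all records but absent from
    the list walk (the pslist-versus-psscan comparison)."""
    listed = set(walk_list(head))
    return sorted(p.pid for p in pool if p.pid not in listed)


def link_consistency_hidden(pool: List[Process]) -> List[int]:
    """Detection 2: in an intact list every record is referenced back by both
    neighbours; an unlinked record still points at neighbours that no longer
    point at it."""
    return sorted(p.pid for p in pool
                  if p.flink.blink is not p or p.blink.flink is not p)


def demo():
    """Constructed scenario; returns both detection results for checking."""
    pool = build_process_list([(4, "System"), (400, "smss.exe"),
                               (1337, "suspicious.exe"), (900, "explorer.exe")])
    head = pool[0]
    before = walk_list(head)     # every process is visible
    simulate_unlink(pool[2])     # PID 1337 disappears from the API view
    after = walk_list(head)      # the walk now skips it
    return before, after, cross_view_hidden(pool, head), link_consistency_hidden(pool)


if __name__ == "__main__":
    print(demo())
```

The second check matters on its own because an examiner does not always have a reliable list head to walk from: a carved record whose neighbours no longer point back at it is suspicious regardless of what the API reports.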
Part 2
Introduction to Memory forensics
Before & Now
• Traditionally
– We have always been told to "pull the plug" on a live system
– This is done so that the reliability of the digital evidence is not questioned
• Now
– People are considering live memory forensics
• Data relevant to the investigation may lie in memory
• Whole Disk Encryption….
Challenges in traditional method
• High volume of data (Aldestein, 2006)
– Increases the time in an investigation
– Increases storage capacity needed for forensic images
– Number of machines that could be included in th ...
Chapter 7: Authentication and Authorization
One of the most common ways to control access to computer systems is to identify who is at the keyboard (and prove that identity), and then decide what they are allowed to do. These twin controls, authentication and authorization, respectively, ensure that authorized users get access to the appropriate computing resources, while blocking access to unauthorized users.
Authentication is the means of verifying who a person (or process) is, while authorization determines what they’re allowed to do. This should always be done in accordance with the principle of least privilege—giving each person only the amount of access they require to be effective in their job function, and no more.
Authentication
Authentication is the process by which people prove they are who they say they are. It’s composed of two parts: a public statement of identity (usually in the form of a username) combined with a private response to a challenge (such as a password). The secret response to the authentication challenge can be based on one or more factors—something you know (a secret word, number, or passphrase, for example), something you have (such as a smartcard, ID tag, or code generator), or something you are (a biometric factor such as a fingerprint or retinal print). A password by itself, which is a means of identifying yourself through something only you should know (and today’s most common form of challenge response), is an example of single-factor authentication. This is not considered to be a strong authentication method, because a password can be intercepted or stolen in a variety of ways—for example, passwords are frequently written down or shared with others, they can be captured from the system or the network, and they are often weak and easy to guess.
Imagine if you could only identify your friends by being handed a previously agreed secret phrase on a piece of paper instead of by looking at them or hearing their voice. How reliable would that be? This type of identification is often portrayed in spy movies, where a secret agent uses a password to impersonate someone the victim is supposed to meet but has never seen. This trick works precisely because it is so fallible—the password is the only means of identifying the individual. Passwords are just not a good way of authenticating someone. Unfortunately, password-based authentication was the easiest type to implement in the early days of computing, and the model has persisted to this day.
Other single-factor authentication methods are better than passwords. Tokens and smart cards are better than passwords because they must be in the physical possession of the user. Biometrics, which use a sensor or scanner to identify unique features of individual body parts, are better than passwords because they can’t be shared—the user must be present to log in. However, there are ways to defeat these methods. Tokens and card ...
Similar to Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
THOTCON - The War over your DNS Queries (John Bambenek)
Talk given at THOTCON on October 9, 2021 entitled the War over your DNS queries and what to do about it. Covers DNS security and privacy and the importance of running your own DNS resolver.
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense (John Bambenek)
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
I'm All Up in Your Blockchain - Hunting Down the Nazis (John Bambenek)
In the wake of the white supremacist rally in Charlottesville, Virginia and the car attack in the aftermath, normal people wondered what is behind the resurgence of racial extremism. In looking at some of the figureheads of this movement, it was immediately apparent that several fund their operations with bitcoin with several holding thousands of dollars and a few holding millions (as of today's exchange rate). This talk will cover the research efforts into figuring out the adversaries behind the white supremacist movement, who is funding them, and the results of publishing their transactions on a live twitter feed at @neonaziwallets. We will show how they are getting their big money and what can be done to disrupt their activities. This talk will also cover an open-source twitter bot script that can monitor transactions to defined wallets and demonstrate how various exchanges leak information that allow visibility into other altcoins, particularly monero.
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers (John Bambenek)
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services by security companies. This talk will focus on the building of a RPZ service that can use already existing threat intelligence feeds that are freely accessible to protect consumers against threats we already know about.
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance (John Bambenek)
This is a talk given at the MISP summit in Luxembourg on how the Barncat malware configuration uses MISP to share data and the interesting things you can do with a huge body of malware configurations.
SANSFIRE - Elections, Deceptions and Political Breaches (John Bambenek)
It's been the year of political breaches. While campaigns are odd entities, there are lessons enterprises can draw from what happened in 2016 to protect their organizations from attacks.
Exploit kits are a critical piece of the malware delivery infrastructure, delivering banking trojans, click fraud engines and ransomware. This small talk will be designed to aid collaboration on a means to tackle these threats with a long-term goal of eventual prosecution of the actors and partners behind exploit kits and their associated malware campaigns. We will discuss the latest research into the backend infrastructure and surveillance techniques of the Nuclear, RIG and Angler exploit kits, to enable all participants to learn what others are doing to stay ahead of them.
Corporate Espionage without the Hassle of Committing Felonies (John Bambenek)
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
HITCON 2015 - DGAs, DNS and Threat Intelligence (John Bambenek)
Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.
Talk given at PHDAYS V in Moscow, May 2015.
This talk will focus on a research into Domain Generation Algorithms used in several malware families. By reverse engineering the DGA, it became possible to create near-time intelligence feeds used to monitor malicious networks and provide information required for network protection.
THOTCON 0x6: Going Kinetic on Electronic Crime Networks (John Bambenek)
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
Blackhat USA 2014 - The New Scourge of Ransomware (John Bambenek)
In March of this year, a Romanian man killed himself and his 4-year-old son because of a ransomware he received after visiting adult websites. This "police impersonation" malware instructed him to pay a massive fine or else go to jail for 11 years. Ransomware isn't a new threat; however, it introduced new life with CryptoLocker, the very first variant to perform encryption correctly, thus significantly inhibiting security researchers and their typical countermeasures. Due to its unique nature, CryptoLocker is one of the few current malware campaigns that spawned its own working group focused around remediation. As time progressed, other ransomware copycat campaigns emerged, some of which got media attention even though they were nothing but vaporware.
This talk will focus on what the threat intelligence community did in response to this threat, including the development of near-time tracking of its infrastructure and what can be learned in order to manage new threats as they emerge.
IESBGA 2014 Cybercrime Seminar by John Bambenek (John Bambenek)
This talk by John Bambenek, "What Small Businesses and Entrepreneurs Need to Know About Cybercrime" was given at IESBGA 2014 on May 30th, 2014 at Illinois State University.
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS (John Bambenek)
These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.
Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014 (John Bambenek)
Every day we hear more and more about credit cards getting stolen, businesses getting hacked and national secrets being pilfered from our government. In this seminar, you’ll learn:
- what threats small businesses need to be aware of
- what threats are hype
- how small businesses can protect themselves in a cost-effective way
- you’ll walk away with 5 things you can do in your small business to be more secure without having to buy a single piece of software
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! (SOFTTECHHUB)
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
2. Agenda
Types of “actionable” computer crime
Incident response vs computer forensics
Laws related to computer crime or forensics
Obstacles to computer crime prosecution
2 key elements of digital evidence
Data acquisition
Forensics: Network, Memory, Hard Drive, Logs
Courtroom Usage
3. Types of “actionable” computer crime
Identity Theft
Electronic Fraud (ACH or Credit Card)
Trade Secret / IP Theft
Spamming
Website Defacement / Denial of Service
Unauthorized Access / Misuse of Access
Cyberbullying / Unauthorized Sexting / Etc.
Child Pornography
National Security Issues
4. Incident Response vs. Forensics
Incident response = “Something bad happened, fix it”
Forensics = Acquisition of evidence for potential litigation
Can include e-Discovery
Organizations should have prepared in advance for this decision
Some incidents are not worth pursuing in criminal or civil court
Forensics is much more time-consuming and expensive
In both cases you want to know how someone “got in” and what they did once there
May not be concerned with attribution
5. When to do forensics?
When it’s a criminal matter…
When a civil case will likely be prosecuted…
When insurance requires it…
As litigation prevention…
When there is a large $ loss involved…
7. Obstacles to Computer Crime Prosecution
Ownership of Hardware
Big issue with Cloud Computing
Ownership of Data
Physical Access to Data
Expectation of Privacy
Not supposed to monitor users if they reasonably believe their actions are private
Chain of Custody / Evidence Preservation
Hard to have a case if chain of custody is broken or evidence has been corrupted
International Law
8. 2 Key Elements of Digital Evidence
Chain of Custody
Similar to “physical” evidence
If chain is broken, could end your case
Integrity of Evidence
Digital evidence is much more volatile
Often examining copies… are they “real”?
Suspect could destroy evidence if they are on to you
9. Chain of Custody
Physical possession of data is standard chain of custody
How do you prove chain of custody on electronic information?
Prevention of evidence contamination
Analyze only digital copies
Use “write-blockers” for physical drives
Difficult for “live system” analysis
Keeping notes for all tasks performed on “live system”
10. Integrity of Evidence
Prevention of evidence contamination
Analyze only copies
Use “write-blockers” for physical drives
Difficult for “live system” analysis
Keeping notes for all tasks performed on “live system”
Use cryptographic “hashing” to prove evidence isn’t contaminated
11. Cryptographic hashing
Hashing runs a one-way cryptographic algorithm (not encryption: there is no key and nothing to decrypt) over a file or an entire drive image and produces a fixed-length digest that identifies that exact content
Small changes to the input cause large, unpredictable changes in the hash
Example: “Illinois State Bar Association.” vs “Illinois State Bar Association!”
MD5:
acaf1670a9acc228a40f02fe034aea6e vs cb0149671f638b3b7d3e0abd4e40f010
SHA1:
ee9e70de1206ff87cc2d87d7d660c5cc0ac299cf vs 66d00acfc4ee228443317f1cf19cfb3d69b3ef13
Hash Collisions
Two different inputs producing the same digest; practical collision attacks exist against both MD5 and SHA-1, so record a SHA-256 digest as well
Use multiple algorithms to avoid doubt
12. Data Acquisition
In all cases, physical access is required by someone
In the “old days” we’d pull the power on the computer and take the whole system.
Evidence collection now proceeds from most “volatile” to least “volatile”:
Network traffic
Memory
Hard drives
System logs (assuming configured right)
May capture volatile data multiple times
13. Network Forensics
In essence, the same as wiretapping a phone call, except with data
Most managed network switches can mirror a machine’s traffic to a capture port (SPAN / port mirroring) for live capture
What are you looking for:
Who is talking to this machine
Who is this machine talking to
When is it happening
What is being communicated
Encryption?
15. Memory Forensics
Must be done on a “live” machine; memory disappears without power
Exception: hibernation writes RAM to disk (hiberfil.sys on Windows), so a hibernated laptop’s memory can be recovered from the drive; sleep mode only keeps RAM powered
Contains:
All running programs (even those deleted from the disk)
Any encryption keys in use (makes for easy decrypting)
In some cases, passwords
Memory is constantly changing
Evidence “changes” over time; may have to work with multiple memory images
16. Hard Drive Forensics
Can be done on a “live system” or a system that is off
On a “live system” data is constantly changing, which can be problematic
Involves a bit-for-bit copy of the drive into an image file (a “virtual drive”) for examination
Hashes taken of the original drive and of the image, before and after analysis, to prove no data was contaminated
Original drive is sealed in a safe; all analysis is done on copies of the image
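The hashing slide (11) and the imaging step above both rest on the same operation: digest the evidence at acquisition, digest it again later, and show the values match. The following is an added example, not code from the slides: it streams a large image through several hash algorithms at once, re-verifies it, and demonstrates the avalanche effect on the slide's two example strings. The evidence image is a constructed temporary file, and the one-byte edit simulates contamination.

```python
"""Added example (not from the slides): hash an evidence image before and after
analysis with several algorithms, and show the avalanche effect on small edits."""
import hashlib
import os
import tempfile

# Record more than one digest; MD5 and SHA-1 alone are collision-prone.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, streaming in chunks so a
    multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=ALGORITHMS):
    """Same digests for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}

def verify_image(path, recorded):
    """True only if every recorded digest still matches: one changed byte
    anywhere in the image fails the check."""
    current = hash_file(path, recorded.keys())
    return all(current[name] == digest for name, digest in recorded.items())

def bits_differing(hex_a, hex_b):
    """Avalanche effect: number of bits that differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def demo():
    """Constructed image: 2 MiB of deterministic filler, hashed at acquisition,
    then one byte flipped to simulate contamination during analysis."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 8192)
        acquired = hash_file(image)
        intact = verify_image(image, acquired)
        with open(image, "r+b") as fh:
            fh.seek(1_000_000)
            fh.write(b"\x00")   # the byte there was 0x40; now it is 0x00
        tampered = verify_image(image, acquired)
        return acquired, intact, tampered

if __name__ == "__main__":
    a = hash_bytes(b"Illinois State Bar Association.")
    b = hash_bytes(b"Illinois State Bar Association!")
    for name in ALGORITHMS:
        print(f"{name}: {a[name]} vs {b[name]} ({bits_differing(a[name], b[name])} bits differ)")
    acquired, intact, tampered = demo()
    print("intact after acquisition:", intact, "| intact after one-byte edit:", tampered)
```

In practice the acquisition digests go into the chain-of-custody notes at imaging time, and `verify_image` is rerun against the working copy whenever it leaves your control and when the report is written.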
17. Hard Drive Forensics
Hard drives are collections of ones and zeroes, even when mostly empty
File tables connect files to the actual “addresses” on the drive where the data that comprises each file is stored, along with attributes of the file (like MAC times).
When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive, and those parts of the drive can later be overwritten with new files.
Older government standards required multiple overwrite passes to confirm deletion (NIST SP 800-88 now treats a single overwrite as sufficient for modern magnetic drives; SSD wear-leveling means overwriting may not reach every copy at all)
Data may also hide in “slack space” (the unused tail of the last cluster a file occupies)
18. Hard Drive Forensics
So you have a drive image, now what?
Index drive for evidence.
Search for all deleted files
Search for all files added, deleted or modified at a certain time
Search files for specific strings
Search for files of a specific type
Examine key system files (configuration files, startup scripts, system registry)
Depends heavily on the nature of the incident
Iterative process that is more art than science
19. Hard Drive Forensics
MAC times stand for “modified”, “accessed”, “created” (on Unix-like file systems the “C” is actually ctime, the last change to the file’s metadata) and may also include a deletion time.
All files have MAC times associated with them (even deleted ones).
These times can help provide a search pattern for files “important” to an incident (i.e. if something happened at 3pm on Jan 11th, you’d look for any file with a MAC time near that same time). Timestamps can be altered, so corroborate them against logs and other sources.
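The search pattern described above is a file-system timeline: every time stamp of every file becomes one event, sorted, and then filtered around the incident time. The following is an added example, not from the slides, that builds such a timeline from stat() data and pulls out files touched within a window of the pivot. The directory tree is constructed in a temporary folder, with one file back-dated to the incident; the names dropped.exe and readme.txt are invented. On Linux the "c" event is the inode change time, not creation, and it cannot be set from user space, which is why the demo filters on modified and accessed times only.

```python
"""Added example (not from the slides): build a file-system timeline from
stat() times and pull out everything touched near a known incident time."""
import os
import tempfile
from datetime import datetime, timedelta, timezone

def timeline(root):
    """Walk a tree and emit sorted (timestamp, kind, path) events, one per
    time stamp. Kinds: 'm' modified, 'a' accessed, 'c' metadata change
    (Unix ctime; Windows reports creation here instead), 'b' birth time
    where the platform exposes st_birthtime."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            stamps = {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                stamps["b"] = birth
            for kind, ts in stamps.items():
                events.append((datetime.fromtimestamp(ts, tz=timezone.utc), kind, path))
    return sorted(events)

def events_near(events, pivot, window=timedelta(minutes=30), kinds=("m", "a", "c", "b")):
    """Events of the selected kinds inside [pivot - window, pivot + window]."""
    lo, hi = pivot - window, pivot + window
    return [e for e in events if e[1] in kinds and lo <= e[0] <= hi]

def demo():
    """Constructed tree: two files, one back-dated to the slide's example
    incident (3pm on Jan 11th), the other a month earlier."""
    incident = datetime(2011, 1, 11, 15, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        hit = os.path.join(root, "dropped.exe")
        miss = os.path.join(root, "readme.txt")
        for p in (hit, miss):
            with open(p, "wb") as fh:
                fh.write(b"x")
        # os.utime sets (atime, mtime); ctime cannot be set from user space
        near_ts = (incident + timedelta(minutes=7)).timestamp()
        os.utime(hit, (near_ts, near_ts))
        far_ts = (incident - timedelta(days=30)).timestamp()
        os.utime(miss, (far_ts, far_ts))
        hits = events_near(timeline(root), incident, kinds=("m", "a"))
        return sorted({os.path.basename(path) for _, _, path in hits})

if __name__ == "__main__":
    print(demo())
```

Run against a mounted, read-only image instead of the temporary tree, the same two functions produce the candidate list for the 3pm-on-Jan-11th question; widening the window and adding the "c" kind catches files whose content times were back-dated but whose metadata change was not.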
20. Windows Registry
Windows operating systems keep a wide variety of information in the system registry (can be accessed live using the RegEdit command).
Most recently used programs
Most recently entered commands
Most recently viewed documents
Typed URLs in IE
Unique hardware addresses for USB keys accessed on the system
This can be used to create a “timeline” of activity on the machine
21. Log Forensics
Over 90% of all computer crime incidents were recorded in system logs
Servers associated with a subject computer may have valuable information
E-mail logs can show all mail sent from a target computer
DHCP / DNS logs may show when the machine was on and who it was communicating with
If configured, these can show who accessed a machine even if the machine has had its own logs wiped
Web server logs can show attacks in progress and how servers were exploited
22. Log Forensics
E-mails all come with headers that give a wealth of information to identify the sender.
Can show:
IP address of the sender
Every mail server the message passed through (each one adds a Received: line)
Potentially the true username of the sender
When the message was really sent (server time stamps vs. the sender’s own Date: header)
A unique Message-ID which can be used to track the message in mail server logs
23. E-mail Headers Example
Return-path: dbernardi@frontier.com
Envelope-to: jcb@bambenekconsulting.com
Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
Received: from out01.dlls.pa.frontiernet.net ([199.224.80.228])
    by chicago.bambenekconsulting.com with esmtp (Exim 4.69)
    (envelope-from <dbernardi@frontier.com>) id 1Qoetc-0001aE-01
    for jcb@bambenekconsulting.com; Wed, 03 Aug 2011 12:06:16 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAB1/OU4yLK7Y/2dsb2JhbAA/Aw6CP5cljW6COAEFCCACAz4ODQMCDQoBNwIXPgEBBAEdyQ2DPoMEBIdam05V
X-IronPort-AV: E=Sophos;i="4.67,311,1309737600"; d="xml'?rels'?docx'72,48?scan'72,48,208,217,72,48";a="146462351"
Received: from relay01.dlls.pa.frontiernet.net ([199.224.80.244])
    by out01.dlls.pa.frontiernet.net with ESMTP; 03 Aug 2011 17:06:14 +0000
X-Previous-IP: 50.44.174.216
Received: from BernardiHome (unknown[50.44.174.216])
    by relay01.dlls.pa.frontiernet.net (Postfix) with ESMTPA id B4A0930C095;
    Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "don bernardi" <dbernardi@frontier.com>
To: "'Stephanie Beine'" <sbeine@genetictechnologies.com>, "'Rich Kaplan'" <kapla111@umn.edu>,
    <experts@forensicDJS.com>, <jharman@genetictechnologies.com>, <jcb@bambenekconsulting.com>
Cc: "'Jeremy Karlin'" <jkarlin@alcornkarlin.com>, "'Stephen M Komie'" <stephen_m_komie@komie-and-associates.com>,
    "'John J. Rekowski'" <jjrekowski@co.madison.il.us>, <rja@dupageco.org>,
    "'Tiffany Bordenkircher'" <tbordenkircher@isba.org>, <jheaton@isba.org>
References: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
In-Reply-To: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
Subject: nov 18,2011 ISBA seminar
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_005D_01CC51D5.BB658BE0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcwOY1oNT74/g+iGTFi9Z6maxNsonhDmfBEw
Content-Language: en-us
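Reading a header block like the one above by hand means walking the Received: lines from the bottom up, since each mail server prepends its own. The following is an added example, not from the slides, that does that walk with the standard library: it extracts each hop's sending host, the IP the receiving server saw, the receiving server, and its time stamp, then compares the sender's self-reported Date: with the first server's clock. The sample is the slide's own example with the To: and Cc: lists left out; no other headers were added.

```python
"""Added example (not from the slides): walk the Received: chain of a message
from origin to destination and compare the claimed Date: with the first hop."""
import email
import re
from email.utils import parsedate_to_datetime

# Headers taken from the slide's example; the recipient lists are omitted here.
SAMPLE_HEADERS = """\
Return-path: dbernardi@frontier.com
Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
Received: from out01.dlls.pa.frontiernet.net ([199.224.80.228])
    by chicago.bambenekconsulting.com with esmtp (Exim 4.69)
    (envelope-from <dbernardi@frontier.com>) id 1Qoetc-0001aE-01
    for jcb@bambenekconsulting.com; Wed, 03 Aug 2011 12:06:16 -0500
Received: from relay01.dlls.pa.frontiernet.net ([199.224.80.244])
    by out01.dlls.pa.frontiernet.net with ESMTP; 03 Aug 2011 17:06:14 +0000
X-Previous-IP: 50.44.174.216
Received: from BernardiHome (unknown[50.44.174.216])
    by relay01.dlls.pa.frontiernet.net (Postfix) with ESMTPA id B4A0930C095;
    Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "don bernardi" <dbernardi@frontier.com>
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@com>
X-Mailer: Microsoft Office Outlook 12.0

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host> (<comment with IP>) by <host>" as written by Postfix, Exim, Sendmail
HOP = re.compile(r"from\s+(?P<from>\S+)(?P<from_info>\s+\([^)]*\))?\s+by\s+(?P<by>\S+)", re.I)

def parse_hops(raw):
    """Return hops in chronological order: hops[0] is the server that first
    accepted the message from the sender's client."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its Received: line, so the last one is the origin.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        m = HOP.search(text)
        if not m:
            continue
        ips = IPV4.findall(m.group("from_info") or "")
        date_part = text.rsplit(";", 1)[-1].strip() if ";" in text else ""
        hops.append({
            "from": m.group("from"),                    # name the client claimed (HELO)
            "ip": ips[0] if ips else None,              # address the server actually saw
            "by": m.group("by"),
            "when": parsedate_to_datetime(date_part) if date_part else None,
        })
    return hops

def sending_delay(raw):
    """Seconds between the client's own Date: header and the first MTA's stamp.
    A large or negative value means the sender's clock (or the header) is off."""
    msg = email.message_from_string(raw)
    first_hop = parse_hops(raw)[0]
    return (first_hop["when"] - parsedate_to_datetime(msg["Date"])).total_seconds()

def message_id(raw):
    """The identifier to grep for in every server's mail log along the chain."""
    return email.message_from_string(raw)["Message-ID"]

if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_HEADERS)):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['when']}")
    print("client Date: vs first server:", sending_delay(SAMPLE_HEADERS), "seconds")
    print("track in logs with:", message_id(SAMPLE_HEADERS))
```

Only the Received: lines added by servers you trust are reliable; everything below the first trusted hop, including the HELO name and the Date: header, was supplied by the sender and can be forged. The origin IP (50.44.174.216 here) is what the first relay observed, which is why it is the value to take to the ISP.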
24. File Metadata
Many file types include metadata indicating the creating user, when modified, etc.
Metadata can be examined even on machines you don’t control
Cell phones are notorious for including metadata (EXIF) with image files.
This may even include GPS coordinates of where a picture was taken.
Office documents (especially with track changes) can show every person who touched a file
In some cases, can include content that has been “redacted” when viewed normally.
26. Other data sources
Cell phones (certainly smart phones) are huge data repositories and can store a significant amount of computer files and location data
Tablets and iPads
Online social network content (in particular, media)
Blog comments, forum posts
Webmail accounts
Google
27. Courtroom Usage
How to make the technically complex very simple
Preserve chain of custody and evidence of integrity!
Forensic report
Usually very long, includes boiler plate examples
Executive summary to make it accessible
Either dissuade cross-examination or poke holes in the other side’s case