
2023 | Book

Advances in Digital Forensics XIX

19th IFIP WG 11.9 International Conference, ICDF 2023, Arlington, Virginia, USA, January 30-31, 2023, Revised Selected Papers


About this book

Digital forensics deals with the acquisition, preservation, examination, analysis and presentation of electronic evidence. Computer networks, cloud computing, smartphones, embedded devices and the Internet of Things have expanded the role of digital forensics beyond traditional computer crime investigations. Practically every crime now involves some aspect of digital evidence; digital forensics provides the techniques and tools to articulate this evidence in legal proceedings. Digital forensics also has myriad intelligence applications; furthermore, it has a vital role in cyber security – investigations of security breaches yield valuable information that can be used to design more secure and resilient systems.

This book, Advances in Digital Forensics XIX, is the nineteenth volume in the annual series produced by the IFIP Working Group 11.9 on Digital Forensics, an international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The book presents original research results and innovative applications in digital forensics. Also, it highlights some of the major technical and legal issues related to digital evidence and electronic crime investigations.

This volume contains fourteen revised and edited chapters based on papers presented at the Nineteenth IFIP WG 11.9 International Conference on Digital Forensics held at SRI International in Arlington, Virginia, USA on January 30-31, 2023. A total of 24 full-length papers were submitted for presentation at the conference.

Table of contents

Frontmatter

Mobile Device Forensics

Forensic Analysis of the iOS Apple Pay Mobile Payment System
Abstract
Mobile payment systems enable users to complete financial transactions with their smartphones, including contactless payments at retail stores. Because the financial transactions of individuals are indicators of their lifestyles, they are potential sources of data in criminal investigations. The items purchased and even the locations of transactions can constitute valuable evidence. However, mobile payment system data is intended to be interpreted by computer software not human investigators. As a result, a barrier exists between raw application data and their clear interpretations for evidentiary purposes.
This chapter describes research focused on Apple Pay, the leading mobile payment system for mobile debit wallet transactions in the United States. The research has sought to examine the Apple Pay mobile payment system and identify specific sources of forensic artifacts. This includes determining and interpreting the payment card and transaction data residing in the Apple Pay application and syncing across user devices, as well as the implications of deleting Apple Pay application data.
Trevor Nicholson, Darren Hayes, Nhien-An Le-Khac
Forensic Analysis of Android Cryptocurrency Wallet Applications
Abstract
Crypto wallet apps that integrate with blockchains enable users to execute digital currency transactions with quick response codes. In 2021, there were more than 68 million crypto wallet app users [8]. As new crypto wallets and cryptocurrencies enter the market, the number of users will continue to increase. Mobile apps are commonly employed by users to execute cryptocurrency transactions and manage funds. As a result, sensitive information stored in mobile apps constitutes critical evidence in digital forensic investigations.
This chapter describes a forensic analysis method for Android cryptocurrency wallet apps that extracts evidence from the local filesystems and system logs. The results of forensic analyses of 253 real-world Android cryptocurrency wallet apps are interesting. A total of 135 crypto wallet apps store user account information in local filesystems that are accessible by malware. As many as 67 crypto wallet apps access and store user location information in a local database and log files, and twelve crypto wallet apps track the last used times of other applications installed on the devices. The research also reveals that, without resorting to deleted file recovery, various types of evidentiary data can be identified in local filesystems and system logs. Additionally, several types of evidence that were latent in previous studies are shown to be discoverable.
Chen Shi, Yong Guan
An Anti-Fuzzing Approach for Android Apps
Abstract
Extracting evidence pertaining to mobile apps is a key task in mobile device forensics. Since mobile apps can generate more than 19,000 files on a single device, it is time consuming and error prone to manually inspect all the files. Fuzzing tools that programmatically produce interactions with mobile apps are helpful when paired with sandbox environments to study their runtime forensic behavior and summarize patterns of evidentiary data in forensic investigations. However, the ability of fuzzing tools to improve the efficiency of mobile app forensic analyses has not been investigated.
This chapter describes AFuzzShield, an Android app shield that protects apps from being exercised by fuzzers. By analyzing the runtime information of mobile app interaction traces, AFuzzShield prevents real-world apps from being exercised by fuzzers and minimizes the overhead on human usage. A statistical model is employed to distinguish between fuzzer and human patterns; this eliminates the need to perform graphical user interface injections and ensures compatibility with apps with touchable/clickable graphical user interfaces. AFuzzShield verifies mobile app program coverage in situations where apps engage anti-fuzzing technologies. Specifically, it was applied to apps in AndroTest, a popular benchmark app dataset for testing fuzzers. The experimental results demonstrate that applying AFuzzShield significantly impacts mobile app program coverage in terms of reduced evidentiary data patterns.
Chris Chao-Chun Cheng, Li Lin, Chen Shi, Yong Guan
Nintendo 3DS Forensic Examination Tools
Abstract
This chapter describes a suite of digital forensic examination tools for the Nintendo 3DS series of game consoles. The Nintendo 3DS is a handheld game console with capabilities that include video recording, photography, web browsing and network communications. Originally released in 2011, the consoles remain popular, with almost 76 million units sold. Since the consoles can enable illegal activities, they are potential containers of evidence in criminal investigations. Previous research has highlighted the artifacts found on Nintendo 3DS and other similar devices. However, this chapter expands the body of research focused on automating artifact extraction and validation. The extraction and validation efforts would be of interest to forensic practitioners as well as researchers focusing on small-scale embedded devices.
Konstantinos Xynos, Huw Read, Iain Sutherland, Matthew Bovee, Trang Do

Forensic Data Collection

Revealing Human Attacker Behaviors Using an Adaptive Internet of Things Honeypot Ecosystem
Abstract
Honeypots have been used as decoy devices to understand the dynamics of threats on networks and their impacts. However, the questions of whether and how honeypots can elicit rich human attacker behaviors have not been investigated systematically. These capabilities are especially important for Internet of Things devices given the limited knowledge about attacker goals.
This chapter attempts to answer three questions. Can an Internet of Things honeypot that gradually adapts or increases its emulation sophistication elicit richer human attacker behaviors over time? Is it possible to engage human attackers using dynamically-adapting Internet of Things honeypots? Does the large amount of data captured by honeypots embody patterns that can enable security analysts to understand attacker intentions on Internet of Things devices?
To answer the questions, a new approach is presented for creating an adaptive honeypot ecosystem that gradually increases the sophistication of honeypot interactions with adversaries based on observed data. The approach is employed to design custom honeypots that mimic Internet of Things devices and an innovative data analytics method is applied to identify attacker behavior patterns and reveal attacker goals. The honeypots in the experiments actively observed real-world attacker behaviors and collected increasingly sophisticated attack data over more than three years. In the case of Internet of Things camera honeypots, human attack activities were observed after adapting the honeypots based on previous attacker behaviors. The data analytics results indicate that the vast majority of captured attack activities share significant similarities, and can be clustered to better understand the goals, patterns and trends of Internet of Things attacks in the wild.
Armin Ziaie Tabari, Guojun Liu, Xinming Ou, Anoop Singhal
Towards Direct-Control Data Acquisition by Nano-Probing Non-Volatile Memory Cells
Abstract
This chapter describes a data acquisition method for non-volatile memory that directly interfaces with the floating-gate transistors on a silicon die using nano-probes under a scanning electron microscope. The method involves chip preparation, memory cell reverse engineering, contact point identification and disinterring, following which nano-probes are positioned on control points on the die that are attached to the address, bit and ground lines associated with an individual memory cell. After the connections are established, a highly-sensitive sourcemeter applies voltage in a sweeping pattern to the address lines to enable current to flow between the bit and ground lines. The sourcemeter measures the minuscule current flow in the floating-gate transistor of the targeted memory cell to determine if it stores a zero or one. The research literature does not describe a data acquisition method that actively probes individual memory cells to read data.
Extensive experiments on ATmega328P microcontrollers demonstrate that the chip preparation, memory cell reverse engineering and contact point identification steps are successful. However, after the contact point disinterring step, it was difficult to verify that the contact points were fully exposed and free from contamination and damage. Indeed, the difficulty establishing consistent electrical connections between the nano-probe tips and address, bit and ground lines yielded non-ideal results. Nevertheless, the direct-control data acquisition method for non-volatile memory and the accompanying workflow that customizes a direct-control data acquisition method to a specific microcontroller or memory chip are technically sound.
Shawn McKay, Nathan Hutchins, Steven Baskerville, Sujeet Shenoi

Image and Video Forensics

Using Perceptual Hashing for Targeted Content Scanning
Abstract
The Internet is increasingly used to disseminate unethical and illegal content. A grave concern is child sexual abuse material that is often disseminated via end-to-end-encrypted channels. Such encryption defeats network- and server-based scanning measures used by law enforcement. A trade-off is to enable confidential communications channels for users and scanning opportunities for law enforcement by employing perceptual-hashing-based targeted content scanning on user devices. This has generated intense discussions between policymakers, privacy advocates and child protection organizations.
This chapter summarizes the current state of research in perceptual-hashing-based targeted content scanning with a focus on classical metrics such as false positives, false negatives and privacy aspects. Insights are provided into the most relevant perceptual hashing methods and an attack taxonomy for perceptual-hashing-based targeted content scanning is presented. The complexity in generating false negatives is evaluated and the feasibility of evading perceptual-hashing-based targeted content scanning is demonstrated.
Leon Twenning, Harald Baier, Thomas Göbel
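The abstract above weighs robustness (few false positives and false negatives under benign edits) against evasion. The following Python is an added illustration, not code from the chapter: dHash, a simple difference hash, stands in for the perceptual hash methods the chapter surveys. It shows that a monotone brightness or contrast change leaves the hash untouched, and then a white-box evasion that flips a chosen number of hash bits per row with small per-pixel edits, pushing the image past a match threshold. The synthetic image, the 8x8 hash size and the 10-bit match threshold are constructed assumptions.

```python
"""Perceptual hashing (dHash) with a robustness check and a targeted-evasion sketch.

Added example; not from the chapter. dHash (difference hash) stands in for the
perceptual hash methods the chapter surveys. Images are constructed synthetic
grayscale arrays (lists of rows, float values), not real content.
"""
from typing import List, Tuple

Image = List[List[float]]


def _bounds(n: int, cells: int, idx: int) -> Tuple[int, int]:
    """Pixel range [start, end) of cell idx when n pixels are split into cells."""
    start = idx * n // cells
    end = max((idx + 1) * n // cells, start + 1)
    return start, end


def downscale(img: Image, width: int, height: int) -> Image:
    """Box-average img to width x height cells."""
    h, w = len(img), len(img[0])
    out = []
    for r in range(height):
        r0, r1 = _bounds(h, height, r)
        row = []
        for c in range(width):
            c0, c1 = _bounds(w, width, c)
            block = [img[i][j] for i in range(r0, r1) for j in range(c0, c1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img: Image, size: int = 8) -> int:
    """size*size-bit hash: a bit is 1 where a cell is brighter than its right neighbour."""
    small = downscale(img, size + 1, size)
    bits = 0
    for row in small:
        for j in range(size):
            bits = (bits << 1) | int(row[j] > row[j + 1])
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def matches(a: int, b: int, threshold: int = 10) -> bool:
    """Scanner decision: hashes within threshold bits are treated as the same image."""
    return hamming(a, b) <= threshold


def sample_image(n: int = 64) -> Image:
    """Constructed test image: horizontal gradient with a bright square."""
    img = [[2.0 * j for j in range(n)] for _ in range(n)]
    for i in range(20, 44):
        for j in range(24, 40):
            img[i][j] += 80.0
    return img


def adjust(img: Image, shift: float = 0.0, scale: float = 1.0) -> Image:
    """Benign edit: brightness/contrast change (monotone, so cell ordering is kept)."""
    return [[p * scale + shift for p in row] for row in img]


def evade(img: Image, flips_per_row: int, size: int = 8) -> Image:
    """White-box evasion: flip the cheapest comparisons in each hash row.

    For each row of the downscaled grid the attacker picks the pairs (j, j+1)
    with the smallest brightness difference, spaced at least two cells apart so
    that no targeted pair shares a modified cell with another, and shifts every
    source pixel of cell j just past its neighbour. Each pick therefore flips
    exactly one hash bit; neighbouring bits may flip as a side effect, which
    only helps the attacker. Pixel values are not clamped in this toy.
    """
    out = [row[:] for row in img]
    h, w = len(img), len(img[0])
    small = downscale(img, size + 1, size)
    for r, row in enumerate(small):
        order = sorted(range(size), key=lambda j: (abs(row[j] - row[j + 1]), j))
        chosen: List[int] = []
        for j in order:
            if len(chosen) == flips_per_row:
                break
            if all(abs(j - k) >= 2 for k in chosen):
                chosen.append(j)
        r0, r1 = _bounds(h, size, r)
        for j in chosen:
            # Move cell j to the other side of cell j+1 with a margin of 1.
            delta = (row[j + 1] - row[j]) + (-1.0 if row[j] > row[j + 1] else 1.0)
            c0, c1 = _bounds(w, size + 1, j)
            for i in range(r0, r1):
                for c in range(c0, c1):
                    out[i][c] += delta
    return out


def max_pixel_change(a: Image, b: Image) -> float:
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


if __name__ == "__main__":
    img = sample_image()
    h = dhash(img)
    print(f"original hash      {h:016x}")
    print("brightness+20 distance:", hamming(h, dhash(adjust(img, shift=20))))
    adv = evade(img, flips_per_row=2)
    print("evasion distance:", hamming(h, dhash(adv)),
          "max pixel change:", max_pixel_change(img, adv))
```

The two measurements are the trade-off the abstract describes: the hash is stable under edits a legitimate user makes, which keeps false positives low, yet an adversary who knows the algorithm needs only localized brightness shifts to produce a false negative. Real perceptual hashes are harder to invert than dHash, but the same white-box structure applies.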
Analysis of Document Security Features
Abstract
Document fraud has been rising for several years, severely impacting individuals, organizations and governments. Security features in documents change significantly when documents are altered or reproduced, clearly identifying them as fraudulent. However, advancements in technology and the availability of special hardware and software enable criminals to create fraudulent documents despite the presence of security features.
It is important to classify document security features to gain insights into their unique characteristics, effectiveness and use cases. The classification supports the analysis of the robustness of document security and steers the development of new and improved security features to combat document fraud. This chapter classifies document security features based on three criteria, security feature types, inspection levels and security levels.
Pulkit Garg, Saheb Chhabra, Garima Gupta, Vishal Srivastava, Gaurav Gupta
Deepfake Detection Using Multiple Facial Features
Abstract
Deepfake digital forgery techniques leverage deep learning to replace faces and modify facial expressions in images and videos. The techniques have been used to produce fake pornography, spread fake news and rumors, influence public opinion and even elections. However, deepfake detection techniques are well behind deepfake generation technology.
This chapter describes a deepfake video detection method that leverages aspect ratios to express multiple facial features. The aspect ratios of facial features are computed for every frame in a video and a time window is used to segment processed frame sequences into multiple short segments, following which pattern matching is employed to identify abnormal expressions that are indicative of deepfakes. Experiments with the FaceForensics++ and Celeb-DF datasets reveal that the proposed method detects deepfake videos effectively. Moreover, the aspect ratio computations improve the ability to detect compressed deepfake videos.
Xinzhe Wang, Duohe Ma, Liming Wang, Zhitong Lu, Zhenchao Zhang, Junye Jiang

Novel Applications

Identifying Superspreaders by Ranking System Object Instance Graphs
Abstract
Defending enterprise networks is very challenging due to the number of cyber attacks and their complexity. It is critical to understand how attacks occur and propagate in networks. System object instance graphs can reveal attack paths at the system level and help understand attack propagation. The graphs capture dependencies between system object instances such as files, processes and sockets, and help compute the infection probabilities of object instances. Attack paths are revealed by connecting instances with high infection probabilities. However, the graphs can be massive and difficult to comprehend.
Identifying the most important objects in system object instance graphs can enhance the understanding of infection propagation and the impacts. Importance in this context means high infection probabilities and large impacts to other objects. Objects on which other objects are heavily dependent have large impacts and need to be scrutinized. If these objects are infected, they can have huge negative impacts by infecting their dependent objects.
This chapter describes an approach for ranking objects using an extension of the AssetRank algorithm. Security analysts can use the dependency rankings to rapidly identify objects with the greatest impacts. When combined with the infection probabilities, the dependency ranking enables security analysts to prioritize the objects that need attention given limited time and resources. Experimental results demonstrate that the proposed dependency ranking approach successfully determines the objects with the largest impacts.
Rajani Suryavanshi, Xiaoyan Sun, Jun Dai
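To make the ranking idea in the abstract above concrete, here is an added example that is not the chapter's AssetRank extension: a plain PageRank-style power iteration over a small system object instance graph, with the resulting dependency rank weighted by per-object infection probabilities to produce an analyst's work list. The graph (a macro document opened by Word, a cmd.exe and powershell.exe chain, a dropped executable, a shared system library and an outbound socket), the infection probabilities, the paths, PIDs and the 203.0.113.7 address (a documentation range) are all constructed.

```python
"""Dependency ranking over a system object instance graph.

Added example; not the chapter's AssetRank extension. A plain PageRank-style
power iteration stands in for it, to show how a dependency ranking and
infection probabilities combine into an analyst's work list. The graph, the
infection probabilities, the paths, PIDs and the 203.0.113.7 address
(a documentation range) are all constructed.
"""
from typing import Dict, List, Tuple

# a -> [b, ...] means "a depends on b": a read b, was spawned by b, or
# received data from b. Rank flows along these edges, so an object that many
# others depend on accumulates rank; if it is infected, so are they.
DEPENDS_ON: Dict[str, List[str]] = {
    "proc:WINWORD.EXE[1204]": ["file:C:/Users/a/Downloads/invoice.docm",
                               "file:C:/Windows/System32/ntdll.dll"],
    "proc:cmd.exe[1310]": ["proc:WINWORD.EXE[1204]",
                           "file:C:/Windows/System32/ntdll.dll"],
    "proc:powershell.exe[1322]": ["proc:cmd.exe[1310]",
                                  "file:C:/Windows/System32/ntdll.dll",
                                  "socket:203.0.113.7:443"],
    "file:C:/Users/a/AppData/Local/Temp/update.exe": ["proc:powershell.exe[1322]"],
    "proc:update.exe[1400]": ["file:C:/Users/a/AppData/Local/Temp/update.exe",
                              "file:C:/Windows/System32/ntdll.dll"],
}

# Per-object infection probabilities as a separate analysis (e.g. alert
# propagation over the same graph) might produce them; constructed values.
INFECTION_PROB: Dict[str, float] = {
    "file:C:/Users/a/Downloads/invoice.docm": 0.95,
    "proc:WINWORD.EXE[1204]": 0.9,
    "proc:cmd.exe[1310]": 0.9,
    "proc:powershell.exe[1322]": 0.9,
    "socket:203.0.113.7:443": 0.7,
    "file:C:/Users/a/AppData/Local/Temp/update.exe": 0.8,
    "proc:update.exe[1400]": 0.8,
    "file:C:/Windows/System32/ntdll.dll": 0.05,
}


def dependency_rank(deps: Dict[str, List[str]], damping: float = 0.85,
                    iterations: int = 200, tol: float = 1e-12) -> Dict[str, float]:
    """PageRank-style ranking: each object splits damping*rank among the
    objects it depends on; objects that depend on nothing spread theirs
    uniformly; the remaining mass is a uniform teleport term."""
    nodes = sorted(set(deps) | {d for ds in deps.values() for d in ds})
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        new = {v: (1.0 - damping) / n for v in nodes}
        for v in nodes:
            targets = deps.get(v, [])
            if targets:
                share = damping * rank[v] / len(targets)
                for t in targets:
                    new[t] += share
            else:
                for u in nodes:
                    new[u] += damping * rank[v] / n
        change = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if change < tol:
            break
    return rank


def prioritize(rank: Dict[str, float], prob: Dict[str, float]) -> List[Tuple[str, float]]:
    """Work list: dependency rank weighted by infection probability, descending."""
    scored = [(v, rank[v] * prob.get(v, 0.0)) for v in rank]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    rank = dependency_rank(DEPENDS_ON)
    print("by dependency rank alone:")
    for v, r in sorted(rank.items(), key=lambda kv: kv[1], reverse=True)[:3]:
        print(f"  {r:.3f}  {v}")
    print("by rank x infection probability:")
    for v, s in prioritize(rank, INFECTION_PROB)[:3]:
        print(f"  {s:.3f}  {v}")
```

Rank alone puts the shared library first: every process depends on it, so its compromise would have the widest impact. Weighted by infection probability, the powershell.exe instance and the macro document move to the top, which is the prioritization the abstract describes. The ranking is only as good as the dependency edges fed to it; a provenance recorder that misses a read or a spawn silently lowers the rank of the object it missed.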
A Dynamic Malicious Document Detection Method Based on Multi-Memory Features
Abstract
The massive use of Microsoft Office documents underscores the need for effective malicious document detection techniques. Most detection methods characterize document behavior using application programming interface traces or other descriptive information, but ignore memory information due to inherent difficulties. Since many malicious behavior patterns are only manifested in memory, these detection methods are vulnerable to ubiquity evasion attacks. One difficulty in extracting malicious behavior information from memory is that only high-coverage memory dump sequences are meaningful, but no established methods can be employed. Another difficulty is that no efficient method exists for representing the numerous long memory dump sequences associated with malicious document samples.
This chapter describes a multi-memory-feature-based method that leverages memory information to detect malicious documents. The detection method employs a high-coverage memory dump service and a multiple memory dump sequence reduction approach. The memory dump service hooks system application programming interfaces to cover the entire lifetimes of processes while also monitoring the initial Office process and every spawned subprocess. The multiple memory dump sequence reduction approach efficiently represents each memory dump in terms of the difference from its adjacent dump. Ablation experiments demonstrate that the memory dump sequence reduction approach performs best using a long short-term memory classifier, yielding an accuracy of 98.27%. Experiments also demonstrate that the detection method outperforms state-of-the-art methods based on application programming interfaces in terms of accuracy and precision.
Yuanyuan Wang, Gengwang Li, Min Yu, Kam-Pui Chow, Jianguo Jiang, Xiang Meng, Weiqing Huang
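The abstract above represents each memory dump by its difference from the adjacent dump. As an added illustration that is not the chapter's own reduction method or classifier, the Python below stores each snapshot of a process as the set of pages that differ from the previous snapshot, recovers the full sequence from those deltas (so the reduction is lossless), and derives per-step features a sequence classifier could consume, including the appearance of a new MZ header in memory. The three snapshots, the 16-byte page size and the page contents are constructed.

```python
"""Delta representation of a memory dump sequence.

Added example; not the chapter's reduction method. It shows one way to store
each dump of a monitored process as the set of pages that differ from the
preceding dump, to recover the full sequence from those deltas, and to derive
per-step features from them. The dumps are constructed byte strings standing
in for snapshots of one process; PAGE = 16 keeps them readable (a real page is
4096 bytes).
"""
from typing import Dict, List, NamedTuple

PAGE = 16


class Delta(NamedTuple):
    changed: Dict[int, bytes]  # page index -> content of pages that differ
    n_pages: int               # size of the dump this delta reconstructs


def pages(dump: bytes) -> List[bytes]:
    assert len(dump) % PAGE == 0, "dumps are whole pages"
    return [dump[i:i + PAGE] for i in range(0, len(dump), PAGE)]


def delta(prev: bytes, cur: bytes) -> Delta:
    """Pages of cur that are new or differ from the same page of prev."""
    p_prev, p_cur = pages(prev), pages(cur)
    changed = {i: pg for i, pg in enumerate(p_cur)
               if i >= len(p_prev) or p_prev[i] != pg}
    return Delta(changed, len(p_cur))


def reduce_sequence(dumps: List[bytes]) -> List[Delta]:
    """Represent every dump by its difference from the adjacent (previous) one."""
    out, prev = [], b""
    for d in dumps:
        out.append(delta(prev, d))
        prev = d
    return out


def reconstruct(deltas: List[Delta]) -> List[bytes]:
    """Lossless inverse of reduce_sequence."""
    dumps: List[bytes] = []
    cur: List[bytes] = []
    for d in deltas:
        cur = cur[:d.n_pages] + [b"\x00" * PAGE] * max(0, d.n_pages - len(cur))
        for i, pg in d.changed.items():
            cur[i] = pg
        dumps.append(b"".join(cur))
    return dumps


def features(deltas: List[Delta]) -> List[Dict[str, float]]:
    """Per-step features a sequence classifier could consume."""
    rows = []
    for d in deltas:
        new_pe = sum(1 for pg in d.changed.values() if pg.startswith(b"MZ"))
        rows.append({
            "changed_pages": len(d.changed),
            "changed_ratio": len(d.changed) / d.n_pages if d.n_pages else 0.0,
            "new_pe_headers": new_pe,  # an executable image appearing mid-run
        })
    return rows


def constructed_dumps() -> List[bytes]:
    """Three snapshots of one Office process, constructed for illustration."""
    zero = b"\x00" * PAGE
    doc = b"{\\rtf1 toy}".ljust(PAGE, b" ")
    code = b"\x55\x48\x89\xe5" + b"\x90" * (PAGE - 4)   # prologue + NOP sled
    buf = b"\x41" * PAGE                                 # buffer filled at step 1
    pe = b"MZ\x90\x00" + b"\x00" * (PAGE - 4)            # DOS header of a mapped image
    d0 = zero + doc + zero + zero + code
    d1 = zero + doc + buf + zero + code
    d2 = d1 + pe + code
    return [d0, d1, d2]


if __name__ == "__main__":
    dumps = constructed_dumps()
    deltas = reduce_sequence(dumps)
    assert reconstruct(deltas) == dumps
    for step, row in enumerate(features(deltas)):
        print(step, row)
```

Storing only the changed pages is what makes long dump sequences tractable: a process that idles between API calls contributes near-empty deltas, while a stage that maps a new image or fills a buffer stands out in the per-step features. A real pipeline would hash pages rather than keep them verbatim and would take dumps at the API hooks the abstract mentions; the delta representation is unchanged by either.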
Traceable Transformer-Based Anomaly Detection for a Water Treatment System
Abstract
As industrial control system malfunctions caused by attacks become more complex and frequent, anomaly detection and subsequent forensic analyses are more important than ever. When an anomaly is detected, security professionals need to accurately identify the components that are under attack. However, traditional methods do not provide enough traces, which makes it difficult to identify the targeted components.
This chapter describes a traceable anomaly detection method that leverages unsupervised learning using industrial control system component time series data. The method generates customized transformer-encoder classifiers for industrial control system components. The final detection result is ensembled from all the classifier outputs. Experiments with water treatment testbed data indicate that the method achieves good performance with low false positive rates and delays, and strong traceability.
Shenzhi Qin, Yubo Lang, Kam-Pui Chow

Legal Issues and Applications

Evolution of Global Digital Forensics Laws and Emergent Challenges
Abstract
The proliferation of digital devices in the commission of crimes has presented unique challenges to law enforcement the world over. Academia and industry have developed tools to assist law enforcement in conducting digital forensic investigations. However, inadequate awareness of the legal provisions on the part of law enforcement and the absence of updated laws have resulted in situations where, despite the availability of technological support, offenders could not be prosecuted. It would also be productive if academia and industry could become more aware of the legal provisions governing electronic evidence and the legal challenges to technological solutions.
This chapter discusses the evolution of global laws pertaining to digital forensics with a focus on the admissibility of evidence derived from digital forensic procedures. The chapter also examines emergent challenges in digital forensics and efforts to enhance global cooperation.
Kaushik Thinnaneri Ganesan
A Blockchain Model for Sharing Information in Criminal Justice Systems
Abstract
Criminal justice systems around the world encounter missing case dockets and digital evidence. Problems are also posed by the mechanisms used to share criminal case data, especially email and paper documents that provide exposure to illegal data alteration.
This chapter describes a blockchain model for sharing criminal case data securely and efficiently with authorized criminal justice system entities. The model is implemented using Hyperledger Fabric and promising results were obtained during the simulation experiments. The model enables entities to access criminal case data in real time, which helps speed up the delivery of justice. Moreover, the model improves collaboration among the various entities, especially when it comes to joint operations and investigations involving law enforcement and prosecutors. The model also stores credible evidence because the underlying data is immutable and cannot be deleted.
Pardon Ramazhamba, Hein Venter
Metadata
Title
Advances in Digital Forensics XIX
edited by
Gilbert Peterson
Sujeet Shenoi
Copyright year
2023
Electronic ISBN
978-3-031-42991-0
Print ISBN
978-3-031-42990-3
DOI
https://doi.org/10.1007/978-3-031-42991-0
