Dabin Joo,Jiwon Lee,Doowon Jeong

DOI: https://doi.org/10.1111/1556-4029.15240

Abstract:Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file-wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques that detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we focused on analyzing traces in 13 Windows artifacts of 10 file-wiping tools' operations in the Windows operating system comprehensively. For our experiments, we installed each file-wiping tool on separate virtual machines and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces on other artifacts, except for JumpList, Open&SavePidlMRU, and lnk. There were also some cases where traces remained on the other three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, and it can assist in decision-making for evidence collection and forensic triage.

Jaehyeok Han,Jungheum Park,Hyunji Chung,Sangjin Lee

DOI: https://doi.org/10.48550/arXiv.2002.12506

2020-02-28

Abstract:Telemetry is the automated sensing and collection of data from a remote device. It is often used to provide better services for users. Microsoft uses telemetry to periodically collect information about Windows systems and to help improve user experience and fix potential issues. Windows telemetry service functions by creating RBS files on the local system to reliably transfer and manage the telemetry data, and these files can provide useful information in a digital forensic investigation. Combined with the information derived from traditional Windows forensics, investigators can have greater confidence in the evidence derived from various artifacts. It is possible to acquire information that can be confirmed only for live systems, such as the computer hardware serial number, the connection records for external storage devices, and traces of executed processes. This information is included in the RBS files that are created for use in Windows telemetry. In this paper, we introduced how to acquire RBS files telemetry and analyzed the data structure of these RBS files, which are able to determine the types of information that Windows OS have been collected. We also discussed the reliability and the novelty by comparing the conventional artifacts with the RBS files, which could be useful in digital forensic investigation.

Cryptography and Security

Madhukar Shrestha,Yonghyun Kim,Jeehyun Oh,Junghwan (John) Rhee,Yung Ryn Choe,Fei Zuo,Myungah Park,Gang Qian,Junghwan Rhee

DOI: https://doi.org/10.1007/s44227-023-00014-9

2023-11-15

International Journal of Networked and Distributed Computing

Abstract:Abstract System provenance forensic analysis has been studied by a large body of research work. This area needs fine granularity data such as system calls along with event fields to track the dependencies of events. While prior work on security datasets has been proposed, we found a useful dataset of realistic attacks and details that are needed for high-quality provenance tracking is lacking. We created a new dataset of eleven vulnerable cases for system forensic analysis. It includes the full details of system calls including syscall parameters. Realistic attack scenarios with real software vulnerabilities and exploits are used. For each case, we created two sets of benign and adversary scenarios which are manually labeled for supervised machine-learning analysis. In addition, we present an algorithm to improve the data quality in the system provenance forensic analysis. We demonstrate the details of the dataset events and dependency analysis of our dataset cases.

Brian DeCann,Kirill Trapeznikov

DOI: https://doi.org/10.48550/arXiv.2208.11776

2022-10-26

Abstract:Digital media (e.g., photographs, video) can be easily created, edited, and shared. Tools for editing digital media are capable of doing so while also maintaining a high degree of photo-realism. While many types of edits to digital media are generally benign, others can also be applied for malicious purposes. State-of-the-art face editing tools and software can, for example, artificially make a person appear to be smiling at an inopportune time, or depict authority figures as frail and tired in order to discredit individuals. Given the increasing ease of editing digital media and the potential risks from misuse, a substantial amount of effort has gone into media forensics. To this end, we created a challenge dataset of edited facial images to assist the research community in developing novel approaches to address and classify the authenticity of digital media. Our dataset includes edits applied to controlled, portrait-style frontal face images and full-scene in-the-wild images that may include multiple (i.e., more than one) face per image. The goals of our dataset is to address the following challenge questions: (1) Can we determine the authenticity of a given image (edit detection)? (2) If an image has been edited, can we \textit{localize} the edit region? (3) If an image has been edited, can we deduce (classify) what edit type was performed? The majority of research in image forensics generally attempts to answer item (1), detection. To the best of our knowledge, there are no formal datasets specifically curated to evaluate items (2) and (3), localization and classification, respectively. Our hope is that our prepared evaluation protocol will assist researchers in improving the state-of-the-art in image forensics as they pertain to these challenges.

Computer Vision and Pattern Recognition,Multimedia

Branislav Bosansky,Dominik Kouba,Ondrej Manhal,Thorsten Sick,Viliam Lisy,Jakub Kroustek,Petr Somol

DOI: https://doi.org/10.48550/arXiv.2209.03188

2022-09-06

Abstract:There is a limited amount of publicly available data to support research in malware analysis technology. Particularly, there are virtually no publicly available datasets generated from rich sandboxes such as Cuckoo/CAPE. The benefit of using dynamic sandboxes is the realistic simulation of file execution in the target machine and obtaining a log of such execution. The machine can be infected by malware hence there is a good chance of capturing the malicious behavior in the execution logs, thus allowing researchers to study such behavior in detail. Although the subsequent analysis of log information is extensively covered in industrial cybersecurity backends, to our knowledge there has been only limited effort invested in academia to advance such log analysis capabilities using cutting edge techniques. We make this sample dataset available to support designing new machine learning methods for malware detection, especially for automatic detection of generic malicious behavior. The dataset has been collected in cooperation between Avast Software and Czech Technical University - AI Center (AIC).

Cryptography and Security,Artificial Intelligence,Machine Learning

Tzu-Yi Fan,Tun-Chi Tsai,Cheng-Hsin Hsu,Fanqi Liu,Nalini Venkatasubramanian

DOI: https://doi.org/10.1145/3486611.3486662

2021-01-01

Abstract:Windows play an important role in modern buildings. Getting to know the window states, e.g., open vs. close, is an enabler of many smart city applications, such as energy conservation and emergency response. In this work, we collect the very first multi-modal (RGB, thermal, depth, LiDAR, and ultrasound) window dataset named WinSet at various distances and angles. Multiple window types and heterogeneous window states are considered, such as openness (open vs. close), human behind (with vs. without), and lighting (on vs. off). Although our WinSet dataset has many usage scenarios, we concretize two sample ones: (i) analysis of state distinguishability using different sensor modalities and (ii) algorithms to detect open windows. We believe sharing WinSet and its collection procedure with the engineering and research communities will stimulate many creative smart city applications.

Tieming Chen,Qijie Song,Xuebo Qiu,Tiantian Zhu,Zhiling Zhu,Mingqi Lv

2023-10-02

Abstract:Recently, APT attacks have frequently happened, which are increasingly complicated and more challenging for traditional security detection models. The system logs are vital for cyber security analysis mainly due to their effective reconstruction ability of system behavior. existing log collection tools built on ETW for Windows suffer from working shortages, including data loss, high overhead, and weak real-time performance. Therefore, It is still very difficult to apply ETW-based Windows tools to analyze APT attack scenarios. To address these challenges, this paper proposes an efficient and lossless kernel log collector called Kellect, which has open sourced with project at <a class="link-external link-http" href="http://www.kellect.org" rel="external noopener nofollow">this http URL</a>. It takes extra CPU usage with only 2%-3% and about 40MB memory consumption, by dynamically optimizing the number of cache and processing threads through a multi-level cache solution. By replacing the TDH library with a sliding pointer, Kellect enhances analysis performance, achieving at least 9 times the efficiency of existing tools. Furthermore, Kellect improves compatibility with different OS versions. Additionally, Kellect enhances log semantics understanding by maintaining event mappings and application callstacks which provide more comprehensive characteristics for security behavior analysis. With plenty of experiments, Kellect demonstrates its capability to achieve non-destructive, real-time and full collection of kernel log data generated from events with a comprehensive efficiency of 9 times greater than existing tools. As a killer illustration to show how Kellect can work for APT, full data logs have been collected as a dataset Kellect4APT, generated by implementing TTPs from the latest ATT&CK. To our knowledge, it is the first open benchmark dataset representing ATT&CK technique-specific behaviors, which could be highly expected to improve more extensive research on APT study.

Software Engineering

Shishir Kumar Shandilya,Chirag Ganguli,Ivan Izonin,Prof Atulya Kumar Nagar

DOI: https://doi.org/10.1016/j.dib.2022.108771

2022-11-24

Abstract:To determine the effectiveness of any defense mechanism, there is a need for comprehensive real-time network data that solely references various attack scenarios based on older software versions or unprotected ports, and so on. This presented dataset has entire network data at the time of several cyber attacks to enable experimentation on challenges based on implementing defense mechanisms on a larger scale. For collecting the data, we captured the network traffic of configured virtual machines using Wireshark and tcpdump. To analyze the impact of several cyber attack scenarios, this dataset presents a set of ten computers connected to Router1 on VLAN1 in a Docker Bridge network, that try and exploit each other. It includes browsing the web and downloading foreign packages including malicious ones. Also, services like File Transfer Protocol (FTP) and Secure Shell (SSH) were exploited using several attack mechanisms. The presented dataset shows the importance of updating and patching systems to protect themselves to a greater extent, by following attack tactics on older versions of packages as compared to the newer and updated ones. This dataset also includes an Apache Server hosted on a different subset of VLAN2 which is connected to the VLAN1 to demonstrate isolation and cross- VLAN communication. The services on this web server were also exploited by the previously stated ten computers. The attack types include Distributed Denial of Service, SQL Injection, Account Takeover, Service Exploitation (SSH, FTP), DNS and ARP Spoofing, Scanning and Firewall Searching and Indexing (using Nmap), Hammering the services to brute-force passwords and usernames, Malware attacks, Spoofing, and Man-in-the-Middle Attack. The attack scenarios also show various scanning mechanisms and the impact of Insider Threats on the entire network.

Syed Sohaib Karim,Mehreen Afzal,Waseem Iqbal,Dawood Al Abri

DOI: https://doi.org/10.1016/j.dib.2024.110290

2024-03-05

Abstract:The novel dataset called Linux-APT Dataset 2024 captures Advanced Persistent Threat (APT) attacks along with other latest and sophisticated payloads. Existing datasets lacks latest attacker's techniques and procedures, APTs tactics and configuration to capture maximum Linux log sources to observe the working and behaviour of an APT in a detailed manner. The environment which supported us in capturing the logs is composed of Linux machines and a centralized logging system configured appropriately to captures and detect all possible events and logs for an APT and other complex intrusion. Unlike Microsoft Windows, Linux logging system are investigated enough and usually systems relies on limited log sources but for an APT, all possible log sources should be evaluated and added to completely analyse the behaviour, trajectory, and operation of an APT. To keep the dataset up to date and realistic, recent payloads and APTs are emulated in the environment. A well-known cyber-security framework 'MITRE ATT&CK' is utilised to map the behaviour and operation in a generalized manner after capturing the events and logs. This dataset can be used for training and conducting a variety of experiments to build as well as design the solutions for detecting most recent intrusions and APT attacks for Linux System.

Herschel Bowling,Kathryn Seigfried-Spellar,Umit Karabiyik,Marcus Rogers

DOI: https://doi.org/10.1111/1556-4029.15208

Abstract:Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.

Yijun Quan,Chang-Tsun Li,Yujue Zhou,Li Li

DOI: https://doi.org/10.48550/arXiv.2004.10469

2020-05-07

Abstract:Device fingerprints like sensor pattern noise (SPN) are widely used for provenance analysis and image authentication. Over the past few years, the rapid advancement in digital photography has greatly reshaped the pipeline of image capturing process on consumer-level mobile devices. The flexibility of camera parameter settings and the emergence of multi-frame photography algorithms, especially high dynamic range (HDR) imaging, bring new challenges to device fingerprinting. The subsequent study on these topics requires a new purposefully built image dataset. In this paper, we present the Warwick Image Forensics Dataset, an image dataset of more than 58,600 images captured using 14 digital cameras with various exposure settings. Special attention to the exposure settings allows the images to be adopted by different multi-frame computational photography algorithms and for subsequent device fingerprinting. The dataset is released as an open-source, free for use for the digital forensic community.

Computer Vision and Pattern Recognition,Cryptography and Security,Multimedia,Image and Video Processing

Fatemeh Mansouri Hanis,Mehdi Teimouri

DOI: https://doi.org/10.1186/s13104-019-4837-4

2019-12-01

BMC Research Notes

Abstract:Abstract Objectives Classification of textual file formats is a topic of interest in network forensics. There are a few publicly available datasets of files with textual formats. Therewith, there is no public dataset for file fragments of textual file formats. So, a big research challenge in file fragment classification of textual file formats is to compare the performance of the developed methods over the same datasets. Data description In this study, we present a dataset that contains file fragments of five textual file formats: Binary file format for Word 97–Word 2003, Microsoft Word open XML format, portable document format, rich text file, and standard text document. This dataset contains the file fragments in three different languages: English, Persian, and Chinese. For each pair of file format and language, 1500 file fragments are provided. So, the dataset of file fragments contains 22,500 file fragments.

Fabian Faust,Aurélien Thierry,Tilo Müller,Felix Freiling

DOI: https://doi.org/10.48550/arXiv.2012.02573

2020-12-03

Abstract:In contrast to the common habit of taking full bitwise copies of storage devices before analysis, selective imaging promises to alleviate the problems created by the increasing capacity of storage devices. Imaging is selective if only selected data objects from an image that were explicitly chosen are included in the copied data. While selective imaging has been defined for post-mortem data acquisition, performing this process live, i.e., by using the system that contains the evidence also to execute the imaging software, is less well defined and understood. We present the design and implementation of a new live Selective Imaging Tool for Windows, called SIT, which is based on the DFIR ORC framework and uses AFF4 as a container format. We discuss the rationale behind the design of SIT and evaluate its effectiveness.

Other Computer Science

Zlatan Morić,Vedran Dakić,Ana Kapulica,Damir Regvart

DOI: https://doi.org/10.3390/electronics13224546

IF: 2.9

2024-11-27

Electronics

Abstract:This article delves into Microsoft Azure's cyber forensic capabilities, focusing on the unique challenges in cloud security incident investigation. Cloud services are growing in popularity, and Azure's shared responsibility model, multi-tenant nature, and dynamically scalable resources offer unique advantages and complexities for digital forensics. These factors complicate forensic evidence collection, preservation, and analysis. Data collection, logging, and virtual machine analysis are covered, considering physical infrastructure restrictions and cloud data transience. It evaluates Azure-native and third-party forensic tools and recommends methods that ensure effective investigations while adhering to legal and regulatory standards. It also describes how AI and machine learning automate data analysis in forensic investigations, improving speed and accuracy. This integration advances cyber forensic methods and sets new standards for future innovations. Unified Audit Logs (UALs) in Azure are examined, focusing on how Azure Data Explorer and Kusto Query Language (KQL) can effectively parse and query large datasets and unstructured data to detect sophisticated cyber threats. The findings provide a framework for other organizations to improve forensic analysis, advancing cloud cyber forensics while bridging theoretical practices and practical applications, enhancing organizations' ability to combat increasingly sophisticated cybercrime.

engineering, electrical & electronic,computer science, information systems,physics, applied

Reyhane Fakouri,Mehdi Teimouri

DOI: https://doi.org/10.1186/s13104-019-4812-0

2019-11-27

BMC Research Notes

Abstract:Abstract Objectives File fragment classification of image file formats is a topic of interest in network forensics. There are a few publicly available datasets of files with image formats. Therewith, there is no public dataset for file fragments of image file formats. So, a big research challenge in file fragment classification of image file formats is to compare the performance of the developed methods over the same datasets. Data description In this study, we present a dataset that contains file fragments of ten image file formats: Bitmap, Better Portable Graphics, Free Lossless Image Format, Graphics Interchange Format, Joint Photographic Experts Group, Joint Photographic Experts Group 2000, Joint Photographic Experts Group Extended Range, Portable Network Graphic, Tagged Image File Format, and Web Picture. Corresponding to each format, the dataset contains the file fragments of image files with different compression settings. For each pair of file format and compression setting, 800 file fragments are provided. Totally, the dataset contains 25,600 file fragments.

Vincent Falconieri

DOI: https://doi.org/10.48550/arXiv.1908.02449

2019-08-07

Abstract:Security analysts need to classify, search and correlate numerous images. Automatic classification tools improve the efficiency of such tasks. However, the main resources to develop these tools are datasets, which are introduced and provided by the present paper, for the specific cases of visual correlation of phishing and onion websites. CIRCL's Open-Source tools are the sources of these screenshots, which had been manually verified against personal information leaks. Usage examples of these datasets are proposed in the current paper. These researches directions are, however, not the main contribution of the paper. The main contribution is the availability of the two datasets.

Cryptography and Security

Ekraam Sabir,Soumyaroop Nandi,Wael AbdAlmageed,Prem Natarajan

DOI: https://doi.org/10.48550/arXiv.2108.12961

2021-08-30

Abstract:Research in media forensics has gained traction to combat the spread of misinformation. However, most of this research has been directed towards content generated on social media. Biomedical image forensics is a related problem, where manipulation or misuse of images reported in biomedical research documents is of serious concern. The problem has failed to gain momentum beyond an academic discussion due to an absence of benchmark datasets and standardized tasks. In this paper we present BioFors -- the first dataset for benchmarking common biomedical image manipulations. BioFors comprises 47,805 images extracted from 1,031 open-source research papers. Images in BioFors are divided into four categories -- Microscopy, Blot/Gel, FACS and Macroscopy. We also propose three tasks for forensic analysis -- external duplication detection, internal duplication detection and cut/sharp-transition detection. We benchmark BioFors on all tasks with suitable state-of-the-art algorithms. Our results and analysis show that existing algorithms developed on common computer vision datasets are not robust when applied to biomedical images, validating that more research is required to address the unique challenges of biomedical image forensics.

Computer Vision and Pattern Recognition

Yongjian Lou,Peng Wang,Ming Xu,Ning Zheng

DOI: https://doi.org/10.1109/ICISE.2009.351

2009-01-01

Abstract:Rapidly retrieving valuable information is vital in computer forensic, especially information with respect to the computer system itself. Attentions on the system information such as registry and event log have increasingly promoted the forensic researches. Event log is a very import file in computer, which contains a large amount of available information about what happened on the system observed, but current forensic tool on event log only can repair corrupted log files and has no effect on the situation that event log file has been fragmented. To address this problem, this paper presents an algorithm which allows search for windows event log file data fragments based solely on their data contents, without the need of any meta data. The algorithm is based on searching the signature in log file combining with computing the entropy difference between neighboring clusters. A tool was developed to automate recovery and parse of Windows NT5 (XP and 2003) event logs for computer forensic. This tool automates repair of multiple event logs and parse the recovered files without user intervention. The evaluation of this method shows an average accuracy of 82.5%, with lower false positive.

Chang Liu,Rebecca Saul,Yihao Sun,Edward Raff,Maya Fuchs,Townsend Southard Pantano,James Holt,Kristopher Micinski

2024-05-07

Abstract:Binary code is pervasive, and binary analysis is a key task in reverse engineering, malware classification, and vulnerability discovery. Unfortunately, while there exist large corpuses of malicious binaries, obtaining high-quality corpuses of benign binaries for modern systems has proven challenging (e.g., due to licensing issues). Consequently, machine learning based pipelines for binary analysis utilize either costly commercial corpuses (e.g., VirusTotal) or open-source binaries (e.g., coreutils) available in limited quantities. To address these issues, we present Assemblage: an extensible cloud-based distributed system that crawls, configures, and builds Windows PE binaries to obtain high-quality binary corpuses suitable for training state-of-the-art models in binary analysis. We have run Assemblage on AWS over the past year, producing 890k Windows PE and 428k Linux ELF binaries across 29 configurations. Assemblage is designed to be both reproducible and extensible, enabling users to publish "recipes" for their datasets, and facilitating the extraction of a wide array of features. We evaluated Assemblage by using its data to train modern learning-based pipelines for compiler provenance and binary function similarity. Our results illustrate the practical need for robust corpuses of high-quality Windows PE binaries in training modern learning-based binary analyses. Assemblage can be downloaded from

Cryptography and Security,Machine Learning

Juan A Herrera-Silva,Myriam Hernández-Álvarez

DOI: https://doi.org/10.3390/s23031053

2023-01-17

Abstract:Ransomware-related cyber-attacks have been on the rise over the last decade, disturbing organizations considerably. Developing new and better ways to detect this type of malware is necessary. This research applies dynamic analysis and machine learning to identify the ever-evolving ransomware signatures using selected dynamic features. Since most of the attributes are shared by diverse ransomware-affected samples, our study can be used for detecting current and even new variants of the threat. This research has the following objectives: (1) Execute experiments with encryptor and locker ransomware combined with goodware to generate JSON files with dynamic parameters using a sandbox. (2) Analyze and select the most relevant and non-redundant dynamic features for identifying encryptor and locker ransomware from goodware. (3) Generate and make public a dynamic features dataset that includes these selected parameters for samples of different artifacts. (4) Apply the dynamic feature dataset to obtain models with machine learning algorithms. Five platforms, 20 ransomware, and 20 goodware artifacts were evaluated. The final feature dataset is composed of 2000 registers of 50 characteristics each. This dataset allows for a machine learning detection with a 10-fold cross-evaluation with an average accuracy superior to 0.99 for gradient boosted regression trees, random forest, and neural networks.