IFIP WG 11.9 ICDF 2022 - Two Papers accepted
23 Dezember 2021
The article On Realistic and Configurable Synthesis of Malware Traces on Windows Systems, based on the master thesis of our student Martin Lukner from the Universität der Bundeswehr München, was accepted. The paper will be presented at the IFIP WG 11.9 2022 International Conference on Digital Forensics fully virtual in January 2022.
Authors: Martin Lukner, Thomas Göbel and Harald Baier
Abstract:
Malware constitutes a long-term challenge for the operation of contemporary IT systems. In order to handle this challenge, both experts (who are able to deal with infected systems) and tools (e.g., algorithms, software to automatically detect malware) are needed. In order to train experts and tools and keep them up-to-date, a tremendous amount of realistic, present-day training data is necessary. Unfortunately, there is a large gap in training data compared to its actual demand, especially in the area of digital forensic images containing recent malware due to different reasons (e.g., privacy, competitive advantage, intellectual property rights, secrecy). A promising and evolving solution to provide recent, realistic corpora constitute data set synthesis frameworks. However, none of the publicly available frameworks yet provides the possibility to create realistic malware traces in a customisable way (i.e., the traces can be configured to meet individual needs). In this paper we present a concept, implementation, and evaluation to provide such a synthesis framework to generate traces for the Windows operating system. Our work is based on a configurable extension of the data set synthesis framework hystck. We make use of a client-server model and are able to generate coherent malware traces on three levels: in RAM, on the hard disk as well as in the network. As evaluation scenario we provide a typical malware infection to exfiltrate data. We evaluate the whole synthetic malware operation life cycle and show that the a priori configured malware traces actually exist on all three levels as desired and may hence be investigated as usual by digital forensic experts and tools.
The second paper that was accepted at IFIP WG 11.9 ICDF is Out of the Dark - On Actual Data Distribution in Mobile Devices and the Need to Obtain Realistic Mobile Forensic Corpora.
This paper was written as a cooperation between CODE at Universität der Bundeswehr München and ZITiS München (Central Office for Information Technology in the Security Sector).
Authors: Patrik Gonçalves, Andreas Attenberger and Harald Baier
Abstract:
Mobile devices like smartphones accompany our daily lives and play an important role in contemporary forensic investigations. As a consequence, digital forensic examiners like law enforcement officers are confronted with large amounts of mobile devices to be forensically
extracted and analyzed. In the scope of education and training of mobile forensic experts and the development and evaluation of mobile forensic tools, a capacious amount of realistic mobile data is necessary. Unfortunately, different barriers like secrecy (e.g., based on official secrets) lead to a large discrepancy of availability of digital forensics training
data. More precisely, real mobile data sets are typically not available for public use and actual available mobile test data are sparse and often unrealistic. Furthermore, the digital forensics community lacks knowledge about actual data distributions on real mobile devices. In this paper we present and discuss a survey of interviews with law enforcement officers from two countries to specify ’typical’ mobile data on smartphones based on their professional experience in digital forensic investigations. As a result, we provide an overview of the data distribution on smartphones as found with current forensic tools. Additionally, we subdivide the typical data into the well-known forensic classes ’relevant’ and ’irrelevant’, respectively. Our goal is to emphasize and ease the creation of individual mobile forensic test data. Further, we assess current problems and needs by mobile forensic experts to derive possible future research topics.