IMF 2024 - Two papers accepted

16 September 2024

Our article on Data Synthesis is Going Mobile – On Community-driven Dataset Generation for Android Device was accepted at IMF 2024. This article presents a novel approach for the automatic generation of forensically sound Android smartphone dumps, which completely controls the GUI of the smartphone and is based on Android Studio and Android View Client. The paper will be presented at the 13th International Conference on IT Security Incident Management & IT Forensics (IMF) 2024 in Saarbrücken, Germany in September 2024.

Authors: Markus Demmel and Thomas Göbel (Universität der Bundeswehr München), Patrik Gonçalves (Zentrale Stelle für Informationstechnik im Sicherheitsbereich (ZITiS)), Harald Baier (Universität der Bundeswehr München)

Abstract:

Personal electronic devices such as smartphones and smartwatches have become indispensable daily companions, collecting a multitude of personal and sensitive data. As a result, they are of paramount importance in digital forensic examinations. However, there is a lack of publicly available and ready-to-use digital forensic datasets, especially in mobile forensics. This work presents a concept and an open-source proof-of-concept implementation, which simplifies and automates the creation of mobile forensic datasets within the scope of the Android operating system. In contrast to previous approaches, which populate the most common databases of an Android device, our concept is based on community-driven playbooks and makes use of interaction with the actual smartphone GUI. Hence, we are able to generate coherent and realistic traces as they occur in real-world human usage. Our proof-of-concept implementation is based on the standard Android emulation environment and borrows tools from the user interface testing community. Our evaluation shows that our approach actually generates realistic Android datasets. For instance, we can generate traces that cannot be simulated by gestures (e.g., changing the GPS position or triggering incoming phone calls). Recording the actual data synthesis process allows users to either create and share their own playbooks (i.e., the exact instructions for the data synthesis process rather than having to share the full image) or reproduce Android images with different scenarios using playbooks previously created and shared by the community.

 

Furthermore, our article on Causal Inconsistencies are Normal in Windows Memory Dumps (too) was accepted at IMF 2024. This article performs a systematic assessment of causal inconsistencies in memory dumps taken on a Windows 10 machine using the kernel-level acquisition tool WinPmem. The paper will be presented at the 13th International Conference on IT Security Incident Management & IT Forensics (IMF) 2024 in Saarbrücken, Germany in September 2024.

Authors: Lisa Rzepka (Universität der Bundeswehr München), Jenny Ottmann and Felix Freiling (Friedrich-Alexander-Universität Erlangen-Nürnberg), Harald Baier (Universität der Bundeswehr München)

Abstract: 

Main memory contains valuable information for criminal investigations, e.g., process information or keys for disk encryption. Taking snapshots of memory is therefore common practice during a digital forensic examination. Inconsistencies in such memory dumps can, however, hamper their analysis. In this paper, we perform a systematic assessment of causal inconsistencies in memory dumps taken on a Windows 10 machine using the kernel-level acquisition tool WinPmem. We use two approaches to measure the quantity of inconsistencies in Windows 10: (1) causal inconsistencies within self-injected memory data structures using a known methodology transferred from the Linux operating system, and (2) inconsistencies in the memory management data structures of the Windows kernel using a novel measurement technique based on properties of the virtual address descriptor (VAD) tree. Our evaluation is based on a dataset of more than 180 memory dumps. As a central result, both types of inconsistency measurement reveal that a high number of inconsistencies is the norm rather than the exception. We also correlate workload and execution time of the memory acquisition tool to the number of inconsistencies in the respective memory snapshot. By controlling these factors it is possible to (somewhat) control the level of inconsistencies in Windows memory dumps.

Aktuelles

NordSec 2024 - Paper accepted

We will present our work on Do-it-yourself drones in Karlstad (Sweden) at the NordSec 2024.

ForTrace Workshop @ DFRWS APAC 2024

We are offering a workshop at DFRWS APAC 2024 on our data synthesis framework ForTrace.

IWODF 2024 - Paper accepted

Our paper on "Scenario-based Data Set Generation for Use in Digital Forensics: A Case Study" was accepted for presentation at the IWODF (INFORMATIK) 2024.

Vortrag des Forschungsinstituts CODE auf der 31. DFN-CERT Konferenz in Hamburg

Als externer Doktorand stellte Michael Mundt die Arbeit "Gib dem Dino Futter – adaptive Detektion von Bedrohungen in KRITIS-Netzwerken mittels Open-Source-Forensik" auf der 31. DFN-CERT Konferenz am 30./31. Januar vor.

ForTrace Workshop @ DFRWS EU 2024

We will present our research on the ForTrace data synthesis framework for digital forensics at the DFRWS EU 2024.

DFRWS EU 2024 - Two papers accepted

Our two papers on "Hypervisor-based Data Synthesis: On its Potential to Tackle the Curse of Client-side Agent Remnants in Forensic Image Generation" and "Ubi est indicium? On Forensic Analysis of the UBI File System" were accepted for presentation at the DFRWS EU 2024.