SADFE 2020 Accepted Papers with Abstracts

Wayne Henry and Gilbert Peterson. Exploring Provenance Needs in Software Reverse Engineering

Abstract:

Reverse engineers are in high demand in digital forensics for their ability to investigate malicious cyberspace threats. This group faces unique challenges due to the security-intensive environment, such as working in isolated networks, a limited ability to share files with others, immense time pressure, and a lack of cognitive support tools for the iterative exploration of binary executables. This paper presents an exploratory study that interviewed experienced reverse engineers about their work processes, tools, challenges, and visualization needs. The findings demonstrate that engineers have difficulties managing hypotheses, organizing results, and reporting findings during their analysis. By considering the provenance support techniques of existing research in other domains, this study contributes new insights about the needs and opportunities for reverse engineering provenance tools.

Ao Shen and Kam Pui Chow. Time and Location Topic Model for analyzing Lihkg forum data

Abstract:

Many online crimes leave traces on social media platforms and online forums. These traces are buried in millions of messages and posts, including regular posts, information, advertisements, and so on. Extracting and analyzing criminal characteristics entirely by hand requires considerable time and effort. In traditional text analysis, common word segmentation tools do not meet the needs of specialized domains and special vocabulary (such as proper nouns, dialects, acronyms, and metaphors). We therefore use posts from the Lihkg online forum between August 1st and October 10th, 2019 as a corpus and propose a topic vectorization method based on character embedding and Chinese word segmentation, training a multi-layer perceptron (MLP) neural network as a location topic model and evaluating it empirically. The results show that the method and the model can correctly identify the time and the location of criminal rally activities by learning from the existing location corpus. The approach can also improve traditional investigation and monitoring methods, and provides theoretical support and application examples for public opinion monitoring, crime prevention, and crime investigation.
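
As a concrete illustration of the general approach described above, the following minimal sketch (not the authors' implementation) classifies forum posts into location topics using character n-gram features and an MLP; the toy posts, labels, and feature settings are assumptions for illustration only.

    # Minimal sketch: character-level features plus an MLP location classifier.
    # Toy data and parameters are illustrative, not the paper's.
    from sklearn.feature_extraction.text import HashingVectorizer
    from sklearn.neural_network import MLPClassifier
    from sklearn.pipeline import make_pipeline

    # Hypothetical labeled posts: (text, location label)
    posts = ["8.18 維園 集會", "旺角 遊行 晚上八時", "維園 見", "旺角 警署 附近"]
    labels = ["Victoria Park", "Mong Kok", "Victoria Park", "Mong Kok"]

    # Character n-grams sidestep word segmentation problems with proper nouns,
    # dialect terms, and slang; a learned character embedding could replace
    # this vectorizer.
    model = make_pipeline(
        HashingVectorizer(analyzer="char", ngram_range=(1, 3), n_features=2**16),
        MLPClassifier(hidden_layer_sizes=(64,), max_iter=500, random_state=0),
    )
    model.fit(posts, labels)
    print(model.predict(["今晚 維園 集合"]))  # likely "Victoria Park" given shared characters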

Tobias Groß, Richard Dirauf and Felix Freiling. Systematic Analysis of Browser History Evidence

Abstract:

Traces of browser usage are an important piece of digital evidence in many law cases. In the literature, it is usually assumed that the entries in the browser history and the browser cache reliably indicate which URL was accessed and at which time this was done. Using the market leaders Google Chrome and Mozilla Firefox as examples, and comparing our results with older versions of Internet Explorer, we show that this exact correspondence between the stored URL and the real URL on the one hand, and between the stored timestamp and the real time of the action on the other, does not always hold. On the contrary, it is rather common that browsers record the timestamp of a user action several seconds after the action really happened. It can even happen that browsers record a different domain than the domain that was actually visited. The basis for our insights was a large-scale experiment using an automatic deployment of virtual machines, resulting in a dataset of considerable size.
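
The paper's caveat applies to records such as the following; for context, here is a minimal sketch (not the paper's experimental pipeline) of reading URLs and timestamps from a copied Chrome History database. The schema shown (urls.url, urls.last_visit_time) and the WebKit-epoch conversion reflect common Chrome versions and are assumptions that may differ across releases; per the paper, such stored values should not be taken at face value.

    # Minimal sketch: dump URL and last-visit timestamp from a Chrome 'History'
    # SQLite file. Schema and timestamp encoding may vary across versions.
    import sqlite3
    from datetime import datetime, timedelta, timezone

    WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

    def chrome_time(microseconds: int) -> datetime:
        # Chrome stores timestamps as microseconds since 1601-01-01 UTC.
        return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

    def dump_history(path: str) -> None:
        # Work on a copy; the live file is locked while the browser runs.
        con = sqlite3.connect(path)
        for url, ts in con.execute("SELECT url, last_visit_time FROM urls"):
            print(chrome_time(ts).isoformat(), url)
        con.close()

    # dump_history("History")  # path to a copied Chrome profile's History file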

Donginn Kim, Vafa Andalibi and L. Jean Camp. Fingerprinting Edge and Cloud Services in IoT

Abstract:

Man-in-the-middle (MITM) and masquerade attacks are a major concern for Internet of Things (IoT) security. There are multiple examples of real-world scenarios where the Edge network is compromised as a result of vulnerabilities. Such events happen at remote points beyond the users' control and knowledge. Therefore, when IoT devices interact with an Edge service, the integrity or authenticity of that service is not guaranteed. As such, Fog nodes could be subject to MITM attacks, and IoT devices attempting to connect to Edge services may be subverted by such attacks. In this paper we present a privacy-friendly solution to detect MITM attacks targeting the Fog nodes and networks on the user’s side by implementing a localized Edge fingerprinting service that validates the integrity of the remote servers.
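
The abstract does not detail the fingerprinting mechanism; as one hedged illustration of the general idea, the sketch below pins the SHA-256 fingerprint of an Edge service's TLS certificate and compares it on later connections. The host name and pinned value are hypothetical, and certificate pinning is only one possible realization of such a fingerprinting service.

    # Minimal sketch: certificate-fingerprint pinning as a MITM indicator.
    # Hostname and pinned value are placeholders.
    import hashlib
    import ssl

    def cert_fingerprint(host: str, port: int = 443) -> str:
        pem = ssl.get_server_certificate((host, port))
        der = ssl.PEM_cert_to_DER_cert(pem)
        return hashlib.sha256(der).hexdigest()

    # Fingerprint recorded at enrollment time (placeholder value).
    PINNED = "replace-with-enrollment-fingerprint"

    def looks_tampered(host: str) -> bool:
        # A mismatch means a different certificate was presented: possibly
        # interception, possibly a legitimate certificate rotation.
        return cert_fingerprint(host) != PINNED

    # print(looks_tampered("edge.example.com"))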

Patrick Duessel, Sven Dietrich, Shoufu Luo, Michael Meier and Ulrich Flegel. Tracing Privilege Misuse Through Behavioral Anomaly Detection in Geometric Spaces

Abstract:

Privilege misuse is a common technique used by insiders to exfiltrate proprietary information or sabotage organizations. Although operating systems provide means to log security-related activities, indicators of compromise are often difficult to detect due to the proprietary nature of the logging mechanisms in place, rendering the analysis of log files a daunting task. In this contribution we present a format-agnostic approach to detect privilege misuse based on rule-free user activity models learned over security audit logs typically provided by servers. We investigate language-model-based feature types (i.e., token grams, temporal token grams, and attributed token grams) using One-Class Support Vector Machines (OC-SVM). We conduct experiments on synthetic as well as real-world data collected on Microsoft Windows 2008 servers to investigate the effect of feature types and similarity measures, and demonstrate the usability of this approach for privilege misuse detection as part of an insider threat detection program.
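
As a hedged, simplified illustration of the technique named above (not the paper's feature extraction or data), the following sketch trains a one-class SVM on token n-gram features of a user's normal audit events and flags a deviating event; the sample log lines and hyperparameters are assumptions.

    # Minimal sketch: one-class SVM over token n-grams of audit log entries.
    # Sample events and hyperparameters are illustrative only.
    from sklearn.feature_extraction.text import TfidfVectorizer
    from sklearn.pipeline import make_pipeline
    from sklearn.svm import OneClassSVM

    normal_events = [
        "4624 LOGON user=alice host=FS01 type=3",
        "4663 OBJECT_ACCESS user=alice object=\\share\\reports access=read",
        "4634 LOGOFF user=alice host=FS01",
    ] * 20  # repeated to stand in for a realistic training volume

    detector = make_pipeline(
        # token 1- and 2-grams as a stand-in for the paper's token-gram features
        TfidfVectorizer(token_pattern=r"\S+", ngram_range=(1, 2)),
        OneClassSVM(kernel="rbf", gamma="scale", nu=0.05),
    )
    detector.fit(normal_events)

    suspicious = "4672 SPECIAL_PRIVILEGES user=alice privilege=SeDebugPrivilege"
    print(detector.predict([suspicious]))  # OneClassSVM returns -1 for outliers, +1 for inliers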

Jesse B. Crawford and Yong Guan. Knowing your Bitcoin Customer: Money Laundering in the Bitcoin Economy

Abstract:

Cryptocurrencies like Bitcoin have the potential to break down traditional financial barriers, which has attracted great interest from civilian users, the financial and online commercial industries, and researchers. However, a recent study reported that approximately one-quarter of Bitcoin users and one-half of Bitcoin transactions are associated with illicit activity. Around US$72 billion of unlawful activity per year involves Bitcoin, which is close to the scale of the U.S. and European markets for illegal drugs. We have made an effort to understand and exhaustively discover Bitcoin mixing or tumbling services (essentially money laundering mechanisms) that exist or have existed. In our study, 69 services were identified, and evaluation of the public discussion around these services reveals certain trends in Bitcoin users' understanding of privacy issues and in the enforcement of anti-money laundering regulation. So far, law enforcement interference with Bitcoin laundering services is uncommon, while our study showed that most services failed due to a lack of user trust. Trust is perhaps the greatest challenge among Bitcoin anonymization services, as many services that have existed appear to be outright scams, and even legitimate services sometimes disappear with user funds. We report further observations and discussion at the end of the paper.

Radina Stoykova and Katrin Franke. Standard representation for digital forensic processing

Abstract:

This paper discusses the lack of reliability and reproducibility validation in digital forensics for criminal trials. It is argued that this challenge can be addressed with a standard data representation for digital evidence. The representation must include reproducibility documentation covering processing operations, including automation, human interaction, and investigation steps. Two blueprint articles are analyzed: the CASE specification language for cyber-investigations [1] and the WANDA data standard for documenting semi-automated handwriting examination [2]. These two generic frameworks are studied for their granularity to support reproducibility testing by representing: (i) artefact characteristics, forensic tool parameters, and input-output logic; (ii) human and tool data interpretation; and (iii) parallel-running forensic tasks or chains of processes. The integration of a WANDA-based schema as a CASE expression is proposed. The utility of such an integration is demonstrated as a new module in CASE designed to meet the high standard of proof and scientific validation typically required in criminal investigations and trials. The expression ensures compliance without overburdening digital forensic practitioners.
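
To make the kind of documentation the paper calls for more concrete, here is a hypothetical, simplified record of a single processing step covering tool parameters, input-output relations, and the examiner's interpretation. The field names are illustrative only and do not reproduce the actual CASE or WANDA vocabularies.

    # Hypothetical provenance record for one processing step; field names are
    # illustrative and not actual CASE/WANDA terms.
    import json

    step = {
        "@type": "ProcessingStep",
        "tool": {
            "name": "example-carver",  # hypothetical tool
            "version": "1.4.2",
            "parameters": {"block_size": 512, "signatures": ["jpeg", "pdf"]},
        },
        "input": {"artifact": "image_001.dd", "sha256": "<hash of the input image>"},
        "output": {"artifact": "carved/", "item_count": 37},
        "performedBy": {
            "role": "examiner",
            "interpretation": "37 files recovered; 2 flagged as partially overwritten",
        },
        "startTime": "2020-02-11T09:14:00Z",
        "automated": True,
    }
    print(json.dumps(step, indent=2))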