1.
Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and readily available forensic corpora. These techniques are valuable both to forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.

2.
《Digital Investigation》2014,11(3):224-233
The allocation algorithm of the Linux FAT32 file system driver positions files on disk in such a way that their relative positions reveal information on the order in which these files have been created. This provides an opportunity to enrich information from (carved) file fragments with time information, even when such file fragments lack the file system metadata in which time-related information is usually to be found. Through source code analysis and experiments the behaviour of the Linux FAT allocator is examined. How an understanding of this allocator can be applied in practice is demonstrated with a case study involving a TomTom GPS car navigation device. In this case, time information played a crucial role. Large amounts of location records could be carved from this device's flash storage, yielding insight into the locations the device has visited, yet the carved records themselves offered no information on when the device had been at the locations. Still, bounds on the records' time of creation could be inferred when making use of filesystem timestamps related to neighbouring on-disk positions. Finally, we perform experiments which contrast the Linux behaviour with that of Windows 7. We show that the latter differs subtly, breaking the strong relation between creation order and position.

3.
The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in-memory-only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live investigation, physical memory collection and preservation, is available, the tools for completing the remaining steps remain incomplete. First-generation memory analyzers performed simple string and regular expression operations on the memory dump to locate data such as passwords, credit card numbers, fragments of chat conversations, and social security numbers. A more in-depth analysis can reveal information such as running processes, networking information, open file data, loaded kernel modules, and other critical information that can be used to gain insight into activity occurring on the machine when a memory acquisition occurred. To be useful, tools for performing this in-depth analysis must support a wide range of operating system versions with minimum configuration. Current live forensics tools are generally limited to a single kernel version, a very restricted set of closely related versions, or require substantial manual intervention. This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed. Currently, this capability is used within a tool called RAMPARSER that is able to simulate commands such as ps and netstat as if an investigator were sitting at the machine at the time of the memory acquisition. Other applications of the developed capabilities include kernel-level malware detection, recovery of process memory and file mappings, and other areas of forensic interest.

4.
Software-based memory acquisition on modern systems typically requires the insertion of a kernel module into the running kernel. On Linux, kernel modules must be compiled against the exact version of kernel headers and the exact kernel configuration used to build the currently executing kernel. This makes Linux memory acquisition significantly more complex in practice than on other platforms, due to the number of variations of kernel versions and configurations, especially when responding to incidents. The Linux kernel maintains a checksum of the kernel version and will generally refuse to load a module which was compiled against a different kernel version. Although there are some techniques to override this check, there is an inherent danger of an unstable kernel and possible kernel crashes. This paper presents a novel technique to safely load a pre-compiled kernel module for acquisition on a wide range of Linux kernel versions and configurations. Our technique injects a minimal acquisition module (parasite) into another valid kernel module (host) already found on the target system. The resulting combined module is then relinked in such a way as to grant code execution and control over vital data structures to the acquisition code, whilst the host module remains dormant during runtime.

5.
Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file, where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

6.
Corruption exists around the world and throughout human history, but societies undergoing rapid modernization and institutional transition tend to be more susceptible to this problem. This article analyzes the corruption-facilitating roles of guanxi networks under transition. It argues that when deficient political and economic institutions hamper the effective flow of information and resources and when fast structural changes generate uncertainty, people can resort to the guanxi network, an informal institution, to overcome these difficulties and advance their private interests. Using empirical evidence from reform-era China, this article demonstrates how the communication, exchange, and normative functions of guanxi networks enhance the opportunities, means, and incentives for public officials to engage in corruption, especially transactional corruption through particularistic ties.

7.
Digital forensic tools are being developed at a brisk pace in response to the ever increasing variety of forensic targets. Most tools are created for specific tasks (filesystem analysis, memory analysis, network analysis, etc.) and make little effort to interoperate with one another. This makes it difficult and extremely time-consuming for an investigator to build a wider view of the state of the system under investigation. In this work, we present FACE, a framework for automatic evidence discovery and correlation from a variety of forensic targets. Our prototype implementation demonstrates the integrated analysis and correlation of a disk image, memory image, network capture, and configuration log files. The results of this analysis are presented as a coherent view of the state of a target system, allowing investigators to quickly understand it. We also present an advanced open-source memory analysis tool, ramparser, for the automated analysis of Linux systems.

9.
The dramatic growth of storage capacity and network bandwidth is making it increasingly difficult for forensic examiners to report what is present on a piece of subject media. Instead, analysts are focusing on what characteristics of the media have changed between two snapshots in time. To date, different algorithms have been implemented for performing differential analysis of computer media, memory, digital documents, network traces, and other kinds of digital evidence. This paper presents an abstract differencing strategy and applies it to all of these problem domains. Use of an abstract strategy allows the lessons gleaned in one problem domain to be directly applied to others.

10.
Reflecting on the Occupy movement, particularly Occupy Wall Street, this article begins by addressing two major questions: how are social movements understood by legal academics; and how do social movements engage with law? Our aim is to present an alternative frame to understanding law and social movements. We draw on the work of Jean-Luc Nancy to explore law as both present and constituted in the coming together of persons in common which occurs in social movements. While the Occupy movement does engage with a form of law that is legislated and enacted through the government and legal system of a nation-state, the movement also forms and enacts law as part of its own processes. In this article we shift perspectives and attempt to think law within social movements. This involves a critical reading of some dominant approaches that explore social movements and law. Rather than situate our discussion within boundaries that seek to identify what is inside or outside a law and legal system that is determined and enforced by a nation-state (government and judicial system), our discussion of law involves a re-thinking of law. This law is part of a constant negotiation and it is involved in the dynamic processes of movements. Law involves establishing a limit and tracing this limit, but this limit is un-working itself as soon as it is constituted. The Occupy movements live law by existing not outside the law, but by rethinking the role and function of law in the movement and processes of community.

12.
Hidden services are anonymously hosted services that can be accessed over an anonymity network, such as Tor. While most hidden services are legitimate, some host illegal content. There has been a fair amount of research on locating hidden services, but an open problem is to develop a general method to prove that a physical machine, once confiscated, was in fact the machine that had been hosting the illegal content. In this paper we assume that the hidden service logs requests with some timestamp, and give experimental results for leaving an identifiable fingerprint in this log file as a timing channel that can be recovered from the timestamps. In 60 min, we are able to leave a 36-bit fingerprint that can be reliably recovered. The main challenges are the packet delays caused by the anonymity network that requests are sent over and the existing traffic in the log from the actual clients accessing the service. We give data to characterize these noise sources and then describe an implementation of timing-channel fingerprinting for an Apache web server based hidden service on the Tor network, where the fingerprint is an additive channel that is superencoded with a Reed-Solomon code for reliable recovery. Finally, we discuss the inherent tradeoffs and possible approaches to making the fingerprint more stealthy.

14.
This paper presents the results of an empirical examination of the methods small business assistance agencies in the Dominican Republic use to overcome technology transfer barriers. The availability and the methods agencies use to access the world's business knowledge are examined, as well as how the agencies disseminate the information to clients. The discussion identifies barriers that inhibit the flow of client information between (1) the knowledge pool and the agencies and (2) the agencies and the client. The strategies that agencies use to overcome barriers are characterized as push or pull, and informal or formal. Pull strategies begin with marketplace need and work toward the technology to solve the problem. Push strategies begin with specific business information and work toward its acceptance and use in the marketplace by clients. Personal interviews were conducted in Spanish with heads of the 13 assistance agencies in the country. Survey participants were asked about the processes, procedures, and techniques they used to gain and transfer business skills. The study identifies specific activities in which the agencies engage in order to effectively overcome barriers to the transfer of business knowledge.

15.
Trust is an important feature for all users of the Internet who rely on the safety and security of network technologies and systems for their daily lives. Trust, or the lack of it, has also been identified by the European Commission's Digital Agenda as a major barrier to further development of the information society in Europe. One of the areas in which concerns have been raised is in relation to children's safety online. As a result, substantial efforts have been made by policymakers and by the industry to build greater trust and confidence in online digital safety. This paper examines what trust means in the context of children's use of the Internet. Should policy on trust enhancement, for instance, include children's own trust in the technologies or services they use, or is it sufficient to seek to reinforce parental and adult confidence that children can be adequately protected? What is required to build that trust from either perspective? Does it need, or should it include, a relationship of trust between parents and children? To tease out these questions further, the paper examines current European Union policy frameworks on digital safety, particularly industry responses to the call for a more trusted Internet environment for children, and argues that technical solutions, to be effective, need to carefully balance a number of competing objectives and to be sufficiently grounded in evidence of parental and child experience of the Internet.

16.
A recent Australian Federal Court decision has raised the issue of the scope of information protected under the Australian Privacy Act 1988. The Court failed to adequately address this question, leaving Australians unsure as to whether sections of their information, such as the IP addresses allocated to their mobile devices, will be considered personal information under the Act. The main consideration the Court dealt with was what it means for information to be "about" an individual. In this paper I address two questions: a) how is information determined to be "about" an individual under the Act; and b) how should this determination be made in the future? I conclude that currently available guidance from the courts, the Australian Information Commissioner and scholarly commentary is inadequate to enable individuals, organisations and agencies to consistently make such determinations. Accordingly, I draw on approaches to this question taken in Canada, New Zealand, the European Union and the United Kingdom to argue that the definition should be broadly interpreted in a technologically-aware manner. This will help to ensure that personal information is more comprehensively protected under the Privacy Act.

17.
Globalization processes have rendered non-state actors an integral part of global governance. The body of literature that has examined non-state actor involvement in global governance has focused mainly on whether and how non-state actors can influence states. Less attention has been paid to the comparative advantages of non-state actors to answer questions about agency across categories of non-state actors, and more precisely what governance activities non-state actors are perceived to fulfil. Using unique survey material from two climate change conferences, we propose that different categories of non-state actors have distinct governance profiles. We further suggest that the different governance profiles are derived from particular power sources and that agency is a function of these profiles. The study thereby contributes to a strand in the literature focusing on the authority of non-state actors in climate governance and broadens the methodological toolkit for studying the "governors" of global governance.

18.
Although fairness rules provide a basis for conflict resolution, social and psychological processes can lead people to use these rules flexibly to allow their own groups to compare favorably relative to other groups. In two studies, we examined the expression of such ethnocentric fairness in the context of the Olympic Games. Participants rated the fairness of different methods of determining relative rankings of countries' performances. Results showed that participants used fairness rules flexibly in ways likely to enhance the relative standing of their own country. Thus, even in this context of normative intergroup harmony, fairness rules can be a basis for intergroup conflict. We conclude that fairness rules are best understood as dynamic constructions reflecting the realities of social life and identity-related processes involved in negotiating that social life.

19.
In the present paper we analyse some of the preconditions for the emergence of democracy in Ancient Greece. For democracy to emerge in Ancient Greece a combination of several enabling factors proved decisive: the development of a new military tactic, the phalanx, marked by the appearance of a new type of heavy infantry warrior, the hoplite, who individually owned some property, i.e. land, sufficient to permit him to finance his weaponry, and a city-state culture. We describe the emergence of this new type of warrior, link this emergence to the establishment of individual property rights and show how this brought about a military revolution, exemplified in a new tactical formation, the phalanx. We then proceed by showing how the attitudes and learning processes made necessary by this new type of warfare were transformed into the civic values and virtues that shaped democratic institutions. Our thesis can thus be briefly termed the "military cum city-state" explanation of democracy.

20.
Virtual world economies are undoubtedly increasing in growth, participation and importance. Their macroeconomic impact has already been seen as important in real world economies; however, their governance and jurisdiction are unclear. This paper will argue that virtual economies are not actually as virtual as they first appear to be. Secondly, the paper argues that because of the real world effects and impacts virtual world economies can have, they should be subject to real world jurisdictions and regulations. The question that is therefore posed is: in which jurisdiction should the legal backbone be placed? The paper will be divided into several parts. Firstly, a background of what virtual worlds are, and what they mean in linguistic definition. Secondly, a review of law, economics and history shall be considered to determine that what was once considered 'other worldly' is accepted as the norm. Thirdly, the paper will consider a virtual world economy, namely that of Second Life, to establish the real world impacts that virtual world economies can have. Fourthly, the paper will consider two case studies of financial crisis occurring in the virtual worlds and the synergies we can draw from the real world. Finally, the paper will conclude with the proposition that legal governance is required and will enable what is already a lucrative business to flourish further within the realms of possibility and not virtually.
