Similar documents
20 similar documents found (search time 46 ms)
1.
Computer forensic tools for Apple Mac hardware have traditionally focused on low-level file system details. Mac OS X and common applications on the Mac platform provide an abundance of information about the user's activities in configuration files, caches, and logs. We are developing MEGA, an extensible tool suite for the analysis of files on Mac OS X disk images. MEGA provides simple access to the Spotlight metadata maintained by the operating system, yielding efficient file content search and exposing metadata such as digital camera make and model. It can also help investigators to assess FileVault-encrypted home directories. MEGA support tools are under development to interpret files written by common Mac OS applications such as Safari, Mail, and iTunes.

3.
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
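The first step in examining the in-memory registry is locating the cached hives. The following is an added example, not the paper's tool: it carves registry hive base blocks (the 512-byte "regf" header each hive begins with) out of a raw memory image and validates each candidate with the header's own XOR checksum, so that stray signature matches and torn pages are rejected. Field offsets follow the documented regf base-block layout; the memory image, hive names and sequence numbers are constructed inline for the demonstration. Once a header is found, comparing its sequence numbers and hive bins against the on-disk hive is how an examiner would spot a cached-only modification of the kind the abstract describes.

```python
"""Carve Windows registry hive base blocks ("regf") out of a raw memory image.

Added example (not from the paper). Scans a byte buffer for the "regf"
signature, parses the base block, and keeps only blocks whose checksum at
offset 0x1FC (XOR of the first 127 little-endian dwords) verifies.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

PAGE = 0x1000
BASE_BLOCK_SIZE = 0x200  # the base block is the first 512 bytes of a hive


@dataclass
class HiveHeader:
    offset: int          # where the base block sits in the image
    primary_seq: int     # primary == secondary means the hive was consistently written
    secondary_seq: int
    major: int
    minor: int
    root_cell: int       # offset of the root key cell, relative to the first hbin
    hbins_size: int      # total size of hive bin data
    name: str            # UTF-16LE file path stored in the header

    @property
    def dirty(self) -> bool:
        return self.primary_seq != self.secondary_seq


def regf_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian dwords, with Windows' 0/-1 fix-ups."""
    x = 0
    for (dw,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dw
    if x == 0:
        x = 1
    elif x == 0xFFFFFFFF:
        x = 0xFFFFFFFE
    return x


def parse_base_block(image: bytes, off: int) -> Optional[HiveHeader]:
    """Return a HiveHeader if a checksum-valid primary hive base block starts at off."""
    block = image[off:off + BASE_BLOCK_SIZE]
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        return None
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    if regf_checksum(block) != stored:
        return None  # signature present but header corrupt or torn: reject
    pri, sec = struct.unpack_from("<II", block, 0x04)
    major, minor, ftype, _fmt, root, hbins = struct.unpack_from("<IIIIII", block, 0x14)
    if major != 1 or ftype != 0:  # file type 0 = primary hive, 1 = transaction log
        return None
    name = block[0x30:0x30 + 64].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return HiveHeader(off, pri, sec, major, minor, root, hbins, name)


def carve_hives(image: bytes, step: int = PAGE) -> List[HiveHeader]:
    """Cached hives are page-aligned, so step by page size; use step=1 for an exhaustive scan."""
    found = []
    for off in range(0, len(image) - BASE_BLOCK_SIZE + 1, step):
        header = parse_base_block(image, off)
        if header:
            found.append(header)
    return found


def build_base_block(primary: int, secondary: int, name: str,
                     root: int = 0x20, hbins: int = 0x1000) -> bytes:
    """Constructed sample base block for the demo (not a real hive)."""
    b = bytearray(BASE_BLOCK_SIZE)
    b[0:4] = b"regf"
    struct.pack_into("<II", b, 0x04, primary, secondary)
    struct.pack_into("<IIIIII", b, 0x14, 1, 5, 0, 1, root, hbins)
    enc = name.encode("utf-16-le")[:64]
    b[0x30:0x30 + len(enc)] = enc
    struct.pack_into("<I", b, 0x1FC, regf_checksum(bytes(b)))
    return bytes(b)


def demo_image() -> bytes:
    """Constructed 4-page image: a clean hive, a decoy with a bad checksum, and a dirty hive."""
    clean = build_base_block(7, 7, r"\SystemRoot\System32\Config\SAM")
    dirty = build_base_block(9, 8, r"\??\C:\Users\x\NTUSER.DAT")
    decoy = bytearray(build_base_block(1, 1, "decoy"))
    decoy[0x24] ^= 0xFF  # corrupt a field without refreshing the checksum
    image = bytearray(4 * PAGE)
    image[0:BASE_BLOCK_SIZE] = clean
    image[PAGE:PAGE + BASE_BLOCK_SIZE] = bytes(decoy)
    image[2 * PAGE:2 * PAGE + BASE_BLOCK_SIZE] = dirty
    return bytes(image)


if __name__ == "__main__":
    for h in carve_hives(demo_image()):
        print(f"0x{h.offset:x} {h.name} seq={h.primary_seq}/{h.secondary_seq} dirty={h.dirty}")
```

A mismatch between the primary and secondary sequence numbers flags a hive that was mid-write when the image was taken; it is not by itself evidence of tampering, but it tells the examiner which in-memory hive bins to compare against the on-disk copy rather than trust outright.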

5.
Recently there has been a surge of interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel-level rootkits and anti-forensics, and the threat of subversion that they pose, threatens to undermine the reliability of such memory images and of digital evidence in general. In this paper we propose a method of acquiring the contents of volatile memory from arbitrary operating systems in a manner that provides point-in-time atomic snapshots of the host OS's volatile memory. Additionally, the method is more resistant to subversion due to its reduced attack surface. Our method is to inject an independent, acquisition-specific OS into the potentially subverted host OS kernel, snatching full control of the host's hardware. We describe an implementation of this proposal, which we call BodySnatcher, which has demonstrated proof of concept by acquiring memory from Windows 2000 operating systems.

6.
Modern forensic facial reconstruction techniques are based on an understanding of skeletal variation and tissue depths. These techniques rely upon a skilled practitioner interpreting limited data. To (i) increase the amount of data available and (ii) lessen the subjective interpretation, we use medical imaging and statistical techniques. We introduce a software tool, reality enhancement/facial approximation by computational estimation (RE/FACE), for computer-based forensic facial reconstruction. The tool applies innovative computer-based techniques to a database of human head computed tomography (CT) scans in order to derive a statistical approximation of the soft tissue structure of a questioned skull. A core component of this tool is an algorithm for removing the variation in facial structure due to skeletal variation. This method uses models derived from the CT scans and does not require manual measurement or placement of landmarks. It does not require tissue-depth tables, can be tailored to specific racial categories by adding CT scans, and removes much of the subjectivity of manual reconstructions.

7.
Using postmortem multislice computed tomography (MSCT) and magnetic resonance imaging (MRI), 40 forensic cases were examined and findings were verified by subsequent autopsy. Results were classified as follows: (I) cause of death, (II) relevant traumatological and pathological findings, (III) vital reactions, (IV) reconstruction of injuries, (V) visualization. In these 40 forensic cases, 47 partly combined causes of death were diagnosed at autopsy; 26 (55%) causes of death were found independently using only radiological image data. Radiology was superior to autopsy in revealing certain cases of cranial, skeletal, or tissue trauma. Some forensic vital reactions were diagnosed equally well or better using MSCT/MRI. Radiological imaging techniques are particularly beneficial for reconstruction and visualization of forensic cases, including the opportunity to use the data for expert witness reports, teaching, quality control, and telemedical consultation. These preliminary results, based on the concept of "virtopsy," are promising enough to introduce and evaluate these radiological techniques in forensic medicine.

9.
Virtual Machine Introspection (VMI) has emerged as a fine-grained, out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS). Specifically, it is performed by the Virtual Machine Monitor (VMM), or hypervisor. The reconstructed semantic details obtained by VMI are available at the hypervisor as a mixture of benign and malicious states. In order to distinguish between these two states, existing out-of-VM security solutions require extensive manual analysis. In this paper, we propose an advanced VMM-based, guest-assisted Automated Internal-and-External (A-IntExt) introspection system that leverages VMI, Memory Forensics Analysis (MFA), and machine learning techniques at the hypervisor. Further, we use the VMI-based technique to introspect digital artifacts of the live guest OS to obtain a semantic view of process details. We implemented an Intelligent Cross View Analyzer (ICVA) and embedded it in our proposed A-IntExt system; it examines the data supplied by VMI to detect hidden, dead, and dubious processes, while also predicting early symptoms of malware execution on the introspected guest OS in a timely manner. Machine learning techniques are used to analyze the executables that are mined and extracted using MFA-based techniques and to ascertain which executables are malicious. The practicality of the A-IntExt system is evaluated by executing large sets of real-world malware and benign executables on the live guest OSs. The evaluation achieved 99.55% accuracy and a 0.004 False Positive Rate (FPR) under 10-fold cross-validation when detecting unknown malware on the generated dataset. Additionally, the proposed system was validated against other benchmark malware datasets, and A-IntExt outperforms them in detecting real-world malware at the VMM by more than 6.3%.

10.
In this paper we propose an innovative methodology for automated profiling of illicit tablets by their surface granularity, a feature previously unexamined for this purpose. We make use of the tiny inconsistencies at the tablet surface, referred to as speckles, to generate a quantitative granularity profile of tablets. Euclidean distance is used as a measure of (dis)similarity between granularity profiles. The frequency of observed distances is then modelled by kernel density estimation in order to generalize the observations and to calculate likelihood ratios (LRs). The resulting LRs are used to evaluate the potential of granularity profiles to differentiate between same-batch and different-batch tablets. Furthermore, we use the LRs as a similarity metric to refine database queries. We are able to derive reliable LRs within a scope that represents the true evidential value of the granularity feature. These metrics are used to refine candidate hit-lists from a database containing physical features of illicit tablets. We observe improved or identical ranking of candidate tablets in 87.5% of cases when granularity is considered.

11.
Forensic analysis of physical memory is gaining attention from experts in the community, especially after the recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focuses on enumerating processes and threads by accessing memory-resident objects. To collect case-sensitive information from the extracted memory content, existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security-sensitive APIs. It allows extracting sensitive information that cannot be extracted by string-matching-based techniques. In addition, the paper leverages string matching to obtain a more reliable technique for analyzing and extracting what we call "application/protocol fingerprints". The proposed techniques and their implementation target machines running the Windows XP (SP1, SP2) operating system.

12.
The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in-memory-only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live investigation, physical memory collection and preservation, is available, the tools for completing the remaining steps remain incomplete. First-generation memory analyzers performed simple string and regular expression operations on the memory dump to locate data such as passwords, credit card numbers, fragments of chat conversations, and social security numbers. A more in-depth analysis can reveal information such as running processes, networking information, open file data, loaded kernel modules, and other critical information that can be used to gain insight into activity occurring on the machine when a memory acquisition occurred. To be useful, tools for performing this in-depth analysis must support a wide range of operating system versions with minimum configuration. Current live forensics tools are generally limited to a single kernel version or a very restricted set of closely related versions, or require substantial manual intervention.

This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows a large amount of information to be obtained and processed. Currently, this capability is used within a tool called RAMPARSER that is able to simulate commands such as ps and netstat as if an investigator were sitting at the machine at the time of the memory acquisition. Other applications of the developed capabilities include kernel-level malware detection, recovery of process memory and file mappings, and other areas of forensic interest.

13.
All Windows memory analysis techniques depend on the examiner's ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image. In some memory images up to 20% of all the virtual addresses in use point to so-called "invalid" pages that cannot be found using a naive method for address translation. This paper explains virtual address translation, enumerates the different states of invalid memory pages, and presents a more robust strategy for address translation. This new method incorporates invalid pages and even the paging file to greatly increase the completeness of the analysis. By using every available page, every part of the buffalo as it were, the examiner can better recreate the state of the machine as it existed at the time of imaging.
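What "incorporating invalid pages" means in practice is that a page-table entry with the hardware Present bit clear still carries information. The following added example (not the paper's tool) performs an x64 four-level page walk over a constructed physical image and a constructed pagefile, and instead of discarding a non-present PTE it decodes the software PTE layout Windows uses on x64: bit 11 set means a transition page whose frame is still resident; bit 10 set means a prototype PTE (resolvable only via the owning section object, so it is reported rather than resolved); otherwise bits 32..63 give the pagefile offset in pages and bits 1..4 the pagefile number, with offset 0 meaning a demand-zero page. Large pages and PAE/32-bit layouts are deliberately omitted. The `follow_invalid=False` path is the naive method the abstract contrasts against, so the two can be compared on the same image.

```python
"""x64 virtual-to-physical translation that follows "invalid" (non-present) PTEs.

Added example, not the paper's code. Physical memory, page tables and the
pagefile are all constructed inline. Software-PTE bit positions follow the
Windows x64 MMPTE layout (Transition = bit 11, Prototype = bit 10,
PageFileLow = bits 1..4, PageFileHigh = bits 32..63).
"""
from dataclasses import dataclass
from typing import Dict, Optional

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
PFN_MASK = 0x000F_FFFF_FFFF_F000             # hardware PTE: frame number in bits 12..51
TRANSITION_PFN_MASK = 0x0000_FFFF_FFFF_F000  # transition PTE: frame number in bits 12..47


@dataclass
class Resolved:
    source: str             # "ram", "transition", "pagefile", "zero", "prototype", "unmapped"
    offset: Optional[int]   # byte offset into the image or pagefile, None if not resolvable
    pagefile: int = 0       # which pagefile, when source == "pagefile"


class AddressSpace:
    def __init__(self, phys: bytes, cr3: int, pagefiles: Dict[int, bytes]):
        self.phys = phys
        self.cr3 = cr3 & PFN_MASK
        self.pagefiles = pagefiles

    def read_qword(self, paddr: int) -> Optional[int]:
        if paddr < 0 or paddr + 8 > len(self.phys):
            return None
        return int.from_bytes(self.phys[paddr:paddr + 8], "little")

    def translate(self, vaddr: int, follow_invalid: bool = True) -> Resolved:
        """Walk PML4 -> PDPT -> PD -> PT; the last level is where invalid PTEs are decoded."""
        indices = ((vaddr >> 39) & 0x1FF, (vaddr >> 30) & 0x1FF, (vaddr >> 21) & 0x1FF)
        pti = (vaddr >> 12) & 0x1FF
        page_off = vaddr & (PAGE_SIZE - 1)
        table = self.cr3
        for idx in indices:                       # upper levels must be present
            entry = self.read_qword(table + idx * 8)
            if entry is None or not (entry & 1):
                return Resolved("unmapped", None)
            table = entry & PFN_MASK
        pte = self.read_qword(table + pti * 8)
        if pte is None:
            return Resolved("unmapped", None)
        if not follow_invalid and not (pte & 1):
            return Resolved("unmapped", None)     # the naive method: non-present means lost
        return self.resolve_pte(pte, page_off)

    def resolve_pte(self, pte: int, page_off: int) -> Resolved:
        if pte == 0:
            return Resolved("unmapped", None)     # never populated
        if pte & 1:                               # hardware-valid
            return Resolved("ram", (pte & PFN_MASK) | page_off)
        if pte & (1 << 10):                       # prototype: indirection through a section
            return Resolved("prototype", None)
        if pte & (1 << 11):                       # transition: frame still holds the data
            return Resolved("transition", (pte & TRANSITION_PFN_MASK) | page_off)
        pf_index = (pte >> 1) & 0xF
        pf_page = pte >> 32
        if pf_page == 0:                          # demand-zero, never written out
            return Resolved("zero", None)
        pf = self.pagefiles.get(pf_index)
        pf_off = (pf_page << PAGE_SHIFT) | page_off
        if pf is None or pf_off >= len(pf):       # paged out, but we do not hold that pagefile
            return Resolved("unmapped", None)
        return Resolved("pagefile", pf_off, pf_index)

    def read(self, vaddr: int, n: int) -> Optional[bytes]:
        r = self.translate(vaddr)
        if r.source in ("ram", "transition"):
            return self.phys[r.offset:r.offset + n]
        if r.source == "pagefile":
            return self.pagefiles[r.pagefile][r.offset:r.offset + n]
        if r.source == "zero":
            return bytes(n)
        return None


def demo_space() -> AddressSpace:
    """Constructed image: PML4/PDPT/PD/PT in pages 0-3, data in pages 4-5, a 3-page pagefile 0."""
    phys = bytearray(8 * PAGE_SIZE)

    def put(paddr: int, value: int) -> None:
        phys[paddr:paddr + 8] = value.to_bytes(8, "little")

    put(0 * PAGE_SIZE, (1 * PAGE_SIZE) | 0x3)            # PML4[0] -> PDPT
    put(1 * PAGE_SIZE, (2 * PAGE_SIZE) | 0x3)            # PDPT[0] -> PD
    put(2 * PAGE_SIZE, (3 * PAGE_SIZE) | 0x3)            # PD[0]   -> PT
    pt = 3 * PAGE_SIZE
    put(pt + 0 * 8, (4 * PAGE_SIZE) | 0x3)               # VA 0x0000: valid
    put(pt + 1 * 8, (5 * PAGE_SIZE) | (1 << 11))         # VA 0x1000: transition
    put(pt + 2 * 8, (2 << 32) | (0 << 1) | (4 << 5))     # VA 0x2000: pagefile 0, page 2, RW
    put(pt + 3 * 8, 4 << 5)                              # VA 0x3000: demand-zero
    put(pt + 4 * 8, 1 << 10)                             # VA 0x4000: prototype
    phys[4 * PAGE_SIZE:4 * PAGE_SIZE + 8] = b"RESIDENT"
    phys[5 * PAGE_SIZE:5 * PAGE_SIZE + 8] = b"TRANSITN"
    pagefile = bytearray(3 * PAGE_SIZE)
    pagefile[2 * PAGE_SIZE:2 * PAGE_SIZE + 8] = b"PAGEDOUT"
    return AddressSpace(bytes(phys), cr3=0, pagefiles={0: bytes(pagefile)})


if __name__ == "__main__":
    sp = demo_space()
    for va in (0x0000, 0x1000, 0x2000, 0x3000, 0x4000, 0x5000):
        print(f"VA 0x{va:05x}: {sp.translate(va)} naive={sp.translate(va, False).source}")
```

On the constructed image the naive walk recovers only the one hardware-valid page, while the full decode also returns the transition page, the pagefile-backed page and the demand-zero page, which is exactly the "missing 20%" the abstract is describing.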

14.
File systems have always played a vital role in digital forensics, and during the past 30–40 years many of them have been developed to suit different needs. Some file systems are more tightly connected to a specific Operating System (OS); for instance, HFS and HFS+ have been the file systems of choice in Apple devices for over 30 years. Much has happened in the evolution of storage technologies: the capacity and speed of devices have increased and Solid State Drives (SSDs) are replacing traditional drives. All of these present challenges for file systems. APFS is a file system developed from first principles and will, in 2017, become the new file system for Apple devices. To date there is no available technical information about APFS, and this is the motivation for this article.

15.
Memory analysis has gained popularity in recent years, proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges, since many acquisition techniques require code to be run on a potentially compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, that does not rely on operating system facilities, making it more difficult to subvert. We then evaluate this technique's further vulnerability to subversion by considering more advanced anti-forensic attacks.

16.
Connection of a perpetrator to a sexual assault is best performed through the confirmed presence of semen, thereby proving sexual contact. Evidentiary items can include sanitary napkins or diapers containing superabsorbent polymers (SAPs), complicating spermatozoa visualization and DNA analysis. In this report, we evaluated the impact of SAPs on the current forensic DNA workflow, developing an efficient centrifugal protocol for separating spermatozoa from SAP material. The optimized filtration method was compared to the common practice of excising the top layer only, resulting in significantly higher sperm yields when a core sample of the substrate was taken. Direct isolation from the SAP-containing materials without filtering resulted in 20% sample failure; additionally, SAP material was observed in the final eluted DNA samples, causing physical interference. Thus, use of the described centrifugal-filtering method is a simple preliminary step that improves spermatozoa visualization and enables more consistent DNA yields, while also avoiding SAP interference.

17.
Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OS X) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes, including establishing prior connection activity and services used; identifying other systems present on the system's LAN or WLAN; geolocating the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and readily available forensic corpora. These techniques are valuable both to forensic tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.
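The word "validated" is doing the work in that abstract: an IPv4 header is a structure that can vouch for itself. The following is an added example, not the paper's tool, of the simplest such carve: it slides a 20-byte window over a raw memory image, accepts only windows with version 4 and IHL 5, and then requires the one's-complement header checksum to verify. Random bytes pass the version/IHL test about once in 256 positions but verify the checksum only about once in 65,536, which is what turns a signature match into a carve an examiner can rely on. Headers with IP options and the subsequent Ethernet/TCP/UDP layering are left out; the memory image and the addresses in it are constructed inline.

```python
"""Carve IPv4 headers out of a raw memory image, validated by the header checksum.

Added example (not the paper's code). The sample image is constructed below
with documentation-range addresses; no real capture is used.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IPv4Hit:
    offset: int
    src: str
    dst: str
    proto: int
    total_len: int
    ttl: int


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented.

    Over a header whose checksum field is filled in, a correct header yields 0.
    """
    s = 0
    for (w,) in struct.iter_unpack("!H", hdr):
        s += w
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse_ipv4(buf: bytes, off: int) -> Optional[IPv4Hit]:
    """Return an IPv4Hit if a checksum-valid, option-less IPv4 header starts at off."""
    if off + 20 > len(buf) or buf[off] != 0x45:   # version 4, IHL 5 (options not handled)
        return None
    hdr = buf[off:off + 20]
    if ipv4_checksum(hdr) != 0:                    # the validation step
        return None
    total_len, _ident, _flags_frag, ttl, proto = struct.unpack_from("!HHHBB", hdr, 2)
    if total_len < 20 or ttl == 0:                 # cheap plausibility filters
        return None
    src = str(ipaddress.IPv4Address(hdr[12:16]))
    dst = str(ipaddress.IPv4Address(hdr[16:20]))
    return IPv4Hit(off, src, dst, proto, total_len, ttl)


def carve_ipv4(buf: bytes) -> List[IPv4Hit]:
    """Byte-granular scan; after a hit skip only the header, since payloads in memory may be truncated."""
    hits: List[IPv4Hit] = []
    off = 0
    while off + 20 <= len(buf):
        hit = parse_ipv4(buf, off)
        if hit:
            hits.append(hit)
            off += 20
        else:
            off += 1
    return hits


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed header for the demo: DF set, no fragmentation, checksum computed."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                                ttl, proto, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


FILLER = b"\xde\xad\xbe\xef" * 16  # constructed slack; contains no 0x45 byte


def demo_image() -> bytes:
    """Constructed image: a TCP header+payload, a decoy with a bad checksum, a UDP header+payload."""
    tcp = build_ipv4_header("192.0.2.10", "198.51.100.7", 6, 17) + b"HTTP/1.1 200 OK\r\n"
    udp = build_ipv4_header("198.51.100.7", "192.0.2.10", 17, 8, ttl=128, ident=0xBEEF) + bytes(8)
    decoy = bytearray(tcp[:20])
    decoy[8] ^= 1                      # TTL changed without recomputing the checksum
    return FILLER + tcp + FILLER + bytes(decoy) + FILLER + udp + FILLER


if __name__ == "__main__":
    for h in carve_ipv4(demo_image()):
        print(f"0x{h.offset:04x} {h.src} -> {h.dst} proto={h.proto} len={h.total_len} ttl={h.ttl}")
```

The decoy is the interesting case: it has a perfectly plausible first byte, addresses and protocol, and a pattern-only scanner would report it; only the checksum rejects it. The same idea extends to the other structures the abstract mentions, with TCP and UDP pseudo-header checksums validating transport headers once the payload is still in memory.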

18.
In this paper we describe a method for recovering files mapped in memory and for linking mapped-file information to process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of the test memory dumps as being part of a memory-mapped file.

20.
In the present experiment, we were interested in the effects of drawings and practice on children's memory performance. Younger (6/7-year-olds; n = 37) and older (11/12-year-olds; n = 44) children were presented with two videos that differed in complexity. Half of the children had to practice recalling an experienced event (i.e., last holiday) before remembering the two videos. The other half was not presented with such practice. Then, all children had to tell what they could still recollect about the first video. For the second video, all children were allowed to draw and tell during the recollection of the event. As expected, we found that for the complex video, making a drawing increased the completeness of children's statements, but also reduced the accuracy of their statements. Although we found that including practice reduced the completeness of statements, it did not negatively impact the accuracy of children's memory reports. Taken together, our results imply that interviewers should be cautious in using drawings as an interviewing method as it might elevate the production of incorrect information.

Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号