OBA2: An Onion approach to Binary code Authorship Attribution

A critical aspect of malware forensics is authorship analysis. The successful outcome of such analysis is usually determined by the reverse engineer's skills and by the volume and complexity of the code under analysis. To assist reverse engineers in such a tedious and error-prone task, it is desirable to develop reliable and automated tools for supporting the practice of malware authorship attribution. In a recent work, machine learning was used to rank and select syntax-based features such as n-grams and flow graphs. The experimental results showed that the top ranked features were unique for each author, which was regarded as an evidence that those features capture the author's programming styles. In this paper, however, we show that the uniqueness of features does not necessarily correspond to authorship. Specifically, our analysis demonstrates that many “unique” features selected using this method are clearly unrelated to the authors' programming styles, for example, unique IDs or random but unique function names generated by the compiler; furthermore, the overall accuracy is generally unsatisfactory. Motivated by this discovery, we propose a layered Onion Approach for Binary Authorship Attribution called OBA2. The novelty of our approach lies in the three complementary layers: preprocessing, syntax-based attribution, and semantic-based attribution. Experiments show that our method produces results that not only are more accurate but have a meaningful connection to the authors' styles.     

Anti-forensic resilient memory acquisition

Memory analysis has gained popularity in recent years proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges since many acquisition techniques require code to be run on a potential compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, without relying on operating system facilities - making it more difficult to subvert. We then evaluate this technique's further vulnerability to subversion by considering more advanced anti-forensic attacks.     

A survey of main memory acquisition and analysis techniques for the windows operating system

Traditional, persistent data-oriented approaches in computer forensics face some limitations regarding a number of technological developments, e.g., rapidly increasing storage capabilities of hard drives, memory-resident malicious software applications, or the growing use of encryption routines, that make an in-time investigation more and more difficult. In order to cope with these issues, security professionals have started to examine alternative data sources and emphasize the value of volatile system information in RAM more recently. In this paper, we give an overview of the prevailing techniques and methods to collect and analyze a computer's memory. We describe the characteristics, benefits, and drawbacks of the individual solutions and outline opportunities for future research in this evolving field of IT security.     

27个常染色体AIM-SNP的筛选和验证

目的构建27个常染色体AIM-SNP组合用于未知个体种族来源推断。方法通过对Hap Map数据库中描述祖先遗传信息标记的908个AIMs位点(非洲、欧洲、东亚人群)筛选,选出27个AIMs位点组合,利用相关软件同时与数据库908个AIMs不同子集合的分析进行对比,验证其推断祖先来源的可行性。结果应用本研究27个AIMs的SNP多态性分析方法可以正确推断未知样品祖先起源,估算祖先成分比例。结论本研究建立的常染色体27个AIMs的SNP多态性分析方法可准确推断来自于欧洲、非洲、东亚3大祖先血统个体的祖先来源,是SNP多态性分析用于个体种族来源推断的一种有效方法,在法医实践中可以用于DNA检验中未知DNA供者洲际人群祖先来源推断。     

Scalable code clone search for malware analysis

Reverse engineering is the primary step to analyze a piece of malware. After having disassembled a malware binary, a reverse engineer needs to spend extensive effort analyzing the resulting assembly code, and then documenting it through comments in the assembly code for future references. In this paper, we have developed an assembly code clone search system called ScalClone based on our previous work on assembly code clone detection systems. The objective of the system is to identify the code clones of a target malware from a collection of previously analyzed malware binaries. Our new contributions are summarized as follows: First, we introduce two assembly code clone search methods for malware analysis with a high recall rate. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we present a scalable system with a database model to support large-scale assembly code search. Finally, experimental results on real-life malware binaries suggest that our proposed methods can effectively identify assembly code clones with the consideration of different scenarios of code mutations.     

Out of sight,but not out of mind: Traces of nearby devices' wireless transmissions in volatile memory

An IEEE 802.11 wireless device can leave traces of its presence in the volatile memories of nearby wireless devices. While the devices need to be in radio range of each other for this to happen, they do not need to be connected to the same network—or to any network at all. Traces appear in the form of full wire-type frames; a residue of the signals in the ether. We examine types of information that can be extracted from such residual frames and explore the conditions under which traces develop and persist. Their availability is determined by factors in both in the external environment (the types of signals in the ether) and the internal environment (the configuration and particulars of a device's wifi stack). To isolate some of these factors, we have created memory dumps of devices in various environments and configurations. Analysis of the dumps has offered insights into the conditions determining creation and decay of the traces. The results indicate that they will be available in a limited number of real-world scenarios. We conclude with practical advice on triaging and preservation.     

A study of user data integrity during acquisition of Android devices

At the time of this writing, Android devices are widely used, and many studies considering methods of forensic acquisition of data from Android devices have been conducted. Similarly, a diverse collection of smartphone forensic tools has also been introduced. However, studies conducted thus far do not normally guarantee data integrity required for digital forensic investigations. Therefore, this work uses a previously proposed method of Android device acquisition utilizing ‘Recovery Mode’. This work evaluates Android Recovery Mode variables that potentially compromise data integrity at the time of data acquisition. Based on the conducted analysis, an Android data acquisition tool that ensures the integrity of acquired data is developed, which is demonstrated in a case study to test tool's ability to preserve data integrity.     

预防犯罪--城市空间设计的新理念--论城市空间设计与犯罪学理论的不断融合

随着城市化进程的加速,城市空间设计与犯罪现象之间的联系日益紧密,这引起了各国犯罪学家的普遍关注。美国芝加哥学派的“同心圆理论”,从城市空间设计角度探讨犯罪原因做出的初步尝试。此后,为寻求犯罪预防,奥斯卡·纽曼提出“可防御空间”,成功地将城市空间设计与犯罪学理论融合在一起。在前人研究的基础上,结合中国城市化的现状,本文从城市空间设计的角度提出建立“层进式城市空间防范模式”,以更好地达到预防犯罪的效果。     

A comparison of forensic evidence recovery techniques for a windows mobile smart phone

Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats complicating decoding and presentation.A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent the results produced by different tools are consistent.This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device; and that in some cases the information recovered is conflicting.     

The effect of ionizing gamma radiation on natural and synthetic fibers and its implications for the forensic examination of fiber evidence

Circumstances of criminal activities involving radioactive materials may mean fiber evidence recovered from a crime scene could have been exposed to materials emitting ionizing radiation. The consequences of radiation exposed fibers on the result of the forensic analysis and interpretation is explored. The effect of exposure to 1-1000 kGy radiation doses in natural and synthetic fibers was noticeable using comparative forensic examination methods, such as optical microscopy, microspectrophotometry, and thin-layer chromatography. Fourier transform infrared spectroscopy analysis showed no signs of radiation-induced chemical changes in any of the fiber structures. The outcome of the comparative methods highlights the risk of "false negatives" associated in comparing colors of recovered fibers that may have been exposed to unknown radiation doses. Consideration of such results supports the requirement to know the context, including the environmental conditions, as much as possible before undertaking a forensic fiber examination.     

小区停车位权属分析

物权法草案第六稿确定了业主对小区的停车位享有优先使用权,尊重了业主的利益和开发商的利益.但其停车位的归属采用约定的方式作为优先的选择方式,虽体现了意思自治,但不利于保护业主的利益,应采用法定方式优先,以约定为补充.     

27-plex SNPs复合扩增检测体系构建与应用评价

目的建立27个常染色体SNPs复合检测体系,用于未知个体种族来源推断。方法通过对Hap Map数据库中描述祖先(非洲、欧洲、东亚)的遗传标记信息分析,选出27个SNPs位点,构建27个SNPs复合扩增体系;采用该体系对17个不同祖先人群的1 164份样本进行测试,得到的分型数据和在Hap Map数据库查询到的11个相关人群的数据;采用据聚类分析方法(K=3)进行祖先成分和匹配率计算,分析推算样品9947A的祖先来源,并进行体系性能验证。结果该体系可以进行单一和混合人群的种族来源和种族成分推断,来自新疆的人群遗传成分呈现在欧洲与东亚祖先之间连续分布,样品9947A祖先成分和匹配率与相关文献分析结果一致。浓度最低为0.1ng/μL时27个等位基因均可正确判型。结论本文构建的27-plex SNPs复合体系可以精确推断非洲、欧洲、东亚血统的个体祖先起源,且对欧亚混合人群(欧洲/东亚)有较好的推断能力,可在相关研究和实践中选择使用。     

Impacts of increasing volume of digital forensic data: A survey and future research challenges

A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.     

From walls to membranes: fortress polis and the governance of urban public space in 21st century Britain

Drawing on the work of Paul Virilio, this paper addresses changes in the architectural and legal topography of the urban landscape through an examination of regulatory patterns, which increasingly intensify governance through, and as, ‘control’. Such regulation is ambivalent in that it cuts across many traditionally discrete regimes of power melding them into new forms with new effects; as a consequence it is no longer sufficient to think in terms of such distinctions as private/public, civil/criminal, and so on. This paper argues that a concern with patterns of enclosure and privatisation in our urban centres must now be placed within the context of changes in architectural practice and technology, which the authors term ‘open architecture’, and the embedding of governance through partnership, which give particular emphasis to the use of dematerialised and diffused modes of control. The paper utilises Virilio’s history and image of the fortress, which he tracks from a material form to a dematerialised form, to envisage these developments and to provide the foundation for an understanding of the importance of the development of practices of surveillance into, what the authors term, ‘total registration’ as a feature and function of governance through ‘control’.