1.
A critical aspect of malware forensics is authorship analysis. The successful outcome of such analysis is usually determined by the reverse engineer's skills and by the volume and complexity of the code under analysis. To assist reverse engineers in such a tedious and error-prone task, it is desirable to develop reliable and automated tools for supporting the practice of malware authorship attribution. In a recent work, machine learning was used to rank and select syntax-based features such as n-grams and flow graphs. The experimental results showed that the top-ranked features were unique to each author, which was regarded as evidence that those features capture the author's programming style. In this paper, however, we show that the uniqueness of features does not necessarily correspond to authorship. Specifically, our analysis demonstrates that many "unique" features selected using this method are clearly unrelated to the authors' programming styles, for example unique IDs or random but unique function names generated by the compiler; furthermore, the overall accuracy is generally unsatisfactory. Motivated by this discovery, we propose a layered Onion Approach for Binary Authorship Attribution called OBA2. The novelty of our approach lies in its three complementary layers: preprocessing, syntax-based attribution, and semantic-based attribution. Experiments show that our method produces results that are not only more accurate but also have a meaningful connection to the authors' styles.
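The preprocessing layer in the abstract above can be made concrete. The Python below is an added example and is neither OBA2 code nor the feature-ranking method of the earlier work it criticises. Two hypothetical authors, each represented by two constructed disassembly fragments (the author names, the fragment contents and the IDA-style `sub_`/`loc_` symbols are all assumptions), are fed to a bigram-based "unique feature" selector. On raw tokens the selected unique features are dominated by compiler- and disassembler-generated names that say nothing about style; after normalising such names and immediates to placeholders, what remains unique is the actual idiom (`xor eax, eax` versus `mov eax, 0`, `leave` versus `pop ebp`).

```python
import re
from collections import Counter

# Constructed disassembly fragments for two hypothetical authors (assumption:
# neither the authors nor the code are real). The IDA-style auto names
# (sub_XXXX, loc_XXXX) are unique per binary but say nothing about style.
SAMPLES = {
    "author_A": [
        "push ebp\nmov ebp, esp\nxor eax, eax\ncall sub_401A2C\ntest eax, eax\n"
        "jz loc_4021F0\nleave\nret",
        "push ebp\nmov ebp, esp\nxor ecx, ecx\ncall sub_40133B\ntest eax, eax\n"
        "jz loc_401F88\nleave\nret",
    ],
    "author_B": [
        "push ebp\nmov ebp, esp\nmov eax, 0\ncall sub_402B10\ncmp eax, 0\n"
        "jz loc_4030A4\npop ebp\nret",
        "push ebp\nmov ebp, esp\nmov ecx, 0\ncall sub_4027D4\ncmp eax, 0\n"
        "jz loc_403112\npop ebp\nret",
    ],
}

# Tool-generated symbol conventions (IDA-style) and numeric immediates.
AUTO_NAME = re.compile(r"^(sub|loc|off|unk|byte|word|dword|var|arg)_[0-9A-Fa-f]+$")
IMMEDIATE = re.compile(r"^-?(0x[0-9A-Fa-f]+|[0-9][0-9A-Fa-f]*h?)$")


def tokenize(listing):
    """Split a listing into lowercase mnemonic/operand tokens."""
    return [tok.lower() for line in listing.splitlines()
            for tok in line.replace(",", " ").split()]


def normalize(tokens):
    """Preprocessing layer: collapse tool-generated names and immediates
    to placeholders so they cannot masquerade as stylistic features."""
    out = []
    for tok in tokens:
        if AUTO_NAME.match(tok):
            out.append("<auto>")
        elif IMMEDIATE.match(tok):
            out.append("<imm>")
        else:
            out.append(tok)
    return out


def ngrams(tokens, n):
    """Set of token n-grams of one listing."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def unique_features(samples, n=2, normalizer=None):
    """Select n-grams that occur in exactly one author's samples.
    With normalizer=None this mimics raw syntax-feature selection; pass
    normalize to run the preprocessing layer first."""
    per_author = {}
    for author, listings in samples.items():
        feats = set()
        for listing in listings:
            toks = tokenize(listing)
            if normalizer:
                toks = normalizer(toks)
            feats |= ngrams(toks, n)
        per_author[author] = feats
    seen_by = Counter(f for feats in per_author.values() for f in feats)
    return {a: {f for f in feats if seen_by[f] == 1}
            for a, feats in per_author.items()}


def auto_generated_share(unique):
    """Fraction of selected 'unique' features containing a tool-generated name."""
    feats = [f for fs in unique.values() for f in fs]
    tainted = [f for f in feats if any(AUTO_NAME.match(t) for t in f)]
    return len(tainted) / len(feats) if feats else 0.0


if __name__ == "__main__":
    for label, norm in (("raw", None), ("normalized", normalize)):
        uniq = unique_features(SAMPLES, normalizer=norm)
        print(f"{label}: {auto_generated_share(uniq):.0%} of unique features "
              "contain an auto-generated name")
        for author, feats in uniq.items():
            print(f"  {author}: {sorted(feats)}")
```

The selector is deliberately the naive one the abstract argues against: uniqueness across authors is the only criterion. The normalisation regexes cover IDA-style names and plain immediates only; string literals, GUIDs and mangled names embedded in a real binary need their own rules, and none of this replaces the semantic layer the paper adds on top.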
2.
Memory analysis has gained popularity in recent years, proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges, since many acquisition techniques require code to be run on a potentially compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, that does not rely on operating system facilities, making it more difficult to subvert. We then evaluate this technique's remaining vulnerability to subversion by considering more advanced anti-forensic attacks.
3.
A survey of main memory acquisition and analysis techniques for the Windows operating system
Traditional, persistent data-oriented approaches in computer forensics face some limitations regarding a number of technological developments, e.g., rapidly increasing storage capacities of hard drives, memory-resident malicious software, or the growing use of encryption routines, that make a timely investigation more and more difficult. In order to cope with these issues, security professionals have more recently started to examine alternative data sources and emphasize the value of volatile system information in RAM. In this paper, we give an overview of the prevailing techniques and methods to collect and analyze a computer's memory. We describe the characteristics, benefits, and drawbacks of the individual solutions and outline opportunities for future research in this evolving field of IT security.
4.
5.
Memory analysis has been successfully utilized to detect malware in many high-profile cases. The use of signature scanning to detect malicious tools is becoming an effective triaging and first-response technique. In particular, the Yara library and scanner has emerged as the de facto standard in malware signature scanning for files, and there are many open source repositories of Yara rules. Previous attempts to incorporate Yara scanning into memory analysis yielded mixed results. This paper examines the differences between applying Yara signatures to files and to memory, and how Yara signatures can be developed to effectively search for malware in memory. For the first time, we document a technique to identify the process owner of a physical page using the Windows PFN database. We use this to develop a context-aware Yara scanning engine which can scan all processes simultaneously using a single pass over the physical image.
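The single-pass, context-aware scan described above depends on being able to say which process a physical page belongs to. The Python below is an added example, not the paper's code. Rather than parsing the Windows PFN database (an array of `_MMPFN` entries that records, among other things, the PTE mapping each frame), it builds the same kind of reverse map by walking a constructed x86-64-style 4-level page-table hierarchy for two hypothetical processes inside a small physical memory buffer. The process IDs, the virtual addresses, the DOS-stub string standing in for a shared DLL page and the `CONSTRUCTED_MALWARE_MARKER` string are all assumptions. The scan then makes one pass over the physical pages and tags every signature hit with its owning process(es) and virtual address, or with no owner for a frame that no process currently maps.

```python
import struct

PAGE = 0x1000
ENTRIES = PAGE // 8                    # 512 eight-byte entries per paging table
PRESENT = 1                            # bit 0 of a paging entry
PFN_MASK = 0x000FFFFFFFFFF000          # bits 12..51 hold the page frame number


class PhysMem:
    """Constructed physical memory: n_pages of 4 KiB, handed out sequentially."""

    def __init__(self, n_pages):
        self.buf = bytearray(n_pages * PAGE)
        self.next_free = 0

    def alloc(self):
        pfn, self.next_free = self.next_free, self.next_free + 1
        return pfn

    def entry(self, table_pfn, index):
        return struct.unpack_from("<Q", self.buf, table_pfn * PAGE + index * 8)[0]

    def set_entry(self, table_pfn, index, value):
        struct.pack_into("<Q", self.buf, table_pfn * PAGE + index * 8, value)

    def write(self, pfn, offset, data):
        self.buf[pfn * PAGE + offset:pfn * PAGE + offset + len(data)] = data

    def page(self, pfn):
        return bytes(self.buf[pfn * PAGE:(pfn + 1) * PAGE])


def map_page(mem, cr3, vaddr, pfn):
    """Install vaddr -> pfn under cr3, allocating PDPT/PD/PT tables on demand."""
    table = cr3
    for shift in (39, 30, 21):         # PML4, PDPT, PD index positions
        idx = (vaddr >> shift) & 0x1FF
        e = mem.entry(table, idx)
        if not e & PRESENT:
            e = (mem.alloc() << 12) | PRESENT
            mem.set_entry(table, idx, e)
        table = (e & PFN_MASK) >> 12
    mem.set_entry(table, (vaddr >> 12) & 0x1FF, (pfn << 12) | PRESENT)


def walk(mem, cr3):
    """Yield (vaddr, pfn) for every present 4 KiB page reachable from cr3.
    Only 4 KiB leaves are handled (no large pages) and addresses are not
    sign-extended, so mappings are kept in the lower half of the address space."""
    def rec(table, level, base):
        for i in range(ENTRIES):
            e = mem.entry(table, i)
            if not e & PRESENT:
                continue
            va = base | (i << (39 - 9 * level))
            nxt = (e & PFN_MASK) >> 12
            if level == 3:
                yield va, nxt
            else:
                yield from rec(nxt, level + 1, va)
    yield from rec(cr3, 0, 0)


def build_pfn_owners(mem, processes):
    """Reverse map pfn -> [(pid, vaddr), ...]; a shared page has several owners."""
    owners = {}
    for pid, cr3 in processes.items():
        for va, pfn in walk(mem, cr3):
            owners.setdefault(pfn, []).append((pid, va))
    return owners


def scan_physical(mem, owners, signatures):
    """One pass over all physical pages; each hit is tagged with the owners of
    that frame, or pid None when no process currently maps it."""
    hits = []
    for pfn in range(len(mem.buf) // PAGE):
        data = mem.page(pfn)
        for name, sig in signatures.items():
            off = data.find(sig)
            while off != -1:
                for pid, va in owners.get(pfn, [(None, None)]):
                    hits.append((name, pfn, pid, None if va is None else va + off))
                off = data.find(sig, off + 1)
    return hits


def build_demo():
    """Two hypothetical processes sharing one page, one private page, one freed page."""
    mem = PhysMem(32)
    procs = {4: mem.alloc(), 1234: mem.alloc()}         # pid -> CR3 (fresh PML4 page)
    shared, private, freed = mem.alloc(), mem.alloc(), mem.alloc()
    mem.write(shared, 0x40, b"This program cannot be run in DOS mode")   # PE stub text
    mem.write(private, 0x100, b"CONSTRUCTED_MALWARE_MARKER")
    mem.write(freed, 0x800, b"CONSTRUCTED_MALWARE_MARKER")              # mapped by nobody
    for cr3 in procs.values():
        map_page(mem, cr3, 0x7FF000000000, shared)       # same DLL page in both processes
    map_page(mem, procs[1234], 0x400000, private)
    return mem, procs


SIGNATURES = {
    "dos_stub": b"This program cannot be run in DOS mode",
    "marker": b"CONSTRUCTED_MALWARE_MARKER",
}


def run_demo():
    mem, procs = build_demo()
    return scan_physical(mem, build_pfn_owners(mem, procs), SIGNATURES)


if __name__ == "__main__":
    for name, pfn, pid, va in run_demo():
        print(f"{name:9s} pfn={pfn:<3d} pid={pid} vaddr={va if va is None else hex(va)}")
```

The output shows the two properties the abstract relies on: the shared page is reported once per owning process with the virtual address in each, and the marker in the freed page is still found but carries no owner, which is exactly the kind of hit a per-process virtual-memory scan would miss. Against a real image the same reverse map would come from the PFN database or from walking every `DirectoryTableBase` in the process list, and a production scanner additionally has to handle large pages, transition and prototype PTEs, paged-out frames, and signatures that straddle a page boundary, none of which this example attempts.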
6.
Objective: To construct a panel of 27 autosomal AIM-SNPs for inferring the ancestral origin of unknown individuals. Methods: From the 908 ancestry-informative marker (AIM) loci in the HapMap database describing African, European and East Asian populations, a combination of 27 AIM loci was selected. Using the relevant software, its analysis was compared with analyses of different subsets of the 908 AIMs in the database to verify the feasibility of inferring ancestral origin. Results: The SNP polymorphism analysis method based on the 27 AIMs in this study can correctly infer the ancestral origin of unknown samples and estimate the proportions of ancestral components. Conclusion: The 27-autosomal-AIM SNP polymorphism analysis method established in this study can accurately infer the ancestral origin of individuals of the three major ancestries (European, African and East Asian). It is an effective way of applying SNP polymorphism analysis to infer an individual's ethnic origin, and can be used in forensic practice to infer the continental population ancestry of an unknown DNA donor during DNA examination.
7.
The Windows Common Controls is a library which facilitates the construction of GUI controls commonly used by Windows applications. Each control is an extension of the basic 'window' class. The difference in the extension results in one control over another; for example, an Edit control as opposed to a Button control. The basic window class is documented by Microsoft and the generic information about a Window can be extracted, but this is of very limited use. There is no documentation and very little research into how these extensions are laid out in memory. This paper demonstrates how the extension bytes for the Edit control can be parsed, leading to identification of previously unobtainable data which reveal information about the state of the control at runtime. Most notably, the undo buffer, that is, text that was previously present in the control, can be recovered, an aspect which traditional disk forensics would simply not provide. The paper explains why previous attempts to achieve similar goals have failed, and how the technique could be applied to any control from the Windows Common Controls library.
8.
Virtual Machine Introspection (VMI) has emerged as a fine-grained, out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS). Specifically, it operates from the Virtual Machine Monitor (VMM), or hypervisor. The reconstructed semantic details obtained by VMI are available at the hypervisor as a mixture of benign and malicious state. In order to distinguish between these two, the existing out-of-VM security solutions require extensive manual analysis. In this paper, we propose an advanced VMM-based, guest-assisted Automated Internal-and-External (A-IntExt) introspection system that leverages VMI, Memory Forensics Analysis (MFA), and machine learning techniques at the hypervisor. Further, we use the VMI-based technique to introspect digital artifacts of the live guest OS to obtain a semantic view of process details. We implemented an Intelligent Cross View Analyzer (ICVA) and integrated it into our proposed A-IntExt system; it examines the data supplied by VMI to detect hidden, dead, and dubious processes, while also predicting early symptoms of malware execution on the introspected guest OS in a timely manner. Machine learning techniques are used to analyze the executables that are mined and extracted using MFA-based techniques and to identify the malicious ones. The practicality of the A-IntExt system is evaluated by executing a large set of real-world malware and benign executables on the live guest OSs. The evaluation achieved 99.55% accuracy and a 0.004 False Positive Rate (FPR) under 10-fold cross-validation when detecting unknown malware on the generated dataset. Additionally, the proposed system was validated against other benchmark malware datasets, and the A-IntExt system outperforms existing VMM-level detection of real-world malware by more than 6.3%.
9.
Reverse engineering is the primary step in analyzing a piece of malware. After having disassembled a malware binary, a reverse engineer needs to spend extensive effort analyzing the resulting assembly code, and then documenting it through comments in the assembly code for future reference. In this paper, we have developed an assembly code clone search system called ScalClone based on our previous work on assembly code clone detection systems. The objective of the system is to identify the code clones of a target malware from a collection of previously analyzed malware binaries. Our new contributions are summarized as follows: First, we introduce two assembly code clone search methods for malware analysis with a high recall rate. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we present a scalable system with a database model to support large-scale assembly code search. Finally, experimental results on real-life malware binaries suggest that our proposed methods can effectively identify assembly code clones under different scenarios of code mutation.
10.
Brett Eterovic-Soric M.S., Kim-Kwang Raymond Choo Ph.D., Sameera Mubarak Ph.D., Helen Ashman Ph.D. Journal of Forensic Sciences, 2017, 62(4):1054-1070
In this paper, we review the literature on anti-forensics published between 2010 and 2016 and reveal the surprising lack of up-to-date research on this topic. This research aims to contribute to closing this knowledge gap by investigating different anti-forensic techniques for devices running Windows 7, one of the most popular operating systems. An approach which allows for removal or obfuscation of most forensic evidence is then presented. Using the Trojan software DarkComet RAT as a case study, we demonstrate the utility of our approach and that a Trojan Horse infection may be a legitimate possibility even if there is no evidence of an infection on a seized computer's hard drive. Up-to-date information regarding how forensic artifacts can be compromised will allow relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.
11.
Elrick D. Journal of Forensic Sciences, 2012, 57(1):103-107
When theft of a physical item occurs it is detectable by the fact that the object is missing; however, when theft of a digital item occurs it can go unnoticed, as exact replicas can be created. The original file is left intact but valuable information has been taken. One of the challenges facing digital forensic examiners is detecting when files have been copied off a computer system in some fashion. While certain methods do leave residual evidence behind, CD burning has long been held to be a copying method that cannot be identified. Through testing of the burning process and close examination of New Technology File System (NTFS) master file table artifacts in the various versions of Microsoft Windows, markers have been found that are associated with copying, or "burning", files to CD or DVD. Potential evidence that was once overlooked may now be detectable.
12.
An IEEE 802.11 wireless device can leave traces of its presence in the volatile memory of nearby wireless devices. While the devices need to be in radio range of each other for this to happen, they do not need to be connected to the same network, or to any network at all. Traces appear in the form of full wire-type frames, a residue of the signals in the ether. We examine the types of information that can be extracted from such residual frames and explore the conditions under which traces develop and persist. Their availability is determined by factors in both the external environment (the types of signals in the ether) and the internal environment (the configuration and particulars of a device's Wi-Fi stack). To isolate some of these factors, we have created memory dumps of devices in various environments and configurations. Analysis of the dumps has offered insights into the conditions determining creation and decay of the traces. The results indicate that they will be available in a limited number of real-world scenarios. We conclude with practical advice on triaging and preservation.
13.
At the time of this writing, Android devices are widely used, and many studies of methods for forensic acquisition of data from Android devices have been conducted. Similarly, a diverse collection of smartphone forensic tools has been introduced. However, the studies conducted thus far do not normally guarantee the data integrity required for digital forensic investigations. Therefore, this work uses a previously proposed method of Android device acquisition utilizing 'Recovery Mode'. This work evaluates the Android Recovery Mode variables that potentially compromise data integrity at the time of data acquisition. Based on the conducted analysis, an Android data acquisition tool that ensures the integrity of acquired data is developed, and a case study demonstrates the tool's ability to preserve data integrity.
14.
With the acceleration of urbanization, the link between urban spatial design and crime has become ever closer, attracting widespread attention from criminologists in many countries. The "concentric zone theory" of the Chicago School in the United States was an initial attempt to explore the causes of crime from the perspective of urban spatial design. Later, in pursuit of crime prevention, Oscar Newman proposed "defensible space", successfully integrating urban spatial design with criminological theory. Building on earlier research and on the current state of urbanization in China, this paper proposes, from the perspective of urban spatial design, the establishment of a "layered urban space prevention model" to achieve better crime prevention.
15.
Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats, complicating decoding and presentation. A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or to what extent the results produced by different tools are consistent. This paper investigates what information held on a Windows Mobile smartphone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device, and that in some cases the information recovered is conflicting.
16.
Circumstances of criminal activities involving radioactive materials may mean that fiber evidence recovered from a crime scene could have been exposed to materials emitting ionizing radiation. The consequences of radiation-exposed fibers for the result of forensic analysis and interpretation are explored. The effect of exposure to radiation doses of 1-1000 kGy on natural and synthetic fibers was noticeable using comparative forensic examination methods such as optical microscopy, microspectrophotometry, and thin-layer chromatography. Fourier transform infrared spectroscopy analysis showed no signs of radiation-induced chemical changes in any of the fiber structures. The outcome of the comparative methods highlights the risk of "false negatives" when comparing the colors of recovered fibers that may have been exposed to unknown radiation doses. Consideration of such results supports the requirement to know the context, including the environmental conditions, as fully as possible before undertaking a forensic fiber examination.
17.
18.
Objective: To establish a 27-autosomal-SNP multiplex detection system for inferring the ethnic origin of unknown individuals. Methods: By analysing the genetic marker information describing ancestry (African, European, East Asian) in the HapMap database, 27 SNP loci were selected and a 27-SNP multiplex amplification system was constructed. The system was used to test 1,164 samples from 17 populations of different ancestry; the resulting genotype data, together with data for 11 related populations retrieved from the HapMap database, were analysed by clustering (K=3) to calculate ancestral components and match rates, to infer the ancestral origin of sample 9947A, and to validate the performance of the system. Results: The system can infer the ethnic origin and ethnic composition of both single and admixed populations; the genetic components of the population from Xinjiang are distributed continuously between European and East Asian ancestry; and the ancestral components and match rate of sample 9947A agree with the results reported in the literature. At a DNA concentration as low as 0.1 ng/μL, all 27 alleles were typed correctly. Conclusion: The 27-plex SNP system constructed in this study can accurately infer the ancestral origin of individuals of African, European and East Asian descent, performs well for Eurasian (European/East Asian) admixed populations, and can be used in related research and practice.
19.
Digital Investigation, 2014, 11(4):273-294
A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real-world applicability of a method or methods to address the digital forensic data volume challenge.
20.
From walls to membranes: fortress polis and the governance of urban public space in 21st century Britain
Drawing on the work of Paul Virilio, this paper addresses changes in the architectural and legal topography of the urban landscape through an examination of regulatory patterns, which increasingly intensify governance through, and as, 'control'. Such regulation is ambivalent in that it cuts across many traditionally discrete regimes of power, melding them into new forms with new effects; as a consequence it is no longer sufficient to think in terms of such distinctions as private/public, civil/criminal, and so on. This paper argues that a concern with patterns of enclosure and privatisation in our urban centres must now be placed within the context of changes in architectural practice and technology, which the authors term 'open architecture', and the embedding of governance through partnership, which give particular emphasis to the use of dematerialised and diffused modes of control. The paper utilises Virilio's history and image of the fortress, which he tracks from a material form to a dematerialised form, to envisage these developments and to provide the foundation for an understanding of the importance of the development of practices of surveillance into, what the authors term, 'total registration' as a feature and function of governance through 'control'.
Nathan Moore