
Showing papers in "Digital Investigation in 2015"


Journal ArticleDOI
TL;DR: This paper studied 100 research works published between 2010 and 2014 with the perspective of feature selection in mobile malware detection, and categorizes available features into four groups, namely, static features, dynamic features, hybrid features and applications metadata.

190 citations


Journal ArticleDOI
TL;DR: A permission-based Android malware detection system that uses static analysis to characterize and classify Android applications as benign or malicious; results show that APK Auditor is able to detect most well-known malware and highlights the ones with potential, with approximately 88% accuracy and a 0.925 specificity.

168 citations


Journal ArticleDOI
TL;DR: The issues in cloud computing are described using the phases of traditional digital forensics as the base and for each phase of the digital forensic process, a list of challenges and analysis of their possible solutions are included.

162 citations


Journal ArticleDOI
TL;DR: This work shows which features of these instant messaging applications leave evidentiary traces allowing for suspect data to be reconstructed or partially reconstructed, and whether network forensics or device forensics permits the reconstruction of that activity.

114 citations


Journal ArticleDOI
TL;DR: This work describes how it was able to decrypt the network traffic and obtain forensic artifacts relating to this new calling feature, which include: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) the WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp call termination.

87 citations


Journal ArticleDOI
TL;DR: DFBotKiller is a negative reputation system that considers the history of both suspicious group activities and suspicious failures in DNS traffic to detect domain-flux botnets, and it can make a good trade-off between the detection and false alarm rates.

68 citations


Journal ArticleDOI
TL;DR: The impact of forensic drivers and major design principles like security, privacy and transparency on the design and implementation of a centralized digital forensics service are explored.

65 citations


Journal ArticleDOI
TL;DR: This work summarizes the strengths and weaknesses of existing schemas, and proposes the open-source CybOX schema as a foundation for storing and sharing digital forensic information and introduces and leverages initial steps of a Unified Cyber Ontology (UCO) effort to abstract and express concepts/constructs that are common across the cyber domain.

64 citations


Journal ArticleDOI
TL;DR: SIGMA, a technique for identifying reused functions in binary code by matching traces of a novel representation of binary code, namely the Semantic Integrated Graph (SIG), is proposed, and experimental results show that the approach yields promising results.

64 citations


Journal ArticleDOI
TL;DR: A Bilingual Sentiment Analysis Lexicon (BiSAL) for cyber security domain, which consists of a Sentiment Lexicon for ENglish (SentiLEN and SentiLAR), that can be used to develop opinion mining and sentiment analysis systems for bilingual textual data from Dark Web forums is presented.

52 citations


Journal ArticleDOI
TL;DR: This work attempts hash-based carving with a target file database of roughly a million files and discovers an unexpectedly high false identification rate resulting from common data structures in Microsoft Office documents and multimedia files.

Journal ArticleDOI
TL;DR: This study presents BinComp, a practical approach which analyzes the syntax, structure, and semantics of disassembled functions to extract compiler provenance, and demonstrates that BinComp is efficient in terms of both computational resources and time.

Journal ArticleDOI
TL;DR: This paper introduces an approach based on a three-layered ontology, called ORD2I, to represent any digital events, associated with a set of operators to analyse the resulting timeline and to ensure the reproducibility of the investigation.

Journal ArticleDOI
TL;DR: The benchmark results show that the proposed method outperforms the adaptive PRNU denoising methods for various cameras, including compact and smartphone cameras, in terms of speed and image quality, and the experimental analysis shows that it is possible to impede source camera identification by PRNU noise suppression even under extreme attack conditions.

Journal ArticleDOI
TL;DR: This paper presents a universal tool that seamlessly supports many different databases, rebuilding table and other data content from any remaining storage fragments on disk or in memory, and empirically verify the tool's ability to recover both deleted and partially corrupted data directly from the internal storage of different databases.

Journal ArticleDOI
TL;DR: This work leverages standardised knowledge representation techniques and automated rule-based systems to encapsulate expert knowledge for forensic data, providing high-level analysis based on low-level digital artefacts in a way that allows an understanding of which decisions support the facts.

Journal ArticleDOI
TL;DR: An updated model is proposed, a weighted arc circumplex model, that is designed to represent the multidimensional nature of contemporary hacker types by offering a means of visually representing multiple motivations simultaneously.

Journal ArticleDOI
TL;DR: This paper introduces Andro-AutoPsy, an anti-malware system based on similarity matching of malware-centric and malware creator-centric information that detects and classifies malware samples into similar subgroups by exploiting the profiles extracted from integrated footprints.

Journal ArticleDOI
TL;DR: This work proposes a new acquisition method based on analyzing the firmware update protocols of Android smartphones that is superior to existing forensic methods in terms of the integrity guarantee, acquisition speed, and physical dump with screen-locked smartphones (USB debugging disabled).

Journal ArticleDOI
TL;DR: A variety of firmware manipulation techniques are illustrated and methods for identifying firmware-level threats in the course of memory forensic investigations are proposed and implemented into well-known open-source memory forensic tools.

Journal ArticleDOI
TL;DR: This study proposes a customized associative classification technique, a popular data mining method, to address the authorship attribution problem, which models the unique writing style features of a person, measures the associativity of these features and produces an intuitive classifier.

Journal ArticleDOI
TL;DR: The paper provides a survey of the default logging preferences in some of the popular database management systems and identifies the information that a database log should contain in order to be useful for reconstruction.

Journal ArticleDOI
TL;DR: An analysis of iPhone's CurrentPowerlog.powerlogsystem file and Android device 'buffer logs', along with their associated residual data, are provided, both of which can potentially be used to establish mobile phone usage at the time of, or leading up to, a motor vehicle accident.

Journal ArticleDOI
TL;DR: The proposed framework identifies spam campaigns on-the-fly and labels and scores the campaigns as well as gathers various information about them and provides law enforcement officials with a powerful platform to conduct investigations on cyber-based criminal activities.

Journal ArticleDOI
TL;DR: Experimental results on real-life malware binaries suggest that the proposed methods can effectively identify assembly code clones with the consideration of different scenarios of code mutations, and allow malware analysts to discover both exact and inexact clones at different token normalization levels.

Journal ArticleDOI
TL;DR: Sifting collectors challenge many conventional notions about forensic acquisition and may help tame the volume challenge by enabling examiners to rapidly acquire and easily store large disks without sacrificing the many benefits of imaging.

Journal ArticleDOI
TL;DR: This work proposes to extract structural features from the Abstract Syntax Tree (AST) to describe the coding style of an author and shows that the specifically designed features indeed improve the authorship attribution of scripting code to programmers.

Journal ArticleDOI
TL;DR: A digital forensics study on the field of Smart TV is imperative and new procedures for acquiring, analysing and investigating a Smart TV are proposed.

Journal ArticleDOI
TL;DR: This work shows that, using simple byte-value histograms, one can retain enough information about the opcodes within a sample to classify the target architecture with high accuracy, and discusses heuristic-based features that exploit information within the operands to determine endianness.

Journal ArticleDOI
TL;DR: This work introduces a novel cryptographic scheme that allows entire email boxes to be encrypted before handing them over for investigation; the investigator can non-interactively run keyword searches on the encrypted data and decrypt those emails (and only those) for which a configurable number of matches occurred.