
Day 1 15/10/2020
Room #1

Welcome Address by the General Chair 09:00 - 09:10

starts at 9:00 Boston time

Welcome address by EAI 09:10 - 09:20

Keynote Dr. Nicole Beebe 09:20 - 10:00

Title: Insider Threat – Who, Why, and the Role Dig

Break 10:15 - 10:30

15 minutes

SYMPOSIUM SESSION 1: Digital Forensics 10:30 - 12:00

Chair: Makan Pourzandi; Discussants:
10:30 - 11:05
Make Remote Forensic Investigations Forensic Again: Increasing the Evidential Value of Remote Forensic Investigations

Due to the increasing use of encrypted communication and anonymous services, many countries introduced new regulations that allow law enforcement to perform remote forensic investigations. During such investigations, law enforcement agencies secretly obtain remote access to a suspect’s computer to search for and collect evidence, including full copies of the (unencrypted) communication data. In this paper, we argue that the evidential value of the acquired evidence can be substantially increased by two technical methods: (1) employing integrity verification techniques offered by secure hardware, and (2) exfiltrating the decryption key of encrypted communication only in order to decrypt communication obtained by lawful interception. To prove the practicality of both methods, we design and implement TEE-BI, a solution for Trusted Execution Environment-based introspection. We deploy TEE-BI on an Android-based hardware platform featuring an ARM TrustZone and demonstrate the stealthy extraction of Secure Sockets Layer encryption keys from an Android userland application. We evaluate the effectiveness, performance, and compatibility of our prototype and argue that it provides a much higher level of evidential value than (the known) existing remote forensic software systems.
Authors: Marcel Busch (Friedrich-Alexander-University Erlangen-Nuremberg), Nicolai Florian (Friedrich-Alexander-University Erlangen-Nuremberg), Fabian Fleischer (Friedrich-Alexander-University Erlangen-Nuremberg), Christian Rueckert (Friedrich-Alexander-University Erlangen-Nuremberg), Christoph Safferling (Friedrich-Alexander-University Erlangen-Nuremberg), Felix Freiling (Friedrich-Alexander-University Erlangen-Nuremberg)
11:05 - 11:25
An Intelligence Criminal Tracker for Industrial Espionage: Applying Digital Data Acquired Onsite to Target Criminals

Numerous digital devices impede the effectiveness of the first on-site digital forensic investigation. An investigator faces significant challenges in conducting preliminary examinations of many devices collecting only the devices relevant to a crime, within the limited time available, where a high volume of data is commingled. Such problems are aggravated by IT technology which can make criminal activities more complex for specific crimes. Particularly, the investigation of industrial espionage basically requires significant levels of expertise and a full data recovery on an entire device so as to reconstruct intertwined criminal behaviors. To address this challenge, this paper proposes a tool for a real-time data acquisition of digital devices on-site, typical for industrial espionage. By the discovery of certain criminal patterns this tool will enable investigators: a) to decide which device is relevant to a crime amongst others; b) to conduct a real-time data acquisition from a device measured "relevant"; c) to perform intelligence data analytics, resulting in the generation of an ordered list of potential criminals and alleged criminal activities; d) to decide which device should be taken to a laboratory due to the further need for investigation; and e) to figure out what the next steps for the investigation are. In this paper we address the tool’s prototype and operational processes along with the analytical methods, followed by one case study in applicability of the tool.
Authors: Jieun Dokko (The Supreme Prosecutors' Office in South Korea), Michael Shin (Texas Tech), Sooyoung Park (The Supreme Prosecutor's Office in South Korea)
11:25 - 12:00
Remote air-gap Live forensics

This paper describes a solution to build a scalable means to perform remote live forensics, which introduces minimal and traceable changes to the air-gap systems. The solution can respect the air-gap and not introduce network connectivity to the air-gap systems. It provides a central management system with the solution; this allows the solution to be used in an incident across multiple systems. Fully traceable actions, built into the solution, allow the investigator to respect the second ACPO rule during the live forensics. The solution introduces low-impact changes to aim for maximum stability and preservation of evidence during the investigation of the air-gap system. The solution needs to be operational with minimal interaction behind the keyboard. This paper also compares and benchmarks other industry solutions against the solution proposed in this research.
Authors: Tom Van der Mussele (DFIRe Lab, School of Computer Science, University College Dublin, Ireland), Pavel Gladyshev (DFIRe Lab, School of Computer Science, University College Dublin, Ireland), Babak Habibnia (DFIRe Lab, School of Computer Science, University College Dublin, Ireland)

Lunch 12:00 - 12:30

30 minutes

SYMPOSIUM SESSION 2: Cyber-physical System Forensics 12:30 - 14:15

Chair: Pavel Gladyshev; Discussants: Dr. Alexey Chilikov, Shaikh Akib Shahriyar
12:30 - 13:05
Android Dumpsys Analysis to Indicate Driver Distraction

Police officers investigating car accidents have to consider the driver’s interaction with a mobile device as a possible cause. The most common activities such as calling or texting can be identified directly via the user interface or from the traffic metadata acquired from the Internet Service Provider (ISP). However, ‘offline activities’, such as a simple home button touch to wake up the screen, are invisible to the ISP and leave no trace at the user interface. A possible way to detect this type of activity could be analysis of system level data. However, security countermeasures may limit the scope of the acquired artefacts. This paper introduces a non-intrusive analysis method which will extend the range of known techniques to determine a possible cause of driver distraction. All Android dumpsys services are examined to identify the scope of evidence providers which can assist investigators in identifying the driver’s intentional interaction with the smartphone. The study demonstrates that it is possible to identify a driver’s activities without access to their personal content. The paper proposes a minimum set of requirements to construct a timeline of events which can clarify the accident circumstances. The analysis includes online activities such as interaction with social media, calling, texting, and offline activities such as user authentication, browsing the media, taking pictures, etc. The applicability of the method is demonstrated in a synthetic case study.
Authors: Lukas Bortnik (NATO CCDCOE), Arturs Lavrenovs (NATO CCDCOE)
13:05 - 13:40
A Digital Forensic Approach for Optimizing the Investigation of Hit-And-Run Accidents

We present a novel digital forensic approach that facilitates the investigation of hit-and-run accidents. Based on wheel speeds gathered by forensic data loggers, our approach provides a priority ranking of the suspects in order to optimize further investigations. For this, we propose two investigation steps to get key information about a suspect's trip. First, we analyze the likely traveled routes of a suspect to determine whether the suspect could have been at the accident location. Second, we analyze the driving behavior of the suspect in terms of aggressiveness, since aggressive driving behavior is a major reason for traffic accidents. Our evaluation with real driving experiments shows that our approach is suitable for analyzing likely routes and driving behavior in order to prioritize suspects in an investigation.
Authors: Marian Waltereit (University of Duisburg-Essen), Maximilian Uphoff (RheinByteSystems GmbH), Peter Zdankin (University of Duisburg-Essen), Viktor Matkovic (University of Duisburg-Essen), Torben Weis (University of Duisburg-Essen)
13:40 - 14:15
Evidence gathering in IoT criminal investigation

The Internet of Things (IoT) is a new paradigm. It enables communication between physical "things" through a common and distributed architecture. It is based on objects deeply rooted in the intimate lives of users. It constantly scans this physical world and interacts with it. It bears witness to past events. It is therefore a rich source of information for criminal investigation. The collection of evidence from the connected infrastructure is a decisive phase in the success of the police investigation. It consists of removing objects from their initial environment and placing them in a controlled and secured area. This action allows the evidence to be preserved for later examination. It is crucial but it is nevertheless difficult. It can alter or destroy valuable data during manipulation. Moreover, the difficulty lies in the heterogeneous nature of the devices and their strong dependence on the environment. This paper focuses on the collection of IoT devices at the local level, linked to an investigative strategy. It presents several tools and methods to retrieve the objects. It proposes to evaluate its relevance in a use case.
Authors: François BOUCHAUD (IRCGN - Forensic science laboratory, Gendarmerie Nationale), Thomas VANTROYS (Univ. Lille, CNRS, Centrale Lille, UMR 9189 - CRIStAL F-59000 Lille, France), Gilles GRIMAUD (Univ. Lille, CNRS, Centrale Lille, UMR 9189 - CRIStAL F-59000 Lille, France)

Break 14:15 - 14:30

15 minutes

SYMPOSIUM SESSION 3: Event Reconstruction In Digital Forensics 14:30 - 16:05

Chair: Pavel Gladyshev; Discussants: Stig F. Mjølsnes, Dr. Alexey Chilikov
14:30 - 15:00
Efficient Fingerprint Matching for Forensic Event Reconstruction

Forensic investigations usually utilize log files to reconstruct previous events on computing systems. Using standard log files as well as traces of system calls, we analyze what traces are left by different events on a GNU/Linux server that runs different common services like an SSH server, Wordpress, Nextcloud and Docker containers. Based on these traces, we calculate characteristic fingerprints of these events that can later be matched to other log files to detect them. We develop a matching algorithm and examine the different parameters that influence its performance both in terms of event detectability and detection time. We also examine the effect of using different subsets of system calls to improve matching efficiency.
Authors: Tobias Latzo
15:00 - 15:35
On Reliability of JA3 Hashes for Fingerprinting Mobile Applications

In recent years, mobile communication became more secure due to TLS encapsulation. TLS enhances user security by encrypting transmitted data; on the other hand, it limits network monitoring and data capturing, which is important for digital forensics. When observing mobile traffic today, most transmissions are encapsulated by TLS. Encrypted packets obsolete traditional methods for device or user fingerprinting that require visibility of protocol headers of HTTP, IMAP, SMTP, IM, etc. As a reaction to data encryption, new methods like TLS fingerprinting have been researched. These methods observe TLS parameters which are exchanged in open form before establishment of a secure channel. TLS parameters can be used for identification of a sending application. Nevertheless, with the constant evolution of TLS protocol suites, it is not easy to create unique and stable TLS fingerprints for forensic purposes. In addition, content advertisement and tracking plugins contribute to "a communication noise" which limits utilization of TLS fingerprinting. This paper presents experiments with JA3 hashes that are used for TLS fingerprinting of network applications. In our work we focus on fingerprinting mobile applications, stability, reliability and uniqueness of JA3 fingerprints. The study also discusses use cases of application of JA3 fingerprints in digital forensics.
Authors: Petr Matousek (Brno University of Technology), Ondrej Rysavy (Brno University of Technology), Ivana Burgetova (Brno University of Technology), Malombe Victor (Strathmore University)
15:35 - 16:05
Modelling GOP structure effects on ENF-based video forensics

Electricity is transported through the network as alternating current, usually at a carrier frequency (50/60 Hz) which is known as Electric Network Frequency (ENF). In practice, ENF fluctuates around the nominal value because of changes in the supply and demand of power over time. These fluctuations are conveyed by the light that is emitted by sources connected to the power grid. Captured by video recordings, such localized variations can be exploited as digital watermarks in order to position a video in time (e.g. timestamping) and space, as well as to verify its integrity. However, the encoded format for acquired videos will alter the shape of ENF extracted from video frames. This paper provides an analytical model for characterizing the effects of the group of pictures (GOP) structure adopted by the most widespread video encoders. The model is assessed through an experimental evaluation campaign, by analyzing different working conditions and by showing how the information from the GOP can contribute to the extraction of ENF from video frames.
Authors: Pasquale Ferrara (European Commission - Joint Research Centre), Gerard Draper Gil (European Commission - Joint Research Centre), Ignacio Sanchez (European Commission - Joint Research Centre), Henrik Junklewitz (European Commission - Joint Research Centre), Laurent Beslay (European Commission - Joint Research Centre)
Day 2 16/10/2020
Room #1

Best Paper Award 09:00 - 09:10

Announced by the Program Chair, Makan Pourzandi

SYMPOSIUM SESSION 4: Emerging Topics In Forensics 09:10 - 10:45

Chair: Makan Pourzandi; Discussants: Dr. P. Vinod Bhattathiripad
09:10 - 09:40
Adapting to local conditions: Similarities and differences in anonymous online market between Chinese and English Speaking Communities

In this paper, we have conducted a comparative analysis of anonymous online markets between Chinese and English speaking communities. First, we collect public data of multiple Chinese and English anonymous online markets. Then, we conduct a comparative analysis of the Chinese and English anonymous online markets from three aspects: market operation mechanism, market security mechanism, and goods sales situation. We find that Chinese and English anonymous online markets are both affected by factors such as market demand and relevant laws and regulations, and there are differences in the goods sales situation. In contrast, English anonymous online markets are relatively mature in market operation mechanism and market security mechanism, while Chinese anonymous online markets are still in their developing stage. We finally discuss the impact of law enforcement agencies' crackdown on Chinese and English anonymous online markets, as well as the focus and methods of Chinese and English anonymous online market governance.
Authors: Gengqian Zhou (Tsinghua University), Jianwei Zhuge (Tsinghua University)
09:40 - 10:15
Effective Medical Image Copy-Move Forgery Localization Based on Texture Descriptor

Identifying the authenticity and locating tampering regions of medical images are significant challenges. Active tampering localization approaches decrease the visual quality of medical images and may lead to misdiagnosis. Existing passive forensics algorithms are not good at medical images. In this paper, we propose an effective and robust copy-move forgery localization algorithm for medical images called MITD-CMFL. Considering that texture structure information is complex and important for medical images, we obtain textural images from noise-reduced images by utilizing a texture descriptor to gain more accurate features. Since it is difficult to extract a sufficient number of feature points with strong representation ability in smooth regions to characterize textures, we extract SIFT keypoints in texture images and decrease the contrast threshold. The experiments conducted on the tampered DDSM dataset show the pixel-level F1 of MITD-CMFL reaches up to 95.07% under plain copy-move attack, and the method has superior performance even under typical image transformations compared to the state-of-the-art algorithms.
Authors: Jiaqi Shi (Nankai University, China), Gang Wang (Nankai University, China), Ming Su (Nankai University, China), Xiaoguang Liu (Nankai University, China)
10:15 - 10:45
Neural Representation Learning Based Binary Code Authorship Attribution

Authorship attribution on binary code is of great value in applications such as malware analysis, software forensics and code theft detection. Existing approaches adopting the traditional machine learning way to train classifiers for authorship attribution extract and select features on the basis of a deep analysis and understanding (which are generally conducted by domain experts) of the coding languages as well as programmers' coding habits, showing limitations in the attribution accuracy and granularity. Inspired by the recent great successes of neural networks and representation learning in various program analysis tasks, this study proposes NMPI (Neural Modeling based Programmer Identification) to achieve fine-grained program authorship attribution by analyzing the binary code of individual functions from the perspective of sequence modeling and structural modeling. To evaluate the performance of the NMPI model, a large dataset consisting of 268796 functions collected from Google CodeJam is constructed. The extensive experimental evaluation shows that NMPI can successfully capture different programmers' coding styles left in the binary code, achieving 91% accuracy for the function-level binary code authorship attribution task.
Authors: ZhongMin Wang (Xi'an University of Posts and Telecommunications, Xi’an, China), Zhen Feng (Xi'an University of Posts and Telecommunications, Xi’an, China), ZhenZhou Tian (Xi'an University of Posts and Telecommunications, Xi’an, China)

Break 10:45 - 11:00

15 minutes

SYMPOSIUM SESSION 5: Cybersecurity and Digital Forensics 11:00 - 12:15

Chair: Daryl Johnson; Discussants: Dr. Prakash, Dr. George Markowsky
11:00 - 11:35
A Partial Approach to Intrusion Detection

The need for intrusion detection continues to grow with the advancement of new and emerging devices, the increase in the vectors of attack these bring, and their computational limitations. This work examines the suitability of a traditional data mining approach that is often overlooked in intrusion detection, partial decision trees, on the up to date CICIDS 2017 dataset. The approach was evaluated against recent deep learning results and shows that the partial decision tree outperformed these deep learning techniques for the detection of DDoS and Portscan attacks. Further analysis of the complete dataset has been performed using this partial technique. The creation of a reduced feature version of the dataset is proposed using PCA and is evaluated using a partial decision tree. It shows that a ten feature version of the dataset can produce a detection rate of 99.4% across the twelve classes, with a 77% reduction in training time.
Authors: John Sheppard (WIT)
11:35 - 11:55
Retracing the Flow of the Stream: Investigating Kodi Streaming Services

Kodi is one of the world’s largest open-source streaming platforms for viewing video content. Kodi was originally developed for the Microsoft XBox, distributed as XBox Media Center (XBMC), and has been ported to all major operating systems from Windows to Linux and can even be installed on many television systems. Kodi is able to play a wide assortment of video formats seamlessly. Easily installed Kodi add-ons facilitate access to online pirated videos and streaming content by enabling the user to search and view copyrighted videos with a basic level of technical knowledge. In some countries, there have been paid child sexual abuse organisations publishing/streaming child abuse material to an international paying clientele. Open source software used for viewing videos from the Internet, such as Kodi, is being exploited by criminals to conduct their activities. However, there is very little research on the forensic acquisition and analysis of Kodi generated evidence. Hence, in this paper, we describe a new method to quickly locate Kodi artefacts and gather information for a successful prosecution. We also evaluate our approach on different platforms with Windows, Android and Linux based operating systems. Our experiments show the file location, artefacts and a history of viewed content including their locations on the Internet. Our approach will serve as a resource to forensic investigators to examine Kodi or similar streaming platforms.
Authors: Samuel Todd Bromley (Royal Canadian Mounted Police), John Sheppard (Waterford Institute of Technology), Mark Scanlon (University College Dublin), Nhien-An Le-Khac (University College Dublin)
11:55 - 12:15
Cybersecurity Methodology for Specialized Behavior Analysis

Analyzing attacker behavior and generating realistic models to accurately capture the realities of cybersecurity threats is a very challenging task for researchers. Psychological personality and profiling studies provide a broad understanding of personality traits, but lack a level of interactive immersion that enables observers to collect concrete cybersecurity-relevant behavioral data. Participants’ intricate actions and interactions with real computer systems are seldom captured in any cybersecurity studies. These data are especially important for creating strategies for defense. Game Theory (GT) modeling techniques, for example, mostly represent attackers and defenders assuming rational and optimal decision-making. Human attackers, however, are not always rational and are not optimal. Our work focuses on capturing human actions and decisions to provide an empirical basis for these types of models. We provide a practical methodology that helps bridge the gap between theory and practice by facilitating construction, experimentation, and data collection for repeatable and scalable human experimentation with realistic cybersecurity scenarios. While our methodology is platform agnostic, we describe state-of-the-art technologies that may be used to satisfy the objectives of each of the stages of the methodology.
Authors: Edgar Padilla (The University of Texas at El Paso), Jaime Acosta (CCDC Army Research Laboratory), Christopher Kiekintveld (The University of Texas at El Paso)

Closing remarks 12:15 - 12:30