While much work has been invested in tools for the acquisition and extraction of digital evidence, only few tools allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to the changes that applications make to file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the sets of files accessed by those actions overlap.
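The following is an added, simplified example of the fingerprinting idea described above; it is not the system from the paper. It models the four NTFS $STANDARD_INFORMATION timestamps of each file as integers, derives an action's fingerprint as the set of timestamp fields it changes per file, and then recognises two actions in one before/after snapshot pair even though both touch the same document. Paths, action names, timestamp values and the action effects are constructed for illustration.

```python
# Added example (not the paper's system): fingerprinting file-system metadata
# changes so that individual application actions can be recognised in a
# before/after pair of file-system snapshots. The four NTFS
# $STANDARD_INFORMATION timestamps are modelled as integers; paths, actions
# and timestamp values below are constructed for illustration.
TS_FIELDS = ("created", "modified", "mft_modified", "accessed")


def stamp(t):
    """All four timestamps set to the same value t."""
    return {f: t for f in TS_FIELDS}


def apply_changes(snapshot, changes, t):
    """Return a copy of `snapshot` in which the listed timestamp fields of each
    path are set to time t, emulating what an action does to the MFT entries."""
    new = {path: dict(ts) for path, ts in snapshot.items()}
    for path, fields in changes.items():
        for f in fields:
            new[path][f] = t
    return new


def diff_snapshots(before, after):
    """Fingerprint of everything that happened between two snapshots:
    path -> set of timestamp fields whose value changed. Files that only exist
    in `after` are reported with all four fields."""
    fp = {}
    for path, ts in after.items():
        if path not in before:
            fp[path] = frozenset(TS_FIELDS)
            continue
        changed = frozenset(f for f in TS_FIELDS if before[path][f] != ts[f])
        if changed:
            fp[path] = changed
    return fp


def contains(observed, fingerprint):
    """True if every change required by `fingerprint` is present in `observed`.
    Subset semantics per file: a later action may have touched more fields of
    the same file, which must not hide the earlier action."""
    return all(path in observed and fields <= observed[path]
               for path, fields in fingerprint.items())


def match_actions(observed, library):
    """Names of all library actions whose fingerprint is contained in the
    observed changes. Overlapping file sets are fine because each action is
    tested independently."""
    return sorted(name for name, fp in library.items() if contains(observed, fp))


# Constructed clean system state: three application files and one document.
BASE = {
    "C:/app/config.ini": stamp(100),
    "C:/app/recent.lst": stamp(100),
    "C:/app/viewer.log": stamp(100),
    "C:/user/doc.txt": stamp(100),
}

WRITE = ("modified", "mft_modified", "accessed")
READ = ("accessed",)

# Effects of each action when run alone (constructed; in practice these are
# obtained by running each action in isolation and diffing the snapshots).
ACTION_EFFECTS = {
    "editor_open": {"C:/app/config.ini": WRITE, "C:/user/doc.txt": READ},
    "editor_save": {"C:/user/doc.txt": WRITE, "C:/app/recent.lst": WRITE},
    "viewer_open": {"C:/user/doc.txt": READ, "C:/app/viewer.log": WRITE},
}

# Fingerprint library: one controlled run per action against the clean state.
LIBRARY = {name: diff_snapshots(BASE, apply_changes(BASE, effects, 200))
           for name, effects in ACTION_EFFECTS.items()}


def incident_fingerprint():
    """Observed changes of a constructed incident: the document was opened
    and then saved with the editor. doc.txt is touched by both actions."""
    after_open = apply_changes(BASE, ACTION_EFFECTS["editor_open"], 300)
    after_save = apply_changes(after_open, ACTION_EFFECTS["editor_save"], 400)
    return diff_snapshots(BASE, after_save)


if __name__ == "__main__":
    print(match_actions(incident_fingerprint(), LIBRARY))
```

Running it reports `editor_open` and `editor_save` but not `viewer_open`, because the viewer's discriminating file (`viewer.log`) was never touched; the shared access to `doc.txt` alone is not enough to claim the viewer ran. One practical caveat: Windows can disable last-access updates (the `NtfsDisableLastAccessUpdate` setting), in which case the `accessed` field carries no signal and a fingerprint that consists of nothing but access updates cannot be matched.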
The JavaScript language is a core component of active and dynamic web content in the Internet today. Besides its great success in enhancing web applications, however, JavaScript provides the basis for drive-by downloads, attacks that exploit vulnerabilities in web browsers and their extensions to download malicious software unnoticed. Due to the diversity and frequent use of obfuscation in these JavaScript attacks, static code inspection proves ineffective in practice. While dynamic analysis and honeypots provide means to identify drive-by-download attacks, current approaches induce a significant overhead which renders immediate prevention of attacks intractable. In this paper, we present Cujo, a system for automatic detection and prevention of drive-by-download attacks. Embedded in a web proxy, Cujo transparently inspects web pages and blocks delivery of malicious JavaScript code. Static and dynamic code features are extracted on-the-fly and analysed for malicious patterns using efficient techniques of machine learning. We demonstrate the efficacy of Cujo in different experiments, where it detects % of the drive-by downloads with few false alarms and a median run-time of ms per web page, a quality that, to the best of our knowledge, has not been attained in previous work on detection of drive-by-download attacks.
Cujo = "Classification of Unknown JavaScript Objects"
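As an added illustration of the static half of the approach sketched above (this is not Cujo's implementation; Cujo's dynamic execution-trace features and its actual learning method are not reproduced), the example below tokenizes JavaScript, abstracts strings, numbers and arbitrary identifiers to token classes, turns the token stream into q-grams, and scores unseen code by smoothed log-odds of the q-grams it contains. The token abstraction, the keep-list of names, the scoring rule and every training and held-out snippet are assumptions constructed for this example.

```python
# Added example (illustrative, not Cujo's implementation): static lexical
# features of JavaScript turned into token q-grams and scored by a simple
# presence-based log-odds model. The token abstraction, keep-list and all
# snippets are constructed assumptions.
import math
import re
from collections import Counter

TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"'            # double-quoted string
    r"|'(?:\\.|[^'\\])*'"           # single-quoted string
    r"|\d+(?:\.\d+)?"               # number
    r"|[A-Za-z_$][\w$]*"            # identifier or keyword
    r"|[{}()\[\];,.=+\-*/<>!&|?:]"  # single-character operator or punctuation
)

# Names kept verbatim; every other identifier is abstracted to ID so that
# randomly named variables in obfuscated code do not fragment the feature space.
KEEP = {
    "var", "function", "return", "for", "while", "if", "else", "new", "this",
    "eval", "unescape", "escape", "document", "write", "String", "fromCharCode",
    "setTimeout", "location",
}


def tokenize(code):
    """Lexical tokens with strings -> STR, numbers -> NUM, other identifiers -> ID."""
    out = []
    for tok in TOKEN_RE.findall(code):
        if tok[0] in "\"'":
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok in KEEP or not (tok[0].isalpha() or tok[0] in "_$"):
            out.append(tok)
        else:
            out.append("ID")
    return out


def qgrams(tokens, q=3):
    """Set of distinct q-grams over the token stream."""
    return {" ".join(tokens[i:i + q]) for i in range(len(tokens) - q + 1)}


def train(benign, malicious, q=3):
    """Document frequency of each q-gram per class."""
    df_b = Counter(g for code in benign for g in qgrams(tokenize(code), q))
    df_m = Counter(g for code in malicious for g in qgrams(tokenize(code), q))
    return {"df_b": df_b, "df_m": df_m, "n_b": len(benign), "n_m": len(malicious), "q": q}


def score(model, code):
    """Sum of smoothed log-odds of the q-grams present in `code`; a value above 0
    means the lexical patterns resemble the malicious training set more."""
    s = 0.0
    for g in qgrams(tokenize(code), model["q"]):
        p_m = (model["df_m"][g] + 1) / (model["n_m"] + 2)
        p_b = (model["df_b"][g] + 1) / (model["n_b"] + 2)
        s += math.log(p_m / p_b)
    return s


def classify(model, code):
    return "malicious" if score(model, code) > 0 else "benign"


BENIGN = [  # constructed training snippets
    'function add(a, b) { return a + b; }',
    'var list = document.getElementById("items"); list.innerHTML = "";',
    'for (var i = 0; i < 10; i++) { total += i; }',
]
MALICIOUS = [  # constructed, shaped like typical drive-by loader code
    'var sc = unescape("%u9090%u9090%u4141"); eval(sc);',
    'eval(unescape("%65%76%69%6c")); document.write(unescape("%3Cscript%3E"));',
    'var s = String.fromCharCode(101, 118); setTimeout(s, 0);',
]
MODEL = train(BENIGN, MALICIOUS)

HELD_OUT_MALICIOUS = 'var p = unescape("%u0c0c%u0c0c"); eval(unescape("%u9090") + p);'
HELD_OUT_BENIGN = 'function greet(name) { return "hi " + name; }'

if __name__ == "__main__":
    for sample in (HELD_OUT_MALICIOUS, HELD_OUT_BENIGN):
        print(round(score(MODEL, sample), 2), classify(MODEL, sample))
```

The held-out loader is flagged because q-grams such as `unescape ( STR` and `; eval (` occur only in the malicious training set, while the held-out function shares its q-grams with the benign set. With a handful of snippets this is only a demonstration of the feature construction; a deployable proxy filter needs a large labelled corpus and, as the abstract notes, dynamic features to cope with obfuscation that hides the lexical patterns entirely.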
In many digital forensic investigations, email data needs to be analyzed. However, this poses a threat to the privacy of the individual whose emails are being examined and in particular becomes a problem if the investigation clashes with privacy laws. This is commonly addressed by allowing the investigator to run keyword searches and to reveal only those emails that contain at least some of the keywords. While this could be realized with standard cryptographic techniques, further requirements are present that call for novel solutions: (i) for investigation-tactical reasons the investigator should be able to keep the search terms secret and (ii) for efficiency reasons no regular interaction should be required between the investigator and the data owner. We close this gap by introducing a novel cryptographic scheme that allows entire email boxes to be encrypted before they are handed over for investigation. The key feature is that the investigator can non-interactively run keyword searches on the encrypted data and decrypt those emails (and only those) for which a configurable number of matches occurred. Our implementation as a plug-in for a standard forensic framework confirms the practical applicability of the approach.
Communication between people is among the most important information in today's business. As a result, in forensic investigations in large companies, the analysis of communication data in general, and especially of email, which is still the most widely used business communication platform and has an immense and still growing volume, is a typical task in digital forensics. One of the challenges is to identify the relevant communication partners and structures in the suspect's surroundings as quickly as possible in order to react appropriately and identify further targets of evaluation. Due to the amount of email in typical inboxes, reading through all the mails is impractical. Therefore, forensic investigators need tools that support them in quickly getting an impression of a suspect's email communication, identifying the relevant communication partners, and recognizing communication patterns in single or even multiple email accounts. We introduce an open source forensic email analysis tool that provides exactly this by means of a responsive and interactive graph visualization of email data supported by statistical information.
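The following added example (not the tool from the paper) shows the data structure behind such a view: it builds a weighted, directed communication graph from the From, To and Cc headers of a mailbox, ranks a suspect's partners by traffic in both directions, flags edges crossing the organisation boundary, and emits Graphviz DOT text as a stand-in for the interactive visualization. The mailbox is a handful of constructed RFC 5322 headers with fictitious addresses and omitted bodies.

```python
# Added example (not the tool from the paper): building a weighted
# communication graph from email headers and deriving the statistics an
# investigator would look at first. Messages are constructed header-only
# RFC 5322 texts; addresses and names are fictitious.
import email
from collections import Counter, defaultdict
from email.utils import getaddresses, parseaddr

MESSAGES = [  # constructed sample mailbox
    "From: Alice <alice@corp.example>\r\nTo: bob@corp.example\r\n"
    "Cc: Carol <carol@corp.example>\r\nSubject: Q3 numbers\r\n\r\n",
    "From: bob@corp.example\r\nTo: Alice <alice@corp.example>\r\n"
    "Subject: Re: Q3 numbers\r\n\r\n",
    "From: alice@corp.example\r\nTo: bob@corp.example, dave@partner.example\r\n"
    "Subject: draft contract\r\n\r\n",
    "From: carol@corp.example\r\nTo: alice@corp.example\r\nSubject: lunch\r\n\r\n",
    "From: Dave <dave@partner.example>\r\nTo: alice@corp.example\r\n"
    "Cc: bob@corp.example\r\nSubject: Re: draft contract\r\n\r\n",
]


def build_graph(raw_messages):
    """Directed edge weights: (sender, recipient) -> number of messages.
    Addresses are lower-cased; display names are dropped."""
    edges = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            continue
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
        for rcpt in recipients:
            edges[(sender, rcpt)] += 1
    return edges


def partners(edges, mailbox):
    """Communication partners of `mailbox`, ranked by messages in both directions."""
    weight = Counter()
    for (src, dst), n in edges.items():
        if src == mailbox:
            weight[dst] += n
        elif dst == mailbox:
            weight[src] += n
    return sorted(weight.items(), key=lambda kv: (-kv[1], kv[0]))


def degree_stats(edges):
    """Per mailbox: (distinct recipients, distinct senders, messages sent, received)."""
    stats = defaultdict(lambda: [0, 0, 0, 0])
    for (src, dst), n in edges.items():
        stats[src][0] += 1
        stats[src][2] += n
        stats[dst][1] += 1
        stats[dst][3] += n
    return {k: tuple(v) for k, v in stats.items()}


def external_contacts(edges, domain):
    """Edges with at least one endpoint outside the organisation's `domain`."""
    inside = lambda a: a.endswith("@" + domain)
    return sorted((src, dst, n) for (src, dst), n in edges.items()
                  if not (inside(src) and inside(dst)))


def to_dot(edges):
    """Graphviz DOT text; edge label and thickness follow the message count."""
    lines = ["digraph mail {"]
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label={n}, penwidth={n}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(MESSAGES)
    print(partners(g, "alice@corp.example"))
    print(degree_stats(g)["alice@corp.example"])
    print(external_contacts(g, "corp.example"))
    print(to_dot(g))
```

On the sample mailbox, Alice's strongest partner is Bob (three messages across both directions), and the only traffic leaving `corp.example` is the exchange with `dave@partner.example`, which is the kind of structure an investigator wants surfaced before reading any message body. Real mailboxes additionally require header normalisation (aliases, forwarded mail, distribution lists) before the counts are meaningful.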