Temperature and heat flux at residential surfaces due to solar-beam radiative selectivity, geography/climate, insulation/structural configuration, humidity, and sky condition

2013

Digital Investigation

In this paper we propose novel approaches to the problem of classifying high entropy file fragments. Although classification of file fragments is central to the science of Digital Forensics, high entropy types have been regarded as a problem. Roussev and Garfinkel (2009) argue that existing methods will not work on high entropy fragments because they have no discernible patterns to exploit. We propose two methods that do not rely on such patterns. The NIST statistical test suite is used to detect randomness in 4 KiB fragments. These test results were analysed using an Artificial Neural Network (ANN). Optimum results were 91% and 82% correct classification rates for encrypted and compressed fragments respectively. We also use the compressibility of a fragment as a measure of its randomness. Correct classification was 76% and 70% for encrypted and compressed fragments respectively. We show that newer more efficient compression formats are more difficult to classify. We have used subsets of the publicly available 'GovDocs1 Million File Corpus' so that any future research may make valid comparisons with the results obtained here.

show abstract

Evaluation of live forensic techniques in ransomware attack mitigation

Forensic Science International: Digital Investigation

2020

Ransomware continues to grow in both scale, cost, complexity and impact since its initial discovery nearly 30 years ago. Security practitioners are engaged in a continual "arms race" with the ransomware developers attempting to defend their digital infrastructure against such attacks. Recent manifestations of ransomware have started to employ a hybrid combination of symmetric and asymmetric encryption to encode user's files. This paper describes an investigation that tried to determine if the techniques currently employed in the field of digital forensics could be leveraged to discover the encryption keys used by these types of malicious software thus mitigating the effects of a ransomware attack. Memory was captured from a system infected by ransomware and its contents was examined using live forensic tools, with the intent of identifying the symmetric encryption keys being used. NotPetya, Bad Rabbit and Phobos hybrid ransomware samples were tested during the investigation. If keys were discovered, the following two steps were also performed. Firstly, a timeline was manually created by combining data from multiple sources to illustrate the ransomware's behaviour as well as showing when the encryption keys were present in memory and how long they remained there. Secondly, an attempt was made to decrypt the files encrypted by the ransomware using the found keys. In all cases, the investigation was able to confirm that it was possible to identify the encryption keys used. A description of how these found keys were then used to successfully decrypt files that had been encrypted during the execution of the ransomware is also given. The resulting generated timelines provided a excellent way to visualise the behaviour of the ransomware and the encryption key management practices it employed, and from a forensic investigation and possible mitigation point of view, when the encryption keys are in memory.

show abstract

Evaluation of TFTP DDoS amplification attack

Sieklik

2016

Computers & Security

NapierOne: A modern mixed file data set alternative to Govdocs1

Forensic Science International: Digital Investigation

2022

Differential area analysis for ransomware attack detection within mixed file datasets

2021

Computers & Security

Review of Current Ransomware Detection Techniques

2021

Fast contraband detection in large capacity disk drives

Penrose

2015

Digital Investigation