Evading DoH via Live Memory Forensics for Phishing Detection and Content Filtering

Varshney, Gaurav; Iyer, Padmavathi; Atrey, Pradeep K.; Misra, Manoj

doi:10.1109/comsnets51098.2021.9352935

Cited by 6 publications

(4 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When an e-mail is transmitted, it contains the source, content, actual sender and recipient information, date/time, protocols, and server information. E-mail forensics is the process of collecting evidence from e-mails, as e-mail is an electronic communication over the internet that carries messages to deliver files, documents, and other transaction items [42]. It can be an e-mail service, a webmail, or a local mailbox [43], [44].…”

Section: E-mail Forensic Analysismentioning

confidence: 99%

Bilgisayarla İşlenen Suçlara Hızlı Müdahale, İnceleme, Analiz ve Raporlama Süreçlerinin Yeni Nesil Adli Bilişim Yöntemleri İle Etkin Yönetimi

ALKAN,

DOGRU,

ATACAK

2023

Journal of Polytechnic

View full text Add to dashboard Cite

Because of the exponential growth in the volume and speed of attack vectors, the rapid growth of computer crimes, the corporate attack surface and the enormous volumes of data, preventing the cyber-attacks has become very difficult. In terms of forensics, classical forensic methods in a traditional approach which include removing the disk, gettng its image and examining the image takes a lot of time with the increasing amount of data so that this situation leads to make quick intervention too difficult against cyber attack and it takes a lot of time. For example, on average, getting an image of harddisk which include 20 terabyte capacity takes 2 days of time. As a solution, with a special tool (Binalyze AIR) that collects only evidentiary documents getting hash of all evidences (Disk Proof, Proof of Memory, Proof of Scanner, Proof of NTFS, Proof of Log, Proof of Network, Proof of Event Logs, Proof of WMI, Proof of Process Execution, etc.) and collects only the documents that have the quality of evidence, thus this process can be completed in a very short time. It provides effective management of crime scene investigation and fast response to crimes committed by computer, investigation, analysis and reporting processes blocked with traditional forensic methods and offers an innovative solution to the scientific literature. In summary, in this study, the results obtained by using modern forensic techniques (Binalyze AIR and Binalyze Tactical software) are presented in comparison with classical forensic methods.

show abstract

Section: E-mail Forensic Analysismentioning

confidence: 99%

Bilgisayarla İşlenen Suçlara Hızlı Müdahale, İnceleme, Analiz ve Raporlama Süreçlerinin Yeni Nesil Adli Bilişim Yöntemleri İle Etkin Yönetimi

ALKAN,

DOGRU,

ATACAK

2023

Journal of Polytechnic

View full text Add to dashboard Cite

show abstract

“…[78]. RAM allows accessing data in such a way to produce transparent information, which could not be possible otherwise [79], [80]. This can help to reveal hidden processes, malware trying to hide information, toolkits.…”

Section: B File System Forensicsmentioning

confidence: 99%

“…A few years back, digital forensics procedures were mainly based on Static analysis of the system. The typical step to perform static analysis was "pulling the plug" so that information on the disk does not change [121], [80]. With the advancement of technology (i.e., the increased storage capacity of the disk, etc.)…”

Section: ) Live Memory Forensicsmentioning

confidence: 99%

A Comprehensive Survey on Computer Forensics: State-of-the-Art, Tools, Techniques, Challenges, and Future Directions

et al. 2022

View full text Add to dashboard Cite

With the alarmingly increasing rate of cybercrimes worldwide, there is a dire need to combat cybercrimes timely and effectively. Cyberattacks on computing machines leave certain artifacts on target device storage that can reveal the identity and behavior of cyber-criminals if processed and analyzed intelligently. Forensic agencies and law enforcement departments use several digital forensic toolkits, both commercial and open-source, to examine digital evidence. The proposed research survey focuses on identifying the current state-of-the-art digital forensics concepts in existing research, sheds light on research gaps, presents a detailed introduction of different computer forensic domains and forensic toolkits used for computer forensics in the current era. The proposed survey also presents a comparative analysis based on the tool's characteristics to facilitate investigators in tool selection during the forensics process. Finally, the proposed survey identifies and derives current challenges and future research directions in computer forensics.

show abstract

“…In addition to profiling the user behaviors by analyzing encrypted DNS traffic on the network, G. Varshney et al [112] showed that how they can obtain DoH lookups before they get encrypted by passively monitoring the RAM usage on the client devices. Although it provides an opportunity for organizations to reinforce their security measures leveraging DNS content inspection, malicious actors can also utilize this method to violate user privacy which is assumed to be well protected by DNS encryption.…”

Section: Profiling User Activity By Analyzing Encrypted Dns Trafficmentioning

confidence: 99%

A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques

Lyu,

Gharakheili,

Sivaraman

2022

Preprint

View full text Add to dashboard Cite

The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.CCS Concepts: • Networks → Application layer protocols; Naming and addressing; • Security and privacy → Security protocols; Malware and its mitigation.

show abstract

Evading DoH via Live Memory Forensics for Phishing Detection and Content Filtering

Cited by 6 publications

References 8 publications

Bilgisayarla İşlenen Suçlara Hızlı Müdahale, İnceleme, Analiz ve Raporlama Süreçlerinin Yeni Nesil Adli Bilişim Yöntemleri İle Etkin Yönetimi

Bilgisayarla İşlenen Suçlara Hızlı Müdahale, İnceleme, Analiz ve Raporlama Süreçlerinin Yeni Nesil Adli Bilişim Yöntemleri İle Etkin Yönetimi

A Comprehensive Survey on Computer Forensics: State-of-the-Art, Tools, Techniques, Challenges, and Future Directions

A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques

Contact Info

Product

Resources

About