IFIP WG 11.9 ICDF 2024 - Paper accepted and presented

8 Januar 2024

Our article on Usable and Assessable Generation of Forensic Data Sets Containing Anti-Forensic Traces at the Filesystem Level was accepted and presented at the IFIP WG 11.9 International Conference on Digital Forensics (ICDF) 2024. The article presents a novel approach to automatically generate forensically relevant (anti-forensic) traces on the file system level and combine these file system dumps with other relevant traces generated in the operating system. The paper was presented at the IFIP WG 11.9 ICDF 2024 on January 5th 2024 in New Delhi (India).

 

Authors: Thomas Göbel, Harald Baier and Jan Türr (Universität der Bundeswehr München)

Abstract:

Digital forensics and anti-forensics are important parts of cybersecurity as they provide vital information used to create preventive and reactive measures. To enable digital forensic tool validation as well as meaningful educational study materials and research in these fields, diverse and realistic data sets are needed, which reflect anti-forensic measures, too. However, due to different reasons like privacy issues or legal obstacles data sets are more and more synthesised. This work contributes threefold to the improvement of the digital forensic process by assessing anti-forensic measures on the file system level and providing a usable proof of concept to synthesise appropriate data sets containing anti-forensic activities. First, we provide an in-depth analysis of anti-forensic data hiding techniques within the evolving Linux-based btrfs file system. Second, we provide a proof of concept to generate anti-forensic traces on the file system level within a post-mortem storage device data set. Our proof of concept links two existing frameworks, namely the data synthesis framework ForTrace and the anti-forensic data hiding framework fishy. As a result, we provide a usable data synthesis tool that is able to generate anti-forensic data hiding traces for the three common file systems NTFS, ext4, and btrfs, and in combination also provides essential other data synthesis functionality to simulate the normal behaviour of the operating system. As a third contribution, we introduce three attacker models to assess the respective anti-forensic data hiding techniques. Overall, we provide a usable possibility to generate data sets that reflect anti-forensic artefacts as potentially used by attackers.

Aktuelles

Vortrag des Forschungsinstituts CODE auf der 31. DFN-CERT Konferenz in Hamburg

Als externer Doktorand stellte Michael Mundt die Arbeit "Gib dem Dino Futter – adaptive Detektion von Bedrohungen in KRITIS-Netzwerken mittels Open-Source-Forensik" auf der 31. DFN-CERT Konferenz am 30./31. Januar vor.

ForTrace Workshop @ DFRWS EU 2024

We will present our research on the ForTrace data synthesis framework for digital forensics at the DFRWS EU 2024.

DFRWS EU 2024 - Two papers accepted

Our two papers on "Hypervisor-based Data Synthesis: On its Potential to Tackle the Curse of Client-side Agent Remnants in Forensic Image Generation" and "Ubi est indicium? On Forensic Analysis of the UBI File System" were accepted for presentation at the DFRWS EU 2024.

AICSEC 2023 - Paper accepted

We will present our work on "Scalable Image Clustering to screen for self-produced CSAM" in Bratislava at the AICSEC 2023.

NordSec 2023 - Paper accepted

We will present our work on WhatsApp Stickers in Oslo at the NordSec 2023.

DFRWS USA 2023 - PAPER ACCEPTED

Our paper Combining AI and AM - Improving Approximate Matching through Transformer Networks was accepted at the DFRWS USA 2023.