Held virtually once again in response to the COVID-19 pandemic, the Digital Forensics Research Workshop Virtual Europe (DFRWS-EU) embodied its vision of cultivating an inclusive, transdisciplinary approach in both program and activities by featuring 10 of the 29 research paper submissions it received from 17 countries.
In his welcoming address on Tuesday, March 30, conference chair Mark Scanlon, of the University College Dublin, reflected that DFRWS-EU isn’t just a research conference, but also affords social networking opportunities that can help form connections and spur new research. To that end, future DFRWS events are expected to combine physical and online components.
The keynote addresses: encryption, Emotet, and Hafnium
During “The encryption challenge: an eternal search for the light switch in the dark?” Dr. Nicole van der Meulen, senior strategic analyst at Europol’s European Cybercrime Centre (EC3), described a decade’s worth of complicated considerations around “going dark.”
Referring extensively to EC3’s “Second report of the observatory function on encryption,” van der Meulen described what she called a “larger framework of challenges” to data access from a law enforcement perspective. These include the fact that it’s often difficult to illustrate claims that encryption stymies criminal cases because a mechanism doesn’t exist to track this.
“Balance” between competing interests may not be realistic given encryption technology, van der Meulen added, and this already complex arena will only be further complicated by quantum encryption — and decryption — possibilities. On the other hand, better collaboration between stakeholders, particularly partners from the research and industry communities, could help to identify solutions.
Collaboration between stakeholders was also a topic in the following day’s keynote, “Emotet: The ‘king’ is dead – is he?” Linda Bertram, Public Prosecutor at the Prosecutor General’s Office Frankfurt am Main – Center for Combatting Cybercrime (ZIT) and Andre Dornbusch, Team Leader Cybercrime Investigations with the Federal Criminal Police Office (BKA), described the two and a half years of intensive investigations that led to the takeover and dismantling of the Emotet malware infrastructure.
While Dornbusch talked about some of the technical challenges associated with the takeover and finding suspects, Bertram covered legal challenges, including liaising with multiple prosecutors and judges across this “umbrella case” comprising 10 major individual cases
Strong partnerships were key to the investigation, not just within Germany, but also worldwide, including police in Europe, the United States, Canada, and Ukraine. However, said Dornbusch, these partnerships are important to mirror on the judicial side as well as private industry, which frequently has resources to analyze malware and trace suspects that government does not.
In the conference’s third and final keynote, “An Investigation of the Microsoft Exchange Vulnerability Used by Hafnium,” Steven Adair, president at Volexity, talked about this “hot off the presses” compromise: a zero-day exploit that allowed Chinese APT actor Hafnium to download e-mails at will and, ultimately, execute full remote code on Exchange servers worldwide.
Adair described Volexity’s initial discovery of the anomalous traffic that piqued responders’ suspicions, and the trail to the primary vulnerability. By seeking a common link across multiple victim systems, Volexity responders were eventually able to start piecing together a story using the memory artifacts they found — in spite of Hafnium’s stealth.
As the attack escalated, additional artifacts from different types of logs, files from web directories, and master file table (MFT) entries all provided key pieces to investigating and mitigating this “catastrophic” attack, and while Microsoft’s eventual patch worked, Adair expressed concern about the possibility for future business email compromise attacks.
Papers & Presentations
The papers accepted at DFRWS this year were divided into five segments: novel device forensics, flash memory forensics, instant messenger forensics, digital forensics concepts, and AI for digital forensics. Short presentations and extended abstracts were also featured.
Novel Device Forensics
Kevin Klaus Gomez Buquerin presented research he coauthored with Christopher Corbett and Hans-Joachim Hof, “A Generalized Approach to Automotive Forensics.” What their paper called “the rapidly increasing proportion of software and security based implementations” in modern vehicles, they argued, leaves gaps in existing digital forensics processes.
Focusing on the implications of automated driving, the research offered an updated process, tested on a state-of-the-art vehicle and relying on its on-board diagnostics interface, diagnostics over internet protocol, and unified diagnostic services for communication instead of additional in-vehicle intrusion detection systems or event data recorders.
Frederick Barr-Smith then presented “Dead Man’s Switch: Forensic Autopsy of the Nintendo Switch.” Coauthored with Danny Rigby, Sash Rigby, Tom Farrant, Benjamin Leonard-Lagarde, and Frederick Sibley-Calder, the research produced both software that automates the NAND memory dump and extraction process, and modules for the Autopsy forensic software to automate ingestion and analysis processes.
Describing their investigation of this popular handheld gaming console and associated social networking, media consumption and internet connectivity, Barr-Smith said a NAND dump of several devices resulted in a number of different forensic artifacts, including personally identifiable information, network connection history and connected displays.
Flash Memory Forensics
Winner of this year’s Best Student Paper Award, “In Search of Lost Data: A Study of Flash Sanitization Practices” reported the results of the first large-scale study on chip reuse for USB flash drives. Janine Schneider presented the research she authored together with Immanuel Lautner, Denise Moussa, Julian Wolf, Nicole Scheler, Felix Freiling, Jaap Haasnoot, Hans Henseler, Simon Malik, Holger Morgenstern and Martin Westman.
They confirmed the use of poor sanitization practices on 12 percent of 614 USB flash drives sold as originals on the low-cost Chinese market. The “non-trivial user data” they found on these devices resulted in a “non-negligible probability” that any data — including incriminating files — already existed on the drive at the time of purchase.
Following Schneider’s talk was winner of the Best Paper Award, “One Key to Rule Them All: Recovering the Master Key from RAM to break Android’s File-Based Encryption.” Tobias Groß presented a new key recovery method tailored for file-based encryption (FBE), the result of research he conducted along with Marcel Busch and Tilo Müller.
The research was designed to close a gap in forensic access to encrypted Android disks in the wake of Google’s switch from full disk encryption (FDE) to FBE as its platform’s standard encryption method. Because this implementation rendered some forensic tools ineffective, Groß et al.’s research extended both The Sleuth Kit (TSK) and the Plaso framework to decrypt and extract artifacts from FBE-enabled EXT4 images and partitions.
Instant Messenger Forensics
Matthew Sorell presented “Ghost Protocol – Snapchat as a Method of Surveillance,” a way to obtain multimedia-associated metadata from the web-based Snap Map portal for open-source intelligence purposes. The research Sorell conducted together with Richard Matthews and Kieren Lovell focused on the way Snapchat presents Snaps on a publicly accessible map — used to monitor social unrest in Minneapolis, Minnesota related to the death of George Floyd.
Sorell also demonstrated how this technique could be used as a distributed surveillance system, supplementing traditional CCTV footage. Noting that the process could be vulnerable to database poisoning attacks due to “heavy reliance on trust” in the geolocation metadata and the resolution of uploaded media, the authors strongly advocated for method verification and validation.
Another gap-filling paper, “Forensic Analysis of Artifacts in the Matrix Protocol and Riot.IM application,” offered a forensic approach to analyzing forensic artifacts from the new, open source Matrix instant messaging (IM) protocol and the platform that uses it, Riot.im.
Because the Matrix protocol is now used on a variety of other IM platforms, including public servers, said presenter Guido Schipper, the research he worked on together with Rudy Seelt and Nhien-An Le-Khac was designed to add to existing IM forensics literature.
Digital Forensics Concepts
Introducing UEberForensIcs — a forensic UEFI application that makes it easy to acquire memory from a computer’s firmware, not unlike cold boot attacks — was “Bringing Forensic Readiness to Modern Computer Firmware,” presented by Tobias Latzo.
Latzo’s research together with Florian Hantke, Lukas Kotschi and Felix Freiling focused on the UEFI, “a pre-installed tiny operating system” which has displaced legacy PC-BIOS in booting an operating system. Because the operating system calls some UEFI code during runtime, the researchers observed — and demonstrated — how it could be relied on for forensic purposes.
Miguel Martín-Pérez presented “Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms.” Developed together with Ricardo Rodríguez and Frank Breitinger, the method relies on terminology proposed by NIST SP 800-168 to categorize “fuzzy” or similarity hashing algorithms allowing easier description and comparisons.
The research argues that because these comparisons are central to understanding algorithms’ benefits as well as weaknesses, the ability to compare and contrast an increasing variety of them is crucial. In addition, it helps developers fortify the algorithms themselves against attack.
AI for Digital Forensics
A pre-recorded video supplied by researcher Joachim Sester, “A Comparative Study of Support Vector Machine and Neural Networks for File Type Identification using n-gram analysis” (and supplemented by a live Q&A with coauthor Scanlon), in neural network (NN) and support vector machine (SVM) classifiers to compare the two.
This was important new research given reliance on the classifiers for file type identification, used in anti-virus and firewall software as well as forensic cybercrime investigations. In their experiments with two NNs and four SVMs, Sester, Scanlon, Darren Hayes, and Nhien-An Le-Khac used the classifiers’ n-grams analysis feature to determine that the SVM-based approaches performed better than the NN, but that scalability remained a challenge.
“Vec2UAge: Enhancing Underage Age Estimation Performance through Facial Embeddings” focused on a specific aspect of AI: facial recognition, and its subset, age estimation. Felix Anda spoke about a novel regression-based model, Vec2UAge, which he developed together with Edward Dixon, Elias Bou-Harb, Nhien-An Le-Khac and Mark Scanlon building on research presented at DFRWS-EU 2020.
Anda noted that although automated facial age estimation has increasing relevance in digital forensics, a continuing lack of accurately labelled age datasets — particularly for underage images — reduces the tools’ performance accuracy. Another challenge is skin tone detection given open source datasets whose demographic representation is limited.
Extended Abstracts
The variability of Internet of Things (IoT) devices renders most conventional digital forensic processes obsolete for those devices, according to Juan Manuel Castelo Gómez, Javier Carrillo Mondéjar, José Roldán Gómez and José Luis Martínez Martínez in their paper “Developing an IoT Forensic Methodology. A Practical Concept Proposal,” which proposed “a concept methodology for conducting IoT investigations which uses a generic forensic model as a reference.”
Selective imaging — as opposed to collecting full bitwise copies of storage devices — has been possible in “dead box” forensics for several years. However, live selective imaging hasn’t been as thoroughly researched. That’s what Fabian Faust, Aurélien Thierry, Tilo Müller and Felix Freiling sought to change with their new Selective Imaging Tool for Windows (SIT), which Faust presented in “Selective Imaging of File System Data on Live Systems.”
Phishing for information or money on largely anonymous darknets, such as the Tor network, is a rampant problem that lacks definition. Martin Steinebach described attacker techniques in “Phishing Detection on Tor Hidden Services,” along with metrics to detect phishing pages automatically. He also explored whether existing solutions designed to detect and mitigate phishing on clearnets could transfer to darknets.
Short Presentations
A forthcoming paper will explore “Digital traces of walking, driving and other movements on iPhones,” an update of research conducted two years ago by Jan Peter van Zandwijk and Abdul Boztas of the Netherlands Forensic Institute (NFI). They are examining the new timestamped WhatsApp logfiles and cache_encryptedC.db on the iOS Health app.
Cagatay Yürekli spoke about “Implementing a Software System for Comparing an Incident Timeline with Known Indicators of Compromise” — integrating Plaso, log2timeline, and SOF-ELK to explore threat intelligence stored in NATO’s Malware Information Sharing Platform (MISP).
Mattia Epifani is known for his extensive forensic work on the iOS platform, but this time extended it to “Forensic Analysis of the Raspberry PI 400,” which relies on a traditional Linux file system. Epifani walked listeners through some of the system’s interesting directories, including \etc\passwd and \etc\shadow, \etc\timezone, \etc\keyboard, and \etc\locale among others.
Riscure’s Erwin Intveld and Peter Zuijdervliet then wrapped the session with “Glitching the KeepKey hardware wallet,” describing how they used electronic interference to disrupt the crypto wallet’s voltage and thus influence its software decisions. Their research resulted in unlock privileges, privilege escalation, memory dumps, and the ability to retrieve key material, including code dumps, and to change the device’s PIN.
The Workshops
Four workshops — two on Monday, and two on Thursday — were offered:
- Women in Forensic Computing
- Digital Forensic Research: The Challenges of the Next 10 Years
- Digging Deeper With Velociraptor
- CASE Adoption – Lessons, Solutions, and Roadmap Updates
Women in Forensic Computing
Organized by Hyunji Chung (Korea University) and Felix Freiling (FAU), this free workshop / bootcamp had a dual objective: increase interest and technical confidence in digital forensic science as a career or research field, while highlighting women’s contributions to the field.
Relying on a sequence of women-led presentations over three hours, the workshop was open to all interested applicants. It introduced some fundamental and current concepts, allowed for hands-on experience, and featured a session on ideas for increasing the awareness and appreciation of women in forensic computing.
Digital forensic research: the challenges of the next 10 years
Based on Simson Garfinkel’s 2010 “Digital Forensics Research: The Next 10 Years,” this workshop — led by researchers Graeme Horsman and Virginia Franqueira — combined retrospective with future thinking, using the lessons of the past decade as a foundation for predicting developments during the decade ahead.
Participants identified a number of insights and needs. Horsman said to expect a survey to become available in July. Participants of the DFRWS EU and US events will receive access to quantitative data, followed by a consultation period for a new paper in draft; a followup presentation will be offered at the next DFRWS-EU in 2022.
Digging Deeper With Velociraptor
Mike Cohen of Velocidex Enterprises led attendees through the open source DFIR framework, Velociraptor (recently acquired by Rapid7). The scenario-based workshop explored techniques for incident response in a large enterprise network, not just to determine how many endpoints are compromised, but also to scale threat hunting.
These techniques included ways to expose critical forensic artifacts such as process analysis, low level NTFS analysis, evidence of execution, and event log collection and analysis. Proactive hunting for common forensic artifacts — via Velociraptor’s endpoint monitoring — using low level forensic analysis, along with the offline Velociraptor collector, were also covered.
CASE Adoption – Lessons, Solutions, and Roadmap Updates
The week’s final workshop was designed to prepare participants to implement CASE/UCO 1.0, which is scheduled for an August release. Encouraging strategic adoption of specific aspects — file systems, images and videos, or messaging apps / mobile devices — Casey said now is the time to start implementation, as waiting until the 1.0 release would result in a “heavy lift.”
Moderator Eoghan Casey said Logicube, Atola, Magnet Forensics, and Cellebrite have all signed on to implement CASE. Some workshop demos covered Cellebrite-specific processes including UFEDtoCASE — a standard evidence representation exchange — and translating commercial tool output. Additionally, cross-border information sharing, chain of custody competency with regard to handling urgent digital evidence, CASE/UCO ontology alignment, a validation toolkit, open source tools’ adoption of CASE/UCO, and the roadmap to v1.0 were all covered.
Special events and other features
The DFRWS Forensic Rodeo is a “friendly, but fierce, capture-the-flag style forensics competition.” Lasting about 90 minutes and fully virtual, this year’s competition challenged participant teams to identify evidence of both file downloads from a website hosting illegal material, and anti-forensic activity. A short debriefing and prize ceremony followed the rodeo.
The Pub Quiz held Wednesday evening, likewise virtual, was conducted a little differently this year than last. Rather than Zoom, it was hosted in a Gather Town “pub,” a spatial videoconferencing platform. This platform made it easier for participants to interact, including team formation, though, attendees could listen to the quiz without participating.
The Lightning Talks
Moderated by Daryl Pfeif, these six-minute sessions offer one platform for researchers to talk about work more rapidly than it’s being published. To that end, Tuesday’s first talk was from Adrien Vincart talking about how Jira database log activity could assist with incident response.
Jessica Hyde then shared some DFIR Review statistics, noting an increase from the site’s first full year as a “rolling journal”: 28 submissions resulting in 11 publications. Most, said Hyde, have to do with iOS and Android research. She additionally called for both more submissions and more volunteer reviewers to help support the site.
On Wednesday, Aikaterini Kanta spoke about context-based decryption for law enforcement. Updating her research in a similar talk at last year’s DFRWS-EU, Kanta described her statistical analysis of 3.9 billion passwords. In the process of creating a framework to evaluate password cracking wordlist quality, Kanta called for collaborators to work with.
Chris Hargreaves then provided some of the output from the “Law Enforcement and Academia” Birds of a Feather session the previous day. Key points included two potential avenues for student projects: frameworks and artifact research seeded by practitioners. Hargreaves also expressed the need to share completed projects in a way that ensures they aren’t “lost in university archives.”
The Birds of a Feather sessions
Besides Hargreaves’ session, other “Birds of a Feather” breakout groups included artificial intelligence in digital forensics, patterns of life forensics, cryptocurrency privacy coins and tokens, and a follow-up to the “Challenges in Digital Forensics” workshop.
Some of the questions that came up in Tuesday’s “AI in Digital Forensics” session included:
- What are the specifics of AI in digital forensics?
- Does digital forensics pose challenges to AI which are overlooked in the broader AI community?
- To that end, do we need a dedicated forum for AI in digital forensics, or for forensics practitioners to join a general AI conference?
Also discussed was the need to have large enough datasets to train on in order to avoid bias, improve explainability and admissibility in court, and ultimately, confidence in AI-based results.
Wednesday’s “Challenges” session got more granular and future-thinking about specific technologies — and the potential need for more specialization — including a predicted shift from wearable to mainstream implanted devices, the widespread use of serious virtual reality (VR)-based applications, and AI based / autonomous systems “everywhere,” among others.
Also discussed was the broader challenge of access to data given encryption, identity verification, and cloud storage. These access challenges can hamper not just investigation, but also tool and data validation. How digital forensics professionals might be able to influence legislation to represent industry interests was a related topic.
Other March-published research
In “The UK forensic science regulator: Fit for purpose?” authors Emmanuel Nsiah Amoako and Carole McCartney, of the Northumbria University School of Law, argued that the FSR role in its current form cannot be considered “fit for purpose” without evidence of regulation’s impact. They outlined five demands on forensic service providers, along with five corresponding objectives of the FSR to support and enhance FSPs’ ability to meet these demands.
Forensic Science International: Synergy published two pieces that focus on traditional forensic science, but may be instructive to digital forensics as well.
First, American Academy of Forensic Sciences (AAFS) authors Linton Mohammed, Mary McKiel, Kenneth Aschheim, Gregory Berg, and Lucy Davis responded to a paper whose criticism of Organization of Scientific Area Committee (OSAC) standards we covered in November’s research roundup.
As well, “A new systematic approach of teaching and learning of forensic science for interdisciplinary students: A step towards renovating the forensic education system” by Ritesh Kumar Shukla of Ahmedabad University in Gujarat (India) explored how the use of different pedagogies could improve both teacher deliverables and student engagement, especially given time constraints and complexity of information.
At Forensic Science International: Digital Investigation, “Forensic Exploration on Windows File History,” authored by Jisung Choi, Jungheum Park, and Sangjin Lee at Korea University’s School of Cybersecurity, proposed a detailed three-step examination procedure for file history-related artifacts. The authors offered a summary table of these artifacts from multiple sources, analyzed the impacts of four potential anti-forensic actions, and developed an automated tool.
At the Journal of Digital Forensics, Security, and Law, Purdue University’s Fahad E. Salamh, Umit Karabiyik, and Marcus Rogers published “A Constructive DIREST Security Threat Modeling for Drone as a Service.” Modifying the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges) threat model to meet DaaS security assessment needs, the authors proposed DIREST to enhance drones’ security and provide consistency in digital forensic procedures.
Finally, in “Social Media Footprint Awareness,” researchers Emily Crawford, KC Malinda Hlordsz, and Diogo Ribeiro of the Leahy Center at Champlain University investigated how user activity impacts one’s digital footprint. Part of their ongoing research is to examine Instagram, Facebook, and Tumblr algorithms that recommend posts and ads, whether deleting posts affects each platform’s algorithms, and how much footprint remains following data deletion.
