Information Forensics - Digital forensics is essential when performing in-depth crime investigations and evidence extraction, especially in the field of the Internet of Things, where the latest and smartest devices generate enormous volumes of information every second. However, the enormous growth of data and the nature of its complexity could constrain the data examination process, since traditional data acquisition techniques are no longer applicable. Therefore, if the knowledge gap between digital forensics and the Internet of Things is not bridged, investigators risk losing a potentially rich source of evidence that could otherwise act as a lead in solving open cases. The work aims to introduce examples of employing the latest Internet of Things forensics approaches as a panacea in this regard. The paper covers a variety of articles presenting new Blockchain, fog, and video-based applications that can aid in easing the process of digital forensics investigation with a focus on the Internet of Things. The results of the review indicated that the above current trends are very promising procedures in the field of Internet of Things digital forensics and need to be explored and applied more actively.
Authored by Nura Musa, Nada Mirza, Adnan Ali
Information Forensics - Access control includes authorization by security administrators and access by users. Aiming at the problems of log information storage difficulty and easy tampering faced by auditing and traceability forensics of authorization and access in cross-domain scenarios, we propose an access control auditing and traceability forensics method based on Blockchain, whose core is the Ethereum Blockchain and the IPFS (InterPlanetary File System), and whose main function is to store access control log information and trace forensics. Due to the technical characteristics of blockchain, such as openness, transparency and collective maintenance, the log information metadata storage based on Blockchain meets the requirements of distribution and trustworthiness, and the exit of any node will not affect the operation of the whole system. At the same time, by storing log information in the blockchain structure and using mapping, it is easy to locate the suspicious authorization or judgment that leads to permission leakage, so that security administrators can quickly grasp the causes of permission leakage. Using this distributed storage structure for security audit gives stronger resistance to attack and risk.
Authored by Siyuan Shang, Aoyang Zhou, Ming Tan, Xiaohan Wang, Aodi Liu
Information Forensics - With the influx of more cost-effective Unmanned Aerial Vehicles (UAVs) with improved flight performance into the consumer market, we have seen more uses of these for both leisure and business purposes. As such, demand for digital forensic examination on these devices has seen an increase as well. This research will explore and discuss the forensic examination process on one of the more popular brands of UAV in Singapore, namely DJI. The findings are from the examination of the exposed File Transfer Protocol (FTP) channel and the extraction of the Data-at-Rest on the memory chip of the drone. The extraction was done using the Chip-Off and Chip-On techniques.
Authored by James Lan, Frankie Lee
Information Forensics - With large advancements in image display technology, recapturing high-quality images from high-fidelity LCD screens becomes much easier. Such recaptured images can be used to hide image tampering traces and fool some intelligent identification systems. In order to prevent such a security loophole, we propose a recaptured image detection approach based on a generalized central difference convolution (GCDC) network. Specifically, by using GCDC instead of vanilla convolution, more detailed features can be extracted from both the intensity and gradient information of an image. Meanwhile, we concatenate the feature maps from multiple GCDC modules to fuse low-, mid-, and high-level features for higher performance. Extensive experiments on three public recaptured image databases demonstrate the superiority of our proposed method when compared with the state-of-the-art approaches.
Authored by Zhiqin Liu, Nan Zhu, Kun Wang
Information Forensics - Frame deletion forensics has been a major area of video forensics in recent years. The detection effect of current deep neural network-based methods outperforms previous traditional detection methods. Recently, researchers have used residual features as input to the network to detect frame deletion and have achieved promising results. We propose an IReF (Improved Residual Feature) by analyzing the effect of residual features on frame deletion traces. IReF preserves the main motion features and edge information by denoising and enhancing the residual features, making it easier for the network to identify the tampered features. Sparse noise reduction also lowers the storage requirement. Experiments show that under the 2D convolutional neural network, the accuracy of IReF compared with residual features is increased by 3.81%, and the storage space requirement is reduced by 78%. In the 3D convolutional neural network with video clips as feature input, the accuracy of IReF features is increased by 5.63%, and the inference efficiency is increased by 18%.
Authored by Huang Gong, Feng Hui, Bai Dan
Information Forensics - There are a large number of illegal websites on the Internet, such as pornographic websites, gambling websites, online fraud websites, online pyramid selling websites, etc. This paper studies the use of crawler technology for digital forensics on illegal websites. First, a crawler-based illegal website forensics program is designed and developed, which can detect the peripheral information of illegal websites, such as domain name, IP address, and network topology, and crawl key information such as website text, pictures, and scripts. Then, through comprehensive analysis of the obtained data, such as word cloud analysis, word frequency analysis and statistics, it can help judge whether a website is illegal.
Authored by Guangxuan Chen, Guangxiao Chen, Di Wu, Qiang Liu, Lei Zhang
Information Forensics - WhatsApp is one of the rare applications that has managed to become one of the most popular instant messaging applications all over the world. While inherently designed for simple and fast communication, privacy features such as end-to-end encryption have made confidential communication easy for criminals aiming to commit illegal acts. However, as it meets many daily communication needs, it has great potential to be digital evidence in interpersonal disputes. In this study, in parallel with the potential of the WhatsApp application to contain digital evidence, the abuse of this situation and the manipulation method of multimedia files, which may cause wrong decisions by the judicial authorities, are discussed. The dangerous side of this method, which makes the analysis difficult, is that it can be applied by anyone without the need for high-level root authority or any other application on these devices. In addition, it is difficult to detect, as no changes can be observed in the database during the analysis phase. In this study, a controlled experimental environment was prepared for the example scenario, the manipulation was carried out, and the analysis of the prepared system was included. The results obtained showed that the evidence at the forensic analysis stage is open to misinterpretation.
Authored by Düzgün Küçük, Ömer Yakut, Barış Cevız, Emre Çakar, Fatih Ertam
Information Forensics - As an important branch of computer forensics, network forensics technology, whether abroad or at home, is in its infancy. It mainly focuses on research on the framework of some forensics systems or some local problems, and has not formed a systematic theory, method and system. In order to improve the network forensics system, have a relatively stable and correct model for reference, ensure the authenticity and credibility of network forensics from the forensics steps, provide professional and non-professional personnel with a standard to measure the availability of computer network crime investigation, guide the current network forensics process, and promote the gradual maturity of network forensics theories and methods, this paper presents a fuzzy decision tree reasoning method for network forensics analysis.
Authored by Jiao Ye
Information Forensics - With the advent of information and communication technology, the digital space is becoming a playing ground for criminal activities. Criminals typically prefer darkness or a hidden place to perform their illegal activities in the real world, sometimes covering their faces to avoid being exposed and getting caught. The same applies in the digital world, where criminals prefer features which provide anonymity or hidden features to perform illegal activities. In the same spirit, the Darkweb is attracting all kinds of criminal activities conducted over the Internet such as selling drugs, illegal weapons, child pornography, assassination for hire, hackers for hire, and selling of malicious exploits, to mention a few. Although the anonymity offered by the Darkweb can be exploited as a tool to arrest criminals involved in cybercrime, in-depth research is needed to advance criminal investigation on the Darkweb. Analysis of illegal activities conducted on the Darkweb is in its infancy and faces several challenges, like the lack of standard operating procedures. This study proposes progressive standard operating procedures (SOPs) for Darkweb forensics investigation. We provide the four stages of the SOP for Darkweb investigation. The proposed SOP consists of the following stages: identification and profiling, discovery, acquisition and preservation, and the last stage is analysis and reporting. In each stage, we consider the objectives, tools and expected results of that particular stage. Careful consideration of this SOP revealed promising results in the Darkweb investigation.
Authored by Innocent Mgembe, Dawson Msongaleli, Naveen Chaundhary
Security incident handling and response are essential parts of every organization's information and cyber security. Security incident handling consists of several phases, among which digital forensic analysis has an irreplaceable place. Because each piece of digital evidence is recorded at a specific time, timelines play an essential role in analyzing this digital evidence. One of the vital tasks of the digital forensic investigator is finding relevant records in this timeline. This operation is performed manually in most cases. This paper focuses on the possibilities of automatically identifying digital evidence pertinent to the case and proposes a model that identifies this digital evidence. For this purpose, we focus on the Windows operating system and the NTFS file system and use outlier detection (the Local Outlier Factor method). Collected digital evidence is preprocessed, transformed to binary values, and aggregated by file system inodes and names. Subsequently, we identify digital records (file inodes, file names) relevant to the case. This paper analyzes the combinations of attributes, aggregation functions, local outlier factor parameters, and their impact on the resulting selection of relevant file inodes and file names.
Authored by Eva Marková, Pavol Sokol, Kristína Kováćová
Operating systems have various components that produce artifacts. These artifacts are the outcome of a user's interaction with an application or program and the operating system's logging capabilities. Thus, these artifacts have great importance in digital forensics investigations. For example, these artifacts can be utilized in a court of law to prove the existence of compromising computer system behaviors. One such component of the Microsoft Windows operating system is Shellbag, which is an enticing source of digital evidence of high forensics interest. The presence of a Shellbag entry means a specific user has visited a particular folder and done some customizations such as accessing, sorting, resizing the window, etc. In this work, we forensically analyze Shellbag as we discuss its purpose, types, and specificity with the latest version of the Windows 11 operating system and uncover the registry hives that contain Shellbag customization information. We also conduct in-depth forensics examinations on Shellbag entries using three tools of three different types, i.e., open-source, freeware, and proprietary tools. Lastly, we compare the capabilities of the tools utilized in Shellbag forensics investigations.
Authored by Ashar Neyaz, Narasimha Shashidhar, Cihan Varol, Amar Rasheed
Malware detection and analysis can be a burdensome task for incident responders. As such, research has turned to machine learning to automate malware detection and malware family classification. Existing work extracts and engineers static and dynamic features from the malware sample to train classifiers. Despite promising results, such techniques assume that the analyst has access to the malware executable file. Self-deleting malware invalidates this assumption and requires analysts to find forensic evidence of malware execution for further analysis. In this paper, we present and evaluate an approach to detecting malware that executed on a Windows target and further classify the malware into its associated family to provide semantic insight. Specifically, we engineer features from the Windows prefetch file, a file system forensic artifact that archives process information. Results show that it is possible to detect the malicious artifact with 99% accuracy; furthermore, classifying the malware into a fine-grained family has comparable performance to techniques that require access to the original executable. We also provide a thorough security discussion of the proposed approach against adversarial diversity.
Authored by Adam Duby, Teryl Taylor, Gedare Bloom, Yanyan Zhuang
Forensic Science comprises a set of technical-scientific knowledge used to solve illicit acts. The increasing use of mobile devices as the main computing platform, in particular smartphones, makes existing information valuable for forensics. However, the blocking mechanisms imposed by the manufacturers and the variety of models and technologies make the task of reconstructing the data for analysis challenging. It is worth mentioning that the conclusion of a case requires more than the simple identification of evidence, as it is extremely important to correlate all the data and sources obtained, to confirm a suspicion or to seek new evidence. This work carries out a systematic review of the literature, identifying the different types of existing image acquisition and the main extraction and encryption methods used in smartphones with the Android operating system.
Authored by Alessandro Da Costa, Alan de Sá, Raphael Machado
Virtual Private Networks (VPNs) have become a communication medium for accessing information, data exchange and the flow of information. Many organizations require an Intranet or VPN for data access, access to servers from computers, and sharing different types of data among their offices and users. A secure VPN environment is essential for organizations to protect their information, their IT infrastructure and their assets. Every organization needs to protect its computer network environment from various malicious cyber threats. This paper presents a comprehensive network security management approach which includes significant strategies and protective measures for the management of a VPN in an organization. The paper also presents the procedures and necessary countermeasures to preserve the security of the VPN environment and discusses a few identified security strategies and measures for VPNs. It also outlines network security and policy management for implementation, covering security measures in the firewall, the visualized security profile, and the role of the sandbox in securing the network. In addition, a few identified security controls to strengthen organizational security, which are useful in designing a secure, efficient and scalable VPN environment, are also discussed.
Authored by Srinivasa Pedapudi, Nagalakshmi Vadlamani
Malicious software (malware) poses a significant threat to the security of our networks and users. In the ever-evolving malware landscape, Excel 4.0 Office macros (XL4) have recently become an important attack vector. These macros are often hidden within apparently legitimate documents and under several layers of obfuscation. As such, they are difficult to analyze using static analysis techniques. Moreover, the analysis in a dynamic analysis environment (a sandbox) is challenging because the macros execute correctly only under specific environmental conditions that are not always easy to create. This paper presents SYMBEXCEL, a novel solution that leverages symbolic execution to deobfuscate and analyze Excel 4.0 macros automatically. Our approach proceeds in three stages: (1) The malicious document is parsed and loaded in memory; (2) Our symbolic execution engine executes the XL4 formulas; and (3) Our Engine concretizes any symbolic values encountered during the symbolic exploration, therefore evaluating the execution of each macro under a broad range of (meaningful) environment configurations. SYMBEXCEL significantly outperforms existing deobfuscation tools, allowing us to reliably extract Indicators of Compromise (IoCs) and other critical forensics information. Our experiments demonstrate the effectiveness of our approach, especially in deobfuscating novel malicious documents that make heavy use of environment variables and are often not identified by commercial anti-virus software.
Authored by Nicola Ruaro, Fabio Pagani, Stefano Ortolani, Christopher Kruegel, Giovanni Vigna
SDN represents a significant advance for the telecom world, since the decoupling of the control and data planes offers numerous advantages in terms of management dynamism and programmability, mainly due to its software-based centralized control. Unfortunately, these features can be exploited by malicious entities, who take advantage of the centralized control to extend the scope and consequences of their attacks. When this happens, both the legal and network technical fields are concerned with gathering information that will lead them to the root cause of the problem. Although forensics and incident response processes share their interest in the event information, both operate in isolation due to the conceptual and pragmatic challenges of integrating them into SDN environments, which affects the resources and time required for information analysis. Given these limitations, the current work focuses on proposing a framework for SDNs that combines the above approaches to optimize the resources to deliver evidence, incorporate incident response activation mechanisms, and generate assumptions about the possible origin of the security problem.
Authored by Maria Jimenez, David Fernandez
With the rapid development of information science and technology, the role of the Internet in daily life is becoming more and more important, but while it brings speed and convenience to the experience, network security issues are endless, and fighting cybercrime will be an eternal topic. In recent years, new types of cyberattacks have made defense and analysis difficult. For example, memory-resident network attacks leave some key evidence only temporarily in physical memory, which puts forward higher requirements for attack detection. The traditional memory forensic analysis method for persistent data is no longer suitable for analyzing this new type of network attack. The continuous development of memory forensics gives people hope. This paper proposes a network attack detection model based on memory forensic analysis to detect whether the system is under attack. Through experimental analysis, this model can effectively detect network attacks with low overhead and easy deployment, providing a new idea for network attack detection.
Authored by Zipan Zhang, Zhaoyuan Liu, Jiaqing Bai
There is an increase in interest and necessity for an interoperable and efficient railway network across Europe, creating a key distribution problem between train and trackside entities' key management centres (KMC). Train and trackside entities establish a secure session using symmetric keys (KMAC) loaded beforehand by their respective KMC using procedures that are not scalable and are prone to operational mistakes. A single system would simplify KMAC distribution between KMCs; nevertheless, it is difficult to place the responsibility for such a system for the whole European area within one central organization. A single system could also expose relationships between KMCs, revealing information such as plans to use an alternative route or serve a new region, jeopardizing competitive advantage. This paper proposes a scalable and decentralised key management system that allows KMCs to share cryptographic keys using transactions while keeping relationships anonymous. Using non-interactive proofs of knowledge and assigning each entity a private and public key, private key owners can issue valid transactions while all system actors can validate them. Our performance analysis shows that the proposed system is scalable when a proof of concept is implemented with settings close to the expected railway landscape in 2030.
Authored by David Kester, Tianyu Li, Zekeriya Erkin
Efficient large-scale biometric identification is a challenging open problem in biometrics today. Adding biometric information protection by cryptographic techniques increases the computational workload even further. Therefore, this paper proposes an efficient and improved use of coefficient packing for homomorphically protected biometric templates, allowing for the evaluation of multiple biometric comparisons at the cost of one. In combination with feature dimensionality reduction, the proposed technique facilitates a quadratic computational workload reduction for biometric identification, while long-term protection of the sensitive biometric data is maintained throughout the system. In previous works on using coefficient packing, only a linear speed-up was reported. In an experimental evaluation on a public face database, efficient identification in the encrypted domain is achieved on off-the-shelf hardware with no loss in recognition performance. In particular, the proposed improved use of coefficient packing allows for a computational workload reduction down to 1.6% of a conventional homomorphically protected identification system without improved packing.
Authored by Pia Bauspieß, Jonas Olafsson, Jascha Kolberg, Pawel Drozdowski, Christian Rathgeb, Christoph Busch
Intrusion detection for Controller Area Network (CAN) protocol requires modern methods in order to compete with other electrical architectures. Fingerprint Intrusion Detection Systems (IDS) provide a promising new approach to solve this problem. By characterizing network traffic from known ECUs, hazardous messages can be discriminated. In this article, a modified version of Fingerprint IDS is employed utilizing both step response and spectral characterization of network traffic via neural network training. With the addition of feature set reduction and hyperparameter tuning, this method accomplishes a 99.4% detection rate of trusted ECU traffic.
Authored by Kunaal Verma, Mansi Girdhar, Azeem Hafeez, Selim Awad
Because it is web-based, the EJBCA digital signature server may have vulnerabilities. The list of web-based vulnerabilities can be found in OWASP's Top 10 2021. Anticipating attacks with an effective and efficient forensics application is necessary. The concept of digital forensic readiness can be applied as a pre-incident plan with a digital forensic lifecycle pipeline to establish an efficient forensic process. Managing digital evidence in the pre-incident plan includes data collection, examination, analysis, and a findings report. Based on this concept, we designed an information system that carries out the entire flow and provides attack evidence collection, visualization of attack statistics in an executive summary, mitigation recommendations, and forensic report generation in physical form when needed. This research offers an information system that can support the digital forensic process and maintain the integrity of the web-based EJBCA digital signature server.
Authored by Ihsan Rasyid, Luqman Zagi, Suhardi
In this paper, we propose a novel watermarking-based copy deterrence scheme for identifying data leaks through authorized query users in secure image outsourcing systems. The scheme generates watermarks unique to each query user, which are embedded in the retrieved encrypted images. Upon unauthorized distribution, the watermark embedded in the image is extracted to determine the untrustworthy query user. Experimental results show that the proposed scheme achieves minimal information loss, faster embedding and better resistance to JPEG compression attacks compared with the state-of-the-art schemes.
Authored by J. Anju, R. Shreelekshmi