International Workshop on Child Online Safety and Harms
Jul 31, 2024
SR05
08:45 - 16:45
Workshop Chairs
Virginia N. L. Franqueira
Tatiana Ringenberg
Jayati Dev
Brian N. Levine
Accepted Paper
Forensic Analysis of Artifacts from Microsoft’s Multi-Agent LLM Platform AutoGen
Clinton Walker (Louisiana State University, United States), Taha Gharaibeh (Louisiana State University, United States), Ruba Alsmadi (Louisiana State University, United States), Cory Hall (MITRE, United States), Ibrahim Baggili (Louisiana State University, United States)
Full Paper
Innovations in technology bring new challenges that need to be addressed, especially in the field of technical artifact discovery and analysis that enables digital forensic practitioners. Digital forensic analysis of these innovations is a constant challenge for digital investigators. In the rapidly evolving landscape of Artificial Intelligence (AI), keeping up with the digital forensic analysis of each new tool is a difficult task. New, advanced Large Language Models (LLMs) can produce human-like artifacts because of their complex textual processing capabilities. One of the newest innovations is a multi-agent LLM framework by Microsoft called AutoGen. AutoGen enables the creation of a team of specialist LLM-backed agents where the agents "chat" with each other to plan, iterate, and determine when a given task is complete. Typically one of the agents represents the human user while the other agents work autonomously after the human gives each agent a responsibility on the team. Thus, from a digital forensics perspective, it is necessary to determine which artifacts are created by the human user and which artifacts are created by the autonomous agents. Analysis in this work indicates that the current implementation of AutoGen has little in artifacts for attribution outside of particular memory artifacts, yet has strong indicators of usage in disk and network artifacts. Our research provides the initial account on the digital artifacts of the LLM technology AutoGen and first artifact examination for an LLM framework.
Forensic Investigation of Humanoid Social Robot: A Case Study on Zenbo Robot
Farkhund Iqbal (Zayed University, United Arab Emirates), Abdullah Kazim (Zayed University, United Arab Emirates), Aine MacDermott (Liverpool John Moores University, Liverpool, UK, United Kingdom), Richard Ikuesan (Zayed University, United Arab Emirates), Musaab Hassan (University of Science and Technology of Fujairah, United Arab Emirates), Andrew Marrington (Zayed University, United Arab Emirates)
Full Paper
Internet of Things (IoT) plays a significant role in our daily lives as interconnection and automation positively impact our societal needs. In contrast to traditional devices, IoT devices require connectivity and data sharing to operate effectively. This interaction necessitates that data resides on multiple platforms and often across different locations, posing challenges from a digital forensic investigator’s perspective. Recovering a full trail of data requires piecing together elements from various devices and locations. IoT-based forensic investigations include an increasing quantity of objects of forensic interest, the uncertainty of device relevance in terms of digital artifacts or potential data, blurry network boundaries, and edgeless networks, each of which poses new challenges for the identification of significant forensic artifacts. One example of the positive societal impact of IoT devices is that of Humanoid robots, with applications in public spaces such as assisted living, medical facilities, and airports. These robots use IoT to provide varying functionality but rely heavily on supervised learning to customize their utilization of the IoT to various environments. A humanoid robot can be a rich source of sensitive data about individuals and environments, and this data may assist in digital investigations, delivering additional information during a crime investigation. In this paper, we present our case study on the Zenbo Humanoid Robot, exploring how Zenbo could be a witness to a crime. In our experiments, a forensic examination was conducted on the robot to locate all useful evidence from multiple locations, including root-level directories using logical acquisition.
Blue Skies from (X’s) Pain: A Digital Forensic Analysis of Threads and Bluesky
Joseph Brown (Louisiana State University, United States), Abdur Rahman Onik (Louisiana State University, United States), Ibrahim Baggili (Louisiana State University, United States)
Full Paper
This paper presents a comprehensive digital forensic analysis of the social media platforms Threads and Bluesky, juxtaposing their unique architectures and functionalities against X. This research fills a gap in the extant literature by offering a novel forensic analysis of Threads and Bluesky, based on established techniques. Mobile forensic analysis of both platforms yielded few results. Network analysis produced a variety of artifacts for Bluesky, including plaintext passwords. Threads proved to be robust, and a presentation of its security and API flow is presented. A detailed depiction of the forensic analysis performed for this paper is presented to aid future investigators.
Give Me Steam: A Systematic Approach for Handling Stripped Symbols in Memory Forensics of the Steam Deck
Ruba Alsmadi (Louisiana State University, United States), Taha Gharaibeh (Louisiana State University, United States), Andrew Webb (Louisiana State University, United States), Ibrahim Baggili (Louisiana State University, United States)
Full Paper
The Steam Deck, developed by Valve, combines handheld gaming with desktop functionality, creating unique challenges for digital forensics due to its Linux-based SteamOS and its stripped symbol tables. This research addresses how to conduct reliable memory forensics on the Steam Deck. Employing the Linux Memory Extractor (LiME) and Volatility 3, we acquire and analyze volatile memory, a process complicated by Steam's stripped symbol table that obscures forensic reconstruction of memory structures. Our approach reconstructs these symbols and adapts forensic tools to the Steam Deck’s architecture. Our results include the successful generation and validation of symbol tables and the patching of profiles to align with system configurations. During gameplay, we observed a significant increase in platform-related and game-related processes, highlighting the system's dynamic operation while gaming. These findings contribute to improving forensic methodologies for similar Linux-based devices, enhancing our capability to extract valuable forensic data from modern gaming consoles.
Don’t, Stop, Drop, Pause: Forensics of CONtainer CheckPOINTs (ConPoint)
Taha Gharaibeh (Louisiana State University, United States), Steven Seiden (Louisiana State University, United States), Mohamed Abouelsaoud (Louisiana State University, United States), Elias Bou-Harb (Louisiana State University, United States), Ibrahim Baggili (Louisiana State University, United States)
Full Paper
In the rapidly evolving landscape of cloud computing, containerization technologies such as Docker and Kubernetes have become instrumental in deploying, scaling, and managing applications. However, these containers pose unique challenges for memory forensics due to their ephemeral nature. As memory forensics is a crucial aspect of incident response, our work combats these challenges by acquiring a deeper understanding of the containers, leading to the development of a novel, scalable tool for container memory forensics. Through experimental and computational analyses, our work investigates the forensic capabilities of container checkpoints, which capture a container's state at a specific moment in time. We introduce ConPoint, a tool created for the collection of these checkpoints. We focused on three primary research questions: "What is the most forensically sound approach for checkpointing a container's memory and filesystem?", "How long does the volatile memory evidence reside in memory?", and "How long does the checkpoint process take on average to complete?" Our proposed approach allowed us to successfully take checkpoints, and recover all intentionally planted artifacts, that is artifacts generated at runtime from the tested container checkpoints. Our experiments determined the average time for checkpointing a container to be 0.537 seconds by acquiring a total of (n=45) checkpoints from containers running different databases. The proposed work demonstrates the pragmatic feasibility of implementing checkpointing as an overarching strategy for container memory forensics and incident response.
Sabrina Friedl (University of Regensburg, Germany), Charlotte Zajewski (Universität Regensburg, Germany), Günther Pernul (Universität Regensburg, Germany)
Full Paper
Sustainability has become a crucial aspect of modern society and research. The emerging fusion of digital spaces with societal functions highlights the importance of sustainability. With digital technologies becoming essential, cybersecurity and digital forensics are gaining prominence. While cybersecurity's role in sustainability is recognized, sustainable practices in digital forensics are still in their early stages. This paper presents a holistic view of innovative approaches for the sustainable design and management of digital forensics concerning people, processes, and technology. It outlines how these aspects contribute to sustainability, which aligns with the core principles of economic viability, social equity, and environmental responsibility. As a result, this approach provides novel perspectives on the development of sustainability in the field of digital forensics.
ScaNeF-IoT: Scalable Network Fingerprinting for IoT Device
Tadani Nasser Alyahya (University of Southampton School of Electronics and Computer Science, United Kingdom), Leonardo Aniello (University of Southampton School of Electronics and Computer Science, United Kingdom), Vladimiro Sassone (University of Southampton School of Electronics and Computer Science, United Kingdom)
Full Paper
Recognising IoT devices through network fingerprinting contributes to enhancing the security of IoT networks and supporting forensic activities. Machine learning techniques have been extensively utilised in the literature to optimize IoT fingerprinting accuracy. Given the rapid proliferation of new IoT devices, a current challenge in this field is around how to make IoT fingerprinting scalable, which involves efficiently updating the used machine learning model to enable the recognition of new IoT devices. Some approaches have been proposed to achieve scalability, but they all suffer from limitations like large memory requirements to store training data and accuracy decrease for older devices.
In this paper, we propose ScaNeF-IoT, a novel scalable network fingerprinting approach for IoT devices based on online stream learning and features extracted from fixed-size session payloads. Employing online stream learning allows updating the model without retaining training data. This, alongside relying on fixed-size session payloads, enables scalability without deteriorating recognition accuracy. We implement ScaNeF-IoT by analysing TCP/UDP payloads and utilising the Aggregated Mondrian Forest as the online stream learning algorithm. We provide a preliminary evaluation of ScaNeF-IoT accuracy and how it is affected as the model is updated iteratively to recognise new IoT devices. Furthermore, we compare ScaNeF-IoT accuracy with other IoT fingerprinting approaches, demonstrating that it is comparable to the state of the art and does not worsen as the classifier model is updated, despite not needing to retain any training data for older IoT devices.
Timestamp-based Application Fingerprinting in NTFS
Michael Galhuber (Wittur Group, Austria), Robert Luh (St. Pölten University of Applied Sciences, Austria)
Full Paper
The NTFS file system contains crucial (meta-)information that plays a significant role in forensic analysis. Among these details are the eight file timestamps, which serve as the foundation for constructing a reliable timeline. However, beyond their temporal significance, these timestamps also harbor valuable clues. Specifically, the patterns of file handling by user programs are reflected in these timestamps. By analyzing these "fingerprint" patterns, it becomes possible to identify the applications responsible for creating and editing files. This discovery facilitates event reconstruction in digital forensics investigations.
In this study, we explore the extent to which timestamp patterns can be harnessed for application fingerprinting. Our approach involves creating classification models based on neural networks and evaluating their performance using established machine learning metrics. The results demonstrate that analyzing user file timestamps allows us to associate and narrow down potential user programs for specific file types and applications. By automating this process, we significantly reduce the analysis phase duration in forensic investigations, providing relief to resource-constrained IT forensic experts. This novel application fingerprinting method enables swift initial assessments of programs involved in cybercrime incidents.
Manipulating the Swap Memory for Forensic Investigation
Maximilian Olbort (FernUniversität in Hagen, Germany), Daniel Spiekermann (FH Dortmund, Germany), Jörg Keller (FernUniversität in Hagen, Germany)
Full Paper
Swap memory plays a critical role in modern operating systems' memory management. This paper explores the potential for manipulating swap memory to alter memory content at runtime and thereby control the behaviour of the target system. While conventional memory security techniques typically focus on preventing runtime manipulation of memory pages, they often overlook the moment when pages are swapped and later reloaded into memory. Therefore, we investigate the feasibility of manipulating swap memory and describe the necessary steps of extracting involved memory areas as well as techniques to force swapping of relevant processes. We verify this theoretical concept with a prototype implementing a manipulation of memory of a given program.
Using DNS Patterns for Automated Cyber Threat Attribution
Cristoffer Leite (Eindhoven University of Technology, Netherlands), Jerry Den Hartog (Eindhoven University of Technology, Netherlands), Daniel Ricardo dos Santos (Forescout Technologies, Netherlands)
Full Paper
Linking attacks to the actors responsible is a critical part of threat analysis. Threat attribution, however, is challenging. Attackers try to avoid detection and avert attention to mislead investigations. The trend of attackers using malicious services provided by third parties also makes it difficult to discern between attackers and providers. Besides that, having a security team doing manual-only analysis might overwhelm analysts. As a result, the effective use of any trustworthy information for attribution is paramount, and automating this process is valuable. For this purpose, we propose an approach to perform automated attribution with a source of reliable information currently underutilised, the DNS patterns used by attackers. Our method creates recommendations based on similar patterns observed between a new incident and already attributed attacks and then generates a list of the most similar attacks. We show that our approach can, at ten recommendations, achieve 0.8438 precision and 0.7378 accuracy. We also show that DNS patterns have a short lifespan, allowing their utility even in more recent knowledge bases.
A Quantitative Analysis of Inappropriate Content, Age Rating Compliance, and Risks to Youth on the Whisper Platform
Jeng-Yu Chou (University of Massachusetts Amherst, United States), Brian Levine (University of Massachusetts Amherst, United States)
Full Paper
We perform an in-depth, quantitative examination of a prominent app by studying the content it sends to users, including minors. Whisper is a popular app that encourages interactions among anonymous users posting short confessional-style texts overlaid on images. We instrumented a system to collect Whisper data over a nine-week period, consisting of 23,516 unique posts. We trained classifiers to detect sexual content appearing in the text content of these posts, estimating 23% contain sexual content, including requests to meet up for sex with strangers. Whisper's lowest age rating is set for children 13 and older. Our characterization of the collected Whisper data yielded insight into the content circulating the social media platform such as frequency of posts with detected sexual content, community behavior, and age rating compliance. Our data collection and annotation methodology yielded insight into the limitations of accurately detecting age-inappropriate content and potential dangers apps may pose to children.
International Workshop on Child Online Safety and Harms to be held in conjunction with the 19th International Conference on Availability, Reliability and Security
The opportunities that online services and communication provide to children (i.e., individuals under 18 years of age) are endless – e.g., for socialisation, entertainment and education. However, the potential for harm affecting their safety, wellbeing, privacy and security is proportionally high. This workshop invites studies from different disciplines and perspectives to better understand problems and trade-offs, propose new age-appropriate solutions, mitigate harms, evaluate existing approaches, and discuss practical or research challenges. We welcome novel contributions in the format of position papers, research papers, and empirical papers (e.g., case studies) involving stakeholders such as researchers, industry practitioners, policy makers, safeguarding professionals, and NGO advocates.
Best Paper
The best paper award will be sponsored by the Institute of Cyber Security for Society (iCSS), University of Kent, UK. The decision criterion will consider both the paper quality and the oral presentation quality.
Keynote COSH
Mediatized Childhood: Navigating the Opportunities and Risks in an Ever-Connected World
Today, children are immersed in and exposed to media from the moment of their birth or even before (e.g., through ultrasound pictures shared on Social Media). Childhood under these circumstances can be termed a mediatized childhood, with media such as tablet computers, smartphones, and their applications being ubiquitous. Throughout childhood, media function not only as tools for communication and networking but also as status symbols, sources of orientation and means of self-representation. Consequently, they exert a significant influence on children's identity formation. The effects of a mediatized childhood on the young are complex and contingent upon various contextual factors, with education being particularly noteworthy. Numerous studies have shown that the extent to which children benefit from media in their development often relies on their parents' level of education. Depending on such circumstances, as well as situational factors, one and the same phenomenon can manifest both as an opportunity and a risk. For instance, while social media can foster social inclusivity by connecting people, it can also facilitate destructive communication, such as hate speech or cyberbullying. Media literacy, defined as the ability to use media in a responsible, safe, and self-determined way, is regarded as pivotal for maximizing benefits and mitigating harm. However, such competencies do not naturally develop through media usage alone. Children require active support and guidance in their media practices. This responsibility cannot be solely delegated to parents, who are indeed crucial role models and co-educators, but also demands heightened attention and prioritization on the political agenda.
About the Speaker
Caroline Roth-Ebner is an associate professor at the University of Klagenfurt, Austria. Her primary research areas include mediatization processes across various domains, particularly the mediatization of childhood and office work. She investigates children and youth media usage and the commercialization and mediatization of childhood, focusing on qualitative research methods. She has contributed to discussions on children's media consumption environments and parental mediation, as evidenced by her publication in Communications in 2022. Her habilitation thesis in 2014 examined the mediatization of office work, while her doctoral thesis in 2007 explored youth perceptions of a TV casting show.
Topics of interest include, but are not limited to
Characteristics of children’s usage of online services/platforms according to age range
Age-appropriate design and auditing
Assessment of risks and harms posed to children online
Trade-offs between different goals, e.g., privacy vs. safety, risks vs. children rights
Age estimation, recognising child users, and discriminating children of different age range
Children’s data privacy and protection
Evaluation of existing mitigations and solutions to protect children online
Education of children about cyber security and online safety
Pedagogy and empirical evaluation of practices for cyber security education of children
Challenges of research involving children
Regulations and jurisdictional issues related to protection of children online
Workshop Chairs
Virginia N. L. Franqueira | University of Kent, UK
Tatiana Ringenberg | Purdue University, US
Jayati Dev | Comcast Cyber Security Research, US
Brian N. Levine | University of Massachusetts Amherst, US
Program Committee
Oshrat Ayalon | University of Haifa, IL
Clay Shields | Georgetown University, US
Neidi De Carvalho | UNICEF, NL
Diana Freed | Brown University, US
Tracee Green | University of Kent, UK
Shelby Grossman | Stanford Internet Observatory, US
Veronika Kalmus | University of Tartu, EE
Juliane Kloess | University of Birmingham, UK
Shujun Li | University of Kent, UK
Rebecca Portnoff | Thorn, US
Chad Steel | George Mason University, US
Bryce Westlake | San Jose State University, US
Christine Trueltzsch-Wijnen | Salzburg University of Education, AT & Charles University, CZ
Submission Guidelines
The submission guidelines valid for the workshop are the same as for the ARES conference.