WSDF

Internet of Things (IoT) plays a significant role in our daily lives as interconnection and automation positively impact our societal needs. In contrast to traditional devices, IoT devices require connectivity and data sharing to operate effectively. This interaction necessitates that data resides on multiple platforms and often across different locations, posing challenges from a digital forensic investigator’s perspective. Recovering a full trail of data requires piecing together elements from various devices and locations. IoT-based forensic investigations include an increasing quantity of objects of forensic interest, the uncertainty of device relevance in terms of digital artifacts or potential data, blurry network boundaries, and edgeless networks, each of which poses new challenges for the identification of significant forensic artifacts. One example of the positive societal impact of IoT devices is that of Humanoid robots, with applications in public spaces such as assisted living, medical facilities, and airports. These robots use IoT to provide varying functionality but rely heavily on supervised learning to customize their utilization of the IoT to various environments. A humanoid robot can be a rich source of sensitive data about individuals and environments, and this data may assist in digital investigations, delivering additional information during a crime investigation. In this paper, we present our case study on the Zenbo Humanoid Robot, exploring how Zenbo could be a witness to a crime. In our experiments, a forensic examination was conducted on the robot to locate all useful evidence from multiple locations, including root-level directories using logical acquisition.

This paper presents a comprehensive digital forensic analysis of the social media platforms Threads and Bluesky, juxtaposing their unique architectures and functionalities against X. This research fills a gap in the extant literature by offering a novel forensic analy- sis of Threads and Bluesky, based on established techniques. Mobile forensic analysis of both platforms yielded few results. Network analysis produced a variety of artifacts for Bluesky, including plain- text passwords. Threads proved to be robust, and a presentation of its security and API flow is presented. A detailed depiction of the forensic analysis performed for this paper is presented to aid future investigators.

The Steam Deck, developed by Valve, combines handheld gaming with desktop functionality, creating unique challenges for digital forensics due to its Linux-based SteamOS and its stripped symbol tables. This research addresses how to conduct reliable memory forensics on the Steam Deck. Employing the ~\ac{LiME} and Volatility 3, we acquire and analyze volatile memory, a process complicated by Steam's stripped symbol table that obscures forensic reconstruction of memory structures. Our approach reconstructs these symbols and adapts forensic tools to the Steam Deck’s architecture. Our results include the successful generation and validation of symbol tables and the patching of profiles to align with system configurations. During gameplay, we observed a significant increase in platform-related and game-related processes, highlighting the system's dynamic operation while gaming. These findings contribute to improving forensic methodologies for similar Linux-based devices, enhancing our capability to extract valuable forensic data from modern gaming consoles.

In the rapidly evolving landscape of cloud computing, containerization technologies such as Docker and Kubernetes have become instrumental in deploying, scaling, and managing applications. However, these containers pose unique challenges for memory forensics due to their ephemeral nature. As memory forensics is a crucial aspect of incident response, our work combats these challenges by acquiring a deeper understanding of the containers, leading to the development of a novel, scalable tool for container memory forensics. Through experimental and computational analyses, our work investigates the forensic capabilities of container checkpoints, which capture a container's state at a specific moment in time. We introduce \textit{ConPoint}, a tool created for the collection of these checkpoints. We focused on three primary research questions: \textit{What is the most forensically sound approach for checkpointing a container's memory and filesystem?}, \textit{How long does the volatile memory evidence reside in memory?}, and \textit{How long does the checkpoint process take on average to complete?} Our proposed approach allowed us to successfully take checkpoints, and recover all intentionally planted artifacts, that is artifacts generated at runtime from the tested container checkpoints. Our experiments determined the average time for checkpointing a container to be 0.537 seconds by acquiring a total of $(n=45)$ checkpoints from containers running different databases. The proposed work demonstrates the pragmatic feasibility of implementing checkpointing as an overarching strategy for container memory forensics and incident response.

Sustainability has become a crucial aspect of modern society and research. The emerging fusion of digital spaces with societal functions highlights the importance of sustainability. With digital technologies becoming essential, cybersecurity and digital forensics are gaining prominence. While cybersecurity's role in sustainability is recognized, sustainable practices in digital forensics are still in their early stages. This paper presents a holistic view of innovative approaches for the sustainable design and management of digital forensics concerning people, processes, and technology. It outlines how these aspects contribute to sustainability, which aligns with the core principles of economic viability, social equity, and environmental responsibility. As a result, this approach provides novel perspectives on the development of sustainability in the field of digital forensics.

Recognising IoT devices through network fingerprinting contributes to enhancing the security of IoT networks and supporting forensic activities. Machine learning techniques have been extensively utilised in the literature to optimize IoT fingerprinting accuracy. Given the rapid proliferation of new IoT devices, a current challenge in this field is around how to make IoT fingerprinting scalable, which involves efficiently updating the used machine learning model to enable the recognition of new IoT devices. Some approaches have been proposed to achieve scalability, but they all suffer from limitations like large memory requirements to store training data and accuracy decrease for older devices.

In this paper, we propose ScaNeF-IoT, a novel scalable network fingerprinting approach for IoT devices based on online stream learning and features extracted from fixed-size session payloads. Employing online stream learning allows to update the model without retaining training data. This, alongside relying on fixed-size session payloads, enables scalability without deteriorating recognition accuracy. We implement ScaNeF-IoT by analysing TPC/UDP payloads and utilising the Aggregated Mandrian Forest as the online stream learning algorithm. We provide a preliminary evaluation of ScaNeF-IoT accuracy and how it is affected as the model is updated iteratively to recognise new IoT devices. Furthermore, we compare ScaNeF-IoT accuracy with other IoT fingerprinting approaches, demonstrating that it is comparable to the state of the art and does not worsen as the classifier model is updated, despite not requiring to retain any training data for older IoT devices.

The NTFS file system contains crucial (meta-)information that plays a significant role in forensic analysis. Among these details are the eight file timestamps, which serve as the foundation for constructing a reliable timeline. However, beyond their temporal significance, these timestamps also harbor valuable clues. Specifically, the patterns of file handling by user programs are reflected in these timestamps. By analyzing these "fingerprint" patterns, it becomes possible to identify the applications responsible for creating and editing files. This discovery facilitates event reconstruction in digital forensics investigations.

In this study, we explore the extent to which timestamp patterns can be harnessed for application fingerprinting. Our approach involves creating classification models based on neural networks and evaluating their performance using established machine learning metrics. The results demonstrate that analyzing user file timestamps allows us to associate and narrow down potential user programs for specific file types and applications. By automating this process, we significantly reduce the analysis phase duration in forensic investigations, providing relief to resource-constrained IT forensic experts. This novel application fingerprinting method enables swift initial assessments of programs involved in cybercrime incidents.

Swap memory plays a critical role in modern operating systems' memory management. This paper explores the potential for manipulating swap memory to alter memory content at runtime and thereby control the behaviour of the target system. While conventional memory security techniques typically focus on preventing runtime manipulation of memory pages, they often overlook the moment when pages are swapped and later reloaded into memory. Therefore, we investigate the feasibility of manipulating swap memory and describe the necessary steps of extracting involved memory areas as well as techniques to force swapping of relevant processes. We verify this theoretical concept with a prototype implementing a manipulation of memory of a given program.

Linking attacks to the actors responsible is a critical part of threat analysis. Threat attribution, however, is challenging. Attackers try to avoid detection and avert attention to mislead investigations. The trend of attackers using malicious services provided by third parties also makes it difficult to discern between attackers and providers. Besides that, having a security team doing manual-only analysis might overwhelm analysts. As a result, the effective use of any trustworthy information for attribution is paramount, and automating this process is valuable. For this purpose, we propose an approach to perform automated attribution with a source of reliable information currently underutilised, the DNS patterns used by attackers. Our method creates recommendations based on similar patterns observed between a new incident and already attributed attacks and then generates a list of the most similar attacks. We show that our approach can, at ten recommendations, achieve 0.8438 precision and 0.7378 accuracy. We also show that DNS patterns have a short lifespan, allowing their utility even in more recent knowledge bases.

We perform an in-depth, quantitative examination of a prominent app by studying the content it sends to users, including minors. Whisper is a popular app that encourages interactions among anonymous users posting short confessional-style texts overlaid on images. We instrumented a system to collect Whisper data over a nine-week period, consisting of 23,516 unique posts. We trained classifiers to detect sexual content appearing in the text content of these posts, estimating 23\% contain sexual content, including requests to meet up for sex with strangers. Whisper's lowest age rating is set for children 13 and older. Our characterization of the collected Whisper data yielded insight into the content circulating the social media platform such as frequency of posts with detected sexual content, community behavior, and age rating compliance. Our data collection and annotation methodology yielded insight into the limitations of accurately detect age-inappropriate content and potential dangers apps may pose to children.