
2024 | Book

Digital Forensics and Cyber Crime

14th EAI International Conference, ICDF2C 2023, New York City, NY, USA, November 30, 2023, Proceedings, Part II


About this book

The two-volume set LNICST 570 and 571 constitutes the refereed post-conference proceedings of the 14th EAI International Conference on Digital Forensics and Cyber Crime, ICDF2C 2023, held in New York City, NY, USA, on November 30, 2023.

The 41 revised full papers presented in these proceedings were carefully reviewed and selected from 105 submissions. The papers are organized in the following topical sections:
Volume I:
Crime profile analysis and Fact checking, Information hiding and Machine learning.

Volume II:
Password, Authentication and Cryptography, Vulnerabilities and Cybersecurity and forensics.

Table of Contents

Frontmatter

Password, Authentication and Cryptography

Frontmatter
A Quantum Physics Approach for Enabling Information-Theoretic Secure Communication Channels
Abstract
Quantum communication, a field of applied quantum physics, is closely tied to quantum teleportation and quantum information processing, with a primary focus on leveraging the laws of quantum mechanics to secure communication systems. An intriguing application within this field is the protection of information channels from unauthorized eavesdropping through the implementation of quantum cryptography. Quantum key distribution (QKD) represents the most advanced and well-known application of quantum cryptography. QKD utilizes quantum mechanical effects for cryptographic tasks and breaking cryptographic systems. This study aims to explore the potential of employing quantum mechanics laws to enhance the security of communication systems. The QKD system operates on a simple principle, where two parties, Alice (the sender) and Bob (the receiver), utilize individual photons randomly polarized to represent bits 0 and 1, respectively. These photons are used to transmit a series of random numbers, serving as cryptographic keys. The parties are connected via classical and quantum channels, with Alice generating a random stream of qubits transmitted through the quantum channel. By performing classical operations over the classical channel, Alice and Bob verify if any eavesdropping attempts have occurred during qubit transfer. The presence of an eavesdropper is identified through the imperfect correlation between the two sets of bits obtained after qubit transmission. A vital aspect of robust encryption schemes is the utilization of true randomness, which can be easily generated using quantum optics. Quantum communication holds promising applications in diverse sectors, including banking, government, industry, and military domains. This research seeks to investigate the possibilities of leveraging quantum mechanics laws to fortify communication systems’ security.
Ivan Cvitić, Dragan Peraković
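The abstract above describes the QKD principle in words: random bits on randomly polarized photons, basis reconciliation over the classical channel, and eavesdropper detection through the imperfect correlation of the two bit strings. The following simulation is an added example, not code from the paper. It models a BB84-style exchange with an intercept-resend eavesdropper and estimates the quantum bit error rate (QBER) from a sacrificed sample of the sifted key; the basis labels, the even/odd split of sifted bits, and the 11% abort threshold are assumptions chosen for the example.

```python
import random

BASES = ("+", "x")           # rectilinear and diagonal polarization bases (labels are ours)
QBER_ABORT_THRESHOLD = 0.11  # assumed abort threshold for this example (the usual BB84 figure)


def measure(bit, prep_basis, meas_basis, rng):
    """A photon measured in the basis it was prepared in yields the prepared
    bit; measured in the other basis it yields a uniformly random bit.  This
    randomness is what makes an intercept-resend eavesdropper visible."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def transmit(bits, prep_bases, meas_bases, rng):
    """One pass over the quantum channel: each photon is measured by whoever
    holds meas_bases (Eve or Bob)."""
    return [measure(b, p, m, rng) for b, p, m in zip(bits, prep_bases, meas_bases)]


def run_bb84(n, eve=False, seed=None):
    """Simulate n photon transmissions; return sifting and error statistics."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]

    if eve:
        # Intercept-resend: Eve measures in random bases and re-emits photons
        # prepared in her bases, carrying her (possibly wrong) results.
        eve_bases = [rng.choice(BASES) for _ in range(n)]
        sent_bits = transmit(alice_bits, alice_bases, eve_bases, rng)
        sent_bases = eve_bases
    else:
        sent_bits, sent_bases = alice_bits, alice_bases
    bob_bits = transmit(sent_bits, sent_bases, bob_bases, rng)

    # Classical channel, step 1 (sifting): Alice and Bob publish their bases
    # and keep only the positions where they agree.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    a_sift = [alice_bits[i] for i in keep]
    b_sift = [bob_bits[i] for i in keep]

    # Classical channel, step 2 (error estimation): sacrifice every other
    # sifted bit by comparing it in the clear; the rest becomes the raw key.
    test_idx = range(0, len(keep), 2)
    key_idx = range(1, len(keep), 2)
    errors = sum(a_sift[i] != b_sift[i] for i in test_idx)
    qber = errors / max(1, len(test_idx))
    key_a = [a_sift[i] for i in key_idx]
    key_b = [b_sift[i] for i in key_idx]
    return {
        "sifted": len(keep),
        "qber": qber,
        "eavesdropper_detected": qber > QBER_ABORT_THRESHOLD,
        "keys_match": key_a == key_b,
        "key_bits": len(key_a),
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(2000, eve=eve, seed=1)
        print(f"eve={eve}: sifted={r['sifted']} qber={r['qber']:.3f} "
              f"detected={r['eavesdropper_detected']} keys_match={r['keys_match']}")
```

Without an eavesdropper the sifted strings agree exactly; with intercept-resend about a quarter of the sifted bits disagree (Eve guesses the wrong basis half the time, and a wrong-basis re-emission gives Bob a random bit half the time), which is far above any realistic channel noise and triggers the abort.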
Learning Framework for Guessing Alphanumeric Passwords on Mobile Phones Based on User Context and Fragment Semantics
Abstract
When conducting a criminal investigation, accessing mobile phone data is crucial for law enforcement. However, encryption mechanisms and user locks are becoming increasingly complex and more challenging for forensic examiners. Although there are tools that can perform brute-force attacks to crack passwords on mobile phones, it becomes difficult when faced with alphanumeric passwords. The challenge is not only the algorithm but also the use of a customized dictionary. It is impractical to use a complete dictionary with all possible combinations as the attack conditions are very restrictive, and the time it takes to crack the password becomes too long depending on its length. In this article, we present a learning framework based on a set of dictionaries, variation rules, and fragment permutations. Dictionaries are organized from different perspectives of personal data, open sources, and groups of contexts. The naming and ordering of the dictionary help digital forensics examiners strategize and improve their chances of success in cracking alphanumeric passwords.
Lilian Noronha Nassif, Jonny Silva de Oliveira
Password Managers and Vault Application Security and Forensics: Research Challenges and Future Opportunities
Abstract
Password manager and vault applications can be used by users to select strong passwords as well as to store user credentials locally or in the cloud. Such apps have been studied by various security researchers, for example in identifying potential vulnerabilities and bugs, as well as proposing techniques to forensically recover artifacts of interest/relevance to an investigation, which is also the focus of this paper. Specifically, we review the extant literature on the security and forensics of password manager and vault applications with the objective of identifying existing limitations and challenges.
Aleck Nash, Kim-Kwang Raymond Choo
Lattice-Based Secret Sharing Scheme (Chinese Remainder Theorem)
Abstract
Secret sharing schemes are used as a tool in many cryptographic protocols, including revocable electronic cash, electronic voting, cloud computing and key management in sensor networks. However, the existing post-quantum secret sharing schemes are all based on Shamir’s (t, n) threshold scheme; there is currently no post-quantum secret sharing scheme based on the Chinese Remainder Theorem (CRT), so we construct a verifiable lattice-based secret sharing scheme using some number theory methods and interaction methods. Furthermore, we prove our scheme is safe in the post-quantum era. Finally, we compare our scheme with other schemes, and the comparison shows that our scheme is more efficient and occupies less memory.
Songshou Dong, Yanqing Yao, Yihua Zhou, Yuguang Yang
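The abstract contrasts Shamir-style (t, n) sharing with sharing based on the Chinese Remainder Theorem. As an added example that is not the paper's lattice scheme and contains no lattice component, the code below implements the classical CRT-based threshold scheme of Asmuth and Bloom: the secret is lifted to y = secret + α·m0 below the product of the t smallest share moduli, each share is y reduced modulo its own modulus, and any t shares recombine y by CRT while t-1 shares leave the secret undetermined. Parameter generation (consecutive primes starting 256 times above m0) and the Miller-Rabin helper are choices made for this example.

```python
import secrets
from math import prod

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases (deterministic below
    3.3e24, probabilistic above).  Fine for generating example moduli; not a
    constant-time or production primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def asmuth_bloom_params(t, n, secret_bits):
    """m0 bounds the secret; m1 < ... < mn are pairwise coprime (here prime)
    and must satisfy  m0 * (product of the t-1 largest) < (product of the t
    smallest)  so that t shares pin down y while t-1 shares do not."""
    m0 = next_prime(1 << secret_bits)
    ms, m = [], m0 << 8  # start well above m0 so the inequality holds easily
    for _ in range(n):
        m = next_prime(m)
        ms.append(m)
    if not m0 * prod(ms[n - t + 1:]) < prod(ms[:t]):
        raise ValueError("Asmuth-Bloom threshold condition not met")
    return m0, ms


def split(secret, t, n, m0, ms):
    """Lift the secret to y = secret + alpha*m0 < M_t, then hand out the
    residue of y modulo each share modulus, tagged with its 1-based index."""
    if not 0 <= secret < m0:
        raise ValueError("secret out of range")
    m_t = prod(ms[:t])
    alpha = secrets.randbelow((m_t - 1 - secret) // m0 + 1)
    y = secret + alpha * m0
    return [(i + 1, y % mi) for i, mi in enumerate(ms[:n])]


def crt(residues, moduli):
    """Garner-style CRT combination for pairwise coprime moduli."""
    x, m_acc = 0, 1
    for r, m in zip(residues, moduli):
        k = ((r - x) * pow(m_acc, -1, m)) % m
        x += k * m_acc
        m_acc *= m
    return x % m_acc


def recover(shares, t, m0, ms):
    """Any t shares determine y uniquely because y < product of any t moduli."""
    if len(shares) < t:
        raise ValueError(f"need at least {t} shares, got {len(shares)}")
    idx, res = zip(*shares[:t])
    y = crt(res, [ms[i - 1] for i in idx])
    return y % m0


if __name__ == "__main__":
    m0, ms = asmuth_bloom_params(t=3, n=5, secret_bits=128)
    secret = secrets.randbelow(m0)
    shares = split(secret, 3, 5, m0, ms)
    print("m0 bits:", m0.bit_length(), "share moduli bits:", [m.bit_length() for m in ms])
    print("recovered from shares 1,3,5:", recover([shares[0], shares[2], shares[4]], 3, m0, ms) == secret)
```

The threshold inequality is the whole security argument of the scheme: it guarantees that the interval of candidate y values consistent with t-1 residues still contains every residue class modulo m0, so the secret stays uniformly distributed from the adversary's point of view. Nothing here is verifiable in the sense of the paper; a dealer could hand out a bad share undetected.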
A PUF Based Audio Fingerprint Based for Device Authentication and Tamper Location
Abstract
As bioinformation authentication gains prominence, the significance of audio data in industries such as speech recognition intensifies, with audio storage becoming a pivotal concern for data protection. Existing audio tampering solutions fail to identify the producing device. This paper introduces an innovative method employing physical unclonable function (PUF) and audio features for identifying recording equipment and detecting tampered areas in judicial authentication within the Industrial Internet-of-Things (IIoT). The method comprises two components: the recording device, which generates an audio fingerprint using audio features and a PUF-determined random number seed, and the server, which registers, analyzes, and verifies the fingerprint. The unique, tamper-resistant PUF response is generated only when a server-provided challenge is initiated. The proposed audio fingerprint, evaluated using the Carioca 1 database and NXP LPC54S018-EVK-provided PUF functionality, enables varying tamper area identification accuracy and achieves 100% original device identification, resisting replay, cloning, and brute force attacks.
Zhi Lu, Haochen Dou, Songfeng Lu, Xueming Tang, Junjun Wu, Samir Mohammed Umran
SHIELD: A Specialized Dataset for Hybrid Blind Forensics of World Leaders
Abstract
The speech videos of public figures, such as movie celebrities and world leaders, have an extensive influence on the Internet. However, the authenticity of these videos is often difficult to ascertain. These videos may have been carefully imitated by comedians or manipulated using Deepfake methods, which creates significant obstacles for the video forensics of specific characters. Moreover, the vast amount of data on social networking platforms renders manual screening impractical. To specifically address this issue, we present SHIELD, which stands for Specialized dataset for Hybrid blInd forEnsics of worLd leaDers. Unlike most previous public Deepfake datasets that only contain Deepfake samples, this dataset exquisitely includes a collection that can quickly test this issue, encompassing both impersonator and Deepfake videos. We provide a detailed dataset production process and conduct an elaborate experiment under the hybrid blind detection scenario. Our findings reveal the limitations of existing methods, demonstrate the potential of identity-based models, and illustrate the increased challenges posed by SHIELD.
Qingran Lin, Xiang Li, Beilin Chu, Renying Wang, Xianhao Chen, Yuzhe Mao, Zhen Yang, Linna Zhou, Weike You

Vulnerabilities

Frontmatter
Optir-SBERT: Cross-Architecture Binary Code Similarity Detection Based on Optimized LLVM IR
Abstract
Cross-architecture binary code similarity detection plays an important role in different security domains. In view of the low accuracy and poor scalability of existing cross-architecture detection technologies, we propose Optir-SBERT, which is the first technology to detect cross-architecture binary code similarity based on optimized LLVM IR. At the same time, we design a new data set BinaryIR, which is more diverse and provides a benchmark data set for subsequent research work based on LLVM IR. In terms of cross-architecture binary code similarity detection, the accuracy of Optir-SBERT reaches 94.38%, and the contribution of optimization is 3.99%. In terms of vulnerability detection, the average accuracy of Optir-SBERT reaches 93.9%, and the contribution of optimization is 7%. The results are better than existing state-of-the-art (SOTA) cross-architecture detection technologies. In order to improve the efficiency of vulnerability detection in realistic scenarios, we introduced a file-level vulnerability identification mechanism on the basis of Optir-SBERT. The new model Optir-SBERT-F saved 45.36% of the detection time on the premise of a slight decrease in detection F value, which greatly improves the efficiency of vulnerability detection.
Yintong Yan, Lu Yu, Taiyan Wang, Yuwei Li, Zulie Pan
SdShield: Effectively Ensuring Heap Security via Shadow Page Table
Abstract
Heap security has become a serious threat in recent years. To address the problem of heap vulnerabilities that are hard to detect and mitigate, this paper proposes a new heap protection scheme using shadow page tables. This scheme builds on the traditional idea of page permission and designs a novel shadow page table structure that stores the virtual address and random value of each object. This enables checking the boundaries and validity of heap objects, and effectively detects various types of heap-related attacks, such as heap overflow, use-after-free, invalid free, and double free. In addition, the scheme adopts a dynamic system call addition method, which is not dependent on specific runtime environments or kernel modifications, and has high scalability and portability. Experimental evaluation on various applications shows that our proposed scheme is effective in detecting many types of heap vulnerabilities, providing more comprehensive security with lower performance overhead than comparable solutions.
Linong Shi, Chuanping Hu, Yan Zhuang, Yan Lu
Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges
Abstract
Pivoting days in a campus network. Through NetFlow monitoring, we initially identified potential pivoting candidates, which are traces in the network traffic that match known patterns. Subsequently, we conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To enhance investigation and understanding, we introduced a novel graph representation called a pivoting graph, which provides comprehensive visualization capabilities. Unfortunately, investigating pivoting candidates is highly dependent on the specific context and necessitates a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, eliminating the need for prior knowledge of the local environment.
Martin Husák, Shanchieh Jay Yang, Joseph Khoury, Đorđe Klisura, Elias Bou-Harb
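The abstract describes finding pivoting candidates in NetFlow data by matching known patterns, then triaging them with a pivoting graph and per-candidate features. The code below is an added example, not the authors' tooling: it runs one such pattern over constructed flow records (a host that received a connection opens a new connection to a third host while the inbound session is still open), builds the per-host in/out view an analyst would look at first, and derives a few features of the kind that could feed PCA or clustering. The sample flows, the pattern, the `grace` parameter and the `known_edges` allowlist are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: float     # epoch seconds of the first packet
    end: float       # epoch seconds of the last packet
    src: str
    dst: str
    dport: int


# Constructed sample flows (not real traffic).  10.0.0.5 opens SSH to a jump
# host 10.0.1.20, which reaches two internal hosts while that session is
# open; 10.0.3.3 talks to web server 10.0.1.50, which then queries a database.
FLOWS = [
    Flow(0,   600, "10.0.0.5",  "10.0.1.20", 22),
    Flow(30,  400, "10.0.1.20", "10.0.2.7",  445),
    Flow(45,  50,  "10.0.1.20", "10.0.2.8",  3389),
    Flow(700, 710, "10.0.1.20", "10.0.2.9",  80),    # starts after the SSH session ended
    Flow(100, 200, "10.0.3.3",  "10.0.1.50", 443),
    Flow(120, 121, "10.0.1.50", "10.0.4.4",  5432),  # benign pivoting-like pattern
]


def find_pivot_candidates(flows, grace=0.0, known_edges=frozenset()):
    """Return (inbound, outbound) pairs where the host that received `inbound`
    opened `outbound` to a third host while `inbound` was still open (plus
    `grace` seconds).  `known_edges` holds (src, dst, dport) tuples the analyst
    has vetted as normal for this environment, e.g. a web tier reaching its DB."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    candidates = []
    for inbound in flows:
        for outbound in by_src.get(inbound.dst, ()):
            if outbound.dst in (inbound.src, inbound.dst):
                continue                     # a reply or a self-connection, not a hop
            if (outbound.src, outbound.dst, outbound.dport) in known_edges:
                continue                     # local context says this is expected
            if inbound.start <= outbound.start <= inbound.end + grace:
                candidates.append((inbound, outbound))
    return candidates


def pivoting_graph(candidates):
    """Per pivot host: who reached it and where it went next."""
    graph = defaultdict(lambda: {"in": set(), "out": set()})
    for inbound, outbound in candidates:
        graph[inbound.dst]["in"].add(inbound.src)
        graph[inbound.dst]["out"].add(outbound.dst)
    return dict(graph)


def candidate_features(candidates):
    """Per pivot host: (fan-in, fan-out, seconds from inbound start to the
    earliest outbound hop).  A jump host abused by one intruder tends to show
    low fan-in, high fan-out and a short delay."""
    feats = {}
    for inbound, outbound in candidates:
        f = feats.setdefault(inbound.dst, {"in": set(), "out": set(), "delay": float("inf")})
        f["in"].add(inbound.src)
        f["out"].add(outbound.dst)
        f["delay"] = min(f["delay"], outbound.start - inbound.start)
    return {h: (len(f["in"]), len(f["out"]), f["delay"]) for h, f in feats.items()}


if __name__ == "__main__":
    cands = find_pivot_candidates(FLOWS, known_edges={("10.0.1.50", "10.0.4.4", 5432)})
    for i, o in cands:
        print(f"{i.src} -> {i.dst}:{i.dport} then {o.src} -> {o.dst}:{o.dport} at +{o.start - i.start:.0f}s")
    print(pivoting_graph(cands))
    print(candidate_features(cands))
```

Run without `known_edges` the web-to-database hop is reported too, which is exactly the kind of benign pivoting-like pattern the abstract mentions; the allowlist is the local-environment knowledge the authors note is needed to dismiss it, and the feature tuple is what one would hand to PCA to try to do without that knowledge.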
XSS Vulnerability Test Enhancement for Progressive Web Applications
Abstract
Progressive Web Applications produce false negative results when scanned with security vulnerability scanners. In this paper the authors investigate the causes behind vulnerability scanners missing simple vulnerabilities when being used on Progressive Web Applications (PWAs).
Moreover, an analysis of the caveats of only having fully automated vulnerability scans and manual pentests, without a semi-automatic tool covering the gap between the two, will be performed. An explanation of how such a tool has been built will be delivered at the end of the paper.
Josep Pegueroles Valles, Sebastien Kanj Bongard, Arnau Estebanell Castellví
Detection of Targeted Attacks Using Medium-Interaction Honeypot for Unmanned Aerial Vehicle
Abstract
Over the last two decades, there has been significant growth in the drone industry with the emergence of Unmanned Aerial Vehicles (UAVs). Despite their affordability, the lack of security measures in commercial UAVs has led to numerous threats and vulnerabilities. In addition, software and hardware complexity in UAVs also triggers privacy and security issues as well as causing critical challenges for government, industry and academia. Meanwhile, malicious activities have increased, including stealing confidential data from UAVs and hijacking UAVs. These attacks are not only illegitimate but also appear to be increasing in frequency and sophistication. In addition, the current defence mechanisms for counterattacks are not sustainable for two reasons: they either demand strict firmware updates for all of the system’s devices, or they demand the deployment of a variety of advanced hardware and software. This paper proposes a Medium Interaction Honeypot-Based Intrusion Detection System (MIHIDS) to protect UAVs. Our system assists in detecting active intruders in a specific range (radio frequency) and provides details of attacking technologies to exploit UAVs. Our system is a passive, lightweight, signature-based MIHIDS that is simple to integrate into UAVs without requiring changes in network configuration or replacement of current hardware or software. The performance assessment demonstrates that in a typical network situation, our proposed framework can identify MitM, brute-force, and de-authentication attacks with a maximum detection time of 60 s. Under normal network scenarios, a minimum True Positive Rate (TPR) and performance efficiency is 93% to 95% during a short-distance detector.
Abdul Majid Jamil, Hassan Jalil Hadi, Sifan Li, Yue Cao, Naveed Ahmed, Faisal Bashir Hussain, Chakkaphong Suthaputchakun, Xinyuan Wang
Power Analysis Attack Based on BS-XGboost Scheme
Abstract
The power attack is a type of side-channel attack that involves measuring the power consumption of a device to extract secret information. By analyzing power consumption variations, an attacker can deduce the secret key used in the operation. In a class-imbalanced dataset, where the number of samples in one class is much smaller than the other, the power consumption patterns during cryptographic operations may be different for each class. The BorderLine-SMOTE data enhancement scheme was used to generate synthetic samples near the boundaries or at a greater distance from the existing samples, and through these modifications it helps to increase the diversity of the synthetic samples and reduce the risk of overfitting. XGBoost is then used as a classifier to classify the power curves. To evaluate the efficacy of the proposed method, it was applied to the DPA V4 dataset. The results indicated that the original data, when augmented using the Borderline-SMOTE + XGBoost approach, exhibited a substantial improvement in classification precision of up to 34%, outperforming DUAN’s method.
Yiran Li
Security Analysis of Google Authenticator, Microsoft Authenticator, and Authy
Abstract
As the use of authenticator applications for two-factor authentication (2FA) has become increasingly common, there is a growing need to assess the security of these applications. In this paper, we present a security analysis of authenticator applications that are widely used on various platforms, such as Google Authenticator, Microsoft Authenticator, and Authy. Our analysis includes an examination of the security features of these applications (e.g., level of protection) as well as the communication protocols used between the applications and the servers. Our results show that these applications have significant vulnerabilities that could compromise the security of the authentication process. Specifically, we found that some authenticator applications store sensitive data, such as secret keys, in plain text, making them vulnerable to attacks. Overall, our findings indicate that there is a need for better security practices in the design and implementation of authenticator applications. We recommend that developers follow best practices for secure coding and use well-established cryptographic algorithms to generate one-time codes.
Aleck Nash, Hudan Studiawan, George Grispos, Kim-Kwang Raymond Choo

Cybersecurity and Forensics

Frontmatter
APTBert: Abstract Generation and Event Extraction from APT Reports
Abstract
Due to the rapid development of information technology in this century, APT attacks (Advanced Persistent Threat) occur more frequently. The best way to combat APT is to quickly extract and integrate the roles of the attack events involved in the report from the APT reports that have been released, and to further perceive, analyze and prevent APT for the relevant security professionals. With the above issues in mind, an event extraction model for APT attack is proposed. This model, which is called APTBert, uses targeted text characterization results from the security field text generated by the APTBert pre-training model to feed into the multi-head self-attention mechanism neural network for training, improving the accuracy of sequence labelling. At the experiment stage, on the basis of 1300 open source APT attack reports from security vendors and forums, we first pre-trained an APTBert pre-training model. We ended up annotating 600 APT reports with event roles, which were used to train the extraction model and evaluate the effect of event extraction. Experiment results show that the proposed method has better performance in training time and F1 (77.4%) as compared to traditional extraction methods like BiLSTM.
Chenxin Zhou, Cheng Huang, Yanghao Wang, Zheng Zuo
Assessing the Effectiveness of Deception-Based Cyber Defense with CyberBattleSim
Abstract
Deception-Based Cyber Defense technology involves deploying various elements within a network to deliberately mislead and deceive potential attackers, enabling the early detection and warning of cyber-attacks in their nascent stages. However, there is a lack of systematic research on defensive effectiveness, applicability in different scenarios, and potential synergies with other defense mechanisms of various deception technologies. To address this research gap, this study incorporates negative rewards within the CyberBattleSim platform to simulate the consequences imposed on adversaries when encountering deception techniques. We then assess the efficacy of diverse cyber deception strategies through the cumulative reward trend of attackers. Furthermore, we simulated the combined deployment of different deception technologies and the deployment of deception technology in distinct network scenarios, to evaluate the synergistic impact of deception technologies when coupled with other defensive measures and explore the suitable application scenarios of deception technology. The outcomes of multiple experiments conducted on the CyberBattleSim platform demonstrate that deception technology can impact attackers by delaying or preventing penetration and the combination of distinct deception techniques can yield varying enhancements in defense effectiveness. Additionally, the combination of Shock Trap and honeypot technology can maximize the defense effect.
Quan Hong, Jiaqi Li, Xizhong Guo, Pan Xie, Lidong Zhai
DynVMDroid: Android App Protection via Code Disorder and Dynamic Recovery
Abstract
To protect Android applications from reverse engineering, more and more adversarial analysis techniques are proposed, such as packing, encryption, obfuscation, etc. As one of the most advanced techniques for obfuscation, code virtualization at the dex bytecode level has evolved from hiding meta information to protecting executable instructions. However, previous approaches are proved to have a certain degree of vulnerability at the directive opcode replacement. In this paper, we present DynVMDroid, a reinforcement system based on code virtualization to protect Android applications from reverse engineering. DynVMDroid consists of two components, a reinforcement engine and a custom runtime environment. The reinforcement engine disrupts the inherent structural order and extends the length of the original instructions from key methods, converting them into virtual code in Android applications. The custom runtime environment dynamically recovers the virtual instructions to ensure the protected application works properly. To verify its performance and compatibility, we have applied DynVMDroid to 10 applications. In addition, various attack methods have been adopted on the protected applications to validate their security. Our experimental results show that the applications protected by DynVMDroid perform correctly and effectively against common reverse analysis techniques with acceptable performance losses.
Weimiao Feng, Rui Hu, Cong Zhou, Lei Yu
Improvement of an Identity-Based Aggregate Signature Protocol from Lattice
Abstract
In 2022, Li et al. [1] proposed a quantum secure and non-interactive identity-based aggregate signature protocol from lattices. At the end of their paper, they claimed that their scheme has a key escrow problem. Based on this fact, we improve their scheme and propose a lattice-based certificateless aggregate signature protocol (L-CASP). Furthermore, our scheme has the same signature size as Li et al.’s scheme and can avoid the key escrow problem. Finally, we prove that our scheme is existentially unforgeable against adaptive chosen message attacks (EUF-CMA) under a type I adversary and a type II adversary in the random oracle model (ROM).
Songshou Dong, Yanqing Yao, Yihua Zhou, Yuguang Yang
A Measurement Study on Interprocess Code Propagation of Malicious Software
Abstract
The propagation of code from one process to another is an important aspect of many malware families and can be achieved, for example, through code injections or the launch of new instances. An in-depth understanding of how and when malware uses interprocess code propagations would be a valuable aid in the analysis of this threat, since many dynamic malware analysis and unpacking schemes rely on finding running instances of malicious code. However, despite the prevalence of such propagations, there is little research on this topic. Therefore, in this work, we aim to extend the state-of-the-art by measuring both the behavior and the prevalence of interprocess code propagations of malicious software. We developed a method based on API-tracing for measuring code propagations in dynamic malware analysis. Subsequently, we implemented this method into a proof-of-concept implementation as a basis for further research. To gain more knowledge on the prevalence of code propagations and the code propagation techniques used, we conducted a study using our implementation on a real-world data set of 4853 malware samples from 1747 families. Our results show that more than a third (38.13%) of the executables use code propagation, which can be further classified into four different topologies and 24 different code propagation techniques. We also provide a list of the most significant representative malware samples for each of these topologies and techniques as a starting point for researchers aiming to develop countermeasures against code propagation.
Thorsten Jenke, Simon Liessem, Elmar Padilla, Lilli Bruckschen
An Android Malware Detection Method Based on Optimized Feature Extraction Using Graph Convolutional Network
Abstract
With the development of the mobile Internet, mobile devices have been extensively promoted and popularized. Android, as the current popular mobile intelligent operating system, has encountered problems such as the explosive growth of Android malware while bringing convenience to users. The traditional Android malware detection methods have some problems, such as low detection accuracy and difficulty in detecting unknown malware. This paper proposes an Android malware detection method named Android malware detection method based on graph convolutional neural network (AGCN) based on the graph convolutional network (GCN) to solve the above problems. Firstly, we divide the Android software datasets according to family and software features and construct a directed network topology graph. At the same time, the permission features of APK files are extracted and vectorized. Then, we use GCN to learn the features of Android APK files… Finally, we compare AGCN with a multilayer perceptron (MLP), long and short-term memory (LSTM) neural network, bi-directional long and short-term memory (bi-LSTM) neural network, and deep confidence neural network (DCNN) for experiments. Experimental results show that the model has an accuracy of 98.55% for malware detection, demonstrating the detection method’s effectiveness.
Zhiqiang Wang, Zhuoyue Wang, Ying Zhang
ForensiQ: A Knowledge Graph Question Answering System for IoT Forensics
Abstract
The increasing number of attacks against the Internet of Things (IoT) has made IoT forensics critically important for reporting and mitigating cyber incidents and crimes. However, the heterogeneity of IoT environments and the complexity and volume of IoT data present significant challenges to forensic practitioners. The advent of question answering (QA) systems and large language models (LLM) offers a potential solution to accessing sophisticated IoT forensic knowledge and data. In light of this, we propose ForensiQ, a framework based on knowledge graph question answering (KGQA), to help investigators navigate complex IoT forensic artifacts and cybersecurity knowledge. Our framework integrates knowledge graphs (KG) into the IoT forensic workflow to better organize and analyze forensic artifacts. We also have developed a novel KGQA model that serves as a natural-language user interface to the IoT forensic KG. Our evaluation results show that, compared to existing KGQA models, ForensiQ demonstrates higher accuracy in answering natural language questions when applied to our experimental IoT forensic KG.
Ruipeng Zhang, Mengjun Xie
I’ve Got You, Under My Skin: Biohacking Augmentation Implant Forensics
Abstract
Recently, people have become interested in embedding technology in their bodies to augment themselves with new abilities. For example, a person may embed a chip in their hand to wirelessly lock and unlock a door. Subdermal augmentation implants, the implant technology that can add these new abilities to a user, are increasing in popularity. With this new technology comes a variety of new forensics and security challenges. In our work, we conceive a modified forensics approach for augmentation implants, which includes device discovery and its associated forensic acquisition and memory analysis. First, we explore three device discovery methods: implant chip reading, X-Ray detection and the use of metal detectors. We then share a case study by implementing an augmentation implant authentication system, acquiring and analyzing its memory. Our results show that when an implant is installed in raw chicken meat, X-Ray scanners are capable of not only unveiling it, but revealing the exact type of implant to a trained analyst. In the case of metal detectors, only one of the implants was detected, and our results indicate deeply installed implants (1.5 cm or more below the skin) are undetectable. In the case of using RFID and NFC scanners to read compatible chips, we found we could detect the implants up to 1.6 cm and 1.0 cm respectively. We also examined the potential legal and ethical issues surrounding augmentation implant forensics, highlighting cases in which surgical removal could potentially be legally mandated.
Steven Seiden, Ibrahim Baggili, Aisha Ali-Gombe
Quantum Computing Challenges and Impact on Cyber Security
Abstract
Quantum computers pose a significant danger to cyber security. If major fault-tolerant quantum computers are built, the most extensively used cryptography techniques would fail. The present level of analysis, in terms of quantum technologies and applications, is still in its infancy. The researchers have a hazy view of how to prepare for future quantum computing breakthroughs, particularly in cyber security. The powerful quantum computers capable of breaching current cryptography protections are yet a decade or more away. History has demonstrated that transitioning to quantum-resistant techniques for classical cryptography will most likely take a quantifiable amount of time. In this paper, a comparative analysis of modern cryptographic algorithms concerning quantum computing is performed and its impact on cyber security has been reviewed.
Hassan Jalil Hadi, Yue Cao, Mohammed Ali Alshara, Naveed Ahmad, Muhammad Saqib Riaz, Jun Li
Backmatter
Metadata
Title
Digital Forensics and Cyber Crime
Edited by
Sanjay Goel
Paulo Roberto Nunes de Souza
Copyright year
2024
Electronic ISBN
978-3-031-56583-0
Print ISBN
978-3-031-56582-3
DOI
https://doi.org/10.1007/978-3-031-56583-0
