
DIGITAL FORENSICS

When the security of a system has been breached or is called into question, Digital Forensics is the discipline that helps to determine what happened. Digital Forensics as a science arose because of the evolution of technology, and it must keep evolving in order to cover the analysis of new use cases for the prosecution of cybercriminals. For instance, the Internet of Things (IoT) paradigm brings to the cybercrime scene countless heterogeneous devices for which there are no well-defined digital forensics techniques to acquire and analyse digital evidence. Some solutions have emerged during the past few years, but they are still very specific and hard to generalise into a common framework for the digital forensics community.

Some digital forensics processes require stopping or interrupting the services of the platforms to be analysed. However, the new scenarios include many systems that cannot be interrupted, or whose digital evidence cannot be acquired easily because the interfaces or protocols they use are proprietary or undocumented. In addition, with the growing number of devices and the massive use of social networks and applications, the volume of data to be analysed during a digital investigation can grow considerably. New solutions to correlate data and to demonstrate the provenance of digital evidence are therefore critical. In this regard, one of the current challenges to be investigated is data normalisation for digital evidence management, a problem that also affects current SIEMs. Although novel digital forensics solutions exist, they fall short of their potential; new solutions must be designed to take advantage of Open Source Intelligence (OSINT) and Threat Intelligence services.

IoT-Forensics

IoT Forensics is the term coined to describe a new branch of computer forensics dedicated to the particular features and requirements of digital investigations in Internet of Things (IoT) scenarios.

The IoTest (EXPLORA) project focuses on this topic. In particular, there are three research directions within this topic at NICS Lab. First, the definition of “Digital Witness” has been formalised in different proposals [1]. This definition includes a discussion of the feasibility of the approach, considering the embedded anti-tampering solutions with cryptographic capabilities available in many devices (e.g. TPM, secure element) together with the requirements for digital evidence collection laid down by several standards. Second, an important part of this solution is to encourage citizens to collaborate by contributing their personal devices. Given the nature of the digital witness approach, several privacy issues must be considered. To address them, privacy has been analysed in depth [2], including a solution that enables an anonymous witnessing approach. This analysis also showed that there is a lack of solutions addressing the trade-off between privacy and digital forensics, particularly in IoT-Forensics. To fill this gap, the PRoFIT framework is defined in [3]. This model is then used to adapt the digital witness so that privacy and digital forensics requirements are balanced according to the context of a digital investigation [4]. In [5], we analyse diverse privacy-aware digital forensics solutions and challenges.
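As an added illustration of the idea behind the digital witness (example code written for this page, not the project's own implementation nor the SELVIA prototype): each custody step is signed by the device that performs it and linked to the hash of the previous record, so that altering the evidence, editing a signed record or dropping a record is detected at verification time. The SecureElementStub class, the use of HMAC-SHA256 in place of a device attestation key, the device names and the sample evidence bytes are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import os


class SecureElementStub:
    """Assumed stand-in for a TPM/secure element: the device key never leaves
    this object, callers can only ask it to sign or verify. HMAC-SHA256 is used
    because it is in the standard library; a real device would use an
    asymmetric attestation key so that verifiers need no shared secret."""

    def __init__(self, device_id, key=None):
        self.device_id = device_id
        self._key = key if key is not None else os.urandom(32)

    def sign(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def verify(self, data: bytes, tag: str) -> bool:
        return hmac.compare_digest(self.sign(data), tag)


def canonical(record: dict) -> bytes:
    """Deterministic JSON so every party signs and hashes the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def acquire(se: SecureElementStub, evidence: bytes, label: str) -> list:
    """Start a chain: the acquiring device commits to the evidence hash and signs."""
    body = {"seq": 0, "device": se.device_id, "action": "acquire", "label": label,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest(), "prev": None}
    body["sig"] = se.sign(canonical(body))
    return [body]


def hand_over(se: SecureElementStub, chain: list, action: str) -> dict:
    """Append a custody step linked to the hash of the previous signed record."""
    body = {"seq": len(chain), "device": se.device_id, "action": action,
            "prev": record_hash(chain[-1])}
    body["sig"] = se.sign(canonical(body))
    chain.append(body)
    return body


def verify_chain(chain: list, evidence: bytes, devices: dict) -> tuple:
    """Return (ok, reason): checks evidence hash, sequence, back-links and signatures."""
    if not chain or chain[0].get("action") != "acquire":
        return False, "missing acquisition record"
    if chain[0].get("evidence_sha256") != hashlib.sha256(evidence).hexdigest():
        return False, "evidence hash mismatch"
    for i, rec in enumerate(chain):
        if rec.get("seq") != i:
            return False, f"sequence gap at record {i}"
        expected_prev = None if i == 0 else record_hash(chain[i - 1])
        if rec.get("prev") != expected_prev:
            return False, f"broken link at record {i}"
        se = devices.get(rec.get("device"))
        if se is None:
            return False, f"unknown device at record {i}"
        unsigned = {k: v for k, v in rec.items() if k != "sig"}
        if not se.verify(canonical(unsigned), rec.get("sig", "")):
            return False, f"bad signature at record {i}"
    return True, "ok"


def demo() -> dict:
    """Build a two-device chain, then try three tampering moves against it."""
    phone = SecureElementStub("phone-A")          # assumed citizen device
    lab = SecureElementStub("lab-workstation")    # assumed forensic lab host
    devices = {d.device_id: d for d in (phone, lab)}
    evidence = b"constructed sample: GPS fix 2018-03-01T10:00Z 36.71,-4.42"
    chain = acquire(phone, evidence, "location log")
    hand_over(phone, chain, "transfer-to-lab")
    hand_over(lab, chain, "receive")
    results = {"intact": verify_chain(chain, evidence, devices)}
    # 1. the evidence itself is altered after acquisition
    results["altered_evidence"] = verify_chain(chain, evidence + b"x", devices)
    # 2. a custody record is edited after it was signed
    edited = [dict(r) for r in chain]
    edited[1]["action"] = "deleted"
    results["edited_record"] = verify_chain(edited, evidence, devices)
    # 3. a custody record is removed from the middle of the chain
    results["dropped_record"] = verify_chain([chain[0], chain[2]], evidence, devices)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>17}: {outcome}")
```

The verifier needs the set of trusted devices (here the stubs themselves, since HMAC is symmetric); with an asymmetric attestation key it would hold only the devices' public keys, which is what makes a secure element or TPM attractive for this role.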

Part of the effort in this topic is devoted to testing the approach in realistic scenarios. To this end, its viability is being studied for different problems of proactive 5G security in the digital forensics field [6], [7]. Also, as a proof of concept, a digital witness prototype has been developed for Android. The solution is named SELVIA and its source code is available on GitHub.

Technical Resources: Digital Forensics

NICS Lab has a laboratory isolated from the rest of the University of Malaga, used for developing prototypes and running security tests for those projects and research works with other teams that are subject to confidentiality requirements. NICS Lab has diverse malware analysis and forensic tools and computing resources for these tasks: reverse engineering, virtualised execution of malware, digital evidence recovery and analysis, and memory, hard disk and network traffic forensics. For this purpose, NICS Lab has high-quality software tools such as IDA Pro, EnCase Forensic Deluxe and AccessData Forensic Toolkit. We also have a wide set of development kits for analysing wireless communications, operating in different frequency bands and covering protocols such as ZigBee, Bluetooth Low Energy, 6LoWPAN, RFID and NFC, as well as SDR transceivers, and tools for analysing serial communications, Modbus, RS-232, USB and Ethernet.

All these tools and resources are also used to build new use cases for training professionals in various specialisation courses.

References

  1. Ana Nieto, Rodrigo Roman and Javier Lopez (2016): Digital Witness: Safeguarding Digital Evidence by using Secure Architectures in Personal Devices. In: IEEE Network, pp. 12-19, 2016, ISSN: 0890-8044.
  2. Ana Nieto, Ruben Rios and Javier Lopez (2017): Digital Witness and Privacy in IoT: Anonymous Witnessing Approach. In: 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2017), pp. 642-649, IEEE, Sydney (Australia), 2017, ISSN: 2324-9013.
  3. Ana Nieto, Ruben Rios and Javier Lopez (2017): A Methodology for Privacy-Aware IoT-Forensics. In: 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2017), pp. 626-633, IEEE, Sydney (Australia), 2017, ISSN: 2324-9013.
  4. Ana Nieto, Ruben Rios and Javier Lopez (2018): IoT-Forensics meets Privacy: Towards Cooperative Digital Investigations. In: Sensors, vol. 18, no. 492, 2018, ISSN: 1424-8220.
  5. Ana Nieto, Ruben Rios and Javier Lopez (2019): Privacy-Aware Digital Forensics. In: Security and Privacy for Big Data, Cloud Computing and Applications, The Institution of Engineering and Technology (IET), United Kingdom, 2019, ISBN: 978-1-78561-747-8.
  6. Ana Nieto, Antonio Acien and Gerardo Fernandez (2018): Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation. In: Mobile Networks and Applications (MONET), pp. 881-889, 2018, ISSN: 1383-469X.
  7. Ana Nieto, Antonio Acien and Javier Lopez (2018): Capture the RAT: Proximity-based Attacks in 5G using the Routine Activity Theory. In: 16th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC 2018), pp. 520-527, IEEE, Athens (Greece), 2018, ISBN: 978-1-5386-7518-2.