Axelsson, Stefan
Publications (8 of 8)
Karresand, M., Warnqvist, Å., Lindahl, D., Axelsson, S. & Dyrkolbotn, G. O. (2019). Creating a Map of User Data in NTFS to Improve File Carving. In: Gilbert Peterson & Sujeet Shenoi (Ed.), Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers. Paper presented at 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019 (pp. 133-158). Cham: Springer
Creating a Map of User Data in NTFS to Improve File Carving
2019 (English) In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers / [ed] Gilbert Peterson & Sujeet Shenoi, Cham: Springer, 2019, p. 133-158. Conference paper, Published paper (Refereed)
Abstract [en]

Digital forensics, and especially file carving, are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions varies between 12% and 41% in an NTFS partition. The probability map can be used by forensic analysts to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster. © IFIP International Federation for Information Processing 2019

Place, publisher, year, edition, pages
Cham: Springer, 2019
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 569
Keywords
File carving, hash-based carving, partition content map, NTFS
National Category
Other Computer and Information Science
Identifiers
urn:nbn:se:hh:diva-41111 (URN); 10.1007/978-3-030-28752-8_8 (DOI); 2-s2.0-85071431317 (Scopus ID); 978-3-030-28752-8 (ISBN); 978-3-030-28751-1 (ISBN)
Conference
15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019
Available from: 2019-12-04. Created: 2019-12-04. Last updated: 2020-01-10. Bibliographically approved
Gray, S. & Axelsson, S. (2019). Digital Forensic Atomic Force Microscopy of Semiconductor Memory Arrays. In: Gilbert Peterson & Sujeet Shenoi (Ed.), Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers. Paper presented at 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019 (pp. 219-237). Cham: Springer
Digital Forensic Atomic Force Microscopy of Semiconductor Memory Arrays
2019 (English) In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers, Cham: Springer, 2019, p. 219-237. Conference paper, Published paper (Refereed)
Abstract [en]

Atomic force microscopy is an analytical technique that provides very high spatial resolution with independent measurements of surface topography and electrical properties. This chapter assesses the potential for atomic force microscopy to read data stored as local charges in the cells of memory chips, with an emphasis on simple sample preparation (“delidding”) and imaging of the topsides of chip structures, thereby avoiding complex and destructive techniques such as backside etching and polishing. Atomic force microscopy measurements of a vintage EPROM chip demonstrate that imaging is possible even when sample cleanliness, stability and topographical roughness are decidedly sub-optimal. As feature sizes slip below the resolution limits of optical microscopy, atomic force microscopy offers a promising route for functional characterization of semiconductor memory structures in RAM chips, microprocessors and cryptographic hardware. © IFIP International Federation for Information Processing 2019. Published by Springer Nature Switzerland AG 2019

Place, publisher, year, edition, pages
Cham: Springer, 2019
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 569
Keywords
Atomic force microscopy, memory chip delidding, surface imaging
National Category
Other Computer and Information Science
Identifiers
urn:nbn:se:hh:diva-41118 (URN); 10.1007/978-3-030-28752-8_12 (DOI); 2-s2.0-85071508585 (Scopus ID); 978-3-030-28752-8 (ISBN); 978-3-030-28751-1 (ISBN)
Conference
15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019
Available from: 2019-12-04. Created: 2019-12-04. Last updated: 2020-01-10. Bibliographically approved
Alendal, G., Axelsson, S. & Dyrkolbotn, G. O. (2019). Exploiting Vendor-Defined Messages in the USB Power Delivery Protocol. In: Gilbert Peterson & Sujeet Shenoi (Ed.), Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers. Paper presented at 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019 (pp. 101-118). Cham: Springer
Exploiting Vendor-Defined Messages in the USB Power Delivery Protocol
2019 (English) In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers / [ed] Gilbert Peterson & Sujeet Shenoi, Cham: Springer, 2019, p. 101-118. Conference paper, Published paper (Refereed)
Abstract [en]

The USB Power Delivery protocol enables USB-connected devices to negotiate power delivery and exchange data over a single connection such as a USB Type-C cable. The protocol incorporates standard commands; however, it also enables vendors to add non-standard commands called vendor-defined messages. These messages are similar to the vendor-specific commands in the SCSI protocol, which enable vendors to specify undocumented commands to implement functionality that meets their needs. Such commands can be employed to enable firmware updates, memory dumps and even backdoors.

This chapter analyzes vendor-defined message support in devices that employ the USB Power Delivery protocol, the ultimate goal being to identify messages that could be leveraged in digital forensic investigations to acquire data stored in the devices.

© IFIP International Federation for Information Processing 2019

Place, publisher, year, edition, pages
Cham: Springer, 2019
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 569
Keywords
digital forensics
National Category
Other Computer and Information Science
Identifiers
urn:nbn:se:hh:diva-41120 (URN); 10.1007/978-3-030-28752-8_6 (DOI); 2-s2.0-85071507105 (Scopus ID); 978-3-030-28751-1 (ISBN); 978-3-030-28752-8 (ISBN)
Conference
15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019
Available from: 2019-12-04. Created: 2019-12-04. Last updated: 2020-01-10. Bibliographically approved
Nordvik, R., Georges, H., Toolan, F. & Axelsson, S. (2019). Reverse engineering of ReFS. Digital Investigation. The International Journal of Digital Forensics and Incident Response, 30, 127-147
Reverse engineering of ReFS
2019 (English) In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 30, p. 127-147. Article in journal (Refereed) Published
Abstract [en]

File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, so digital forensic investigators need to investigate the file systems identified on seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content. Another concept not seen for Windows file systems is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB. Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found. © 2019 The Authors

Place, publisher, year, edition, pages
Kidlington: Elsevier, 2019
Keywords
digital forensics, ReFS, File system
National Category
Other Computer and Information Science
Identifiers
urn:nbn:se:hh:diva-41107 (URN); 10.1016/j.diin.2019.07.004 (DOI); 000488201900013 (); 2-s2.0-85071032823 (Scopus ID)
Available from: 2019-12-04. Created: 2019-12-04. Last updated: 2019-12-06. Bibliographically approved
Karresand, M., Axelsson, S. & Dyrkolbotn, G. O. (2019). Using NTFS Cluster Allocation Behavior to Find the Location of User Data. Paper presented at 19th DFRWS conference, Portland, OR, USA, July 14-17, 2019. Digital Investigation. The International Journal of Digital Forensics and Incident Response, 29(Supplement), S51-S60
Using NTFS Cluster Allocation Behavior to Find the Location of User Data
2019 (English) In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 29, no Supplement, p. S51-S60. Article in journal (Refereed) Published
Abstract [en]

Digital forensics is heavily affected by the large and increasing amount of data to be processed. To solve the problem there is ongoing research to find more efficient carving algorithms, use parallel processing in the cloud, and reduce the amount of data by filtering uninteresting files. Our approach builds on the principle of searching where it is more probable to find what you are looking for. We have therefore empirically studied the behavior of the cluster allocation algorithm(s) in the New Technology File System (NTFS) to see where new data is actually placed on disk. The experiment consisted of randomly writing, increasing, reducing and deleting files in 32 newly installed Windows 7, 8, 8.1 and 10 virtual computers using VirtualBox. The results show that data are (as expected) more frequently allocated closer to the middle of the disk. Hence that area should be getting higher attention during a digital forensic investigation of an NTFS formatted hard disk. Knowledge of the probable position of user data can be used by a forensic investigator to prioritize relevant areas in storage media, without the need for a working file system. It can also be used to increase the efficiency of hash-based carving by dynamically changing the sampling frequency. Our findings also contribute to the digital forensics processes in general, which can now be focused on the interesting regions on storage devices, increasing the probability of getting relevant results faster. © 2019 Martin Karresand, Stefan Axelsson, Geir Olav Dyrkolbotn

Place, publisher, year, edition, pages
Oxon: Elsevier, 2019
Keywords
Digital forensics, File carving, Partition content map, Allocation algorithm, NTFS
National Category
Other Computer and Information Science
Identifiers
urn:nbn:se:hh:diva-41110 (URN); 10.1016/j.diin.2019.04.018 (DOI); 000475407000007 (); 2-s2.0-85069550388 (Scopus ID)
Conference
19th DFRWS conference, Portland, OR, USA, July 14-17, 2019
Note

Funding sponsor: Research Council of Norway programme IKTPLUSS, under the research and development project Ars Forensica Funding number: 248094/O70

Available from: 2019-12-04. Created: 2019-12-04. Last updated: 2019-12-04. Bibliographically approved
Nordvik, R., Toolan, F. & Axelsson, S. (2019). Using the Object ID index as an investigative approach for NTFS file systems. Digital Investigation. The International Journal of Digital Forensics and Incident Response, 28(Supplement), S30-S39
Using the Object ID index as an investigative approach for NTFS file systems
2019 (English) In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 28, no Supplement, p. S30-S39. Article in journal (Refereed) Published
Abstract [en]

When investigating an incident it is important to document user activity, and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems using the NTFS file system by using the $ObjId Index to document user activity, and to correlate this index with the corresponding records in the MFT table. This may be the only possible approach when investigating external NTFS storage devices, and is hence a valuable addition to the storage forensics toolbox. © 2019 Rune Nordvik, Fergus Toolan, Stefan Axelsson

Place, publisher, year, edition, pages
Kidlington: Elsevier, 2019
Keywords
User activity, NTFS, Object ID
National Category
Computer Sciences
Identifiers
urn:nbn:se:hh:diva-39450 (URN); 10.1016/j.diin.2019.01.013 (DOI); 000465506500005 (); 2-s2.0-85064883237 (Scopus ID)
Available from: 2019-05-22. Created: 2019-05-22. Last updated: 2019-06-07. Bibliographically approved
Lopez-Rojas, E., Axelsson, S. & Baca, D. (2018). Analysis of fraud controls using the PaySim financial simulator. International Journal of Simulation and Process Modelling, 13(4), 377-386
Analysis of fraud controls using the PaySim financial simulator
2018 (English) In: International Journal of Simulation and Process Modelling, ISSN 1740-2123, E-ISSN 1740-2131, Vol. 13, no 4, p. 377-386. Article in journal (Refereed) Published
Abstract [en]

Fraud controls for financial transactions are needed and required by law enforcement agencies to flag suspicious criminal activity. These controls, however, require deeper analysis of the effectiveness and the negative impact for the legal customers. Owing to the intrinsically private nature of financial transactions, this analysis is often performed after several months of actively using fraud controls. In this paper, we present an analysis of different fraud prevention controls on a mobile money service based on thresholds using a simulator called PaySim. PaySim uses aggregated data from a sample dataset to generate a synthetic dataset that resembles the normal operation of transactions and injects malicious behaviour. With technology frameworks such as agent-based simulation techniques, and the application of mathematical statistics, we show in this paper that the simulated data can be as prudent as the original dataset for setting optimal controls for fraud detection.

Place, publisher, year, edition, pages
Olney: InderScience Publishers, 2018
Keywords
Multi-agent-based simulation, MABS, financial fraud, mobile money, fraud detection, synthetic data
National Category
Computer Sciences
Identifiers
urn:nbn:se:hh:diva-36643 (URN); 10.1504/IJSPM.2018.10014984 (DOI)
Available from: 2018-04-19. Created: 2018-04-19. Last updated: 2018-08-20. Bibliographically approved
Alendal, G., Dyrkolbotn, G. O. & Axelsson, S. (2018). Forensics acquisition – Analysis and circumvention of Samsung secure boot enforced Common Criteria mode. Digital Investigation. The International Journal of Digital Forensics and Incident Response, 24(Suppl.), S60-S67
Forensics acquisition – Analysis and circumvention of Samsung secure boot enforced Common Criteria mode
2018 (English) In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 24, no Suppl., p. S60-S67. Article in journal (Refereed) Published
Abstract [en]

The acquisition of data from mobile phones has been a mainstay of criminal digital forensics for a number of years now. However, this forensic acquisition is getting more and more difficult with the increasing security level and complexity of mobile phones (and other embedded devices). In addition, it is often difficult or impossible to get access to design specifications, documentation and source code. As a result, the forensic acquisition methods are also increasing in complexity, requiring an ever deeper understanding of the underlying technology and its security mechanisms. Forensic acquisition techniques are turning to more offensive solutions to bypass security mechanisms, through security vulnerabilities. Common Criteria mode is a security feature that increases the security level of Samsung devices, and thus makes forensic acquisition more difficult for law enforcement. With no access to design documents or source code, we have reverse engineered how the Common Criteria mode is actually implemented and protected by Samsung's secure bootloader. We present how this security mode is enforced, security vulnerabilities therein, and how the discovered security vulnerabilities can be used to circumvent Common Criteria mode for further forensic acquisition. © 2018 The Author(s). Published by Elsevier Ltd on behalf of DFRWS.

Place, publisher, year, edition, pages
Kidlington: Elsevier, 2018
Keywords
Common criteria, CC mode, Mobile security, Mobile device management, Forensic acquisition, Smart phone, Samsung secure boot
National Category
Computer Sciences; Embedded Systems; Computer Systems; Telecommunications
Identifiers
urn:nbn:se:hh:diva-36642 (URN); 10.1016/j.diin.2018.01.008 (DOI); 000428307900008 ()
Projects
Ars Forensica
Note

Funding: Research Council of Norway programme IKTPLUSS, under the R&D project Ars Forensica grant agreement 248094/O70.

Available from: 2018-04-19. Created: 2018-04-19. Last updated: 2018-04-20. Bibliographically approved