hh.se Publications
1 - 9 of 9
  • 1.
    Alendal, Gunnar
    et al.
    Norwegian University of Science and Technology, Gjovik, Norway.
    Axelsson, Stefan
    Norwegian University of Science and Technology, Gjovik, Norway.
    Dyrkolbotn, Geir Olav
    Norwegian University of Science and Technology, Gjovik, Norway.
    Exploiting Vendor-Defined Messages in the USB Power Delivery Protocol. 2019. In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers / [ed] Gilbert Peterson & Sujeet Shenoi, Cham: Springer, 2019, p. 101-118. Conference paper (Refereed)
    Abstract [en]

    The USB Power Delivery protocol enables USB-connected devices to negotiate power delivery and exchange data over a single connection such as a USB Type-C cable. The protocol incorporates standard commands; however, it also enables vendors to add non-standard commands called vendor-defined messages. These messages are similar to the vendor-specific commands in the SCSI protocol, which enable vendors to specify undocumented commands to implement functionality that meets their needs. Such commands can be employed to enable firmware updates, memory dumps and even backdoors.

    This chapter analyzes vendor-defined message support in devices that employ the USB Power Delivery protocol, the ultimate goal being to identify messages that could be leveraged in digital forensic investigations to acquire data stored in the devices.

    © IFIP International Federation for Information Processing 2019

  • 2.
    Alendal, Gunnar
    et al.
    NTNU, Gjøvik, Norway.
    Dyrkolbotn, Geir Olav
    NTNU, Gjøvik, Norway & Norwegian Defence Cyber Academy (NDCA), Jørstadmoen, Norway.
    Axelsson, Stefan
    Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS).
    Forensics acquisition – Analysis and circumvention of Samsung secure boot enforced common criteria mode. 2018. In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 24, no Suppl., p. S60-S67. Article in journal (Refereed)
    Abstract [en]

    The acquisition of data from mobile phones has been a mainstay of criminal digital forensics for a number of years now. However, this forensic acquisition is getting more and more difficult with the increasing security level and complexity of mobile phones (and other embedded devices). In addition, it is often difficult or impossible to get access to design specifications, documentation and source code. As a result, the forensic acquisition methods are also increasing in complexity, requiring an ever deeper understanding of the underlying technology and its security mechanisms. Forensic acquisition techniques are turning to more offensive solutions to bypass security mechanisms, through security vulnerabilities. Common Criteria mode is a security feature that increases the security level of Samsung devices, and thus makes forensic acquisition more difficult for law enforcement. With no access to design documents or source code, we have reverse engineered how the Common Criteria mode is actually implemented and protected by Samsung's secure bootloader. We present how this security mode is enforced, security vulnerabilities therein, and how the discovered security vulnerabilities can be used to circumvent Common Criteria mode for further forensic acquisition. © 2018 The Author(s). Published by Elsevier Ltd on behalf of DFRWS.

  • 3.
    Gray, Struan
    et al.
    Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS), Centre for Research on Embedded Systems (CERES).
    Axelsson, Stefan
    Norwegian University of Science and Technology, Gjovik, Norway.
    Digital Forensic Atomic Force Microscopy of Semiconductor Memory Arrays. 2019. In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers, Cham: Springer, 2019, p. 219-237. Conference paper (Refereed)
    Abstract [en]

    Atomic force microscopy is an analytical technique that provides very high spatial resolution with independent measurements of surface topography and electrical properties. This chapter assesses the potential for atomic force microscopy to read data stored as local charges in the cells of memory chips, with an emphasis on simple sample preparation (“delidding”) and imaging of the topsides of chip structures, thereby avoiding complex and destructive techniques such as backside etching and polishing. Atomic force microscopy measurements of a vintage EPROM chip demonstrate that imaging is possible even when sample cleanliness, stability and topographical roughness are decidedly sub-optimal. As feature sizes slip below the resolution limits of optical microscopy, atomic force microscopy offers a promising route for functional characterization of semiconductor memory structures in RAM chips, microprocessors and cryptographic hardware. © IFIP International Federation for Information Processing 2019. Published by Springer Nature Switzerland AG 2019

  • 4.
    Karresand, M.
    et al.
    Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjovik, Norway.
    Axelsson, Stefan
    Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS).
    Dyrkolbotn, G. O.
    Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjovik, Norway.
    Disk Cluster Allocation Behavior in Windows and NTFS. 2019. In: Mobile Networks and Applications, ISSN 1383-469X, E-ISSN 1572-8153. Article in journal (Refereed)
    Abstract [en]

    The allocation algorithm of a file system has a huge impact on almost all aspects of digital forensics, because it determines where data is placed on storage media. Yet there is only basic information available on the allocation algorithm of the currently most widely spread file system; NTFS. We have therefore studied the NTFS allocation algorithm and its behavior empirically. To do that we used two virtual machines running Windows 7 and 10 on NTFS formatted fixed size virtual hard disks, the first being 64 GiB and the latter 1 TiB in size. Files of different sizes were written to disk using two writing strategies and the $Bitmap files were manipulated to emulate file system fragmentation. Our results show that files written as one large block are allocated areas of decreasing size when the files are fragmented. The decrease in size is seen not only within files, but also between them. Hence a file having smaller fragments than another file is written after the file having larger fragments. We also found that a file written as a stream gets the opposite allocation behavior, i.e. its fragments are increasing in size as the file is written. The first allocated unit of a stream written file is always very small and hence easy to identify. The results of the experiment are of importance to the digital forensics field and will help improve the efficiency of, for example, file carving and timestamp verification. © 2019, The Author(s).

  • 5.
    Karresand, Martin
    et al.
    Norwegian University of Science and Technology (NTNU), Gjorvik, Norway & Intelligence, Surveillance and Reconnaissance (C4ISR), Swedish Defence Research Agency (FOI), Sweden.
    Axelsson, Stefan
    Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS). Norwegian University of Science and Technology (NTNU), Gjorvik, Norway.
    Dyrkolbotn, Geir Olav
    Norwegian University of Science and Technology (NTNU), Gjorvik, Norway.
    Using NTFS Cluster Allocation Behavior to Find the Location of User Data. 2019. In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 29, no Supplement, p. S51-S60. Article in journal (Refereed)
    Abstract [en]

    Digital forensics is heavily affected by the large and increasing amount of data to be processed. To solve the problem there is ongoing research to find more efficient carving algorithms, use parallel processing in the cloud, and reduce the amount of data by filtering uninteresting files. Our approach builds on the principle of searching where it is more probable to find what you are looking for. We therefore have empirically studied the behavior of the cluster allocation algorithm(s) in the New Technology File System (NTFS) to see where new data is actually placed on disk. The experiment consisted of randomly writing, increasing, reducing and deleting files in 32 newly installed Windows 7, 8, 8.1 and 10 virtual computers using VirtualBox. The results show that data are (as expected) more frequently allocated closer to the middle of the disk. Hence that area should be getting higher attention during a digital forensic investigation of an NTFS formatted hard disk. Knowledge of the probable position of user data can be used by a forensic investigator to prioritize relevant areas in storage media, without the need for a working file system. It can also be used to increase the efficiency of hash-based carving by dynamically changing the sampling frequency. Our findings also contribute to the digital forensics processes in general, which can now be focused on the interesting regions on storage devices, increasing the probability of getting relevant results faster. © 2019 Martin Karresand, Stefan Axelsson, Geir Olav Dyrkolbotn

  • 6.
    Karresand, Martin
    et al.
    Norwegian University of Science and Technology, Gjovik, Norway.
    Warnqvist, Åsalena
    National Forensic Centre, Swedish Police Authority, Linköping, Sweden.
    Lindahl, David
    Swedish Defence Research Agency, Linköping, Sweden.
    Axelsson, Stefan
    Norwegian University of Science and Technology, Gjovik, Norway.
    Dyrkolbotn, Geir Olav
    Norwegian University of Science and Technology, Gjovik, Norway.
    Creating a Map of User Data in NTFS to Improve File Carving. 2019. In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers / [ed] Gilbert Peterson & Sujeet Shenoi, Cham: Springer, 2019, p. 133-158. Conference paper (Refereed)
    Abstract [en]

    Digital forensics, and especially file carving, are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions varies between 12% and 41% in an NTFS partition. The probability map can be used by a forensic analyst to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster. © IFIP International Federation for Information Processing 2019

  • 7.
    Lopez-Rojas, Edgar
    et al.
    NTNU, Gjøvik, Norway.
    Axelsson, Stefan
    Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS).
    Baca, Dejan
    3M-Commerce, Ericsson AB, Karlskrona, Sweden.
    Analysis of fraud controls using the PaySim financial simulator. 2018. In: International Journal of Simulation and Process Modelling, ISSN 1740-2123, E-ISSN 1740-2131, Vol. 13, no 4, p. 377-386. Article in journal (Refereed)
    Abstract [en]

    Fraud controls for financial transactions are needed and required by law enforcement agencies to flag suspicious criminal activity. These controls, however, require deeper analysis of the effectiveness and the negative impact for the legal customers. Owing to the intrinsically private nature of financial transactions, this analysis is often performed after several months of actively using fraud controls. In this paper, we present an analysis of different fraud prevention controls on a mobile money service based on thresholds using a simulator called PaySim. PaySim uses aggregated data from a sample dataset to generate a synthetic dataset that resembles the normal operation of transactions and injects malicious behaviour. With technology frameworks such as agent-based simulation techniques, and the application of mathematical statistics, we show in this paper that the simulated data can be as prudent as the original dataset for setting optimal controls for fraud detection.

  • 8.
    Nordvik, Rune
    et al.
    Norwegian University of Science and Technology, Trondheim, Norway & Norwegian Police University College, Oslo, Norway.
    Georges, Henry
    Norwegian University of Science and Technology, Trondheim, Norway.
    Toolan, Fergus
    Norwegian Police University College, Oslo, Norway.
    Axelsson, Stefan
    Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS). Norwegian University of Science and Technology, Trondheim, Norway.
    Reverse engineering of ReFS. 2019. In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 30, p. 127-147. Article in journal (Refereed)
    Abstract [en]

    File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, while users have the option to create ReFS file systems, digital forensic investigators need to investigate the file systems identified on a seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content. Another concept not seen for Windows file systems, is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. 
For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB. Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found. © 2019 The Authors

  • 9.
    Nordvik, Rune
    et al.
    Norwegian University of Science and Technology, Trondheim, Norway & Norwegian Police University College, Oslo, Norway.
    Toolan, Fergus
    Norwegian Police University College, Oslo, Norway.
    Axelsson, Stefan
    Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS). Norwegian University of Science and Technology, Trondheim, Norway.
    Using the Object ID index as an investigative approach for NTFS file systems. 2019. In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 28, no Supplement, p. S30-S39. Article in journal (Refereed)
    Abstract [en]

    When investigating an incident it is important to document user activity, and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems using the NTFS file system by using the $ObjId Index to document user activity, and to correlate this index with the corresponding records in the MFT table. This may be the only possible approach when investigating external NTFS storage devices, and is hence a valuable addition to the storage forensics toolbox. © 2019 Rune Nordvik, Fergus Toolan, Stefan Axelsson
