Forensic Memory Dump Analysis And Recovery Of The Artefacts Of Using Tor Bundle Browser The Need

Similar documents
An Introduction to Incident Detection and Response Memory Forensic Analysis

Tor. Tor Anonymity Network. Tor Basics. Tor Basics. Free software that helps people surf on the Web anonymously and dodge censorship.

Network Forensics and Privacy Enhancing Technologies living together in harmony

Freeware Live Forensics tools evaluation and operation tips

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9

MEMORY FORENSICS VINH THE NGUYEN 1. Setting up the environment. Vinh The Nguyen. Computer Science, Texas Tech University

ANALYSIS AND VALIDATION

You are the internet

GCIA. GIAC Certified Intrusion Analyst.

IP address. When you connect to another computer you send it your IP address.

CNT Computer and Network Security: Privacy/Anonymity

Windows Forensics Advanced

Remote Device Mounting Service

Organisational preparedness for hosted virtual desktops in the context of digital forensics

IDENTIFYING VOLATILE DATA FROM MULTIPLE MEMORY DUMPS IN LIVE FORENSICS

Tracing VNC And RDP Protocol Artefacts on Windows Mobile and Windows Smartphone for Forensic Purpose

Process Dump Analyses

ADSL Router Forensics Part 2: Acquiring Evidence

and the Forensic Science CC Spring 2007 Prof. Nehru

Testing the Date Maintenance of the File Allocation Table File System

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

Evidence Examination Tools for Social Networks

Digital Forensics Practicum CAINE 8.0. Review and User s Guide

DIS10.3:CYBER FORENSICS AND INVESTIGATION

Running Head: IPHONE FORENSICS 1. iphone Forensics Jaclyn Sottilaro Monica Figueroa-Santos Antonina Spinella Saint Leo University

Voice over IP: Forensic Computing Implications

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Metrics for Security and Performance in Low-Latency Anonymity Systems

Detecting Lateral Movement through Tracking Event Logs (Version 2)

The 2010 Personal Firewall Robustness Evaluation

Issues in Information Systems Volume 19, Issue 1, pp , 2018

Darknet an where it is taking the law

Denial of Service, Traceback and Anonymity

Gujarat Forensic Sciences University

Host Website from Home Anonymously

Report For Algonquin Township Highway Department

Hashing Techniques for Mobile Device Forensics

Volatile Data Acquisition & Analysis

SPECIAL ISSUE, PAPER ID: IJDCST-09 ISSN

Anonymous Communication and Internet Freedom

The Battle Against Anonymous Browsing: The Security Challenges Presented by Tor

Anonymous Communication and Internet Freedom

Physical Memory Forensics for Files and Cache. Jamie Butler and Justin Murdock

Attribute-based encryption with encryption and decryption outsourcing

Deanonymizing Tor. Colorado Research Institute for Security and Privacy. University of Denver

Acknowledgments About the Authors

A SIMPLE INTRODUCTION TO TOR

CYBER RESILIENCE & INCIDENT RESPONSE

Tor Networking Vulnerabilities and Breaches. Niketan Patel

Forensics on the Windows Platform, Part Two by Jamie Morris last updated February 11, 2003

Let s Talk About Threat Intelligence

Carding Forum Carding Credit Cards Cardmafia

Privacy defense on the Internet. Csaba Kiraly

Welcome Pwn: Almond Smart Home Hub Forensics

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Anonymous communications: Crowds and Tor

Training for the cyber professionals of tomorrow

Anonymity. Assumption: If we know IP address, we know identity

Digital Forensics Lecture 01- Disk Forensics

Seceon s Open Threat Management software

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

[PDF] Download â Tor Browser: The 2016 Guide (Ensure. Page 3

S23: You Have Been Hacked, But Where s the Evidence? A Quick Intro to Digital Forensics Bill Pankey, Tunitas Group

FBI Tor Overview. Andrew Lewman January 17, 2012

Digital Forensics Lecture 02- Disk Forensics

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

After Conversation - A Forensic ICQ Logfile Extraction Tool

Structural Analysis of the Log Files of the ICQ Client Version 2003b

ORACLE MANAGED CLOUD SECURITY SERVICES - SERVICE DESCRIPTIONS. December 1, 2017

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

COLLECTING EVIDENCE IN A CORPORATE INTRANET ENVIRONMENT

A framework for forensic reconstruction of spontaneous ad hoc networks

Police Technical Approach to Cyber Threats

Cyber security tips and self-assessment for business

Does the use of MIMO Technology used by n Reduce or Increase the Impact of Denial of Service Attacks?

Leading hackers down the garden path

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018


Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Anonymous Communications

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment

Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network

Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

USING SEARCH ENGINES TO ACQUIRE NETWORK FORENSIC EVIDENCE

Blue Team Handbook: Incident Response Edition

Standard: Event Monitoring

Red Leaves implant - overview

RSA FRAUDACTION ANTI-PHISHING SERVICE: BENEFITS OF A COMPREHENSIVE MITIGATION STRATEGY

Summary. January 31, Jo Lim. Chief Operations and Policy Officer. Dear Jo,

FORENSICS CYBER-SECURITY

Toward Improving Path Selection in Tor

Tools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems

A Response Strategy Model for Intrusion Response Systems

Incident Play Book: Phishing

CE Advanced Network Security Anonymity II

Financial Forensic Accounting

COMMON ISSUES AFFECTING SECURITY USABILITY

Transcription:

Edith Cowan University Research Online Australian Digital Forensics Conference Conferences, Symposia and Campus Events 2013 Forensic Memory Dump Analysis And Recovery Of The Artefacts Of Using Tor Bundle Browser The Need Divya Dayalamurthy Edith Cowan University, ddayalam@our.ecu.edu.au DOI: 10.4225/75/57b3c7f3fb86e Originally published in the Proceedings of the 11th Australian Digital Forensics Conference. Held on the 2nd-4th December, 2013 at Edith Cowan University, Perth, Western Australia This Conference Proceeding is posted at Research Online. http://ro.ecu.edu.au/adf/122

FORENSICMEMORYDUMPANALYSISANDRECOVERYOFTHEARTEFACTSOFUSINGTOR BUNDLEBROWSER THENEED DivyaDayalamurthy SchoolofComputerandSecurityScience EdithCowanUniversity,Perth,Australia ddayalam@our.ecu.edu.au Abstract The Onion Routing (TOR) project is a network of virtual tunnels that facilitates secure, private communicationsontheinternet.arecentarticlepublishedin TheRegistry claimsthattorbundle browser usage has increased in recent years; statistics show that in January 2012, there were approximately 950,000 users globally and now in August 2013 that figure is estimated to have reached1,200,000users.thereportalsoillustratesthattheunitedstatesofamericaandtheunited Kingdom are major contributors towards the massive increase in TOR usage. Similarly, other countrieslikeindiaandbrazilhaveincreasedusageto32,000and85,000respectively.thisresearch paper will be an introduction and identifies the need for research in this area, and provides a literature review on existing research. The objective of this paper is to discuss the existing methodologiesforanalysingforensicartefactsfromramfromtheuseofthetorbrowserbundle and to propose a synthesized forensic analysis framework that can be used for analysing TOR artefacts. Keywords Darknet,TOR,TAILS,Cybercrime INTRODUCTION Cyberwarzone reports claim that darknet contains index of more than 70,000 websites hosted illegallywhicharenotvisibletonormalinternetuser.someoftheanonymousbrowsersaretor bundlebrowser,relakks,wasteagain,andfreenetthatcanbeusedforestablishingconnectionto darknet.asinstallationandusageoftheanonymousbrowsersisverysimpleanduserfriendly,there isaamountofusersaccessingdarknetsforunethicalorillegalactivities(fachkhaetal.,2012). Oneofthemainreasonsforthisspikeisbecausetheyprovidefreedomofspeechtotheusersand alsoencryptsthetraffic,thushidingtheidentityoftheuserstosomeextent.atthesametime,this has become a great benefit for cybercriminals and unethical users for accessing all the available illegalservicesorhostedhiddenlinks.thereforethiseasyaccesstodarknethashikedcrimerates involving illegal activities such as online drug dealing, child pornography, hidden wiki hosting devices,crimeasaservice(sharwood,2013). AccordingtothearticlebyCyberwarzone,reportsclaimthatdarknetcontainsnearly600TBofdata and 500 times larger than normal internet visibility(cwz, 2013). As the majority of the content availableareillegalonlinestores,assassins,drugdealers,stolengoodssale,andmediumforterrorist communications;thismakesdarknetcontentmoredangeroustosurf. Inthiscurrentscenario,whenauserusesTORbundlebrowserforaccessingillegalinformation,the lackof monitoring control makes it difficult to forensically detect and identify the traffic. The significanceofthestudyisrequiredtodevelopaforensicsoundmethodologytodetecttorbundle browserusagefrommemorydumpofthewindowsmachine.thisenablesanalysisandrecoveryof theartefactsusingtorbundlebrowserfororganizationorevenjurisdictionpurpose(murdoch& Danezis, 2005). However, recent arrest of The Silk Road founder has given additional hope of identifyingtheusersaccessingdarknetforillegalpurposes. 71

Many authors have perused studies and research on darknet and different ways for establishing connectionthroughmanyanonymousbrowsers.thisincludesdetectionoftortrafficonnetwork infrastructure, detecting TOR traffic on a windows operating system, and general memory dump analysis.buttherewerenoproperresearchbeingaimedtocovermemorydumpforensicspecifically foranalysingartefactsoftorbundlebrowserusage.thus,thereisahugegapinthisareawithout beingexplored andthisresearchwillfocustoaddressthisgapandaimstoproposeamethodology whichsynthesizesmemorydumpforensicanalysisanddetectionoftorbundlebrowserartefacts. TORBUNDLEBROWSER THEWORKING TORusesamethodologycalledonionroutingconsistingofTORrelays,volunteersTORservers,exit nodes. When a user installs the TOR bundle browser and runs it; it automatically establishes connectionandisreadyfortheuser.figure1,illustratesthetorbundlebrowserconsistingofthree componentsforsendingencryptedtraffic,namelyanentrynode,amiddleman,andanexitnode. Whenauserinitiatesaconnectionitfirstreachestheentrynodeandisthensentthroughmultiple middleman nodes which volunteers to this traffic and goes to the exist node and then to the destinationserver.torusespublickeyforencryptingthetransmittingmessagesformultiplelayers until the exit nodes. However, the traffic from the exit node to the destination server is unencrypted(biryukov,pustogarov,&weinmann,2013). Figure1:TORbundleBrowserWorking On analysing the TOR bundle browser operation and workings, it is evident that when a user establishes TCP connection it highly impossible to detect the traffic since it has multilayer of encryption.hence,detectingthetortraffichasalwaysbeenextremelyimportantfromasecurity perspectiveandforensicrecoveryperspectiveaswell. Published research available on TOR bundle browser memory dump forensic analysis is currently verylimited.existingresearchisavailablefor: Generalmemorydumpforensicanalysisandrecovery. MonitoringordetectionofTORbrowserinanetwork. There is a huge gap in this area and this research aims to address this gap using the proposed forensicprocess. 72

EXISTINGDETECTIONMETHODSAVAILABLE ArtefactsfromOperatingSystem InreferencetotheresearchpaperbyRunaA.Sandvik(2013),theauthorhasillustratedtheforensic analysis and documented traceable evidence that TOR bundle browser can leave in a windows machine. The author has also analysed and recorded the directory path of TOR bundle browser artefacts acquired from windows OS. From the research paper, the path or directories with TOR artefactsidentifiedwerethefollowing: PrefetchfolderC:\Windows\Prefetch\. Thumbnailcachememory WindowsPagingFile WindowsRegistry{Sandvik,2013#49}. A similar analysis was performed by Andrew Case on DeAnonymizing Live CDs through Physical Memory Analysis,where the author has discussed different forensic techniques for recovery of usingtheamnesicincognitolive System(TAILS)(Case,n.d.).TheTAILSisaLIVEoperatingsystem (Linux)bootablefromDVDoranyportabledevice.Allinternetconnectionisestablishedandtrafficis forcedtopassthroughtornetwork.inthispaper,theauthorhascoveredsmallsectionsoninitial memorydumpanalysisforforensicallyretrievingartefacts.theauthorillustratesthatpythonscripts canbeusedtoanalysespecifictordatastructureswhereinformationregardingtheartefactsare stored.however,theauthorhasn tprovedthescript spracticalworkabilityforartefactsrecovery {Case, n.d. #50}(Dodge, Mullins, Peterson, & Okolica, 2010)(Sutherland, Evans, Tryfonas, & Blyth, 2008). ArtefactsfromNetworkTraffic AstheTORbundlebrowserencryptsallpossibletrafficsentthroughTORentrynode,middleman, andexitnodesbyaddinghighlevelmultilayerencryptioneachtimeitpassesthroughamiddleman node.detectingthetortrafficandanykindofproxyusageishighlyessentialonnetworkforensic perspective.(fachkhaetal.,2012)(berthier&cukier,2008). AuthorJohnBrozycki,intheresearchpaper DetectingandPreventingAnonymousProxyusage has penned down the techniques that could be used for detecting any anonymous proxies by using SNORTrules.Forthispurpose,theauthorusedVidaliapackage atorpackageforestablishingtor connections.theauthorclaimsthatusingthebelowsnortruleasgiveninfigure2,candetecttor bundlebrowsertraffic{brozycki,2008#36}(mizoguchi,fukushima,kasahara,hori,&sakurai,2010). Figure2:SNORTruledevelopedbyJohnBrozycki AsimilarmethodwasalsosupportedbyDavid ssnortrule(figure3),founderofseclitsblog.the authorstatedthatitcouldalsodetectthetorbrowserusage.however,therewerenotanyproven resultsdocumentedinthepaper. Figure3:SNORTruledevelopedbyDavid {Brozycki,2008#36} 73

Furthermore,Sambuddhoetal(SambuddhoChakravarty)hasperformedresearchondetectingTOR trafficusingdecoys.forthisresearch,theauthoruseddecoytraffic(bait)fordetectingtheproxy connectionsincludingtorbundlebrowsertraffic.inthispaper,theauthorshavecreatedmanybait servers and made the servers available in the TOR network. This implementation has been performed by using IMAP and SMTP servers and entice credentials have been created so that cybercriminalscanbeattractedtoaccesstheirservicesintheirhostedservers.figure4,illustrates the Rogueexitnode whichactsasabaitfortorusers,allthetrafficpassingthroughrogueexit node is recorded. This setup was kept online or active for duration of ten months and different activitiestryingtocompromisetheserversusinghttpsessionhijackingattacksweremonitoredand recorded. Figure4:Decoytrafficfordetectingtheproxyconnections(SambuddhoChakravarty,2011) Theauthorstatesthatthisresearchpaperwillbebeneficialtoidentifyandanalysethebehaviour andstatisticofactivitiesontherogueexitnode.asstatedearlier,thetrafficfromandtoexitnodes aretheonlyunencryptedtrafficbythetornetwork.however,whenpassingthroughtherogueexit node; this setup can collect statistics and particulars of the hosts connecting through that compromisedexitnodeanditcannottraceothermiddlemannodes(previoushops)involvedinthe TORnetworkrouting.ThismethodrevealstheIPaddressofthehostsenteringtheexitnodebutnot the actual IP address of the machine or even any of the middleman nodes involved in the TOR network(xuefeng,yong,&xiamu,2008). Maliciousbrowserplugins In August 2013, it was confirmed that attackers had exploited the vulnerability in TOR bundle browser Firefox plugin which can disclose the source IP address of the TOR users. This malicious codewasinjectedfromadarknethostcalled FreedomHosting,theuserswhovisitedthishidden servicewebsitewerecompromisedasitexploitsthememorymanagementvulnerabilityinfirefox browser(goodin,2013).thismaliciousjavascriptwouldmakefirefoxsendauniqueidentifiertoa public server by which the source IP address can be traced back. I addition to this, a reverse engineering security specialist claimed that this malicious code reveals some of the IP address in Reston,Virgina(POULSEN,2013). However, if the TOR user does not visit that compromised hosted website then, the chance of FirefoxpluginbeingexploitediscomparativelylowtodetecttheTORartefacts.Ontheotherhand, thereishighpossibilityofretrievingsignificantforensicevidenceoftorbundlebrowserartefacts fromawindowsmachineusingthe MemoryDump.Thenextsectionwillaimntoprovideliterature reviewonmemorydumpforensicanalysis(brozycki,2008). 74

MEMORYDUMPANALYSIS Whymemorydumpanalysis Memory dump analysis has always been a critical and interesting area for forensic investigations. The information stored in the memory of the computer has significant importance. For example, whenacybercriminalusesbootablelivecdorusbsuchastailswithawindowsorlinuxoperating system,thennosignificantinformationisstoredinthephysicalhostcomputer.thisisbecausethe machinebootsfromthecdorportableusbwithselfcontainedharddriveandevenifthephysical computeriscapturedandforensicallyanalysednotmuchevidencecanberetrieved. Consider,asuspectusesTAILSforconnectingtosomeillegaldarknetwebsite.Inthisscenario,allthe internetconnectionsestablishedfromthatmachineareforcedtogothroughthetornetworkwith multilevelencryptionandthustheidentityoftheuserishiddentosomeextent leavingbehindno potentialevidence.thus,retrievingthememorydumpfromthesuspectmachineandanalysingit forensicallycouldprovidemoreforensicevidenceoftorbundlebrowserusage(aljaedi,lindskog, Zavarsky,Ruhl,&Almari,2011). Whatinformationarestoredinmemorydump? Theglimpseoftheinformationstoredinthememorydumparegivenbelow: Allthedetailsabouttheimageincludingdate,time,andCPUusagearerecorded. Processes,processID allrunningprocessintheoperatingsystem. Network connections what network connections were available at the time of memory dumpcaptured. DLLs,memorymaps,objects,encryptionkeys. Programs,hiddenprograms,rootkits,promiscuouscodes. Registryinformationoftheoperatingsystem. APIfunctions,systemcalltables. Graphiccontents. Asthememorydumpcontainssignificantinformation,analysingitforensicallywillhelptodetect, recoverandanalyseartefactsoftorbundlebrowserusage. TOOLS AND TECHNIQUES AVAILABLE FOR RETRIEVING DIFFERENT TYPE OF EVIDENCE FROM MEMORYDUMP Extractionofgraphiccontent InreferencetotheresearchpaperbyStephanetal(2011),theauthorsillustratedtheprocess(figure 5) for extracting the graphic content information from the memory dump of windows based machine(kiltz,hoppe,&dittmann,2009).inaddition,theauthorsalsodevelopedaforensicmodel (figure 6) used for this research. The extraction process (figure 5) used by Stephan et al (2011) involves strategic preparation, operational preparation, data gathering, data investigation, data analysis,andfinaldocumentationwithevidencepresentation. Strategic Preparation Operational Preparation DataGathering Data Investigation DataAnalysis Documentation Figure5:ExtractionProcessofgraphiccontentfrommemorydump 75

Figure6:Stephanetal(2011)proposedForensicmodel Figure 6, illustrates the proposed forensic model with different data type for extracting graphic content. According to the author, forensically relevant data types are hardware data, raw data, detailsaboutdata,configurationdata,communicationprotocoldata,processdata,sessiondata,and userdata.inaddition,theothertoolsusedtoretrievethegraphiccontentfromthememorydump wereirfanviewandvolatilityframework(kiltzetal.,2009)(mcree). Volatilitymemoryanalysis Inlinewiththisanalysis,thevolatilitystoragemediumplaysavitalpartinthissection.Thisisalso termed as temporary memory in some area of research which stores information about running process, process ID, DLLs information and other forensic evidences. According to the paper TechniquesandToolsforRecoveringandAnalysingDatafromVolatileMemory (Amari)published bysansinstitutetheauthorclaimspossiblewaystoacquirethememoryaslistedbelow: Hardwarebasedacquisition: This process requiresthe computerto besuspendedanddma (direct memoryaccess)is used to obtainthecopyofthememorydump. Softwarebasedacquisition: Thismethodiseasierandmoreuserfriendlyforacquiringthevolatilememoryusingsoftwaresuch asmemorydumpordd.thistechniqueiswidelyusedintheforensicanalysisarea.inaddition,the authorhasexplainedhowthevolatilememoryworksinwindowsandlinuxoperatingsystems.he claimsthatthememorymapfilescanberecoveredbyviewingtherootofthevadtreewhichstores specificinformationabouttheprocesses,events,applicationerrors,logs.theothersignificantarea inwindowsbasedsystemformemoryanalysisis controlarea whichcouldhelpinretrievingthe informationregardingthefilenamesanddatastored.similarly,inlinuxsystemthedatastructureis termedasinode.furthermore,thepaperalsodocumentstheavailablememoryforensictoolsthat canbeusedforvolatilitymemoryanalysis.(amari)(mrdovic,huseinovic,&zajko,2009) 76

A similar memory dump analysis using volatility framework was performed by Chad Tilbury and cheatsheetwasdevelopednamed MemoryForensicsCheatsheetv1.1.Inthispaper,theauthor documented the different commands that can be used to trace different types of artefacts using volatilityframeworkasshownintable1(tilbury,n.d.) VolatilityFrameworkonmemorydumpanalysis RegistryAnalysisArtefacts RootkitArtefacts NetworkArtefacts RogueProcessArtefacts PromiscuousModeArtefacts PromiscuousProcessandDrivers Hivelist #vol.pyhivelist Hivedump#vol.pyhivedump o0xe1a14b60 Printkey#vol.pyprintkey K Userassist#vol.pyuserassist Hashdump#vol.pyhashdump y0x8781c008 s0x87f6b9c8 Psxview #vol.pypsxview Driverscan#vol.pydriverscan Apihooks#vol.pyapihooks Ssdt#vol.pyssdt egrep v Driverirp#vol.pydriverirp rtcpip Idt#vol.pyidt Connections #vol.pyconnections Connscan#vol.pyconnscan Sockets#vol.pysockets Sockscan#vol.pysockscan Netscan#vol.pynetscan Pslist #vol.pypslist Psscan#vol.pypsscan Pstree#vol.pypstree Malfind #vol.pymalfinddumpdir./output_dir Ldrmodules#vol.pyldrmodules p868v Dlldump #vol.pydlldumpdumpdir./output rmetsrv Moddump#vol.pymoddumpdumpdir./output rgaopdx Procmemdump#vol.pyprocmemdumpdumpdir./out p868 Memdump#vol.pymemdump dumpdir./output p868 Table1:MemoryForensicsCheatsheetv1.1byChadTilbury RecoveringWindowsregistryinformationfrommemorydump Windows registry is significant area for recovering and analysing potential evidence about each event on a windows machine. Shuhui Zhang et al (2011) have proposed a method for recovering windowsregistryinformationfromthememorydump.figure7istheproposedflowchartbyshuhui Zhangetal(2011)forextractingtheHIVEfilesfromthememorydump.SincetheHivefilescontain all the necessary information including metadata, handles, objects, keys, data structures and file mapswhicharepotentiallysignificantforforensicmemoryanalysis. 77

Figure7:ProposedMethodologyforrecoveringWindowsRegistryArtefacts (Shuhui,Lianhai,&Lei,2011) AsimilarpaperwaswrittenbyFarmeretal(n.d.)onforensicanalysisofwindowsregistry.However, inthisresearchpaper,theauthorshaveillustratedforensicanalysisbydirectlyviewingthewindows registryandnotanalysingfromthememorydump.theauthorhaveanalysedanddocumentedthe possibleevidencesthatcouldberecoveredfromwindowsregistrysuchas: RegistryHiveLocations MRULists(MostRecentlyUsedList) WirelessNetworksdetails Networkdetails LANcomputerconnectedthroughthemachine Portabledevicesconnected ArtefactsofIE Windowspasswords IMchatdetails 78

LiteratureReviewMatrix MemoryDumpAnalysis TORBrowserDetection Windows WindowsRegistryOSAnalysis Volatile Memory Data Analysis Volatility Framework NetworkDetectionAnalysis OtherOperatingsystemforensicanalysis Table2:LiteratureReviewMatrix Researchareacovered Researchareawithscopeoryettoexplore! Table 2 shows summarization of the literature review on techniques available for retrieving TOR bundle browser artefacts. It is evident that many researchers have explored the techniques for recoveringevidenceoftortrafficonnetworksandbysettingupbaitexitnode(rogueexitnode). Similarly,researcheshavecarriedonretrievingtheartefactsofTORusagefromWindowsandLinux operating systems. However, no research materials were found on recovering and analysing artefactsoftorbundlebrowserfromthememorydumpofawindowsmachine.tomoveforward withthisproject,thislackofcoverage,orgapwillbeaddressedandamethodologywillbeproposed toanalysethetorbundlebrowserartefactsfromthememorydumpofawindowsmachine. 79

THEORITICALFRAMEWORK Figure8illustratesthetheoreticalframeworkofhowtheresearch/experimentwillbeperformedtoanalysethememorydumptorecovertheartefactsof TORbundlebrowserusage.Inaddition,themainagendaistogenerateasynthesismethodologybycombiningTORbundlebrowserdetectionandmemory dumpanalysis. Figure8:MemoryDumpAnalysisforArtefactsofusingTORBundleBrowser InitialStage SetupPhase CapturingEvidence Analysis Evidence Presentation Setup Windows Setup Windows InstallTOR Bundle Browser SendEncrypted P2P messages Capturethe memory dump Analysingusing Volatility RegistryHIVES Analysingusing Mandiant Memoryze WindowsRegistry Recovery Windowspath details Window s Registry TOR WindowsGraphic content recovery 80

1. InitialPhase Twowindowsvirtualmachineswillbeconfigured. 2. SetupPhase The PC will be installed with latest version of TOR bundle browser for this project. Communications will be established via TOR network to the two machines and illegal hidden serviceswillnotbeexamined.forthisreason,boththeendpointsaresetupbytheauthorand onlythetornetworkisbeingusedtoroutetraffic. 3. CapturingEvidence Aftersuccessfullysendingencryptedmessagesfromendpointtoother,eachofthePC smemory will be captured and memory dump will be created using software Dumpit in a forensically soundmanner.thecreatedmemorydumpwillbehashedtomaintainingintegrityandcopieswill bemadebeforeperformingtheanalysisusingforensictools. 4. Analysis Analysis and examination will be performed using memory dump forensic tools such as the volatility framework and Mandiant Memoryze analyser for analysing TOR bundle browser artefacts.inaddition,asstatedbystephanetal(2011)thewindowsgraphiccontentevidencein referencetotortrafficwillbeanalysed.furthermore,shuhuizhangetal(2011)methodology forrecoveringthewindowsregistryinformationfromthememorydumpwillbeperformedand logeventrunningsheetasgivenintable3willbemaintainedcapturingalltheevents. Table3:SampleLogEventRunningSheet Date Time Comments ActionTakenBy Investigator1 5. EvidencePresentation ThissectionwillaintoprovidetheartefactsandevidencefromregistryHIVES,windowsdirectory, andwindowsregistrydetails.theevidenceandartefactsthatwereidentifiedandrecoveredfrom thepreviousanalysisstepwillbepresentedinforensicreportmanner.alltherecoveredevidence willbehashedandlogofeventswillshowtheanalysisflowfollowedbytheauthor.finally,the evidencerecoveredfromvolatilityframeworkandmandiantmemoryzewillbedocumented(refer table4). Table4:SampleEvidencePresentationsheet Date Time Filename Investigator PathFound HashValue MD5 SHA1 EvidenceFile EvidenceComments 81

ResearchFramework Figure10:ProposedResearchEnvironmentforthisProject Figure 10 illustrates the proposed research environment setup for perusing this project. In this scenario,twoendpointsarebearrangedbytheauthor,oneoftheendpointsisamachinewith windows operating system and the second end point will be a windows web server. Both the windows machines will be installed with TOR bundle browser with appropriate plugins. Once the setupiscompleted,thewindowsmachinewillaccessfilesorcommunicatewiththewebserverand routeonlytortraffic.asdepictedintheabovefigure10,thecommunicationbetweenthewindows machineandwebserveriscarriedby volunteered TORnodesinthe TOR network. Theseare the machineallovertheworldwithtorbundlebrowserinstalled.afteraccessingthefilesusingtor network,thememorydumpofthewindowsmachinewillbecapturedinforensicallysoundmanner using dumpit software.finally,thememorydumpwillbeanalysedandartefactsoftorbundle browser and any other suspicious proxy traffic will be recorded and presented in the evidence presentationsection. LIMITATIONS AcurrentlimitationinTORbundlebrowserdetectionresearchisthatthereaislackofestablished researchdrivenmethodsavailableforretrievingandrecoveringtorartefactsfrommemorydump. This area is so new, that there is no material or and have been no experiments conducted by industryandresearchersonanalysingandretrievingartefactsevidencefrommemorydumpoftor browserusage.achallengeforthisresearchistoaddressthislimitationasthisresearchwillbefirst ofitskind,andtoestablishmethodologiesfortestingandresearch. 82

FUTUREWORK Due to the limitations and time constraints the proposed methodology hasn t been implemented andtested.asafuturework,theproposedmethodologywillbetestedasillustratedintheforensic processandevidencewillbepresentedinthenextpaperasaprototypemodel. CONCLUSION Thismainobjectiveofthispaperwastopresenttheneedofresearchinmemorydumpanalysison detectingtorbundlebrowser.thiswouldbefirststeptodetecttheusageoftorfromthephysical machine.oncetheproposedsynthesismethodologyisdevelopedandtested;thiscanalsobeused byorganisationsformonitoring,analysingorprovidingevidenceforusingtorbundlebrowser.this areaneedsmoreattentionandmoreresearchwillbeperformedoncethismethodologyhasbeen developed. REFERENCES Amari,Kristine.TechniquesandToolsforRecoveringandAnalyzing DatafromVolatileMemory. CWZ.(2013).Guide:Howtofindthedarknetordeepweb. Kiltz,S.,Hoppe,T.,&Dittmann,J.(2009,57July2009).Anewforensicmodelanditsapplicationto thecollection,extractionandlongtermstorageofscreencontentoffamemorydump.paper presentedatthedigitalsignalprocessing,200916thinternationalconferenceon. Mrdovic, S., Huseinovic, A., & Zajko, E. (2009, 2931 Oct. 2009). Combining static and live digital forensicanalysisinvirtualenvironment.paperpresentedattheinformation,communication andautomationtechnologies,2009.icat2009.xxiiinternationalsymposiumon. SambuddhoChakravarty,GeorgiosPortokalidis,MichalisPolychronakis,andAngelosD.Keromytis. (2011).DetectingTraffcSnoopinginTorUsingDecoys. Sharwood,Simon.(2013).SilentCircleshuttersemailservice. Shuhui,Zhang,Lianhai,Wang,&Lei,Zhang.(2011,1113March2011).Extractingwindowsregistry information from physical memory. Paper presented at the Computer Research and Development(ICCRD),20113rdInternationalConferenceon. Tilbury,Chad.(n.d.).MemoryForensicsCheatSheetv1.1. 83

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback