Browsing by Author "Morris, Sarah"
Now showing 1 - 15 of 15
Open Access: Analysis of Android malware detection techniques: a systematic review (Society of Digital Information and Wireless Communications, 2019-09-30). Ashawa, Moses Aprofin; Morris, Sarah.
The emergence and rapid development in complexity and popularity of Android mobile phones has created proportionate destructive effects from the world of cyber-attack. The Android device platform is experiencing great threats from different attack angles such as DoS, botnets, phishing, social engineering, malware and others. Among these threats, malware attacks on Android phones have become a daily occurrence. This is because Android has millions of users, high computational abilities, popularity, and other essential attributes. These factors influence cybercriminals (especially malware writers) to focus on Android for financial gain, political interest, and revenge. This calls for effective techniques that could detect these malicious applications on Android devices. The aim of this paper is to provide a systematic review of the malware detection techniques used for Android devices. The results show that most detection techniques are not very effective at detecting zero-day malware and other variants that deploy obfuscation to evade detection. The critical appraisal of the study identified some of the limitations in the detection techniques that need improvement for better detection.

Open Access: Analysis of mobile malware, evolution and infection strategies: a systematic review (NAUSS, 2021-12-30). Ashawa, Moses; Morris, Sarah.
The open-source nature and popularity of Android attract hackers and have multiplied security concerns targeting devices. As such, malware attacks on Android are one of the security challenges facing society. This paper presents an analysis of mobile malware evolution between 2000 and 2020. The paper presents mobile malware types and the in-depth infection strategies malware deploys to infect mobile devices. Accordingly, factors that restricted the fast spread of early malware and those that enhance the fast propagation of recent malware are identified. Moreover, the paper discusses and classifies mobile malware based on privilege escalation and attack goals. Based on the reviewed survey papers, our research presents recommendations in the form of measures to cope with emerging security threats posed by malware and thus decrease threats and malware infection rates. Finally, we identify the need for a critical analysis of mobile malware frameworks to identify their weaknesses and strengths in order to develop a more robust, accurate, and scalable tool from an Android detection standpoint. The survey results facilitate the understanding of mobile malware evolution and the infection trend. They also help mobile malware analysts to understand the current evasion techniques mobile malware deploys.

Open Access: An analysis of the structure and behaviour of the Windows 7 operating system thumbnail cache (University of Strathclyde, Glasgow, 2011-06-28). Morris, Sarah; Chivers, Howard.
Operating systems such as Windows 7 implement a thumbnail cache structure to store visual thumbnails and associated metadata. There is no standard implementation of a thumbnail cache or its functions, which has led developers to implement their own structures and behaviour. The artefacts present within a thumbnail cache are of interest to a forensic analyst as they can provide information on files within the system which may be of use to the investigation. This research investigates the structure and behaviour of the thumbnail cache implemented in Windows 7 and shows that, as well as storing information relating to visual thumbnails, the cache also stores the names of networked computers, GUIDs relating to system artefacts and allocated drive letter information. It also shows that, due to the behaviour of the cache, information such as records relating to files which are no longer on the system may be available, providing interesting forensic evidence.

Open Access: Android Permission Classifier: a deep learning algorithmic framework based on protection and threat levels (Wiley, 2021-05-05). Ashawa, Moses; Morris, Sarah.
Recent works demonstrated that Android is the fastest growing mobile OS with the highest number of users worldwide. Android's popularity is facilitated by factors such as ease of use, open-source code, and low purchase cost compared to mobile OSs like iOS. The widespread adoption of Android has brought an exponential increase in the complexity and number of malicious applications targeting Android. Malware deploys different attack vectors to exploit Android vulnerabilities and attack the OS. One way to thwart malware attacks on Android is the use of Android security patches, antivirus software, and layered security. However, the fact that the permission request dynamic is different from other attack vectors makes it difficult to identify whether a permission request is malicious or not, especially when constructing permission request profiles for Android users. This challenge is tackled by our research. This article proposes a framework called Android Permission Classifier for the classification of Android malware permission requests based on threat levels. This article is the first to classify Android permissions based on their protection and threat levels. With the framework, out of the 113 permissions extracted, 23 were classified as more dangerous. Our model shows a classification accuracy of 97% and an FPR value of 0.2% with high diversity capacity when compared with the performance of other similar existing methods.

Open Access: Bayesian Network Probability tables for Thumbnail Cache Identification (Cranfield University, 2018-03-07 09:46). Morris, Sarah.
Bayesian Network and Probability tables for Identatron. These are used for cluster-sized thumbnail cache file fragment identification.

Open Access: Cheap as chips: an accessible chip off acquisition method for ball grid array (BGA) integrated circuits in digital investigations (Elsevier, 2022-11-11). Hadgkiss, Melissa; Morris, Sarah; Paget, Stacey; Ventress, Adrian; Norris, Karl.
Chip off acquisition has steadily been used in digital investigations as an advanced data acquisition technique. This method has typically been reserved for devices where less invasive methods have been unsuccessful in data recovery. After a review of available literature, limited publications were found to define and discuss a detailed chip off methodology, especially using accessible and low-cost equipment. This demonstrates a lack of knowledge sharing and standardisation in this space. This paper creates a methodology for chip off acquisition, that examiners can follow, using an array of equipment. The methodology was developed using accessible resources in a variety of formats and experimental research. Once constructed, the method was tested in a collection of scenarios and utilised in research and consultancy. This demonstrated areas where the method was positively implemented and areas where updates could improve the overall success of the methodology. Following the evaluation, a 6-stage process was formulated: deconstruction, identification, removal, restoration, determine and perform.

Open Access: A critical comparison of Brave Browser and Google Chrome forensic artefacts (Association of Digital Forensics, Security and Law, 2022-03-01). Berham, Stuart; Morris, Sarah.
Digital forensic practitioners are tasked with the identification, recovery, and analysis of Internet browser artefacts which may have been used in the pursuit of committing a civil or criminal offence. This research paper critically compares the most downloaded browser, Google Chrome, against an increasingly popular Chromium browser known as Brave, said to offer privacy-by-default. With increasing forensic caseloads, data complexity, and requirements for method validation to satisfy ISO 17025 accreditation, recognising the similarities and differences between the browsers, developed on the same underlying technology, is essential. The paper describes a series of conducted experiments and subsequent analysis to identify artefacts created as part of normal user browsing activity. Analysis of the artefacts found that Brave and Chrome share almost identical data structures, with on-disk artefact recovery successful, even for deleted data. The outcome of this research, based upon the results, serves to enrich understanding and provide best practice for practitioners and software developers, respectively responsible for examining Chromium artefacts for use in evidence production and developing new forensic tools and techniques.

Open Access: Host-based detection and analysis of Android malware: implication for privilege exploitation (Infonomics Society, 2019-06-30). Ashawa, Moses; Morris, Sarah.
The rapid expansion of mobile operating systems has created a proportional development in malware infection targeting Android, which is the most widely used mobile OS. Factors such as Android's open-source platform and low cost influence the interest of malware writers targeting this mobile OS. Though there are a lot of anti-virus programs for malware detection designed with varying degrees of signatures for this purpose, many don't give an analysis of what the malware does. Some anti-virus engines give clearance during installation of repackaged malicious applications without detection. This paper collected 28 Android malware families with a total of 163 samples in the dataset. A general analysis of the entire sample dataset was created, giving credence to their individual family samples and year discovered. A general detection and classification of the Android malware corpus was performed using the K-means clustering algorithm. Detection rules were written with five major functions for automatic scanning, signature enablement, quarantine and reporting of the scan results. The LMD was able to scan a file size of 2048 MB and report accurately whether the file is benign or malicious. The K-means clustering algorithm used was set to 5 iteration training phases and was able to classify accurately the malware corpus into benign and malicious files. The obtained result shows that some Android families exploit potential privileges on mobile devices. Information leakage from the victim's device without consent and payload deposits are some of the results obtained. The result calls for proactive rather than reactive measures in tackling malware infection on Android-based mobile devices.

Open Access: Modeling correlation between android permissions based on threat and protection level using exploratory factor plane analysis (MDPI, 2021-11-30). Ashawa, Moses; Morris, Sarah.
The evolution of mobile technology has increased correspondingly with the number of attacks on mobile devices. Malware attack on mobile devices is one of the top security challenges the mobile community faces daily. While malware classification and detection tools are being developed to fight malware infection, hackers keep deploying different infection strategies, including permissions usage. Among mobile platforms, Android is the most targeted by malware because of its open OS and popularity. Permissions are one of the major security techniques used by Android and other mobile platforms to control device resources and enhance access control. In this study, we used the t-Distributed Stochastic Neighbor Embedding (t-SNE) and Self-Organizing Map techniques to produce a visualization method using exploratory factor plane analysis to visualize permission correlation in Android applications. Two categories of datasets were used for this study: the benign and malicious datasets. The dataset was obtained from the Contagio, VirusShare, VirusTotal, and Androzoo repositories. A total of 12,267 malicious and 10,837 benign applications from different categories were used. We demonstrate that our method can identify the correlation between permissions and classify Android applications based on their protection and threat level. Our results show that every permission has a threat level. This signifies that permissions with the same protection level have the same threat level.

Open Access: Modelling Relationship of Android Permission Request Variables with Bayesian Correlation (Cranfield University, 2020-12-11 09:09). Aprofin Ashawa, Moses; Morris, Sarah.
These tables contain the estimated correlation using Pearson, Spearman's rho, and Kendall's tau-b. The tables show the estimated correlation that exists between Android permission request variables in the collected malware dataset.

Open Access: Purple dawn: dead disk forensics on Google's Fuchsia operating system (Elsevier, 2021-09-20). Jarrett, Matt; Morris, Sarah.
Fuchsia is the project name for a "modular, capability-based" operating system currently being developed by Google. There is speculation that Fuchsia may be a successor to the Android OS or a replacement for several other operating systems currently supported by the organisation. This paper examines the file systems found in this operating system and provides a breakdown of the content and structure of the unique volume manager and other partitions found on the system. The findings outlined in this paper should allow digital investigators to expedite their understanding of the underlying data found on the platform. This paper also highlights how the zxcrypt encryption subsystem may inhibit the ability of practitioners to carry out an investigation of the MinFS partition. As Fuchsia is still in development, these findings are reliant on there not being significant changes made to the structure of the partitions examined. There remain unanswered questions regarding the content of the BootFS disk image found in the ZIRCON partition and the structure of entries within the Slice Allocation Table in the FVM.

Open Access: Sifting through the ashes: Amazon Fire TV stick acquisition and analysis (Elsevier, 2019-01-14). Hadgkiss, Melissa; Morris, Sarah; Paget, Stacey.
The Amazon Fire TV Stick is a popular device that is the centre of entertainment for many homes. Its collection of functions and features generates a considerable amount of data, giving this device the potential to be included in multiple investigations and highlighting a clear requirement for a forensic analysis of the device. Previous research on smart entertainment devices focuses on the larger areas of the market, including smart TVs, smart speakers and smart watches. All have provided potential forensic artefacts that can be used in investigations. However, data is often acquired using methods that can compromise the forensic integrity of the data. An Amazon Fire TV Stick was populated with data following a methodology that captured the multiple uses of the device. A chip off acquisition method was then applied to acquire a forensic image. Analysis demonstrated there were a number of recoverable artefacts relating to the system, users and Kodi. The majority of the relevant artefacts identified were located in SQLite3 databases and XML files.

Open Access: Social Media User Relationship Framework (SMURF) (Association of Digital Forensics, Security and Law, 2021-02-16). David, Anne; Morris, Sarah; Appleby-Thomas, Gareth J.
The use of social media has spread through many aspects of society, allowing millions of individuals, corporate as well as government entities to leverage the opportunities it affords. These opportunities often end up being exploited by a small percentage of the user community who use it for objectionable or unlawful activities; for example, trolling, cyber bullying, grooming, luring. In some cases, these unlawful activities result in investigations where swift retrieval of critical evidence is required in order to save a life. This paper presents a proof of concept (PoC) framework for social media user attribution. The framework aims to provide digital evidence that can be used to substantiate user activity in live triage investigations. This paper highlights the use of live triage as a viable technique for the investigation of social media activity, contextualizing user activity and attributing actions to users. It discusses the reliability of artefacts other than the communications content as a means of drawing inferences about user social media activity, taking into account the proportionality and relevance of such evidence.

Open Access: A two-stage model for social network investigations in digital forensics (Association of Digital Forensics, Security and Law, 2020-08-20). David, Anne; Morris, Sarah; Appleby-Thomas, Gareth J.
This paper proposes a two-stage model for identifying and contextualizing features from artefacts created as a result of social networking activity. This technique can be useful in digital investigations and is based on understanding and deconstructing the processes that take place prior to, during and after user activity; this includes corroborating artefacts. Digital investigations are becoming more complex due to factors such as the volume of data to be examined; different data formats; a wide range of sources for digital evidence; the volatility of data; and the limitations of some of the standard digital forensic tools. This paper highlights the need for an approach that enables digital investigators to prioritize social network artefacts to be further analysed; determine social connections in the context of an investigation, e.g. a user's social relationships; how recovered artefacts came to be; and how they can successfully be used as evidence in court.

Open Access: We're making a list and we're checking it twice, gonna find out what makes digital forensic examiners suffice (Wiley, 2023-04-30). Morris, Sarah; Hadgkiss, Melissa; David, Anne; Guinness, John; Frewin, Charles.
Digital forensic examinations have grown in breadth and depth at a currently unsustainable rate. Digital investigations now feature in around 90% of criminal cases, demonstrating that digital evidence is crucial to forensic investigations. Due to the high number of cases, most law enforcement units have significant backlogs of devices waiting for analysis. As the field of digital investigation has grown, it is no longer solely related to criminal investigations, with the techniques also supporting civil, private, and corporate activities. Given the evident challenges, it is logical that more digital forensic experts are needed to keep pace with the field's complexities and demands. Identifying what characteristics and skills make a digital forensic expert enables an evaluation to ensure that any new staff are fit for purpose. There is a growth in academic, civil, corporate, and intelligence-based activity within the field. Each area defines its own standards, field scope, and expertise level. Still, as any case has the potential to become a matter of criminal investigation, surely the focus needs to be on the standards required to ensure evidence is admissible for that purpose. As expertise levels can vary, it is also necessary to challenge the level at which an expert is defined and the implications of this decision. By identifying what makes an expert in this unique forensic science area, it is possible to explore the potential challenges the field faces in obtaining, retaining, and training staff.