dc.contributor.author
Dimotikalis, Panagiotis
en
dc.date.accessioned
2016-05-06T08:21:03Z
dc.date.available
2016-05-07T00:00:13Z
dc.date.issued
2016-05-06
dc.identifier.uri
https://repository.ihu.edu.gr//xmlui/handle/11544/14500
dc.rights
Default License
dc.title
Memory Forensics and Bitcoin mining malware
en
heal.type
masterThesis
el
heal.secondaryTitle
Expanding the Volatility Framework for recovering Bitcoin keys and addresses from RAM acquired from multiple Operating Systems
en
heal.creatorID.email
panagiotis.dimotikalis@ihu.edu.gr
heal.keywordURI.LCSH
Digital forensics
heal.keywordURI.LCSH
Forensic sciences--Data processing
heal.keywordURI.LCSH
Electronics in criminal investigation
heal.keywordURI.LCSH
Computer crimes--Investigation
heal.keywordURI.LCSH
Computer security
heal.keywordURI.LCSH
Information technology--Security measures
heal.keywordURI.LCSH
Data protection
heal.keywordURI.LCSH
Computer crimes
heal.keywordURI.LCSH
Internet fraud
heal.language
en
el
heal.access
free
el
heal.license
http://creativecommons.org/licenses/by-nc/4.0
el
heal.recordProvider
School of Science and Technology, MSc in Information & Communication Technology Systems
el
heal.publicationDate
2016-05-06
heal.abstract
Crime in the digital world has become a daily occurrence. Criminals adapt to new technologies at a faster pace than we, the people defending against new threats, do, which gives them the advantage over unsuspecting victims. Their advantage is not due to superiority: offence has to succeed only once to be considered successful, while defence has to succeed every single time to not be considered a failure. Defending successfully against multiple threats using innovative technologies is hard and can only be achieved with careful planning and the effective application of knowledge acquired by examining those threats. Digital forensics is the epitome of this. Investigators need a firm grasp of up-to-date threats and of how to locate and neutralize them. Memory forensics is the cornerstone of digital forensics. In recent years, memory acquisition and preservation of the state of a system while suspicious activity is under way has become the number one priority of every digital forensics investigator. To improve the capabilities of the investigator, in this thesis we examine the current threats associated with malware and the newly introduced technology of digital currencies, and propose a series of enhancements to one of the most complete sets of tools for memory analysis, the Volatility Framework.
en
heal.tableOfContents
Abstract, p. iii
Contents, p. iv
1 Chapter 1 - Introduction, p. 1
1.1 Background, p. 1
1.2 Problem Statement, p. 1
1.3 Research Question, p. 4
1.4 Methodology: Designing a Volatility Framework Plugin, p. 5
1.5 Thesis Outline, p. 6
2 Chapter 2 - Literature Review, p. 7
2.1 Digital Currencies, p. 7
2.1.1 Definition and functionality, p. 7
2.1.2 Types of Digital Currencies, p. 10
2.1.3 Present Status, p. 11
2.2 Bitcoin Malware, p. 12
2.2.1 Definition, p. 12
2.2.2 Types of Malware, p. 13
2.2.3 Evolution and Present Status, p. 14
2.3 Memory Forensics, p. 15
2.3.1 Forensic Tools, p. 15
2.3.2 Importance of Memory Forensics, p. 17
3 Chapter 3 - The Volatility Framework, p. 19
3.1 Definition, p. 19
3.2 Brief History and Overview, p. 19
3.3 Structure and Functionality, p. 21
3.4 Existing Plugins, p. 32
3.5 Plugin Case Studies, p. 34
3.5.1 Windows, p. 34
3.5.2 Linux, p. 41
3.5.3 OS X, p. 46
3.6 Bitcoin Malware Case Study, p. 50
3.7 Installation and Setting Up a Test Environment, p. 53
3.7.1 Memory Dumps, p. 56
4 Chapter 4 - Design and Development of a Volatility Framework Plugin, p. 62
4.1 Setting Up the Test Bed, p. 62
4.1.1 Operating Systems and Platforms, p. 62
4.1.2 Hardware Requirements, p. 67
4.1.3 Software Requirements, p. 68
4.2 A Bitcoin Plugin for the Volatility Framework, p. 70
5 Chapter 5 - Evaluation of the Proposed Plugin, p. 73
5.1 Analysis of the Code, p. 73
5.2 Case Study and Evaluation of the Plugin, p. 77
5.3 Strong and Weak Points of the Implementation, p. 79
6 Chapter 6 - Conclusions, p. 81
6.1 Summary, p. 81
6.2 Contribution, p. 82
6.3 Future Development, p. 82
7 Bibliography, p. 83
8 Appendix A, p. 88
en
heal.advisorName
Katos, Vasilis
en
heal.committeeMemberName
Berberidis, Christos
en
heal.academicPublisher
IHU
en
heal.academicPublisherID
ihu
el
heal.numberOfPages
128
el