Building, Misc

How can data from fitness trackers be obtained and analyzed with a forensic approach?

The use of Internet of Things devices is continuously increasing: people buy devices such as smart assistants to make their lives more comfortable, or fitness trackers to assess their sports activities. According to the Pew Research Center [1], every fifth American wears a device to track their fitness. The number is rising in Germany as well. The growing number of fitness trackers in use can also be seen in criminal proceedings, as there are more and more cases in which these devices provide evidence.

Which evidentially useful information fitness trackers collect, and how to analyze it forensically, was the subject of a paper that we presented at WACCO 2020 this year [2]. The goal was to develop an open source program to support investigators in analyzing the data that fitness trackers provide, and to give a general approach on how to analyze fitness trackers.

Misc

Emotet at Heise, Emotet there, Emotet everywhere – Dissection of an Incident

After the Emotet incident at Heise, for which ERNW was consulted for incident response, we decided to start a blog post series in which we want to regularly report on current attacks that we observe. In particular, we want to provide details about the pieces of malware involved, the different stages, and the techniques used for the initial infection and lateral movement. We hope that this information helps you to detect ongoing incidents, apply countermeasures, and, in the best case, to put proactive countermeasures and security controls in place beforehand.


ERNW supports Heise in Incident Response

Misc

Comparison of our tool afro (APFS file recovery) with Blackbag Blacklight and Sleuthkit

At this year's ARES conference, Jonas Plum (Siemens) and I (Andreas Dewald, ERNW Research GmbH) published a paper about the forensic analysis of APFS and its file system internals, and presented different methodologies for file recovery. We also publicly released a tool implementing our presented approaches, called afro (APFS file recovery).

Breaking

FireEye Security Bug: Connection to physical host and adjacent network possible during analysis in Live-Mode

We recently identified a security issue in FireEye AX 5400 that also affected other products. We responsibly disclosed the bug to FireEye, and a fix that addresses the issue has been released with version 7.7.7. The fix was also merged into the common core and is available as 8.0.1 for other products (i.e. FireEye EX).

The related release notes can be found here:

FireEye also announced that it will post a 2017 Q3 notice crediting us.

Misc

White Paper on Incident Handling First Steps, Preparation Plans, and Process Models

We just published my white paper on First Steps, Preparation Plans, and Process Models for Incident Handling, which I wrote to pass the time between Christmas and New Year. The white paper sums up information that I consider useful for preparing for IT security incidents, drawn as a conclusion from the incidents in which we supported over the past year.
Events

First dedicated Forensic Computing Training at TR17

I am looking forward to our newly introduced dedicated Forensic Computing Training at TR17!
We will start the first day with a detailed background briefing on Forensic Computing as a forensic science, digital evidence, and the chain of custody. For the rest of the workshop, we will follow the Order of Volatility, starting with the analysis of persistent storage using file system internals and carving, as well as RAID reassembly, with lots of hands-on case studies using open source tools. As a next step, we will smell the smoking gun in live forensics exercises. Depending on your preferences, we will then dig a bit into memory forensics and network forensics.
Breaking

DameWare Vulnerability

In the course of a recent research project, I had a look at SolarWinds DameWare, a commercial remote access software product running on Windows Server. I identified a remote file download vulnerability in the download function for the client software that can be exploited remotely and unauthenticated, and that allows downloading arbitrary files from the server running the software.

Breaking

New Ransomware-Wave Analysis

In the context of a customer project, we examined a new variant of the Locky ransomware. As a law enforcement agency has since stated, this was part of a large wave of attacks hitting various enterprises in the night from Tuesday (2016-07-26) to Wednesday.

As the initial attack vector, the attackers use emails with an attachment that probably even uses a 0-day exploit, which enables the payload to be executed as soon as the attachment is displayed in the MS Outlook preview.

The ransomware encrypts accessible documents and demands a ransom from victims in order to be able to decrypt the files. Furthermore, the malware uses accessible network shares and drives to spread further.

Further information follows in the next section.

It might help to create filtering rules based on the file names, hash values, URLs, and IP addresses that are named in the rest of this report.

Events

Summary GI Sicherheit

This is a short summary of selected talks (i.e. those I found most interesting among the ones I was able to attend in person) at GI Sicherheit 2016.

First of all, congratulations to Dr. Fabian Yamaguchi, who received an award (the GI Promotionspreis) for his PhD thesis “Pattern-Based Vulnerability Discovery”!
His work presents an “approach for identifying vulnerabilities which combines techniques from static analysis, machine learning, and graph mining to augment the analyst's abilities rather than trying to replace her” by identifying and highlighting patterns of potential vulnerabilities in source code.
Events

DFRWS EU 2016 Summary

In this article, I want to provide a concise summary of the (to me) most interesting talks of this year's DFRWS EU (http://www.dfrws.org/2016eu/).

Eoghan Casey, one of the most famous pioneers in digital forensics, and David-Olivier Jaquet-Chiffelle, professor of police science at the University of Lausanne, gave a keynote that emphasized the need for fundamental theoretical research in the field of digital forensics, which I fully agree with, as this is exactly what I addressed in some of my former research.

Michael Cohen and Arkadiusz Socala received the best paper award for their work “Automatic Profile Generation for Live Linux Memory Analysis”, which was indeed very interesting; the paper is worth reading.
