Designing a cluster-based covert channel to evade disk investigation and forensics

Khan, Hassan; Javed, Mobin; Khayam, Syed Ali; Mirza, Fauzan

doi:10.1016/j.cose.2010.10.005

Cited by 36 publications

(26 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent research related to slack space has examined the use of file fragmentation to hide data in FAT partitions [10]. FragFS [14] uses slack space in $MFT entries to hide data, leveraging the fact that $MFT entries commonly have a fixed length of 1,024 bytes per entry.…”

Section: Related Workmentioning

confidence: 99%

Quantifying Windows File Slack Size and Stability

Mulazzani

Neuner

Kieseberg

et al. 2013

Advances in Digital Forensics IX

View full text Add to dashboard Cite

Slack space can be used to hide data from the operating system and other users. While some forms of data hiding are easily detectable, others are subtle and require an experienced forensic practitioner to discover the hidden data. The amount of data that can be hidden varies with the type of slack space and environmental parameters such as filesystem block size and partition alignment. This paper evaluates the amount of file slack space available in Windows systems and the stability of slack space over time with respect to system updates. Measurements of the file slack for eighteen versions of Microsoft Windows with the NTFS filesystem reveal that many of the files change very little during system updates and are, thus, highly suitable for hiding data. A model is presented for estimating the amount of data that can be hidden in the file slack space of Windows filesystems of arbitrary size.

show abstract

Section: Related Workmentioning

confidence: 99%

Quantifying Windows File Slack Size and Stability

Mulazzani

Neuner

Kieseberg

et al. 2013

Advances in Digital Forensics IX

View full text Add to dashboard Cite

show abstract

“…Indirect technique substituted the symbols with the property of the packets whereas the direct technique directly embeds the data into the field of the packet [5]. The subsequent study in this paper is based on indirect method refer to packet lengths.…”

Section: Introductionmentioning

confidence: 99%

Indirect DNS covert channel based on name reference for minima length distribution

Omar

Ahmedy

Ngadi

2011

ICIMU 2011 : Proceedings of the 5th International Conference on Information Technology &Amp; Multimedia

View full text Add to dashboard Cite

Covert Channels is the methods to conceal a message in network communications. Until now, covert channels based on packet length produce abnormal packet length when the size of the packets' length is minima. Standard DNS request has minima range in length, which is could not support by previous packet length covert channels. Abnormal packet length, especially in normal DNS requests will expose the covert channels to network security perimeter. Therefore, it motivated the study to propose a method based on reference matrix to hide the secret message in DNS request. Standard DNS requests' packet was collected from campus network. The proposed and the previous packet length covert channels were compared to standard DNS requests. The comparisons were done through percentages and frequency range of length and statistical T-test. The results show that, there is no significant different between the packet lengths of standard DNS request and propose covert, which outperform the previous packet length covert channels.

show abstract

“…Castiglione et al [6] proposed an asynchronous covert channel to deploy robust secret communication through spam e-mails. Khan et al [9] designed a cluster-based covert channel to evade disk investigation and forensics attempts. The proposed covert channel does not require additional storage on the filesystem and hence minimizes the likelihood of detection.…”

Section: Introductionmentioning

confidence: 99%

Covert channel communication through physical interdependencies in cyber-physical infrastructures

García

Senyondo

McLaughlin³

et al. 2014

2014 IEEE International Conference on Smart Grid Communications (SmartGridComm)

View full text Add to dashboard Cite

Increasing efforts are being made in securing the communication infrastructure used in electric power systems. On the surface, this should greatly reduce the chances of successfully executing the type of coordinated and distributed cyber attacks necessary to cause large-scale failures. However, existing communications security schemes in power control systems only consider explicit communications. In this paper, we show that there is a rich set of covert communication channels available to attackers for use in coordinating large scale attacks against power grids. Specifically, we present PHYCO, a novel covert channel that leverages physical substrates, e.g., line loads, within a power system, to transmit information between compromised device controllers. Using PHYCO, two compromised controllers that are miles apart can coordinate their efforts by manipulating relays to modify the power network's topology. This can be done without requiring the use of any explicit communication channels, e.g., power line communications, and can evade intrusion detection sensors aimed at overt traffic. We have evaluated PHYCO using real-world programmable logic controllers on a realistic simulated power grid. Our results show that PHYCO can bypass existing intrusion detection sensors as well as physical inspections by carefully crafting covert communications to have minimal exterior consequences within normal operating thresholds.

show abstract

Designing a cluster-based covert channel to evade disk investigation and forensics

Cited by 36 publications

References 10 publications

Quantifying Windows File Slack Size and Stability

Quantifying Windows File Slack Size and Stability

Indirect DNS covert channel based on name reference for minima length distribution

Covert channel communication through physical interdependencies in cyber-physical infrastructures

Contact Info

Product

Resources

About