mcarve carving attributed dump sets
play

mCarve: Carving attributed dump sets Sjouke Mauw University of - PowerPoint PPT Presentation

Jan 16, 2023 •147 likes •512 views

mCarve: Carving attributed dump sets Sjouke Mauw University of Luxembourg sjouke.mauw@uni.lu http://satoss.uni.lu/sjouke/ (joint work with Ton van Deursen, Saa Radomirovi c) Sjouke Mauw Carving attributed dump sets (1/30) Public

  1. mCarve: Carving attributed dump sets Sjouke Mauw University of Luxembourg sjouke.mauw@uni.lu http://satoss.uni.lu/sjouke/ (joint work with Ton van Deursen, Saša Radomirovi´ c) Sjouke Mauw Carving attributed dump sets (1/30)

  2. Public transportation cards easily hacked Luxembourg: e-go card Sjouke Mauw Carving attributed dump sets (2/30)

  3. All you need is. . . . . . a reader, a laptop, publicly available software, a Ton. Sjouke Mauw Carving attributed dump sets (3/30)

  4. But decrypting the card is just the first step “What do all these bits and bytes mean?” Sjouke Mauw Carving attributed dump sets (4/30)

  5. Manual analysis needed “Is the number-of-rides-left stored here?” Sjouke Mauw Carving attributed dump sets (5/30)

  6. Manual analysis is labour intensive “Hmm, not sure about that.” Sjouke Mauw Carving attributed dump sets (6/30)

  7. Existing problem from digital forensics Carving = recover data from a memory dump of a device Sjouke Mauw Carving attributed dump sets (7/30)

  8. Our problem is different 1. Not one single dump, but a series of dumps. 2. For every dump we know some attributes, e.g. ■ card “identity”, ■ date-of-purchase, ■ type-of-card, ■ rides-left, ■ time-of-use. Sjouke Mauw Carving attributed dump sets (8/30)

  9. Standard carving tools don’t apply Sjouke Mauw Carving attributed dump sets (9/30)

  10. Research question Develop a methodology to answer: ■ Are these attributes encoded in the dumps? ■ Where? ■ With which encoding? Assumptions: 1. All dumps of same length. 2. Attributes are stored at the same location in every dump. (can be relaxed) 3. Encoding of attribute is deterministic and injective. Sjouke Mauw Carving attributed dump sets (10/30)

  11. Central notion: attribute mapping ■ a ∈ A an attribute (e.g. rides-left ) ■ s ∈ B n a dump (i.e. a bit string of length n ) ■ S ⊆ B n a dump set ■ s | I substring of dump s , restricted to I ⊆ [0 , n ) ■ val a ( s ) the value of attribute a for dump s (e.g. val rides-left ( s ) = 5 ) ■ e ( val a ( s )) an injective encoding of the value of attribute a as a bit string (e.g. 5 is encoded as 0101 ) Sjouke Mauw Carving attributed dump sets (11/30)

  12. Central notion: attribute mapping ■ a ∈ A an attribute (e.g. rides-left ) ■ s ∈ B n a dump (i.e. a bit string of length n ) ■ S ⊆ B n a dump set ■ s | I substring of dump s , restricted to I ⊆ [0 , n ) ■ val a ( s ) the value of attribute a for dump s (e.g. val rides-left ( s ) = 5 ) ■ e ( val a ( s )) an injective encoding of the value of attribute a as a bit string (e.g. 5 is encoded as 0101 ) An attribute mapping determines for every attribute the bit positions where the attribute is stored. An attribute mapping for S is a function f : A → P ([0 , n )) , such that for all a ∈ A there exists an encoding e with ∀ s ∈ S s | f ( a ) = e ( val a ( s )) . Sjouke Mauw Carving attributed dump sets (11/30)

  13. Research question formalized Given a set of dumps s ∈ S and a set of attributes a ∈ A and their values val a ( s ) , find all possible attribute mappings f . Sjouke Mauw Carving attributed dump sets (12/30)

  14. Example Finding the rides-left attribute. rides-left dump 010100100111010000100 4 s 1 001100100001010010110 4 s 2 101110101011010100011 5 s 3 001010110111011011011 6 s 4 111010110011011001100 6 s 5 Sjouke Mauw Carving attributed dump sets (13/30)

  15. Example Finding the rides-left attribute. rides-left dump encoding 01010 0100 111 0100 00100 0100 4 s 1 00110 0100 001 0100 10110 0100 4 s 2 10111 0101 011 0101 00011 0101 5 s 3 00101 0110 111 0110 11011 0110 6 s 4 11101 0110 011 0110 01100 0110 6 s 5 Two possibilities for this encoding: ■ f ( rides-left ) = [5 , 8] ■ f ( rides-left ) = [12 , 15] Sjouke Mauw Carving attributed dump sets (14/30)

  16. Example Finding the rides-left attribute. rides-left dump encoding 010 1001 00111010000100 1001 4 s 1 001 1001 00001010010110 1001 4 s 2 101 1101 01011010100011 1101 5 s 3 001 0101 10111011011011 0101 6 s 4 111 0101 10011011001100 0101 6 s 5 And for another encoding ■ f ( rides-left ) = [3 , 6] Sjouke Mauw Carving attributed dump sets (15/30)

  17. Observations ■ Commonalities : If two dumps have the same attribute value, then the dumps must be identical at the positions of f ( a ) . ■ Dissimilarities : If two dumps have a different attribute value, then the dumps differ in at least one bit at the positions of f ( a ) . Idea : Use this to restrict the search for attribute mappings, independently of the encoding. Sjouke Mauw Carving attributed dump sets (16/30)

  18. 1. Commonalities A bundle is a collection of dumps with the same attribute value. bundles ( a, S ) = {{ s ∈ S | val a ( s ) = d } | d ∈ type ( a ) } The common set determines which bits in the dumps of a dump set are equal if the attribute values are equal. � { i ∈ [0 , n ) | ∀ s,s ′ ∈ b s i = s ′ common ( a, S ) = i } . b ∈ bundles ( a,S ) Sjouke Mauw Carving attributed dump sets (17/30)

  19. Example: common set Determine common set ( * ) per bundle and combine. rides-left dump 010100100111010000100 4 s 1 001100100001010010110 4 s 2 *..******..*****.**.* 101110101011010100011 5 s 3 ********************* 001010110111011011011 s 4 6 111010110011011001100 6 s 5 ..*******.******.*... Sjouke Mauw Carving attributed dump sets (18/30)

  20. Example: common set Determine common set ( * ) per bundle and combine. rides-left dump 010100100111010000100 4 s 1 001100100001010010110 4 s 2 *..******..*****.**.* 101110101011010100011 5 s 3 ********************* 001010110111011011011 s 4 6 111010110011011001100 6 s 5 ..*******.******.*... ...******..*****.*... common Conclusion: rides-left must be encoded within the *-ed bits. Sjouke Mauw Carving attributed dump sets (18/30)

  21. Example: common set Determine common set ( * ) per bundle and combine. rides-left dump 010100100111010000100 4 s 1 001100100001010010110 4 s 2 *..******..*****.**.* 101110101011010100011 5 s 3 ********************* 001010110111011011011 s 4 6 111010110011011001100 6 s 5 ..*******.******.*... ...******..*****.*... common Conclusion: rides-left must be encoded within the *-ed bits. Complexity: O ( n · | S | ) Sjouke Mauw Carving attributed dump sets (18/30)

  22. 2. Dissimilarities The dissimilarity set contains all subsets I of [0 , n ) such that if the attribute value of any pair of dumps differs, I has a bit that differs. dissim ( a, S ) = { I ⊆ [0 , n ) | ∀ s,s ′ ∈ S ( val a ( s ) � = val a ( s ′ ) = ⇒ ∃ i ∈ I s i � = s ′ i ) } We can optimize this by taking one representative of each bundle. Sjouke Mauw Carving attributed dump sets (19/30)

  23. Example: dissimilarity set rides-left dump 01 0100100111010000100 4 s 1 10 1110101011010100011 5 s 3 00 1010110111011011011 6 s 4 **................... Sjouke Mauw Carving attributed dump sets (20/30)

  24. Example: dissimilarity set rides-left dump 0 101 00100111010000100 4 s 1 1 011 10101011010100011 5 s 3 0 010 10110111011011011 6 s 4 **................... .***................. Sjouke Mauw Carving attributed dump sets (21/30)

  25. Example: dissimilarity set rides-left dump 010100100111010000100 4 s 1 101110101011010100011 5 s 3 001010110111011011011 6 s 4 **................... .***................. ..**................. ...**................ ....****............. .....****............ ......***............ .......**............ etc. Sjouke Mauw Carving attributed dump sets (22/30)

  26. Example: dissimilarity set rides-left dump 010100100111010000100 4 s 1 101110101011010100011 5 s 3 001010110111011011011 6 s 4 **................... .***................. ..**................. ...**................ ....****............. .....****............ ......***............ .......**............ etc. Conclusion: the encoding of rides-left must include at least one of the starred intervals. Sjouke Mauw Carving attributed dump sets (22/30)

  27. Example: dissimilarity set rides-left dump 010100100111010000100 4 s 1 101110101011010100011 5 s 3 001010110111011011011 6 s 4 **................... .***................. ..**................. ...**................ ....****............. .....****............ ......***............ .......**............ etc. Conclusion: the encoding of rides-left must include at least one of the starred intervals. Complexity: O ( n 2 | S | + n | S | log | S | ) Sjouke Mauw Carving attributed dump sets (22/30)

  28. Main theorem Let A be an attribute set and let f be an attribute mapping for dump set S ⊆ B n , then ∀ a ∈ A ∃ I ∈ dissim ( a,S ) I ⊆ f ( a ) ⊆ common ( a, S ) . Sjouke Mauw Carving attributed dump sets (23/30)

  29. Example: common + dissim Assuming 4 bits, 4 remaining possibilities. rides-left dump 010100100111010000100 4 s 1 001100100001010010110 4 s 2 101110101011010100011 5 s 3 001010110111011011011 6 s 4 111010110011011001100 6 s 5 ...****.............. ....****............. .....****............ ............****..... Sjouke Mauw Carving attributed dump sets (24/30)

  30. Application: e-go card ■ Developed prototype tool. ■ Collected 68 dumps from 7 cards. ■ Wrote down attributes for each dump: rides-left, card-type, license-plate, swipe-time, swipe-date, etc. Sjouke Mauw Carving attributed dump sets (25/30)

Recommend

Tom Ceriani- Chainsaw Carving Tools and Technology- Update Dawna Ceriani- Production Carving &

Tom Ceriani- Chainsaw Carving Tools and Technology- Update Dawna Ceriani- Production Carving &

Tom Ceriani- Chainsaw Carving Tools and Technology- Update Dawna Ceriani- Production Carving & the Quick Carve Dawna and Tom Ceriani, Boot Jack, Mtn, PA are one of the few husband and wife chainsaw carving teams in our country. Tom

575 views • 21 slides
Chainsaw 201 - Safety, always, safety -Gasoline Powered Carving Equipment -Carving Efficiently

Chainsaw 201 - Safety, always, safety -Gasoline Powered Carving Equipment -Carving Efficiently

Chainsaw 201 - Safety, always, safety -Gasoline Powered Carving Equipment -Carving Efficiently and Effectively: a bear bench in an hour! -Be Inspired by Everything You See! TIM KLOCK, Altoona, PA.. Prerequisites: Chainsaw 101

330 views • 7 slides
Dump Stoppers Program Development 2002: Funding from USFS to clean up dump sites on

Dump Stoppers Program Development 2002: Funding from USFS to clean up dump sites on

Dump Stoppers Program Development 2002: Funding from USFS to clean up dump sites on forestlands Developed partnerships: County, Federal, State, non- profits, private forestland owners, and more The Dump Stoppers Program began

562 views • 28 slides
XPOC XPOC external post-operational checks for the LHC beam dump for the LHC beam dump LBDS

XPOC XPOC external post-operational checks for the LHC beam dump for the LHC beam dump LBDS

XPOC XPOC external post-operational checks for the LHC beam dump for the LHC beam dump LBDS Audit, 28/ 01/ 2008 Gallet Eric, AB/ BT 1 XPOC: Goal C G l Verify that the dump was correctly V if th t th d tl executed Launch

114 views • 10 slides
Beam Dump & Cooling Beam Dump & Cooling Introduction (Location, Access & Driving

Beam Dump & Cooling Beam Dump & Cooling Introduction (Location, Access & Driving

Beam Dump & Cooling Beam Dump & Cooling Introduction (Location, Access & Driving Parameter) Components (Graphite, Iron, Aluminium) Cooling System Layout Installation NBI 2003 - Beam Dump and Cooling 11/ 11/ 2003 1 1 Present

410 views • 20 slides
Trigger Synchronisation Unit LHC Beam Dump System LHC Beam Dump System Technical Audit Topics

Trigger Synchronisation Unit LHC Beam Dump System LHC Beam Dump System Technical Audit Topics

Trigger Synchronisation Unit LHC Beam Dump System LHC Beam Dump System Technical Audit Topics Topics Requirements Architecture Architecture Timing unit Dump request client interface D li i f Dump request management

400 views • 14 slides
A Photon Dump Study for ILC Undulator Positron Source Yu Morikawa 2017/9/20 1 ILC Beam Dumps

A Photon Dump Study for ILC Undulator Positron Source Yu Morikawa 2017/9/20 1 ILC Beam Dumps

A Photon Dump Study for ILC Undulator Positron Source Yu Morikawa 2017/9/20 1 ILC Beam Dumps : Electron Beam Dump : Positron Beam Dump Photon Dump Total 15 Beam dumps in ILC . Beam dumps are classified into 5 types. Type Power Purpose

587 views • 32 slides
Job Carving and Negotiation Thursday, November 9, 2017 Advancing your professional career

Job Carving and Negotiation Thursday, November 9, 2017 Advancing your professional career

Job Carving and Negotiation Thursday, November 9, 2017 Advancing your professional career Improving Employment outcomes of job seekers Agenda v Announcements v How did last month go? v Employment consultant sharing v Job carving and negotiation

942 views • 20 slides
Seam Carving: problem: target many devices How to Rescale scaling? cropping? seam

Seam Carving: problem: target many devices How to Rescale scaling? cropping? seam

Changing Image Size while keeping content intact Seam Carving: problem: target many devices How to Rescale scaling? cropping? seam carving! P Pictures CS 176 Winter 2011 CS 176 Winter 2011 1 2 Basic Idea Seams in Action

598 views • 8 slides
BRO FILE CARVING Using scripts to scarf files from pcaps and the wire by Bill Stackpole File

BRO FILE CARVING Using scripts to scarf files from pcaps and the wire by Bill Stackpole File

BRO FILE CARVING Using scripts to scarf files from pcaps and the wire by Bill Stackpole File carving Common desire to extract files from network stream Tools (tcpextract / network miner / etc) can do this Usually w/out protocol

555 views • 19 slides
Memory Forensics of a Java Card Dump jean-louis.lanet@inria.fr Cardis 2014 Paris Nov. 5-7 2014

Memory Forensics of a Java Card Dump jean-louis.lanet@inria.fr Cardis 2014 Paris Nov. 5-7 2014

Memory Forensics of a Java Card Dump jean-louis.lanet@inria.fr Cardis 2014 Paris Nov. 5-7 2014 Episode 2 Previous episode: how to obtain a dump Hypothesis Find the code Reverse it Conclusion Memory Dump At that time we

719 views • 15 slides
MySQL Record Carving Esan Wit 1 Leendert van Duijn 1 Supervisor: Kevin Jonkers 2 1 SNE University

MySQL Record Carving Esan Wit 1 Leendert van Duijn 1 Supervisor: Kevin Jonkers 2 1 SNE University

Introduction Goal Background Approach Results Conclusion MySQL Record Carving Esan Wit 1 Leendert van Duijn 1 Supervisor: Kevin Jonkers 2 1 SNE University of Amsterdam 2 Fox-IT February 5, 2014 MySQL Record Carving Esan Wit, Leendert van

426 views • 19 slides
Seam Carving for Content-Aware Finding Optimal Seams Image Resizing Optimal Seams Order

Seam Carving for Content-Aware Finding Optimal Seams Image Resizing Optimal Seams Order

Seam Carving for Image Resizing Overview Definitions Seam Carving for Content-Aware Finding Optimal Seams Image Resizing Optimal Seams Order Results Video Synopsis Ricardo David Casta neda Marin Experiments References Computer

609 views • 44 slides
Experimental study of electrostatic residual ion dump A.A.Panasenkov, E.D.Dlougach NRC

Experimental study of electrostatic residual ion dump A.A.Panasenkov, E.D.Dlougach NRC

National Research Centre KURCHATOV INSTITUTE Experimental study of electrostatic residual ion dump A.A.Panasenkov, E.D.Dlougach NRC Kurchatov Institute, Moscow, Russia NIBS-2018 1 Reference design of the Residual Ion Dump (RID) for the

326 views • 15 slides
PRESENTATION ON FAILURE OF BELLY DUMP TRAILERS Peter Airey 1 ABSTRACT: There are some forensic

PRESENTATION ON FAILURE OF BELLY DUMP TRAILERS Peter Airey 1 ABSTRACT: There are some forensic

PRESENTATION ON FAILURE OF BELLY DUMP TRAILERS Peter Airey 1 ABSTRACT: There are some forensic investigations which cross the boundaries between Mechanical and Structural Engineering. The investigation of the failures within Belly Dump

340 views • 4 slides
DSRIP Learning Collaborative 12/10/2015 Utilizing Coleman Model, attributed inpatients are

DSRIP Learning Collaborative 12/10/2015 Utilizing Coleman Model, attributed inpatients are

DSRIP Learning Collaborative 12/10/2015 Utilizing Coleman Model, attributed inpatients are identified for program placement. Expanding to include attributed patients discharged from any hospital by using the Camden HIE Lourdes

143 views • 13 slides
Can we do something cool with edges already? S. Avidan and A. Shamir Seam Carving for

Can we do something cool with edges already? S. Avidan and A. Shamir Seam Carving for

Can we do something cool with edges already? S. Avidan and A. Shamir Seam Carving for Content-Aware Image Resizing SIGGRAPH 2007 Paper: http://www.win.tue.nl/~wstahw/edu/2IV05/seamcarving.pdf Sanja Fidler CSC420: Intro to Image Understanding 1

877 views • 41 slides
Exercise 1: Energy Deposition FLUKA Advanced Course Exercise 1a Study case Beam dump of a

Exercise 1: Energy Deposition FLUKA Advanced Course Exercise 1a Study case Beam dump of a

Exercise 1: Energy Deposition FLUKA Advanced Course Exercise 1a Study case Beam dump of a proton-therapy facility Goal Evaluate the peak and total energy deposition on the dump Requirements Beam settings: 200 MeV protons;

525 views • 5 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
Mixing pattern quantification in node-attributed networks Salvatore Citraro A brief context (of

Mixing pattern quantification in node-attributed networks Salvatore Citraro A brief context (of

Mixing pattern quantification in node-attributed networks Salvatore Citraro A brief context (of my work) Feature-rich networks ( Interdonato et al. 2019) More information as a complement to the topology e.g. node-attributed networks Improve

631 views • 22 slides
Ti Tim Kl Klock ock SawNut Altoona, Pa Topics: Carving Safety. Chainsaw Maintenance.

Ti Tim Kl Klock ock SawNut Altoona, Pa Topics: Carving Safety. Chainsaw Maintenance.

Ti Tim Kl Klock ock SawNut Altoona, Pa Topics: Carving Safety. Chainsaw Maintenance. Choice of Wood. Design. Blocking .Forming. Finer Details. Finishing. Marketing. Tims Takeaways Bi Bio

761 views • 15 slides
Publishing Attributed Social Graphs with Formal Privacy Guarantees Zach Jorgensen Graham Cormode

Publishing Attributed Social Graphs with Formal Privacy Guarantees Zach Jorgensen Graham Cormode

Publishing Attributed Social Graphs with Formal Privacy Guarantees Zach Jorgensen Graham Cormode g.cormode@warwick.ac.uk Ting Yu Releasing Attributed Graph Data Social Network Analysis has a wide range of applications Marketing, disease

232 views • 8 slides
SPS Beam Dump Facility Project Introduction & SHiP M. Calviani (CERN) on behalf of the BDF

SPS Beam Dump Facility Project Introduction & SHiP M. Calviani (CERN) on behalf of the BDF

SPS Beam Dump Facility Project Introduction & SHiP M. Calviani (CERN) on behalf of the BDF Project team Outlook Introduction to Physics Beyond Colliders Beam Dump Facility within PBC The SHiP Experiment BDF design and main

636 views • 28 slides
Enhancing Voxel Carving by Capture Volume Calculations International Conference on Image

Enhancing Voxel Carving by Capture Volume Calculations International Conference on Image

Group on Human Motion Analysis Enhancing Voxel Carving by Capture Volume Calculations International Conference on Image Processing 2010 Tobias Feldmann, Karsten Brand, Annika W orner | February 23, 2011 G ROUP ON H UMAN M OTION A NALYSIS (G O

580 views • 54 slides

More recommend