999 results for network forensics
Abstract:
The cybernetics revolution of recent years has greatly improved our lives, giving us immediate access to services and a huge amount of information over the Internet. Nowadays users are increasingly asked to enter their sensitive information on the Internet, leaving traces everywhere. But there are some categories of people who cannot risk revealing their identities on the Internet. Although born to protect U.S. intelligence communications online, Tor is nowadays the most famous low-latency network that guarantees both the anonymity and the privacy of its users. The aim of this thesis project is to understand thoroughly how the Tor protocol works, not only by studying its theory but also by implementing those concepts in practice, with particular attention to security topics. In order to run a private Tor network that emulates the real one, a virtual testing environment has been configured. This setup allows experiments to be conducted without putting the anonymity and privacy of real users at risk. We used a Tor patch that stores TLS and circuit keys, to be given as input to a Tor dissector for Wireshark, in order to obtain decrypted and decoded traffic. Observing cleartext traffic allowed us to check the protocol outline in detail and to obtain proof of the format of each cell. Besides, these tools allowed us to identify a traffic pattern, used to conduct a traffic correlation attack that passively deanonymizes hidden service clients. The attacker, controlling two nodes of the Tor network, is able to link a request for a given hidden server to the client who made it, deanonymizing that client. The robustness of the traffic pattern and the statistics of the attack, such as the true positive rate and the false positive rate, are the object of potential future work.
Abstract:
Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations. Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally, they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. This combined set of circumstances makes digital investigations in mobile and cloud environments particularly challenging. This is not aided by the fact that digital forensics today still involves manual, time-consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, the industry-standard tools developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching. In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end, requirements are outlined and an architecture designed for an automated system that performs digital forensics in highly networked mobile and cloud environments.
Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning, is developed and tested. Finally, the proposed architecture is reviewed and enhancements proposed in order to further automate the architecture by introducing decentralization, particularly within the storage and processing functionality. This decentralization also improves machine-to-machine communication, supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays. Remote evidence acquisition helps to improve the efficiency (time and effort involved) of digital investigations by removing the need for proximity to the evidence. Experiments show that a single-TCP-connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP-connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication, thereby enabling automation and reducing the need for manual human intervention.
Methodological proposal for the acquisition and verifiability of network data transmitted in encrypted form
Abstract:
The development of information and telecommunication technologies goes hand in hand with an increase in computing devices and, consequently, in offences that require the use of digital forensics techniques. Indeed, the evolution of technology has allowed the spread of computer systems connected to the Internet both in offices and in the homes of many families: the remarkable improvement in connection speed and device power leads to the use of an ever-growing number of applications based on Web 2.0, changing the classic pattern of use of the medium and turning the user from "reader" into "producer". One could almost ask: "Who has never written a comment on a social network? Who has never uploaded a video to a video-sharing platform? Who has never shared a file on a website?". This work aims to illustrate the problems of acquiring network traffic, with a particular focus on data that travels over encrypted protocols: the acquisition of network traffic is necessary in order to verify the content of the communication, with the consequence that it becomes impossible to read the content transmitted over the network in the case of encrypted traffic and in the absence of the decryption key. Thus, operations that are trivial for cleartext traffic (such as the reconstruction of HTML pages or photographs) can become extremely demanding, if not outright impossible, when no specific precautions have been taken and suitable tools are not available. In light of these observations, this work intends to propose a complete acquisition methodology and a software tool that facilitates the reconstruction, and therefore the verification, of the data contained in captured traffic, including encrypted traffic.
Finally, illustrative cases will be shown in which this methodology is appropriate (or rather, necessary), with data reconstruction tests performed with the SSLTrafficReader tool.
Abstract:
The Internet has become an integral part of our nation's critical socio-economic infrastructure. With its heightened use and growing complexity, however, organizations are at greater risk of cyber crimes. To aid in the investigation of crimes committed on or via the Internet, a network forensics analysis tool pulls together the needed digital evidence. It provides a platform for performing deep network analysis by capturing, recording and analyzing network events to find out the source of a security attack or other information security incidents. Existing network forensics work has been mostly focused on the Internet and fixed networks. But the exponential growth and use of wireless technologies, coupled with their unprecedented characteristics, necessitates the development of new network forensic analysis tools. This dissertation fostered the emergence of a new research field in cellular and ad-hoc network forensics. It was one of the first works to identify this problem and offer fundamental techniques and tools that laid the groundwork for future research. In particular, it introduced novel methods to record network incidents and report logged incidents. For recording incidents, location is considered essential to documenting network incidents. However, in network topology spaces, location cannot be measured due to the absence of a 'distance metric'. Therefore, a novel solution was proposed to label the locations of nodes within network topology spaces, and then to authenticate the identity of nodes in ad hoc environments. For reporting logged incidents, a novel technique based on Distributed Hash Tables (DHT) was adopted. Although the direct use of DHTs for reporting logged incidents would result in uncontrollably recursive traffic, a new mechanism was introduced that overcomes this recursive process. These logging and reporting techniques aided forensics over cellular and ad-hoc networks, which in turn increased their ability to track and trace attacks to their source.
These techniques were a starting point for further research and development that would result in equipping future ad hoc networks with forensic components to complement existing security mechanisms.
Abstract:
This work explores the development of MemTri, a memory forensics triage tool that can assess the likelihood of criminal activity in a memory image, based on evidence data artefacts generated by several applications. Fictitious illegal suspect activity scenarios were performed on virtual machines to generate 60 test memory images for input into MemTri. Four categories of applications (i.e. Internet browsers, instant messengers, FTP clients and document processors) are examined for data artefacts located through the use of regular expressions. These identified data artefacts are then analysed using a Bayesian network to assess the likelihood that a seized memory image contains evidence of illegal activity. Currently, MemTri is under development and this paper introduces only the basic concept as well as the components on which the application is built. A complete description of MemTri coupled with extensive experimental results is expected to be published in the first semester of 2017.
Abstract:
Disconnectivity between the Default Mode Network (DMN) nodes can cause clinical symptoms and cognitive deficits in Alzheimer's disease (AD). We aimed to examine the structural connectivity between DMN nodes, to verify the extent to which white matter disconnection affects cognitive performance. MRI data of 76 subjects (25 mild AD, 21 amnestic Mild Cognitive Impairment subjects and 30 controls) were acquired on a 3.0T scanner. ExploreDTI software (fractional anisotropy threshold=0.25 and angular threshold=60°) calculated axial, radial, and mean diffusivities, fractional anisotropy and streamline count. AD patients showed lower fractional anisotropy (P=0.01) and streamline count (P=0.029), and higher radial diffusivity (P=0.014) than controls in the cingulum. After correction for white matter atrophy, only fractional anisotropy and radial diffusivity remained significantly lower in AD compared to controls (P=0.003 and P=0.05). In the parahippocampal bundle, AD patients had lower mean and radial diffusivities (P=0.048 and P=0.013) compared to controls, of which only radial diffusivity survived the white matter adjustment (P=0.05). Regression models revealed that cognitive performance is also accounted for by white matter microstructural values. Structural connectivity within the DMN is important to the execution of high-complexity tasks, probably due to its relevant role in the integration of the network.
Abstract:
The article seeks to investigate patterns of performance in, and the relationships between, grip strength, gait speed and self-rated health, considering the variables of gender, age and family income. This was conducted in a probabilistic sample of community-dwelling elderly aged 65 and over, members of a population study on frailty. A total of 689 elderly people without cognitive deficit suggestive of dementia underwent tests of gait speed and grip strength. Comparisons between groups were based on low, medium and high speed and strength. Self-rated health was assessed using a 5-point scale. The males and the younger elderly individuals scored significantly higher on grip strength and gait speed than the females and the oldest did; the richest scored higher than the poorest on grip strength and gait speed; females and men aged over 80 had weaker grip strength and lower gait speed; slow gait speed and low income arose as risk factors for a worse health evaluation. Lower muscular strength affects the self-rated assessment of health because it results in a reduction in functional capacity, especially in the presence of poverty and a lack of compensatory factors.
Abstract:
The search for an Alzheimer's disease (AD) biomarker is one of the most relevant contemporary research topics due to the high prevalence and social costs of the disease. Functional connectivity (FC) of the default mode network (DMN) is a plausible candidate for such a biomarker. We evaluated 22 patients with mild AD and 26 age- and gender-matched healthy controls. All subjects underwent resting functional magnetic resonance imaging (fMRI) in a 3.0 T scanner. To identify the DMN, seed-based FC of the posterior cingulate was calculated. We also measured the sensitivity/specificity of the method, and verified a correlation with cognitive performance. We found a significant difference between patients with mild AD and controls in average z-scores: DMN, whole cortical positive (WCP) and absolute values. DMN individual values showed a sensitivity of 77.3% and a specificity of 70%. DMN and WCP values were correlated with global cognition and episodic memory performance. We showed that individual measures of DMN connectivity could be considered a promising method to differentiate AD, even at an early phase, from normal aging. Further studies with larger numbers of participants, as well as validation of normal values, are needed for more definitive conclusions.
Abstract:
Mother and infant mortality has been the scope of analysis throughout the history of public health in Brazil and various strategies to tackle the issue have been proposed to date. The Ministry of Health has been working on this and the Rede Cegonha strategy is the most recent policy in this context. Given the principle of comprehensive health care and the structure of the Unified Health System in care networks, it is necessary to ensure the integration of health care practices, among which are the sanitary surveillance actions (SSA). Considering that the integration of health care practices and SSA can contribute to reduce mother and infant mortality rates, this article is a result of qualitative research that analyzed the integration of these actions in four cities in the State of São Paulo/Brazil: Campinas, Indaiatuba, Jaguariúna and Santa Bárbara D'Oeste. The research was conducted through interviews with SSA and maternal health managers, and the data were evaluated using thematic analysis. The results converge with other studies, identifying the isolation of health care practices and SSA. The insertion of SSA in collectively-managed areas appears to be a potential strategy for health planning and implementation of actions in the context under scrutiny.
Abstract:
To describe the clinical history of a child with aggressive behavior and recurring death-theme speech, and to report the experience of the team of authors, who proposed an alternative to medication through the establishment of a protection network and the inter-sector implementation of the circle of security concept. A 5-year-old child exhibited violent and aggressive behavior at the daycare center. The child was diagnosed by the healthcare center with depressive disorder and behavioral disorder, and was medicated with sertraline and risperidone. Side effects were observed, and the medications were discontinued. Despite several actions, such as talks, teamwork, and psychological and psychiatric follow-up, the child's behavior remained unchanged. A unique therapeutic project was developed by Universidade Estadual de Campinas' Medical School students in order to establish a connection between the entities responsible for the child's care (daycare center, healthcare center, and family). Thus, the team was able to develop a basic care protection network. The implementation of the inter-sector circle of security, as well as the communication and cooperation among the teams, produced very favorable results in this case. This initiative was shown to be a feasible and effective alternative to the use of medication for this child.
Abstract:
The scope of this study is to identify the prevalence of access to information about how to prevent oral problems among schoolchildren in the public school network, as well as the factors associated with such access. This is a cross-sectional and analytical study conducted among 12-year-old schoolchildren in a Brazilian municipality with a large population. The examinations were performed by 24 trained and calibrated dentists with the aid of 24 recorders. Data collection occurred in 36 public schools selected from the 89 public schools of the city. Descriptive, univariate and multiple analyses were conducted. Of the 2510 schoolchildren included in the study, 2211 reported having received information about how to prevent oral problems. Access to such information was greater among those who used private dental services, and lower among those who used the service for treatment, who rated the service as regular or bad/awful, who used only a toothbrush or a toothbrush and tongue scrubbing as a means of oral hygiene, and who reported not being satisfied with the appearance of their teeth. The conclusion drawn is that the majority of schoolchildren had access to information about how to prevent oral problems, though access was associated with the characteristics of health services, health behavior and outcomes.
Abstract:
The experiences induced by psychedelics share a wide variety of subjective features, related to the complex changes in perception and cognition induced by this class of drugs. A remarkable increase in introspection is at the core of these altered states of consciousness. Self-oriented mental activity has been consistently linked to the Default Mode Network (DMN), a set of brain regions more active during rest than during the execution of a goal-directed task. Here we used fMRI to inspect the DMN during the psychedelic state induced by Ayahuasca in ten experienced subjects. Ayahuasca is a potion traditionally used by Amazonian Amerindians, composed of a mixture of compounds that increase monoaminergic transmission. In particular, we examined whether Ayahuasca changes the activity and connectivity of the DMN and the connection between the DMN and the task-positive network (TPN). Ayahuasca caused a significant decrease in activity through most parts of the DMN, including its most consistent hubs: the Posterior Cingulate Cortex (PCC)/Precuneus and the medial Prefrontal Cortex (mPFC). Functional connectivity within the PCC/Precuneus decreased after Ayahuasca intake. No significant change was observed in the DMN-TPN orthogonality. Altogether, our results support the notion that the altered state of consciousness induced by Ayahuasca, like those induced by psilocybin (another serotonergic psychedelic), meditation and sleep, is linked to the modulation of the activity and the connectivity of the DMN.