TY - CONF
T1 - DBling
T2 - 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA
AU - Mabey, Mike
AU - Doupe, Adam
AU - Zhao, Ziming
AU - Ahn, Gail Joon
N1 - Funding Information:
We are grateful to Alex Nelson for his useful comments while this work was in progress. We also thank the anonymous reviewers whose comments and suggestions have significantly improved the paper. This work was supported in part by grants from the U.S. Department of Defense Information Assurance Scholarship Program and the Center for Cybersecurity and Digital Forensics at Arizona State University. The information reported here does not reflect the position or the policy of the funding agency or project sponsor.
Publisher Copyright:
© 2016 The Authors. Published by Elsevier Ltd.
PY - 2016
Y1 - 2016
N2 - Researchers have developed forensic analysis techniques for so many types of digital media that there is a procedure for almost every kind of digital medium that a law enforcement officer may encounter at a crime scene. However, a new type of device has started to gain momentum in the consumer market: web thin clients. These web thin clients are characterized by native support for basic web browsing, while all other functionality relies on a combination of web applications and web storage. In fact, these devices are so different from other types of computing and storage devices that virtually all of the techniques forensic examiners and researchers typically use do not apply. The most popular web thin client, Chrome OS, poses additional forensic challenges: (1) all data associated with users is encrypted, (2) Chrome OS correctly uses the TPM and Secure Boot, and (3) user data is stored both on the device and in the cloud. In this work, we present a novel approach to extract residual evidence stored on Chrome OS devices that successfully bypasses these challenges. Specifically, we are able to determine which extensions and apps are installed on an encrypted Chrome OS device, without breaking the encryption or otherwise extracting the encryption keys. Our framework, called dbling, generates signatures, or fingerprints, of extension and app code that persist after encryption, and we use these fingerprints to identify the installed extensions and apps. We create fingerprints of 160,025 extensions for Chrome OS, we measure the uniqueness of these fingerprints, and we perform a case study in which we install 14 extensions on a Chrome OS device and attempt to find their fingerprints.
KW - Chrome OS
KW - Digital forensics
KW - Forensics on encrypted data
KW - Web thin clients
UR - http://www.scopus.com/inward/record.url?scp=85068712176&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85068712176&partnerID=8YFLogxK
U2 - 10.1016/j.diin.2016.04.007
DO - 10.1016/j.diin.2016.04.007
M3 - Paper
AN - SCOPUS:85068712176
SP - S55-S65
Y2 - 7 August 2016 through 10 August 2016
ER -
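The abstract's central idea is a fingerprint of an extension's installed files that is computed from properties an examiner can still observe after per-user encryption, and whose uniqueness is then measured across a corpus. The following Python block is an added illustration of that idea and is not the dbling code or its fingerprint definition. It assumes an eCryptfs-like encryption model in which file names and contents are encrypted but the directory tree shape, the number of files and each file's padded on-disk size remain visible; the page size, header size, the sample extensions and their file sizes are all constructed for the example.

```python
"""Illustration (not the dbling code): a structural fingerprint of an
extension's file tree that survives name- and content-encrypting storage."""
import hashlib
import json
import secrets

# Assumed encryption model (eCryptfs-like): names and contents are encrypted,
# but tree shape, file count and padded file sizes stay observable.
# Both constants are assumptions for this illustration.
PAGE_SIZE = 4096
CRYPTO_HEADER = 8192


def padded_size(plaintext_size):
    """Bytes an encrypted file occupies: a fixed header plus whole pages."""
    pages = (plaintext_size + PAGE_SIZE - 1) // PAGE_SIZE
    return CRYPTO_HEADER + pages * PAGE_SIZE


def encrypt_tree(tree):
    """Observable view of {relative_path: size} after encryption: every path
    component becomes a random token (stable within one tree) and every
    size becomes its padded size. Only structure and sizes survive."""
    token_of = {}
    observed = {}
    for path, size in tree.items():
        parts = path.split("/")
        enc_parts = []
        for i in range(len(parts)):
            key = "/".join(parts[: i + 1])
            token_of.setdefault(key, secrets.token_hex(8))
            enc_parts.append(token_of[key])
        observed["/".join(enc_parts)] = padded_size(size)
    return observed


def fingerprint(tree, already_encrypted=False):
    """Hash of name-independent structure: the multiset of (depth, padded
    size) over files and the multiset of child counts over directories.
    Sorting makes the result independent of the randomised names."""
    files = []
    children = {}
    for path, size in tree.items():
        parts = path.split("/")
        size_on_disk = size if already_encrypted else padded_size(size)
        files.append((len(parts) - 1, size_on_disk))
        for i in range(len(parts)):
            parent = "/".join(parts[:i])          # "" is the tree root
            children.setdefault(parent, set()).add(parts[i])
    shape = {
        "files": sorted(files),
        "dirs": sorted(len(c) for c in children.values()),
    }
    return hashlib.sha256(json.dumps(shape).encode()).hexdigest()


def build_index(database):
    """Map fingerprint -> sorted extension names. Entries with more than one
    name are collisions: extensions an examiner cannot tell apart."""
    index = {}
    for name, tree in database.items():
        index.setdefault(fingerprint(tree), []).append(name)
    return {fp: sorted(names) for fp, names in index.items()}


def identify(observed_tree, index):
    """Candidate extensions for an encrypted tree found on a seized device."""
    return index.get(fingerprint(observed_tree, already_encrypted=True), [])


# Constructed sample "extensions": relative path -> plaintext size in bytes.
DATABASE = {
    "note_taker": {"manifest.json": 612, "background.js": 9_870,
                   "popup/popup.html": 1_204, "popup/popup.js": 3_311,
                   "icons/16.png": 880, "icons/128.png": 7_902},
    "tab_cleaner": {"manifest.json": 540, "background.js": 14_020,
                    "icons/16.png": 780, "icons/128.png": 6_210},
    # Two minimal extensions whose files pad to the same page counts:
    # they collide, which is what a uniqueness measurement must expose.
    "hello_a": {"manifest.json": 300, "icon.png": 2_100},
    "hello_b": {"manifest.json": 410, "icon.png": 3_950},
}
INDEX = build_index(DATABASE)

if __name__ == "__main__":
    seized = encrypt_tree(DATABASE["note_taker"])
    print(identify(seized, INDEX))                             # ['note_taker']
    print(identify(encrypt_tree(DATABASE["hello_a"]), INDEX))  # ['hello_a', 'hello_b']
```

The collision between `hello_a` and `hello_b` is the practical caveat: because sizes are only seen rounded to a page, small extensions with the same layout share a fingerprint, so a match yields a candidate set whose size must be reported along with the identification.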