Surveillance in Modern Vehicles

Abstract Modern vehicles are equipped with a large number of sensors for perceiving both their surroundings and the vehicle interior. Vehicles communicate with the manufacturers' cloud services as well as with the occupants' smartphones. Using a vehicle-forensic examination of a Tesla Autopilot control unit, the article shows the difficulties in assessing the level of data protection in modern vehicles. Journal Datenschutz und Datensicherheit - DuD Volume 45

May 11, 2021 · Kevin Gomez Buquerin

A Generalized Approach to Automotive Forensics

Abstract In the past years, software became an essential topic in modern vehicles, e.g., with the rise of more and more complex driver assistance systems. The advent of automated driving will drive this trend even further. Today, accident investigation, as well as warranty claim analysis, need to take into consideration an analysis of the rapidly increasing proportion of software and security based implementations as part of modern vehicles, the so-called digital forensics. This paper evaluates the general feasibility of digital forensics on a state-of-the-art vehicle. To do so, we analyzed current digital forensics techniques on a state-of-the-art vehicle to constitute gaps in the automotive forensics process used on in-vehicle systems. We present a general process for automotive forensics to close existing gaps and implemented it on a state-of-the-art vehicle in an in-vehicle device manipulation scenario. The implementation uses the on-board diagnostics interface, the diagnostics over internet protocol, as well as the unified diagnostic services for communication. Our implementation requires automotive Ethernet at the diagnostic interface. Our research shows future directions for efficient automotive forensics as well as the exemplary feasibility of automotive forensic analysis on state-of-the-art vehicles without the need for additional in-vehicle components such as intrusion detection systems or event data recorders. ...

February 17, 2021 · Kevin Gomez Buquerin

Where is my Ransom? Hunting for Ransomware Gangs using radare2 and Yara

Abstract Ransomware gangs have gotten better and more aggressive over the past years. Their used malware is well developed and some offer ransomware-as-a-service. Specific threat actors publish the collected data if victims do not pay the demanded ransom. This evolvement made this area an interesting research domain for me. My goal is to collect the newest samples of specific ransomware gangs and understand the different actors. I aim to share IOCs, TTPs and other insights with the community. My research should allow people, companies and other institutions to protect themselves from ransomware attacks. At the beginning of this project, I started to analyse samples from different reports by hand. To do this, I used Cutter. This task was very time consuming. In addition, I was not able to gain new insights after analysing a few samples for a specific group. The collected IOCs and TTPs were already known. So I was not able to generate benefit for anyone. So I started to raise the following question: How am I able to collect new samples for specific groups? I identified two options: First, by waiting for new incidents and the corresponding reports. Second, by hunting for ransomware gangs. Obviously, the first option is not very expedient. So I decided to hunt using Yara. I used VirusTotal and Hybrid Analysis to perform my hunts. In my talk, I will quickly explain the goal of Yara and its capabilities. In addition, I will quickly go over the syntax and present best practices I learned after failing miserably at the beginning (more in my example section of the talk). Next, I will explain how I created Yara rules using different tools around r2 (especially Cutter). I will illustrate this for two rules: the Maze and Clop ransomware. For each rule, I will go in detail how I created and tested them. In addition, I will explain how I miserably failed at the beginning and what I learned during the journey. ...

November 5, 2020 · Kevin Gomez Buquerin

Presentation at the CS3STHLM 2019

Automotive DoIP and forensic analysis for automotive systems. Our presentation about automotive DoIP and the forensic capabilities around it. Christopher Corbett and Kevin Gomez Buquerin from Audi talk about automotive DoIP and forensic analysis for automotive systems at CS3STHLM 2019. Presentation from the 6th Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems, Stockholm, Sweden, 21–24 October 2019. Conference CS3STHLM 2019

March 9, 2020 · Kevin Mayer