Honeypot Fun

At the Legal Informatics and Forensic Science Institute, we are preparing to do some research on IoT smart homes. Part of that is setting up a slightly-less-secure system. I run some honeypots on my home networks, but I was interested to see what is coming in to the known University IP range.

I had an extra Raspberry Pi lying around, and decided to run the cowrie (kippo) SSH honeypot. Mostly because it is very fast to set up, gives you an idea of where attacks are coming from, and also gives a list of usernames and passwords that people are trying. More on the setup of cowrie later.

After putting cowrie online, it took 28 minutes before the first connection. This is actually longer than I expected. Possibly because the IP was up before, but port 22 was not open.

After 12 hours, login attempts from the following addresses:

<table>
<thead><tr> <th class="tg-yw4l">Login Attempts</th> <th class="tg-yw4l">IP Address</th> <th class="tg-yw4l">Country</th> </tr></thead>
<tbody>
<tr> <td class="tg-yw4l">1</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">Russia</td> </tr>
<tr> <td class="tg-yw4l">3</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">Russia</td> </tr>
<tr> <td class="tg-yw4l">9</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">France</td> </tr>
<tr> <td class="tg-yw4l">18</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">Germany</td> </tr>
<tr> <td class="tg-yw4l">40</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">Indonesia</td> </tr>
<tr> <td class="tg-yw4l">41</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">Ukraine</td> </tr>
<tr> <td class="tg-yw4l">91</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">Russia</td> </tr>
<tr> <td class="tg-yw4l">126</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">Ukraine</td> </tr>
<tr> <td class="tg-yw4l">336</td> <td class="tg-yw4l"></td> <td class="tg-yw4l">India</td> </tr>
</tbody></table>

Remember that the country doesn’t actually mean anything. These could be proxies, Tor, hacked servers, etc.

The top usernames and passwords are not very surprising.

<table class="tg"><tbody>
<tr> <th class="tg-yw4l">Tries</th> <th class="tg-yw4l">Username / Password</th> </tr>
<tr> <td class="tg-yw4l">21</td> <td class="tg-yw4l">[root/123456]</td> </tr>
<tr> <td class="tg-yw4l">19</td> <td class="tg-yw4l">[root/default]</td> </tr>
<tr> <td class="tg-yw4l">18</td> <td class="tg-yw4l">[admin/support]</td> </tr>
<tr> <td class="tg-yw4l">18</td> <td class="tg-yw4l">[admin/default]</td> </tr>
<tr> <td class="tg-yw4l">18</td> <td class="tg-yw4l">[admin/123123]</td> </tr>
<tr> <td class="tg-yw4l">8</td> <td class="tg-yw4l">[root/admin]</td> </tr>
<tr> <td class="tg-yw4l">6</td> <td class="tg-yw4l">[admin/admin]</td> </tr>
<tr> <td class="tg-yw4l">5</td> <td class="tg-yw4l">[test/test]</td> </tr>
<tr> <td class="tg-yw4l">5</td> <td class="tg-yw4l">[support/support]</td> </tr>
<tr> <td class="tg-yw4l">5</td> <td class="tg-yw4l">[root/qwerty]</td> </tr>
</tbody></table>

Probably the most interesting thing is that the first attack was trying some sort of buffer overflow. Although they were connecting to SSH and sending (weird) user/pass combinations, after the connection was rejected they were sending really long strings. I suspect it is some sort of honeypot detection, or it exploits certain versions of SSH? Not sure.

Anyway, for a 1 hour project it is easy and interesting. Definitely something that students could do in an afternoon.
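
One way to produce the kind of summary shown above from a honeypot log, as an added example that is not code from the original post or from the cowrie project. It assumes Cowrie's JSON log output (one event per line, `cowrie.login.failed` / `cowrie.login.success` events carrying `src_ip`, `username` and `password`); the sample lines, the start time and the 256-character cut-off for "really long strings" are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
MAX_FIELD_LEN = 256  # assumed cut-off for a "really long string"

def sample_event(eventid, ip, clock, **extra):
    """Build one constructed log line; the date and addresses are made up."""
    return json.dumps(dict(eventid=eventid, src_ip=ip,
                           timestamp="2016-04-01T%s.000000Z" % clock, **extra))

# Constructed sample log (RFC 5737 documentation addresses), ending in a
# truncated line such as a log file that is still being written.
SAMPLE_LOG = "\n".join([
    sample_event("cowrie.session.connect", "192.0.2.10", "10:28:00"),
    sample_event("cowrie.login.failed", "192.0.2.10", "10:28:02", username="root", password="123456"),
    sample_event("cowrie.login.failed", "192.0.2.10", "10:28:05", username="root", password="default"),
    sample_event("cowrie.login.failed", "198.51.100.23", "11:02:10", username="root", password="123456"),
    sample_event("cowrie.login.failed", "198.51.100.23", "11:02:12", username="admin", password="support"),
    sample_event("cowrie.login.failed", "198.51.100.23", "11:02:15", username="root", password="123456"),
    sample_event("cowrie.login.failed", "203.0.113.7", "11:40:00", username="admin", password="A" * 600),
    '{"eventid": "cowrie.login.fai',
])
STARTED_AT = datetime(2016, 4, 1, 10, 0, 0)  # constructed: when port 22 was opened

def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank or broken lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event

def summarize(text, started_at):
    """Tally login attempts per source and per credential pair, measure the
    delay to the first event, and flag events with an oversized string field."""
    by_ip, creds, oversized, first_seen = Counter(), Counter(), [], None
    for ev in parse_events(text):
        try:
            seen = datetime.strptime(ev.get("timestamp", ""), TS_FORMAT)
        except (TypeError, ValueError):
            seen = None
        if seen and (first_seen is None or seen < first_seen):
            first_seen = seen
        if any(isinstance(v, str) and len(v) > MAX_FIELD_LEN for v in ev.values()):
            oversized.append((ev.get("src_ip"), ev.get("eventid")))
        if ev.get("eventid") in LOGIN_EVENTS:
            by_ip[ev.get("src_ip", "?")] += 1
            # Truncate for display so an oversized field cannot flood the report.
            user, pw = str(ev.get("username", ""))[:32], str(ev.get("password", ""))[:32]
            creds["[%s/%s]" % (user, pw)] += 1
    delay = (first_seen - started_at).total_seconds() / 60 if first_seen else None
    return {"first_connection_minutes": delay, "attempts_by_ip": by_ip,
            "credentials": creds, "oversized": oversized}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, STARTED_AT)
    print("Minutes to first connection:", report["first_connection_minutes"])
    for ip, n in sorted(report["attempts_by_ip"].items(), key=lambda kv: kv[1]):
        print("%5d  %s" % (n, ip))
    for pair, n in report["credentials"].most_common(10):
        print("%5d  %s" % (n, pair))
    print("Oversized fields:", report["oversized"])
```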


Postdoctoral Positions Available at Hallym University, South Korea

Hello everyone! We have an opportunity for postdoctoral research positions. Positions with the Legal Informatics and Forensic Science Institute at Hallym University provide support for up to 5 years. Applicants must have obtained a PhD no more than 5 years ago. A background in criminal justice or computer science is preferred. If you are interested, please email your CV and a short introduction to [email protected] by 20th April, 2016.

Please forward to anyone that may be interested.


[CFP] ICDF2C Submission date extended!

ICDF2C 2016 in New York has extended its call for papers until April 25th!

Call for papers for the 8th International Conference on Digital
Forensics and Cyber Crime (ICDF2C)
Conference Dates: September 28 - 30, 2016
Location: Manhattan, New York
*Paper Submission: Monday April 25th, 2016 (any time zone)* EXTENDED!

The International Conference on Digital Forensics and Cyber Crime
(ICDF2C) brings together leading researchers, practitioners, and
educators from around the world to advance the state of the art in
digital forensic and cyber crime investigation. ICDF2C 2016 will be held
September 28 - 30, 2016 in Manhattan, New York. We invite contributions
for completed research papers, research-in-progress papers, industrial
talks, panel and tutorial proposals, and round table discussions.
Research papers are evaluated through a double-blind, peer-reviewing
process and accepted research papers will be published in a special
issue of the Journal of Digital Forensics, Security and Law (JDFSL).

JDFSL is an open access journal with a solid indexing including Thomson
Reuters ISI Web of Science. Accepted papers will be indexed in: a)
Google Scholar b) DBLP c) ProQuest d) EBSCO Host to name a few. Articles
will be available for readers online at no cost given the open access
nature of the journal. To learn more about JDFSL you can visit:

This year, we have two themes that we intend to embrace. Authors are
encouraged to submit papers relating to these themes:
• Usage and implications of machine learning in digital forensics
• Big data and digital forensics

The Internet has made it easier to perpetrate crimes by providing
criminals an avenue for launching attacks with relative anonymity. The
increased complexity of global communication and networking
infrastructure and devices makes investigation of cybercrimes difficult.
Clues of illegal activities are often buried in large volumes of data
that need to be sifted through in order to detect crimes and collect
evidence. The field of digital forensics and cybercrime investigation
has become very important for law enforcement, national security, and
information assurance. Digital forensics and cybercrime investigations
are multidisciplinary areas that encompass law, computer science,
finance, telecommunications, data analytics, policing and more. ICDF2C
brings together practitioners and researchers from diverse fields
providing opportunities for business and intellectual engagement among

The following topics highlight the conference's theme:
• Anti Forensics and Anti-Anti Forensics
• Big Data and Digital Forensics
• Business Applications of Digital Forensics
• Civil Litigation Support
• Cloud Forensics
• Cyber Crime Investigations
• Cyber Criminal Psychology and Profiling
• Cyber Culture & Cyber Terrorism
• Data hiding and steganography
• Database Forensics
• Digital Forensic Science
• Digital Forensic Tool Testing and validation
• Digital Forensic Trends
• Digital Forensics & Law
• Digital Forensics and Error rates
• Digital Forensics novel algorithms
• Digital Forensics Process & Procedures
• Digital Forensics Standardization & Accreditation
• Digital Forensics Techniques and Tools
• Digital Forensics Triage
• e-Discovery
• Hacking
• Incident Response
• Information Warfare & Critical Infrastructure Protection
• Law Enforcement and Digital Forensics
• Machine learning and Digital Forensics
• Malware & Botnets
• Mobile / Handheld Device & Multimedia Forensics
• Money Laundering
• Network forensics
• New chip-off techniques
• Novel Digital Forensics Training programs
• Online Fraud
• Programming Languages and Digital Forensics
• SCADA Forensics
• Sexual Abuse of Children on Internet
• Software & Media Piracy
• Theoretical Foundations of Digital Forensics
• Traditional Criminology applied to Digital Forensics
• Philosophical accounts for Cyber Crime and Digital Forensics

_Research papers & presentation proposals:_
Submission deadline: Monday, 25 April, 2016 (any time zone) *extended*
Notification of Acceptance: Friday, 1 July, 2016
Camera-ready Version: Monday, 1 August, 2014

_Other Submissions (industry talks, panel discussion or workshops):_
Submission deadline: Friday, 1 July 2016
Notification of Acceptance: Friday, 15 July 2016

Papers describing original unpublished research are solicited. Submissions must not be concurrently under review by a conference, journal or any other venue that has proceedings. Papers in the topic areas discussed are preferred, although contributions outside those topics may also be of interest. Please feel free at any time to contact the conference general chair if you have questions regarding your submission.
  • Completed Research Papers: No longer than 14 pages (including abstract, figures, tables and references) must be formatted using JDFSL template (see Formatting / Templates on http://www.jdfsl.org/for-authors).
  • Presentation Proposals (e.g., to present work in progress): No longer than 1 page (12pt, any format). Accepted proposals will get a 15min presentation slot as well as the chance to present work during the poster session.
  • Papers / proposals must be submitted only through Easychair.org by going to: https://www.easychair.org/conferences/?conf=icdf2c2016.

All submitted research papers will be judged based on their quality through double-blind reviewing. Authors' names must not appear in the paper. All other submissions should be sent via email to the conference general chairs ({FBreitinger, IBaggili} at newhaven.edu).

Accepted papers will be published in a special issue of the Journal of Digital Forensics, Security and Law (http://www.jdfsl.org).

Submissions can be made in a number of categories: industrial talks, panel and tutorial proposals, workshops and round table discussions. Please follow the following guidelines in preparing your submission.
  • Industrial Talk: Typically a 1,000 word description of the proposed talk. All talks must be vendor neutral.
  • Round Table Discussion: Typically a 1,000 word synopsis of the topic area.
  • Panel Proposals: Typically a 1,000 word description, identifying the panelists to be involved.
  • Workshop Proposal: Typically a 1,000 word synopsis about the content of the workshop.
  • Tutorial Proposals: Typically a 1,000 word description of topic(s), potential speakers, program length, and potential audience. Also, include proposer resume(s).

All proposals should be submitted to the general chairs ({FBreitinger, IBaggili} at newhaven.edu).

Timothy Vidas, Carnegie Mellon University
Ping Ji, CUNY - John Jay College of Criminal Justice
Spiridon Bakiras, Michigan Technological University
Ibrahim Baggili, University of New Haven
Neil Rowe, U.S. Naval Postgraduate School
Kim-Kwong Raymond Choo, University of South Australia
Irfan Ahmed, University of New Orleans
Nitin Agarwal, University of Arkansas at Little Rock
Yong Guan, Iowa State University
Martin Olivier, University of Pretoria
Michael Losavio, University of Louisville
David Dampier, Mississippi State University
Nhien An Le Khac, University College Dublin
Honggang Zhang, University of Massachusetts Boston
K P Chow, University of Hong Kong
Andrew Marrington, Zayed University
Nicole Beebe, The University of Texas at San Antonio
Joshua I. James, Digital Forensic Investigation Research Laboratory
Pavel Gladyshev, University College Dublin
Petr Matousek, Brno University of Technology
Ahmed F. Shosha, University College Dublin
Christian Winter, Fraunhofer Gesellschaft
Martin Schmiedecker, SBA Research
Farkhund Iqbal, Zayed University
Mark Scanlon, University College Dublin
Thomas Kemmerich, University of Bremen, IS-Bremen
Kathryn Seigfried-Spellar, Purdue University
Stig Mjolsnes, Norwegian Univ. of Science and Technology NTNU
Michał Rzepka, MSH Consulting
Vassil Roussev, University of New Orleans

[CFP] Journal of Digital Forensics Security and Law

The Journal of Digital Forensics, Security and Law published its first issue in the 1st quarter of 2006 and is now calling for papers in, or related to, the following areas for Volume 11 (2016). This list is provided as a means to guide authors, however, we are open to accept other topics that relate to cyber security and forensics.
  • Business Applications of Digital Forensics
  • Civil/Criminal Litigation Support
  • Cloud Forensics
  • Curriculum
  • Cyber Crime Investigations
  • Cyber Criminal Psychology and Profiling
  • Cyber Culture and Cyber Terrorism
  • Data Hiding and Steganography
  • Database Forensics
  • Digital Forensic Trends
  • Digital Forensics and Law
  • Digital Forensics and Error Rates
  • Digital Forensics Novel Algorithms
  • Digital Forensics Process and Procedures
  • Digital Forensics Standardization and Accreditation
  • Digital Forensics Techniques and Tools
  • Big Data and Digital Forensics
  • e-Discovery
  • Hacking
  • Incident Response
  • Information/Cyber Warfare & Critical Infrastructure Protection
  • Law Enforcement and Digital Forensics
  • Machine learning and Digital Forensics
  • Malware and Botnets
  • Mobile/Handheld Device and Multimedia Forensics
  • Money Laundering
  • Digital Forensics Triage
  • Digital Forensic Science
  • Digital Forensic Tool Testing and validation
Submission Requirements
All manuscripts should be word-processed (letter or correspondence-quality font) and should be submitted in PDF, Word or RTF formats. Submissions have to be made through the JDFSL OJS Submission System at http://ojs.jdfsl.org/.
To ensure a blinded review process, the following information should be excluded from the submission:
  • Authors Names section
  • Biography section
  • Acknowledgments section (if it contains information identifying the authors).
  • If an article is accepted, author(s) must provide a version in either Microsoft Word or LaTeX with graphics (figures) in GIF, TIF, or PowerPoint formats. Permissions for reprinted material are the sole responsibility of the author(s) and must be obtained in writing prior to publication. 
JDFSL Submission Evaluation Criteria
Manuscripts submitted are expected to be:
  • new and original,
  • well organized and clearly written,
  • of interest to the academic and research communities,
  • not published previously, and
  • not under consideration for publication in any other journal or book
Articles published in or under consideration for other journals should not be submitted.
  • Significantly enhanced versions of manuscripts previously published may be considered. Authors need to seek permission from the publishers of such previous publications.
  • Papers awaiting presentation or already presented at conferences must be significantly enhanced (ideally, taking advantage of feedback received at the conference) in order to receive consideration. If the paper has been presented previously at a conference or other professional meeting, this fact, the date, and the sponsoring organization should be listed in a footnote on the first page.
  • Funding sources should be acknowledged in the Acknowledgements section.
The journal Web site is located at http://www.jdfsl.org.   If you have questions, please contact the editor of the JDFSL who may be reached via email at [email protected]

Aims & Scope

The mission of JDFSL is to publish original research and comments about digital forensics and its relationship to security and law. Contributions are particularly welcome which analyze the results of interdisciplinary research. Publications will include the results of research and case studies that advance the curriculum, practice and understanding of digital forensics methods and techniques to support efficient and effective investigations.
The peer-reviewed, multidisciplinary Journal of Digital Forensics, Security and Law (JDFSL) focuses on the advancement of the field by publishing the state of the art in both basic and applied research conducted worldwide. We purposefully chose to use the word cyber in our tagline, instead of digital to emphasize the cyber culture surrounding computing, and the word cyber also extends itself beyond the technical domain of computing. The Journal's main aims are to open up the landscape for innovation and discussion, and to continuously bridge the gap between the science and practice of cyber forensics, security and law. This journal encourages both scientists and practitioners to share their discoveries and experiences.
JDFSL is of interest to the following stakeholders: cyber forensic/security scientists, cyber security/forensic practitioners, law enforcement officers, lawyers, any governmental agencies with interest in national and local security, and private sector organizations. The Journal will publish the following types of articles:
  • Research articles: These articles should have a strong contribution to the state of the art in cyber forensics/security science. Research could be either applied or basic. Although we anticipate that most of the research that will be published will primarily be computer science centric, the Journal strongly encourages topics that stem from other disciplines such as psychology, sociology, business, accounting, law, philosophy, linguistics, education, criminal justice, political science, social science, and ethics, to participate in the advancement of cyber forensic science. We have no preference on the type of methodology used in the research, as long as the work is both methodologically and scientifically grounded.
  • Open Peer Commentaries: To ensure that there is constant discussion and deliberations in this field, JDFSL encourages experts in the domain to submit commentaries on the state of the art in the field through open peer commentaries. Commentaries seek to provide a critical and/or alternative perspective on the state of the art in cyber forensics/security. For a commentary to be accepted for publication, it should meet one or more of the following criteria:
      - The contribution should offer significant insight into work that has been published in JDFSL.
      - Novel findings substantially contradict well-established research, theory, and practice.
      - It provides insight into bridging the gap between the science and practice of cyber forensics security.
      - It critiques findings of seminal work, research, or practice in the domain.
      - It offers significant contribution by consolidating findings in research and practice.
      - It improves the multidisciplinary nature of the domain.
      - It reviews and provides insight into both tools and methods used in cyber forensics.
  • Book Reviews: The Journal provides a place for peers to share their opinions and reviews of published books in the field of cyber forensics and security science.


[CFP] JDFSL Special issue on Cyberharassment Investigation: Advances and Trends

JDFSL Special issue on Cyberharassment Investigation: Advances and Trends.

Anecdotal evidence indicates that cyber harassment is becoming more prevalent as the use of social media becomes increasingly widespread, making geography and physical proximity irrelevant. Cyberharassment can take different forms (e.g., cyberbullying, cyberstalking, cybertrolling), and be motivated by the objectives of inflicting distress, exercising control, impersonation, and defamation. Investigation of these behaviours is particularly challenging because it involves digital evidence distributed across the digital devices of both alleged offenders and victims, as well as online service providers, sometimes over an extended period of time. As a result, little is currently known about the modus operandi of offenders.

This special issue invites original contributions from researchers and practitioners which focus on the state-of-the-art and state-of-the-practice of digital forensic investigation of cyberharassment of all kinds.  We particularly encourage multidisciplinary contributions that can help examiners to be more effective and efficient in cyberharassment investigations.
Topics of interest include, but are not limited to:
-Offender psychology and profiling
-Cyberharassment victimology
-Methodologies and process models specific to cyberharassment investigation
-Tools and techniques for dealing with the types of digital evidence encountered in cyberharassment investigation
-Cyberharassment indicators
-Challenges and particularities of different modalities of cyberharassment
-Trends and typologies of cyberharassment

Important dates:
-Paper Submission:                 1 June 2016
-Notification of Initial Decision: 30 June 2016
-Revision due:                     31 July 2016
-Notification of Final Decision:   31 August 2016
-Final Manuscript Due:             30 September 2016
-Publication Date:                 31 October 2016

Author instructions:
The submissions must be blind and original (i.e., must not have been published or be under review by any other publisher). Authors should refer to the following link for instructions: http://www.jdfsl.org/for-authors. The option “Cyberharassment Special Issue” must be selected as article type on JDFSL OJS Submission System.  Further queries can be directed to the guest editors.

Guest Editors:
Dr Joanne Bryce
School of Psychology
University of Central Lancashire

Dr Virginia Franqueira
College of Engineering and Technology
University of Derby

Dr Andrew Marrington
College of Technological Innovation
Zayed University

About JDFSL:

The Journal of Digital Forensics, Security and Law (JDFSL) is a peer-reviewed, multidisciplinary journal focussing on the advancement of the cyber forensics field through the publication of both basic and applied research. JDFSL is a no-fee open access publication, indexed in EBSCOhost, ProQuest, DOAJ, DBLP, arXiv, OAJI, ISI Web of Science, Google Scholar, and other databases. JDFSL is published by the Association of Digital Forensics, Security and Law.
