
Author’s personal copy

Universal serial bus based software attacks and protection solutions

Dung Vu Pham a, Ali Syed a, Malka N. Halgamuge b,*

a School of Computing and Mathematics, Charles Sturt University, Study Centre Melbourne, Victoria 3000, Australia
b Department of Civil and Environmental Engineering, Department of Electrical and Electronic Engineering, The University of Melbourne, Grattan Street, Parkville, Victoria 3010, Australia
* Corresponding author. E-mail address: [email protected] (M.N. Halgamuge).

Article history: Received 12 January 2010; received in revised form 26 January 2011; accepted 17 February 2011

Keywords: USB; Flash drive; Autorun; Hack tool; Malware

Abstract

Information security risks associated with Universal Serial Bus (USB) storage devices have been serious issues since 2003, which marked the wide adoption of USB technologies in the computing industry, especially in corporate networks. Due to the insecure design and the open standards of USB technologies, attackers have successfully exploited various vulnerabilities in USB protocols, USB embedded security software, USB drivers, and Windows Autoplay features to launch various software attacks against host computers and USB devices. The purposes of this paper are: (i) to provide an investigation of the currently identified USB based software attacks on host computers and USB storage devices, (ii) to identify the technology enablers of the attacks, and (iii) to form a taxonomy of attacks. The results show that a multilayered security solution framework involving software implementations at the User Mode layer in the operating systems can help eliminate the root cause of the problem radically.

© 2011 Elsevier Ltd. All rights reserved.

Digital Investigation 7 (2011) 172–184. 1742-2876/$ – see front matter. doi:10.1016/j.diin.2011.02.001

1. Introduction

Universal Serial Bus (USB) is a communication standard which has been widely adopted in the computing industry for the last few years for replacing serial and parallel ports. USB offers a number of advantages such as high data processing speed, hot swapping, plug-and-play (PnP), and power supply to peripherals, which helped it quickly gain popularity. The implementation of USB allows a wide range of different electronic devices to connect to computers, such as mice, keyboards, PDAs, gamepads, joysticks, scanners, printers, digital cameras, personal media players, flash drives, and external hard drives. However, the popularity of USB interface capable devices has resulted in increased risks to the information security of both host computers and USB devices.

In this research, we investigate all the currently identified USB based software attacks, and develop a conceptual security framework for protecting host computers and USB drives from USB based software attacks. In detail, the following aspects are considered:

• Software attacks on host computers by USB based malware such as worms, viruses, and Trojan horses, and USB based hack tools.
• Software attacks on USB drives by hack tools.
• A security framework for protecting both USB drives and host computers against USB based software attacks.

2. Previous work

Previous research has been conducted in three areas: (1) USB based software attacks on host computers, (2) software attacks on USB devices, and (3) protection measures and best practices for preventing USB based software attacks.

2.1. USB based software attacks on host computers

USB based software attacks on host computers refer to software attacks launched from USB devices against host computers.
The attacks analyzed in previous research can be categorized into online attack mode, referring to attacks launched from USB drives which are inserted into running computers, and offline attack mode, which happens when attackers manage to boot the target computers from their crafted USB drives.

2.1.1. Online attack mode

Among the attacks on host computers, data theft has been the biggest concern related to USB devices in corporate environments since 2005, when USB 2.0 devices became popular. Data theft is normally conducted using various simple ad hoc programmed utilities which are capable of silently downloading some specific data files from host computers into USB drives (Alzarouni, 2006; Fabian, 2007). In 2006 and 2007, there was a substantial increase in the frequency and the level of complexity of USB based software attacks on computers, especially networked computers. The ad hoc programmed hack tools, automatically launched from USB drives, were capable of doing many kinds of data manipulation on computer systems such as changing registry settings, installing backdoors and other malicious codes, stealing confidential information, and even downloading the system page file from a running computer to a USB drive (Alzarouni, 2006; Lee et al., 2007). Cryptography attacks were also common during the period with the support of USB drives and some ad hoc programmed hack tools which are capable of exploiting operating systems’ data encryption keys, OpenSSH, and Apache HTTPS servers (Harrison and Xu, 2007).

After the USB 2.0 standard, the U3 revolution, which became popular in 2007, made U3 (USB) drives the ultimate hacking tools. The applications installed in U3 drives can be executed without having to be installed on host computers. Attackers can simply craft their own U3 ISO images with necessary hack tools to replace the original U3 ISO images on U3 drives, and take advantage of the technology to launch multi-payload attacks on the target computers (Alzarouni, 2006; Lee et al., 2007).

In 2008, a utility was developed to allow manipulating the information on inserted USB devices stored in the Windows registry. It was suggested that when such a utility is used in combination with other malicious codes, it creates an additional protection layer for the attackers who employ USB devices as attack tools (Thomas and Morris, 2008). Although the idea of manipulating the Windows registry by utilities or malware was not new, it did suggest another possibility of software attacks using USB devices. Obviously, skilled attackers can further improve the idea to help them clear their tracks or create obfuscating information on the host computers after completing their attacks.

2.1.2. Offline attack mode

The enabler for offline attack mode comes from the “boot from USB” capability of recent motherboards and Preinstallation Environment (PE) tools such as Windows PE and Bart PE. These PE tools make it possible for the cores of some Windows editions such as Windows XP and Vista to be installed on and boot from USB drives. Later on, miscellaneous toolkits such as antivirus software, data recovery, hard-drive diagnostics, zip software, web browsers, secure file transfer protocol (FTP), word processing, registry editor, product key viewer, network configuration, and remote desktop client tools were bundled into bootable USB drives (Gibson and Dyar, 2007).

Although the “boot from USB” feature was originally designed for computer administration purposes, bootable USB drives are also very powerful hack tools. With the aid of a few hundred-megabyte USB 2.0 drives, an attacker can boot the target computer from the USB drive and dump all the data from the host computer to the USB drive within half an hour.
Even with cryptography, the cryptographic key materials stored in computer memory (RAM) were successfully retrieved with the aid of a bootable USB drive and a tiny plug-in of a few kilobytes in an experiment in 2008 (Halderman et al., 2008). Moreover, these attacks do not cause any damage to the host’s operating system or data, nor do they require accounts on the host operating system.

2.2. Software attacks on connected USB drives

Similar to the data stored in host computers, data stored on USB drives and even secure USB flash drives are also vulnerable to different kinds of software attacks. USB drive security software bugs and the insecure nature of the communication channels between the USB devices and host computers make many password-protected and even fingerprint-protected USB drives vulnerable to software attacks. On password-protected USB drives such as Safeboot Phantom and MXI MXP Stealth, weak passwords result in successful brute force attacks. On fingerprint-protected USB drives such as the BioSlimDisk iCool drives, imported fingerprints can be easily deleted with the support of a crafted program. This allows attackers to import their own fingerprints and compromise the security measures (Jeong et al., 2007; Bakker et al., 2007). The other type of attack on such devices is security protection bypass, which is conducted by exploiting vulnerabilities in the security software of USB drives. Successfully exploiting the vulnerabilities allows attackers to have direct access to the data stored in the secure partition of the devices (Jeong et al., 2007).

2.3. USB based malware

USB based malware is the most common type of USB based software attack. However, this type of attack has not been addressed in any of the previous papers. While attacks analyzed in previous research are normally target-specific and manually triggered, attacks by USB based malware are fully automated and do not normally have specific targets. USB based malware is believed to account for the majority of all USB based software attacks. However, this threat vector has not received enough attention and further work on this type of attack is necessary.

2.4. Currently proposed protection measures

The solutions proposed in previous research for secure use of USB technologies can be categorized into three categories: data access control, USB port access control, and security policies.
Among the three types of solutions, data access control is probably the most interesting, feasible and widely adopted. Data access control allows the use of USB devices while it maintains definite security levels. The commonly proposed data access control solutions include disabling Autorun, limiting user privileges, encrypting the stored data on both communication ends, restricting access to vital data on critical servers, monitoring access to servers, and limiting the size of data transferable to USB drives (Alzarouni, 2006).

USB port access control involves disabling USB ports physically, or disabling USB port by firmware and operating system settings and third party utilities. In some organizations, USB ports on computers are physically disabled by glue which is the last recommended solution. Disabling USB ports by Basic Input Output System (BIOS) settings, Windows registry, and Group Policy settings are some other options. Many researchers recommend deploying third party utilities such as NetWrix USB Blocker, DeviceLock, and Zlock to apply USB port access privileges to specific users, user groups, and even USB device classes such as Palm, and USB phones (Alzarouni, 2006; Fabian, 2007).

Acceptable Use Policy (AUP) is also commonly referred to as management solutions for USB security issues. AUPs are normally implemented with security education and training programs to provide users with essential understanding on secure use of information systems, regulate users’ actions, and provide procedures for managing security incidents (Fabian, 2007). AUPs are generally cost-effective management solutions which can be implemented in any corporate environment.

2.5. Unresolved issues in the proposed solutions

There were some disadvantages and unresolved issues in the proposed solutions in the previous papers which affect the solutions’ efficiency and effectiveness.
Firstly, there are some disadvantages in the proposed solutions because important factors such as business efficiency, investment and maintenance costs, end users, and personal computers were not considered in any of these solutions. Data access control and USB interface access control are obstacles to business efficiency and potentially become a burden on the IT budget in terms of both software license and maintenance costs. End users and personal computers (PC) were not considered in any of the proposed solutions. In reality, AUP and other corporate policies are not applicable to PC users. Moreover, complicated system configurations and additional costs for third party software are not likely to be accepted by PC users.

Secondly, due to the lack of root-cause analysis of these attacks, the technology enablers of these attack vectors were not identified. Therefore, the proposed solutions tended to fix the consequences of the vulnerabilities in USB security software, Windows Autoplay features, the Windows driver security model, and the USB interface management feature instead of addressing these vulnerabilities directly. Attacks automatically launched from USB storage devices, such as data theft and multi-payload attacks, simply exploit the vulnerability in Windows Autoplay features. This vulnerability comes from the lack of a built-in security mechanism inside Windows Autoplay features. Similarly, due to the lack of a security mechanism for the USB interface, computer malware can spread back and forth between USB drives and internal drives. Although the USB interface is designed for data exchange between computers and their outside environments, it is left open to the external environment without any security protection mechanism. Attacks on USB drivers were possible due to the lack of driver signing enforcement, which allows unidentified drivers to be injected into the Windows kernel. However, the proposed solutions do not directly address any of these vulnerabilities.
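
The "disabling Autorun" measure listed in Section 2.4 is controlled on Windows by the NoDriveTypeAutoRun policy value in the registry. The following is an added example, not code from the paper: it decodes that value from reg query output and reports which drive classes still honor AutoRun, including the CD-ROM class that a U3 drive's CDFS partition (Section 4.3) falls under. The value name, its bit layout and the constructed sample output are not taken from the page.

```python
import re

# NoDriveTypeAutoRun bit layout: a set bit DISABLES AutoRun for that class.
DRIVE_BITS = [
    (0x01, "unknown"),
    (0x04, "removable"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "cdrom"),
    (0x40, "ramdisk"),
]

# Classes a plugged-in USB storage device can present to Windows:
# ordinary flash storage, and the CDFS partition of a U3 drive.
USB_REACHABLE = ("removable", "cdrom")

VALUE_RE = re.compile(
    r"^\s+NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$"
)

# Constructed sample: output of `reg query` for the Policies\Explorer key
# in both hives, concatenated. Not captured from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x95
"""


def parse_reg_query(text):
    """Return {hive: mask} for every NoDriveTypeAutoRun value in the text."""
    found, hive = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            hive = line.split("\\", 1)[0]
            continue
        match = VALUE_RE.match(line)
        if match and hive:
            found[hive] = int(match.group(1), 16)
    return found


def effective_mask(found):
    """The machine-wide policy takes precedence over the per-user value."""
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        if hive in found:
            return found[hive]
    return None  # no policy configured: the OS default applies


def audit(text):
    """Report drive classes that still honor AutoRun and the USB-facing gaps."""
    mask = effective_mask(parse_reg_query(text))
    if mask is None:
        return {"mask": None, "enabled": None, "gaps": None}
    enabled = [name for bit, name in DRIVE_BITS if not mask & bit]
    gaps = [name for name in USB_REACHABLE if name in enabled]
    return {"mask": mask, "enabled": enabled, "gaps": gaps}


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("effective mask: 0x%02X" % report["mask"])
    print("AutoRun still enabled for:", ", ".join(report["enabled"]))
    print("USB-reachable gaps:", ", ".join(report["gaps"]) or "none")
```

In the sample the machine policy 0x95 disables AutoRun for removable drives but leaves the CD-ROM class enabled, so the report lists cdrom as the remaining gap; 0xFF closes every class.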
Thirdly, previous research lacked a complete taxonomy of USB based software attacks and a framework for addressing them. Each of the provided solutions is designed to address only some of the currently identified attack vectors in specific scenarios and therefore tends to leave out other attack vectors.

Finally, the attacks and proposed solutions were evaluated in the contexts of Windows XP and the earlier x86 versions, while their successors such as Windows 7 x86 and x64 have been in place for a while, and will soon be popular in both office and home environments.

3. Attacks by USB based malware

3.1. USB based malware

The term “USB based malware” in this paper refers to computer worms, viruses, Trojan horses, spyware, adware, and rootkits which are specially designed to exploit Windows Autoplay features to replicate over USB drives and launch attacks against host computers and computer systems. Although the term “USB based malware” has been mentioned on the world wide web as computer malware spreading via USB drives, this concept does not differentiate the malware that is purposely designed for spreading via USB drives from the malware that is designed for replicating via any means of media. Many worms can spread via many means of media including USB drives, floppy drives, compact discs, and network shares; however, they do not exploit the Autoplay features. Such worms are not considered as USB worms in the scope of this paper. The majority of the malicious codes mentioned in this research are referred to as W32/Autorun by security firms such as Symantec, Microsoft, and McAfee. W32/Autorun does not include all the malicious codes that exploit Autoplay features. This research takes into account any malware which does exploit Autoplay features.

Windows Autoplay features were designed for providing appropriate software response to hardware actions initiated by computer users.
The features are available in version 1 and version 2. Version 1 was designed for Windows 98 and Windows 2000. Version 2 was improved from version 1 to support multimedia contents and devices and is available on Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7. The features operate based on Autorun.inf files located in the root folders of removable drives. Autorun.inf files can be written with any ANSI text editor such as Notepad. The typical components of an Autorun.inf file include four commands: icon, open, shell, and shell/verb. These commands are used to automatically launch applications in removable drives when the drives are inserted into computers.

USB based malware is designed to exploit the Autoplay features by creating Autorun.inf files to automatically launch its copies specified by the open and shell commands. Fig. 1 shows the typical content of an Autorun.inf file created by USB based malware. The icon command specifies the icon file for the executable files triggered by the Autorun.inf file. This icon can be anything that looks familiar and legitimate to users. The open command specifies the file to be executed when Autorun.inf is loaded by the Autoplay features, and in this case it specifies a copy of the malware. The shellexecute command was introduced in Windows Me and 2000. It is also used to specify a file to be executed by Windows Autoplay. However, it also allows applications to run with their associated files. Both open and shellexecute commands are used to ensure that the malware can be executed under any version of Windows. The shell\auto command specifies the default item in the USB drive shortcut menu activated when users right-click on the drive icon. In this case, the default item is used to activate the malware.exe file.

3.2. Analysis of USB based malware’s common profile

Because of the trend in reengineering malware to exploit the Autoplay features (Thomas et al., 2009), the attack profile of USB based malware tends to get closer to that of malware in all categories.
However, due to the huge quantity of the malicious codes and the lack of statistics from security firms, we only analyze the common profile of the top USB based malware, which accounted for the major portion of activities by the malware in this category in the period of September 2007 to October 2009 as reported by Microsoft, Trend Micro, Symantec, McAfee, Norman, and Kaspersky. The data on the profile of each malicious code were obtained from the malware definition databases of Microsoft Malware Protection Center, Kaspersky Lab, Symantec, Sophos, Trend Micro, McAfee, and Norman Security Center. The collected data include name, type, date detected, aliases, alert level, technical analysis, files created, system folder infection, registry update, auto startup mechanism, replication media, Autorun.inf file, file infection, and payload. The data are then analyzed by descriptive statistics tools. A list of these malicious codes is included in Table A1 in the Appendix of this paper.

3.3. The development trend of USB based malware

As USB drives become popular, malware is redesigned to replicate through this vector. The trend from 2007 to March 2009 shows a consistent increase in the number of backdoors, bots, password stealers, and parasitic viruses redesigned to spread via USB drives (Thomas et al., 2009). By the end of March 2009, 20 million unique malicious codes had been detected by McAfee Avert Lab (Paget, November 20, 2009). More than half a million were Autorun malware created in the period from April 2007 to April 2009. The number of Autorun malware had exceeded 1.2 million by October 2009 (Marcus et al., 2009; McAfee Threats Report, 2009). Fig. 2 illustrates the development trends of Autorun malware and malware of all categories for the period of October 2007 to October 2009.
The stack bars show the development trends of Autorun malware and malware of all categories in quantity, and the two lines show the development patterns of the malware in development percentages. In Fig. 3, the graph illustrates correlational relationships between the development of Autorun malware and its supporting factors including the availability of USB drives, the maturity of Windows operating systems supporting Autorun v2, and the maturity of USB technologies. Autorun malware started to develop in the last quarter of 2007, when Windows XP reached its peak of market maturity and USB 2.0 flash drives got into the last period of their product growth phase. The sharp increases in the quantity of USB flash drives shipped worldwide and the world market share of Windows XP and later versions in the period of October 2008 to October 2009 also led to the sharp increase of Autorun malware in the period reflected in both Figs. 2 and 3. In Fig. 2, the overall graph trend shows a consistent development relationship between Autorun malware and malware of all categories in each quarter and the overall period, with slightly higher development rates for Autorun malware in the year 2009. The reason for such a relationship could be explained in Fig. 3, which illustrates Autorun malware’s development trend in relation to its supporting factors including the quantity of USB flash drives sold, market share of operating systems supporting USB PnP and Autoplay v2, USB standard maturity level, U3 and boot from USB technologies.

Fig. 1 – A typical Autorun.inf file created by USB based malware.

Fig. 2 – Malware development trend for the period of 10/2007–10/2009, data source: (Paget, 2009; McAfee Avert Labs, 2009).

4. Attacks on host computers

Attacks on host computers involve buffer overflow attacks on USB drivers, data theft attacks on host computers, multi-payload attacks using U3 and portable hack tools, and offline cold boot attacks.

4.1. Attacks on USB driver

Buffer overflow attack on the vulnerabilities in USB 2.0 drivers in computer operating systems is the most primitive type of USB based software attack, and was first mentioned in 2005 (Roberts, 2005). The problem comes from the weakness in the design of earlier USB 2.0 devices, where firmware was designed with little care for security and validations. Attackers could program their USB drivers to exploit the vulnerabilities and escalate privileges on any operating system such as Windows, Linux, and OS/2 (Roberts, 2005). However, such problems on the Windows platform have not yet been confirmed by Microsoft or computer OEMs. In 2009, the same problem was detected again in Auerswald Linux’s USB driver. Attackers who have physical access to Linux computers can use their crafted USB drives to execute arbitrary code on the computers at the kernel level and take control over the systems (Vega, 2009). Fortunately, this attack vector is not common, possibly due to the requirements of physical access to the target computers and knowledge of USB driver programming.

4.2. Data theft attacks on host computers

Data theft with the support of USB drives has been a serious issue in corporate networks for the last few years, especially after the USB 2.0 standard became popular in 2004. The common payload of data theft is intended to steal business data and sometimes personal data such as credit card information left in cache memory. This attack vector utilizes some simple scripts written in Perl, MS DOS batch script, or VBScript, with some ready-made tools freely available on the Internet. Sometimes, Windows built-in utilities such as xcopy.exe, robocopy.exe, or the copy command are also utilized.
Most of these scripts are designed to exploit the Autoplay features. As the attack process is conducted in non-console mode or in the background as a Windows process, it is totally transparent to users. The common functions provided by ready-made tools used in such attacks include data query (Pod slurping), data copy (xcopy.exe), simple mail transfer protocol (SMTP) clients, data compression (rar.exe), and secure socket layer (SSL) client (Stunnel). The combined payload of these tools allows attackers to locate the necessary data on host computers and save the data to their USB drives, or compress and send the data through an SSL channel to their FTP servers or mailboxes.

Such attack techniques are not always effective in many scenarios on Windows operating systems that support the User Account Control (UAC) feature. UAC is a security feature which is available in Windows Vista, Windows 2008, and Windows 7. This feature monitors all processes and activities on the computer, and protects the system files and settings from abnormal access by both Windows built-in processes and applications. When UAC is turned on (by default), all processes are run under standard user rights and permissions. Access to system files and settings, and to folders where users do not have permissions, will trigger security alerts and privilege escalation requests. Abnormal activities by unsigned applications such as hack tools and malware will trigger UAC’s security alerts. Some dangerous hack tools mentioned in this paper such as SwitchBlade, GonZors Blade, Amish Blade, Password Dump, Ethereal, Network Password Recovery, and White Hat Payload all trigger UAC’s security alerts.

Fig. 3 – The development of USB based malware in relation to its supporting technologies, data sources (Chance, 2005; W3chools, 2009).

The threats from this attack vector still exist when attackers use signed applications in combination with their scripts to run attacks in the background, in a way very similar to system administrators’ scripts for data backup. The scripts in Figs. 4, 5 and 6 exploit the Autoplay features to secretly copy files in the user’s Documents folder to the inserted USB drive, compressed and encrypted with a password, using the copy command, rar.exe, and hstart.exe. Fig. 4 shows the content of the Autorun.inf file in the root folder of the USB drive. Fig. 5 shows the content of the trigger.bat file located in a hidden folder in the USB drive. This file loads the payload file (xcp.bat) using the hidden start tool with the “/noconsole” option, which forces xcp.bat to run without a console, making the attack process transparent to the users. Fig. 6 shows the content of xcp.bat containing the attack payloads, which copy all files in the Documents folder to a folder called “STOLENDATA” in the attacker’s USB drive. The copied data is further compressed and encrypted with a password by the rar.exe utility and saved under the file name stolendata.dat, leaving no trace for users. However, when the UAC setting is set to high, no such process will be created in the background. A notification of process failure will pop up, calling for users’ attention.

4.3. Multi-payload attacks by U3 hack tools

U3 is an open standard developed to provide users with application mobility through an application platform available in U3 drives, whereby U3 applications can be installed on and run from U3 drives independently from host computers. In a U3 drive, a small partition located at the beginning of the drive is marked as a CDFS (CD file system) partition so that Windows recognizes it as a CD rather than a removable drive. U3 applications are self-contained applications run from the CDFS partition without having to be installed on the host computers, modify the registry, or reserve computer resources. While the Autoplay feature for removable drives is disabled on Windows 7, it is still enabled for the CDFS partition. U3 technology is supported on the Windows platform for Windows 2000 SP4 and later, on both x64 and x86 versions.

Attackers of this vector have a large and flexible range of hack tools to deploy on U3 drives. They can customize their own ISO images with necessary hack tools and malware to install in the CDFS partitions to exploit the Autoplay feature which is available for CDFS partitions, or directly run the hack tools from the U3 Launchpad. Some commonly known hack tools available in U3 format (.u3p) are USB Switchblade, U3 Incident Response Switchblade, USB Hacksaw, USB Pocket Knife, Nmap, Ethereal, Wireshark, Showtraf, TCPDump, Nemesis and John the Ripper, HTTP RAT, Anonymizer, and Data Recovery.
Among these tools, Switchblade is a very dangerous toolkit consisting of several hack tools capable of recovering important information from Windows systems such as passwords (SAM, messenger clients, web browsers cache), LSA Secret, service, system and port information. USB SwitchBlade is available in two versions developed by the Hak5 community and GonZor. USB SwitchBlade developed by the Hak5 community is now available in several sub-versions by Kapowdude, Gandalf, Silivrenion, and Amish. The codes of these sub-versions are adjusted by Hak5 members and are slightly different from each other. However, the payloads remain the same and they all trigger UAC. The later version developed by GonZor is more powerful and is capable of overwriting programs on U3 CDFS partitions. As these partitions are read only, antivirus programs cannot delete the installed hack tools on detection.

Besides Switchblade, U3 Incident Response Switchblade was developed to support the process of evidence gathering in security incidents. This tool gathers information on accounts, groups, networking (such as IP, DNS cache, ARP table, NetBIOS, routing information, firewall state and rules), and services status. Generally, these tools are now all detected and blocked by many antivirus programs. However, the U3 development kit is open to the public to assist U3 application developers. Attackers can also compile hack tools to .u3p format in many circumstances. There are also U3 compilers such as Package Factory which allow people to recompile many applications to .u3p format.
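
The Autorun.inf commands described in Section 3.1, on which both the crafted file of Section 4.2 and the customized U3 ISO images in this section rely, can be triaged from a copy of the file without opening the drive on a host that has Autoplay enabled. The following is an added example in Python, not code from the paper; the sample file is constructed from the description of Fig. 1, and the list of risky extensions is an assumption.

```python
import ntpath
import re

# Keys that make Autoplay start a program as soon as the file is honored.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command adds an item to the drive's right-click menu.
VERB_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")
# Assumption: extensions treated as directly runnable on Windows.
RISKY_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample, modelled on the paper's description of Fig. 1.
SAMPLE_AUTORUN = r"""
[AutoRun]
icon=%SystemRoot%\system32\shell32.dll,4
open=malware.exe
shellexecute=malware.exe
shell\auto\command=malware.exe
shell=auto
"""


def parse_autorun(text):
    """Return the [autorun] section as (key, value) pairs, keys lowercased.

    Lines that are not key=value pairs are skipped, duplicates are kept.
    """
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def command_target(command):
    """Return the program part of a command line, honoring double quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def triage(text):
    """List every entry that launches something, with what it launches."""
    entries = parse_autorun(text)
    default_verb = next((v.lower() for k, v in entries if k == "shell"), None)
    findings = []
    for key, value in entries:
        verb = VERB_CMD_RE.match(key)
        if key not in LAUNCH_KEYS and not verb:
            continue
        target = command_target(value)
        ext = ntpath.splitext(target)[1].lower()
        findings.append({
            "key": key,
            "target": target,
            "executable": ext in RISKY_EXT,
            # True when this verb is the one named by shell=<verb>
            "default_verb": bool(verb) and verb.group(1) == default_verb,
        })
    return findings


def summarize(text):
    """Condense the findings into the points an analyst checks first."""
    findings = triage(text)
    icon = next((v for k, v in parse_autorun(text) if k == "icon"), None)
    return {
        "targets": sorted({f["target"].lower()
                           for f in findings if f["executable"]}),
        "auto_launch": any(f["key"] in LAUNCH_KEYS and f["executable"]
                           for f in findings),
        "menu_hijack": any(f["default_verb"] and f["executable"]
                           for f in findings),
        "icon": icon,
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN):
        print(finding)
    print(summarize(SAMPLE_AUTORUN))
```

A legitimate installer disc can also set open= to an executable, so the summary is a triage aid: it shows what would run and whether the default menu item and a borrowed system icon point at the same program, and the analyst then examines that file.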
Some popular utilities compiled to .u3p format include disk management tools (Partition Magic, Symantec Ghost), registry tools (Clean Registry, Registry Mechanic), anonymous surfing (Anonymizer, HTTP RAT), data recovery (Data Recovery, Pro Data Recovery, Easy Recovery), Web browsers (Firefox, Opera), torrent clients (eMule, FlashGet, Utorrent), instant messengers (Pidgin, MSN Messenger, Yahoo Messenger), password recovery, script editors (Notepad), OpenOffice, virtual DVD (Virtual CD), ISO compilers and CD burners (Ultra ISO, Nero), data compression and encryption (WinRar), and antivirus (Avast, Dr Web Cureit).

Fig. 4 – The crafted Autorun.inf file.

Fig. 5 – trigger.bat file used to launch the payload in no console mode.

Fig. 6 – xcp.bat contains the actual attack payloads.

4.4. Offline cold boot attack

The original concept of booting up from USB used a lightweight edition of Windows XP from CDs for administrative purposes such as data rescue, operating system repair from serious crashes, or virus scanning. This was first possible when Microsoft released Windows PE 1.0 for Windows XP and Windows 2003 in 2002. When USB 2.0 drives became popular and boot from USB became a default feature of computer mainboards, dumping Windows to USB drives became popular in 2006, especially with the support of Bart PE. Windows PE 2.0 (for Windows Vista, Windows 2008) and 3.0 (for Windows 7) also support boot from USB at quite low system requirements, making such solutions popular. After Windows PE, boot from USB has now been possible on various Linux distributions such as Knoppix, Ubuntu, Linux Mint, and Kubuntu.

Cold boot attack from USB is the most dangerous among all attack vectors analyzed in this paper. After a cold boot from a USB drive, the target computer will be under control of the operating system running on the attacker’s USB drive.
Attackers have absolute freedom to do whatever they want on their operating systems and on the victims’ computers, even on computers with encrypted volumes. Moreover, there are a few distributions of these lightweight operating systems shipped with a variety of hack tools including data recovering, data backup, encryption and decryption, secure FTP, SAM editing, network configuration, remote desktop, password retrieval, and key viewer. Some of these versions are Super WinPEwas and Paragon HDD Manager. These versions can be downloaded easily from torrent networks. This allows people with little technical knowledge to participate in this attack vector. Finally, because the operating systems run on attackers’ external USB drives, there is generally no trace left on victim computers after cold boot attacks.

5. Attacks on USB storage devices

Software attacks on USB drives include exploiting the insecure USB protocol to attack the communication channels between USB devices and host computers, attacks on USB security software, and data theft.

5.1. Attack on USB protocol

This attack vector utilizes USB protocol analyzers such as USBlyzer, Advanced USB Port Monitor, and USB Trace to analyze and decode the communication channel between USB devices and host computers to obtain information in transit between the devices and the host computers, such as the password for the security software on the USB drives. The common functions of such utilities include data monitoring, logging, decoding, and saving by protocol and packet analysis. The enabler of this attack vector is the insecure USB protocol, which transmits data between USB devices and host computers in an unencrypted format. This vulnerability has been exploited in many scenarios, allowing attackers to successfully obtain the passwords of password-protected USB drives which do not support data encryption in transit (Halderman et al., 2008).

5.2. Attack on security software on secure USB drives

Exploiting vulnerabilities in USB security software is the most common attack vector targeting secure USB drives. The two main drivers for this attack vector are password recovery and business data recovery. Moreover, there are also some facilitators behind this attack vector. The first one is the ease of access to USB product documentation and software development kits consisting of source codes, header files, and other related information about the EEPROM content of USB devices. The second factor is that all USB standards from 1.0 to 3.0 are open standards provided by the USB Forum and freely available for public access. Lastly, USB standards are rather simple and insecure.
It does not require much knowledge of electronic engineering or programming to design and assemble USB devices and write USB drivers for them.

Vulnerabilities in USB drives’ security software have resulted in security protection bypass on both password-protected and fingerprint-protected USB drives. This gives attackers direct access to the protected data partition. A common exploit is a buffer overflow attack on the security software, conducted by sending known erroneous packets to the USB software (Bakker et al., 2007). When a buffer overflow attack cannot be employed, a password brute-force attack is another option. As many secure USB drives do not support self-lock mechanisms activated after a number of wrong password attempts, attackers can simply run a password brute-force attack until the valid password is found (Bakker et al., 2007). Although a password brute-force attack is generally not feasible against strong passwords of more than 9 characters created from a combination of capital characters, lower case characters, numbers, and special characters, such passwords are rarely used.

5.3. Data theft attack on USB drives

Similar to data theft attacks on computers, data theft attacks on USB drives are mainly conducted with the aid of hack tools running as processes which silently wait for inserted USB drives and upload data from the drives to the host computer or send the data to a remote mailbox or FTP server. The two representative hack tools for this category are USBDumper and USB Hacksaw. USBDumper is a small utility running in the background as a process listening for connected USB drives. On detection of an inserted USB drive, the process starts uploading data from the drive to the host computer transparently to the users. USB Hacksaw is an improvement on USBDumper. This version combines Stunnel, Blat, and Gmail with USBDumper.
The data from USB drives is first uploaded to a folder on the host computer where it is compressed by rar.exe, before being sent to a Gmail account by Blat over an SSL channel created by Stunnel. The mechanism is very simple, using utilities available on the Internet and some simple batch files. The tools may differ, but they share the same mechanism as USBDumper and USB Hacksaw. Even though many of these tools can be detected by antivirus programs, this attack vector is hard to prevent. These tools can be re-coded easily in various scripting languages such as VBScript, batch scripting, and Perl. The attack processes can also be scheduled by operating system task schedulers. This makes the chance of success higher because the action patterns are very similar to those of administrative tasks scheduled by system administrators. Moreover, if the attacks happen on attackers’ computers, security features are normally disabled, allowing the attacks to proceed smoothly.

6. USB based malware common profile

USB based worms account for the major portion of USB based malware, mainly due to their capability of exploiting the Autoplay feature to replicate. Each of these worms comes in large families of up to hundreds of variants, such as the Pushbot family with more than 420 variants, which have very similar infection mechanisms and payloads. This can partly be explained by the availability of USB malware construction kits on the Internet. Fig. 7 shows the common profile of the analyzed USB based malware, simplified to focus on the replication mechanism via USB devices and the payload. At the beginning of an attack cycle, when an infected USB drive is inserted into a computer, the Autoplay feature triggers the Autorun.inf file, which activates the malware.
The very first action of such malware is to install copies of itself into the system folders on the host computer. The Windows registry is then updated to allow these copies to start with the operating system. Many of the analyzed worms update the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key to make their copies start at Windows startup. After the copies are loaded, Process Explorer and Windows Task Manager show their process locations as inside system folders, making users confuse them with legitimate processes. These processes actively listen for inserted USB drives in order to replicate themselves by installing their copies and creating Autorun.inf files on the media. The worms can work as botnet clients, or further code is silently downloaded from remote servers and installed on the infected computers, making the computers clients of the worm authors’ botnets. The majority of the analyzed malware is designed for creating botnets and participating in DDoS attacks. Such a payload is also the common payload for malware of all categories in the period 2008-2009 (Marcus et al., 2009).

Fig. 7. The simplified common profile of USB based malware.

7. Solution

The security framework illustrated in Fig. 8 is a conceptual model which helps mitigate the identified USB based software attacks. The model consists of seven concentric layers where three threat layers and three protection layers are arranged one after another. The identified attacks are categorized into threat layers, and protection measures are categorized into the corresponding protection layers to achieve the best protection results.

Fig. 8. Security framework for mitigating USB based software attacks.
The inner protection layers are designed for mitigating the attacks from the outer threat layers, and therefore an attack may be mitigated by one or multiple security measures at one or more protection layers. The core layer contains operating system files and settings, data on host computers, and data in USB drives. The goal of this framework is to protect the core layer from USB based software attacks located in the three threat layers. The security measures proposed in the three protection layers of the framework are aimed at resolving the root causes of the identified attacks. Table 1 summarizes the solution framework in the format of a solution matrix.

7.1. The first threat and first protection layer

The first threat layer includes multi-payload attacks using U3 hack tools, USB based malware, and data theft attacks. Attacks from this layer are normally handled effectively by the security measures in the first protection layer because most malware scanners recognize the involvement of malware and hack tools in these attacks. Windows XP SP2 and later versions are equipped with some free anti-malware solutions including Windows Defender, Microsoft Security Essentials (MSE), and Windows Firewall. Windows Defender, previously known as Microsoft Antispyware, is a spyware and adware scanner available via Windows update without any maintenance effort. MSE is an anti-malware program which provides real-time protection and auto-update like many other anti-malware programs on the market. A test conducted by AVTest.org in October 2009 showed that MSE achieved a 98.44 per cent detection rate using malware signature based detection (Pham et al., 2010). Moreover, as malicious code tends to communicate with servers on the Internet, Windows Firewall is an effective measure which blocks such communication and prevents the malware from completing its attack cycle.

In terms of hack tools, the results of our experiment with over 3800 hack tools and hack toolkits, including the most common USB based hack tools, demonstrated that most of these hack tools can be detected by the common antivirus software listed in Table 2 below. Many of these hack tools can be directly executed from USB drives or compiled to portable format using compilation tools such as Package factory VMware ThinApp, Landesk Application Virtualization, Ceedo, and InstallFree. More importantly, all the critical USB based hack tools such as GonZors SwitchBlade, USB Pocket Knife, USB Hacksaw, USBDumper, and Port Slurp can be detected by all of these antivirus programs.
A list of these USB hack tools can be found in Table A2, and the categories of the payloads of these hack tools and hack toolkits are listed in Table A3 in the Appendix of this paper.

Besides malware scanners, UAC, AppLocker, and Parse Autorun are recommended security features for Windows Vista and later editions. UAC is a built-in feature first available in Windows Vista. This feature actively monitors process activities and prevents abnormal access to system files and settings which resembles common malware behavior. Some hack tools such as USB SwitchBlade and Network Password Recovery were possible on Windows XP and earlier editions. However, these hack tools now trigger a Windows security alert activated by UAC when they try to access system files and settings.

AppLocker is a new feature of Windows 2008 R2 and Windows 7 which allows administrators to control the execution of specific applications and scripts based on specific computers, users and user groups, and file locations. Moreover, AppLocker also supports application execution permissions based on the application’s valid digital signatures, and therefore unsigned applications including malware and other malicious code are blocked from execution (Pham et al., 2010). AppLocker can therefore be a useful tool for network administrators in enterprise environments to prevent the execution of malware and hack tools while allowing the execution of specific legitimate applications. However, AppLocker is rather complicated for basic users, and the feature is not available in all Windows editions.

Table 1. Solution matrix.

| Attack category | Technology enabler as problem root cause | Attack/problem & threat layer | Protection solutions & protection layer |
|---|---|---|---|
| Attacks by USB based malware | No security management mechanism for USB interface (a) | Layer 1: Malware can spread back and forth between USB drives and internal drives. | Layer 1: AppLocker, antivirus software, firewall, UAC. |
| Attacks by USB based malware | No security mechanism for Windows Autoplay features (b) | Layer 1: This makes USB worms possible (c) | Layer 1: Parse Autorun |
| Attacks on host computers | No security mechanism for Windows Autoplay features (b) | Layer 1: Hack tools can be activated automatically on USB drive insertion. | Layer 1: Parse Autorun |
| Attacks on host computers | No security management mechanism for USB interface (a) | Layer 1: Hack tools can be executed from USB drives which are external drives. | Layer 1: AppLocker, antivirus software, firewall, UAC |
| Attacks on host computers | Data is left unprotected when the operating system is offline | Layer 2: Offline cold boot attacks. | Layer 2: Volume encryption |
| Attacks on host computers | Driver signing is not enforced | Layer 3: This makes USB driver injection possible. | Layer 3: Enforcing driver signing with standardized USB drivers. |
| Attacks on host computers | USB driver is located in kernel mode layer | Layer 3: Attackers gain system privilege once USB driver injection is completed. | Layer 3: Completely move USB driver to User Mode layer. |
| Attacks on USB storage devices | No standardized USB security software | Layer 3: USB security software attacks: buffer overflow and password brute force attacks | Layer 3: Standardize USB driver and security software. |
| Attacks on USB storage devices | No security mechanism for USB protocol | Layer 3: Attack on USB protocol | Layer 3: Standardize USB driver and security software |

(a) USB drives are not properly managed as “external” devices and thus there is no “firewall” between USB drives and computer internal drives.
(b) Windows Autoplay features automatically load any files, including malware, as specified in Autorun.inf files.
(c) USB worms are capable of self-replicating due to Windows Autoplay features.

In this paper, we propose Parse Autorun as an additional feature for Windows which fixes the vulnerability in Windows Autoplay features. This feature prevents unsigned executable files called by Autorun.inf from being activated. Fig. 9 shows the proposed algorithm for Parse Autorun.
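The Parse Autorun check proposed in this section, sketched in Python as an added example (it is not the authors' implementation or code from the paper). The `is_signed` callback, the constructed sample Autorun.inf, the drive letter, and the rule that a target resolving outside the inserted drive is never auto-run are assumptions of this sketch.

```python
import ntpath

# Constructed sample for this example. trigger.bat is the file name used in
# the paper's Fig. 5; every other name and path here is made up.
SAMPLE_INF = r"""
xk29 padding line with no section, must be skipped
[AutoRun]
icon=folder.ico
OPEN=trigger.bat
shellexecute="tools\Setup Launcher.exe" /silent
shell\auto\command=C:\Tools\viewer.exe
[other]
open=ignored.exe
"""


def parse_autorun(text):
    """Return [(key, command)] for the execution commands in [autorun]."""
    commands, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # tolerate junk lines instead of failing to parse
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_shell_verb:
            commands.append((key, value))
    return commands


def command_target(command):
    """Program named by a command line: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def resolve_on_drive(drive_root, target):
    """Resolve target with Windows path rules, relative to the drive root."""
    drive, _ = ntpath.splitdrive(target)
    if not drive:
        target = ntpath.join(drive_root, target.lstrip("\\/"))
    return ntpath.normpath(target)


def parse_autorun_decisions(inf_text, drive_root, is_signed):
    """Decide per command: 'allow' (signed, on the drive) or 'scan_only'."""
    decisions = []
    for key, command in parse_autorun(inf_text):
        path = resolve_on_drive(drive_root, command_target(command))
        on_drive = path.lower().startswith(drive_root.lower())
        # Assumption of this sketch: off-drive targets are never auto-run.
        verdict = "allow" if on_drive and is_signed(path) else "scan_only"
        decisions.append((key, path, verdict))
    return decisions


# Stand-in for a real signature check (on Windows, an Authenticode
# verification); here a constructed allow-list of "signed" paths.
SIGNED = {"E:\\tools\\Setup Launcher.exe"}


def demo():
    return parse_autorun_decisions(SAMPLE_INF, "E:\\", lambda p: p in SIGNED)


if __name__ == "__main__":
    for key, path, verdict in demo():
        print(f"{verdict:9}  {key:20} {path}")
```

Entries marked `scan_only` are handed to the anti-malware scanner and left for the user to open manually, which is the behaviour the section describes for unsigned files.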
When a removable drive with an Autorun.inf file in the root folder is inserted, Autoplay activates Parse Autorun, which parses the Autorun.inf file for execution commands such as open, shellexecute, and shell\auto to locate the executable files called by the Autorun.inf file. The executable files are checked for an application signature, and if they are signed they can be executed by Windows Autoplay. If they are not signed, they are scanned by available anti-malware software such as MSE and are not executed automatically. This helps avoid many attack scenarios which are transparent to victims, because attackers have to manually locate the executable files, which are normally hidden in different places on USB drives, to trigger the attacks. Moreover, the results of our experiment also show that on-demand scans provide much better protection than the real-time protection method, which is only activated when the hack tools are triggered. Therefore, Parse Autorun provides better protection than leaving the hack tools to be detected by antivirus software on activation.

Generally, the main role of the first protection layer is to prevent malicious programs and scripts from executing and accessing critical system locations such as the system32 folder and the Windows Registry.

Table 2. USB hack tools detection by commonly used antivirus software.

| Antivirus software (definition update: May 10, 2010) | Detection ranking | Comments |
|---|---|---|
| Kaspersky Internet Security 2010 | Fair | Detect all critical hack tools |
| Norton Internet Security 2010 | Fair | Detect all critical hack tools |
| McAfee Total Protection 2010 | Fair | Detect all critical hack tools |
| F-Secure Internet Security | Good | Detect all critical hack tools and some other tools |
| ESET NOD32 Antivirus | Good | Detect all critical hack tools and some other tools |
| Microsoft Security Essentials | Fair | Detect all critical hack tools |
| TrendMicro Internet Security Pro 2010 | Good | Detect all critical hack tools and some other tools |
| Bit Defender Internet Security 2010 | Very good | Detect most of the hack tools |
| AVG Internet Security 9.0 | Very good | Detect most of the hack tools |

Fig. 9. Parse Autorun algorithm.

7.2. The second threat and second protection layer

Encryption is the best solution for cold boot attacks where physical security measures are not possible. Encryption prevents attackers from breaching the confidentiality and integrity of the information stored on the host computer and USB drive in case they manage to gain access to the encrypted data. The recommended technologies are volume based encryption solutions such as BitLocker and TrueCrypt, which encrypt whole data volumes. Microsoft Windows supports two volume encryption solutions: BitLocker, introduced in Windows Vista and 2008, and BitLocker To Go in Windows 7. BitLocker To Go also supports data encryption for removable drives in FAT format, which is a good solution for data on USB drives. Currently, BitLocker is identified as vulnerable to cold boot attacks in which the attackers manage to obtain the encryption key from the computer DRAM (Halderman et al., 2008). However, this attack method is rather complex and requires a cooling chemical which is applied to computer memory to cool the DRAM down to -50 °C. To conduct this attack, attackers need to open the computer case, which is not easy in scenarios where the computer cases are locked. Moreover, the encryption-key reconstruction process is rather complex, requiring time and advanced technical knowledge, and no ready-made toolkit for this job has been identified so far.

7.3. The third threat and third protection layer

The third protection layer deals with software attacks on USB security software and USB drivers. In reality, attacks on USB security software have been possible due to the lack of standardization in security design for USB devices. Table 3 summarizes our proposed solutions to secure USB software. The common vulnerabilities behind buffer overflow attacks are due to the lack of input validation, which allows attackers to send erroneous packets to the software to cause a buffer overflow.
A standardized validation module for USB security software is much simpler than one for Web applications and is therefore entirely feasible. Keyloggers may be a threat to password enabled USB drives, though this has not yet been mentioned. Keyloggers can be mitigated by a virtual keyboard with a randomized keyboard layout for every session. Moreover, password brute force attacks can be mitigated simply by a self-lock counter which automatically stops accepting further log-in attempts after a specific number of failed attempts.

The USB protocol attack is probably the most difficult issue so far. Our proposed solution involves the use of asymmetric encryption to encrypt and decrypt the data passed between USB devices and host computers. This avoids the encryption key capturing problem of symmetric encryption solutions and also avoids password capture in transmission between the computer and the USB drive, which is a common vulnerability of some USB drives by ATP Electronics, Samsung Electronics, Samsung Pleomax, LG Electronics, and Imation (Jeong et al., 2007). However, this requires effort to standardize the micro-chip for USB drives, which contains the encryption key pair and cryptography software.

In terms of the USB driver, the implementation should be moved to User Mode, which prevents privilege escalation in case attackers manage to complete a buffer overflow attack on the driver. The previous buffer overflow attacks on the Windows USB driver, though not yet confirmed by Microsoft, were possible on Windows XP and earlier versions but not on Windows Vista and later versions. This can be explained by the Microsoft driver model in Windows Vista and later editions, particularly the User Mode driver model. Fig. 10 illustrates the USB driver model for Windows Vista. In Fig. 10, the drivers for USB devices provided by hardware vendors are located in the User Mode layer, where access to system resources is limited to user rights and privileges only.
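The self-lock counter proposed above for password-protected drives, as an added Python sketch (not code from the paper or from any drive vendor). The threshold of five, the PBKDF2 verifier, the dict standing in for the drive's non-volatile storage, and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5         # assumed threshold; the paper says "a specific number"
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored verifier


def _verifier(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS)


def provision(password):
    """Create the record the drive keeps in non-volatile storage (a dict here)."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": _verifier(password, salt), "failures": 0}


class SelfLockingDrive:
    """Drive-side password check that refuses attempts once the counter is full."""

    def __init__(self, nv_state):
        self.nv = nv_state  # survives unplugging, so the lock does too

    @property
    def locked(self):
        return self.nv["failures"] >= MAX_FAILURES

    def unlock(self, attempt):
        if self.locked:
            return "locked"  # refuse before doing any password work
        # Count the attempt before verifying it, so interrupting the check
        # (for example by pulling the drive) cannot skip the increment.
        self.nv["failures"] += 1
        candidate = _verifier(attempt, self.nv["salt"])
        if hmac.compare_digest(candidate, self.nv["verifier"]):
            self.nv["failures"] = 0  # a legitimate unlock clears earlier typos
            return "unlocked"
        return "locked" if self.locked else "denied"


def run_guesses(drive, guesses):
    """Return (number of guesses the drive evaluated, last result)."""
    evaluated, result = 0, "denied"
    for guess in guesses:
        if drive.locked:
            break
        result = drive.unlock(guess)
        evaluated += 1
        if result == "unlocked":
            break
    return evaluated, result


def demo():
    # Constructed guess list; the correct password is the sixth entry.
    state = provision("Tr1cky-pass")
    guesses = ["123456", "password", "qwerty", "letmein", "usb2011",
               "Tr1cky-pass"]
    outcome = run_guesses(SelfLockingDrive(state), guesses)
    # Re-plugging gives a new session over the same stored state.
    after_replug = SelfLockingDrive(state).unlock("Tr1cky-pass")
    return outcome, after_replug


if __name__ == "__main__":
    print(demo())
```

What happens to a locked drive (wipe, administrator reset) is a policy decision the paper does not specify and this sketch leaves out.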
This model applies to Windows Vista and later. However, in previous Windows versions such as Windows XP and Windows 2003, the USB driver was located in the Kernel Mode layer, where it has unlimited access to system resources. Therefore, successfully compromising USB drivers gives attackers system rights and privileges. On the other hand, crafted USB drivers could be injected into the Windows kernel because of the lack of driver signing enforcement in Windows XP and other 32-bit editions. The enforcement of signed drivers prevents unsigned drivers from being injected into the Windows kernel and thus helps mitigate this threat vector effectively.

Fig. 10. Windows USB driver architecture, adapted from (Architecture of the User Mode Driver Framework, 2007).

Table 3. USB security software threats and solutions.

| Threat | Solution |
|---|---|
| Buffer overflow attack | Software input validation |
| Key logger: password attack | Virtual keyboard: random key layout |
| Password brute force attack | Self lock counter |
| Protocol attack | Asymmetric data encryption |

8. Conclusion and further work

In this paper, we have investigated all the currently identified USB based software attacks and their payloads on host computers and USB devices, and have established a taxonomy of the attacks. We have also created a security framework to handle USB based software attacks on the basis of newer Windows operating systems including Windows Vista, Windows Server 2008, and Windows 7 on both x86 and x64 platforms. The framework was designed to address all the identified USB based software attacks with minimum deployment and maintenance effort. The results also show that reengineering effort must be invested in the standardization process for USB security software to create an industry-wide secure implementation standard for all USB devices.
Finally, USB driver implementation should be moved to User Mode to prevent privilege escalation in case a buffer overflow attack on the driver is successfully conducted.

Appendix.

Table A1. Surveyed USB based malware families.

| No. | Malware family | No. | Malware family |
|---|---|---|---|
| 1 | Auraax (a) | 26 | W32/Frethog (a) |
| 2 | AutoIt (a) | 27 | W32/Hamweq (a) |
| 3 | AutoIt/Renocide (a) | 28 | W32/Hary (a) |
| 4 | Brontok (a) | 29 | W32/Mabezat (a) |
| 5 | Conficker (a) | 30 | W32/Perlovga (a) |
| 6 | Emold (a) | 31 | W32/Regul (a) |
| 7 | Generic!atr (a) | 32 | W32/SillyShareCopy (a) |
| 8 | Invadesys (a) | 33 | W32/Taterf (a) |
| 9 | Mal_Otorun (a) | 34 | W32/Yacspeel.A.dll |
| 10 | Niuniu (a) | 35 | Worm.Autorun.VHG |
| 11 | Pushbot (a) | 36 | Worm.VBS.Autorun.r |
| 12 | PWS-Gamaniav | 37 | Worm.W32.AutoRun (a) |
| 13 | Slenfbot (a) | 38 | Worm.W32.AutoRun.dui |
| 14 | Troj_CoreLink.D | 39 | Worm.W32.AutoRun.eee |
| 15 | Trojan.Autorun.AET | 40 | Worm.W32/Autorun (a) |
| 16 | Trojan.AutorunINF.Gen | 41 | Worm.W32/RJump (a) |
| 17 | VBS.Runauto (a) | 42 | Worm_Agent.TBH |
| 18 | W32.Gammima.AG | 43 | Worm_Autorun.AZB |
| 19 | W32.Saltity.AE | 44 | Worm_Autorun.BSE |
| 20 | W32.SillyDC | 45 | Worm_Autorun.CBZ |
| 21 | W32.SillyFDC | 46 | Worm_Downad.A |
| 22 | W32.Sality.OG | 47 | Worm_QQpass.ADH |
| 23 | W32.Worm.Downadup.Gen | 48 | Worm_VB.BDN |
| 24 | W32/Autorun (a) | | |
| 25 | W32/Conficker.B | | |

(a) The number of variants may vary from three, such as the W32/Hary and W32/Mabezat families, to several hundred, such as the AutoIt and Pushbot families. However, not all variants’ profiles are available in the databases. Only autorun related variants with available profiles in the databases are surveyed.

Table A2. Tested common USB hack toolkits.

| No. | Name & version | No. | Name & version |
|---|---|---|---|
| 1 | Amish 1.0 (No U3) | 26 | PasswordFox v1.20 |
| 2 | Asterisk Logger 1.04 | 27 | Pwdump6 |
| 3 | Blat 262 | 28 | Resource Hacker Version 3.5.2 |
| 4 | Dialupass2 | 29 | RPC-Mail version 0.1 |
| 5 | Enable-Abel SwitchBlade | 30 | SkypeLogView v1.12 |
| 6 | Etherreal on USB | 31 | Slurp Audit |
| 7 | Gandalf 7zBlade | 32 | SniffUSB |
| 8 | GonZors SwitchBlade 1.2 | 33 | Snort 2.8.5 |
| 9 | GonZors SwitchBlade 2.0 | 34 | Stellar Password Recovery v1.5 |
| 10 | HackBlade | 35 | Stunnel 3.10 |
| 11 | IE Cache View | 36 | Stunnel 4.33 |
| 12 | IE PassView v1.17 | 37 | Switchblade alternative 1.3 by Silivrenion |
| 13 | IECookiesView | 38 | TCP Dump version 3.9.4 |
| 14 | IEHistoryView | 39 | USB HackSaw 0.2 |
| 15 | John | 40 | USB Hacksaw Version 0.1 POC |
| 16 | Mail PassView v1.55 | 41 | USB Pocket Knife v0.8.8.0 |
| 17 | MessenPass v1.30 | 42 | USBDeview v1.06 |
| 18 | MozillaCacheView v1.27 | 43 | USBDumper v2.2 |
| 19 | MozillaCookiesView v1.30 | 44 | USBlyzer 1.5 |
| 20 | MozillaHistoryView v1.25 | 45 | Web dumper 2.4 |
| 21 | Nemesis 1.4 | 46 | White Hat Payload 1.3 |
| 22 | Network Password Recovery v1.24 | 47 | Windows password Key |
| 23 | Nmap 3.8.1 | 48 | WireShark 1.2.1 |
| 24 | Nmap 5.0 | 49 | U3 Incident Response Switchblade |
| 25 | Nmapbot version 0.2 | 50 | Kapowdude |

Table A3. Tested hack tool and hack toolkit categories (total number of toolkits: 3802).

| No. | Category of hack tools | No. | Category of hack tools |
|---|---|---|---|
| 1 | Bluetooth exploiting tools | 22 | Phishing tools |
| 2 | Buffer overflow | 23 | Proxy hacking |
| 3 | Credit card information exploiting tools | 24 | Reverse engineering tools |
| 4 | Data collection tools | 25 | RFID hacking tools |
| 5 | Data recovery tools | 26 | Router cracking |
| 6 | Database exploiting tools | 27 | Session hijacking |
| 7 | DoS tools | 28 | Sniffer tools |
| 8 | Encryption tools | 29 | Software cracking kits |
| 9 | Enumeration | 30 | Spamming tools |
| 10 | Foot printing | 31 | Spying tools |
| 11 | Google hacking | 32 | SQL injection |
| 12 | IDS and firewall exploiting | 33 | Steganography tools |
| 13 | Information hiding | 34 | System exploiting tools |
| 14 | Internet anonymity | 35 | System scanning |
| 15 | Linux system exploiting tools | 36 | Trojan and backdoor kits |
| 16 | Mac OS exploiting tools | 37 | Virus and worm kits |
| 17 | Mail hacking | 38 | VOIP hacking tools |
| 18 | Mobile & PDA devices cracking | 39 | Web app vulnerability scanner |
| 19 | Password cracking | 40 | Web browser hacking |
| 20 | Password stealing | 41 | Web server exploiting tools |
| 21 | Penetration testing tools | 42 | Wireless cracking |

References

Alzarouni M. The reality of risks from consented use of USB devices. In: Proceedings of the 4th Australian information security conference; 2006.
Architecture of the User Mode Driver Framework, Version 1.0. Microsoft Corporation, 2007.
Bakker PJ, et al. Investigating ‘secure’ USB sticks; 2007. v.1.4. Fox-IT Forensic IT Experts B.V. Olof Palmestraat 6, 2616 LM Delft, The Netherlands.
Chance R. Understanding USB flash drives as portable infrastructure. 1401 Hardley Ct., Bel Air, MD 21014, US: Browsercraft, LLC; 2005.
Fabian M. Endpoint security: managing USB based removable devices with the advent of portable applications. In: Information security curriculum development conference; 2007.
Gibson WR, Dyar D. Implementing preinstallation environment media for use in user support. In: Proceedings of the 35th annual ACM SIGUCCS conference on user services; 2007.
Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA, Feldman AJ. Lest we remember: cold boot attacks on encryption keys. In: Proc. USENIX Security Symposium; 2008.
Harrison K, Xu S. Protecting cryptographic keys from memory disclosure attacks. In: 37th annual IEEE/IFIP international conference on dependable systems and networks; 2007.
Jeong H, Choi Y, Jeon W, Yang F, Lee W, Kim S. Vulnerability analysis of secure USB flash drives. In: Memory technology, design and testing. IEEE International Workshop; 2007.
Lee S, Savoldi A, Lee S, Lim J. Password recovery using an evidence collection tool and countermeasures. In: Intelligent information hiding and multimedia signal processing, third international conference, vol. 2; 2007.
Marcus D, Greve P, Masiello S, Scharoun D. McAfee threats report: third quarter. McAfee, Inc. McAfee Avert Labs; 2009.
McAfee Threats Report: Second Quarter 2009. McAfee, Inc.
Paget F. Avert passes milestone: 20 million malware samples. McAfee Lab Blog, McAfee, Inc; 2009 [accessed 20.11.09].
Pham DV, Halgamuge MN, Syed A, Mendis P. Optimizing windows security features to block malware and hack tools on USB storage devices. In: Progress in electromagnetics research symposium; 2010.
Roberts PF. USB devices can crack windows. eWEEK, Ziff Davis Enterprise Inc; 2005 [accessed 20.08.09].
Thomas P, Morris A. An investigation into the development of an anti-forensic tool to obscure USB flash drive device information on a windows XP platform. In: Digital forensics and incident analysis, third international annual workshop; 2008. p. 60-6.
Thomas V, Ramagopal P, Mohandas R. The rise of autorun-based malware. McAfee Avert Labs, McAfee, Inc; 2009.
Vega RD. Linux USB device driver - buffer overflow. St Clement House 1-3 Alencon Link Basingstoke RG21 7SB, England: MWR InfoSecurity Security Advisory. MWR InfoSecurity Limited; 2009.
W3Schools. Operating system statistics; 2009 [accessed 10.10.09].
