Digital Forensics and Malware Analysis

When the security of a system is broken or called into question, Digital Forensics is the discipline that helps determine what happened. Digital Forensics has evolved alongside technology, and it must keep doing so to cover the new use cases that arise in the prosecution of cybercriminals. For instance, the Internet of Things (IoT) paradigm brings to the cybercrime scene countless heterogeneous devices for which there are no well-defined digital forensics techniques to acquire and analyse digital evidence. Some solutions have emerged in the past few years, but they are still too specific to serve as a common framework for the digital forensics community. Some digital forensics processes require stopping or interrupting the services of the platforms under analysis. However, the new scenarios include many systems that cannot be interrupted, or from which digital evidence cannot be acquired easily because the interfaces or protocols involved are proprietary or unknown. Also, with the growing number of devices and the massive use of social networks and applications, the volume of data to be analysed during a digital investigation can grow considerably. New solutions to correlate data and to demonstrate the provenance of digital evidence become critical. In this regard, one of the current challenges to investigate is data normalisation for digital evidence management, a problem that also affects current SIEMs. While there are novel solutions for digital forensics, they remain below their potential; new solutions must be designed to take advantage of Open Source Intelligence (OSINT) and Threat Intelligence services.
Moreover, this becomes critical for malware analysis, a newer discipline that has emerged as an evolution of digital forensics but is substantial enough to require its own methodologies and analysis criteria. For example, it is very important to determine whether an attack is targeted or, instead, indiscriminate. Being able to trace the origin of the malware is one of the current open problems. Integrating existing digital forensics techniques and services with new methodologies for these scenarios (and those yet to appear) is crucial to understand the context of a digital investigation and also to improve security solutions, discouraging the disloyal, malicious and unfair use of technologies.



IoT Forensics is the term coined to describe a new branch of computer forensics dedicated to the particular features and requirements of digital investigations in Internet of Things (IoT) scenarios.

The IoTest (EXPLORA) project is focused on this topic. In particular, there are three directions within this research topic at NICS Lab. First, the definition of "Digital Witness" has been formalised in several research papers and journals, of which the most representative is [1]. This definition includes a discussion of the feasibility of the approach, considering the embedded anti-tampering solutions with cryptographic capabilities available in many devices (e.g. TPM, secure element) together with the requirements for digital evidence collection set by several standards. Second, an important part of this solution is to promote citizen collaboration through their personal devices. Given the nature of the digital witness approach, there are several privacy issues that must be considered. To cover them, the solution has been analysed extensively from the privacy point of view in [2], which also defines a solution to enable anonymous witnessing. Furthermore, this analysis showed that there is a lack of solutions that consider the trade-offs between privacy and digital forensics, in particular in IoT-Forensics. To address this, the PRoFIT framework is defined in [3]. This model is then used to adapt the digital witness so that privacy and digital forensics requirements are balanced according to the context of a digital investigation [4]. In [5], privacy-aware digital forensics solutions and challenges are analysed in depth across several contexts, not only IoT-Forensics.

Part of the effort on this topic is devoted to testing the approach in realistic scenarios. To this end, its viability is being studied for different proactive 5G security problems in the digital forensics field [6], [7]. Also, as a proof of concept, a digital witness prototype has been developed for Android on a Google Pixel 3 terminal, using the Titan M security chip as the secure element. The solution is named SELVIA and its source code is available on GitHub.

The patent [8] (a national patent extended to an international one) includes a detailed description of a tentative architecture for digital witnessing, covering the different components that operate within the digital device.
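The property the digital witness relies on, as described in [1] and [2], is that evidence handed from one custodian to the next travels with a Digital Chain of Custody bound to each custodian's credentials, so that a later alteration of either the evidence or the record is detectable. The following is an added illustration of that idea, not the NICS Lab digital witness or SELVIA code. In the real design each device signs with a key held in its secure element; here, to stay self-contained with the Python standard library, each custodian's key is a plain HMAC secret, which models the integrity binding of the chain but not the non-repudiation a secure-element signature provides. The record fields, custodian identifiers and the sample evidence line are assumptions constructed for the demo.

```python
"""Digital chain of custody as a hash chain of keyed custody links.

Added illustration (not the NICS Lab digital witness or SELVIA code).
Each link records who held the evidence, what they did with it, the hash of
the evidence at that step and the tag of the previous link; the custodian then
tags the whole record with its key. Real digital witnesses would sign with a
secure-element key; HMAC is a stdlib-only stand-in used here for the demo.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


@dataclass
class CustodyLink:
    custodian: str        # device or entity id (assumed identifier scheme)
    action: str           # "acquired" / "received" / "transferred"
    timestamp: str        # RFC 3339 string supplied by the caller
    evidence_sha256: str  # hash of the evidence bytes at this step
    prev_tag: str         # tag of the previous link ("" for the first link)
    tag: str = ""         # HMAC over all the fields above, by the custodian


def _canonical(link: CustodyLink) -> bytes:
    """Deterministic encoding of a link without its own tag."""
    fields = asdict(link)
    fields.pop("tag")
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_link(chain, custodian, key, action, timestamp, evidence):
    """Add a link for `custodian`, binding it to the previous link's tag."""
    prev = chain[-1].tag if chain else ""
    link = CustodyLink(custodian, action, timestamp,
                       hashlib.sha256(evidence).hexdigest(), prev)
    link.tag = hmac.new(key, _canonical(link), hashlib.sha256).hexdigest()
    chain.append(link)
    return link


def verify_chain(chain, keys, evidence):
    """Return (ok, reason).

    `keys` maps custodian id -> key, as the authorised entity would hold them
    after enrolment of the binding credentials. Every link must chain to the
    previous one, carry a valid tag from a known custodian, and refer to the
    evidence actually presented.
    """
    expected_hash = hashlib.sha256(evidence).hexdigest()
    prev = ""
    for i, link in enumerate(chain):
        if link.prev_tag != prev:
            return False, f"link {i}: broken chain (prev_tag mismatch)"
        key = keys.get(link.custodian)
        if key is None:
            return False, f"link {i}: unknown custodian {link.custodian}"
        tag = hmac.new(key, _canonical(link), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, link.tag):
            return False, f"link {i}: tag does not verify (record altered)"
        if link.evidence_sha256 != expected_hash:
            return False, f"link {i}: evidence hash differs from presented evidence"
        prev = link.tag
    return True, "ok"


def demo():
    """Build a three-custodian chain and exercise the checks it must fail."""
    # Constructed keys and a constructed evidence line (a BLE observation).
    keys = {"wearable-01": b"k-wearable", "phone-07": b"k-phone", "leo-lab": b"k-leo"}
    evidence = b"2019-03-02T10:15:00Z BLE adv from AA:BB:CC:DD:EE:FF rssi=-61"
    chain = []
    append_link(chain, "wearable-01", keys["wearable-01"], "acquired",
                "2019-03-02T10:15:01Z", evidence)
    append_link(chain, "phone-07", keys["phone-07"], "received",
                "2019-03-02T10:15:05Z", evidence)
    append_link(chain, "leo-lab", keys["leo-lab"], "received",
                "2019-03-02T12:00:00Z", evidence)
    results = {"intact": verify_chain(chain, keys, evidence)[0]}
    # The evidence itself is modified after acquisition.
    results["evidence_altered"] = verify_chain(chain, keys, evidence + b" rssi=-20")[0]
    # A custody record is edited (here: the custodian id) after tagging.
    altered = [CustodyLink(**asdict(l)) for l in chain]
    altered[1].custodian = "phone-99"
    results["record_altered"] = verify_chain(altered, keys, evidence)[0]
    # A link is dropped from the middle of the chain.
    results["link_removed"] = verify_chain([chain[0], chain[2]], keys, evidence)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The four scenarios in `demo()` are the ones a verifier at the authorised entity cares about: an intact chain verifies, while altered evidence, an edited record and a missing link are each rejected with a reason pointing at the offending link.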


Malware-driven Honeypots

In 2016, ransomware grew considerably, affecting almost half of businesses worldwide. Infection via e-mail, phishing and botnet nodes remains the most common way to compromise computers in the business environment. As a consequence, one of the biggest concerns today is how to respond effectively to malware dissemination campaigns. Honeypot systems are designed to capture attacks by simulating real services and/or applications. They employ deception techniques that try to satisfy the attacker's demands, providing valid responses to service requests and apparently accepting the modifications the attacker wants to make on the system.

There are two main scenarios for deploying honeypots: i) replicating live services of the production environment and ii) research environments. The efforts at NICS Lab focus on the second scenario, where the goal is a honeypot configuration that allows attacks to be captured so that the new techniques used can be analysed afterwards. The main issue when designing this type of solution is the lack of information prior to the attack. Currently, there are mainly two approaches to the problem: (a) studying only specific scenarios (web servers, SSH/Telnet protocols, etc.), and (b) implementing specialised trap systems for a reduced set of malware families (e.g. Mirai). However, new malware attacking these honeypots will not necessarily activate all stages of the attack, because some requirement of the environment it expects is not met. To solve part of these problems, the Hogney architecture for the deployment of malware-driven honeypots is proposed in [9]. This new concept refers to honeypots that are dynamically configured according to the environment expected by the malware. The adaptation mechanism is built on services that offer up-to-date and relevant intelligence on current threats. Thus, the Hogney architecture takes advantage of recent Indicators of Compromise (IOC) and of information about suspicious activity currently being studied by analysts. The information gathered from these services is then used to adapt the honeypots so that they fulfil the malware's requirements, inviting it to unleash its full strength. In addition, a methodology to deploy relevant honeypots in IoT environments is proposed in [10]. The methodology is divided into five phases and considers aspects such as the popularity ranking of the chosen devices and the need to avoid our trap nodes being detected as honeypots by some of the most popular IoT scanners (e.g. Shodan).
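The step that makes a honeypot "malware-driven" is turning intelligence about what a sample does and checks for into the environment the trap must present. The planner below is an added example and not the Hogney implementation from [9]: it reads constructed IOC records of the kind a threat-intelligence service might return (which ports a sample connects to, which banner it expects, which files it requires and where it fetches its next stage), lists the unmet requirements that would make the sample stop early against the honeypot as currently deployed, and produces an adapted configuration. The feed format, the honeypot configuration schema, the family names and the behaviours are all assumptions constructed for the demo; the download hosts use RFC 5737 documentation addresses.

```python
"""Deriving a honeypot configuration from threat-intelligence IOCs.

Added example, not the Hogney code from [9]. It shows the adaptation idea in
the text: compare what incoming malware expects with what the honeypot offers,
and reconfigure the trap so that every stage of the attack can run.
"""
from urllib.parse import urlparse

# Constructed IOC records in the shape a threat-intel service might return:
# each lists what a sample was observed to do or to check for.
IOC_FEED = [
    {"family": "iot-bot-a", "observed": [
        {"type": "connect", "proto": "tcp", "dst_port": 23},
        {"type": "banner_expect", "proto": "tcp", "dst_port": 23, "contains": "login:"},
        {"type": "file_required", "path": "/bin/busybox"},
        {"type": "file_required", "path": "/proc/mounts"},
        {"type": "download", "url": "http://203.0.113.10/bins/arm7"},
    ]},
    {"family": "ssh-brute-b", "observed": [
        {"type": "connect", "proto": "tcp", "dst_port": 22},
        {"type": "banner_expect", "proto": "tcp", "dst_port": 22, "contains": "SSH-2.0-OpenSSH"},
        {"type": "download", "url": "http://198.51.100.7/x.sh"},
    ]},
]

# The honeypot as currently deployed (assumed schema): a bare telnet service
# with a generic banner, no staged files, and all outbound traffic blocked.
CURRENT_HONEYPOT = {
    "services": {("tcp", 23): {"banner": "Welcome"}},
    "files": set(),
    "egress_allow": set(),
}


def requirements_from_feed(feed):
    """Collect, per service, file and egress host, which families expect it."""
    req = {"services": {}, "files": {}, "egress": {}}
    for rec in feed:
        fam = rec["family"]
        for obs in rec["observed"]:
            if obs["type"] in ("connect", "banner_expect"):
                key = (obs["proto"], obs["dst_port"])
                svc = req["services"].setdefault(key, {"banner": None, "families": set()})
                svc["families"].add(fam)
                if obs["type"] == "banner_expect":
                    svc["banner"] = obs["contains"]
            elif obs["type"] == "file_required":
                req["files"].setdefault(obs["path"], set()).add(fam)
            elif obs["type"] == "download":
                host = urlparse(obs["url"]).hostname
                req["egress"].setdefault(host, set()).add(fam)
    return req


def gap_analysis(honeypot, req):
    """List the unmet requirements, each with the families it would stop."""
    gaps = []
    for key, svc in req["services"].items():
        deployed = honeypot["services"].get(key)
        if deployed is None:
            gaps.append(("missing_service", key, sorted(svc["families"])))
        elif svc["banner"] and svc["banner"] not in deployed["banner"]:
            gaps.append(("wrong_banner", key, sorted(svc["families"])))
    for path, fams in sorted(req["files"].items()):
        if path not in honeypot["files"]:
            gaps.append(("missing_file", path, sorted(fams)))
    for host, fams in sorted(req["egress"].items()):
        if host not in honeypot["egress_allow"]:
            gaps.append(("egress_blocked", host, sorted(fams)))
    return gaps


def adapt(honeypot, req):
    """Return a new configuration that closes every gap.

    Egress is opened only towards the hosts the samples fetch their next
    stage from, so stage two can be captured without the trap becoming an
    open relay.
    """
    new = {"services": dict(honeypot["services"]),
           "files": set(honeypot["files"]),
           "egress_allow": set(honeypot["egress_allow"])}
    for key, svc in req["services"].items():
        existing = new["services"].get(key, {"banner": ""})
        new["services"][key] = {"banner": svc["banner"] or existing["banner"]}
    new["files"] |= set(req["files"])
    new["egress_allow"] |= set(req["egress"])
    return new


def demo():
    """Gaps before adaptation, gaps after it, and the adapted configuration."""
    req = requirements_from_feed(IOC_FEED)
    before = gap_analysis(CURRENT_HONEYPOT, req)
    adapted = adapt(CURRENT_HONEYPOT, req)
    return before, gap_analysis(adapted, req), adapted


if __name__ == "__main__":
    before, after, adapted = demo()
    for gap in before:
        print("unmet:", gap)
    print("after adaptation:", after)
```

On the constructed feed the current trap has six gaps (a wrong telnet banner, no SSH service, two missing files and two blocked download hosts); after `adapt()` none remain, which is the condition under which both samples would proceed past their first stage. Staging the required files and serving the expected banner is what lets the trap look like the environment the malware probes for, which is also the point of the anti-fingerprinting phase in [10].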


Technical Resources: Digital Forensics and Malware Analysis lab

NICS Lab has a laboratory isolated from the rest of the University of Malaga, used for developing prototypes and running security tests for those projects and research works with other teams that are subject to confidentiality requirements. In this laboratory NICS Lab keeps diverse malware and forensic tools and computing resources for performing very delicate tasks, such as reverse engineering, infrastructure for the virtualised execution of malware, digital evidence recovery and analysis, and forensic examination of memory, hard disks and network traffic. For this purpose, NICS Lab has top-quality software tools like IDA Pro, EnCase Forensic Deluxe and AccessData Forensic Toolkit. We also have a wide set of development kits for analysing wireless communications, operating on different frequencies and covering protocols like ZigBee, Bluetooth Low Energy, 6LoWPAN, RFID and NFC, as well as SDR transceivers, plus tools for analysing serial communications (RS-232), Modbus, USB and Ethernet.

All these tools and resources are also used to build new use cases for training professionals in various specialisation courses.


  1. A. Nieto, R. Roman, and J. Lopez, "Digital Witness: Safeguarding Digital Evidence by using Secure Architectures in Personal Devices",
    IEEE Network, IEEE Communications Society, pp. 12-19, 2016. (I.F.: 7.230)


    Personal devices contain electronic evidence associated with the behaviour of their owners and other devices in their environment, which can help clarify the facts of a cyber-crime scene. These devices are usually analysed as containers of proof. However, it is possible to harness the boom of personal devices to define the concept of digital witnesses, where personal devices are able to actively acquire, store, and transmit digital evidence to an authorised entity, reliably and securely. This article introduces this novel concept, providing a preliminary analysis on the management of digital evidence and the technologies that can be used to implement it with security guarantees in IoT environments. Moreover, the basic building blocks of a digital witness are defined.

    Impact Factor: 7.230
    Journal Citation Reports® Science Edition (Thomson Reuters, 2016)

  2. A. Nieto, R. Rios, and J. Lopez, "Digital Witness and Privacy in IoT: Anonymous Witnessing Approach",
    16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2017), IEEE, pp. 642-649, 08/2017.


    The digital witness approach defines the collaboration between IoT devices - from wearables to vehicles - to provide digital evidence through a Digital Chain of Custody to an authorised entity. As one of the cores of the digital witness, binding credentials unequivocally identify the user behind the digital witness. The objective of this article is to perform a critical analysis of the digital witness approach from the perspective of privacy, and to propose solutions that help include some notions of privacy in the scheme (for those cases where it is possible). In addition, digital anonymous witnessing as a tradeoff mechanism between the original approach and privacy requirements is proposed. This is a clear challenge in this context given the restriction that the identities of the links in the digital chain of custody should be known. 

  3. A. Nieto, R. Rios, and J. Lopez, "A Methodology for Privacy-Aware IoT-Forensics",
    16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2017), IEEE, pp. 626-633, 08/2017.


    The Internet of Things (IoT) brings new challenges to digital forensics. Given the number and heterogeneity of devices in such scenarios, it becomes extremely difficult to carry out investigations without the cooperation of individuals. Even if they are not directly involved in the offense, their devices can yield digital evidence that might provide useful clarification in an investigation. However, when providing such evidence they may leak sensitive personal information. This paper proposes PRoFIT; a new model for IoT-forensics that takes privacy into consideration by incorporating the requirements of ISO/IEC 29100:2011 throughout the investigation life cycle. PRoFIT is intended to lay the groundwork for the voluntary cooperation of individuals in cyber crime investigations.

  4. A. Nieto, R. Rios, and J. Lopez, "IoT-Forensics meets Privacy: Towards Cooperative Digital Investigations",
    Sensors, vol. 18, issue 2, no. 492, MDPI, 02/2018. (I.F.: 3.031)


    IoT-Forensics is a novel paradigm for the acquisition of electronic evidence whose operation is conditioned by the peculiarities of the Internet of Things (IoT) context. As a branch of computer forensics, this discipline respects the most basic forensic principles of preservation, traceability, documentation, and authorization. The digital witness approach also promotes such principles in the context of the IoT while allowing personal devices to cooperate in digital investigations by voluntarily providing electronic evidence to the authorities. However, this solution is highly dependent on the willingness of citizens to collaborate and they may be reluctant to do so if the sensitive information within their personal devices is not sufficiently protected when shared with the investigators. In this paper, we provide the digital witness approach with a methodology that enables citizens to share their data with some privacy guarantees. We apply the PRoFIT methodology, originally defined for IoT-Forensics environments, to the digital witness approach in order to unleash its full potential. Finally, we show the feasibility of a PRoFIT-compliant digital witness with two use cases.

    Impact Factor: 3.031
    Journal Citation Reports® Science Edition (Thomson Reuters, 2018)

  5. A. Nieto, R. Rios, and J. Lopez, "Privacy-Aware Digital Forensics",
    Security and Privacy for Big Data, Cloud Computing and Applications, Lizhe Wang, Wei Ren, Raymond Choo and Fatos Xhafa (eds.), The Institution of Engineering and Technology (IET), 09/2019.
  6. A. Nieto, A. Acien, and G. Fernandez, "Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation",
    Mobile Networks and Applications (MONET), Springer US, pp. 881-889, 10/2018. (I.F.: 2.39)


    Crowdsourcing can be a powerful weapon against cyberattacks in 5G networks. In this paper we analyse this idea in detail, starting from the use cases in crowdsourcing focused on security, and highlighting those areas of a 5G ecosystem where crowdsourcing could be used to mitigate local and remote attacks, as well as to discourage criminal activities and cybercriminal behaviour. We pay particular attention to the capillary network, where an infinite number of IoT objects coexist. The analysis is made considering the different participants in a 5G IoT ecosystem.

    Impact Factor: 2.39
    Journal Citation Reports® Science Edition (Thomson Reuters, 2018)

  7. A. Nieto, A. Acien, and J. Lopez, "Capture the RAT: Proximity-based Attacks in 5G using the Routine Activity Theory",
    16th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC 2018), IEEE, pp. 520-527, 08/2018.


    The fifth generation of cellular networks (5G) will enable different use cases where security will be more critical than ever before (e.g. autonomous vehicles and critical IoT devices). Unfortunately, the new networks are being built on the certainty that security problems can not be solved in the short term. Far from reinventing the wheel, one of our goals is to allow security software developers to implement and test their reactive solutions for the capillary network of 5G devices. Therefore, in this paper a solution for analysing proximity-based attacks in 5G environments is modelled and tested using OMNET++. The solution, named CRAT, is able to decouple the security analysis from the hardware of the device with the aim to extend the analysis of proximity-based attacks to different use-cases in 5G. We follow a high-level approach, in which the devices can take the role of victim, offender and guardian following the principles of the routine activity theory. 

  8. A. Nieto, R. Roman, and J. Lopez, "Testigo digital: procedimientos y dispositivos para la gestión segura de evidencias electrónicas con credenciales vinculantes" (Digital witness: procedures and devices for the secure management of electronic evidence with binding credentials),
    Spain, Autonomous Community/Region of exploitation: Andalusia, Invention Patent, no. P201500764, G06F 21/00, 10/2015.
  9. G. Fernandez, A. Nieto, and J. Lopez, "Modeling Malware-driven Honeypots",
    14th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2017), LNCS vol. 10442, Springer International Publishing, pp. 130-144, 08/2017.


    In this paper we propose the Hogney architecture for the deployment of malware-driven honeypots. This new concept refers to honeypots that have been dynamically configured according to the environment expected by malware. The adaptation mechanism designed here is built on services that offer up-to-date and relevant intelligence information on current threats. Thus, the Hogney architecture takes advantage of recent Indicators Of Compromise (IOC) and information about suspicious activity currently being studied by analysts. The information gathered from these services is then used to adapt honeypots to fulfill malware requirements, inviting them to unleash their full strength.

  10. A. Acien, A. Nieto, G. Fernandez, and J. Lopez, "A comprehensive methodology for deploying IoT honeypots",
    15th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2018), LNCS vol. 11033, Springer Nature Switzerland AG, pp. 229-243, 09/2018.


    Recent news has raised concern regarding security in the IoT field. Vulnerabilities in devices are arising and honeypots are an excellent way to cope with this problem. In this work, current solutions for honeypots in the IoT context, and other solutions adaptable to it, are analysed in order to set the basis for a methodology that allows the deployment of IoT honeypots.