P. Andriotis, G. Oikonomou, T. Tryfonas, S. Li, "Highlighting Relationships of a Smartphone’s Social Ecosystem in Potentially Large Investigations", IEEE Transactions on Cybernetics, IEEE, 46(9), pp. 1974-1985, 2016
Social media networks are becoming increasingly popular because they can satisfy diverse needs of individuals (both personal and professional). Modern mobile devices are empowered with increased capabilities, taking advantage of the technological progress that makes them smarter than their predecessors. Thus, a smartphone user is not only the phone owner, but also an entity that may have different facets and roles in various social media networks. We believe that these roles can be aggregated in a single social ecosystem, which can be derived by the smartphone. In this paper, we present our concept of the social ecosystem in contemporary devices and we attempt to distinguish the different communities that occur from the integration of social networking in our lives. In addition, we propose techniques to highlight major actors within the ecosystem. Moreover, we demonstrate our suggested visualization scheme, which illustrates the linking of entities that live in separate communities using data taken from the smartphone. Finally, we extend our concept to include various parallel ecosystems during potentially large investigations and we link influential entities in a vertical fashion. We particularly examine cases where data aggregation is performed by specific applications, producing volumes of textual data that can be analyzed with text mining methods. Our analysis demonstrates the risks of the rising "bring your own device" trend in enterprise environments.
P. Andriotis, G. Oikonomou, A. Mylonas, T. Tryfonas, "A Study on Usability and Security Features of the Android Pattern Lock Screen", Information and Computer Security, Emerald, 24(1), pp. 53-72, 2016
The Android pattern lock screen (or graphical password) is a popular user authentication method that relies on the advantages provided by the visual representation of a password, which enhance its memorability. Graphical passwords are vulnerable to attacks (e.g. shoulder surfing); thus, the need for more complex passwords becomes apparent. This paper aims to focus on the features that constitute a usable and secure pattern and investigate the existence of heuristic and physical rules that possibly dictate the formation of a pattern.
H. Read, K. Xynos, I. Sutherland, F. Roarson, P. Andriotis, G. Oikonomou, "An Extensible Platform for the Forensic Analysis of Social Media Data", in Human Aspects of Information Security, Privacy, and Trust - HAS 2015, ser. Lecture Notes in Computer Science, 9190, pp. 404-414, 2015
Visualising data is an important part of the forensic analysis process. Many cell phone forensic tools have specialised visualisation components, but are as of yet able to tackle questions concerning the broad spectrum of social media communication sources. Visualisation tools tend to be stove-piped, it is difficult to take information seen in one visualisation tool and obtain a different perspective in another tool. If an interesting relationship is observed, needing to be explored in more depth, the process has to be reiterated by manually generating a subset of the data, converting it into the correct format, and invoking the new application. This paper describes a cloud-based data storage architecture and a set of interactive visualisation tools developed to allow for a more straightforward exploratory analysis. This approach developed in this tool suite is demonstrated using a case study consisting of social media data extracted from two mobile devices.
P. Andriotis, G. Oikonomou, "Messaging Activity Reconstruction with Sentiment Polarity Identification", in Human Aspects of Information Security, Privacy, and Trust - HAS 2015, ser. Lecture Notes in Computer Science, 9190, pp. 475-486, 2015
Sentiment Analysis aims to extract information related to the emotional state of the person that produced a text document and also describe the sentiment polarity of the short or long message. This kind of information might be useful to a forensic analyst because it provides indications about the psychological state of the person under investigation at a given time. In this paper we use machine-learning algorithms to classify short texts (SMS), which could be found in the internal memory of a smartphone and extract the mood of the person that sent them. The basic goal of our method is to achieve low False Positive Rates. Moreover, we present two visualization schemes with the intention to provide the ability to digital forensic analysts to see graphical representations of the messaging activity of their suspects and therefore focus on specific areas of interest reducing their workload.
P. Andriotis, T. Tryfonas, G. Oikonomou, I. King, "A framework to describe multimedia circulation in the smartphone ecosystem", in Advances in Digital Forensics XI, ser. IFIP Advances in Information and Communication Technology, 462, pp. 251-267, 2015
Contemporary mobile devices allow almost unrestricted sharing of multimedia and other types of files. But as smartphones and tablets can easily access the Internet or exchange files wirelessly, they've also transformed to useful tools for criminals, aiming at performing illegal activities such as sharing contraband or distributing child abuse images. Thus, the need to investigate the source and destination of a multimedia file that resides in the internal memory of a smartphone becomes apparent. In this paper we present a framework that illustrates and visualizes the flow of digital images as evidence obtained from the artefacts retrieved from Android smartphones during a forensic investigation. Our approach uses 'big data' concepts to facilitate the processing of diverse (semi-structured) evidence derived from mobile devices and extends the idea of Digital Evidence Bags (DEB). We obtained our data after running an experiment that included image exchanging through numerous channels such as Bluetooth, Internet and cloud services. Our study presents information about the locations where evidence resides and uses graph databases to store metadata and therefore, visualize the relationships that connect images with apps and events.
P. Andriotis, T. Tryfonas, G. Oikonomou, "Complexity metrics and user strength perceptions of the pattern-lock graphical authentication method", in Proc. 16th International Conference on Human-Computer Interaction (HCI 2014), ser. Lecture Notes in Computer Science, 8533, pp. 115-126, 2014 (invited)
One of the most popular contemporary graphical password approaches is the Pattern-Lock authentication mechanism that comes integrated with the Android mobile operating system. In this paper we investigate the impact of password strength meters on the selection of a perceivably secure pattern. We first define a suitable metric to measure pattern strength, taking into account the constraints imposed by the Pattern-Lock mechanism's design. We then implement an app via which we conduct a survey for Android users, retaining demographic information of responders and their perceptions on what constitutes a pattern complex enough to be secure. Subsequently, we display a pattern strength meter to the participant and investigate whether this additional prompt influences the user to change their pattern to a more effective and complex one. We also investigate potential correlations between our findings and results of a previous pilot study in order to detect any significant biases on setting a Pattern-Lock.
P. Andriotis, T. Tryfonas, G. Oikonomou, S. Li, Z. Tzermias, K. Xynos, H. Read, V. Prevelakis, "On the Development of Automated Forensic Analysis Methods for Mobile Devices", in Proc. 7th International Conference on Trust & Trustworthy Computing (TRUST 2014), ser. Lecture Notes in Computer Science, 8564, pp. 212-213, 2014
P. Andriotis, T. Tryfonas, G. Oikonomou, T. Spyridopoulos, A. Zaharis, A. Martini, I. Askoxylakis, "On Two Different Methods for Steganography Detection in JPEG Images with Benford's Law", in Proc. 7th Scientific NATO Conference in Security and Protection of Information (SPI 2013), Brno, Czech Republic, pp. 3-14, 2013
The practice of steganography, which in a computer context usually means manipulating multimedia content to embed hidden messages, may be used by criminals worldwide to facilitate their communication instead of, or complementary to, encryption. There is even speculation that global terrorist groups have been using steganography to communicate in covert ways. This paper will introduce steganography and discuss practical aspects of its detection. It will also discuss two recently proposed methods for detecting whether hidden messages exist in JPEG images using Benford's Law. The Law describes the logarithmic distribution of leading digits in sets of naturally set numbers and has been used with success in detecting financial fraud and election rigging in the past. The first approach examines the lead digit distribution of the raw contents of the bytes of a suspect image, whilst the second examines the distribution of lead digits of quantised discrete cosine transform (DCT) coefficients of the JPEG encoding. Both methods produce fast and credible results and are supported by open source toolkits that can be used by law enforcement and investigative authorities worldwide.
P. Andriotis, G. Oikonomou, T. Tryfonas, "JPEG Steganography Detection with Benford's Law", Digital Investigation, Elsevier, 9(3-4), pp. 246-257, 2013
In this paper we present a novel approach to the problem of steganography detection in JPEG images by applying a statistical attack. The method is based on the empirical Benford's Law and, more specifically, on its generalised form. We prove and extend the validity of the logarithmic rule in colour images and introduce a blind steganographic method which can flag a file as a suspicious stego-carrier. The proposed method achieves very high accuracy and speed and is based on the distributions of the first digits of the quantised Discrete Cosine Transform coefficients present in JPEGs. In order to validate and evaluate our algorithm, we developed steganographic tools which are able to analyse image files and we subsequently applied them on the popular Uncompressed Colour Image Database. Furthermore, we demonstrate that not only can our method detect steganography but, if certain criteria are met, it can also reveal which steganographic algorithm was used to embed data in a JPEG file.
P. Andriotis, Z. Tzermias, A. Mparmpaki, S. Ioannidis, G. Oikonomou, "Multilevel Visualization Using Enhanced Social Network Analysis with Smartphone Data", International Journal of Digital Crime and Forensics, IGI Global, 5(4), pp. 34-54, 2013
While technology matures and becomes more productive, mobile devices can be affordable and, consequently, fully integrated in people's lives. After their unexpected bloom and acceptance, Online Social Networks are now sources of valuable information. We therefore use them for tasks varying from direct marketing to forensic analysis. We have already seen Social Network Forensics techniques focused on particular networks implementing methods that collect data from user accounts. During the forensic analysis it is common to aggregate information from different sources but, usually, this procedure causes correlation problems. Here, we present our method to correlate data gathered from various social networks in combination with smartphones creating a new form of social map of the user under investigation. In addition, we introduce a multi level graph that utilises the correlated information from the smartphone and the social networks and demonstrates in three dimensions the relevance of each contact with the suspect.
P. Andriotis, T. Tryfonas, G. Oikonomou, C. Yildiz, "A Pilot Study on the Security of Pattern Screen-Lock Methods and Soft Side Channel Attacks", in Proc. 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 13), pp. 1-6, 2013
Graphical passwords that allow a user to unlock a smartphone's screen are one of the Android operating system's features and many users prefer them instead of traditional text-based codes. A variety of attacks has been proposed against this mechanism, of which notable are methods that recover the lock patterns using the oily residues left on screens when people move their fingers to reproduce the unlock code. In this paper we present a pilot study on user habits when setting a pattern lock and on their perceptions regarding what constitutes a secure pattern. We use our survey's results to establish a scheme, which combines a behaviour-based attack and a physical attack on graphical lock screen methods, aiming to reduce the search space of possible combinations forming a pattern, to make it partially or fully retrievable.
P. Andriotis, G. Oikonomou, T. Tryfonas, "Forensic Analysis of Wireless Networking Evidence of Android Smartphones", in Proc. IEEE International Workshop on Information Forensics and Security (WIFS 12), Tenerife, Spain, pp. 109-114, 2012
This paper introduces a method for acquiring forensic-grade evidence from Android smartphones using open source tools. We investigate in particular cases where the suspect has made use of the smartphone's Wi-Fi or Bluetooth interfaces. We discuss the forensic analysis of four case studies, which revealed traces that were left in the inner structure of three mobile Android devices and also indicated security vulnerabilities. Subsequently, we propose a detailed plan for forensic examiners to follow when dealing with investigations of potential crimes committed using the wireless facilities of a suspect Android smartphone. This method can be followed to perform physical acquisition of data without using commercial tools and then to examine them safely in order to discover any activity associated with wireless communications. We evaluate our method using the Association of Chief Police Officers' (ACPO) guidelines of good practice for computer-based, electronic evidence and demonstrate that it is made up of an acceptable host of procedures for mobile forensic analysis, focused specifically on the device's Bluetooth and Wi-Fi facilities.
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without explicit permission from the copyright holder.