@article{MausHoefkenSchuba2011, author = {Maus, Stefan and H{\"o}fken, Hans-Wilhelm and Schuba, Marko}, title = {Forensic Analysis of Geodata in Android Smartphones}, pages = {1 -- 11}, year = {2011}, language = {en} } @article{SchaeferHoefkenSchuba2011, author = {Schaefer, Thomas and H{\"o}fken, Hans-Wilhelm and Schuba, Marko}, title = {Windows Phone 7 from a Digital Forensics' Perspective}, publisher = {Springer}, address = {Berlin}, year = {2011}, language = {en} } @inproceedings{SchuetzBreuerHoefkenetal.2013, author = {Sch{\"u}tz, P. and Breuer, M. and H{\"o}fken, Hans-Wilhelm and Schuba, Marko}, title = {Malware proof on mobile phone exhibits based on GSM/GPRS traces}, series = {The Second International Conference on Cyber Security, Cyber Peacefare and Digital Forensic (CyberSec 2013) : 04.03. - 06.03.2013, Kuala Lumpur, Malaysia}, booktitle = {The Second International Conference on Cyber Security, Cyber Peacefare and Digital Forensic (CyberSec 2013) : 04.03. - 06.03.2013, Kuala Lumpur, Malaysia}, publisher = {The Society of Digital Information and Wireless Communication}, isbn = {978-0-9853483-7-3}, pages = {89 -- 96}, year = {2013}, language = {en} } @inproceedings{StoebeHoefkenSchubaetal.2013, author = {St{\"o}be, Rolf and H{\"o}fken, Hans-Wilhelm and Schuba, Marko and Breuer, Michael}, title = {Artificial ageing of mobile devices using a simulated GSM/GPRS network}, series = {Eighth International Conference on Availability, Reliability and Security (ARES) : 2-6 Sept. 2013, Regensburg}, booktitle = {Eighth International Conference on Availability, Reliability and Security (ARES) : 2-6 Sept. 2013, Regensburg}, publisher = {IEEE}, pages = {493 -- 497}, year = {2013}, language = {en} } @inproceedings{BonneyHoefkenPaffenetal.2015, author = {Bonney, Gregor and H{\"o}fken, Hans-Wilhelm and Paffen, Benedikt and Schuba, Marko}, title = {ICS/SCADA Security - Analysis of a Beckhoff CX5020 PLC}, series = {1st International Conference on Information Systems Security and Privacy : ICISSP 2015}, booktitle = {1st International Conference on Information Systems Security and Privacy : ICISSP 2015}, organization = {International Conference on Information Systems Security and Privacy <1, 2015, Angers>}, pages = {1 -- 6}, year = {2015}, language = {en} } @inproceedings{LindenlaufHoefkenSchuba2015, author = {Lindenlauf, Simon and H{\"o}fken, Hans-Wilhelm and Schuba, Marko}, title = {Cold Boot Attacks on DDR2 and DDR3 SDRAM}, series = {10th International Conference on Availability, Reliability and Security (ARES) 2015}, booktitle = {10th International Conference on Availability, Reliability and Security (ARES) 2015}, doi = {10.1109/ARES.2015.28}, pages = {287 -- 292}, year = {2015}, language = {en} } @book{GalleyMinoggioSchubaetal.2016, author = {Galley, Birgit and Minoggio, Ingo and Schuba, Marko and Bischoff, Barbara and H{\"o}fken, Hans-Wilhelm}, title = {Unternehmenseigene Ermittlungen : Recht - Kriminalistik - IT}, publisher = {Erich Schmidt Verlag}, address = {Berlin}, isbn = {978-3-503-16531-5}, pages = {XIII, 372 S.}, year = {2016}, language = {de} } @inproceedings{BraunHoefkenSchubaetal.2015, author = {Braun, Sebastian and H{\"o}fken, Hans-Wilhelm and Schuba, Marko and Breuer, Michael}, title = {Forensische Sicherung von DSLRoutern}, series = {Proceedings of D-A-CH Security 2015. St. Augustin 8. und 9. September 2015}, booktitle = {Proceedings of D-A-CH Security 2015. St. Augustin 8. und 9. September 2015}, pages = {11 S.}, year = {2015}, language = {de} } @inproceedings{BeckerHoefkenSchuetzetal.2016, author = {Becker, Sebastian and H{\"o}fken, Hans-Wilhelm and Sch{\"u}tz, Philip and Schuba, Marko}, title = {IT-forensische Erkennung modifizierter Android-Apps}, series = {Proceedings of DACH Security 2016, Klagenfurt, Austria, September 2016}, booktitle = {Proceedings of DACH Security 2016, Klagenfurt, Austria, September 2016}, editor = {Schartner, P.}, pages = {120 -- 125}, year = {2016}, abstract = {Malware auf Smartphones ist ein Problem, dem auch Strafverfolgungsbeh{\"o}rden immer h{\"a}ufiger gegen{\"u}berstehen. Insbesondere Telefone, bei denen potentiell schadhafte Apps zu einem finanziellen Schaden gef{\"u}hrt haben, finden sich auf den Schreibtischen der Polizei wieder. Dabei m{\"u}ssen die Ermittler m{\"o}glichst schnell und gezielt erkennen k{\"o}nnen, ob eine App tats{\"a}chlich schadhaft manipuliert wurde, was manipuliert wurde und mit wem die App kommuniziert. Klassische Malware-Erkennungsverfahren helfen zwar bei der generellen Erkennung schadhafter Software, sind aber f{\"u}r die polizeiliche Praxis nicht geeignet. Dieses Paper stellt ein Programm vor, welches gerade die forensischen Fragestellungen ber{\"u}cksichtigt und so f{\"u}r den Einsatz in der Strafverfolgung in Frage kommt.}, language = {de} } @inproceedings{BroennerHoefkenSchuba2016, author = {Broenner, Simon and H{\"o}fken, Hans-Wilhelm and Schuba, Marko}, title = {Streamlining extraction and analysis of android RAM images}, series = {Proceedings of the 2nd international conference on information systems security and privacy}, booktitle = {Proceedings of the 2nd international conference on information systems security and privacy}, organization = {ICISSP International Conference on Information Systems Security and Privacy <2, 2016, Rome, Italy>}, isbn = {978-989-758-167-0}, doi = {10.5220/0005652802550264}, pages = {255 -- 264}, year = {2016}, language = {en} } @inproceedings{SchwankeHoefkenSchuba2017, author = {Schwanke, Peter and H{\"o}fken, Hans-Wilhelm and Schuba, Marko}, title = {Security Analysis of the ADS Protocol of a Beckhoff CX2020 PLC}, pages = {1 -- 5}, year = {2017}, abstract = {ICSs (Industrial Control Systems) and its subset SCADA systems (Supervisory Control and Data Acquisition) are getting exposed to a constant stream of new threats. The increasing importance of IT security in ICS requires viable methods to assess the security of ICS, its individual components, and its protocols. This paper presents a security analysis with focus on the communication protocols of a single PLC (Programmable Logic Controller). The PLC, a Beckhoff CX2020, is examined and new vulnerabilities of the system are revealed. Based on these findings recommendations are made to improve security of the Beckhoff system and its protocols.}, language = {en} } @inproceedings{GranatHoefkenSchuba2017, author = {Granat, Andreas and H{\"o}fken, Hans-Wilhelm and Schuba, Marko}, title = {Intrusion Detection of the ICS Protocol EtherCAT}, pages = {1 -- 5}, year = {2017}, abstract = {Control mechanisms like Industrial Controls Systems (ICS) and its subgroup SCADA (Supervisory Control and Data Acquisition) are a prerequisite to automate industrial processes. While protection of ICS on process management level is relatively straightforward - well known office IT security mechanisms can be used - protection on field bus level is harder to achieve as there are real-time and production requirements like 24x7 to consider. One option to improve security on field bus level is to introduce controls that help to detect and to react on attacks. This paper introduces an initial set of intrusion detection mechanisms for the field bus protocol EtherCAT. To this end existing Ethernet attack vectors including packet injection and man-in-the-middle attacks are tested in an EtherCAT environment, where they could interrupt the EtherCAT network and may even cause physical damage. Based on the signatures of such attacks, a preprocessor and new rule options are defined for the open source intrusion detection system Snort demonstrating the general feasibility of intrusion detection on field bus level.}, language = {en} } @incollection{SchubaHoefken2022, author = {Schuba, Marko and H{\"o}fken, Hans-Wilhelm}, title = {Cybersicherheit in Produktion, Automotive und intelligenten Geb{\"a}uden}, series = {IT-Sicherheit - Technologien und Best Practices f{\"u}r die Umsetzung im Unternehmen}, booktitle = {IT-Sicherheit - Technologien und Best Practices f{\"u}r die Umsetzung im Unternehmen}, publisher = {Carl Hanser Verlag}, address = {M{\"u}nchen}, isbn = {978-3-446-47223-5}, doi = {10.3139/9783446473478.012}, pages = {193 -- 218}, year = {2022}, language = {de} } @inproceedings{SchubaHoefkenLinzbach2022, author = {Schuba, Marko and H{\"o}fken, Hans-Wilhelm and Linzbach, Sophie}, title = {An ICS Honeynet for Detecting and Analyzing Cyberattacks in Industrial Plants}, series = {2021 International Conference on Electrical, Computer and Energy Technologies (ICECET)}, booktitle = {2021 International Conference on Electrical, Computer and Energy Technologies (ICECET)}, publisher = {IEEE}, isbn = {978-1-6654-4231-2}, doi = {10.1109/ICECET52533.2021.9698746}, pages = {6 Seiten}, year = {2022}, abstract = {Cybersecurity of Industrial Control Systems (ICS) is an important issue, as ICS incidents may have a direct impact on safety of people or the environment. At the same time the awareness and knowledge about cybersecurity, particularly in the context of ICS, is alarmingly low. Industrial honeypots offer a cheap and easy to implement way to raise cybersecurity awareness and to educate ICS staff about typical attack patterns. When integrated in a productive network, industrial honeypots may not only reveal attackers early but may also distract them from the actual important systems of the network. Implementing multiple honeypots as a honeynet, the systems can be used to emulate or simulate a whole Industrial Control System. This paper describes a network of honeypots emulating HTTP, SNMP, S7communication and the Modbus protocol using Conpot, IMUNES and SNAP7. The nodes mimic SIMATIC S7 programmable logic controllers (PLCs) which are widely used across the globe. The deployed honeypots' features will be compared with the features of real SIMATIC S7 PLCs. Furthermore, the honeynet has been made publicly available for ten days and occurring cyberattacks have been analyzed}, language = {en} }