Electromagnetic Side-Channel A�acks:Potential for Progressing Hindered Digital Forensic Analysis

Asanka SayakkaraForensics & Security Research Group

School of Computer ScienceUniversity College Dublin

Irelandasanka.sayakkara@ucdconnect.ie

Nhien-An Le-KhacForensics & Security Research Group

School of Computer ScienceUniversity College Dublin

Irelandan.lekhac@ucd.ie

Mark ScanlonForensics & Security Research Group

School of Computer ScienceUniversity College Dublin

Irelandmark.scanlon@ucd.ie

ABSTRACTDigital forensics is fast-growing �eld involving the discovery andanalysis of digital evidence acquired from electronic devices to assistinvestigations for law enforcement. Traditional digital forensicinvestigative approaches are o�en hampered by the data containedon these devices being encrypted. Furthermore, the increasinguse of IoT devices with limited standardisation makes it di�cultto analyse them with traditional techniques. �is paper arguesthat electromagnetic side-channel analysis has signi�cant potentialto progress investigations obstructed by data encryption. Severalpotential avenues towards this goal are discussed.

CCS CONCEPTS•Security and privacy→ Side-channel analysis and counter-measures; Hardware a�acks and countermeasures;

KEYWORDSElectromagnetic Side-channels, Unintentional Hardware Emissions,So�ware De�ned Radio, Digital ForensicsACM Reference format:Asanka Sayakkara, Nhien-An Le-Khac, and Mark Scanlon. 2018. Electro-magnetic Side-Channel A�acks: Potential for Progressing Hindered DigitalForensic Analysis. In Proceedings of �e International Workshop on Specula-tive Side Channel Analysis, Amsterdam, Netherlands, 2018 (WoSSCA), 6 pages.DOI: 10.1145/nnnnnnn.nnnnnnn

1 INTRODUCTION�e increasing consumer reliance on electronic devices has risento a level where it is easier for a�ackers to compromise the pri-vacy and security of an individual’s digital information than byany other means. Private information is stored in a wide varietyof digital platforms including mobile phones, personal computers,social media pro�les, cloud storage, etc. [27]. �e recent emergenceof Internet of �ings (IoT) devices, which integrates into the fabricof everyday life, enables the digital recording of even more per-sonal information. �e �eld of information security deals with thechallenge of keeping this sensitive data from falling into the hands

Permission to make digital or hard copies of part or all of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor pro�t or commercial advantage and that copies bear this notice and the full citationon the �rst page. Copyrights for third-party components of this work must be honored.For all other uses, contact the owner/author(s).WoSSCA, Amsterdam, Netherlands© 2018 Copyright held by the owner/author(s). 978-x-xxxx-xxxx-x/YY/MM. . .$15.00DOI: 10.1145/nnnnnnn.nnnnnnn

of unauthorized parties. However, when criminal and illegal activ-ities involve electronic and computing devices, law enforcementauthorities require access to each suspect’s private data, under war-rant, in order to collect potentially pertinent evidence [29]. In thisregard, the �elds of information security and digital forensics arejuxtaposed with each other.

Modern personal computers and mobile devices provide facil-ity to encrypt the hard disks and other non-volatile data storage.While this functionality was �rst o�ered as an option to users oninitial setup of these devices, it is increasingly the default behaviour,especially on mobile environments, such as iOS and Android [2].While IoT devices have limited data processing power and storagecapabilities, lightweight cryptographic mechanisms are utilized inmany platforms. Encrypted data has long been identi�ed as a po-tentially rich source of evidence. Many cases have been hamperedwhen encrypted data was encountered [17]. With respect to IoTdevices, even if encryption is not employed, the lack of standardisedinterfaces to access the stored data can still pose a challenge.

Side-channel analysis has been proven to be e�ective againstmany security mechanisms on computing systems. Accessing unau-thorized regions of volatile and non-volatile storage, interceptingregular operations of applications and processes, and many otheruseful possibilities exist [22]. Among various side-channel a�acks,electromagnetic (EM) side-channel analysis is an important classof a�acks that does not require an a�acker to have physical ac-cess to the target device. �is means that passive observation ofunintentional EM wave emissions from a target device opens up awindow to an a�acker to infer the activities being performed andthe data being handled on the target [34]. Without running anyspeci�c so�ware on the target device or without tapping into itsinternal hardware, EM side-channel a�acks can provide a seamlessaccess point for the a�acker. Recent advances in the domain showsthat such a�acks are capable of retrieving sensitive data, such asencryption keys [24].

Most mobile devices and IoT devices seized for forensic investi-gations tend to be powered on when they are found. However, legalrequirements for digital forensic investigation demand that, ideally,investigations should be performed without inadvertently, or in-tentionally, modifying any information. Meeting this requiremento�en prevents an investigator from compromising the so�ware andhardware while acquiring evidence [9]. Due to the nature of EMside-channel analysis, it has a desirable hands-o� quality from aforensic perspective and has the potential to act as a manner to un-obtrusively access the internal information from a device. A varietyof avenues ranging from simple activity recognition to breaking

WoSSCA, 2018, Amsterdam, Netherlands Sayakkara, Le-Khac & Scanlon

EM Trace Acquisition

Seize the device

hidden layer output layer

Take Notes and Photographs of theDevice Appearance.

Acquire diskimages Disk image analysis

EM Side-Channel Analysis

Investigation Report

Figure 1: A typical digital forensic investigation starts with a seized device as part of a legal process. Major focus of theinvestigation goes to the analysis of non-volatile storage, i.e., hard disk. However, with the incorporation of EM side-channelanalysis into the process, live data forensics can be performed if the device is switched on at the time it was seized.

encryption could be bene�cial to a digital forensic investigator.In this work, various potential applications for EM side-channelanalysis in the domain of digital forensics are discussed in.

2 DIGITAL FORENSIC ANALYSISA typical digital forensic investigation starts when a law enforce-ment encounters an electronic device in a crime scene or seized itfrom a person under investigation. �ese devices can vary fromtraditional personal computers and mobile devices to IoT devices,such as smart home devices and wearables. �e seized devices areusually handed over to a digital forensic laboratory where special-ists perform the investigation on the device [9]. Initially, picturesand notes were taken about the physical conditions of the device.For personal computers, the investigation mainly focuses on thedata stored in the non-volatile memory, i.e., the hard disk or solidstate drive. A forensically-sound disk image is acquired, whichis analysed using specialised so�ware tools to identify pertinentinformation.

�e sole purpose of acquiring a disk image from the deviceunder investigation is to prevent the investigative procedure frominadvertently making changes to the device. Popular tools such asEnCase and �e Sleuth Kit are designed to extract information fromdisk images. In contrast to personal computers, the forensic analysisof mobile devices typically requires specialised hardware toolsdue to the fact that di�erent makes and models of mobile deviceshas di�erent internal structures. Even though there are variouscommercial tools available for mobile devices, they need to beupdated each time a new device model comes into the market. �emaintainers of commercial tools for forensic evidence acquisitionon mobile devices are struggling to keep up with the highly dynamicecosystem of mobile devices [2].

IoT devices have become ubiquitous in everyday life and collecta large volume of information that can be useful in a forensic inves-tigation [19]. For example, a �tness wearable can contain highly

precise information regarding the movements of the owner, whichcan assist in identifying where the person was at a particular pointin time. Similarly, a smart TV or a smart light bulb may containinformation regarding the usage pa�erns of the owner and mighthint at the presence of the owner in a premises at a particular time.However, IoT focused digital forensic tools are extremely limited.In fact, many IoT devices are not usable in investigations due tounavailability of support from commercial vendors or open-sourceprojects. �e large variety of IoT devices in the market makes itvirtually impossible to support all of them within a limited tool set.

Whenever encryption is involved in the storage of a devicebeing investigated, forensic tools are unable to extract informa-tion [17]. From the investigator’s perspective, a very limited num-ber of workarounds are potentially viable. �e obvious approachcan be asking the device owner for the decryption key or password.However, if the device owner is not corporative, this approach isnot viable. Another possible approach can involve seeking the as-sistance of the device vendor to unlock the access to data usingwhatever the capabilities the vendor holds. However, many recentcases indicates that even the device vendors does not have accessto the encrypted data storage on devices they produce. Under thesecircumstances, forensic investigations may end up unable to collectthe required evidence from the devices they have seized [33].

Figure 1 illustrates the work�ow of actions taken in a typicaldigital forensic analysis of a device. �e usual sequence of actionsto analyse non-volatile storage has to be altered if the device usesencryption to protect data. If the device is turned on at the time itwas seized, there’s an opportunity to use EM side-channel analysisas a live data forensic technique on the device.

3 ELECTROMAGNETIC SIDE-CHANNELSPassing time varying electric currents through conductors causeEM waves to radiate into the environment. As computing devicesconsist of electronic circuits, they unintentionally generate EM

EM Side-Channel A�acks: Potential for Progressing Hindered Digital Forensic Analysis WoSSCA, 2018, Amsterdam, Netherlands

0 5 10 15 20 25 30 35Time (s)

25000200001500010000

50000

5000

Am

plit

ude

2.0 2.5 3.0 3.5 4.0 4.5 5.0 5.5 6.0Time (s)

4000300020001000

010002000

Am

plit

ude

2.10 2.15 2.20 2.25 2.30 2.35 2.40 2.45 2.50Time (s)

4000300020001000

010002000

Am

plit

ude

Figure 2: Waveform of the AM demodulated signal from theCPU of Raspberry Pi. �e signal represents the AES encryp-tions performed on the device with approximately 1 secondgaps.

emissions during their internal operations [10]. Depending on theexact component on a device that contributes, the resulting EMemission can unintentionally contain information about the ac-tivities associated with that component. For example, computerdisplays are a source of strong EM emissions that are known tofacilitate reconstruction of the images being [15, 26, 32]. Similarly,central processing units (CPUs) of computers are known to providehints on the CPU activities being performed [5]. From a digitalforensic perspective, EM emissions associated with the CPU opera-tions are of speci�c interest.

In order to use EM emissions as a side-channel informationsource for an a�acker, it is necessary to capture the signals withsu�cient accuracy. Professionals in radio frequency (RF) engineer-ing and related �elds uses oscilloscopes and spectrum analysers asthe typical tools to measure EM emissions from electronic devicesfor purposes such as electromagnetic compatibility (EMC) testing.However, cheap and o�-the-shelf devices, so�ware de�ned radios(SDR), are ge�ing increasingly popular among EM side-channelsecurity researchers due to their lower cost and ease of use withcon�gurable so�ware components [31].

When an acquired EM signal from a target device, i.e., EM trace,is illustrated as a waveform or as a spectrogram, it is possibleto visually distinguish individual operations of the CPU. Usingthese illustrations straightforwardly to eavesdrop on the the CPUactivities is called simple electromagnetic analysis (SEMA). �is hasbeen widely used to demonstrate a�acks to computer systems [13].By monitoring instructions being executed on the CPU, an a�ackergains several capabilities including reverse engineering unknownso�ware, monitoring the control �ow of known so�ware, etc.

�e most powerful EM emission source of a computing deviceis the processor, which operates with the help of fast clock pulses.For example, consider a Raspberry Pi device as a target that hasa processor running at 1.4 GHz. Tuning an SDR to the relevant

frequency near the target reveals that there is a strong EM signal atthe processor clock frequency. Taking it as the carrier wave, otheroperations within the CPU gets modulated into it, which can beobserved a�er demodulating the EM traces. If a target device isperforming cryptographic operations, the captured EM traces cancontain the information relevant to the cryptographic algorithmsin some type of modulation. Figure 2 illustrates the amplitudedemodulated EM traces of the target device when it was performingadvanced encryption standard (AES) encryption operations. �eblobs visible in the waveform across time are the signature of AESencryption blocks as modulated into the CPU clock frequency.

Di�erential electromagnetic analysis (DEMA) is an advanced tech-nique to eavesdrop on critical variables being handled by algorithmsrunning on a CPU [13, 14]. For example, when a cryptographicalgorithm performs data encryption continuously over a time pe-riod using a single encryption key, the observed EM traces have astrong correlation to that speci�c reused encryption key. DEMAa�acks utilise this correlation between the secret key and the EMtraces to reduce the number of bruteforce guesses an a�acker hasto make in order to determine the secret key’s bit pa�ern. It hasbeen shown that DEMA is successful against many cryptographicalgorithms including AES, RSA and many others [23, 36].

Recognising the threat of EM side-channel a�acks to computersystems, various countermeasures have been proposed that involvesboth hardware and so�ware modi�cations [23, 25, 35]. Among var-ious so�ware based countermeasures, two important methods are,masking variables and randomizing the operations of algorithms inorder to make it di�cult for an external observer to identify them.Similarly, major hardware countermeasures include minimizing theEM emission intensity by employing obfuscation techniques andthe use of dual line logic. Even though proper implementation ofsuch countermeasures can place a barrier to the a�ackers, manycomputing devices do not implement these technique – leaving thewindow for EM side-channel a�acks open. Furthermore, it has beenshown that even when such countermeasures are implemented ondevices, it does not completely prevent EM side-channel a�acks.�ey simply increase the di�cultly for the a�acker by requiringmore observations and a larger number of EM traces to carry outthe same a�ack procedure.

Figure 3 illustrates a forensic investigative se�ing for EM side-channel analysis. �e device under investigation (DUI) is placedinside an EMC/Anechoic chamber to prevent external EM inter-ference and vibrations from a�ecting the accuracy of the EM mea-surement. �e signals are captured using a magnetic loop antennaconnected to a so�ware de�ned radio (SDR). Captured signals areconverted to an Inphase and �adrature (I/Q) data stream that issubsequently analysed on a host computer system.

4 ELECTROMAGNETIC SIDE-CHANNELS FORFORENSICS

With the current challenges in digital forensics and the state-of-the-art of EM side-channel analysis, it is important to identify the futurepotential impact for digital forensics from these a�acks. �is sectionhighlights some of the potential ways this impact may occur in thefuture under several key themes. Many of these approaches are

WoSSCA, 2018, Amsterdam, Netherlands Sayakkara, Le-Khac & Scanlon

Target Device

SDR Device

Magnetic Loop Antenna

EMC / Anechoic Chamber

EM Side-Channel Analysis on a Computer

Figure 3: An illustration of howanEMside-channel analysiswould be performed in a forensic investigative setting. Tar-get device is placed inside an EMC/Anechoic chamber andobserved using an SDR device that is connected to an EManalysis so�ware framework.

already starting to be realised and others are ambitious predictionsthat can prove signi�cantly bene�cial.

4.1 More Frequent Cryptographic OperationsEM side-channel a�acks require a large number of traces acquiredfrom a target device while the device is performing cryptographicoperations using a single key. It has been demonstrated that sucha�acks are viable under laboratory conditions. However in mostPC operating systems, it is rare to �nd practical situations where ana�acker can observe EM emissions from a device for an extendedperiod of time (since cryptographic operations typically occur lesso�en than in the laboratory experimental conditions). �e mostcommon encryption occurring on many personal devices are securesocket layer (SSL) based web tra�c.

Encrypted storage is becoming commonplace in both desktopand mobile devices. Access to encrypted �le systems causes anincreased number of cryptographic CPU operations. Live dataforensic techniques can help to perform investigations on suchdevices [12]. However, forensic investigators o�en encounter pow-ered on but locked devices. As long as the device is reading andwriting to the encrypted storage, EM emissions should re�ect thecryptographic operations on the device. �erefore, an a�ackercan straightforwardly force the victim device to perform crypto-graphic operations in order to acquire side-channel traces for keyextraction.

4.2 Combined Side-Channel AttacksInstead of using a single side-channel a�ack in isolation, combi-nations of multiple side-channel a�acks directed towards a singlecomputer system can prove more fruitful. It has been proven thatpower and EM side-channel analysis can be combined to achievebe�er results [1]. �ere can be some operations of the CPU thatare more clearly re�ected in the device’s power consumption thanin the EM emission and vice versa.

Sometimes, combining conventional a�acks, e.g., spyware andworms, with EM side-channel a�acks can provide new kinds ofcompound a�acks that are di�cult to counteract. For example, amalware running on a victim computer can aid an EM side-channela�acker to extract additional information over the EM side-channelalone. �is can be achieved through running specially selectedinstruction sequences on the CPU to intentionally emit encodedEM signals. Yang et al. [37] illustrated a mechanism to intentionallymodulate EM emissions of electronic and electromechanical devicesto ex�ltrate data from the device to an external receiver. �is hintsat the potential for employing these unintentional EM side-channelsto intentionally and covertly transmit data wherever necessary.

�ere are two potential avenues for malware assisted EM side-channel a�acks. Firstly, malicious JavaScript can be embeddedin a website, using cross-site scripting (XSS) or otherwise, andread the contents of a user’s screen and encode that informationinto deliberate CPU EM emissions. Furthermore, TEMPEST stylea�acks on computer monitors can be combined with other a�acks toincrease the a�ack surface for air-gapped computer equipment [11].For example, malware running on a target computer could read local�les and encode that information into the computer’s video output.Image steganographic techniques can be used to hide the encodeddata from the human user’s view [6]. Meanwhile, a TEMPEST stylea�ack can be performed on the computer’s monitor in order toextract the video frames ultimately leaking data to the a�acker.

4.3 File SignaturesMany types of digital multimedia content including images, audio,and video �les are stored in a compressed format for e�cient storageand distribution [3]. As a result, when a computer starts playingan audio/video �le in a speci�c format, e.g., MPEG-2 Audio LayerIII, AAC, MPEG-4, etc., or a�empts to display a compressed imageformat, e.g., JPEG, GIF, etc., corresponding decompression so�warehas to process the content. Since the so�ware’s execution path willbe governed by the media �le content, the instruction executionsequence will also depend on the media �le. �erefore, it is possiblethat the CPU might emit EM pa�erns unique to a speci�c �le beinghandled. �is could potentially lead to the ability to identify the�les being handled by a device.

While there have been a�empts to make EM emission signaturesfor hardware devices and speci�c so�ware running on them forpro�ling purposes, such as RF-DNA technique [8], the possibilityof pro�ling speci�c media �les using the EM emission caused bythem is a potential avenue for future exploration. Searching for aknown �le, such as known illegal content, in a target device is achallenge that the digital forensics community has been a�emptingto solve in e�cient and e�ective ways as manual comparison iso�en overly arduous for the expert investigators [18]. When a

EM Side-Channel A�acks: Potential for Progressing Hindered Digital Forensic Analysis WoSSCA, 2018, Amsterdam, Netherlands

device is handling a �le, passive observations of EM emissions canhelp to pro�le the �le being handled by the device. �is can belater be compared with a known set of �le signatures to con�rmthe access or processing of a speci�c �le on the target device.

4.4 Packet Analysis at Network Devices�ere are a wide variety of special purpose computers being usedin various specialised application environments including networkrouters and switches. �ere can o�en be an operational need toinvestigate a live network. �is focuses on the data-link and IPlayers in the networking stack. In such cases, it is necessary torun network analysis so�ware tools on speci�c interfaces at hostcomputers [7]. Analysing the network purely based on the tra�cgoing through routers and switches in order to observe live eventsis a challenging task. In situations like this, the EM emissionsof routers and switches might be able to provide an approximatepicture of the workload and tra�c on the network. It has beenshown that EM emissions observed from Ethernet cables can lead toidentify the MAC addresses of frames being handled by networkingdevices [28]. In that demonstration, a�ackers has used a techniquesimilar to SEMA.

When IP packets are being switched at routers, the router hasto update certain �elds in the packet including time-to-live (TTL)and the header checksum. A�er updating these �elds, the routerforwards the packet to the relevant network interface. If the EMemission pa�erns of the router forwarding a packet to an interfaceand processing a packet are distinguishable, there are opportunitiesto perform interesting analysis on routers by observing their EMemissions. Packets that contains a speci�c payload, such as mal-ware that comes from or addressed to a speci�c host, and networkbased a�acks, e.g., DoS a�acks, might be identi�able. Similarly, ana�acker could gather EM emissions from a router to eavesdrop onthe data being delivered through a wired network. Such possibili-ties are important from a digital forensic perspective when networkanalysis tools cannot be a�ached to a live system for analysis.

4.5 Easy Access to Electromagnetic SpectrumEM side-channel analysis a�acks traditionally involve expensivehardware including RF probes, oscilloscopes, spectrum analysers,and data acquisition modules. Such devices are mostly used in EMinsulated laboratory environments. Moreover the con�gurationand operation of these devices requires specialized domain knowl-edge. Information security specialists and digital forensic analystsmight not have access to such hardware and might not posses thespecialized knowledge required for their operation. While DIY en-thusiast a�empts have been made to build such tools for lower costs,such e�orts come with a penalty of lower precision and accuracy.�is situation places a signi�cant barrier to the wide adoption ofEM side-channel analysis.

Recent advancements in SDR hardware enables new opportu-nities for accessing radio spectrum for non-specialists. A�ordableSDR hardware and freely available so�ware libraries can be usedto process and decode various wireless communication protocols.�e ever-increasing processing power and memory capacity onpersonal computers supports the use of SDR so�ware tools at highsampling rates. EM side-channel analysis a�ackers have recently

started to use SDR tools as a more a�ordable alternative to theexpensive RF signal acquisition hardware. Following this trend,digital forensic analysis should be possible through the leveragingof EM side-channels detected on SDR based hardware and so�wareplatforms.

4.6 Advancements in Machine LearningRecent advances that have been made in the area of arti�cial in-telligence (AI) have demonstrated promising applications to manyother domains across computer science. Various tasks where hu-man intuition was required to perform decision making are nowbeing replaced with machine learning and deep learning basedalgorithms. So�ware libraries and frameworks are becoming in-creasingly available in order to assist the building of applicationsthat have intelligent capabilities. Examples include the automateddetection of malicious programs, image manipulation, and networkanomaly detection.

EM side-channel analysis techniques, such as SEMA and spec-trogram pa�ern observations, that previously required human in-tervention can be automated through the development of AI tech-niques. It is possible to extract be�er information from EM tracesthan the current manual observations are capable of achieving.�ere are several examples of existing work that has already lever-aged AI techniques to recognize EM trace pa�erns, which stronglyhints the future role that can be played by AI algorithms in EMside-channel analysis for digital forensics [4, 16, 20, 21, 30].

5 DISCUSSION AND FUTUREWORKWhen digital evidence is presented to a court of law as a part ofan investigation, the evidence acquisition procedure can get thor-oughly questioned and challenged. �is is due to the fact thatlegal processes follow strict procedures to ensure fairness to allparties involved. As a result, digital forensic evidence acquisitionprocedures are demanded to be documented and auditable. Currentdigital evidence acquisition procedures, practices and tools in useare time-tested to be resilient against such legal challenges. �ere-fore, whenever a completely new way of acquiring digital evidenceis introduced, it has to be thoroughly scrutinized to face reliabilitychallenges in a court of law.

Many of the EM side-channel a�acks that have been demon-strated in the literature are performed in controlled laboratoryconditions where the a�acker had the choice of target device selec-tion. �erefore, the a�ackers had the freedom to avoid potentialpitfalls that could a�ect the end result. In order to make sucha�acks realistic and reliable enough to perform on any arbitrarydevice encountered, further research is necessary. Sometimes, asuccessful execution of an EM side-channel a�ack can be easier fora malicious objective while the same a�ack can be unreliable andinsu�ciently trustworthy for a digital forensic investigation. �issituation hints that for EM side-channel analysis to be leveraged fordigital forensic purposes, well tested tools and frameworks need tobe developed so that the digital forensic community can graduallybuild trust with the technique.

Our future work is towards this goal of leveraging EM side-channel analysis as a reliable digital forensic practice to overcomethe currently faced challenges. Due to the lack of realistic and

WoSSCA, 2018, Amsterdam, Netherlands Sayakkara, Le-Khac & Scanlon

reliable a�ack demonstrations, further evaluations are necessaryto con�rm that various published a�acks are applicable on a widevariety of devices on the market. �e manner to increase the relia-bility of these a�acks needs to be explored. Many digital forensicspecialists working for law enforcement and industry may not beexperienced in operating radio frequency data acquisition devices.�erefore, easily operable tools are necessary.

6 CONCLUSION�is work discussed the challenges faced by digital forensic in-vestigators due to encrypted storage on computing devices andIoT devices with non-uniform internal designs. EM side-channelanalysis techniques, which have been successfully demonstrated toleak critical information from computing devices, is considered apromising solution. Various applicable scenarios of the techniquein the context of digital forensic domain are identi�ed. While theEM side-channel analysis domain is still in its infancy to addressthe demanding encryption issue in digital forensics, the aforemen-tioned application scenarios indicate that it shows strong promiseto produce useful, case progressing results in the future.

REFERENCES[1] Dakshi Agrawal, Josyula R Rao, and Pankaj Rohatgi. 2003. Multi-channel a�acks.

In International Workshop on Cryptographic Hardware and Embedded Systems(CHES). Springer, 2–16.

[2] Mohd Shahdi Ahmad, Nur Emyra Musa, Rathidevi Nadarajah, Rosilah Hassan,and Nor E�endy Othman. 2013. Comparison between android and iOS Operat-ing System in terms of security. In 8th International Conference on InformationTechnology in Asia (CITA). IEEE, 1–4.

[3] Vasudev Bhaskaran and Konstantinos Konstantinides. 1997. Image and videocompression standards: algorithms and architectures. Vol. 408. Springer Science &Business Media.

[4] Robert Callan, Farnaz Behrang, Alenka Zajic, Milos Prvulovic, and AlessandroOrso. 2016. Zero-overhead pro�ling via em emanations. In Proceedings of the25th International Symposium on So�ware Testing and Analysis. ACM, 401–412.

[5] Robert Callan, Alenka Zajic, and Milos Prvulovic. 2014. A practical methodologyfor measuring the side-channel signal available to the a�acker for instruction-level events. In 47th Annual IEEE/ACM International Symposium on Microarchi-tecture (MICRO). IEEE, 242–254.

[6] Abbas Cheddad, Joan Condell, Kevin Curran, and Paul Mc Kevi�. 2010. Digitalimage steganography: Survey and analysis of current methods. Signal Processing90, 3 (2010), 727–752.

[7] Vicka Corey, Charles Peterman, Sybil Shearin, Michael S Greenberg, and JamesVan Bokkelen. 2002. Network forensics analysis. IEEE Internet Computing 6, 6(2002), 60–66.

[8] Randall D Deppensmith and Samuel J Stone. 2014. Optimized �ngerprint gen-eration using unintentional emission radio-frequency distinct native a�ributes(RF-DNA). In Aerospace and Electronics Conference, NAECON 2014-IEEE National.IEEE, 327–330.

[9] Xiaoyu Du, Nhien-An Le-Khac, and Mark Scanlon. 2017. Evaluation of DigitalForensic Process Models with Respect to Digital Forensics as a Service. In Pro-ceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS2017). ACPI, Dublin, Ireland, 573–581.

[10] Robin Getz and Bob Moeckel. 1996. Understanding and eliminating EMI inMicrocontroller Applications. National Semiconductor (1996).

[11] Mordechai Guri, Assaf Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky, andYuval Elovici. 2015. GSMem: Data Ex�ltration from Air-Gapped Computers overGSM Frequencies.. In USENIX Security Symposium. 849–864.

[12] Brian Hay, Ma� Bishop, and Kara Nance. 2009. Live analysis: Progress andchallenges. IEEE Security & Privacy 7, 2 (2009).

[13] Paul Kocher, Joshua Ja�e, and Benjamin Jun. 1999. Di�erential power analysis.In Advances in Cryptology (CRYPTO ‘99). Springer, 789–789.

[14] Paul Kocher, Joshua Ja�e, Benjamin Jun, and Pankaj Rohatgi. 2011. Introductionto di�erential power analysis. Journal of Cryptographic Engineering 1, 1 (2011),5–27.

[15] Markus G Kuhn and Ross J Anderson. 1998. So� tempest: Hidden data transmis-sion using electromagnetic emanations. In International Workshop on InformationHiding. Springer, 124–142.

[16] Liran Lerman, Gianluca Bontempi, and Olivier Markowitch. 2011. Side channela�ack: an approach based on machine learning. In Proceedings of 2nd InternationalWorkshop on Constructive Side-Channel Analysis and Security Design (COSADE).Schindler and Huss, 29–41.

[17] David Lillis, Bre� Becker, Tadhg O’Sullivan, and Mark Scanlon. 2016. CurrentChallenges and Future Research Areas for Digital Forensic Investigation. In�e 11th ADFSL Conference on Digital Forensics, Security and Law (CDFSL 2016).ADFSL, Daytona Beach, FL, USA, 9–20.

[18] David Lillis, Frank Breitinger, and Mark Scanlon. 2018. Hierarchical Bloom FilterTrees for Approximate Matching. Journal of Digital Forensics, Security and Law13, 1 (01 2018).

[19] Aine MacDermo�, �ar Baker, and Qi Shi. 2018. IoT Forensics: Challenges For�e IoA Era. In New Technologies, Mobility and Security (NTMS), 2018 9th IFIPInternational Conference on. IEEE, 1–5.

[20] Houssem Maghrebi, �ibault Portiglia�i, and Emmanuel Prou�. 2016. Breakingcryptographic implementations using deep learning techniques. In InternationalConference on Security, Privacy, and Applied Cryptography Engineering. Springer,3–26.

[21] Alireza Nazari, Nader Sehatbakhsh, Monjur Alam, Alenka Zajic, and MilosPrvulovic. 2017. EDDIE: EM-Based Detection of Deviations in Program Execu-tion. In Proceedings of the 44th Annual International Symposium on ComputerArchitecture. ACM, 333–346.

[22] Romain Poussier, Vincent Grosso, and Francois-Xavier Standaert. 2015. Com-paring approaches to rank estimation for side-channel security evaluations.In International Conference on Smart Card Research and Advanced Applications.Springer, 125–142.

[23] Jean-Jacques �isquater and David Samyde. 2001. Electromagnetic Analysis(EMA): Measures and counter-measures for smart cards. Smart Card Program-ming and Security (2001), 200–210.

[24] C. Ramsay and J. Lohuis. White Paper: TEMPEST a�acks against AEScovertly stealing keys for 200 euros. Technical Report. Fox-IT, Netherlands.10 pages. h�ps://www.fox-it.com/nl/wp-content/uploads/sites/12/Tempesta�acks against AES.pdf

[25] Hendra Saputra, Narayanan Vijaykrishnan, M Kandemir, Mary Jane Irwin, RBrooks, Soontae Kim, and Wei Zhang. 2003. Masking the energy behavior ofDES encryption. In Proceedings of the conference on Design, Automation and Testin Europe-Volume 1. IEEE Computer Society, 10084.

[26] Asanka Sayakkara, Nhien-An Le-Khac, and Mark Scanlon. 2018. AccuracyEnhancement of Electromagnetic Side-channel A�acks on Computer Monitors.In �e 2nd International Workshop on Criminal Use of Information Hiding (CUING),part of the 13th International Conference on Availability, Reliability and Security(ARES) (ARES ’17). ACM, Hamburg, Germany.

[27] Mark Scanlon, Jason Farina, and M-Tahar Kechadi. 2015. Network InvestigationMethodology for BitTorrent Sync: A Peer-to-Peer Based File SynchronisationService. Computers & Security 54 (10 2015), 27 – 43. DOI:h�p://dx.doi.org/10.1016/j.cose.2015.05.003

[28] Ma�hias Schulz, Patrick Klapper, Ma�hias Hollick, Erik Tews, and Stefan Katzen-beisser. 2016. Trust the wire, they always told me!: On practical non-destructivewire-tap a�acks against Ethernet. In Proceedings of the 9th ACM Conference onSecurity & Privacy in Wireless and Mobile Networks. ACM, 43–48.

[29] Somayeh Soltani and Seyed Amin Hosseini Seno. 2017. A survey on digitalevidence collection and analysis. In 7th International Conference on Computerand Knowledge Engineering (ICCKE). IEEE, 247–253.

[30] Barron Stone and Samuel Stone. 2016. Comparison of Radio Frequency BasedTechniques for Device Discrimination and Operation Identi�cation. In 11thInternational Conference on Cyber Warfare and Security: ICCWS2016. AcademicConferences and Publishing Limited, 475.

[31] Walter HW Tu�lebee. 2003. So�ware de�ned radio: enabling technologies. JohnWiley & Sons.

[32] Wim Van Eck. 1985. Electromagnetic radiation from video display units: Aneavesdropping risk? Computers & Security 4, 4 (1985), 269–286.

[33] Eva A Vincze. 2016. Challenges in digital forensics. Police Practice and Research17, 2 (2016), 183–194.

[34] Satohiro Wakabayashi, Seita Maruyama, Tatsuya Mori, Shigeki Goto, MasahiroKinugawa, and Yu-ichi Hayashi. 2017. POSTER: Is Active Electromagnetic Side-channel A�ack Practical?. In Proceedings of the 2017 ACM SIGSAC Conference onComputer and Communications Security. ACM, 2587–2589.

[35] Marc Wi�eman and Martijn Oostdijk. 2008. Secure application programming inthe presence of side channel a�acks. In RSA Conference, Vol. 2008.

[36] Marc F Wi�eman, Jasper GJ van Woudenberg, and Federico Menarini. 2011.Defeating RSA Multiply-Always and Message Blinding Countermeasures. InCryptographers� Track at the RSA Conference (CT-RSA), Vol. 6558. Springer, 77–88.

[37] Chouchang Jack Yang and Alanson P Sample. 2017. EM-Comm: Touch-basedCommunication via Modulated Electromagnetic Emissions. Proceedings of theACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 1, 3 (2017),118.