Digital Forensics The Science of Searching Computers For evidence
Kit Petrie
Uses of Digital Forensics
Criminal Investigations
•Copyright infringement •Espionage •Fraud
Network Forensics Network assesment Hackers Industrial Espionage
What do Digital Forensics Experts Do?
Gather evidence Preserve data integrity (Chain of evidence) Identify critical information Analyze evidence Present evidence
Gather evidence
Normal collection vs Selective collection Siezure of physical computer/hard drives Examine/copy RAM from live systems Maintain/copy live state for Encryption Use of a hardware write blocking device Online data (email, ISP logs) Subpoena/request data
Preserve data integrity
Authenticity and Integrity.
Hardware write blocking device.
Hash Encrypt and sign original Evidence
Document all activities performed on data
Store evidence in a secure environment to prevent tampering and leaking(Ethics?)
Identify critical information
Search for information related to alleged crime Identify suspects and tie them to login credentials Maintain privacy of info not related to alleged crime (Ethical Considerations) Encryption, files or full disk.
Analyze evidence Goals
Establish facts to prove crime occurred
Identify suspects
Build a time line of events
Techniques
Data mining search
File classification
Clustering text based search
Clustering text based search Text pattern matching == Grep! But how to rank the results? Adaptive User Interest Hierarchy (AUIH)
Investigator groups interesting results into categories
Machine Learning tries to match similar search results Best matches are highest ranked Feedback from Investigator helps the program improve it's rankings.
Present evidence Prosecution:
Explain importance of data to the prosecuting attorney before court. (Provide analogy) Prepare a statement presenting the evidence in a technically accessible manner.
Points to prove (specific to each criminal act)
Interpret the data (Static vs Dynamic IPs)
Show the time line
Make recommendations about the digital evidence.
What do Digital Forensics Experts Do?
Gather evidence Preserve data integrity (Chain of evidence) Identify critical information Analyze evidence Present evidence
Digital Forensics Tools Commercial Packages
Encase
Forensics Tool Kit (FTK)
Open Source Software
Sleuth Kit libraries
Autopsy GUI
Digital Forensics Tools Encase Forensic- Guidance Software
Industry Standard Software
Mobile/Cybersecurity/eDiscovery
EnScript scripting language requires programming experience
Court approved forensic file format.
Extensive training program.
Digital Forensics Tools Forensic Tool Kit (FTK)- AccessData
Memory analysis
Custom tablet for mobile phone acquisition
Built in decryption and password cracking
Email analysis
Built for distributed analysis
Digital Forensics Tools The Sleuth Kit -Open Source
C Libraries for forensics investigation
“Autopsy” GUI
Hadoop framework for large data sets
Online Wiki and training available
Libraries can be used in automated Forensics tasks
Uses SQLite database
Network Forensics
Information gathering
Vulnerability assessment
Network bottlenecks
Network usage profiling
Legal evidence
Monitoring networks for illegal activity
Gathering evidence of illegal file transfer
Monitoring communications
Intrusion detection
Hax0rs!
Only info remaining if log files are
Information gathering
Assess and improve the usage of your network
Test your network to find vulnerabilities before someone else does Penetration testing
Legal evidence
Monitor communications, chat forums, email, VoIP for illegal or suspicious activities Gather evidence of illegal file transfer such as copyright infringement or child pornography
Monitoring networks for signs of espionage
“Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile”
- director of Information Systems Analysis Center, Sandia National Laboratories
Need for Intrusion Detection
Network intrusion can cost lots of money
PlayStation Network breach cost Sony $171m
Industrial espionage can cost companies their competitive advantage
“Every major company in the United States has already been penetrated by China.” -Richard Clarke, Counterterrorism Czar
Intrusion detection
Honeypots
Systems set up as targets for intruders
Monitor what an intruder does
Attempt to identify the intruder
Tampering detection
Monitoring the integrity of log files and system files Alert administrator when critical files are changed
Intrusion detection
Outbound Packet Inspection
Outgoing firewall that inspects all outbound communications Uses a Man in the Middle attack to intercept all encrypted communications
Network Mapping
Examine and identify all hosts on a network to guard against rogue access
Determine which hosts offer what services and why
Network Forensics Tools
Wireshark/Snort (Ethical/unEthical Uses)
“Sniff” all TCP/IP packets on a network
Make a record of suspicious/all packets
Nmap
Map a network
Determine what services are available and being used
Honeypots/Honeyd
Creates virtual hosts on a network Designed to lure intruders and track their activities
Network Forensics Tools
Metasploit (Ethics?)
Test known exploits against a network
Use existing components to write exploits
Sqlmap/sqlninja(Ethics?)
Take over back end databases
Aircrack(Ethics?)
Penetration testing for SQL injection attacks
WEP and WPA Encryption cracking
Tripwire/AIDE
Monitor key files and directories for
Network Forensics
Information gathering
Vulnerability assessment
Network bottlenecks
Network usage profiling
Legal evidence
Monitoring networks for illegal activity
Gathering evidence of illegal file transfer
Monitoring communications
Intrusion detection
Hax0rs! Only info remaining if log files are deleted
End of Presentation Digital Forensics: A growing field for computer scientists in Law Enforcement. Questions:
1)Criminal forensics? 2)Network forensics? 3)Forensic tools?
References Halboob, W.; Abulaish, M.; Alghathbar, K.S.; , "Quaternary privacy-levels preservation in computer forensics investigation process," Internet Technology and Secured Transactions (ICITST), 2011 International Conference for , vol., no., pp.777-782, 11-14 Dec. 2011
URL: http://0ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnu mber=6148437&isnumber=6148349 CPP! Dan Manson; Anna Carlin; Steve Ramos; Alain Gyger; Matthew Kaufman; Jeremy Treichelt; , "Is the Open Way a Better Way? Digital Forensics Using Open Source Tools," System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on , vol., no., pp.266b, Jan. 2007 doi: 10.1109/HICSS.2007.301
URL: http://0ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnu mber=4076922&isnumber=4076362