The Science of Searching Computers
For evidence
Kit Petrie


• Copyright infringement
• Espionage
• Fraud


Network assesment

Hackers

Industrial Espionage


Gather evidence

Preserve data integrity (Chain of evidence)

Identify critical information

Analyze evidence

Present evidence


Normal collection vs Selective collection

Siezure of physical computer/hard drives

Examine/copy RAM from live systems

Maintain/copy live state for Encryption

Use of a hardware write blocking device

Online data (email, ISP logs)

Subpoena/request data


Authenticity and Integrity.

Hardware write blocking device.

Hash Encrypt and sign original Evidence

Document all activities performed on data
Store evidence in a secure environment to prevent tampering and leaking( Ethics?
)


Search for information related to alleged crime

Identify suspects and tie them to login credentials

Maintain privacy of info not related to alleged crime (Ethical Considerations)

Encryption , files or full disk.

Goals

Establish facts to prove crime occurred

Identify suspects

Build a time line of events
Techniques

Data mining search

File classification

Clustering text based search

Text pattern matching == Grep!
But how to rank the results?
Adaptive User Interest Hierarchy (AUIH)

Investigator groups interesting results into categories

Machine Learning tries to match similar search results

Best matches are highest ranked

Feedback from Investigator helps the program improve it's rankings.

Prosecution:

Explain importance of data to the prosecuting attorney before court. (Provide analogy)

Prepare a statement presenting the evidence in a technically accessible manner.

Points to prove (specific to each criminal act)

Interpret the data (Static vs Dynamic IPs)

Show the time line

Make recommendations about the digital evidence.


Gather evidence

Preserve data integrity (Chain of evidence)

Identify critical information

Analyze evidence

Present evidence

Commercial Packages

Encase

Forensics Tool Kit (FTK)
Open Source Software

Sleuth Kit libraries

Autopsy GUI

Encase Forensic- Guidance Software

Industry Standard Software

Mobile/Cybersecurity/eDiscovery

EnScript scripting language requires programming experience

Court approved forensic file format.

Extensive training program.

Forensic Tool Kit ( FTK )- AccessData

Memory analysis

Custom tablet for mobile phone acquisition

Built in decryption and password cracking

Email analysis

Built for distributed analysis

The Sleuth Kit Open Source


C Libraries for forensics investigation
“Autopsy” GUI

Hadoop framework for large data sets

Online Wiki and training available

Libraries can be used in automated
Forensics tasks

Uses SQLite database


Information gathering



Vulnerability assessment
Network bottlenecks
Network usage profiling

Legal evidence



Monitoring networks for illegal activity
Gathering evidence of illegal file transfer
Monitoring communications

Intrusion detection


Hax0rs!
Only info remaining if log files are deleted


Assess and improve the usage of your network

Test your network to find vulnerabilities before someone else does

Penetration testing


Monitor communications, chat forums, email , VoIP for illegal or suspicious activities

Gather evidence of illegal file transfer such as copyright infringement or child pornography


Monitoring networks for signs of espionage
“
Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile
”
- director of Information Systems Analysis
Center, Sandia National Laboratories


Network intrusion can cost lots of money

PlayStation Network breach cost Sony $171m

Industrial espionage can cost companies their competitive advantage

“Every major company in the United States has already been penetrated by China.”
-Richard Clarke, Counterterrorism Czar


Honeypots



Systems set up as targets for intruders
Monitor what an intruder does
Attempt to identify the intruder

Tampering detection


Monitoring the integrity of log files and system files
Alert administrator when critical files are changed


Outbound Packet Inspection


Outgoing firewall that inspects all outbound communications
Uses a Man in the Middle attack to intercept all encrypted communications

Network Mapping


Examine and identify all hosts on a network to guard against rogue access
Determine which hosts offer what services and why


Wireshark/Snort ( Ethical/unEthical Uses )

“Sniff” all TCP/IP packets on a network

Make a record of suspicious/all packets

Nmap


Map a network
Determine what services are available and being used

Honeypots/Honeyd


Creates virtual hosts on a network
Designed to lure intruders and track their activities


Metasploit ( Ethics?
)


Test known exploits against a network
Use existing components to write exploits

Sqlmap/sqlninja( Ethics?
)


Penetration testing for SQL injection attacks
Take over back end databases

Aircrack( Ethics?
)

WEP and WPA Encryption cracking

Tripwire/AIDE

Monitor key files and directories for tampering or changes.


Information gathering



Vulnerability assessment
Network bottlenecks
Network usage profiling

Legal evidence



Monitoring networks for illegal activity
Gathering evidence of illegal file transfer
Monitoring communications

Intrusion detection


Hax0rs!
Only info remaining if log files are deleted

Digital Forensics: A growing field for computer scientists in Law Enforcement.
Questions:
1)Criminal forensics?
2)Network forensics?
3)Forensic tools?

Halboob, W.; Abulaish, M.; Alghathbar, K.S.; , "Quaternary privacy-levels preservation in computer forensics investigation process," Internet
Technology and Secured Transactions (ICITST), 2011 International
Conference for , vol., no., pp.777-782, 11-14 Dec. 2011
URL: http://0ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnu mber=6148437&isnumber=6148349
CPP!
Dan Manson; Anna Carlin; Steve Ramos; Alain Gyger; Matthew Kaufman;
Jeremy Treichelt; , "Is the Open Way a Better Way? Digital Forensics Using
Open Source Tools," System Sciences, 2007. HICSS 2007. 40th Annual
Hawaii International Conference on , vol., no., pp.266b, Jan. 2007 doi: 10.1109/HICSS.2007.301
URL: http://0ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnu mber=4076922&isnumber=4076362