FINAL YEAR PROJECT
Trevor Brosnan, BSc (Hons) Computer Forensics
20039663@mail.wit.ie

overview
• Origins of project
• COFEE comparison
• How it works
• Demonstration
• Technologies
• Compatible / testing
• Project timeline
• Future / conclusion
• Functionality
• Questions / issues

origins of project
Computer fraud has many branches, and none is emerging faster than fraud committed by employees. This type of fraud is commonplace within the workforce because it does not require an employee to have extensive IT knowledge, just the opportunity.
"Cost is the biggest concern in considering an investigation." - Ernst & Young report, 2011
Fraud can be defined as intentional deception made for personal gain or to damage another.
Make it as simple as possible.

current applications
• Microsoft COFEE is a forensics tool, approximately 15 MB in size, that fits on a USB drive for law enforcement officials to use on a PC. An officer with even minimal computer experience can be tutored, in less than 10 minutes, to use a preconfigured COFEE device. [COFEE 2011]
  Strengths: created by Microsoft for Microsoft systems.
  Weaknesses: available only to law enforcement; outdated tools. DECAF was written by hackers to thwart investigations carried out with this tool.
• EnCase Forensic, "the industry-standard computer investigation solution, is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process." [EnCase 2011]
  Strengths: the market leader for professional forensic investigation.
  Weaknesses: extremely expensive ($4,000-$4,500).
• BackTrack 5 "was designed to be an all in one live CD used on security audits and was specifically crafted to not leave any remnants of itself on the laptop. It has since expanded to being the most widely adopted penetration testing framework in existence and is used by the security community all over the world." [BackTrack 2011]
  Strengths: extremely powerful; has a massive repository of tools.
  Weaknesses: extremely complex to use; a separate operating system.

how it works
For the development of fraudIT, one main tool encompassed the entire project: the programming language Python.

python
"Python is a programming language that lets you work more quickly and integrate your systems more effectively. You can learn to use Python and see almost immediate gains in productivity and lower maintenance costs. Python runs on Windows, Linux/Unix, Mac OS X, and has been ported to the Java and .NET virtual machines." [Python 2011]

PyQt4
"PyQt is a set of Python bindings for Nokia's Qt application framework and runs on all platforms supported by Qt including Windows, MacOS/X and Linux. There are two sets of bindings: PyQt v4 supports Qt v4; and the older PyQt v3 supports Qt v3 and earlier. The bindings are implemented as a set of Python modules and contain over 300 classes and over 6,000 functions and methods." [Qt 2011]

project timeline
Iteration 0 (8/9/11 to 31/10/11): produce the first prototype.
• Look into the methods and technologies to be used throughout the project.
• Create the project concept and ensure the project is viable.
• Assignment of a project supervisor.
• Create the overall goals.
• Investigate similar applications and research new tools to incorporate into the application.
• Develop the first report.
Iteration 1 (1/11/11 to 12/12/11): develop the first working prototype, "Prototype version 1".
• Obtain the relevant skills in Python programming and Perl scripting, and understand how these work together with a Qt-based GUI.
• Research fraudulent activity within the workplace.
• Research the ethical foundation of the application.
• Create Report 2.
Iteration 2 (13/12/11 to 2/2/12): improve the GUI of the application and include additional functionality.
• Create Prototype v2.
• Increase the functionality with additional tools and create a more visually appealing application.
• Test for bugs that could occur.
• Assess how the application will be delivered, along with the dependencies needed.
Iteration 3 (3/2/12 to 1/5/12): the final iteration, producing a fully functioning program.
• Create Prototype v3 and the final application.
• Focus on testing for any faults within the application.
• Remove any redundant code or features.
• Create the final reports and documentation; final report created and submitted.

tools used #1
• System Audit
  Information: Logins, System Uptime, System Information, Update History, Recycle Bin History, Windows File System, Power On History, Scheduled Events, Running Services.
  Unusual Activity: Blue Screen Tracker, Open Files, Event Logs, Application Crashes, Windows Crash Reports, What's in Startup.
  Devices: Battery Information, Bluetooth, USB History.
• Network Audit
  Connections: IP Information, Port Information, Check Firewall, Firewall Rules, Nearby Wifi, Networked PCs, Show Groups, Wireless Info.
  Browser: Chrome/IE/Firefox History, Chrome/IE/Firefox Cache, Chrome/IE/Firefox Cookies.
  Email: gathering and analysis.
  Additional: Skype History Logs, Live Contacts, Internet Passwords, Opera History, Safari History, Get Bookmarks, Search History.

tools used #2
• Registry Audit
  Initial: Gather Hives.
  User Hive: Shellbags, Printers, Recent Files, Recent Applications, Typed URLs, Proxy Settings, IE Registry Entries, Recent Documents, Windows Searches, File Associations.
  Software Hive: Application Paths, Network Cards, Wireless Associations, SQL Last Connected, Profile List, Internet Applications, Uninstalled Apps, Yahoo Messenger, App Associations, Port Devices.
  System Hive: Network Information, Mounted Devices, Removed Devices, Shutdown History, Event Logs, Safe Boot History, USB Information, Running Services.
  Security/SAM: parsing of the hive.
• File Audit
  General: Alternate Data Streams, Clipboard History, MS Office Add-ons, Video Cache History.
  Text, Image, Video and Audio Audits: pop-up drag-and-drop audits using Alternate Data Streams, Metadata, File Duplication and Integrity checks.

additional functionality
• Live Audit: runs the most important tools with a single click.
• All in One Audits: runs all-in-one audits using the most important system, network and registry tools.
• Report Generation: a report is generated for each Live Audit and All in One audit run, so the user can review the information at a later stage.
• Evidence Uploads: all data gathered is uploaded to an Amazon S3 bucket at the click of a button.
• Tutorials: these, along with a few other features, help guide the user in their use of the application.

background functions
• Logging System
• Evidence Duplication
• Integrity Checking
• Timestamps
• Portability
• Sub-processing
• Application Centre
• Icon Association
• Re-encoding Outputs
• Global Variables
• Folder Creation
• Text Browser
• Use of Windows Functions
• Progress Bars
• Error Messages
• Status Bar
• OS Commands

cofee comparison
fraudIT vs COFEE. COFEE is Microsoft's incident response GUI, which was made available to law enforcement officers to aid them in their investigations.
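The Network Audit's Port Information tool above collects connection data, and on Windows the command-line source for that is `netstat -ano`. The parser below is an added example written for this page, not fraudIT's own code: it turns netstat output into structured records, lists listening sockets and flags established connections to peers outside an assumed set of internal address ranges. SAMPLE_NETSTAT is constructed for the example (it is not captured from a real host), and INTERNAL_NETS is an assumption a real deployment would tune to its own network.

```python
"""Parse Windows `netstat -ano` output into structured connection records.

Added example for the Network Audit's Port Information item; not fraudIT's
own code. SAMPLE_NETSTAT is constructed, and the ranges in INTERNAL_NETS are
an assumption of this example."""
import ipaddress

# Constructed sample in the layout `netstat -ano` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.9:443        ESTABLISHED     3120
  TCP    192.168.1.20:49713     198.51.100.7:4444      ESTABLISHED     3120
  TCP    127.0.0.1:49200        127.0.0.1:49201        ESTABLISHED     2288
  TCP    [::]:3389              [::]:0                 LISTENING       1044
  UDP    0.0.0.0:500            *:*                                    1456
"""

# Address ranges that never indicate an outbound connection to the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 equivalents
)]


def split_endpoint(endpoint):
    """'192.168.1.20:49712' -> ('192.168.1.20', 49712); '[::]:0' -> ('::', 0);
    '*:*' -> ('*', None). rpartition keeps IPv6 colons inside the host part."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_internal(host):
    """True for wildcard, unspecified, loopback, link-local and RFC 1918 hosts.
    ipaddress.is_private is deliberately not used: it also classifies the
    documentation ranges (198.51.100.0/24, 203.0.113.0/24) as private."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True          # '*' or anything that is not an address
    return addr.is_unspecified or any(addr in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Return one dict per TCP/UDP row. UDP rows have no State column, so the
    PID is always taken from the last token rather than a fixed column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        foreign_host, foreign_port = split_endpoint(parts[2])
        records.append({
            "proto": parts[0],
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": parts[3] if parts[0] == "TCP" and len(parts) >= 5 else None,
            "pid": int(parts[-1]),
        })
    return records


def listening_ports(records):
    """(proto, port, pid) for every listening TCP socket and every UDP socket."""
    return sorted((r["proto"], r["local_port"], r["pid"]) for r in records
                  if r["state"] == "LISTENING" or r["proto"] == "UDP")


def external_connections(records):
    """Established TCP connections whose peer is outside the internal ranges;
    these are the rows an investigator reviews first, keyed by owning PID."""
    return [r for r in records
            if r["state"] == "ESTABLISHED" and not is_internal(r["foreign_host"])]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for r in external_connections(recs):
        print("PID %(pid)d -> %(foreign_host)s:%(foreign_port)d" % r)
```

In a live audit the text passed to parse_netstat would be the captured output of the netstat sub-process; the PID column is what lets the network findings be joined to the Running Services and Open Files results from the System Audit.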
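Several of the background functions above (Logging System, Evidence Duplication, Integrity Checking, Timestamps, Sub-processing, Re-encoding Outputs) and the File Audit's File Duplication and Integrity checks fit together in one acquisition routine: run the tool, store its raw output in a case folder, hash it, and record the hash so the evidence can be re-verified later. The code below is an added example, not fraudIT's own code. The case-folder layout, the manifest format, the encodings tried, and the use of the Python interpreter as a stand-in collection tool in demo() are assumptions of the example; a real audit would pass the Windows utility's command line (for instance ["netstat", "-ano"]) to run_tool.

```python
"""Evidence acquisition with logging, timestamps and an integrity manifest.
Added example for fraudIT's background functions and File Audit integrity
checks; not the project's code. Case-folder layout, manifest format and the
interpreter-as-tool trick in demo() are assumptions of this example."""
import hashlib
import json
import logging
import os
import subprocess
import sys
import tempfile
import time
from collections import defaultdict

log = logging.getLogger("fraudit.acquire")


def utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_tool(name, argv, case_dir, timeout=120):
    """Run one collection tool as a sub-process and store its raw output.
    Bytes are written exactly as captured, so the manifest hash covers what
    the tool produced rather than a decoded rendering of it."""
    os.makedirs(case_dir, exist_ok=True)
    started = utc_now()
    proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    raw = proc.stdout + proc.stderr
    out_path = os.path.join(case_dir, name + ".raw")
    with open(out_path, "wb") as f:
        f.write(raw)
    entry = {"tool": name, "argv": argv, "started_utc": started,
             "returncode": proc.returncode, "file": out_path,
             "size": len(raw), "sha256": sha256_file(out_path)}
    log.info("%s rc=%d bytes=%d sha256=%s", name, proc.returncode,
             len(raw), entry["sha256"])
    return entry


def decode_output(raw, encodings=("utf-8", "cp1252")):
    """Re-encode captured bytes for the report view. Windows console tools
    often write the ANSI/OEM code page rather than UTF-8, so try each
    encoding in turn and never fail on undecodable bytes."""
    for enc in encodings:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("utf-8", errors="replace")


def write_manifest(entries, case_dir):
    path = os.path.join(case_dir, "manifest.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"created_utc": utc_now(), "items": entries}, f, indent=2)
    return path


def verify_manifest(manifest_path):
    """Re-hash every captured file; {file: True} means it is unchanged."""
    with open(manifest_path, encoding="utf-8") as f:
        items = json.load(f)["items"]
    return {e["file"]: os.path.exists(e["file"])
            and sha256_file(e["file"]) == e["sha256"] for e in items}


def find_duplicates(paths):
    """Group files with identical content (the File Audit duplication check)."""
    by_hash = defaultdict(list)
    for p in paths:
        by_hash[sha256_file(p)].append(p)
    return {h: ps for h, ps in by_hash.items() if len(ps) > 1}


def demo(case_dir=None):
    """Stand-alone run using the Python interpreter as the 'tool' so it works
    on any OS; a real audit would pass e.g. ["netstat", "-ano"] instead."""
    case_dir = case_dir or tempfile.mkdtemp(prefix="fraudit_case_")
    py, row = sys.executable, "TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880"
    entries = [
        run_tool("systeminfo", [py, "-c", "print('OS Name: Example Windows')"], case_dir),
        run_tool("netstat", [py, "-c", "print(%r)" % row], case_dir),
        run_tool("netstat_copy", [py, "-c", "print(%r)" % row], case_dir),
    ]
    manifest = write_manifest(entries, case_dir)
    with open(entries[0]["file"], "rb") as f:
        first_text = decode_output(f.read())
    return {"case_dir": case_dir, "manifest": manifest, "entries": entries,
            "verified": verify_manifest(manifest),
            "duplicates": find_duplicates([e["file"] for e in entries]),
            "first_text": first_text}


if __name__ == "__main__":
    print(json.dumps(demo()["verified"], indent=2))
```

The point of hashing at capture time and re-hashing in verify_manifest is that the check catches any later change to a captured file, including one made after the evidence has been copied or uploaded; the manifest itself should travel with the evidence so the reviewer can repeat the check independently.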
COFEE uses around 30 unique tools, while fraudIT uses over 80. The two are compared on:
• Design
• Features/Tools
• Ease of Use
• Display
• Integrity
• Evidence
• Connectivity
• All in 1

demo
The demonstration of the project will include:
• Accessing the application from a USB drive
• Loading the application
• Running various tools
• Using the File Audit
• Uploading evidence
• Reviewing reports
Because of the length of time it takes to run a Live Audit, this will be demonstrated using a video clip to speed up the time it would normally take.

code overview
Using ActiveState Komodo, we will take a look at the Python code used to build the application.

compatible & testing
Compatibility was a major concern when creating fraudIT.
Windows systems tested for compatibility: XP, 7 and 8 (different architectures).
Testing carried out:
• Use case testing: whether the application can be used by a novice.
• Code review / debugging: asking other coders what could be done to increase performance.
• Tool comparison: different tools used for the same function.

issues
• Time management: additional projects.
• Display issues: icons, centring, sizing.
• Compatibility issues: XP -> 7 -> 8.
• Tool acquisition: command line only.
• Programming issues: Perl and Python knowledge had to increase.
• Project concept: the idea has changed over time.
• Presentation issues: time management and weighting of marks.

future
• Alert Data: allow unusual results to be flashed to the user.
• Apple Compatible: acquire tools for Mac PCs.
• Timelines: incorporate timelines for the all-in-one audits.
• Central Application: run the application from a central server.
• Python Power: instead of using open-source tools, include Python code to perform the functions.

conclusion
The skills which I have gained from this project have been immense. They have helped me gain confidence in my ability to learn new programming languages, improved my time management, and were one of the main reasons I have been offered a job with Version 1 as a Graduate IT Consultant. The time spent on the creation of the application has also proven quite useful for other modules, as my understanding of Python has been incorporated into other projects (development of an Android APK analysis application for a research project in Network Security). It has highlighted weaknesses and strengths which I never knew I had.

questions

references
[BackTrack 2011] BackTrack Linux - Penetration Testing Distribution. Available at: http://www.backtrack-linux.org/ [Accessed October 26, 2011].
[COFEE 2011] Computer Online Forensic Evidence Extractor (COFEE). Available at: http://www.microsoft.com/industry/government/solutions/cofee/default.aspx [Accessed October 22, 2011].
[EnCase 2011] Leading E-Discovery, Forensic Software. Available at: http://www.guidancesoftware.com [Accessed November 1, 2011].
[Qt 2011] Riverbank | Software | PyQt | What is PyQt? Available at: http://www.riverbankcomputing.co.uk/software/pyqt/intro [Accessed October 17, 2011].
[Python 2011] Python Programming Language – Official Website. Available at: http://www.python.org/ [Accessed October 22, 2011].