WHITE PAPER
UNIFIED CYBER FORENSICS
EXECUTIVE SUMMARY
The accelerating use of communication devices, networks, and information processing technologies improves an agency’s ability to meet its mission requirements more efficiently; however, it also increases the risk of accidental data loss, insider threats, and sophisticated cyber-attacks. According to the Annual Symantec Internet Security Threat Report issued April 30, 2012, “Symantec blocked more than 5.5 billion malicious attacks in 2011, an increase of 81 percent over the previous year. In addition, the number of unique malware variants increased to 403 million, and the number of Web attacks blocked per day increased by 36 percent.” Legacy security technologies, such as intrusion detection systems and network forensics tools, have provided agencies with some of the necessary capabilities to understand specific types of security events on their networks. However, these technologies do not provide enough insight to completely recreate events to fully understand what has occurred and, more importantly, how it occurred.
Unified Cyber Forensics (UCF) is an innovative approach to understanding and reconstructing security events. It provides IT security organizations with easy-to-use tools to recreate and investigate any and all threats being perpetrated on their enterprise networks. Instead of just capturing basic packet information like source and destination addresses, UCF captures entire communication flows. Once captured, data is stored, enriched, and made readily accessible through intuitive and powerful tools that encourage and enable unrestricted investigation. This provides agency analysts with the critical ability to completely recreate full communication sessions including e-mail, chat messages, documents, and web pages to fully understand what has transpired. UCF makes it possible for agencies to quickly and accurately ascertain the impact of a cyber-incident, understand how to prevent future incursions, or rapidly identify and mitigate insider threats.
Merlin is a federal systems integrator bringing together best-of-breed cyber solutions to provide unparalleled insight into the information passing across Enterprise networks in real time. Our innovative solutions give agencies the ability to view, search, and correlate “data of interest” at any level: from network addresses, to reconstructed application files (and their attributes) in native formats (e.g., html, doc, ppt, pdf…), to metadata generated by forensic analysts. In order to provide agencies with total network situational awareness, Merlin combines industry-leading packet capture capabilities with the secure and reliable storage products from NetApp and the forensic processing and analytical power of Cybertap. UCF solutions are deployed on servers specially designed and engineered by Merlin to ensure seamless integration and optimal performance.
Introduction
Network forensics tools have matured considerably over the last decade. While useful to address specific issues, even modern tools typically only support a single function such as malware detection, insider threats, fraud, or compliance. Use and management of the tools also require significant manual effort. The tools are usually only implemented as a reaction to a predefined event, and then data surrounding that event is handed to an analyst who must parse through it line by line. These tools typically do not provide a high level of meaningful insight into network transactions that occurred before or after an incident. Knowing what happened immediately before or after an event is valuable intelligence that can better illustrate how an attack was perpetrated. Use of forensics tools, due largely to their cryptic character-based views, often requires highly skilled analysts to operate and interpret the data. This greatly limits their usability and capacity for building a holistic view of a threat situation.
As the world becomes more “cyber-sophisticated”, agencies need new tools that speed forensic analyses of rapidly growing data sets in the ongoing investigation of evolving threats. Analysts can leverage search engine technology to find clues that warrant further investigation and provide the means for “deep dive” analysis and the ability to explore related event branches and information.
Unified Cyber Forensics
Internet users have become accustomed to easily searching vast amounts of data everywhere at any time. Unified Cyber Forensics makes the same true for cyber analysis; all data from network packets and documents that were sent over the network are now easily searchable on demand. Employing a search engine as the underlying data repository (rather than a traditional database) makes this possible. UCF allows you to capture (get the packets); reassemble them (into sessions or flows); reconstitute the original documents (e-mails, web pages, chats, documents); enrich the data (content, attributes, protocol data, entities); index all of that; and make it available through a powerful, yet intuitive, tool. Processing data, reconstituting original documents, indexing them while maintaining all original network relationships, and storing this data in a searchable repository can be done continuously. This advanced processing delivers an easy-to-use, powerful, and scalable network forensics capability.
UCF offers highly flexible deployment options, allowing an enterprise to store a day of traffic, a week, a month or more depending upon your needs. This process would normally be long and time-consuming, requiring parsing through large amounts of network data, but UCF makes this a simple search because all of the network traffic has already been reconstituted and indexed by the tool.
Unified Cyber Forensics enables:
• The investigation of all data that crosses the network
• Investigators to understand users’ actions on (and to) the network
• Content-oriented investigations that go beyond network traffic, headers, and IP addresses and focus on individuals, e-mails, chats, Facebook, web pages, and documents
• The creation of a suspect’s ePersona, allowing an investigator to see and track a suspect’s online activities and online identity
• Flexibility to investigate any event and hypothesis
“Computer intrusions by hackers, criminals and nations against U.S. infrastructure increased seventeen fold from 2009 to 2011.” -- Gen. Keith Alexander, U.S. Cyber Command
“ePersona allows you to identify everything and everyone involved in an activity.”
The Merlin Unified Cyber Forensics Solution
The Merlin Unified Cyber Forensics solution is a new integrated technology that utilizes open standards to enable packet-level processing along with fully reconstructed data and a robust storage solution to retain a full copy of the network packet data and reconstituted files. The processing engine extracts and converts packet-level network transactions (from stored or real-time PCAPs) into reconstituted files. The files are saved in their native format (e.g., .wav, .jpg, http, .doc) and further processing is accomplished to index and correlate all of the information. This advanced processing results in an easy-to-use, powerful, and scalable network forensics and cyber analysis capability.
Preprocessing data allows an investigator to parse through mountains of network traffic with ease, instantly extracting relevant data and substantially reducing the amount of traffic requiring manual inspection. Relevant data can be anything the investigator defines it to be: all traffic for a given individual, all images, all chats between two people about a given subject, anything that happened during a particular timeframe, or other parameters germane to the investigation. Correlating and assessing related data and events becomes a simple task that can be accomplished quickly. Further, event research can be conducted by investigators without highly specialized skillsets, freeing up forensic experts to spend more time on analysis rather than legwork.
Merlin’s UCF solution employs an intuitive user interface that makes it easy for users without specialized skills or training to find the information they need. It is designed to be used quickly and efficiently by a broad range of investigators such as corporate and government officials, human resources, IG investigators, regulators, lawyers, cyber security forensic analysts, law enforcement officers, and intelligence analysts. These investigators are able to investigate and monitor network-based activities in support of any type of analysis including insider threat, waste, fraud, abuse, compliance & compliance monitoring, network and infrastructure security, lawful intercept, and intelligence gathering. Investigators will be able to use Merlin’s UCF capabilities to find, visualize and follow the online actions of their suspects to gather evidence and make their cases. Analysts will be able to see and reenact what their suspects saw and did on the network by taking network traffic and turning it back into its original form including web pages, chats, e-mails, attachments, phone calls, etc.
FIGURE 1: UNIFIED CYBER FORENSICS DATA CAPTURE, ENRICHMENT, AND INDEXING PROCESS
FIRST: captured PCAP data is reassembled into flows and furthermore into actual content (e.g., webpages, emails, attachments, downloaded/uploaded files, etc.). All of the PCAPs and native files are stored in a single repository.
SECOND: the resulting reconstituted files are enriched (content, attributes, metadata, protocols, tags, relationships) to enable powerful searches.
THIRD: files and their enriched data are indexed and made easily and powerfully searchable on both specific string matches and general entity (Name, Phone, SSN, Credit Card Number) searches, individually or in complex combinations.
The Merlin Unified Cyber Forensics solution provides a familiar search engine-style user interface that dramatically reduces the learning curve for users. It offers a robust query engine with full word, protocol, meta-data, entity, and Boolean search functions. These features can be combined to support complex queries with sub-second response from very large data sets, including reconstructions of file transfers, e-mails, websites, chat and HTTP, and the creation of ePersona. Merlin’s UCF solutions are built on a platform utilizing open standards. The open standard API-driven nature of this solution supports access to the data repository by many common COTS/GOTS applications customers rely on.
Partners
Merlin’s UCF solution harnesses the incredible forensics power of Cybertap Recon and NetApp’s world class enterprise storage capabilities to provide agencies with an unparalleled forensic investigation solution that is fast, user friendly, reliable, and agile. It has been engineered to quickly and easily scale to meet each customer’s unique business requirements and budget. Agencies can begin with a deployment that meets their immediate needs, then add processing and storage capacity incrementally as their requirements change.
As shown in the figure below, NetApp’s storage solutions are the critical enabler of UCF solutions. The entire system relies upon the secure, high speed and highly available storage every step of the way. NetApp’s storage solution provides:
• Secure Encrypted Storage: Maintaining a secure copy of all network traffic and of the reconstituted network data.
• High Speed Access: Allowing for efficient preprocessing of the data and improving the performance and user experience of the forensic investigation.
• High Availability and Reliability: Ensuring availability of data for essential forensics and analysis capabilities.
• Flexible Expansion Options: Permitting additional capacity to be added gracefully as demand grows.
• Efficient Storage Features: Allowing for a reduction in the overall storage requirements, thus making the solution more cost effective.
“Unified Cyber Forensics provides users across an agency a method to quickly and easily search, analyze and reconstruct events unique to the investigation of any type of threat.”
Cybertap Recon provides the intelligence that makes this Unified Cyber Forensics solution possible by performing the pre-processing functions necessary to reconstitute, tag, and index all of the network traffic. Cybertap Recon then presents actionable information to the forensic analyst who initiates an investigational search. Recon provides:
• Data Enrichment: Including network flow reassembly, document reconstitution, content extraction, tagging, and metadata generation.
• Open Standards: All reconstructed files are output in their original format and all files, indexes, and API calls are in industry standard formats, which provide the option to use third party tools.
• Complete Indexing and Searching: Allows for fast searching based on network data, reconstructed content, tags, generic search terms, and relationships with Boolean combinations.
• ePersona: The personification of an individual’s online electronic presence, including identification and tagging of all electronic identities, linking of relationships, and insight into a user’s network habits.
• Comprehensive Repository: Data includes timestamps, IP & MAC addresses, ports, protocols used, related flow data, certificates, tokens, user IDs, etc., all in chronological order and with entity relationships (ePersona).
• Ease-of-Use: Usable by all investigators, it presents the data exactly as it was originally viewed by the suspect, and allows you to query the data any way you like through a graphical web-based user interface.
• Universal Applicability: Useful for all enterprise network investigations.
FIGURE 2: UNIFIED CYBER FORENSICS IMPROVES SPEED, SCALABILITY, INTEGRATION, AND INFORMATION CLARITY FOR INVESTIGATORS
Zero Packet Loss: Nothing is missed and all potential data is accounted for. BENEFIT: Any analysis done on the traffic is complete and accurate.
Index Everything: Information is categorized and tagged. BENEFIT: This allows investigators the flexibility to search any and all criteria quickly and easily without having to learn a specific format, language, or style.
Scalability: Ability to expand from a single collection point to multiple collection points across the enterprise and act as a single storage agent for all Enterprise forensics tools. BENEFIT: Simple and cost effective ability to expand and meet future needs.
Open Standards: Based on non-proprietary industry standards. BENEFIT: Quickly integrate with other enterprise forensics tools, collectors and other related technologies.
Full Traffic Reconstruction: Provides a clear copy of all files sent over the network including webpages, attachments, emails, VoIP calls, etc. BENEFIT: Investigators can open actual files reconstructed from network packets.
Fast & Efficient Forensic Scenario Investigation: Utilizes pre-processing for tagging and indexing of information in conjunction with an easy-to-use search interface. BENEFIT: Enables faster analysis than parsing the data manually and returns useful results the first time.
Use Cases
Merlin’s Unified Cyber Forensic solution provides a robust capability to meet the traditional and non-traditional forensics needs of agencies. The 100% packet capture and storage capability provides agencies with a centralized tool for all of their forensics analysis requirements. Analysts will have access to the entire network transaction (including documents and application data) so they will not have to spend time accessing other computers or servers. This also means one tool can be used for every organization, from operations and security to legal and HR.
The pre-processing and user-friendly GUI interface provide real-time results in an intuitive format. With all of the information already categorized and indexed, results will be instantaneous and more investigating can occur in a shorter period of time. The GUI interface requires little training and leverages common search engine commands. This means non-technical users in groups such as HR and legal will be able to reconstruct a Microsoft Word document or PowerPoint file and actually review the content, see data accessed relative to the time it was accessed in a link analysis fashion, or successively follow links.
FIGURE 3: MERLIN'S UNIFIED CYBER FORENSICS SOLUTION HARNESSES ADVANCED CAPABILITIES FROM NETAPP AND CYBERTAP
(Diagram of the Merlin Unified Cyber Forensics Solution; labels: Merlin; NetApp; Cybertap; real-time network packets; PCAPs; pre-processing engine; bits; packets; flow; documents; attributes; metadata; reconstruction; ePersona; GUI interface; search engine & case analysis tools; case material for Network Operations, Security Operations, IG/Legal, Compliance, HR, Law Enforcement, DoD/Intelligence.)
The powerful analytics tools allow an agency to constantly monitor for predefined data sets that can be viewed as threats, as well as search historical events to look for patterns of behaviors or investigate specific instances thoroughly. A few of the many potential use cases for Merlin’s integrated solution are shown in Figure 4.
FIGURE 4: THE ABILITY TO QUICKLY AND EASILY SEARCH ANY KIND OF NETWORK DATA MAKES MERLIN'S UNIFIED CYBER FORENSICS SOLUTION USEFUL FOR A WIDE RANGE OF APPLICATIONS
Network Operations: Network Security • Application Performance
Security Operations: Insider Threat • Theft Prevention • Data Loss • Malicious Actions • Malware Impact
IG/Legal: eDiscovery • Waste, Fraud and Abuse • Internal Investigations
Compliance: IPII/SPII • HIPAA • PCI • Financial • eFOIA
HR: Acceptable Use • Employee Productivity
Law Enforcement: Surveillance • Child Protection • Net-Based Crimes
DoD/Intelligence: Enemy Intent • Active Monitoring • Computer Attacks
Example
Scenario: A federal agency that accepts credit card payments for citizen service has been notified by their credit card clearing house that credit card information from multiple customers appears to have been stolen.
STEPS: A forensic analyst working for the agency investigated this situation, employed the Merlin UCF tool and took the following steps:
1. Performed a search for all of the stolen credit card numbers – no results were found.
2. Performed a search for last names associated with the stolen credit card numbers – multiple results were found.
3. The files and communications associated with the results were reconstituted and the analyst was able to review multiple Microsoft Word documents, Excel files and Instant Messenger streams that revealed illegal transmission of credit card data.
4. The analyst then identified the source of the communications stream and performed an in-depth search on this individual’s communication streams for the past six months and found additional sensitive information that was being sent out on a regular basis.
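The three-stage capture, enrichment and indexing process described in Figure 1, and the card-number and last-name searches in the scenario above, as an added Python example that is not Merlin's or Cybertap's code: it reassembles constructed TCP segments into flows, reconstitutes the HTTP body, tags Luhn-valid card numbers as entities, and indexes both literal tokens and entities. The flow keys, sample segments and card regex are assumptions; it also shows why a literal search for a card number can return nothing while an entity search on the same number hits, when the number crossed the wire with separators.

```python
import re
from collections import defaultdict
# Constructed sample TCP segments: (5-tuple, segment number, payload).
# The first flow's segments are listed out of order to exercise reassembly.
FLOW_A = ("10.0.0.5", 51000, "203.0.113.9", 80)  # client ip, port, server ip, port
FLOW_B = ("10.0.0.7", 51200, "203.0.113.9", 80)
SEGMENTS = [
    (FLOW_A, 2, b"Card: 4111 1111 1111 1111\r\n"),
    (FLOW_A, 1, b"POST /pay HTTP/1.1\r\nHost: shop.example\r\n\r\nName: Jane Smith\r\n"),
    (FLOW_B, 1, b"POST /ticket HTTP/1.1\r\nHost: shop.example\r\n\r\n"
                b"Ticket 1234-5678-9012-3456 for Smith\r\n"),
]

# 13 to 19 digits, optionally separated by single spaces or dashes (assumed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: drops digit runs (order numbers, IDs) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def reassemble(segments):
    """FIRST: group segments by 5-tuple and order each group into one flow."""
    flows = defaultdict(list)
    for key, seq, payload in segments:
        flows[key].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}

def reconstitute(flow_bytes):
    """Split an HTTP request flow into its header and the document that was sent."""
    head, _, body = flow_bytes.partition(b"\r\n\r\n")
    return {"head": head.decode("latin-1"), "body": body.decode("latin-1")}

def enrich(doc):
    """SECOND: tag entities; card numbers are normalized to digits and Luhn-checked."""
    doc["entities"] = set()
    for m in CARD_RE.finditer(doc["body"]):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            doc["entities"].add(("card", digits))
    return doc

def build_index(segments):
    """THIRD: inverted index over literal tokens plus a separate entity index."""
    docs, terms, ents = {}, defaultdict(set), defaultdict(set)
    for key, flow in reassemble(segments).items():
        docs[key] = doc = enrich(reconstitute(flow))
        for tok in re.findall(r"\w+", doc["body"].lower()):
            terms[tok].add(key)
        for ent in doc["entities"]:
            ents[ent].add(key)
    return docs, terms, ents

def search(terms, *words):
    """Boolean AND over literal tokens; returns the matching flow keys."""
    return set.intersection(*(terms.get(w.lower(), set()) for w in words)) if words else set()

def search_entity(ents, kind, value):
    """Entity search; a card value is matched on its normalized digits."""
    return ents.get((kind, re.sub(r"\D", "", value) if kind == "card" else value), set())
```

A plain-token query for the 16-digit number finds nothing because the body carried it as four space-separated groups, while the entity index, built on normalized digits, returns the flow; the decoy digit run in the second flow fails Luhn and is never tagged.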
RESULTS: The agency was able to quickly analyze and collect evidence against an employee who was passing sensitive customer information to criminal organizations. The initial investigation began with a tip from the credit card clearing house and, with the use of the Merlin UCF tool suite, the agency was able to uncover the extent and methods of the breach and stop them.
Conclusion
Enterprise security is crucial for any size agency. UCF offers innovative capabilities that greatly enhance security and compliance monitoring while also providing efficiencies that allow limited resources to accomplish more. Merlin provides the capability to do in-depth cyber forensics, in real time, across all of the information traversing an agency’s network, and it provides the means for anyone who needs access to the data to easily search it. Built on open standards, Merlin’s solution allows quick and easy access by third party applications requiring use of the same information, thus removing the need for additional storage. Investigators from many backgrounds and skill levels can use the tool to gain a greater understanding of what is happening on the Enterprise.
The Merlin UCF solution is highly flexible and agile for various deployment scenarios. Agencies can deploy all or part of the tool’s capabilities and scale the processing power based on the level of traffic on their network. Storage of network traffic and the reconstituted data is no trivial concern, but thanks to scalable, secure, and cost effective storage solutions from NetApp, agencies can leverage best-in-class storage products to ensure consistent and optimized results are obtained every time.
ABOUT MERLIN
Merlin International® is one of the fastest growing information technology solutions providers in the country. Founded in 1997, the veteran-owned, privately held business has consistently grown both its revenue and its staff since the company’s inception. Merlin is approximately 100 employees strong, with its seasoned professionals possessing decades of experience – working in the public and private sectors – as well as top-secret security clearances.
Working alongside its system integrator and vendor partners, Merlin provides turn-key IT solutions that solve complex and critical problems while fulfilling mission objectives for federal government agencies and organizations involved in civilian services, defense, intelligence, health care and a variety of other areas.
SALES REPRESENTATIVE
sales@merlin-intl.com
www.merlin-intl.com
T 1.877.430.3021
MERLIN GOVERNMENT CONTRACTS
SEWP# NNG07DA23B
GSA# GS35F0783M
CORPORATE OFFICE
4B Inverness Court East | Suite 100
Englewood, CO 80112
T 303.221.0797 | F 303.496.1420
FEDERAL OPERATIONS
8381 Old Courthouse Rd | Suite 200
Vienna, VA 22182
T 703.752.2928 | F 703.752.2935
Merlin International, Inc.
Copyright © 2012 Merlin International, Inc.
All rights reserved.
October 2012