Kit - Digital Forensics


Digital Forensics

The Science of Searching Computers for Evidence

Kit Petrie

Uses of Digital Forensics

Criminal Investigations

• Copyright infringement

• Espionage

• Fraud

Network Forensics

Network assessment

Hackers

Industrial Espionage

What do Digital Forensics Experts Do?

Gather evidence

Preserve data integrity (Chain of evidence)

Identify critical information

Analyze evidence

Present evidence

Gather evidence

Normal collection vs Selective collection

Seizure of physical computer/hard drives

Examine/copy RAM from live systems

Maintain/copy live state for Encryption

Use of a hardware write blocking device

Online data (email, ISP logs)

Subpoena/request data

Preserve data integrity

Authenticity and Integrity.

Hardware write blocking device.

Hash, encrypt and sign original evidence

Document all activities performed on data

Store evidence in a secure environment to prevent tampering and leaking (Ethics?)
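The hashing and documentation steps on this slide, worked through as an added example (not code from the deck or from any forensic product): the acquired image is hashed at seizure, every action on it is written to a chain-of-custody record whose entries are linked and authenticated, and a later verification reports any altered record, broken link, or image that no longer matches. The image bytes and the examiner key are constructed placeholders, and an HMAC stands in for a proper digital signature with the examiner's key.

```python
"""Evidence integrity and chain-of-custody record.
Added example for this deck, not code from any forensic product; the image bytes and the
examiner key are constructed placeholders, and HMAC stands in for a real digital signature."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for a disk image acquired behind a hardware write blocker.
EVIDENCE_IMAGE = b"NTFS    " + bytes(range(256)) * 4

# Hypothetical examiner key; a real one would live on a smart card or HSM, not on the evidence host.
EXAMINER_KEY = b"examiner-key-placeholder"


def hash_evidence(data: bytes) -> str:
    """SHA-256 of the acquired image, recorded at seizure and re-checked at every later step."""
    return hashlib.sha256(data).hexdigest()


def sign_entry(entry: dict, key: bytes) -> str:
    """MAC over the canonical JSON of one custody entry (stand-in for signing with the examiner's key)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def record_custody(chain: list, action: str, examiner: str, data: bytes, key: bytes) -> dict:
    """Document one action performed on the evidence; each entry is linked to the previous entry's MAC."""
    entry = {
        "seq": len(chain),
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "sha256": hash_evidence(data),
        "prev_mac": chain[-1]["mac"] if chain else "",
    }
    chain.append({**entry, "mac": sign_entry(entry, key)})
    return chain[-1]


def verify_chain(chain: list, data: bytes, key: bytes) -> list:
    """Return a list of problems: an altered record, a broken link, or an image that no longer matches."""
    problems = []
    current = hash_evidence(data)
    prev = ""
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(sign_entry(body, key), entry["mac"]):
            problems.append(f"entry {entry['seq']}: custody record altered")
        if entry["prev_mac"] != prev:
            problems.append(f"entry {entry['seq']}: chain link broken")
        if entry["sha256"] != current:
            problems.append(f"entry {entry['seq']}: image hash no longer matches")
        prev = entry["mac"]
    return problems


if __name__ == "__main__":
    chain = []
    record_custody(chain, "acquired image via write blocker", "examiner-1", EVIDENCE_IMAGE, EXAMINER_KEY)
    record_custody(chain, "verified working copy", "examiner-2", EVIDENCE_IMAGE, EXAMINER_KEY)
    print("original image:", verify_chain(chain, EVIDENCE_IMAGE, EXAMINER_KEY))
    print("modified image:", verify_chain(chain, EVIDENCE_IMAGE[:-1] + b"\x00", EXAMINER_KEY))
```

Verification is deliberately separate from recording: the hash of the working copy is compared against the value captured at seizure, so a single flipped byte in the image, or an edit to an earlier custody entry, shows up as a named problem rather than silently passing.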

Identify critical information

Search for information related to alleged crime

Identify suspects and tie them to login credentials

Maintain privacy of info not related to alleged crime (Ethical Considerations)

Encryption, files or full disk.

Analyze evidence

Goals

Establish facts to prove crime occurred

Identify suspects

Build a time line of events

Techniques

Data mining search

File classification

Clustering text based search

Clustering text based search

Text pattern matching == Grep!

But how to rank the results?

Adaptive User Interest Hierarchy (AUIH)

Investigator groups interesting results into categories

Machine Learning tries to match similar search results

Best matches are highest ranked

Feedback from Investigator helps the program improve its rankings.
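The search-then-rank idea on this slide, as an added example that is not part of the deck: a grep-style search over a handful of constructed files recovered from a drive, followed by a re-ranking step in which the lines the investigator has already marked as interesting pull similar hits to the top. The file contents, the query and the feedback are constructed, and the term-overlap scoring is a simple stand-in for the AUIH machine-learning approach, not an implementation of it.

```python
"""Grep-style keyword search over recovered text, then re-ranking by investigator feedback.
Added example for this deck; the files, the query and the feedback are constructed, and the
term-overlap scoring is a simple stand-in for AUIH, not an implementation of that method."""
import re
from collections import Counter

# Constructed stand-in for text recovered from a seized drive: relative path -> contents.
EVIDENCE_FILES = {
    "mail/0001.txt": "Re: invoice 4471. Wire the transfer to the offshore account before Friday.",
    "mail/0002.txt": "Lunch on Friday? The new place on Main street.",
    "docs/notes.txt": "transfer of funds routed through the shell company account, keep this offline",
    "docs/todo.txt": "Renew car registration. Transfer photos from phone.",
    "chat/log.txt": "u get the transfer done? account is ready, delete this",
}

WORD = re.compile(r"[a-z0-9]+")


def grep(files: dict, pattern: str) -> list:
    """Case-insensitive regex match per line, like `grep -i`; returns (path, line) hits in file order."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(path, line) for path, text in files.items()
            for line in text.splitlines() if rx.search(line)]


def tokens(text: str) -> set:
    """Lower-cased words of four or more characters (drops 'the', 'to', etc. without a stopword list)."""
    return {w for w in WORD.findall(text.lower()) if len(w) >= 4}


def rank_by_feedback(hits: list, interesting: list) -> list:
    """Score each unmarked hit by how many of its terms occur in the lines the investigator marked
    as interesting, and return (path, line, score) best first; ties break on path."""
    profile = Counter()
    for _, line in interesting:
        profile.update(tokens(line))
    scored = [(sum(profile[t] for t in tokens(line)), path, line)
              for path, line in hits if (path, line) not in interesting]
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [(path, line, score) for score, path, line in scored]


if __name__ == "__main__":
    hits = grep(EVIDENCE_FILES, r"transfer")
    print("raw grep hits:", len(hits))
    # The investigator marks the first mail as interesting; the remaining hits are ranked against it.
    marked = [hits[0]]
    for path, line, score in rank_by_feedback(hits, marked):
        print(f"{score:2d}  {path}: {line}")
```

Plain grep returns the four files that mention "transfer" in file order, which says nothing about relevance; once the investigator marks the invoice mail, the chat line and the notes file (which share "transfer" and "account" with it) rank above the unrelated to-do entry. Each further marked line grows the profile, which is the feedback loop the slide describes.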

Present evidence

Prosecution:

Explain importance of data to the prosecuting attorney before court. (Provide analogy)

Prepare a statement presenting the evidence in a technically accessible manner.

Points to prove (specific to each criminal act)

Interpret the data (Static vs Dynamic IPs)

Show the time line

Make recommendations about the digital evidence.

What do Digital Forensics Experts Do?

Gather evidence

Preserve data integrity (Chain of evidence)

Identify critical information

Analyze evidence

Present evidence

Digital Forensics Tools

Commercial Packages

Encase

Forensic Toolkit (FTK)

Open Source Software

Sleuth Kit libraries

Autopsy GUI

Digital Forensics Tools

EnCase Forensic - Guidance Software

Industry Standard Software

Mobile/Cybersecurity/eDiscovery

EnScript scripting language requires programming experience

Court approved forensic file format.

Extensive training program.

Digital Forensics Tools

Forensic Toolkit (FTK) - AccessData

Memory analysis

Custom tablet for mobile phone acquisition

Built in decryption and password cracking

Email analysis

Built for distributed analysis

Digital Forensics Tools

The Sleuth Kit Open Source

C Libraries for forensics investigation

“Autopsy” GUI

Hadoop framework for large data sets

Online Wiki and training available

Libraries can be used in automated forensics tasks

Uses SQLite database

Network Forensics

Information gathering

Vulnerability assessment

Network bottlenecks

Network usage profiling

Legal evidence

Monitoring networks for illegal activity

Gathering evidence of illegal file transfer

Monitoring communications

Intrusion detection

Hax0rs!

Only info remaining if log files are deleted

Information gathering

Assess and improve the usage of your network

Test your network to find vulnerabilities before someone else does

Penetration testing

Legal evidence

Monitor communications, chat forums, email , VoIP for illegal or suspicious activities

Gather evidence of illegal file transfer such as copyright infringement or child pornography

Monitoring networks for signs of espionage

“Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile”

- director of Information Systems Analysis Center, Sandia National Laboratories

Need for Intrusion Detection

Network intrusion can cost lots of money

PlayStation Network breach cost Sony $171m

Industrial espionage can cost companies their competitive advantage

“Every major company in the United States has already been penetrated by China.”

-Richard Clarke, Counterterrorism Czar

Intrusion detection

Honeypots

Systems set up as targets for intruders

Monitor what an intruder does

Attempt to identify the intruder

Tampering detection

Monitoring the integrity of log files and system files

Alert administrator when critical files are changed

Intrusion detection

Outbound Packet Inspection

Outgoing firewall that inspects all outbound communications

Uses a Man in the Middle attack to intercept all encrypted communications

Network Mapping

Examine and identify all hosts on a network to guard against rogue access

Determine which hosts offer what services and why

Network Forensics Tools

Wireshark/Snort (Ethical/Unethical Uses)

“Sniff” all TCP/IP packets on a network

Make a record of suspicious/all packets

Nmap

Map a network

Determine what services are available and being used

Honeypots/Honeyd

Creates virtual hosts on a network

Designed to lure intruders and track their activities

Network Forensics Tools

Metasploit (Ethics?)

Test known exploits against a network

Use existing components to write exploits

Sqlmap/sqlninja (Ethics?)

Penetration testing for SQL injection attacks

Take over back end databases

Aircrack (Ethics?)

WEP and WPA Encryption cracking

Tripwire/AIDE

Monitor key files and directories for tampering or changes.
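The tampering-detection approach from the Intrusion detection slide and the Tripwire/AIDE entry above, as one added example (not code from Tripwire, AIDE, or the deck): a baseline of content hashes and metadata is taken over a directory tree, and a later check reports which files were modified, added or removed. The tree it scans is constructed in a temporary directory, and the three changes made to it are simulated tampering of the kind these monitors exist to catch.

```python
"""Tripwire/AIDE-style integrity baseline and check over a directory tree.
Added example for this deck, not code from Tripwire or AIDE; the tree it scans is constructed
in a temporary directory and the changes made to it are simulated tampering."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path: str) -> dict:
    """Content hash plus the metadata fields an integrity monitor typically records."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def baseline(root: str) -> dict:
    """Walk the tree and record a fingerprint per regular file, keyed by path relative to root."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                base[os.path.relpath(full, root)] = fingerprint(full)
    return base


def check(root: str, base: dict) -> dict:
    """Compare the current tree with the baseline; report modified, added and removed files."""
    now = baseline(root)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "added": sorted(set(now) - set(base)),
        "removed": sorted(set(base) - set(now)),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with the tree, and return the check result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "var", "log"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "var", "log", "auth.log"), "w") as f:
            f.write("Accepted publickey for admin from 10.0.0.5\n")
        base = baseline(root)

        # Simulated tampering: an account line appended, the auth log emptied, an unexpected file dropped in.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        open(os.path.join(root, "var", "log", "auth.log"), "w").close()
        with open(os.path.join(root, "etc", "unexpected.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        return check(root, base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The emptied auth log is the case the slides point at: once the log itself is gone, the baseline comparison is the only record that it changed, which is why the baseline must be stored somewhere the monitored host cannot rewrite it.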

Network Forensics

Information gathering

Vulnerability assessment

Network bottlenecks

Network usage profiling

Legal evidence

Monitoring networks for illegal activity

Gathering evidence of illegal file transfer

Monitoring communications

Intrusion detection

Hax0rs!

Only info remaining if log files are deleted

End of Presentation

Digital Forensics: A growing field for computer scientists in Law Enforcement.

Questions:

1) Criminal forensics?

2) Network forensics?

3) Forensic tools?
