The Science of Searching Computers For Evidence
Kit Petrie
• Copyright infringement
• Espionage
• Fraud
Network assessment
Hackers
Industrial Espionage
Gather evidence
Preserve data integrity (Chain of evidence)
Identify critical information
Analyze evidence
Present evidence
Normal collection vs Selective collection
Seizure of physical computer/hard drives
Examine/copy RAM from live systems
Maintain/copy live state when encryption is in use (keys for mounted encrypted volumes exist only in RAM while the system is running)
Use of a hardware write blocking device
Online data (email, ISP logs)
Subpoena/request data
Authenticity and Integrity.
Hardware write blocking device.
Hash, encrypt and sign the original evidence
Document all activities performed on the data
Store evidence in a secure environment to prevent tampering and leaking (ethics?)
Search for information related to alleged crime
Identify suspects and tie them to login credentials
Maintain privacy of info not related to alleged crime (Ethical Considerations)
Encryption, of individual files or of the full disk.
Goals
Establish facts to prove crime occurred
Identify suspects
Build a time line of events
Techniques
Data mining search
File classification
Clustering text-based search
Text pattern matching == Grep!
But how to rank the results?
Adaptive User Interest Hierarchy (AUIH)
Investigator groups interesting results into categories
Machine Learning tries to match similar search results
Best matches are highest ranked
Feedback from the investigator helps the program improve its rankings.
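Grep finds the hits; the ranking step is what makes thousands of hits usable. The following is an added Python example, not code from the slides or from the AUIH work, that sketches the feedback loop just described: a regex pass over a corpus, then cosine similarity between each hit and term profiles the investigator builds by marking hits as interesting (per category) or as noise. The corpus, file names, the "fraud" category and the crude length-based token filter are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample corpus standing in for text pulled off an image
# (exported mail bodies, strings carved from unallocated space, etc.).
CORPUS = {
    "mail_001.txt": "Please wire the transfer to the offshore account before the audit.\nLunch at noon?",
    "mail_002.txt": "The printer driver needs a wire to the account of the IT helpdesk ticket.",
    "notes.txt": "transfer the invoice totals to the hidden account",
}


def grep(pattern: str, corpus: dict) -> list:
    """Grep-style pass: every (file, line_no, line) whose line matches the regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for name, text in corpus.items():
        for no, line in enumerate(text.splitlines(), 1):
            if rx.search(line):
                hits.append((name, no, line))
    return hits


def tokens(text: str) -> Counter:
    # Length >= 4 is a stand-in for a real stop-word list (drops the, to, a, of, it).
    return Counter(re.findall(r"[a-z0-9]{4,}", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    if not a or not b:
        return 0.0
    dot = sum(a[t] * b[t] for t in a)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm


class InterestRanker:
    """Ranks grep hits by similarity to categories the investigator builds from feedback."""

    def __init__(self):
        self.categories = {}   # category name -> accumulated term counts
        self.noise = Counter()  # terms from hits the investigator rejected

    def mark_interesting(self, category: str, text: str) -> None:
        self.categories.setdefault(category, Counter()).update(tokens(text))

    def mark_noise(self, text: str) -> None:
        self.noise.update(tokens(text))

    def score(self, text: str) -> float:
        """Best category match minus similarity to rejected material."""
        t = tokens(text)
        best = max((cosine(t, c) for c in self.categories.values()), default=0.0)
        return best - cosine(t, self.noise)

    def rank(self, hits: list) -> list:
        return sorted(hits, key=lambda h: self.score(h[2]), reverse=True)


if __name__ == "__main__":
    ranker = InterestRanker()
    hits = grep("account", CORPUS)
    ranker.mark_interesting("fraud", "offshore account wire transfer ledger")
    for name, no, line in ranker.rank(hits):
        print(f"{ranker.score(line):.3f} {name}:{no}: {line}")
```

With no feedback every hit scores 0.0 and the output is just grep's order; once the investigator files one hit under "fraud", the offshore-transfer mail rises to the top and the helpdesk mail sinks, and marking the helpdesk line as noise pushes it below zero.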
Prosecution:
Explain importance of data to the prosecuting attorney before court. (Provide analogy)
Prepare a statement presenting the evidence in a technically accessible manner.
Points to prove (specific to each criminal act)
Interpret the data (e.g. static vs. dynamic IP addresses)
Show the time line
Make recommendations about the digital evidence.
Commercial Packages
Encase
Forensic Toolkit (FTK)
Open Source Software
Sleuth Kit libraries
Autopsy GUI
EnCase Forensic - Guidance Software
Industry Standard Software
Mobile/Cybersecurity/eDiscovery
EnScript scripting language requires programming experience
Court-accepted evidence file format.
Extensive training program.
Forensic Toolkit (FTK) - AccessData
Memory analysis
Custom tablet for mobile phone acquisition
Built in decryption and password cracking
Email analysis
Built for distributed analysis
The Sleuth Kit - Open Source
C libraries for forensic investigation
“Autopsy” GUI
Hadoop framework for large data sets
Online Wiki and training available
Libraries can be used in automated forensics tasks
Uses SQLite database
Information gathering
Vulnerability assessment
Network bottlenecks
Network usage profiling
Legal evidence
Monitoring networks for illegal activity
Gathering evidence of illegal file transfer
Monitoring communications
Intrusion detection
Hax0rs!
Network captures may be the only evidence left once an intruder deletes the host's log files
Assess and improve the usage of your network
Test your network to find vulnerabilities before someone else does
Penetration testing
Monitor communications, chat forums, email, VoIP for illegal or suspicious activities
Gather evidence of illegal file transfer such as copyright infringement or child pornography
Monitoring networks for signs of espionage
"Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile"
- Director of Information Systems Analysis Center, Sandia National Laboratories
Network intrusion can cost lots of money
PlayStation Network breach cost Sony $171m
Industrial espionage can cost companies their competitive advantage
“Every major company in the United States has already been penetrated by China.”
-Richard Clarke, Counterterrorism Czar
Honeypots
Systems set up as targets for intruders
Monitor what an intruder does
Attempt to identify the intruder
Tampering detection
Monitoring the integrity of log files and system files
Alert administrator when critical files are changed
Outbound Packet Inspection
Outgoing firewall that inspects all outbound communications
Uses a sanctioned man-in-the-middle (a TLS-terminating proxy whose certificate the clients trust) to inspect encrypted outbound communications
Network Mapping
Examine and identify all hosts on a network to guard against rogue access
Determine which hosts offer what services and why
Wireshark/Snort (ethical/unethical uses)
“Sniff” all TCP/IP packets on a network
Make a record of suspicious/all packets
Nmap
Map a network
Determine what services are available and being used
Honeypots/Honeyd
Creates virtual hosts on a network
Designed to lure intruders and track their activities
Metasploit (ethics?)
Test known exploits against a network
Use existing components to write exploits
sqlmap/sqlninja (ethics?)
Penetration testing for SQL injection attacks
Take over back-end databases
Aircrack (ethics?)
WEP and WPA encryption cracking
Tripwire/AIDE
Monitor key files and directories for tampering or changes.
Digital Forensics: A growing field for computer scientists in Law Enforcement.
Questions:
1) Criminal forensics?
2) Network forensics?
3) Forensic tools?