


Date: 08.10.2017
Size: 445 b.













Analyze evidence

  • Goals

  • Establish facts to prove crime occurred

  • Identify suspects

  • Build a time line of events

  • Techniques

  • Data mining search

  • File classification

  • Clustering text based search



Clustering text based search

  • Text pattern matching == Grep!

  • But how to rank the results?

  • Adaptive User Interest Hierarchy (AUIH)

  • Investigator groups interesting results into categories

  • Machine Learning tries to match similar search results

  • Best matches are highest ranked

  • Feedback from the investigator helps the program improve its rankings.
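The ranking loop the slide describes, as an added example that is not AUIH code and not part of the original deck: grep finds the hits, the investigator files a couple of them under categories, one term-count profile is kept per category, and the remaining hits are ordered by cosine similarity to the closest profile. The evidence lines, the category names and the `FeedbackRanker` class are all constructed for the illustration.

```python
"""Added example (not AUIH code): ranking grep hits with investigator feedback.

Plain pattern matching finds the hits, the investigator files a few
of them under categories, a term-count profile is built per category,
and the unlabelled hits are ranked by cosine similarity to the
closest profile. Every line of "evidence" below is constructed.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokens(text):
    return TOKEN.findall(text.lower())


def grep(pattern, lines):
    """Plain pattern matching: (line_no, line) for every line matching pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(i, ln) for i, ln in enumerate(lines) if rx.search(ln)]


def cosine(a, b):
    """Cosine similarity between two term-count vectors (Counters)."""
    dot = sum(n * b.get(t, 0) for t, n in a.items())
    na = math.sqrt(sum(n * n for n in a.values()))
    nb = math.sqrt(sum(n * n for n in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class FeedbackRanker:
    """One term-count profile per investigator-defined category."""

    def __init__(self):
        self.profiles = {}     # category name -> Counter of terms
        self.labelled = set()  # line numbers the investigator already filed

    def feedback(self, category, line_no, text):
        """Investigator files a hit under a category; the profile absorbs its terms."""
        self.profiles.setdefault(category, Counter()).update(tokens(text))
        self.labelled.add(line_no)

    def score(self, text):
        """(similarity, category) for the closest profile; (0.0, None) before any feedback."""
        vec = Counter(tokens(text))
        return max(((cosine(vec, p), c) for c, p in self.profiles.items()),
                   default=(0.0, None))

    def rank(self, hits):
        """Unlabelled hits, best match first, as (score, category, line_no, line)."""
        scored = [(*self.score(ln), i, ln) for i, ln in hits if i not in self.labelled]
        return sorted(scored, key=lambda s: s[0], reverse=True)


# Constructed text lines standing in for the contents of files on an image.
LINES = [
    "invoice 4471 wire transfer to account 99817 confirmed",
    "transfer the photos to the shared drive before friday",
    "lunch transfer: swap your shift with mike",
    "second wire transfer to account 99817 scheduled",
    "bus transfer at central station",
]


def demo():
    """grep finds five hits; two rounds of feedback rank the other three."""
    hits = grep("transfer", LINES)
    ranker = FeedbackRanker()
    ranker.feedback("fraud", 0, LINES[0])     # investigator: this one matters
    ranker.feedback("personal", 2, LINES[2])  # investigator: this one is noise
    return ranker.rank(hits)


if __name__ == "__main__":
    for score, cat, i, line in demo():
        print(f"{score:.2f}  {str(cat):8s}  #{i}  {line}")
```

With the two labelled lines removed from the candidate set, the second wire-transfer line ranks first under "fraud" and the bus line drops to the bottom under "personal"; each further `feedback` call shifts the profiles, which is the feedback loop the slide refers to.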



Present evidence

  • Prosecution:

  • Explain importance of data to the prosecuting attorney before court. (Provide analogy)

  • Prepare a statement presenting the evidence in a technically accessible manner.

  • Points to prove (specific to each criminal act)

  • Interpret the data (static vs. dynamic IPs)

  • Show the time line

  • Make recommendations about the digital evidence.





Digital Forensics Tools

  • Commercial Packages

  • Encase

  • Forensic Toolkit (FTK)

  • Open Source Software

  • Sleuth Kit libraries

  • Autopsy GUI



Digital Forensics Tools

  • EnCase Forensic - Guidance Software

  • Industry Standard Software

  • Mobile/Cybersecurity/eDiscovery

  • EnScript scripting language requires programming experience

  • Court approved forensic file format.

  • Extensive training program.



Digital Forensics Tools

  • Forensic Toolkit (FTK) - AccessData

  • Memory analysis

  • Custom tablet for mobile phone acquisition

  • Built in decryption and password cracking

  • Email analysis

  • Built for distributed analysis



Digital Forensics Tools

  • The Sleuth Kit - Open Source

  • C libraries for forensic investigation

  • “Autopsy” GUI

  • Hadoop framework for large data sets

  • Online Wiki and training available

  • Libraries can be used in automated Forensics tasks

  • Uses SQLite database
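The "build a time line of events" goal from the first slide and the SQLite-backed automation mentioned here, as an added example that is not Sleuth Kit code and not part of the original deck: per-file MAC times of the kind a walk of an image yields are stored in a SQLite table, and one query folds the three timestamps of every file into a single ordered time line with a/c/m flags, in the style of mactime output. The file records, the `files` schema and the time window are constructed for the example.

```python
"""Added example (not Sleuth Kit code): an event time line from file metadata in SQLite.

Records of (path, size, mtime, atime, ctime), constructed here, go
into a SQLite table. timeline() unions the three clocks, orders them,
and merges equal (timestamp, path) pairs so a file whose three times
agree appears once with flags 'acm'. A start/end window narrows the
listing to the period under investigation.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE files (
    path  TEXT PRIMARY KEY,
    size  INTEGER,
    mtime INTEGER,  -- content last modified, Unix seconds (UTC)
    atime INTEGER,  -- last accessed
    ctime INTEGER   -- inode / metadata last changed
);
"""


def ts(text):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> Unix seconds."""
    return int(datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def iso(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed records: (path, size, mtime, atime, ctime).
SAMPLE = [
    ("/home/bob/report.docx", 40960, ts("2017-09-28 16:45:00"),
     ts("2017-09-28 16:45:00"), ts("2017-09-28 16:45:00")),
    ("/etc/passwd", 2048, ts("2017-10-01 08:00:00"),
     ts("2017-10-05 03:12:30"), ts("2017-10-01 08:00:00")),
    ("/tmp/.x/tool", 88112, ts("2017-10-05 03:10:00"),
     ts("2017-10-05 03:11:00"), ts("2017-10-05 03:10:00")),
    ("/var/log/auth.log", 10240, ts("2017-10-05 03:12:00"),
     ts("2017-10-05 03:12:00"), ts("2017-10-05 03:12:00")),
]


def load(records):
    """Create the table in memory and insert the records."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO files VALUES (?, ?, ?, ?, ?)", records)
    return con


def timeline(con, start=None, end=None):
    """Rows (epoch, flags, path), oldest first; flags are a subset of 'acm'."""
    rows = con.execute("""
        SELECT ts, kind, path FROM (
            SELECT path, mtime AS ts, 'm' AS kind FROM files
            UNION ALL SELECT path, atime, 'a' FROM files
            UNION ALL SELECT path, ctime, 'c' FROM files)
        WHERE (:s IS NULL OR ts >= :s) AND (:e IS NULL OR ts <= :e)
        ORDER BY ts, path, kind""", {"s": start, "e": end}).fetchall()
    merged = []
    for epoch, kind, path in rows:
        # Same instant, same file: fold the clock letter into the previous row.
        if merged and merged[-1][0] == epoch and merged[-1][2] == path:
            merged[-1] = (epoch, merged[-1][1] + kind, path)
        else:
            merged.append((epoch, kind, path))
    return merged


if __name__ == "__main__":
    con = load(SAMPLE)
    for epoch, flags, path in timeline(con, ts("2017-10-05 03:00:00"),
                                       ts("2017-10-05 04:00:00")):
        print(f"{iso(epoch)}  {flags:3s}  {path}")
```

Narrowing to the hour around the auth-log write puts the tool drop, its execution (access time), the log change and the later read of /etc/passwd in order, which is the sequence an analyst would then correlate with network records.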



Network Forensics

  • Information gathering

    • Vulnerability assessment
    • Network bottlenecks
    • Network usage profiling
  • Legal evidence

    • Monitoring networks for illegal activity
    • Gathering evidence of illegal file transfer
    • Monitoring communications
  • Intrusion detection



Information gathering

  • Assess and improve the usage of your network

  • Test your network to find vulnerabilities before someone else does

  • Penetration testing



Legal evidence

  • Monitor communications, chat forums, email, VoIP for illegal or suspicious activities

  • Gather evidence of illegal file transfer such as copyright infringement or child pornography

  • Monitoring networks for signs of espionage

  • “Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile”

  • - director of Information Systems Analysis Center, Sandia National Laboratories



Need for Intrusion Detection

  • Network intrusion can cost lots of money

    • PlayStation Network breach cost Sony $171m
  • Industrial espionage can cost companies their competitive advantage

    • “Every major company in the United States has already been penetrated by China.”
  • -Richard Clarke, Counterterrorism Czar



Intrusion detection

  • Honeypots

    • Systems set up as targets for intruders
    • Monitor what an intruder does
    • Attempt to identify the intruder
  • Tampering detection

    • Monitoring the integrity of log files and system files
    • Alert administrator when critical files are changed


Intrusion detection

  • Outbound Packet Inspection

    • Outgoing firewall that inspects all outbound communications
    • Uses a man-in-the-middle attack to intercept all encrypted communications
  • Network Mapping



Network Forensics Tools

  • Wireshark/Snort (ethical/unethical uses)

    • “Sniff” all TCP/IP packets on a network
    • Make a record of suspicious/all packets
  • Nmap

    • Map a network
    • Determine what services are available and being used
  • Honeypots/Honeyd

    • Creates virtual hosts on a network
    • Designed to lure intruders and track their activities
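"Make a record of suspicious packets" as Snort does it with rules, as an added example that is not Snort or Wireshark code and not part of the original deck: a small parser for the Snort rule shape (`alert tcp any any -> 10.1.2.0/24 445 (msg:"..."; content:"...";)`) and a matcher that runs every rule over packet summaries and records the hits. The rules, the packet dictionaries and their field names are constructed for the example; a real deployment would feed packets from a capture.

```python
"""Added example (not Snort or Wireshark code): Snort-style rules over captured packets.

parse_rule() reads one rule line into a Rule; matches() checks
protocol, addresses (exact, 'any' or CIDR), ports and an optional
content substring; run() returns the matching packets with the
rule's message, the record an analyst would keep.
"""
import ipaddress
import re
from dataclasses import dataclass

RULE_RX = re.compile(
    r"^(alert|log)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict


def parse_rule(line):
    """Parse one rule line; the options in parentheses become a {name: value} dict."""
    m = RULE_RX.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    options = {}
    for opt in m.group(7).split(";"):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        options[name.strip()] = value.strip().strip('"')
    return Rule(*m.groups()[:6], options)


def addr_match(pattern, value):
    """'any', an exact address, or a CIDR block."""
    if pattern == "any":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value


def port_match(pattern, value):
    return pattern == "any" or int(pattern) == int(value)


def matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if not (addr_match(rule.src, pkt["src"]) and port_match(rule.sport, pkt["sport"])
            and addr_match(rule.dst, pkt["dst"]) and port_match(rule.dport, pkt["dport"])):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt["payload"]


def run(rules, packets):
    """(msg, packet) for every rule hit, in capture order."""
    return [(r.options.get("msg", ""), pkt)
            for pkt in packets for r in rules if matches(r, pkt)]


# Constructed rules.
RULES = [parse_rule(r) for r in [
    'alert tcp any 23 -> any any (msg:"Telnet login prompt seen"; content:"login:";)',
    'alert tcp any any -> 10.1.2.0/24 445 (msg:"SMB to internal server";)',
    'alert udp any any -> any 69 (msg:"TFTP transfer";)',
]]

# Constructed packet summaries, as a capture tool would hand them over.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 23, "dst": "10.1.2.3", "dport": 51000,
     "payload": b"\r\nlogin: "},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 51001, "dst": "203.0.113.7", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00"},
    {"proto": "tcp", "src": "10.1.2.9", "sport": 40000, "dst": "10.1.2.20", "dport": 445,
     "payload": b""},
    {"proto": "udp", "src": "10.1.2.3", "sport": 5353, "dst": "224.0.0.251", "dport": 5353,
     "payload": b"\x00\x00"},
]


if __name__ == "__main__":
    for msg, pkt in run(RULES, PACKETS):
        print(f"{msg}: {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
```

The content check is a plain substring test, which is what makes cleartext protocols such as telnet visible and encrypted ones (the TLS handshake bytes in the second packet) opaque; that is the limit the "outbound packet inspection" slide later works around.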


Network Forensics Tools

  • Metasploit (Ethics?)

    • Test known exploits against a network
    • Use existing components to write exploits
  • Sqlmap/sqlninja (Ethics?)

  • Aircrack (Ethics?)

    • WEP and WPA Encryption cracking
  • Tripwire/AIDE

    • Monitor key files and directories for tampering or changes.
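The tampering-detection approach from the Intrusion detection slide (monitor the integrity of log and system files, alert when critical files change) and the Tripwire/AIDE item here, as one added example that is not Tripwire or AIDE code and not part of the original deck: fingerprint every file under a root (SHA-256 of content, size, permission bits), save the baseline as JSON, recompute later and report what changed, appeared or vanished. The directory contents, file names and the `demo()` cycle are constructed for the example.

```python
"""Added example (not Tripwire or AIDE code): baseline-and-compare tampering detection.

baseline() fingerprints every regular file under a root; save()/load()
persist the fingerprints as JSON; compare() reports added, removed and
changed files, naming the fields that differ. demo() runs the cycle
against a temporary directory holding constructed stand-ins for
/etc/passwd and an auth log.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

FIELDS = ("sha256", "size", "mode")


def fingerprint(path):
    """Content digest plus the metadata a tamperer is likely to disturb."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def baseline(root):
    """{relative path: fingerprint} for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save(base, path):
    # Keep this file off the monitored host or on read-only media: a baseline
    # an intruder can rewrite detects nothing.
    Path(path).write_text(json.dumps(base, indent=1, sort_keys=True))


def load(path):
    return json.loads(Path(path).read_text())


def compare(old, new):
    """Added and removed names, plus {name: [fields that differ]} for changed files."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for name in sorted(set(old) & set(new)):
        diffs = [f for f in FIELDS if old[name][f] != new[name][f]]
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    with tempfile.TemporaryDirectory() as monitored, tempfile.TemporaryDirectory() as store:
        root, base_file = Path(monitored), Path(store) / "baseline.json"
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "auth.log").write_text(
            "Oct  5 03:12:00 host sshd[412]: Accepted password for bob\n")
        save(baseline(root), base_file)

        # Constructed changes of the kind the slide wants flagged: an extra
        # account line, a log truncated to hide activity, a new hidden file.
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nextra:x:1001:1001::/tmp:/bin/sh\n")
        (root / "auth.log").write_text("")
        (root / ".hidden").write_text("placeholder")

        return compare(load(base_file), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Size and mode are cheap checks that catch the common cases early, but the digest is what matters: a same-length edit of a log line changes neither size nor mode.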


Network Forensics

  • Information gathering

    • Vulnerability assessment
    • Network bottlenecks
    • Network usage profiling
  • Legal evidence

    • Monitoring networks for illegal activity
    • Gathering evidence of illegal file transfer
    • Monitoring communications
  • Intrusion detection

    • Hax0rs!
    • Captured network traffic may be the only information remaining if log files are deleted


End of Presentation

  • Digital Forensics: A growing field for computer scientists in Law Enforcement.

  • Questions:

  • 1) Criminal forensics?

  • 2) Network forensics?

  • 3) Forensic tools?



References

  • Halboob, W.; Abulaish, M.; Alghathbar, K.S., "Quaternary privacy-levels preservation in computer forensics investigation process," International Conference for Internet Technology and Secured Transactions (ICITST 2011), pp. 777-782, 11-14 Dec. 2011. URL: http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=6148437&isnumber=6148349

  • CPP!

  • Manson, D.; Carlin, A.; Ramos, S.; Gyger, A.; Kaufman, M.; Treichelt, J., "Is the Open Way a Better Way? Digital Forensics Using Open Source Tools," 40th Annual Hawaii International Conference on System Sciences (HICSS 2007), p. 266b, Jan. 2007. doi: 10.1109/HICSS.2007.301. URL: http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=4076922&isnumber=4076362


