Goals
- Establish facts to prove a crime occurred
- Identify suspects
- Build a timeline of events

Techniques
- Data mining search
- File classification
- Clustering text-based search
Clustering text-based search
- Text pattern matching == grep! But how to rank the results?
- Adaptive User Interest Hierarchy (AUIH)
- The investigator groups interesting results into categories
- Machine learning tries to match similar search results
- Best matches are ranked highest
- Feedback from the investigator helps the program improve its rankings
Present evidence
- Prosecution: explain the importance of the data to the prosecuting attorney before court (provide an analogy)
- Prepare a statement presenting the evidence in a technically accessible manner
- Points to prove (specific to each criminal act)
- Interpret the data (static vs. dynamic IPs)
- Make recommendations about the digital evidence
Digital Forensics Tools
- Commercial packages: EnCase, Forensic Tool Kit (FTK)
- Open source software: Sleuth Kit libraries, Autopsy GUI

Digital Forensics Tools: EnCase Forensic (Guidance Software)
- Industry standard software
- Mobile/cybersecurity/eDiscovery
- EnScript scripting language requires programming experience
- Court-approved forensic file format
- Extensive training program

Digital Forensics Tools: Forensic Tool Kit (FTK) (AccessData)
- Memory analysis
- Built-in decryption and password cracking
- Email analysis
- Built for distributed analysis

Digital Forensics Tools: The Sleuth Kit (open source)
- C libraries for forensic investigation
- "Autopsy" GUI
- Hadoop framework for large data sets
- Online wiki and training available
- Libraries can be used in automated forensics tasks
- Uses an SQLite database
Network Forensics
Information gathering
- Vulnerability assessment
- Network bottlenecks
- Network usage profiling
Legal evidence
- Monitoring networks for illegal activity
- Gathering evidence of illegal file transfer
- Monitoring communications
Intrusion detection
Information gathering
- Assess and improve the usage of your network
- Test your network to find vulnerabilities before someone else does
- Penetration testing
Legal evidence
- Monitor communications, chat forums, email, VoIP for illegal or suspicious activities
- Gather evidence of illegal file transfer such as copyright infringement or child pornography
- Monitoring networks for signs of espionage
- "Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile" - director of Information Systems Analysis Center, Sandia National Laboratories
Need for Intrusion Detection
- Network intrusion can cost a lot of money: the PlayStation Network breach cost Sony $171m
- Industrial espionage can cost companies their competitive advantage: "Every major company in the United States has already been penetrated by China."
Intrusion detection
Honeypots
- Systems set up as targets for intruders
- Monitor what an intruder does
- Attempt to identify the intruder
Tampering detection
- Monitoring the integrity of log files and system files
- Alert the administrator when critical files are changed
Intrusion detection
Outbound Packet Inspection
- Outgoing firewall that inspects all outbound communications
- Uses a man-in-the-middle attack to intercept all encrypted communications
Network Mapping
Network Forensics Tools
Wireshark/Snort (ethical/unethical uses)
- "Sniff" all TCP/IP packets on a network
- Make a record of suspicious/all packets
Nmap
- Map a network
- Determine what services are available and being used
Honeypots/Honeyd
- Creates virtual hosts on a network
- Designed to lure intruders and track their activities
Network Forensics Tools
Metasploit (ethics?)
- Test known exploits against a network
- Use existing components to write exploits
Sqlmap/sqlninja (ethics?)
Aircrack (ethics?)
- WEP and WPA encryption cracking
Tripwire/AIDE
- Monitor key files and directories for tampering or changes
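The tampering-detection bullets (monitor the integrity of log and system files, alert when critical files change) and the Tripwire/AIDE entry describe the same mechanism, so here is one added example covering both. It is not code from the slides or from either project, only a minimal file-integrity checker in the same spirit: build a baseline of SHA-256, size and permission bits for every regular file under a root, store it as JSON, and later report files that were added, removed or modified. The fake system tree, its contents and the "tampering" applied to it are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_fingerprint(path):
    """Hash, size and permission bits of one regular file.
    Timestamps are deliberately left out: an intruder can reset them,
    so content and mode are the stronger evidence."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are recorded as their targets elsewhere, skip here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def check_integrity(root, baseline):
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline)
                      if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a small fake system tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "host")
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "var/log/auth.log",
               "Jan 01 10:00:00 host sshd[100]: Accepted publickey for admin\n")
        # The baseline should live off the monitored host or on read-only media;
        # here it sits beside the tree only for the demonstration.
        db = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Simulated tampering: a log is truncated, a file vanishes, a new job appears.
        _write(root, "var/log/auth.log", "")
        os.remove(os.path.join(root, "etc/hosts"))
        _write(root, "etc/cron.d/unknown-job", "* * * * * root /usr/local/bin/unknown\n")

        return check_integrity(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports `var/log/auth.log` as modified, `etc/hosts` as removed and `etc/cron.d/unknown-job` as added; a real deployment would run the check on a schedule and raise an alert on any non-empty result, exactly the "alert the administrator when critical files are changed" behaviour the slide asks for.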
Network Forensics
Information gathering
- Vulnerability assessment
- Network bottlenecks
- Network usage profiling
Legal evidence
- Monitoring networks for illegal activity
- Gathering evidence of illegal file transfer
- Monitoring communications
Intrusion detection
- Hax0rs!
- Only info remaining if log files are deleted
End of Presentation
Digital Forensics: a growing field for computer scientists in law enforcement.
Questions:
1) Criminal forensics?
2) Network forensics?
3) Forensic tools?