Kit - Digital Forensics

Digital Forensics
The Science of Searching Computers for Evidence
Kit Petrie
Uses of Digital Forensics

Criminal Investigations
• Copyright infringement
• Espionage
• Fraud

Network Forensics
• Network assessment
• Hackers
• Industrial espionage

What do Digital Forensics Experts Do?

• Gather evidence
• Preserve data integrity (chain of evidence)
• Identify critical information
• Analyze evidence
• Present evidence
Gather evidence

• Normal collection vs. selective collection
• Seizure of physical computers/hard drives
  • Examine/copy RAM from live systems
  • Maintain/copy live state for encryption
  • Use of a hardware write blocking device
• Online data (email, ISP logs)
  • Subpoena/request data
Preserve data integrity

• Authenticity and integrity
• Hardware write blocking device
• Hash, encrypt and sign the original evidence
• Document all activities performed on the data
• Store evidence in a secure environment to prevent tampering and leaking (Ethics?)
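A worked example of the hash-and-sign step above (added here, not code from the original slides): the acquired image is hashed, the hash is signed with an examiner key, every later action is appended to a custody log, and verification fails on any byte change. The image bytes and the examiner key are constructed placeholders, and an HMAC stands in for a proper digital signature.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: stands in for a disk image acquired through a write blocker.
EVIDENCE_IMAGE = b"NTFS    " + b"\x00" * 500 + b"user@example.test"
# Hypothetical examiner key; a real lab would use an asymmetric signing key in an HSM.
EXAMINER_KEY = b"examiner-key-placeholder"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(digest: str) -> str:
    return hmac.new(EXAMINER_KEY, digest.encode(), "sha256").hexdigest()


def acquire(image: bytes, examiner: str) -> dict:
    """Initial custody record: hash the original, sign the hash, log the acquisition."""
    digest = sha256_hex(image)
    return {"sha256": digest, "signature": sign(digest),
            "log": [{"when": datetime.now(timezone.utc).isoformat(),
                     "who": examiner, "action": "acquired image via write blocker"}]}


def log_action(record: dict, examiner: str, action: str) -> None:
    """Every action on the evidence is appended to the log, never edited in place."""
    record["log"].append({"when": datetime.now(timezone.utc).isoformat(),
                          "who": examiner, "action": action})


def verify(record: dict, image: bytes) -> bool:
    """Re-hash the working copy; both the digest and its signature must match."""
    sig_ok = hmac.compare_digest(sign(record["sha256"]), record["signature"])
    return sig_ok and sha256_hex(image) == record["sha256"]


if __name__ == "__main__":
    rec = acquire(EVIDENCE_IMAGE, "examiner-01")
    log_action(rec, "examiner-01", "copied image to analysis workstation")
    print(json.dumps(rec, indent=2))
    print("intact:", verify(rec, EVIDENCE_IMAGE))              # True
    print("tampered:", verify(rec, EVIDENCE_IMAGE + b"\x00"))  # False
```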
Identify critical information

• Search for information related to the alleged crime
• Identify suspects and tie them to login credentials
• Maintain privacy of information not related to the alleged crime (ethical considerations)
• Encryption: individual files or full disk
Analyze evidence

Goals
• Establish facts to prove a crime occurred
• Identify suspects
• Build a time line of events

Techniques
• Data mining search
• File classification
• Clustering text based search
Clustering text based search

• Text pattern matching == grep!
• But how to rank the results?
• Adaptive User Interest Hierarchy (AUIH)
  • The investigator groups interesting results into categories
  • Machine learning tries to match similar search results
  • Best matches are ranked highest
  • Feedback from the investigator helps the program improve its rankings
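As an added illustration of the AUIH idea (not code from the slides or from any AUIH implementation): a grep over a constructed corpus returns unranked hits, the hits the investigator flags form a term profile, remaining hits are ranked by cosine similarity to that profile, and negative feedback lowers the weight of a rejected hit's terms. The corpus, stop-word list and function names are all assumptions for the example.

```python
import re
from collections import Counter
from math import sqrt

# Constructed sample corpus: recovered file name -> text fragment.
CORPUS = {
    "mail_0412.txt": "wire the payment to the offshore account before the audit",
    "notes.txt": "payment for the office coffee machine, receipt attached",
    "chat_log.txt": "move the offshore funds tonight, delete the account records",
    "readme.txt": "account settings for the printer, contact IT for payment codes",
    "invoice.txt": "audit of offshore account payment routed through shell company",
}
STOP = {"the", "to", "for", "a", "of", "before", "through", "tonight"}

def tokens(text: str) -> Counter:
    return Counter(w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP)

def grep(pattern: str) -> list:
    """Plain pattern matching: every file whose text matches, in no useful order."""
    rx = re.compile(pattern, re.I)
    return [name for name, text in CORPUS.items() if rx.search(text)]

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[w] * b[w] for w in a if w in b)
    na, nb = sqrt(sum(v * v for v in a.values())), sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def build_profile(interesting: list) -> Counter:
    """The investigator groups hits into a category; its profile is their term counts."""
    profile = Counter()
    for name in interesting:
        profile.update(tokens(CORPUS[name]))
    return profile

def rank(hits: list, profile: Counter) -> list:
    """Hits most similar to the investigator's category come first."""
    return sorted(hits, key=lambda n: cosine(tokens(CORPUS[n]), profile), reverse=True)

def feedback(profile: Counter, name: str, relevant: bool) -> Counter:
    """Positive feedback reinforces a hit's terms, negative feedback damps them."""
    sign = 1 if relevant else -1
    for w, c in tokens(CORPUS[name]).items():
        profile[w] = max(0, profile[w] + sign * c)
    return profile

if __name__ == "__main__":
    hits = grep(r"payment|account")                  # five unranked grep hits
    profile = build_profile(["mail_0412.txt"])       # investigator flags one hit
    print(rank(hits, profile))                       # invoice.txt now ranks second
    print(rank(hits, feedback(profile, "readme.txt", relevant=False)))
```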
Present evidence

Prosecution:
• Explain the importance of the data to the prosecuting attorney before court (provide an analogy)
• Prepare a statement presenting the evidence in a technically accessible manner
• Points to prove (specific to each criminal act)
• Interpret the data (static vs. dynamic IPs)
• Show the time line
• Make recommendations about the digital evidence
Digital Forensics Tools

Commercial packages
• EnCase
• Forensic Tool Kit (FTK)

Open source software
• Sleuth Kit libraries
• Autopsy GUI
Digital Forensics Tools
EnCase Forensic - Guidance Software

• Industry standard software
• Mobile/cybersecurity/eDiscovery
• EnScript scripting language requires programming experience
• Court approved forensic file format
• Extensive training program
Digital Forensics Tools
Forensic Tool Kit (FTK) - AccessData

• Memory analysis
• Custom tablet for mobile phone acquisition
• Built-in decryption and password cracking
• Email analysis
• Built for distributed analysis
Digital Forensics Tools
The Sleuth Kit - Open Source

• C libraries for forensics investigation
• “Autopsy” GUI
• Hadoop framework for large data sets
• Online wiki and training available
• Libraries can be used in automated forensics tasks
• Uses an SQLite database
Network Forensics

Information gathering
• Vulnerability assessment
• Network bottlenecks
• Network usage profiling

Legal evidence
• Monitoring networks for illegal activity
• Gathering evidence of illegal file transfer
• Monitoring communications

Intrusion detection
• Hax0rs!
• Only info remaining if log files are deleted
Information gathering

• Assess and improve the usage of your network
• Test your network to find vulnerabilities before someone else does
• Penetration testing
Legal evidence

• Monitor communications, chat forums, email, VoIP for illegal or suspicious activities
• Gather evidence of illegal file transfer such as copyright infringement or child pornography
• Monitoring networks for signs of espionage

“Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile”
- director of Information Systems Analysis Center, Sandia National Laboratories
Need for Intrusion Detection

• Network intrusion can cost lots of money
  • PlayStation Network breach cost Sony $171m
• Industrial espionage can cost companies their competitive advantage

“Every major company in the United States has already been penetrated by China.”
- Richard Clarke, Counterterrorism Czar
Intrusion detection

Honeypots
• Systems set up as targets for intruders
• Monitor what an intruder does
• Attempt to identify the intruder

Tampering detection
• Monitoring the integrity of log files and system files
• Alert the administrator when critical files are changed
Intrusion detection

Outbound packet inspection
• Outgoing firewall that inspects all outbound communications
• Uses a man-in-the-middle attack to intercept all encrypted communications

Network mapping
• Examine and identify all hosts on a network to guard against rogue access
• Determine which hosts offer what services and why
Network Forensics Tools

Wireshark/Snort (ethical/unethical uses)
• “Sniff” all TCP/IP packets on a network
• Make a record of suspicious/all packets

Nmap
• Map a network
• Determine what services are available and being used

Honeypots/Honeyd
• Creates virtual hosts on a network
• Designed to lure intruders and track their activities
Network Forensics Tools

Metasploit (Ethics?)
• Test known exploits against a network
• Use existing components to write exploits

Sqlmap/sqlninja (Ethics?)
• Penetration testing for SQL injection attacks
• Take over back end databases

Aircrack (Ethics?)
• WEP and WPA encryption cracking

Tripwire/AIDE
• Monitor key files and directories for
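The tampering-detection slide and the Tripwire/AIDE entry describe the same mechanism. This added example (not the slides' code and not either tool's code) takes a baseline of content hashes, sizes and permission bits under a directory and reports changed, added and removed files; the scratch tree it inspects is constructed inside the script.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hash(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Snapshot every file under root: content hash, size and permission bits."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (file_hash(p), st.st_size, st.st_mode & 0o777)
    return snap


def compare(old: dict, new: dict) -> dict:
    """What an intruder typically touches: edited files, planted files, deletions."""
    return {
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a wiped log, a planted
    file and a deleted config file, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "cron.allow").write_text("root\n")
        (root / "auth.log").write_text("sshd: Accepted publickey for alice\n")
        before = baseline(root)                           # stored baseline
        (root / "auth.log").write_text("")                # log wiped
        (root / "planted.sh").write_text("#!/bin/sh\n")   # unexpected new file
        (root / "etc" / "cron.allow").unlink()            # config file removed
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())  # {'changed': ['auth.log'], 'added': ['planted.sh'], 'removed': ['etc/cron.allow']}
```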
End of Presentation

Digital Forensics: a growing field for computer scientists in law enforcement.

Questions:
1) Criminal forensics?
2) Network forensics?
3) Forensic tools?