Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #5
Technology and Services
September 9, 2009
Review of Lectures
Part 1 of the Course
- Reference: Part 1 of the Book + Links given in Lectures
- Lecture 1: Introduction to Digital Forensics
- Lecture 2: Background on Cyber Security
- Lecture 3: Data Recovery and Evidence Collection
- Lecture 4: Malicious Code Detection: How do you detect that the problem has occurred?
- Lecture 5: Forensics Technologies and Services
Part 2 of the Course
- Part 2 of the Book
- Lecture 6: Data Acquisition Details (September 14, 2009)
Assignment #1
Text Book
- Hands-on Project 2.1
- Hands-on Project 2.2
- Chapter 2
- Page 68-69
- Due: Wednesday September 23, 2009
Outline
Forensics Technologies
- Forensics Technology: Military, Law Enforcement, Business Forensics
- Forensics Techniques: Finding Hidden Data, Spyware, Encryption, Data Protection, Tracing, Data Mining
- Security Technologies: Wireless, Firewalls, Biometrics
Services
- Cyber crime, Cyber detective, Risk Management, Investigative services, Process improvement
Introduction
Digital forensics includes computer forensics and network forensics
Computer forensics gathers evidence from computer media seized at a crime scene
- Issues involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation
Network forensics
- Analysis of computer network intrusion evidence
Military Forensics
CFX-2000: Computer Forensics Experiment 2000
- Information Directorate of the Air Force Research Laboratory (AFRL) in partnership with NIJ/NLECTC (National Institute of Justice / National Law Enforcement and Corrections Technology Center)
- Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework
- Tools included commercial products and research prototypes
http://www.afrlhorizons.com/Briefs/June01/IF0016.html
http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf
Law Enforcement Forensics
Commonly examined systems: Windows NT, Windows 2000, XP and 2003
Preserving evidence
- Mirror image backups: SafeBack technology from New Technologies Inc.
Tools to handle
- Trojan Horse programs / file slack
- Data hiding techniques: AnaDisk analyzes diskettes; CopyQM duplicates diskettes
- E-Commerce investigation: Net Threat Analyzer
- Text search: TextSearch Plus tool
- Fuzzy logic/data mining tools to identify unknown text: Intelligent Forensics Filter
Business Forensics
Remote monitoring of target computers
- Data Interception by Remote Transmission (DIRT) from
Codex Data Systems
Creating trackable electronic documents
Theft recovery software for laptops and PCs
- PC Phonehome tool
- RFID technology
Forensics Techniques
Techniques for finding, preserving and preparing evidence
Finding evidence is a complex process, as the forensic expert has to determine where the evidence resides
- Evidence may be in files, on disks, or on paper; all types of evidence need to be tracked
Preserving evidence includes ensuring that the evidence is not tampered with
- Involves pre-incident planning and training in incident discovery procedures. If the machine is turned on, leave it on; do not run programs on that particular computer
Preparing evidence will include data recovery, documentation, etc.
Finding Hidden Data
When files are deleted, usually they can be recovered
- The files are marked as deleted, but they still reside on the disk until they are overwritten
Files may also be hidden in different parts of the disk
- The challenge is to piece the different parts of the file together to recover the original file
There is research on using statistical methods for file recovery
http://www.cramsession.com/articles/files/finding-hiddendata---how-9172003-1401.asp
http://www.devtarget.org/downloads/ca616-seufertwolfgarten-assignment2.pdf
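The recovery step above, as an added example that is not part of the lecture: a signature carver that ignores the file system and scans a raw image for the header and footer bytes of known formats, the way a deleted file is found before its blocks are overwritten. The "disk image" is constructed inline (zero filler, a real 1x1 PNG, and a JPEG-shaped file); the signature table, block sizes and the CRC check are this example's own choices.

```python
"""Signature-based carving of deleted files from unallocated space.

Added example, not from the lecture. A deleted file's blocks stay on disk until
they are overwritten, so a carver ignores the file system and scans the raw
image for the header and footer bytes of known formats. The "disk image" here
is constructed inline and stands in for a dump of free space.
"""
import struct
import zlib

# (header, footer) byte signatures for two common formats
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, kind, data) for every header whose footer follows within max_size bytes."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)   # header with no footer: orphaned fragment
                continue
            end += len(footer)
            found.append((pos, kind, image[pos:end]))
            pos = image.find(header, end)           # resume after the carved file
    return sorted(found, key=lambda f: f[0])


def png_is_valid(data: bytes) -> bool:
    """Walk the PNG chunks and check every CRC: a signature hit alone is not proof of a file."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            return False
        if tag == b"IEND":
            return True
        pos += 12 + length
    return False


def build_sample_image() -> bytes:
    """Constructed free-space blob: zero filler, a real 1x1 PNG, more filler, a JPEG-shaped file."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    png = SIGNATURES["png"][0] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    # JFIF header, padding and end-of-image marker: enough structure for the carver
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    return b"\x00" * 512 + png + b"\x00" * 1024 + jpg + b"\x00" * 256


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        note = " (chunk CRCs verified)" if kind == "png" and png_is_valid(data) else ""
        print(f"offset {offset}: {kind}, {len(data)} bytes{note}")
```

Header/footer carving only recovers files stored contiguously; a fragmented file, or a JPEG whose embedded thumbnail carries its own end marker, needs the format-aware or statistical methods the slide mentions. The CRC walk shows the kind of validation that keeps a three-byte signature match from being reported as a recovered file.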
Spyware/Adware
Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
http://en.wikipedia.org/wiki/Spyware
Spyware is mostly advertising-supported software (adware)
- Shareware authors place ads from a media company and get a piece of the revenue
PC surveillance tools that allow a user to monitor computer activity
- Keystroke capture, snapshots, email logging, chats etc.
Privacy concerns with spyware
Encryption
Popular encryption techniques
- Public key/private key
  The owner of the data encrypts with the public key of the receiver; the receiver decrypts with his private key. Only the holder of the private key can read the result
  In some cases the owner may encrypt with his own private key for multiple receivers; each receiver decrypts with the owner's public key. Since anyone holding the public key can do this, the operation proves who produced the data (a digital signature) rather than keeping it secret
- Merkle hashing is a popular method to hash documents: a one-way hash function is applied to the blocks of a document and the block hashes are combined into a single root hash, so any change to the document changes the root
Challenge is to generate unique keys
Issues: a trusted authority is needed to generate keys and issue credentials
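The Merkle hashing mentioned above, as an added example that is not part of the lecture: a hash tree over the blocks of an acquired image, where the root is the one value an examiner records and an inclusion proof ties any single block back to it. The block size, the leaf/node domain-separation bytes and the sample image are this example's own choices.

```python
"""Merkle hash tree over an evidence image.

Added example, not from the lecture. The image is split into fixed-size blocks,
each block is hashed with SHA-256, and the block hashes are folded pairwise into
one root. The root is the single value recorded at acquisition time; an
inclusion proof later ties any one block to that root without rehashing the
whole image. The sample image is constructed inline.
"""
import hashlib

BLOCK = 512
LEAF, NODE = b"\x00", b"\x01"   # domain separation so a leaf cannot pose as an interior node


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaves(image: bytes) -> list:
    """One leaf hash per BLOCK-sized slice (the last slice may be short)."""
    return [h(LEAF + image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)] or [h(LEAF)]


def _next_level(level: list) -> list:
    if len(level) % 2:               # odd count: duplicate the last node
        level = level + [level[-1]]
    return [h(NODE + level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(hashes: list) -> bytes:
    level = list(hashes)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(hashes: list, index: int) -> list:
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof, level = [], list(hashes)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(leaf_hash: bytes, proof: list, root: bytes) -> bool:
    """Recompute the path from one leaf to the root and compare with the recorded root."""
    node = leaf_hash
    for side, sibling in proof:
        node = h(NODE + sibling + node) if side == "L" else h(NODE + node + sibling)
    return node == root


def sample_image() -> bytes:
    """Constructed 2304-byte 'evidence image' (five blocks)."""
    return bytes(range(256)) * 9


if __name__ == "__main__":
    img = sample_image()
    root = merkle_root(leaves(img))
    print("root:", root.hex())
    tampered = bytearray(img)
    tampered[1500] ^= 0x01           # flip one bit in block 2
    print("root after tamper:", merkle_root(leaves(bytes(tampered))).hex())
```

A flat SHA-256 of the whole image also detects tampering, but only the tree tells you which block changed and lets a party who holds one block and a short proof check it against the root without the rest of the image.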
Internet/Web Tracing
Where has the email come from?
- Check the IP addresses in the message headers
- The sender may use a fake address by changing header fields; the sending server may not check this and so the mail is sent anyway
Tracing web activity
- Who has logged into the system, say from a public web site, and modified accounts and grades?
Web/email tracking tools
- http://www.cryer.co.uk/resources/websitetracking.htm
- http://www.visualware.com/resources/tutorials/email.html
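The email tracing described above, as an added example that is not part of the lecture: walking the Received: headers to recover the relay path and origin address, and checking the sender-controlled From: line against that path. The message, hosts and addresses are constructed for the example; the boundary-check rule (first relay inside our domain received from outside) is this example's own heuristic.

```python
"""Walking the Received: chain of an e-mail to find where it came from.

Added example, not from the lecture. Every relay prepends its own Received:
line, so the headers read top to bottom are the path in reverse. The From:
line is free text chosen by the sender, so it is compared with the relay
chain instead of being trusted. The message below is constructed for the
example; the hosts and addresses in it are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby inbox.example.edu with ESMTP id abc123; Wed, 9 Sep 2009 10:01:02 -0500
Received: from webmail.freemail.example (unknown [198.51.100.77])
\tby mail.example.edu with SMTP; Wed, 9 Sep 2009 10:00:58 -0500
Received: from [203.0.113.5] (helo=registrar.example.edu)
\tby webmail.freemail.example with HTTP; Wed, 9 Sep 2009 09:59:40 -0500
From: Registrar <registrar@example.edu>
To: student@example.edu
Subject: Grade change confirmation

Your grade has been updated.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from (\S+)(.*?) by (\S+)")


def relay_chain(raw: str) -> list:
    """(from_host, ip_or_None, by_host) per hop, ordered origin first."""
    msg = message_from_string(raw)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                               # non-standard relay line; keep going
        ip = IP_RE.search(m.group(1) + m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return list(reversed(hops))                    # headers are prepended: reverse for transit order


def origin_ip(raw: str):
    """Address that handed the message to the first relay: the best lead on the sender."""
    chain = relay_chain(raw)
    return chain[0][1] if chain else None


def from_domain(raw: str) -> str:
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rpartition("@")[2].lower()


def entered_from_outside(raw: str, our_domain: str) -> bool:
    """True when the first relay inside our_domain got the message from a host outside it.

    Paired with a From: address in our_domain this is the classic sign of a forged sender:
    nothing stops a sender typing an internal address into From:. Only the Received: lines
    added by our own relays can be trusted; earlier ones could be forged by the sender too."""
    for from_host, _ip, by_host in relay_chain(raw):
        if by_host.lower().endswith(our_domain):
            return not from_host.lower().endswith(our_domain)
    return False


if __name__ == "__main__":
    for hop in relay_chain(SAMPLE):
        print("from %-28s ip=%-14s by %s" % hop)
    print("claimed From: domain:", from_domain(SAMPLE))
    print("origin IP:", origin_ip(SAMPLE))
    print("entered example.edu from outside:", entered_from_outside(SAMPLE, "example.edu"))
```

In the sample the From: line claims the registrar, but the message entered example.edu from a free webmail server, and the origin hop announced itself with a HELO name it cannot prove; the 203.0.113.5 address is what a subpoena to the webmail provider would be built around.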
Wireless Technology Forensics
Forensic Examination of a RIM (BlackBerry) Wireless Device
http://www.rh-law.com/ediscovery/Blackberry.pdf
- “There are two types of RIM devices within each model class. The Exchange Edition is meant for use in a corporate environment while the Internet Edition works with standard POP email accounts. The Exchange Edition employs Triple-DES encryption to send and receive but the Internet Edition communicates in clear text. Neither employs an encrypted file system”
Relevance of RIM forensics
- “The RIM device shares the same evidentiary value as any other Personal Digital Assistant (PDA). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the RIM’s always-on, wireless push technology adds a unique dimension to forensic examination. Changing and updating data no longer requires a desktop synchronization. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a PDA spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. Thus, the RIM’s currently unsurpassed portability is the examiner’s greatest ally”
Wireless Technology Forensics - 2
The Hardware
- The RIM device is designed around an Intel 32-bit i386 processor, a low power embedded version of the same processor that used to power a desktop PC. Each unit has 512 KB of SRAM and 4 or 5 MB of Flash RAM, depending on the model. The RIM’s SRAM is analogous to the RAM on a desktop and the Flash memory is the “disk space” used to store the Operating System (OS), applications, and the file system. The RIM’s OS is a single executable named PAGER.EXE and the applications are DLL’s.
Toolbox
- BlackBerry Desktop Software, available free at www.blackberry.com
- BlackBerry C++ Software Development Kit v2.1, available free at www.blackberry.com
- Hex editor
- Text editor
- AA batteries
- Spare BlackBerry cradles
- The examination PC should meet the minimum requirements for the BlackBerry Software Development Kit (SDK) and have two available external 9-pin RS232 serial ports. Disk space required for evidence gathering is minimal: space equal to the amount of Flash RAM in the RIM units being investigated.
Firewall Forensics
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
Analyzing firewall logs: what do the port numbers etc. mean? This information may be used to help figure out what hackers are up to.
- What does destination port number ZZZZ mean?
- What does this ICMP info mean?
- What do these IP addresses indicate?
- Stuff doesn't work
- What are some typical signatures of well-known programs?
- What do these other logs mean?
- How do I configure filters?
- Packet Zen
- What's the deal with NetBIOS (UDP port 137)?
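The kind of log reading the FAQ teaches, as an added example that is not part of the lecture or of the linked FAQ: a few constructed iptables-style log lines are parsed, the destination ports and ICMP type/code are given their meaning, and a source sweeping UDP/137 across many hosts is separated from the single NetBIOS queries Windows machines send on their own. The log lines, addresses and the small meaning tables are this example's own.

```python
"""First-pass triage of firewall log lines.

Added example, not from the lecture or the FAQ it links. A few iptables-style
log lines are constructed inline; the code parses the KEY=VALUE fields, attaches
the meaning of the well-known ports and ICMP types involved, and picks out a
source probing the NetBIOS name service (UDP/137) across many hosts, which is
the pattern that separates a scan from the chatter Windows hosts produce by
themselves. All addresses and timestamps are made up.
"""
import re
from collections import Counter, defaultdict

LOG = """\
Sep  9 10:01:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=137 DPT=137
Sep  9 10:01:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=UDP SPT=137 DPT=137
Sep  9 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.3 PROTO=UDP SPT=137 DPT=137
Sep  9 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.4 PROTO=UDP SPT=137 DPT=137
Sep  9 10:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=80 SYN
Sep  9 10:01:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51516 DPT=443 SYN
Sep  9 10:01:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51517 DPT=1433 SYN
Sep  9 10:01:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep  9 10:01:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=3
"""

# Meanings for the handful of ports/types in the sample; extend from the IANA registry as needed.
PORT_MEANING = {
    ("TCP", 80): "HTTP",
    ("TCP", 443): "HTTPS",
    ("TCP", 1433): "Microsoft SQL Server; a common target when exposed",
    ("UDP", 137): "NetBIOS name service; single queries are normal Windows chatter, sweeps are share hunting",
}
ICMP_MEANING = {
    (8, 0): "echo request (ping)",
    (3, 3): "destination unreachable, port unreachable: a UDP probe reached a closed port",
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse(log: str) -> list:
    """One dict of KEY=VALUE fields per kernel log line (bare flags such as SYN are dropped)."""
    return [dict(FIELD_RE.findall(line)) for line in log.splitlines() if "kernel:" in line]


def explain(event: dict) -> str:
    """Plain-language meaning of the destination port or ICMP type/code of one event."""
    proto = event["PROTO"]
    if proto == "ICMP":
        key = (int(event["TYPE"]), int(event["CODE"]))
        return f"ICMP type {key[0]} code {key[1]}: " + ICMP_MEANING.get(key, "see RFC 792")
    key = (proto, int(event["DPT"]))
    return f"{proto}/{key[1]}: " + PORT_MEANING.get(key, "unknown; identify the service before calling it an attack")


def target_histogram(events: list) -> Counter:
    """How often each (protocol, port or ICMP type) appears: the first view to take of a log dump."""
    return Counter((e["PROTO"], e.get("DPT") or e.get("TYPE")) for e in events)


def netbios_scanners(events: list, min_targets: int = 3) -> list:
    """Sources that sent UDP/137 to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["PROTO"] == "UDP" and e.get("DPT") == "137":
            targets[e["SRC"]].add(e["DST"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    events = parse(LOG)
    for key, count in target_histogram(events).most_common():
        print(f"{count:3d} x {key}")
    for e in events:
        print(e["SRC"], "->", e["DST"], explain(e))
    print("NetBIOS sweep sources:", netbios_scanners(events))
```

The threshold on distinct destinations is what makes the NetBIOS rule useful: one UDP/137 packet from a Windows host is noise, the same source walking an address range is reconnaissance. The ICMP 3/3 line is the other common confusion in such logs; it is a reply to something our side sent, not an attack.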
Biometrics Forensics: Richard Vorder Bruegge
http://www.biometrics.org/bc2004/Bios/vorderbruegge_bio_OK.pdf
http://www.biometrics.org/bc2004/Presentations/Conference/2%20Tuesday%20September%2021/Tue_Ballroom%20B/1%20DOJ%20Session/Vorderbruegge_Presentation.pdf
It often happens that people confuse biometrics and forensics. After all, television and movies make it look like automated biometrics databases can be used to identify and convict people all the time. Isn't that what forensics is all about? Unfortunately, this can have an adverse effect on the development of forensic tools which utilize biometric features, because those in position to make funding decisions may not understand the distinction between the two. This presentation will attempt to provide the audience with a better understanding of the relationship between biometrics and forensics from the standpoint of a forensic scientist.
Biometrics Forensics: Richard Vorder Bruegge
Advances in the field of biometrics offer great potential for the field of forensics. Biometric databases offer the promise of enabling law enforcement and the intelligence community to rapidly identify questioned individuals if they are present in the queried database. However, obtaining a "hit" in a biometric database is a far cry from an identification in the world of forensic science. The standard of proof to which forensic scientists in the United States are held is "beyond a reasonable doubt". That "reasonable doubt" criterion, coupled with standards for scientific and technical evidence elucidated in the "Daubert" and "Kumho Tire" cases, requires that conclusions offered by forensic scientists be supported at beyond that offered by current biometric systems, particularly in the field of facial recognition.
http://forensic-evidence.com/site/ID/ID_prime_qd.html
Reviewing Court Approves of Fingerprint Admissibility
Technologies: Conclusion
Two types of forensics: computer forensics and network forensics
- Computer forensics is mainly about file system forensics; network forensics is about detecting intrusions and linking them to hackers/terrorists
Various techniques are being developed for military forensics, law enforcement forensics and business forensics; they are not mutually exclusive
Different tools for different systems
- Systems include operating systems, database systems, networks, middleware, wireless systems, firewalls, biometrics
Biometric systems may be compromised; however, biometrics may be used as evidence
Data mining/analysis is being used for forensics
- http://eprints.qut.edu.au/archive/00002274/01/2274.pdf (Image mining for digital forensics)
Types of Computer Forensics Systems
Internet Security Systems
Intrusion Detection Systems
Firewall Security Systems
Storage Area Network Security Systems
Network disaster recovery systems
Public key infrastructure systems
Wireless network security systems
Satellite encryption security systems
Instant Messaging Security Systems
Net privacy systems
Identity management security systems
Identity theft prevention systems
Biometric security systems
Homeland security systems
Cyber Crime
Financial Fraud
Sabotage of Data or Networks
Theft of Proprietary Information
System Penetration from the outside and denial of service
Unauthorized access by insiders and employee misuse of
Internet access privileges: Insider threat
Malicious code (e.g., Virus)
Cyber Detective
Forensics investigators
- detect the extent of a security breach,
- recover lost data,
- determine how an intruder got past the security mechanisms,
- and possibly identify the culprit
Legal issues
- Admissibility of digital evidence in court
- Laws lag technology
- Theft: a person must permanently deprive the victim of property; does this apply to cyber theft?
Risk Management
Risk management
- is the human activity which integrates recognition of risk,
risk assessment, developing strategies to manage it, and
mitigation of risk using managerial resources.
- The strategies include transferring the risk to another
party, avoiding the risk, reducing the negative effect of the
risk, and accepting some or all of the consequences of a
particular risk.
- http://en.wikipedia.org/wiki/Risk_management
Risk management for Computer Forensics
- Effective IT and staff policies
- Use of state of the art Vendor tools
- Effective procedures
Forensic Services
Forensics Incident Response
Evidence Collection
Forensic Analysis
Expert witness
Forensic litigation and insurance claims support
Training
Process improvement
Investigative services examples
Intrusion detection service
- Installing technical safeguards to spot network intruders or detect denial of service attacks at e-commerce servers
Digital evidence collection
- Identify all devices that may contain evidence
- Quarantine all in-house computers
- Court orders to preserve and collect evidence
Process Improvement: Tools
dig -x / nslookup
whois
ping
traceroute
finger
Anonymous surfing
USENET
Need to integrate the processes
Links
http://www.compforensics.com/
http://www.computer-forensic.com/faqs.html
http://www.cfsiusa.com/
- Dallas, TX
http://www.evestigate.com/
http://www.digitaldataforensics.com/
http://www.databankservices.com/
- Austin, TX
http://www.vogon-international.com/computer-
forensics/
http://www.vogon.co.uk/
http://www.forensiccomputerservice.com/