FINAL YEAR PROJECT Trevor Brosnan BSc(Hons


FINAL YEAR PROJECT
Trevor Brosnan
BSc(Hons) Computer Forensics
[email protected]
• ORIGINS OF PROJECT
• COFEE COMPARISON
• HOW IT WORKS
• DEMONSTRATION
• TECHNOLOGIES
• COMPATIBLE / TESTING
• PROJECT TIMELINE
• FUTURE /CONCLUSION
• FUNCTIONALITY
• QUESTIONS/ISSUES
overview
Computer fraud has many branches, and none is emerging faster than that caused by employees. This type of fraud is commonplace within the workforce, as it does not require an employee to have extensive I.T. knowledge, just the opportunity.
Cost is the biggest concern in considering an investigation.
- Ernst & Young Report 2011
Fraud can be defined as the intentional deception made for personal gain and to damage another.
Make it as simple as possible...
origins of project
• Microsoft COFEE is a forensics tool, approximately 15MB in size, that fits on a USB drive for law enforcement officials to use in PC investigations. An officer with even minimal computer experience can be tutored, in less than 10 minutes, to use a preconfigured COFEE device.
Strengths: Created by Microsoft for Microsoft systems.
Weaknesses: Available only to law enforcement; outdated tools. DECAF was invented by hackers to thwart all investigations done by this tool.
• EnCase Forensic, the industry-standard computer investigation solution, is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process. [Encase]
Strengths: The leader on the market for any professional forensic investigation.
Weaknesses: Extremely expensive ($4000-$4500).
• BackTrack 5 was designed to be an all-in-one live CD used on security audits and was specifically crafted to not leave any remnants of itself on the laptop. It has since expanded to being the most widely adopted penetration testing framework in existence and is used by the security community all over the world. [BackTrack2011]
Strengths: Extremely powerful; has a massive repository of tools.
Weaknesses: Extremely complex to use; separate operating system.
current applications
how it works
For the development of fraudIT, one main tool encompassed the entire project: the programming language known as Python.
Python
Python is a programming language that lets you work more quickly and integrate your systems more
effectively. You can learn to use Python and see almost immediate gains in productivity and lower
maintenance costs.
Python runs on Windows, Linux/Unix, Mac OS X, and has been ported to the Java and .NET virtual
machines.
[Python2011]
PyQt4
PyQt is a set of Python bindings for Nokia's Qt application framework and runs on all platforms
supported by Qt including Windows, MacOS/X and Linux. There are two sets of bindings: PyQt v4
supports Qt v4; and the older PyQt v3 supports Qt v3 and earlier. The bindings are implemented as a
set of Python modules and contain over 300 classes and over 6,000 functions and methods.
[Qt2011]
python
Iteration 0 (Start 8/9/11, End 31/10/11)
The main goals of this stage are to produce the first prototype and to look into methods and technologies which will be used throughout my project.
• Creation of the project's concept.
• Ensure that the project is viable.
• Assignment of a project supervisor.
• Creation of overall goals.
• Investigations into similar applications.
• Research into new tools to incorporate into the application.
• The development of the first report.
Iteration 1 (Start 1/11/12, End 12/12/11)
The main goal of this stage is to develop the first working prototype, known as "Prototype version 1".
• Obtain relevant skills in Python programming and techniques in Perl scripting, and understand how these work together with a Qt-based GUI.
• Research into fraudulent activity within the workplace.
• Research the ethical foundation of my application.
• Create Report 2.
project timeline
Iteration 2 (Start 13/12/11, End 2/2/12)
The main goal of this iteration is to improve the GUI of the application and include additional functionality.
• Creation of Prototype v2.
• Increase the functionality with additional tools and create a more visually appealing application.
• Test for bugs that could occur.
• Assess the way the application will be delivered, along with the dependencies needed.
Iteration 3 (Start 3/2/12, End 1/5/12)
The final iteration of the project will see the creation of a fully functioning program.
• Creation of Prototype v3.
• Creation of the final application.
• The main focus will be to test for any faults within the application.
• The removal of any redundant code or features.
• The creation of the final reports and documentation.
• Final report created and submitted.
• System Audit
Information– Logins, System Uptime, System
Information, Update History, Recycle Bin History,
Windows File System, Power On History, Scheduled
Events, Running Services.
Unusual Activity – Blue Screen Tracker, Open Files,
Event Logs, Application Crashes, Windows Crash Reports, What's in Startup.
Devices – Battery Information, Bluetooth, USB History.
• Network Audit
Connections – IP Information, Port Information, Check Firewall, Firewall Rules, Nearby Wifi,
Networked PCs, Show Groups, Wireless Info.
Browser- Chrome/IE/Firefox History, Chrome/IE/Firefox Cache, Chrome/IE/Firefox Cookies
Email – Gathering and analysis
Additional – Skype History Logs, Live Contacts, Internet Passwords, Opera History, Safari
History, Get Bookmarks, Search History
tools used #1
• Registry Audit
Initial– Gather Hives
User Hive- Shellbags, Printers, Recent Files, Recent Application, Typed URLs, Proxy
Settings, IE Registry Entries, Recent Documents, Windows Searches, File Associations.
Software Hive– Application Paths, Network Cards, Wireless Associations, SQL last
connected, Profile List, Internet Applications, Uninstalled Apps, Yahoo Message, Apps
Associations, Port Devices
System Hive – Network Information, Mounted Devices, Removed Devices, Shutdown
History, Event Logs, Safe Boot History, USB Information, Running Services.
Security/SAM – Parsing of Hive
• File Audit
General – Alternate Data Streams, Clipboard History, MSOffice Addons, Video Cache History
Text, Image, Video and Audio Audits – Pop-up drag-and-drop audits using Alternate Data Streams, Metadata, File Duplication and
Integrity checks.
tools used #2
• Live Audit
runs the most important tools with a single click
• All in One Audits
runs all in 1 audits using the most important tools of
the system, network and registry tools
• Report Generation
Reports are generated for each of the Live Audit and All
in 1 tools run, so that a user can review the information at
a later stage.
• Evidence Uploads
All data gathered is uploaded, with a click of a button, to
an Amazon S3 bucket.
• Tutorials
These along with a few other features will help guide
the user in their use of the application
additional functionality
• Logging System
• Evidence Duplication
• Integrity Checking
• Timestamps
• Portability
• Sub-processing
• Application Centre
• Icon Association
• Re-encoding Outputs
background functions
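The evidence duplication, integrity checking, timestamp and logging functions listed above, as an added example written for this page rather than fraudIT's own code: a gathered evidence file is copied into a case folder, source and copy are hashed with SHA-256, a UTC timestamp is recorded in a JSON manifest, and the copies can be re-verified before they are reported or uploaded. The logger name and manifest layout are assumptions.

```python
# Added example (not fraudIT's own code): duplicate a gathered evidence file
# into a case folder, hash source and copy with SHA-256, record a UTC
# timestamp in a JSON manifest, log the action, and re-verify the copies later.
import hashlib
import json
import logging
import shutil
from datetime import datetime, timezone
from pathlib import Path

log = logging.getLogger("fraudit_integrity")  # assumed logger name


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large evidence files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def duplicate_evidence(src: Path, case_dir: Path) -> dict:
    """Copy src into case_dir, verify the copy, and append a manifest entry."""
    case_dir.mkdir(parents=True, exist_ok=True)
    dst = case_dir / src.name
    shutil.copy2(src, dst)  # copy2 keeps the original modification time
    src_hash, dst_hash = sha256_of(src), sha256_of(dst)
    if src_hash != dst_hash:  # copy is not a faithful duplicate: refuse it
        raise IOError(f"copy of {src} does not match its source")
    entry = {"source": str(src), "copy": str(dst), "sha256": dst_hash,
             "acquired_utc": datetime.now(timezone.utc).isoformat()}
    manifest = case_dir / "manifest.json"  # assumed manifest file name
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(entry)
    manifest.write_text(json.dumps(entries, indent=2))
    log.info("duplicated %s sha256=%s", src, dst_hash)
    return entry


def verify_case(case_dir: Path) -> list:
    """Re-hash every copy listed in the manifest; return the paths that changed."""
    entries = json.loads((case_dir / "manifest.json").read_text())
    return [e["copy"] for e in entries
            if sha256_of(Path(e["copy"])) != e["sha256"]]
```

A non-empty list from verify_case means a copy no longer matches the hash recorded at acquisition time and should not be used in a report.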
• Global Variables
• Folder creation
• Text Browser
• Use of Windows Functions
• Progress Bars
• Error Messages
• Status Bar
• OS commands
VS
COFEE is Microsoft's incident response GUI, which was made available to law enforcement officers to help aid them in their investigations. COFEE uses around 30 unique tools, while fraudIT uses over 80.
• Design
• Features/Tools
• Ease of Use
• Display
cofee comparison
• Integrity
• Evidence
• Connectivity
• All in 1
The demonstration of the project will include:
• Accessing the application using a USB
• Loading the application
• Running various tools
• Using the File Audit
• Uploading evidence
• Reviewing reports
Due to the length of time it takes to run a Live Audit, this will be demonstrated using a video clip so as to speed up the time it would normally take.
demo
Using ActiveState Komodo we will take a look at the Python code which is used to build the application.
code overview
Compatibility is of major concern when creating fraudIT
Windows Systems tested for compatibility : XP , 7 and 8 (different architectures)
Testing carried out:
Use case Testing:
Whether the application can be used by
a novice.
Code Review /Debugging:
Asking coders to see what I can do to
increase the performance
compatible & testing
Tool comparison:
Different tools used for the same
function
• Time Management
additional projects
• Display Issues
icons, centring, sizing
• Compatibility Issues
XP -> 7 -> 8
• Tool Acquisition
command line only
• Programming Issues
Perl and Python knowledge increase
• Project Concept
idea has changed over time
• Presentation Issues
time management and weighting of marks
issues
• Alert Data
Allow for unusual results to be flashed to the user
• Apple Compatible
Acquire tools for Mac PCs
• Timelines
Incorporate timelines for the all in one audits
• Central Application
Run the application from a central server
• Python Power
Instead of using open source tools, include Python code to
perform the functions
future
The skills which I have gained from this project have been
immense; they have helped me gain confidence in my ability to
learn new programming languages, improve my time
management, and were one of the main reasons I have been offered
a job with Version 1 as a Graduate IT Consultant.
The time spent on the creation of the application has also proven
quite useful for other modules, as my understanding of
Python has been incorporated into projects (Development of an
Android APK Analysis Application for a research project in
Network Security). It has highlighted weaknesses and strengths
which I never knew I had.
conclusion
questions
[BackTrack2011] BackTrack Linux - Penetration Testing Distribution. Available at: http://www.backtrack-linux.org/ [Accessed October 26, 2011].
[Coffe2011] Computer Online Forensic Evidence Extractor (COFEE). Available at: http://www.microsoft.com/industry/government/solutions/cofee/default.aspx [Accessed October 22, 2011].
[Encase] Leading E-Discovery, Forensic Software. Available at: http://www.guidancesoftware.com [Accessed November 1, 2011].
[Qt2011] Riverbank | Software | PyQt | What is PyQt? Available at: http://www.riverbankcomputing.co.uk/software/pyqt/intro [Accessed October 17, 2011].
[Python2011] Python Programming Language – Official Website. Available at: http://www.python.org/ [Accessed October 22, 2011].
references