Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #3 Technology August 27, 2007
Page 1: Lecture3.ppt

Digital Forensics

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Lecture #3

Technology

August 27, 2007

Page 2: Lecture3.ppt

Outline

Review of Lecture 2

Introduction

Forensics Technology

- Military, Law Enforcement, Business Forensics

Forensics Techniques

- Finding Hidden Data, Spyware, Encryption, Data Protection, Tracing, Data Mining

Security Technologies

- Wireless, Firewalls, Biometrics

Conclusion and Next Steps

APPENDIX: Data Mining

Page 3: Lecture3.ppt

Review of Lecture #2: Fundamentals

Applications

- Law enforcement, Human resources, Other Services

Benefits

Using the evidence

Case Histories/Studies

Page 4: Lecture3.ppt

Introduction

Digital forensics includes computer forensics and network forensics

Computer forensics

- Gathers evidence from computer media seized at a crime scene

- Issues include imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation

Network forensics

- Analysis of evidence of intrusions into computer networks

Page 5: Lecture3.ppt

Military Forensics

CFX-2000: Computer Forensics Experiment 2000

- Air Force Research Laboratory (AFRL) Information Directorate, in partnership with NIJ/NLECTC

- Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework

- Tools included commercial products and research prototypes

- http://www.afrlhorizons.com/Briefs/June01/IF0016.html

- http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf

Page 6: Lecture3.ppt

Law Enforcement Forensics

Commonly examined systems: Windows NT, Windows 2000, XP and 2003

Preserving evidence

- Mirror image backups: Safe Back technology from New Technologies Inc.

Tools to handle

- Trojan horse programs; file slack

- Data hiding techniques: AnaDisk analyzes diskettes; CopyQM duplicates diskettes

- E-commerce investigation: Net Threat Analyzer

- Text search: TextSearch Plus tool

- Fuzzy logic/data mining tools to identify unknown text: Intelligent Forensics Filter

Page 7: Lecture3.ppt

Business Forensics

Remote monitoring of target computers

- Data Interception by Remote Transmission (DIRT) from Codex Data Systems

Creating trackable electronic documents

Theft recovery software for laptops and PCs

- PC PhoneHome tool

- RFID technology

Page 8: Lecture3.ppt

Forensics Techniques

Techniques for finding, preserving and preparing evidence

Finding evidence is a complex process, as the forensic expert has to determine where the evidence resides

- Evidence may be in files, on disks, or on paper. Need to track all types of evidence

Preserving evidence includes ensuring that the evidence is not tampered with

- Involves pre-incident planning and training in incident discovery procedures. If the machine is turned on, leave it on; do not run programs on that particular computer (anything run on it changes timestamps and can overwrite the free space that still holds deleted data)

Preparing evidence will include data recovery, documentation, etc.

Page 9: Lecture3.ppt

Finding Hidden Data

When files are deleted, they can usually be recovered: the file is only marked as deleted, and its contents remain on the disk until they are overwritten

Files may also be hidden in different parts of the disk; the challenge is to piece the different parts of the file together to recover the original file

There is research on using statistical methods for file recovery

http://www.cramsession.com/articles/files/finding-hidden-data---how-9172003-1401.asp

http://www.devtarget.org/downloads/ca616-seufert-wolfgarten-assignment2.pdf
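The recovery idea on this slide, that a "deleted" file is still on the disk and can be found without any directory entry, is easiest to see by doing it. The following is an added example written for this page; it is not code from the lecture or from the articles linked above. It builds a small constructed disk image in memory (a JPEG that is still listed, a PDF whose directory entry has been removed, sector padding that plays the role of slack space) and then carves both files back out of the raw bytes by header/footer signature, which is how tools such as the ones mentioned in the linked articles work on free and slack space. The file contents, sector size and the tiny "directory" dict are all assumptions made for the example.

```python
"""Signature-based file carving over a raw image (added illustration).

Not code from the slides or the cited articles. Builds a constructed
"disk image" in memory in which one file has been "deleted" (directory
entry gone, bytes still present) and recovers every file purely from
header and footer signatures, the way a carving tool works on free and
slack space.
"""
import hashlib

SECTOR = 512

# Header/footer magic bytes for two common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def make_image():
    """Constructed image: an allocated JPEG, a 'deleted' PDF, a blank sector.

    Files are padded to sector boundaries; the padding is the slack space
    a normal file listing never shows. The directory dict stands in for a
    file system's directory entries.
    """
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"   # 706 bytes
    pdf = b"%PDF-1.4\n" + b"P" * 300 + b"\n%%EOF"            # 315 bytes
    image = bytearray()
    directory = {}
    for name, data, allocated in (("a.jpg", jpeg, True), ("b.pdf", pdf, False)):
        start = len(image)
        image += data
        image += b"\x00" * ((-len(data)) % SECTOR)          # slack
        if allocated:
            directory[name] = (start, len(data))
        # A deleted file keeps its bytes but loses its directory entry.
    image += b"\x00" * SECTOR                                # never-used sector
    return bytes(image), directory


def carve(image, max_len=10 * 1024 * 1024):
    """Return [(type, offset, data)] for every header..footer pair found.

    Scans the whole image, allocated or not, so it finds the deleted PDF
    that a directory listing would miss. max_len bounds the footer search
    so a header with no matching footer does not swallow the whole image.
    """
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(foot, start + len(head), start + max_len)
            if end < 0:                      # orphan header: skip past it
                pos = start + 1
                continue
            end += len(foot)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def sha256(data):
    """Hash each carved object so it can be documented and re-verified."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    image, directory = make_image()
    listed = {start for start, _ in directory.values()}
    print("directory lists:", sorted(directory))
    for kind, off, data in carve(image):
        state = "allocated" if off in listed else "UNALLOCATED (deleted)"
        print(f"{kind} at offset {off}: {len(data)} bytes, {state}, "
              f"sha256={sha256(data)[:16]}...")
```

The carve loop is deliberately indifferent to the directory: that is the point of the slide. On a real image you would run it over a write-blocked, hashed copy, record the offset and hash of each carved object, and expect fragmented files (the "pieces in different parts of the disk" case) to need the statistical reassembly the slide mentions rather than a single header-to-footer cut.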

Page 10: Lecture3.ppt

Spyware/Adware

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

- http://en.wikipedia.org/wiki/Spyware

Spyware is mostly advertising-supported software (adware): shareware authors place ads from a media company and get a piece of the revenue

PC surveillance tools that allow a user to monitor computer activity

- Keystroke capture, snapshots, email logging, chats, etc.

Privacy concerns with spyware

Page 11: Lecture3.ppt

Encryption

Popular encryption techniques

- Public key / private key: the owner of the data encrypts with the public key of the receiver; the receiver decrypts with his private key

- In some cases the owner may encrypt with his own private key for multiple receivers; each receiver decrypts with the owner's public key. This is a digital signature rather than confidentiality: anyone holding the public key can read it, but only the private-key holder could have produced it

- Merkle hash (hash tree) is a popular method to hash documents; it is built from a one-way hash function, so any change to any part of the document changes the root hash

Challenge is to generate unique keys

Issues: a trusted authority to generate keys and credentials
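To make the two key uses on this slide concrete, the following is an added example for this page, not code from the lecture. It builds a Merkle hash tree over the chunks of a document (so that tampering with any chunk changes the root, and one chunk can be checked against the root with a short audit path), and then shows textbook RSA with deliberately tiny primes (p=61, q=53, e=17) doing both things the slide describes: encrypting with the receiver's public key, and "encrypting" a digest with the owner's private key, which is a signature anyone can check with the owner's public key. The primes, the leaf/node prefixes and the reduction of the 256-bit root to fit the toy modulus are assumptions for illustration; nothing here is usable as real cryptography.

```python
"""Merkle hash tree over a document plus textbook RSA with toy primes.

Added example for this slide, not code from the lecture. The RSA part
uses tiny, insecure parameters purely to show the mechanics: encrypt
with the receiver's public key; sign with one's own private key.
"""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf(chunk):                # distinct prefixes for leaves and inner
    return h(b"\x00" + chunk)    # nodes so a leaf cannot pose as a node


def _node(left, right):
    return h(b"\x01" + left + right)


def merkle_root(chunks):
    """Hash the leaves, then pair and hash upward; an odd node is duplicated."""
    level = [_leaf(c) for c in chunks] or [h(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(chunks, index):
    """Audit path for chunks[index]: list of (sibling_hash, sibling_is_right)."""
    level = [_leaf(c) for c in chunks]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        proof.append((level[index ^ 1], index % 2 == 0))
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_proof(chunk, proof, root):
    """Recompute the path from one chunk to the root without the other chunks."""
    node = _leaf(chunk)
    for sibling, sibling_is_right in proof:
        node = _node(node, sibling) if sibling_is_right else _node(sibling, node)
    return node == root


# ---- textbook RSA, toy parameters: illustration only, never for real use ----
def rsa_keygen(p=61, q=53, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)            # (public, private)


def rsa_apply(key, m):
    n, exp = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


def encrypt_for(receiver_pub, m):   # sender uses the receiver's public key
    return rsa_apply(receiver_pub, m)


def decrypt(receiver_priv, c):      # only the receiver's private key undoes it
    return rsa_apply(receiver_priv, c)


def sign(owner_priv, digest):       # owner "encrypts" with own private key
    return rsa_apply(owner_priv, digest)


def verify(owner_pub, digest, sig): # anyone checks with the owner's public key
    return rsa_apply(owner_pub, sig) == digest


def digest_for_toy_rsa(root, n):
    """Reduce a 256-bit root so it fits the toy modulus (assumption for demo)."""
    return int.from_bytes(root, "big") % n


if __name__ == "__main__":
    pages = [b"page one", b"page two", b"page three"]
    root = merkle_root(pages)
    pub, priv = rsa_keygen()
    sig = sign(priv, digest_for_toy_rsa(root, pub[0]))
    print("root:", root.hex()[:16], "signature:", sig)
    print("page two in document:", verify_proof(b"page two", merkle_proof(pages, 1), root))
    altered = merkle_root([b"page one", b"page TWO", b"page three"])
    print("altered document verifies:", verify(pub, digest_for_toy_rsa(altered, pub[0]), sig))
```

The signature binds the whole document through its root, so an investigator holding the root and the signature can later prove a single recovered page belonged to the signed document without re-hashing everything; a real deployment would use a full-size RSA key (or an elliptic-curve scheme) with proper padding instead of the raw modular exponentiation shown here.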

Page 12: Lecture3.ppt

Internet/Web Tracing

Where has the email come from?

- Check the IP address in the message headers

- The sender may use a fake address by changing header fields; the sending server may not check this, so the mail is sent anyway. Only the Received: line added by the investigator's own receiving server is trustworthy; the lines below it can be forged by the sender

Tracing web activity: who has logged into the system, say from a public web site, and modified accounts and grades?

Web/email tracking tools

- http://www.cryer.co.uk/resources/websitetracking.htm

- http://www.visualware.com/resources/tutorials/email.html
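The header check described on this slide, as an added example written for this page (not code from the lecture or the linked tutorials). It parses the Received: chain of a constructed message, orders the hops from origin to our own server, and compares the domain claimed in From: with the relay that actually handed the message to our mail exchanger. All host names and addresses in the sample are made up from documentation ranges; the rule that a mismatch is "suspicious" is a heuristic assumed for the example.

```python
"""Trace an email back through its Received: headers (added example).

Not code from the lecture. Received: lines are prepended by each relay,
so the top one was written by our own server and is the only one we can
trust; anything below it, including the From: field, could have been
typed by the sender. The message is constructed; names are made up.
"""
import re
from email import message_from_string

RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
    by mx.university.edu with ESMTP id ABC123; Mon, 27 Aug 2007 09:14:02 -0500
Received: from relay.example.org ([203.0.113.9])
    by mail.example.org with SMTP; Mon, 27 Aug 2007 09:13:40 -0500
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay.example.org; Mon, 27 Aug 2007 09:13:38 -0500
From: registrar@university.edu
To: student@university.edu
Subject: Grade change confirmed

Your grade has been updated.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)


def parse_hops(raw):
    """Return (message, hops) with hops ordered from origin to our server."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        frm, ip, by = FROM_RE.search(flat), IP_RE.search(flat), BY_RE.search(flat)
        hops.append({
            "from": frm.group(1) if frm else None,  # what the relay claimed
            "ip": ip.group(1) if ip else None,      # what the receiver saw
            "by": by.group(1) if by else None,      # who wrote this header
        })
    hops.reverse()   # last header in the text is the first hop in time
    return msg, hops


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def assess(raw):
    """Compare the claimed From: domain with the relay that delivered to us."""
    msg, hops = parse_hops(raw)
    claimed = sender_domain(msg)
    delivering = hops[-1]            # header written by our own MX
    origin = hops[0]                 # earliest hop; may be forged
    mismatch = bool(claimed and delivering["from"]
                    and not delivering["from"].lower().endswith(claimed))
    return {
        "claimed_domain": claimed,
        "delivering_host": delivering["from"],
        "delivering_ip": delivering["ip"],
        "origin_ip": origin["ip"],
        "hops": hops,
        "suspicious": mismatch,
    }


if __name__ == "__main__":
    result = assess(RAW_MESSAGE)
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("claimed:", result["claimed_domain"], "| delivered by:",
          result["delivering_host"], "| suspicious:", result["suspicious"])
```

In the sample, a message claiming to be from the university's registrar was handed to the university's own mail exchanger by an outside host, which is the mismatch the slide warns about; the two lower Received: lines and the 192.0.2.55 "origin" are useful leads but cannot be relied on, because the sender controlled the message before it reached mx.university.edu.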

Page 13: Lecture3.ppt

Wireless Technology Forensics

Forensic Examination of a RIM (BlackBerry) Wireless Device

http://www.rh-law.com/ediscovery/Blackberry.pdf

- "There are two types of RIM devices within each model class. The Exchange Edition is meant for use in a corporate environment while the Internet Edition works with standard POP email accounts. The Exchange Edition employs Triple-DES encryption to send and receive but the Internet Edition communicates in clear text. Neither employs an encrypted file system"

Relevance of RIM forensics

- "The RIM device shares the same evidentiary value as any other Personal Digital Assistant (PDA). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the RIM's always-on, wireless push technology adds a unique dimension to forensic examination. Changing and updating data no longer requires a desktop synchronization. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a PDA spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally"

Page 14: Lecture3.ppt

Wireless Technology Forensics - 2

The Hardware

- The RIM device is designed around an Intel 32-bit i386 processor, a low power embedded version of the same processor that used to power a desktop PC. Each unit has 512 KB of SRAM and 4 or 5 MB of Flash RAM, depending on the model. The RIM's SRAM is analogous to the RAM on a desktop and the Flash memory is the "disk space" used to store the Operating System (OS), applications, and the file system. The RIM's OS is a single executable named PAGER.EXE and the applications are DLLs.

Toolbox

- BlackBerry Desktop Software (available free at www.blackberry.com); BlackBerry C++ Software Development Kit v2.1 (available free at www.blackberry.com); hex editor; text editor; AA batteries; spare BlackBerry cradles

- The examination PC should meet the minimum requirements for the BlackBerry Software Development Kit (SDK) and have two available external 9-pin RS232 serial ports. Disk space required for evidence gathering is minimal: space equal to the amount of Flash RAM in the RIM units being investigated.

Page 15: Lecture3.ppt

Firewall Forensics

http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

Analyzing firewall logs: what do the port numbers, ICMP messages and addresses in them mean? This information helps figure out what attackers are up to. Questions the reference answers:

- What does destination port number ZZZZ mean?

- What does this ICMP info mean?

- What do these IP addresses indicate?

- Stuff doesn't work

- What are some typical signatures of well-known programs?

- What do these other logs mean?

- How do I configure filters?

- Packet Zen

- What's the deal with NetBIOS (UDP port 137)?
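The questions on this slide are answered one log line at a time in the referenced FAQ; the following added example (written for this page, not from the lecture or the FAQ) does the same mechanically over a few constructed lines in netfilter/iptables syslog format. It maps destination ports and ICMP type/code pairs to their meaning, flags a source that walks through many ports as a scan, and labels UDP/137 traffic as the usual Windows NetBIOS name-service chatter. The log lines, the addresses (documentation ranges) and the five-port scan threshold are assumptions for the example.

```python
"""Read firewall log lines and say what they mean (added example).

Not code from the lecture or the linked FAQ. The log lines are
constructed in netfilter/iptables syslog format; addresses come from
documentation ranges. Answers the FAQ's questions mechanically: what a
destination port means, what an ICMP type/code means, whether one source
is probing many ports, and whether UDP/137 is just NetBIOS noise.
"""
import re
from collections import defaultdict

LOG = [  # constructed sample
    "Aug 27 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN",
    "Aug 27 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN",
    "Aug 27 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN",
    "Aug 27 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=443 SYN",
    "Aug 27 10:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=3389 SYN",
    "Aug 27 10:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.255 PROTO=UDP SPT=137 DPT=137",
    "Aug 27 10:01:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0",
    "Aug 27 10:01:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=3",
]

# Well-known ports and ICMP type/code meanings (IANA assignments).
PORTS = {22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http", 135: "msrpc",
         137: "netbios-ns", 139: "netbios-ssn", 443: "https", 445: "microsoft-ds",
         1433: "ms-sql", 3389: "rdp"}
ICMP = {(8, 0): "echo request (ping)", (0, 0): "echo reply",
        (3, 1): "host unreachable", (3, 3): "port unreachable",
        (11, 0): "TTL exceeded (traceroute)"}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Turn 'KEY=VALUE' fields into a dict; keep the syslog timestamp."""
    rec = dict(KV_RE.findall(line))
    rec["ts"] = line[:15]
    rec["syn"] = line.rstrip().endswith("SYN")   # connection attempt, not reply
    return rec


def describe(rec):
    """Human meaning of one record, as the FAQ questions ask for."""
    if rec.get("PROTO") == "ICMP":
        key = (int(rec["TYPE"]), int(rec["CODE"]))
        return "ICMP " + ICMP.get(key, "type %d code %d" % key)
    dpt = int(rec["DPT"])
    return "%s dport %d (%s)" % (rec["PROTO"], dpt, PORTS.get(dpt, "unassigned/unknown"))


def analyze(lines, scan_threshold=5):
    """Flag sources touching >= scan_threshold distinct ports, and NetBIOS noise."""
    recs = [parse(l) for l in lines]
    ports_by_src = defaultdict(set)
    findings = []
    for r in recs:
        if r.get("PROTO") in ("TCP", "UDP"):
            ports_by_src[r["SRC"]].add(int(r["DPT"]))
            if r["PROTO"] == "UDP" and r["DPT"] == "137":
                findings.append("%s -> %s UDP/137: NetBIOS name service, normally Windows "
                                "browsing/broadcast noise rather than an attack" % (r["SRC"], r["DST"]))
    scanners = {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= scan_threshold}
    for src, ports in scanners.items():
        findings.append("%s probed %d distinct ports %s: port scan" % (src, len(ports), ports))
    return {"records": recs, "scanners": scanners, "findings": findings}


if __name__ == "__main__":
    result = analyze(LOG)
    for rec in result["records"]:
        print(rec["ts"], rec["SRC"], "->", rec["DST"], describe(rec))
    for f in result["findings"]:
        print("FINDING:", f)
```

A single line is rarely conclusive; the value comes from the pattern across lines (one source, many ports, seconds apart), which is why `analyze` groups by source before it says "scan", and why the ICMP port-unreachable line is reported as what it is (a reply to something we sent, or a UDP probe) rather than as an attack.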

Page 16: Lecture3.ppt

Biometrics Forensics: Richard Vorder Bruegge

http://www.biometrics.org/bc2004/Bios/vorderbruegge_bio_OK.pdf

http://www.biometrics.org/bc2004/Presentations/Conference/2%20Tuesday%20September%2021/Tue_Ballroom%20B/1%20DOJ%20Session/Vorderbruegge_Presentation.pdf

It often happens that people confuse biometrics and forensics. After all, television and movies make it look like automated biometrics databases can be used to identify and convict people all the time. Isn't that what forensics is all about? Unfortunately, this can have an adverse effect on the development of forensic tools which utilize biometric features, because those in a position to make funding decisions may not understand the distinction between the two. This presentation will attempt to provide the audience with a better understanding of the relationship between biometrics and forensics from the standpoint of a forensic scientist.

Page 17: Lecture3.ppt

Biometrics Forensics: Richard Vorder Bruegge

Advances in the field of biometrics offer great potential for the field of forensics. Biometric databases offer the promise of enabling law enforcement and the intelligence community to rapidly identify questioned individuals if they are present in the queried database. However, obtaining a "hit" in a biometric database is a far cry from an identification in the world of forensic science. The standard of proof to which forensic scientists in the United States are held is "beyond a reasonable doubt". That "reasonable doubt" criterion, coupled with standards for scientific and technical evidence elucidated in the "Daubert" and "Kumho Tire" cases, requires that conclusions offered by forensic scientists be supported beyond that offered by current biometric systems, particularly in the field of facial recognition.

Reviewing Court Approves of Fingerprint Admissibility: http://forensic-evidence.com/site/ID/ID_prime_qd.html

Page 18: Lecture3.ppt

Conclusion

Two types of forensics: computer forensics and network forensics. Computer forensics is mainly about file system forensics; network forensics is about detecting intrusions and connecting them with hackers/terrorists

Various techniques are being developed for military forensics, law enforcement forensics and business forensics; these are not mutually exclusive

Different tools for different systems. Systems include operating systems, database systems, networks, middleware, wireless systems, firewalls, biometrics

Biometric systems may be compromised; however, biometrics may be used as evidence

Data mining/analysis is being used for forensics

- http://eprints.qut.edu.au/archive/00002274/01/2274.pdf (Image mining for digital forensics)

Page 19: Lecture3.ppt

Next Steps: Lectures #4 and #5

Guest Lecture (Lecture #4, August 29, 2007): Data Mining Techniques for Malicious Code Detection

Lecture #5 (September 5, 2007)

- Chapter 3 of the textbook + additional references

- Types of Computer Forensics Systems

Page 20: Lecture3.ppt

Appendix: Data Mining/Analysis

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

August 27, 2007

Page 21: Lecture3.ppt

Outline of Data Mining

What is Data Mining?

Data warehousing vs data mining

Steps to Data Mining

Need for Data Mining

Example Applications

Technologies for Data Mining

Why Data Mining Now?

Preparation for Data Mining

Data Mining Tasks, Methodology, Techniques

Commercial Developments

Status, Challenges, and Directions

Page 22: Lecture3.ppt

What is Data Mining?

Other names for the same activity: Knowledge Mining, Knowledge Discovery in Databases, Data Archaeology, Data Dredging, Database Mining, Knowledge Extraction, Data Pattern Processing, Information Harvesting, Siftware

The process of discovering meaningful new correlations, patterns, and trends by sifting through large amounts of data, often previously unknown, using pattern recognition technologies and statistical and mathematical techniques (Thuraisingham 1998)

Page 23: Lecture3.ppt

Example Data Warehouse

Diagram: an Oracle DBMS for Incidents, a Sybase DBMS for Hackers and a Microsoft DBMS for Profiles feed a Data Warehouse holding data that correlates Incidents with Hackers; users query the Warehouse

Page 24: Lecture3.ppt

Data Warehouses vs Data Mining

Goal: Improved business efficiency

- Improve marketing (advertise to the most likely buyers)

- Inventory reduction (stock only needed quantities)

Information source: Historical business data

- Example: Supermarket sales records

- Size ranges from 50k records (research studies) to terabytes (years of data from chains)

- Data is already being warehoused

Sample question: what products are generally purchased together?

The answers are in the data; need to MINE the data

Date/Time   Register  Fish  Turkey  Cranberries  Wine  ...
12/6 13:15  2         N     Y       Y            N     ...
12/6 13:16  3         Y     N       N            Y     ...
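The sample question on this slide ("what products are generally purchased together?") is answered by association-rule mining, which the slides later list under market-basket analysis. The following is an added example written for this page, not code from the lecture: it takes the two rows of the slide's table plus four constructed transactions and runs the Apriori level-wise search for frequent itemsets, then derives "bought together" rules with their support and confidence. The extra transactions and the support/confidence thresholds are assumptions for the example.

```python
"""Market-basket association mining on the slide's sales table.

Added example for this slide, not code from the lecture. The first two
transactions are the slide's rows; the remaining four are constructed so
that there is something to mine. Apriori counts candidate itemsets level
by level and only considers a size-k candidate if every size-(k-1) subset
was already frequent.
"""
from collections import Counter
from itertools import combinations

TRANSACTIONS = [  # constructed; first two rows are the slide's
    {"Turkey", "Cranberries"},            # 12/6 13:15, register 2
    {"Fish", "Wine"},                     # 12/6 13:16, register 3
    {"Turkey", "Cranberries", "Wine"},
    {"Fish", "Wine"},
    {"Turkey", "Cranberries"},
    {"Fish", "Turkey"},
]


def support_counts(transactions, k):
    """Count how many transactions contain each k-item combination."""
    counts = Counter()
    for basket in transactions:
        for combo in combinations(sorted(basket), k):
            counts[frozenset(combo)] += 1
    return counts


def apriori(transactions, min_support):
    """Return {frequent itemset: support} for all sizes, level by level."""
    n = len(transactions)
    frequent = {}
    counts = support_counts(transactions, 1)
    current = {s for s, c in counts.items() if c / n >= min_support}
    k = 1
    while current:
        for s in current:
            frequent[s] = counts[s] / n
        items = sorted({i for s in current for i in s})
        k += 1
        counts = support_counts(transactions, k)
        previous = current
        # Apriori pruning: every (k-1)-subset of a candidate must be frequent.
        current = {
            frozenset(combo) for combo in combinations(items, k)
            if all(frozenset(sub) in previous for sub in combinations(combo, k - 1))
            and counts[frozenset(combo)] / n >= min_support
        }
    return frequent


def rules(frequent, min_confidence):
    """Derive antecedent -> consequent rules; confidence = supp(A+C) / supp(A)."""
    out = []
    for itemset, supp in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                conf = supp / frequent[ante]     # subsets are frequent, so present
                if conf >= min_confidence:
                    out.append((ante, itemset - ante, supp, conf))
    return sorted(out, key=lambda rule: (-rule[3], -rule[2], sorted(rule[0])))


if __name__ == "__main__":
    freq = apriori(TRANSACTIONS, min_support=0.3)
    for itemset, supp in sorted(freq.items(), key=lambda kv: (len(kv[0]), -kv[1])):
        print(f"{sorted(itemset)} support={supp:.2f}")
    for ante, cons, supp, conf in rules(freq, min_confidence=0.6):
        print(f"{sorted(ante)} -> {sorted(cons)} support={supp:.2f} confidence={conf:.2f}")
```

On this data the strongest rule is Cranberries -> Turkey (confidence 1.0: every basket with cranberries also has turkey), while Fish and Wine co-occur with lower support; no three-item set survives pruning because no triple has all three of its pairs frequent. The same support/confidence machinery is what the later slides mean by "association" when the items are people, places and events rather than groceries.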

Page 25: Lecture3.ppt

Need for Data Mining

Large amounts of current and historical data are being stored

As databases grow larger, decision-making directly from the data is not possible; need knowledge derived from the stored data

Data from multiple data sources and multiple domains

- Medical, Financial, Military, etc.

Need to analyze the data

- Support for planning (historical supply and demand trends)

- Yield management (scanning airline seat reservation data to maximize yield per seat)

- System performance (detect abnormal behavior in a system)

- Mature database analysis (clean up the data sources)

- Intrusion detection, links between suspicious people and events

Page 26: Lecture3.ppt

What’s going on in data mining? What are the technologies for data mining?

- Database management, data warehousing, machine learning, statistics, pattern recognition, visualization, parallel processing

What can data mining do for you?

- Data mining outcomes: Classification, Clustering, Association, Anomaly detection, Prediction, Estimation, . . .

How do you carry out data mining?

- Data mining techniques: Decision trees, Neural networks, Market-basket analysis, Link analysis, Genetic algorithms, . . .

What is the current status?

- Many commercial products mine relational databases

What are some of the challenges?

- Mining unstructured data, extracting useful patterns, web mining, data mining, national security and privacy

Page 27: Lecture3.ppt

Knowledge Directed Data Mining

Flow: Data Sources -> Integrate data sources -> Clean/modify data sources -> Mine the data -> Examine results/Prune results -> Report final results -> Take Actions (an Expert System is part of the loop)

Page 28: Lecture3.ppt

Integration of Multiple Technologies

Data Mining at the center, drawing on: Machine Learning, Database Management, Data Warehousing, Statistics, Visualization, Parallel Processing

Page 29: Lecture3.ppt

Data Mining Needs for Counterterrorism: Non-real-time Data Mining

Gather data from multiple sources

- Information on terrorist attacks: who, what, where, when, how

- Personal and business data: place of birth, ethnic origin, religion, education, work history, finances, criminal record, relatives, friends and associates, travel history, . . .

- Unstructured data: newspaper articles, video clips, speeches, emails, phone records, . . .

Integrate the data, build warehouses and federations

Develop profiles of terrorists, activities/threats

Mine the data to extract patterns of potential terrorists and predict future activities and targets

Find the "needle in the haystack" - suspicious needles?

Data integrity is important

Techniques have to SCALE

Page 30: Lecture3.ppt

Data Mining Needs for Counterterrorism: Real-time Data Mining

Nature of data

- Data arriving from sensors and other devices

- Continuous data streams

- Breaking news, video releases, satellite images

- Some critical data may also reside in caches

Rapidly sift through the data and discard unwanted data for later use and analysis (non-real-time data mining)

Data mining techniques need to meet timing constraints

Quality of service (QoS) tradeoffs among timeliness, precision and accuracy

Presentation of results, visualization, real-time alerts and triggers

Page 31: Lecture3.ppt

Data Mining Needs for Counterterrorism: Cybersecurity

Determine nature of threats and vulnerabilities

- e.g., emails, trojan horses and viruses

Classify and group the threats

Profiles of potential cyberterrorist groups and their capabilities

Data mining for intrusion detection

- Real-time/near-real-time data mining

- Limit the damage before it spreads

Data mining for preventing future attacks

- Forensics

Page 32: Lecture3.ppt

Data Mining Outcomes and Techniques for Counter-terrorism

Association: John and James often seen together after an attack

Link Analysis: Follow chain from A to B to C to D

Clustering: Divide population; people from country X of a certain religion; people from country Y interested in airplanes

Classification: Build profiles of terrorists and classify terrorists

Anomaly Detection: John registers at flight school but does not care about takeoff or landing

Page 33: Lecture3.ppt

Web Usage Mining for Counter-terrorism

Determine the Web usage of suspected terrorists

Mine terrorist web sites and determine behavior

Mine web usage and give advice to the analyst about the actions to take

Page 34: Lecture3.ppt

Current Status, Challenges and Directions

Status

- Data Mining is now a technology

- Several prototypes and tools exist; many or almost all of them work on relational databases

Challenges

- Mining large quantities of data; dealing with noise and uncertainty; needle in the haystack

Directions

- Mining multimedia and text databases; Web mining (structure, usage and content); data mining, national security and privacy