Digital Forensics

1
Digital Forensics

• Dr. Bhavani Thuraisingham
• The University of Texas at Dallas
• Information Warfare
• and Military Forensics
• November 19, 2008

2
Outline

• Information Warfare
• Defensive Strategies for Government and Industry
• Military Tactics
• Terrorism and Information Warfare
• Tactics of Private Corporations
• Future IW strategies
• Surveillance Tools
• The Victims of Information Warfare
• Military Forensics
• Relevant Papers

3
What is Information Warfare?

• Information warfare is the use and management of
  information in pursuit of a competitive advantage
  over an opponent. Information warfare may involve
  collection of tactical information, assurance
  that one's own information is valid, spreading of
  propaganda or disinformation to demoralize the
  enemy and the public, undermining the quality of
  opposing force information and denial of
  information collection opportunities to opposing
  forces.
• http//en.wikipedia.org/wiki/Information_warfare

4
Defensive Strategies for Government and Industry

• Are US and Foreign governments prepared for
  Information Warfare
• According to John Vacca, US will be most affected
  with 60 of the worlds computing power
• Stealing sensitive information as well as
  critical, information to cripple an economy
  (e.g., financial information)
• What have industry groups done
• IT-SAC Information Technology Information
  Sharing and Analysis
• Will strategic diplomacy help with Information
  Warfare?
• Educating the end user is critical according to
  John Vacca

5
Defensive Strategies for Government and Industry

• What are International organizations?
• Think Tanks and Research agencies
• Book cites several countries from Belarus to
  Taiwan engaged in Economic Espionage and
  Information Warfare
• Risk-based analysis
• Military alliances
• Coalition forces US, UK, Canada, Australia have
  regular meetings on Information Warfare
• Legal implications
• Strong parallels between National Security and
  Cyber Security

6
Military Tactics

• Supporting Technologies
• Agents, XML, Human Computer Interaction
• Military tactics
• Planning, Security, Intelligence
• Tools
• Offensive Ruinous IW tools
• Launching massive distributed denial of service
  attacks
• Offensive Containment IW tools
• Operations security, Military deception,
  Psychological operations, Electronic warfare (use
  electromagnetic energy), Targeting Disable
  enemy's C2 (c0mmand and control) system and
  capability

7
Military Tactics

• Tools (continued)
• Defensive Preventive IW Tools
• Monitor networks
• Defensive Ruinous IW tools
• Information operations
• Defensive Responsive Containment IW tools
• Handle hacking, viruses.
• Other aspects
• Dealing with sustained terrorist IW tactics,
  Dealing with random terrorist IW tactics

8
Terrorism and Information Warfare

• Terrorists are using the web to carry out
  terrorism activities
• What are the profiles of terrorists? Are they
  computer literate?
• Hacker controlled tanks, planes and warships
• Is there a Cyber underground network?
• What are their tools?
• Information weapons, HERF gun (high power radio
  energy at an electronic target), Electromagnetic
  pulse. Electric power disruptive technologies
• Why are they hard to track down?
• Need super forensics tools

9
Tactics of Private Corporations

• Defensive tactics
• Open course intelligence, Gather business
  intelligence
• Offensive tactics
• Packet sniffing, Trojan horse etc.
• Prevention tactics
• Security techniques such as encryption
• Survival tactics
• Forensics tools

10
Future IW Tactics

• Electromagnetic bomb
• Technology, targeting and delivery
• Improved conventional method
• Virus, worms, trap doors, Trojan horse
• Global positioning systems
• Nanotechnology developments
• Nano bombs

11
Surveillance Tools

• Data emanating from sensors
• Video data, surveillance data
• Data has to be analyzed
• Monitoring suspicious events
• Data mining
• Determining events/activities that are abnormal
• Biometrics technologies
• Privacy is a concern

12
Victims of Information Warfare

• Loss of money and funds
• Loss of shelter, food and water
• Spread of disease
• Identity theft
• Privacy violations
• Death and destruction
• Note Computers can be hacked to loose money and
  identity computers can be used to commit a crime
  resulting in death and destruction

13
Military Forensics

• CFX-2000 Computer Forencis Experiment 2000
• Information Directorate (AFRL) partnership with
  NIJ/NLECTC
• Hypothesis possible to determine the motives,
  intent, targets, sophistication, identity and
  location of cyber terrorists by deploying an
  integrated forensics analysis framework
• Tools included commercial products and research
  prototypes
• http//www.afrlhorizons.com/Briefs/June01/IF0016.h
  tml
• http//rand.org/pubs/monograph_reports/MR1349/MR13
  49.appb.pdf

14
Relevant Papers

• 1. Cyber Forensics a Military Perspective
  https//www.utica.edu/academic/institutes/ecii/pub
  lications/articles/A04843F3-99E5-632B-FF420389C063
  3B1B.pdfHow to Reuse Knowledge about Forensic
  Investigations
• 2. Danilo Bruschi, Mattia Monga, Universita
  degli Studi di Milano
• http//dfrws.org/2004/day3/D3-Martignoni_Knowledge
  _reuse.pdf
• 3. John Lowry, BBN Systems Adversary Modeling to
  Develop Forensic Observables
• http//dfrws.org/2004/day2/Adversary_Modeling_to_D
  evelop_Forensic_Observables.pdf
• 4. Dr. Golden G. Richard III, University of New
  Orleans, New Orleans, LA Breaking the
  Performance Wall The Case for Distributed
  Digital Forensics
• http//dfrws.org/2004/day2/Golden-Perfromance.pdf

15
Abstract of Paper 1

• This paper discusses some of the unique military
  requirements and challenges in Cyber Forensics. A
  definition of Cyber Forensics is presented in a
  military context. Capabilities needed to perform
  cyber forensic analysis in a networked
  environment are discussed, along with a list of
  current shortcomings in providing these
  capabilities and a technology needs list.
  Finally, it is shown how these technologies and
  capabilities are transferable to civilian law
  enforcement, critical infrastructure protection,
  and industry.

16
Definition

• The exploration and application of
  scientifically proven methods to gather, process,
  interpret, and utilize digital evidence in order
  to
• Provide a conclusive description of all
  cyber-attack activities for the purpose of
  complete post-attack enterprise and critical
  infrastructure information restoration
• Correlate, interpret, and predict adversarial
  actions and their impact on planned military
  operations
• Make digital data suitable and persuasive for
  introduction into a criminal investigative
  process

17
Military Needs

• Data protection When a candidate digital
  information source is identified, measures must
  be put in place to prevent the information from
  being destroyed or becoming unavailable.
• Data Acquisition The general practice of
  transferring data from a venue out of physical or
  administrative control of the investigator, into
  a controlled location.
• Imaging The creation of a bit-for-bit copy of
  seized data for the purposes of providing an
  indelible facsimile upon which multiple analyses
  may be performed, without fear of corrupting the
  original dataset.
• Extraction The identification and separating
  of potentially useful data from the imaged
  dataset. This encompasses the recovery of
  damaged, corrupted, or destroyed data, or data
  that has been manipulated algorithmically to
  prevent its detection (e.g. encryption or
  steganography.)

18
Military Needs

• Interrogation The querying of extracted data
  to determine if a priori indicators or
  relationships exist in the data. Examples include
  looking for known telephone numbers, IP
  addresses, and names of individuals.
• Ingestion/Normalization The storage and
  transfer of extracted data in a format or
  nomenclature that is easily or commonly
  understood by investigators. This could include
  the conversion of hexadecimal or binary
  information into readable characters, conversion
  of data to another ASCII2 language set, or
  conversion to a format that can be input into
  another data analysis tool.
• Analysis The fusion, correlation, graphing,
  mapping, or timelining of data to determine
  possible relationships within the data, and to
  developing investigative hypotheses.
• Reporting The presentation of analyzed data
  in a persuasive and evident form to a human
  investigator or military commander.

19
Areas of Focus

• A major issue in this area is how to rapidly
  collect and normalize digital evidence from a
  variety of sources including firewalls, hosts,
  network management systems, and routers. The
  information that is collected could then be used
  to predict or anticipate adversarial actions,
  understand the current state of affairs, and help
  in determining appropriate courses-of-action.
• Perform work that allows us to detect data hidden
  within network traffic. The hidden data problem
  is especially insidious. The art of hiding data
  is called steganography, which means covered
  writing.
• Database forensic analysis. We need to be able to
  reconstruct past events and trace evidence to
  indicate data destruction, reconstitution of
  damaged or destroyed databases or their schemas,
  and direct attacks on the DBMSs security
  mechanism to gain privileges to a database or the
  operating system.

20
Areas of Focus

• Distributed intelligent forensic agents
  Distributed intelligent forensic agents would be
  small, lightweight programs that are launched
  from an agent control center whenever a
  suspicious event is identified. These agents
  would then gather the appropriate digital
  evidence and return the evidence to central
  control for further analysis by other tools.
• Trusted Timestamps has to be considered when
  performing network-based cyber forensics. In
  order to properly timeline events over a
  distributed network system, events collected at
  each appliance or node need to be properly
  time-synchronized.
• The proliferation of cellular and wireless
  hand-held devices presents a unique challenge to
  the forensic examiner. Unlike a wired network in
  which investigation of a cyber attack eventually
  leads to tracing the attack back to a physical
  location, a wireless information attack does not
  require physical access to the medium being
  exploited.

21
Areas of Focus

• Quick views of seized media is a focus area.
  Current approaches to analyze the entire hard
  drive can take many months. For the purpose of
  quickly restoring operations, an Operating System
  Hash Library could be constructed to fingerprint
  hash values of operating system files of properly
  configured software.
• Multi-lingual analysis of storage media. Is
  important. No longer is the cyber world one which
  is utilized primarily by English-speaking
  citizens. An automated means that can translate
  the recovered data or at least indicate a
  probable language set is vital to the timely
  processing of cyber attacks posed by non-English
  speaking citizens and foreign nationals.
• Finally, there needs to be a uniform standard for
  the development and testing of forensic tools.
  There need to be metrics established that help
  determine the extent that a software or hardware
  tool performs a particular forensic function, and
  the associated error rate with that process.

22
Abstract of Paper 2

• When detectives perform investigations they
  manage a huge amount of information, they make
  use of specialized skills and analyze a wide
  knowledge base of evidence. Most of the work is
  not explicitly recorded and this hurdles external
  reviews and training. In this paper we propose a
  model able to organize forensic knowledge in a
  reusable way. Thus, past experience may be used
  to train new personnel, to foster knowledge
  sharing among detective communities and to expose
  collected information to quality assessment by
  third parties.

23
Outline

• Introduction
• Framework
• Model and Reasoning
• Example
• Directions

24
Introduction

• Problems
• evidence might be easily and voluntarily erased
  evidence might be easily and voluntarily forged
  (i.e., false evidence might be created)
  evidence might be altered accidentally by daily
  activities (i.e., the everyday use of a system
  might damage evidence)
• evidence at different abstraction layers, has
  different meanings and properties (e.g., an html
  document may be considered formatted text, or a
  sequence of ASCII characters, or a set of blocks
  in the file system structure)
• Solutions
• produce reusable forensic knowledge to be used as
  support during investigations
• organize past experience to foster knowledge
  sharing among forensic experts
• record collected information in a way that ease
  quality assessment.

25
Framework

• Investigative process
• formulate hypotheses on the state of the world
  that caused the case collect evidence on the
  basis of these hypotheses correlate actual
  evidence with hypotheses adjust hypotheses, and
  repeat the process until the consistency state of
  the knowledge about the case is high.
• Framework
• Evidence nothing that is not clear and evident
  can be accepted.
• Analysis a problem that cannot be faced all at
  once should be decomposed in easier parts.
• Synthesis a decomposed problem has to be
  recomposed, but only after every part has been
  verified through detailed observations and
  considerations.
• Enumeration the whole process has to be reviewed
  to evaluate the soundness and completeness of the
  generalizations involved. Moreover, a careful
  revision is needed to ascertain the absence of
  errors and misinterpretations.

26
Model and Reasoning

• Graph is used to represent all the knowledge
  acquired over the time.
• Hypotheses and evidence are expressed in natural
  language.
• To better illustrate the inductive reasoning used
  to prove or disprove a hypotheses a graphical
  formalism is used
• Example Hypotheses are represented by square,
  evidence collecting tests by circle and the
  weight of evidence by a label on the edge linking
  evidence to hypotheses.

27
Example

• During a chat session a user has been caught
  spreading an offensive picture. After a
  preliminary investigation Mr. Black felt under
  suspicion. He has been accused of guilty because
  the address used by the sender to transmit the
  images, was, at that moment, assigned to him.
• In the preliminary phase the detective, starting
  from the file received and the address of the
  sender, comes to identify Mr. Black as the
  criminal. Mr. Blacks computer has been seized
  for further analysis.
• The paper formulates the root hypothesis and
  applies the reasoning method described.

28
Directions

• Producing reusable knowledge, since forensic
  (sub-)graphs can be exploited to generate
  completely unrelated case graphs
• Structuring argumentation from evidence to
  prosecution hypotheses, since a graphical
  representation of the structure of the hypothesis
  space and the evidence support that was collected
  may convey, even at a glimpse, the global
  soundness and completeness of the information
  gathering
• Guiding less skilled detectives during evidence
  collection, since the highly specialized
  knowledge of experts in a field can be shared,
  thanks to its recording in a structured fashion.

29
Abstract of Paper 3

• Observables of malicious behavior in the cyber
  realm are derived from intuition or analysis of
  previous (a-posteriori) events. This creates an
  untenable situation where cyber defenders are
  unprepared for novel attacks or malicious
  behaviors particularly those expected to be
  used by sophisticated adversaries. Development of
  a complete theory of observables with a
  particular focus on development of a-priori
  observables is critical to defend against
  computer network attack and computer network
  exploitation. Monitoring of a-priori observables
  will greatly assist in the areas of indications
  and warnings and attack sensing and warning.
  Forensic development and analysis of a-priori
  observables is critical to determine the type of
  adversary, adversary mission, and ultimately
  attribution.

30
Outline

• Introduction
• Threat Model
• Types of Adversaries
• Process Model
• Adversaries and Forensics
• Directions

31
Introduction

• The current sets of cyber observables are
  developed after an attack or event takes place.
  These are termed a-posteriori observables because
  they follow the pattern of eventanalysisobservab
  les.
• Properly specified, these observables will catch
  most or all repeat events or new events that use
  the same techniques.
• These observables have no value in identifying
  new types of events or novel variations of known
  events. Since the vulnerability space is huge,
  defenders are forced into a responsive mode of
  operation.
• What is needed is an additional set of
  observables that will permit the detection and
  analysis of novel events and attacks. These must
  be developed a-priori and follow the pattern of
  threatanalysisobservables.

32
Threat Model

• Any threat model must start with analysis of
  adversary behavior and incorporate sufficient
  knowledge of the defended system.
• For development of a-posteriori observables, real
  behaviors and real systems are used. For
  development of a-priori observables, hypothetical
  or potential adversarial behavior is modeled.
• Cyber-adversaries have goals and objectives.
  There is a reason why the defenders system is
  under attack.
• Cyber-adversaries have resource limitations.
• Cyber-adversaries engage in mission planning,
  practice, development and testing
• Cyber-adversaries translate their behavior into
  the world of computers and networks.

33
Types of Adversaries Example

• Class IV First-world and certain second-world
  countries, including military and intelligence
  agencies. Future terrorist organizations. Future
  organized criminal groups. Some types of insider.
• Class III Almost every country not in the Class
  IV category. Some terrorist organizations. Some
  organized criminal groups. Some types of insider.
  Some types of radical organizations.
• Class II A very few countries. Many terrorist
  organizations. Many organized criminal groups.
  Many types of insider. Many types of radical
  groups. Very expert hackers and hacker
  coalitions.
• Class I Some terrorist organizations. Some
  organized criminal groups. Many types of insider.
  Many types of radical groups. Beginner to
  journeyman hackers.

34
Process Model

• The process model shows a high-level process
  model of adversary behavior. However, it can be
  expected that a Class IV adversary will engage in
  a much more detailed set of behaviors.
• There is a strategic set of goals followed by
  assignment of missions and mission objectives.
• The adversarys strategic planning can be
  represented in a Warnier/Orr diagram. The goal is
  to identify effects that can be achieved, i.e.,
  to identify the top-level opportunities and
  resources available to carry out the strategic
  mission.
• Behavior The adversary will study their enemy to
  determine what they have in place and how they
  operate. The adversary will develop a list of
  desired effects that the adversary wishes to have
  on their enemy. The adversary also takes an
  initial, high-level cut at the targets of
  interest.

35
Adversaries and Forensics

• The discipline of computer forensics has been
  largely focused on the development of a set of
  tools and procedures.
• However, the majority of efforts have remained at
  this level and not progressed to meet the
  challenge of Class III and Class IV adversaries.
• With the resources available to these
  adversaries, it is not apparent that analysis of
  single exploits or events will help to identify
  and analyze the presence of these adversaries.
• For example, it is understood that an adversary
  will not use his most valuable or sophisticated
  techniques or methods unless there is sufficient
  payoff.
• Consequently, identification of Class IV
  adversaries must look for supporting evidence.
  Fortunately, the kinds of process and control
  exercised by this type of adversary is likely to
  leave such evidence.

36
Directions

• While the development of new models and
  characterizations of cyber-adversaries has been
  informally pursued for several years and within
  multiple government-supported programs, the full
  development and presentation is made under an
  effort called Theory of Observables within the
  Proactive and Predictive Cyber Indications and
  Warnings contract from the Advanced Research and
  Development Activity (ARDA).
• ARDAs web site is located at www.ic-arda.org.

37
Abstract of Paper 4

• Authors make the case for distributed digital
  forensic (DDF) tools and provide several
  real-world examples where traditional
  investigative tools executing on a single
  workstation have clearly reached their limits,
  severely hampering timely processing of digital
  evidence. Based on their observations about the
  typical tasks carried out in the investigative
  process, they outline a set of system
  requirements for DDF software. Next, authors
  propose a lightweight distributed framework
  designed to meet these requirements and describe
  an early prototype implementation of it. Finally,
  we present some performance comparisons of
  single- versus multiple-machine implementations
  of several typical tasks and describe some more
  sophisticated forensics analysis techniques,
  which will be enabled by a transition to DDF
  tools.

38
Introduction

• Having all of the analysis to be carried out in
  one location may have a performance impact
• If the site is down, then the work has to be
  postponed
• Therefore distributed digital forensics analysis
  may be an option
• Requirements include
• Scalability
• Platform Independence
• Extensibility
• Robustness

39
Approach and Directions

• System Architecture
• Based on architectures for distributed data
  management and/or distributed data mining
• Distributed workload
• Each node carries out a specific task, or all of
  the nodes carry out the same task and then the
  results have to be combined
• Analysis
• Each node carries out analysis and the results
  have to be combined
• Some directions include
• Develop a framework for DDF Middleware for
  forensics analysis - Tools are integrated in a
  middleware environment. Appropriate tools are
  involved