Digital Forensics

1
Digital Forensics

• Dr. Bhavani Thuraisingham
• The University of Texas at Dallas
• Lecture 5
• Forensics Systems
• September 5, 2007

2
Outline

• Some developments
• Review of Lectures 3 and 4
• Lectures 5
• Types of Computer Forensics Systems
• Objective Identify issues in corporate planning
  for computer forensics
• Tools for Digital Forensics
• Assignment 1
• Lab Tour

3
Some Developments

• Internships positions available in commuter
  forensics with DFW area FBI and Law Enforcement
• Guest lectures are being arranged to be given by
  DFW FBI and Law Enforcement
• Dates to be given
• Mid-term exam week of October 9 or October 16

4
Review of Lectures 3 and 4

• Lecture 3
• Forensics Technology
• Military, Law Enforcement, Business Forensics
• Forensics Techniques
• Finding Hidden Data, Spyware, Encryption, Data
  Protection, Tracing, Data Mining
• Security Technologies
• Wireless, Firewalls, Biometrics
• APPENDIX Data Mining
• Lecture 4 Data Mining for Malicious Code
  Detection

5
Types of Computer Forensics Systems

• Internet Security Systems
• Intrusion Detection Systems
• Firewall Security Systems
• Storage Area Network Security Systems
• Network disaster recovery systems
• Public key infrastructure systems
• Wireless network security systems
• Satellite encryption security systems
• Instant Messaging Security Systems
• Net privacy systems
• Identity management security systems
• Identify theft prevention systems
• Biometric security systems
• Homeland security systems

6
Internet Security Systems

• Security hierarchy
• Public, Private and Mission Critical data
• Unclassified, Confidential, Secret and TopSecret
  data
• Security Policy
• Who gets access to what data
• Bell LaPadula Security Policy, Noninterference
  Policy
• Access Control
• Role-based access control, Usage control
• Encryption
• Public/private keys
• Secret payment systems
• Directions
• Smart cards

7
Intrusion Detection Systems

• An intrusion can be defined as any set of
  actions that attempt to compromise the integrity,
  confidentiality, or availability of a resource.
• Attacks are
• Host-based attacks
• Network-based attacks
• Intrusion detection systems are split into two
  groups
• Anomaly detection systems
• Misuse detection systems
• Use audit logs
• Capture all activities in network and hosts.
• But the amount of data is huge!

8
Our Approach Overview
Training Data
Class
Hierarchical Clustering (DGSOT)
Testing
SVM Class Training
DGSOT Dynamically growing self organizing tree
Testing Data
9
Our Approach Hierarchical Clustering
Our Approach
Hierarchical clustering with SVM flow chart
10
Worm Detection Introduction

• What are worms?
• Self-replicating program Exploits software
  vulnerability on a victim Remotely infects other
  victims
• Evil worms
• Severe effect Code Red epidemic cost 2.6
  Billion
• Automatic signature generation possible
• EarlyBird System (S. Singh. -UCSD) Autograph (H.
  Ah-Kim. - CMU)
• Goals of worm detection
• Real-time detection
• Issues
• Substantial Volume of Identical Traffic, Random
  Probing
• Methods for worm detection
• Count number of sources/destinations Count
  number of failed connection attempts
• Worm Types
• Email worms, Instant Messaging worms, Internet
  worms, IRC worms, File-sharing Networks worms

11
Email Worm Detection using Data Mining
Task given some training instances of both
normal and viral emails, induce a hypothesis
to detect viral emails.
We used Naïve Bayes SVM
Outgoing Emails
The Model
Test data
Feature extraction
Classifier
Machine Learning
Training data
Clean or Infected ?
12
Firewall Security Systems

• Firewall is a system or groups of systems that
  enforces an access control policy between two
  networks
• Benefits
• Implements access control across networks
• Maintains logs that can be analyzed
• Data mining for analyzing firewall logs and
  ensuring policy consistency
• Limitatations
• No security within the network
• Difficult to implement content based policies
• Difficult to protect against malicious code
• Data driven attacks

13
Traffic Mining

• To bridge the gap between what is written in the
  firewall policy rules and what is being observed
  in the network is to analyze traffic and log of
  the packets traffic mining
• Network traffic trend may show that some rules
  are out-dated or not used recently

Firewall Policy Rule
14

• Traffic Mining Results

1 TCP,INPUT,129.110.96.117,ANY,...,80,DENY 2
TCP,INPUT,...,ANY,...,80,ACCEPT 3
TCP,INPUT,...,ANY,...,443,DENY 4
TCP,INPUT,129.110.96.117,ANY,...,22,DENY 5
TCP,INPUT,...,ANY,...,22,ACCEPT 6
TCP,OUTPUT,129.110.96.80,ANY,...,22,DENY 7
UDP,OUTPUT,...,ANY,...,53,ACCEPT 8
UDP,INPUT,...,53,...,ANY,ACCEPT 9
UDP,OUTPUT,...,ANY,...,ANY,DENY 10
UDP,INPUT,...,ANY,...,ANY,DENY 11
TCP,INPUT,129.110.96.117,ANY,129.110.96.80,22,DENY
12 TCP,INPUT,129.110.96.117,ANY,129.110.96.80,80
,DENY 13 UDP,INPUT,...,ANY,129.110.96.80,ANY,
DENY 14 UDP,OUTPUT,129.110.96.80,ANY,129.110.10.
,ANY,DENY 15 TCP,INPUT,...,ANY,129.110.96.80,
22,ACCEPT 16 TCP,INPUT,...,ANY,129.110.96.80,
80,ACCEPT 17 UDP,INPUT,129.110..,53,129.110.96.
80,ANY,ACCEPT 18 UDP,OUTPUT,129.110.96.80,ANY,129
.110..,53,ACCEPT
Rule 1, Rule 2 gt GENRERALIZATION Rule 1, Rule
16 gt CORRELATED Rule 2, Rule 12 gt
SHADOWED Rule 4, Rule 5 gt GENRERALIZATION Rule
4, Rule 15 gt CORRELATED Rule 5, Rule 11
gt SHADOWED
Anomaly Discovery Result
15
Storage Area Network Security Systems

• High performance networks that connects all the
  storage systems
• After as disaster such as terrorism or natural
  disaster (9/11 or Katrina), the data has to be
  availability
• Database systems is a special kind of storage
  system
• Benefits include centralized management,
  scalability reliability, performance
• Security attacks on multiple storage devices
• Secure storage is being investigated

16
Network Disaster Recovery Systems

• Network disaster recovery is the ability to
  respond to an interruption in network services by
  implementing a disaster recovery palm
• Policies and procedures have to be defined and
  subsequently enforced
• Which machines to shut down, determine which
  backup servers to use, When should law
  enforcement be notified

17
Public Key Infrastructure Systems

• A certificate authority that issues and verifies
  digital certificates
• A registration authority that acts as a verifier
  for the certificate authority before a digital
  certificate is issued to a requester
• One or more directories where the certificates
  with their public keys are held
• A certificate management systems

18
Digital Identity Management

• Digital identity is the identity that a user has
  to access an electronic resource
• A person could have multiple identities
• A physician could have an identity to access
  medical resources and another to access his bank
  accounts
• Digital identity management is about managing the
  multiple identities
• Manage databases that store and retrieve
  identities
• Resolve conflicts and heterogeneity
• Make associations
• Provide security
• Ontology management for identity management is an
  emerging research area

19
Digital Identity Management - II

• Federated Identity Management
• Corporations work with each other across
  organizational boundaries with the concept of
  federated identity
• Each corporation has its own identity and may
  belong to multiple federations
• Individual identity management within an
  organization and federated identity management
  across organizations
• Technologies for identity management
• Database management, data mining, ontology
  management, federated computing

20
Identity Theft Management

• Need for secure identity management
• Ease the burden of managing numerous identities
• Prevent misuse of identity preventing identity
  theft
• Identity theft is stealing another persons
  digital identity
• Techniques for preventing identity thefts include
• Access control, Encryption, Digital Signatures
• A merchant encrypts the data and signs with the
  public key of the recipient
• Recipient decrypts with his private key

21
Biometrics

• Early Identication and Authentication (IA)
  systems, were based on passwords
• Recently physical characteristics of a person are
  being used for identification
• Fingerprinting
• Facial features
• Iris scans
• Voice recognition
• Facial expressions
• Biometrics techniques will provide access not
  only to computers but also to building and homes
• Systems are vulnerable to attack e.g., Fake
  biometrics

22
Homeland Security Systems

• Border and Transportation Security
• RFID technologies?
• Emergency preparedness
• After an attack happens what actions are to be
  taken?
• Chemical, Biological, Radiological and Nuclear
  security
• Sensor technologies
• Information analysis and Infrastructure
  protection
• Data mining, security technologies

23
Other Types of Systems

• Wireless security systems
• Protecting PDAs and phones against denial of
  service and related attacks
• Satellite encryption systems
• Pretty Good Privacy PGP that uses RSA security
• Instant messaging
• Deployment of instant messaging is usually not
  controlled
• Should IM be blocked?
• Net Privavacy
• Can we ensure privacy on the networks and systems
• Privacy preserving access?

24
Conclusion

• We have discussed many types of forensics systems
• These are systems that are secure, but can be
  attacked
• Security solutions include policy enforcement,
  access control encryption, protecting against
  malicious code
• How can these systems be compromised and what are
  the actions that need to be taken?

25
Open Source and Related Tools

• http//www.opensourceforensics.org/tools/index.htm
  l
• http//www.cerias.purdue.edu/research/forensics/
• http//www.digital-evidence.org/papers/opensrc_leg
  al.pdf
• http//digitalforensics.ch/nikkel05b.pdf
• http//www.fukt.bth.se/uncle/papers/master/thesis
  .pdf
• http//www.vascan.org/webdocs/06confdocs/Day1-Tech
  nicalTrack-DONE/CrimJesseDigital20Forensics.pdf

26
Assignment 1

• Four exercises at the end of Chapters 1, 2, 3 and
  4
• Due date September 24, 2007
• You can read the answers at the back, but please
  try to produce your own answers

27
Lab Tour and possible Programming projects

• SAIAL Security Analysis and Information
  Assurance Laboratory
• Develop programs to monitor what your adversary
  is doing
• Will help our research a lot
• Can you develop techniques that will put pieces
  of the deleted files together to create the
  original file?
• Use data analysis/mining for intrusion detection
• Simulate an attack and use the open source tools
• Analyze a disk image
• Will try to give you a disk image to work with