1 / 42

Selected Topics Digital Forensics and Biometrics

Selected Topics Digital Forensics and Biometrics. Dr. Bhavani Thuraisingham The University of Texas at Dallas November 2013. Outline: Digital Forensics. Introduction Applications Law enforcement, Human resources, Other Services Benefits Using the evidence Conclusion. Digital Forensics.

Thomas
Download Presentation

Selected Topics Digital Forensics and Biometrics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Selected TopicsDigital Forensics and Biometrics Dr. Bhavani Thuraisingham The University of Texas at Dallas November 2013

  2. Outline: Digital Forensics • Introduction • Applications • Law enforcement, Human resources, Other • Services • Benefits • Using the evidence • Conclusion

  3. Digital Forensics • Digital forensics is about the investigation of crime including using digital/computer methods • More formally: “Digital forensics, also known as computer forensics, involved the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca • Digital evidence may be used to analyze cyber crime (e.g. Worms and virus), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)

  4. Relationship to Intrusion Detection, Firewalls, Honeypots • They all work together with Digital forensics techniques • Intrusion detection • Techniques to detect network and host intrusions • Firewalls • Monitors traffic going to and from and organization • Honeypots • Set up to attract the hacker or enemy; Trap • Digital forensics • Once the attack has occurred or crime committed need to decide who committed the crime

  5. Computer Crime • Computers are attacked – Cyber crime • Computer Virus • Computers are used to commit a crime • E.g., child predators, Embezzlement, Fraud • Computers are used to solve a crime • FBI’s workload: Recent survey • 74% of their efforts on white collar crimes such as healthcare fraud, financial fraud etc. • Remaining 26% of efforts spread across all other areas such as murder and child pornography • Source: 2003 Computer Crime and Security Survey, FBI

  6. Objective and Priority • Objective of Computer Forensics • To recovery, analyze and present computer based material in such a way that is it usable as evidence in a court of law • Note that the definition is the following: “computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca • Priority • Main priority is with forensics procedures, rules of evidence and legal processes; computers are secondary • Therefore accuracy is crucial

  7. The Job of a Forensics Specialist • Determine the systems from which evidence is collected • Protect the systems from which evidence is collected • Discover the files and recover the data • Get the data ready for analysis • Carry out an analysis of the data • Produce a report • Provide expert consultation and/or testimony?

  8. Applications: Law Enforcement • Important for the evidence to be handled by a forensic expert; else it may get tainted • Need to choose an expert carefully • What is his/her previous experience? Has he/she worked on prior cases? Has he/she testified in court? What is his/her training? Is he CISSP certified? • Forensic expert will be scrutinized/cross examined by the defense lawyers • Defense lawyers may have their own possibly highly paid experts?

  9. Applications: Human Resources • To help the employer • What web sites visited? • What files downloaded • Have attempts been made to conceal the evidence or fabricate the evidence • Emails sent/received • To help the employee • Emails sent by employer – harassment • Notes on discrimination • Deleted files by employer

  10. Applications: Other • Supporting criminals • Gangs using computer forensics to find out about members and subsequently determine their whereabouts • Support rogue governments and terrorists • Terrorists using computer forensics to find out about what we (the good guys) are doing • We and the law enforcement have to be one step ahead of the bad guys • Understand the mind of the criminal

  11. Services • Data Services • Seizure, Duplication and preservation, recovery • Document and Media • Document searched, Media conversion • Expert witness • Service options • Other services

  12. Data Services • Data Seizure • The expert should assist the law enforcement official in collecting the data. • Need to identify the disks that contain the data • Data Duplication and Preservation • Data absolutely cannot be contaminated • Copy of the data has to be made and need to work with the copy and keep the original in a safe place • Data Recovery • Once the device is seized (either local or remote) need to use appropriate tools to recover the data

  13. Data Services: Finding Hidden Data • When files are deleted, usually they can be recovered • The files are marked as deleted, but they are still residing in the disk until they are overwritten • Files may also be hidden in different parts of the disk • The challenge is to piece the different part of the file together to recover the original file • There is research on using statistical methods for file recovery • http://www.cramsession.com/articles/files/finding-hidden-data---how-9172003-1401.asp • http://www.devtarget.org/downloads/ca616-seufert-wolfgarten-assignment2.pdf

  14. Document and Media Services • Document Searches • Efficient search of numerous documents • Check for keywords and correlations • Media Conversion • Legacy devices may contain unreadable data. This data ahs to be converted using appropriate conversion tools • Should be placed in appropriate storage for analysis

  15. Expert Witness Services • Expert should explain computer terms and complicated processes in an easy to understand manner to law enforcement, lawyers, judges and jury • Computer technologists and lawyers speak different languages • Expertise • Computer knowledge and expertise in computer systems, storage • Knowledge on interacting with lawyers, criminology • Domain knowledge such as embezzlement, child exploitation • Should the expert witness and the forencis specialist be one and the same?

  16. Service Options • Should provide various types of services • Standard, Emergency, Priority, Weekend After hours services • Onsite/Offsite services • Cost and risks – major consideration • Example: Computer Forensics Services Corporation • http://www.computer-forensic.com/ • As stated in the above web site, this company provides “expert, court approved, High Tech Investigations, litigation support and IT Consulting.” They also "Preserve, identify, extract, document and interpret computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures.”

  17. Other Services • Computer forensics data analysis for criminal and civil investigations/litigations • Analysis of company computers to determine employee activity • If he/she conducting his own business and/or downloading pornography • Surveillance for suspicious event detection • Produce timely reports

  18. Benefits of using Professional services • Protecting the evidence • Should prevent from damage and corruption • Secure the evidence • Store in a secure place, also use encryption technologies such as public/private keys • Ensure that the evidence is not harmed by virus • Document clearly who handled the data and when - auditing • Cleint/Attoney privilege • Freeze the scene of the crime – do not contaminate or change

  19. Using the Evidence: Criminal and Civil Proceedings • Criminal prosecutors • Civil litigation attorneys – harassment, discrimination, embezzlement, divorce • Insurance companies • Computer forensics specialists to help corporations and lawyers • Law enforcement officials • Individuals to sue a company • Also defense attorneys, and “the bad guys”

  20. Issues and Problems that could occur • Computer Evidence MUST be • Authentic: not tampered with • Accurate: have high integrity • Complete: no missing points • Convincing: no holes • Conform: rules and regulations • Handle change: data may be volatile and time sensitive • Handle technology changes: tapes to disks; MAC to PC • Human readable: Binary to words

  21. Legal tests • Countries with a common law tradition • UK, US, Possibly Canada, Australia, New Zealand • Real evidence • Comes from an inanimate object and can be examined by the court • Testimonial evidence • Live witness when cross examined • Hearsay • Wiki entry “Hearsay in English law and Hearsay in United States law, a legal principle concerning the admission of evidence through repetition of out-of-court statements” • Are the following admissible in court? • Data mining results, emails, printed documents

  22. Traditional Forensics vs Computer Forensics • Traditional Forensics • Materials tested and testing methods usually do not change rapidly • Blood, DNA, Drug, Explosive, Fabric • Computer Forensics • Material tested and testing methods may change rapidly • We did not have web logs in back in 1990 • We did not have RAID storage in 1980

  23. Major Steps for Digital Forensics • Incident Response – Law enforcement • Chain of Custody • Evidence Collection (data seizure) • Secure the Evidence • Evidence Analysis – Crime Scene Reconstruction • Searching for keywords, Create a timeline • Report Generation

  24. Where to collect the evidence • Do not switch the machine off – Capture RAM • What if the hard drive is encrypted – need the key • Hard drive • Email • File System • Log files • Windows Registries • Windows Artifacts – Facebook, Skype, Recycle bin • Browser • Mobile systems – smartphones

  25. Conclusion • Important to have experts for computer forensics evidence gathering and analysis • Important to secure the evidence: authenticity, completeness, integrity • Important to have the proper tools for analysis • Important to apply the correct legal tests • Computer forencis can be used to benefit both the “good and bad guys” • Need to be several steps smarter than the enemy

  26. Outline: Biometrics • Introduction to Biometrics • What is Biometrics? • What is the Process? • Why Biometrics? • Biometrics Resources • What is Secure Biometrics • Revisiting Topics to be covered • Some exploratory research areas • Some useful reference books

  27. What is Biometrics? • Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic • Features measured: Face, Fingerprints, Hand geometry, handwriting, Iris, Retinal, Vein and Voice • Identification and personal certification solutions for highly secure applications • Numerous applications: medical, financial, child care, computer access etc.

  28. What is the Process? • Three-steps: Capture-Process-Verification • Capture: A raw biometric is captured by a sensing device such as fingerprint scanner or video camera • Process: The distinguishing characteristics are extracted from the raw biometrics sample and converted into a processed biometric identifier record • Called biometric sample or template • Verification and Identification • Matching the enrolled biometric sample against a single record; is the person really what he claims to be? • Matching a biometric sample against a database of identifiers

  29. Why Biometrics? • Biometrics replaces Traditional Authentication Methods • Provides better security • More convenient • Better accountability • Applications on Fraud detection and Fraud deterrence • Dual purpose • Cyber Security and National Security

  30. Why Biometrics? (Continued) • Authentication mechanisms often used are User ID and Passwords • However password mechanisms have vulnerabilities • Stealing passwords etc. • Biometrics systems are less prone to attacks • Need sophisticated techniques for attacks • Cannot steal facial features and fingerprints • Need sophisticated image processing techniques for modifying facial features

  31. Why Biometrics? (Continued) • Biometrics systems are more convenient • Need not have multiple passwords or difficult passwords • E.g., characters, numbers and special symbols • Need not remember passwords • Need not carry any cards or tokens • Better accountability • Can determine who accessed the system with less complexity

  32. Why Biometrics? (Concluded) • Dual Purpose • Cyber Security and National Security • Access to computer systems and networks • Fraud detection • Who has intruded the system? • Who has entered the building • Surveillance and monitoring • Fraud Deterrence • Because of biometrics systems, people are nervous to commit crimes • Stealing from supermarkets and shops, etc.

  33. Biometrics Resources • Biometrics Consortium is the major resource • www.biometrics.org • Another Resource • http://www.biometricsinfo.org/ • Has Information on • Who is doing what • Academia, Industry and Government • White papers on Biometrics technologies • Fingerprint detection, facial recognition, Iris scanning, - - - -

  34. Biometrics Resources: What is academia doing? • Michigan State University • Developing algorithms for fingerprint detection, etc. • West Virginia University • Forensic identification initiative • San Jose State University • Mathematical concepts

  35. Biometrics Resources: What is Industry doing? • Focus is on building faster and cheaper devices • More accuracy, less false positives and negatives • Incorporating biometrics into mobile devices, Smartcards • Biometrics in healthcare: delivering medication to correct patients • Biometrics in child care: Children are picked up by those authorized • Protecting digital content • Ensuring that voice and video are not altered Vendors: http://www.biometricsinfo.org/vendors.htm

  36. Biometrics Resources: What is Government doing? • NSA (National Security Agency) • Research on protecting critical information systems • DoD (Department of Defense) • Biometrics Management Office • Provide Armed forces access to Biometrics systems for combat operations • INS/DHS (Department of Homeland Security; Immigration and Nationalization Service) • Biometrics technologies at Airports • NIST (National Institute of Standards and Technologies) • Major player in Biometrics

  37. Activities of NIST • Measurements, Testing and Standards is NIST’s mission • Focus on Biometrics Standards • Activities • Biometrics Consortium • Common Biometric Exchange File Format • Biometric Interoperability, Performance and Assurance Working Group • BioAPI Consortium • Various Standards

  38. Activities of NIST (Continued) • Biometrics Consortium is the Government focal point for research, development and testing of Biometric products and technologies • Common Biometric Exchange File Format is a product of the consortium to develop common fingerprint template formats • Biometrics Interoperability working group promotes common definitions and concepts for exchanging information between national and international partners • BioAPI consortium develops common Application Programming Interfaces for biometrics technologies

  39. Activities of NIST (Concluded) • NIST is developing standards for the following: • Finger image format for data Interchange • Face image format for data interchange • Iris image format for data interchange • Signature image format for data interchange • NIST is working with International standards organizations for joint standards • ISO (International Standards Organization)

  40. What is Secure Biometrics? • Study the attacks of biometrics systems • Modifying fingerprints • Modifying facial features • Develop a security policy and model for the system • Application independent and Application specific policies • Enforce Security constraints • Entire face is classified but the nose can be displayed • Develop a formal model • Formalize the policy • Design the system and identify security critical components • Reference monitor for biometrics systems

  41. Security Vulnerabilities • Type 1 attack: present fake biometric such a synthetic biometric • Type 2 attack: Submit a previously intercepted biometric data: replay • Type 3 attack: Compromising the feature extractor module to give results desired by attacker • Type 4 attack: Replace the genuine feature values produced by the system by fake values desired by attacker • Type 5 attack: Produce a high number of matching results • Type 6 attack: Attack the template database: add templates, modify templates etc.

  42. Security and Privacy for Biometrics • Privacy of the Individuals have to be protected • CNN News Release: August 29, 2005 • Distorting Biometrics Enhances Security and Privacy • Biometric data converted to numerical strings by mathematical algorithm for later use • If the mathematical templates are stolen could be dangerous • Researchers have developed method to alter the images in a defined and repeated way • Hackers steal the distortion not the original face or fingerprint

More Related