The Law Enforcement Paradigm in DoD Environments 23 April 02


Presentation Transcript


    1. The Law Enforcement Paradigm in DoD Environments, 23 April 02
       Gary Palmer; Dr. Lang; CGS 5132 Final Project

    2. Agenda
       - The overall “forensic” challenge
       - The differences in perspective: the Law Enforcement and DoD paradigms
       - Evolution of the investigative process (Law Enforcement)
       - Taxonomy
       - Military & civilian operations
       - Research challenges
       - Groups involved
       Notes: Here’s what we’ll be talking about.

    3. Challenges
       Notes: The big picture.
       - Currently, tools are developed without significant research.
       - What defines expertise (Pollack decision - reference)?
       - No consistent terminology, lexicon, or taxonomy.
       - Resistance to the fact of a changing environment (virtual crime scene, virtual crime lab).
       - Need to recognize that digital forensic (Dig For) research, based on sound method, is at the heart of it all, including the newly named Homeland Security discipline.
       - NEED TO FIND THE COMMON GROUND - FOR A START!

    4. Overall Perspectives
       Notes: Perspectives and reasons for needing (and using) forensic technology are very important.
       - AFRL has talked to a wide spectrum of forensic consumers.
       - So far LE and Mil/Civ ops don’t share objectives. That makes their technology desires very different.
       - Speed vs. accuracy (integrity). The goal is to provide technology that serves r/t (real-time) operational need while also satisfying strict admissibility criteria.
       Glossary:
       - COO - Continuity of Operations
       - NRT - near real time
       - DCFL - DoD Computer Forensic Laboratory
       - AFOSI - AF Office of Special Investigations
       - NIPC - National Infrastructure Protection Center
       - TRANSCOM - USAF Transportation Command, Scott AFB, MO
       - AFRL/NOC - AF Research Lab - Network Operations Center

    5. Investigative Process Model (IPM) - Law Enforcement View
       Notes: The LE model was the most accessible and most clearly documented.
       - Items in green on the investigative line denote the steps with the greatest need for “forensic” technology.
       - Items in green on the judicature line indicate the items that require the output of forensic technology to be most effective.
       - Network ops policies.
       - Forensic sciences support: insurance - forensic engineering; archeology - forensic serology, odontology.
       Glossary:
       - USC - United States Code
       - UCMJ - Uniform Code of Military Justice

    6. IPM - Architectural View
       Notes:
       - NIST - National Institute of Standards and Technology
       - CFTT - Computer Forensic Tool Testing Program

    7. Generic Investigative Process Model
       Notes: Tried to apply knowledge and experience from AFRL’s work in ID for the enterprise (AFED).
       - Some tools and technologies addressed identified areas (AFRL research):
         FACS - Forensic Analysis and Collection System
         FIAT - Forensic Intrusion Analysis Tool
         SI-FI - Synthesizing Information for Forensic Investigation
         IMATS - Integrated Media Analysis Toolkit
       - Result: even from this high-level look, many holes existed (opportunities for improvement).

    8. Generic Investigative Process Model

    9. Taxonomy for Digital Forensic Science
       Notes: The DECISION category simply shows a continuum. It was felt that the Presentation category was the end point for the digital forensic taxonomy. This is a work in progress.

    10. I2C2 Vision (Information Infrastructure Command and Control)
        Notes: Protect, Detect, Assess, React (respond). Assessment or analysis is a suitable place for forensic technology.

    11. Operational Forensic Components

    12. Forensic R&D Needs
        - Network Forensics: predict/anticipate adversarial actions; distributed collection and fusion; analysis and reasoning
        - Trusted Timestamps to provide irrefutable proof of when a transaction occurred on a digital system
        - Multi-lingual analysis of storage media
        - “Blind” detection and extraction of data hidden in transactions: streaming media (macro commands); stego and watermarking
        - Detecting hidden data within network traffic: covert channels within standard protocols
        Notes:
        - Network Forensics: the soup-to-nuts concept of identifying, collecting, protecting, fusing, and analyzing distributed network information in order to scientifically understand the sequence of events and impact to the enterprise.
        - Trusted Timestamps: we have a Phase II fast-track SBIR with Wetstone Tech. to develop a secure time server system that provides trusted digital timestamps based on inputs from the two US NMIs (the Boulder, Colorado atomic clock and the Naval Observatory). Provides irrefutable evidence of when a network event occurred. Wetstone is already providing this service to 15 clients worldwide, mainly from the financial services sector (Seiko of Japan wants to put these devices in all of their ATM machines… certain police forensics labs want this to prove when hard drives were imaged and hashed…).
        - Multi-lingual: Kamal Jabbour (Syracuse U) developed a capability that maps slack space characters to foreign character sets to determine if data is hidden in different languages.
        - Detection and Extraction: remember Kamal’s demonstration where he embedded commands in the media stream that would take over a victim’s computer when he/she played the clip? How can we detect these? The stego/watermarking problem is well understood, and difficult to detect if you don’t have the original image/item with which to compare.
        - Hidden data in network: think Moonlight Maze and other data leak methods. What other signaling methods may exist in order to subvert our firewalls or other security mechanisms? (e.g. packet micro-fragmentation)
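The trusted-timestamp idea from the notes above, as an added example that is not AFRL's, Wetstone's or the SBIR system's code: a time authority signs the SHA-256 of a disk image together with its own clock reading, and an examiner later verifies that binding. The ed25519 key pair, the `TST-v1:` domain tag and the clock value are assumptions for illustration; the authority's clock is assumed to be disciplined by a trusted time source.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Token is the authority's signed statement "I saw hash H at time T".
// Without the authority's private key nobody can mint one, back-date
// one, or move one onto a different image.
type Token struct {
	Hash [32]byte // SHA-256 of the evidence, e.g. a disk image
	Unix int64    // authority's clock reading, seconds since the epoch
	Sig  []byte   // ed25519 signature over tokenMessage(Hash, Unix)
}

// tokenMessage is the exact byte string that is signed: a constructed
// domain tag, the hash and the time, bound together under one signature.
func tokenMessage(hash [32]byte, unix int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(unix))
	return append(append([]byte("TST-v1:"), hash[:]...), ts[:]...)
}

// Issue is the secure time server's side: it signs the client's hash
// together with its own clock reading (assumed disciplined by a trusted
// time source). Only the hash is sent, so the server never sees the
// evidence itself.
func Issue(priv ed25519.PrivateKey, hash [32]byte, unix int64) Token {
	return Token{Hash: hash, Unix: unix, Sig: ed25519.Sign(priv, tokenMessage(hash, unix))}
}

// Verify is the examiner's (or court's) side: recompute the evidence hash
// and check the signature, so any change to the evidence, the recorded
// time or the token is rejected.
func Verify(pub ed25519.PublicKey, tok Token, evidence []byte) error {
	if sha256.Sum256(evidence) != tok.Hash {
		return errors.New("evidence does not match the hash in the token")
	}
	if !ed25519.Verify(pub, tokenMessage(tok.Hash, tok.Unix), tok.Sig) {
		return errors.New("signature invalid: token hash or time was altered")
	}
	return nil
}
```

Back-dating the token, substituting a different image, or verifying under another authority's key all fail the check; what the example takes as given is the authority's clock discipline and key custody, which is where the real system's trust rests.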

    13. Forensic R&D Needs
        - Cellular and hand-held analysis: 3G+ services, Symbian OS (Java based)
        - Database forensic analysis: new vulnerabilities, identification & recovery; forensic implications - Oracle 9i - outer joins
        - Forensic imaging technology: network state, standards (CFTT)
        - Cross-paradigm research: system complexity is a huge challenge; technologies with wide applications
        - Forensic research for wireless IP: 802.11b, WEP (A8+), VPN overlay, AP auditing (AirTrac)
        - Encryption
        Notes:
        - Hand-held: extraction of hidden data structures either 1) purposely hidden from the OS; 2) not yet properly cleaned up by the OS. Extraction of Java programs and other mobile code (probably the next new virus realm the general public will be hit with) on cellular phones.
        - Databases: how can we better analyze DB audit logs to reconstruct past events? (e.g. data destruction, reconstitution of damaged/destroyed DBs or their schema, direct attacks on a DB’s security mechanisms to gain privilege to the DB or to the operating system, etc.)
        - Imaging technology: it’s not necessarily the technology that needs to be improved, but the establishment of better processes and procedures on HOW it is used in order to obtain valid results or to compare capabilities.
        - Cross-paradigm:
        - Wireless IP: reference the Paul Ratazzi, Frank Cole, and ASU study of WEP. War drive around AFRL. With a proper antenna, detected up to 2 miles away, but perhaps up to 20 miles with a better antenna. Broke WEP with relatively few packets monitored. Recommended a VPN overlay solution to the AF to help make up for WEP inadequacies. Prototyped a wireless IP intrusion detection system (e.g. detected Netstalker).

    14. Groups
        AFRL collaborates with government agencies in areas of advanced research, prototyping and development related to digital forensic analysis.
        - DoD Computer Forensic Laboratory (DCFL)
        - Air Force Office of Special Investigations (AFOSI)
        - National Aeronautics and Space Administration (NASA/IG)
        - National Institute of Standards and Technology (NIST)
        - National Law Enforcement Corrections & Technology Center (NLECTC) [NIJ]
        - Computer Forensics Research & Development Center (CFRDC) [Utica College]
        - Department of State - Diplomatic Security Bureau
        Notes: A few words about AFRL’s Digital Forensic Program. Who have we talked to? What are their major focus areas? How can we help them?

    15. Group Activities
        - CFX I - Computer Crime Scenario
        - CFX II - Computer Forensic Exhibition
        Notes: Internally, the AFRL program wants to serve the full spectrum of needs at a fundamental scientific level: LE via CFX; academia, military and e-commerce via DFRWS.
