1 / 22

Survey of Information Assurance

Survey of Information Assurance. Digital Forensics. Agenda. What is Digital Forensics? Procedure Identification Acquisition Analysis Presentation Analysis Techniques Techniques Examples Real Action: 0x80 Present and Future. Forensics.

wynter-sears
Download Presentation

Survey of Information Assurance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Survey of Information Assurance Digital Forensics

  2. Agenda • What is Digital Forensics? • Procedure • Identification • Acquisition • Analysis • Presentation • Analysis Techniques • Techniques • Examples • Real Action: 0x80 • Present and Future

  3. Forensics Forensic science is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action. Ref: http://en.wikipedia.org/wiki/Forensic

  4. Digital Forensics Computer forensics ... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and for solving puzzles, which is where the art comes in. - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006 Ref: http://en.wikipedia.org/wiki/Computer_forensics

  5. Procedures • Analysis • Presentation Identification Acquisition

  6. Procedures The basic procedure to follow for examination of digital data is as follows: • Identification – Answers “WHAT” information is sought, where to obtain it. • Acquisition – Obtain forensic copies of all digital data required; including snapshots and live datasets. • Analysis – Aggregation, correlation, filtering, transformation and meta-data generation to obtain digital evidence. • Presentation – Creating a final report to present the digital evidence.

  7. Identification Acquisition Analysis Presentation Procedure Flow

  8. Procedure Step #1: Identification • Evidence will often be based on scenario. • Places to look: • For Intrusions • Logs • Rootkits • Hidden files • For Illegal graphic images • Image files • Web history • Intelligence • Documents • E-mails

  9. Procedure Step #2: Acquisition • Preserve Evidence • Prevent computer state from changing • Copy the hard disk bit wise • Copy memory before powered off • Save state of all network connections • Disconnect from network if connected • Copying Hard disk • Boot hard disk in trusted media e.g. DOS floppy, Linux Live CD • Remove the hard disk and place in the trusted system

  10. Procedure Step #3: Analysis • Heavily dependant of the skills of Analyst and nature of evidence sought. • Aggregation, Correlation, Filtering, Transformation and Meta-Data Generation. • Pre-analysis (~ Acquisition) • Aggregation + Transformation: Data Recovery and Unification. • Meta-Data Generation: Categorization, indexing, hashing… • Data to Evidence mapping, isolation & contextualization • Difference from data and evidence

  11. Procedure Step #4: Presentation • Prepare report of noteworthy evidence. • Relate evidence to crime; i.e. explain the role of evidence in given case.

  12. Analysis Techniques • Executable Analysis • File Clustering • Password Cracking • Data Searching Text Analysis Image Analysis Video Analysis Executable Analysis

  13. Analysis: General Types • Text analysis • Unicode normalization • Language Identification • Named entity extraction • Transliteration • Image analysis • Steganography detection • Computer-generated vs. real image • Video analysis • Executable analysis

  14. Analysis: General Types (2) • File clustering / classification • Password cracking • Data Searching • Keyword search • File attributes (name, date or creation/access, type etc.) • Specific files

  15. Examples • Unicode Normalization “In many cases, Unicode allows multiple representations of what is, linguistically, the same string. For example: Capital A with dieresis (umlaut) can be represented either as a single Unicode code point "Ä" (U+00C4) or the combination of Capital A and the combining Dieresis character ("A" + "¨", that is, U+0041 U+0308).” Ref: http://msdn2.microsoft.com/en-us/library/ms776393(VS.85).aspx • Transliteration Ref: http://acharya.iitm.ac.in/multi_sys/translit.php

  16. Examples (2) • Steganography Ref: http://www.strangehorizons.com/2001/20011008/steganography.shtml

  17. Real Action: An Example The case of Metadata in image

  18. Real Action: 0x80 • The Hacker: “0x80” • Time: Early 2006 • Event: “0x80” chooses to be interviewed in the Washington Post about his alleged violation of federal law. • Claim: Having broken into 2000+ personal computers, these hacked computers or “bots” begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. Ref: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

  19. Real Action: 0x80 (2) • Mistake: Allowed The Washington Post to publish several photographs, including a doctored image of himself, face seen partially. • How he got Tracked: The images in said article had metadata, indicating towards his location “Roland, Oklahoma” • Details: Then it was noticed that retouched pictures showing the obfuscated hacker included meta tags -- information in plain text attached to many photos. This information revealed the name of the photographer, the type of camera used to take it, the time and date it was taken, as well as the fact that the picture was taken in Roland, Oklahoma. The pictures themselves seemed to reveal that the hacker has blond hair -- at least the hair on his arms appears blond in one photo. Ref: http://antiworm.blogspot.com/2006/02/hacker-0x80-0wn3d-by-fbi-arrested.html • Eventually “0x80” was arrested by FBI.

  20. Present and Future

  21. Present and Future - Digital Forensics Now Later… Unorganized Science Treated with skepticism as evidence in cases other than cyber-crimes. Struggling to keep up with staggering amount of data. Lack of clarity on policy and policing. Always a step behind Likely to be formalized May gain acceptance as evidence to crimes other than cyber-crimes Newer and innovative approach needed. Policy could be created in future. Likely to remain so…

  22. References • www.basistech.com/knowledge-center/forensics/crash-course-in-digital-forensics.pdf • www.opensourceforensics.org/ • http://www.garykessler.net/library/steganography.html • https://www.spammimic.com/explain.shtml • http://www.strangehorizons.com/2001/20011008/steganography.shtml

More Related