digital forensics survey of information assurance
TRANSCRIPT
Digital Forensics
Survey of Information Assurance
AgendaWhat is Digital Forensics?Procedure
IdentificationAcquisitionAnalysisPresentation
Analysis TechniquesTechniquesExamples
Real Action: 0x80Present and Future
Forensics
Forensic science is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action.Ref: http://en.wikipedia.org/wiki/Forensic
Digital ForensicsComputer forensics ... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and for solving puzzles, which is where the art comes in. - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006Ref: http://en.wikipedia.org/wiki/Computer_forensics
Procedures
1. Identification2. Acquisition
3. Analysis4. Presentation
ProceduresThe basic procedure to follow for examination of digital data is as follows:Identification – Answers “WHAT” information is sought, where to obtain it.Acquisition – Obtain forensic copies of all digital data required; including snapshots and live datasets. Analysis – Aggregation, correlation, filtering, transformation and meta-data generation to obtain digital evidence.Presentation – Creating a final report to present the digital evidence.
Procedure Flow
Identification
Acquisition AnalysisPresentati
on
Procedure Step #1: IdentificationEvidence will often be based on scenario.Places to look:
For Intrusions Logs RootkitsHidden files
For Illegal graphic images Image filesWeb history
Intelligence DocumentsE-mails
Procedure Step #2: AcquisitionPreserve Evidence
Prevent computer state from changingCopy the hard disk bit wiseCopy memory before powered offSave state of all network connectionsDisconnect from network if connected
Copying Hard diskBoot hard disk in trusted media e.g. DOS
floppy, Linux Live CDRemove the hard disk and place in the
trusted system
Procedure Step #3: Analysis Heavily dependant of the skills of Analyst and
nature of evidence sought.Aggregation, Correlation, Filtering,
Transformation and Meta-Data Generation.Pre-analysis (~ Acquisition)
Aggregation + Transformation: Data Recovery and Unification.
Meta-Data Generation: Categorization, indexing, hashing…
Data to Evidence mapping, isolation & contextualizationDifference from data and evidence
Procedure Step #4: PresentationPrepare report of noteworthy evidence.Relate evidence to crime; i.e. explain the
role of evidence in given case.
Analysis Techniques
1. Text Analysis2. Image Analysis3. Video Analysis4. Executable
Analysis
5. Executable Analysis
6. File Clustering7. Password
Cracking8. Data Searching
Analysis: General TypesText analysis
Unicode normalizationLanguage IdentificationNamed entity extractionTransliteration
Image analysis Steganography detection Computer-generated vs. real image
Video analysisExecutable analysis
Analysis: General Types (2)File clustering / classificationPassword crackingData Searching
Keyword searchFile attributes (name, date or
creation/access, type etc.)Specific files
Examples
Unicode Normalization“In many cases, Unicode allows multiple
representations of what is, linguistically, the same string. For example:
Capital A with dieresis (umlaut) can be represented either as a single Unicode code point "Ä" (U+00C4) or the combination of Capital A and the combining Dieresis character ("A" + "¨", that is, U+0041 U+0308). ”Ref: http://msdn2.microsoft.com/en-us/library/ms776393(VS.85).aspx
Transliteration
Ref: http://acharya.iitm.ac.in/multi_sys/translit.php
Examples (2)Steganography
Ref: http://www.strangehorizons.com/2001/20011008/steganography.shtml
Real Action: An Example
• The case of Metadata in image
Real Action: 0x80The Hacker: “0x80”Time: Early 2006Event: “0x80” chooses to be interviewed in the
Washington Post about his alleged violation of federal law.
Claim: Having broken into 2000+ personal computers, these hacked computers or “bots” begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites.
Ref: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html
Real Action: 0x80 (2)Mistake: Allowed The Washington Post to publish
several photographs, including a doctored image of himself, face seen partially.
How he got Tracked: The images in said article had metadata, indicating towards his location “Roland, Oklahoma”
Details: Then it was noticed that retouched pictures showing the obfuscated hacker included meta tags -- information in plain text attached to many photos. This information revealed the name of the photographer, the type of camera used to take it, the time and date it was taken, as well as the fact that the picture was taken in Roland, Oklahoma. The pictures themselves seemed to reveal that the hacker has blond hair -- at least the hair on his arms appears blond in one photo.
Ref: http://antiworm.blogspot.com/2006/02/hacker-0x80-0wn3d-by-fbi-arrested.html
Eventually “0x80” was arrested by FBI.
Present and Future
Present and Future - Digital Forensics
Now Later…Unorganized ScienceTreated with
skepticism as evidence in cases other than cyber-crimes.
Struggling to keep up with staggering amount of data.
Lack of clarity on policy and policing.
Always a step behind
Likely to be formalizedMay gain acceptance
as evidence to crimes other than cyber-crimes
Newer and innovative approach needed.
Policy could be created in future.
Likely to remain so…
Referenceswww.basistech.com/knowledge-center/
forensics/crash-course-in-digital-forensics.pdf
www.opensourceforensics.org/ http://www.garykessler.net/library/
steganography.html https://www.spammimic.com/
explain.shtml http://www.strangehorizons.com/
2001/20011008/steganography.shtml