2007. 2. 8.
Kyo-il Chung, Ph. D., Convergence Security Group
Digital Forensics Technologies…
2 ::: ETRI, The Future Wave :::
Contents
I. Introduction of Digital Forensics
II. Chain of Custody & Technologies
III. Case Studies
IV. Conclusions
ETRI
• Established in 1976
• Korea's largest government funded research facility in the fields of IT & Comm.
• R&D Fields : Semiconductors, Mobile Communications, Networks, Security, etc.
Organization of ISRD
Information Security Research Division
Applied Security Group
Convergence Security Group
Project Supporting Department
• Network Security Architecture Team
• Secure OS Research Team
• Active Security Research Team
• Privacy Protection Research Team
• P2P Security Research Team
• Wireless Security Application Research Team
• Cryptography Research Team
• Digital ID Security Research Team
• RFID/USN Security Research Team
• Biometrics Technology Research Team
• Biometrics Chipset Research Team
• Bio-medical Information Security Research Team
• Home Network Security Research Team
Applied Security Group
Next Generation Security System Tech.
• Security Gateway System
• Secure Router System
• Security Management System
Network Security Tech. for P2P Overlay Networks over Wired/Wireless IPv6 Infrastructures
Development of Secure Platform for Wireless Network
Convergence Security Group
Cryptographic Algorithm and Protocol
• Next Generation Cryptographic Algorithm Design & Analysis
• Privacy Enhancing Technology
Digital ID Security
• Internet ID Management Technology
• Autonomous Identity Federation Bridging Technology
RFID/USN Security
• Light-weight Crypto Algorithm for RFID & Sensor Network
• Low Power & High Speed Processor
• Security Mechanism for RFID/USN Environments
User Identification Technology Using Biometrics
• Multi-modal Biometric & Searching Technology
• Biometric Chipset
• Biometric Data Protection
Security in Healthcare
• Bio Sensor Technology
• Security Tech. for EHR, u-Hospital
Authentication and Authorization Tech. for Home Networks
• Lightweight authentication and access control mechanism for home networks
Done
• Design and development of information security algorithm for IMT-2000 system
• Electronic certificate based PKI system
• USB token containing biometric functions
• Wireless LAN information security technology
• Next generation IC card
• USIM chipset for 3rd generation mobile communications
I. Introduction of Digital Forensics
• What is Digital Forensics?
• Why Digital Forensics?
• Where to apply?
Forensics?
We are all very familiar with CSI (crime scene investigation)…
Computer crime?
Your company has recently hired a new salesman.
6 months after his hire, he leaves your company and forms a competing interest, sending letters to all of your clients.
You may think this a bit odd and contact an attorney to consider filing a suit.
What has occurred is a virtual theft -- the salesman stole a copy of your client database.
Note that this is a VIRTUAL theft -- since you were not deprived of any property (he didn't delete it, just copied it) you will likely not be able to prosecute him criminally.
by Jkizza, UT Chattanooga
How much information?
"How much Information?" (Berkeley, USA)
• Before 1999 (over roughly 300 thousand years), humans produced 12 exabytes of information; in the 4 years after 1999 alone, we produced 9 exabytes.
• The quantity of information doubles every year, and the digitalization of information is accelerating.
• Only 0.03% of the information produced in 2002 was recorded on paper.
* 1 Exabyte : 10^18 bytes (1 Gigabyte x 1 billion)

Storage Medium    1999-2000      2002      % change
Paper                 1,200      1,634        36%
Film                431,690    420,254        -3%
Magnetic          2,779,760  5,187,130        87%
Optical                  81        103        28%
TOTAL             3,212,731  5,609,121      74.5%
Increase of digital evidence in criminal investigation
[Chart: computer and cyber crime cases by year, 2000-2003; categories: Hacking, Viruses, Extraction of private information / Cyber game, Cyber terror, etc. Sources: CERT, Prosecutor's office; CERT, Police Agency]
Increasing trend of computer & cyber crime (number of crimes per year): 33,325 in 2001, 77,099 in 2004
Digital Evidence: the number of cases in which the important evidence is located in a computer is increasing, both for computer-related crimes and for general crimes.
Features of Digital Evidence: digital evidence is easy to copy, it is difficult to distinguish the original from copied material, and it is easy to manipulate and delete.
Definition
• Logical procedure to acquire, store, analyze and report digital evidence so that it can serve as legal evidence
• To clarify and prove the relations between the events that occurred on a computer, using the digital data stored in the computer
• A sequential procedure: acquisition of the digital evidence without damaging the digital data, proving the existence of the data at a specific time, and producing legal evidence after analyzing the digital evidence
Principles of the digital forensic discipline: Rightfulness, Replay, Promptness, Chain of custody, Integrity
Applicable areas
• Computer Crime Investigation – Spy, Technology leakage, Blackmailing, Fraud, Counterfeit, Hacking, Cyber terror
• Civil Trial – Defamation of character, Negligence, Audit
• Prevention and Response against Intrusion – Constructing the database of data, Rapid processing of vast data, Analyzing the accidents, Response (Trace, Acquisition of evidence, Information Sharing)
Purpose of Digital Forensics
• Computer crime investigation
• Evidence analysis for civil trial
• Data analysis of digital devices
Technologies of Digital Forensics
• Device
• Data C&A
• System & Network
• Application Analysis
Procedures of Digital Forensics
• Acquisition of evidence
• Chain of custody
• Management of digital evidence
• Analysis report
(Purpose of Digital Forensics + Technologies of Digital Forensics = Procedures of Digital Forensics)
Market forecast
Digital forensics is mainly used in computer-crime-related trials such as hacking cases, and the forensic market has increased rapidly.
[Chart: forensic product and accident response service market by year (2001, 2004, 2008); unit: 100 million dollars; values shown: 1.0, 1.33, 1.9, 2.64, 6.0, 7.86; growth rate (year) = 29%. Source: IDC (2004)]
II. Chain of Custody & Technologies
• Procedure of Digital Forensics
• Technologies for Digital Forensics
• Classification of technologies
• Products
Procedure of Digital Forensics - Chain of Custody
Preliminary
• Forensic tool testing
• Preparing tools
• Cooperative system
Acquisition
• Scene investigation
• Disk imaging
• Authentication of evidence
Chain of custody
• Making copy of image
• Transfer of evidence
Analysis
• Search hidden data
• Time-line analysis
• Signature analysis
• Data recovery and search
• Log analysis
• Evidence analysis
Report
• Investigator list
• Opinion of expert
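The acquisition and chain-of-custody steps above, as an added example that is not code from the ETRI slides: a bit-by-bit read of a constructed sample device, hash-based authentication of the image, and a custody log that lets every working copy be re-verified. The device contents, the investigator names and the `Evidence` type are assumptions made for the illustration.

```python
import hashlib
import io
from dataclasses import dataclass, field

@dataclass
class Evidence:
    image: bytes
    sha256: str  # hash fixed at acquisition time
    custody: list = field(default_factory=list)  # (step, actor, sha256) entries

def image_device(device, investigator: str) -> Evidence:
    # Bit-by-bit, chunked read (the dd step) of a write-blocked device; the
    # hash taken here is what every later copy is authenticated against.
    device.seek(0)
    h, chunks = hashlib.sha256(), []
    for chunk in iter(lambda: device.read(4096), b""):
        h.update(chunk)
        chunks.append(chunk)
    digest = h.hexdigest()
    return Evidence(b"".join(chunks), digest, [("acquired", investigator, digest)])

def copy_for_analysis(ev: Evidence, actor: str) -> Evidence:
    # Working copies come from the image, never the original device;
    # each copy is re-hashed and the step appended to the custody log.
    copy = Evidence(bytes(ev.image), ev.sha256, list(ev.custody))
    copy.custody.append(("copied", actor, hashlib.sha256(copy.image).hexdigest()))
    return copy

def verify(ev: Evidence) -> bool:
    # Integrity check: the current hash equals the acquisition hash and every
    # logged step recorded that same hash (no step changed the data).
    now = hashlib.sha256(ev.image).hexdigest()
    return now == ev.sha256 and all(h == ev.sha256 for _, _, h in ev.custody)

# Constructed sample device: a few fake sectors, not a real disk.
SAMPLE_DEVICE = b"\x00" * 512 + b"client_db.csv,ACME Ltd,..." + b"\xff" * 700

def acquire_sample() -> Evidence:
    return image_device(io.BytesIO(SAMPLE_DEVICE), "investigator A")

def demo() -> tuple:
    original = acquire_sample()
    working = copy_for_analysis(original, "analyst B")
    altered = copy_for_analysis(original, "analyst C")
    altered.image = altered.image[:-1] + b"\x00"  # simulate a modified copy
    return verify(original), verify(working), verify(altered)
```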
Classification of technologies
Application
• File Decryption, Crack
• Information Hiding
• File Repair
• Internet
System & Network
• Network Data Collection & Analysis
• Software (Program files) Analysis
• Live Data Collection & Analysis
• System Monitoring
• Network Trace
Data
• File Identification (Find)
• File System Repair
• Browsing
• TimeLine
• Search
Device
• Storage Media Duplication
• Storage Media Repair
Technologies for Digital Forensics (Device)
Storage Media Duplication
• Imaging: making an image of the storage medium by copying it bit by bit
• Write Block: protecting a storage medium so that the information on it stays intact
• Mounting: attaching an image as a sub-directory of the forensic system
Storage Media Repair
• Physical or electronic recovery of a storage medium: recovering it from a physically or electronically damaged state
Technologies for Digital Forensics (System)
Live Data Collection & Analysis
• Acquisition and analysis of the volatile data of the live system
• System (Process, Memory, File, Network) Monitoring, Memory Dump, Log Collection
Software (Program files) Analysis
• Obtaining information about the installed software and analyzing the executable files
• Software Analysis, Debugging, Disassembly
Technologies for Digital Forensics (Network)
Network Data Collection & Analysis
• Data acquisition and analysis of network packets, the network environment, and the logs of security devices
Network Trace
• Tracing the physical and logical source of traffic
• E-mail header analysis, IP back-tracing, BPBT-based remote-user tracing, gathering IP information from the ISP
* BPBT : Bak-Pak Bubble Trap
* ISP : Internet Service Provider
Technologies for Digital Forensics (Data)
File System Repair
• Logical recovery of the storage: recovery of the file allocation table and MBR from the damaged storage
Browsing
• Viewing the mounted image
• Summary and detailed information of disks, directories and files
• Quick view
File Identification (Find): Hashed Search using RDS
• Narrowing the target files using a reference data set (RDS)
• NSRL Project
* CFTT : Computer Forensics Tool Testing * MBR : Master Boot Record * NSRL : National Software Reference Library
Search
• Easy and efficient string search (Indexing, Hash Set)
• File, String, Attribute, Hashed Search
Time Line
• Event analysis according to the order in which the events occurred
• System-based time-line, Network-based time-line
History & File Signature
• Finding deliberate file attribute modification by analyzing file signatures
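Two of the Data-layer techniques above (hashed search against a reference data set, and file signature analysis), as an added example that is not from the ETRI slides. The file contents, the reference hash set and the `triage` function are constructed for illustration; the magic bytes are the standard ones for PDF, ZIP-based and OLE2-based documents (Office 97-2003 and HWP 5.x), and the NSRL RDS does publish SHA-1 hashes of known software files.

```python
import hashlib

# Magic bytes for document types the slides mention. Office 97-2003 and
# HWP 5.x files are OLE2 compound documents, so they share one signature.
SIGNATURES = {
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt", "hwp"},
}

def detect_type(data: bytes):
    # Extensions consistent with the leading bytes, or None if no signature matches.
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def signature_mismatch(name: str, data: bytes) -> bool:
    # True when the extension claims a type the content does not have.
    # An unknown signature is not reported: no match is not proof of tampering.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    exts = detect_type(data)
    return exts is not None and ext not in exts

def triage(files: dict, known_sha1: set) -> dict:
    # files: {name: bytes}. Known files (hash in the RDS) are dropped from
    # review; the rest are split into signature mismatches and files to review.
    out = {"known": [], "mismatch": [], "review": []}
    for name, data in files.items():
        if hashlib.sha1(data).hexdigest() in known_sha1:
            out["known"].append(name)
        elif signature_mismatch(name, data):
            out["mismatch"].append(name)
        else:
            out["review"].append(name)
    return out

# Constructed sample set: a "stock" binary listed in the RDS, a PDF, a ZIP
# renamed to pass as a text note, an HWP 5 document and an unknown blob.
SAMPLE_FILES = {
    "kernel32.dll": b"MZ\x90\x00constructed-known-binary",
    "report.pdf": b"%PDF-1.4\n%constructed\n",
    "notes.txt": b"PK\x03\x04\x14\x00constructed-zip",
    "budget.hwp": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1constructed-ole2",
    "blob.bin": b"\x00\x01\x02unknown",
}
SAMPLE_RDS = {hashlib.sha1(SAMPLE_FILES["kernel32.dll"]).hexdigest()}

def demo() -> dict:
    return triage(SAMPLE_FILES, SAMPLE_RDS)
```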
Technologies for Digital Forensics (Application)
File Decryption, Crack
• Decrypt or recover information that is encrypted or protected by cryptography
• Object : Document files (Office, HWP, PDF, ZIP), System Logon
Slack Space
• Cannot be recognized through the file table
• Find the physical address of the slack space and look into the clusters assigned to it
Information Hiding
• Find the hidden information and turn it into easily accessible data
• Object : Steganography, NTFS Stream, OLE 2.0
* OLE : Object Linking and Embedding
File Repair
• Reconstruct the original file from the damaged file using linguistic and file-format information
• Object : Executable File, Document File, Data File
E-mail
• Turn the data of the e-mail application into easily accessible data
• Viewing, Recovery, Repair (PST, DBX)
Internet
• Find the visited sites using the cookie and history files of the internet browser, and investigate what the user has done
Products
Types                     Products
Hardware Protection Tool  A-Card, FastBlock, NoWrite
Imaging Tool              DD (Linux), SafeBack, SnapBack DatArrest, FreeBSD, Mares imaging tool
Searching Tool            Grep (Linux), dtSearch, Text Search Plus (NTI), Afind/Hfind/Sfind (Forensic Toolkit)
Browsing, Viewer          Conversions Plus, Quick View Plus, ThumbsPlus, WinHex, UltraEdit
Analysis, Recovery Tool   Hash Keeper, TCT, EasyRecovery, FileRepair, Final Data, Advanced Password Recovery
Integration Tool          EnCase, iLook, Forensix, Forensic Toolkit, Autopsy, F.I.R.E, Final Forensic
Certification of Digital Forensics Tools
Computer Forensics Tool Testing (CFTT) program, NIST, USA
• Presents verification & evaluation methods for computer forensics tools
• Strengthens objectivity; publishes the test results as documentation
– Major points : Reliability, Accuracy, Integrity, Generality
– Test functions : Imaging, File Recovery, String Search
III. Case Studies
• Jinju Seobu Nonghyup defamation case
• Morgan Stanley case
Case Study (1)
Jinju Seobu Nonghyup defamation case: background
• Mail containing defamatory statements was sent to 7 locations including the Sangbong branch of Jinju Seobu Nonghyup; the victim filed a complaint for defamation
Forensic application
• One Hyunju computer was seized from the defendant (all HWP documents and other files had been deleted)
• Deleted HWP files, including the address list pasted onto the envelopes of the mail used in the crime, were recovered from the seized computer, and the indictment was based on them
– The computer recovery turned up an address list of the places to which each letter named in the original judgment had been sent, and the typeface and font size of that address list were identical to those of the addresses written on each letter; this was the basis of the case
– 2003. 9. 30. first-instance sentence (8 months imprisonment, suspended for 2 years)
• 2005. 7. 6. retrial requested
– EnCase analysis confirmed that the initial creation date of the #529847.hwp file that held the address list was after the date of the crime; on this basis a retrial was requested and the retrial is in progress
Case Study (2)
Morgan Stanley case: background
• In 1998, while arranging the sale of Coleman, a company owned by Perelman, to Sunbeam, a clothing company that was a Morgan Stanley client,
• Morgan Stanley was sued on the grounds that it knew the financial condition of Sunbeam, which was on the verge of bankruptcy, but did not properly disclose it to Perelman
Ruling
• Morgan Stanley could not produce the past e-mail records related to the Coleman sale as evidence; this led the Perelman side to allege that the e-mails had been deliberately destroyed, which was applied decisively against Morgan Stanley in the outcome of the trial
• In May 2005, a Florida court ruled that Morgan Stanley, which had neglected to preserve evidence, must pay 1.4543 billion dollars to Ronald Perelman, chairman of Revlon
• This emphasizes the importance of securing digital evidence in civil cases
Conclusions
Need for rapid development of forensic techniques and tools
• Increased cyber crime
• Necessity of digital evidence
• Dependency on foreign forensic systems
Need for forensic specialists
• Field of cryptanalysis
• Steganography
• Systems : OS, Database, Web, Mobile …
Making law to guarantee the digital evidence obtained through digital forensics