Digital Forensics - PowerPoint PPT Presentation

1
Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Network and Application Forensics
  • September 28, 2011

2
Network Forensics
  • Network Forensics
  • Network Attacks
  • Security Measures
  • Network Forensics and Tools
  • Types of Networks
  • Other info
  • Summary/Conclusion and Links
  • Special presentation of network forensic
  • http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf

3
Network Attacks
  • Denial of service: denial of service attacks
    cause the service or program to cease functioning
    or prevent others from making use of the service
    or program.
  • These may be performed at the network layer by
    sending carefully crafted and malicious datagrams
    that cause network connections to fail.
  • They may also be performed at the application
    layer, where carefully crafted application
    commands are given to a program that cause it to
    become extremely busy or stop functioning.
  • Preventing suspicious network traffic from
    reaching hosts and preventing suspicious program
    commands and requests are the best ways of
    minimizing the risk of a denial of service
    attack.
  • It is useful to know the details of the attack
    method, so you should educate yourself about each
    new attack as it gets publicized.

4
Network Attacks
  • Spoofing: this type of attack causes a host or
    application to mimic the actions of another.
  • Typically the attacker pretends to be an innocent
    host by following IP addresses in network
    packets.
  • For example, a well-documented exploit of the BSD
    rlogin service can use this method to mimic a TCP
    connection from another host by guessing TCP
    sequence numbers.
  • To protect against this type of attack, verify
    the authenticity of datagrams and commands.
  • Prevent datagram routing with invalid source
    addresses. Introduce unpredictability into
    connection control mechanisms, such as TCP
    sequence numbers and the allocation of dynamic
    port addresses.

5
Network Attacks
  • Eavesdropping: this is the simplest type of
    attack.
  • A host is configured to "listen" to and capture
    data not belonging to it. Carefully written
    eavesdropping programs can take usernames and
    passwords from user login network connections.
  • Broadcast networks like Ethernet are especially
    vulnerable to this type of attack.
  • To protect against this type of threat, avoid use
    of broadcast network technologies and enforce the
    use of data encryption.
  • IP firewalling is very useful in preventing or
    reducing unauthorized access, network layer
    denial of service, and IP spoofing attacks.
  • It is not very useful in avoiding exploitation of
    weaknesses in network services or programs, or
    eavesdropping.

6
Securing a Network
  • Need measures to secure a network and prevent
    breaches
  • Apply patches; use a layered network defense
    strategy
  • The NSA (National Security Agency) has developed
    DiD (Defense in Depth), which has three models of
    protection:
  • People, Technology, Operations
  • People: employees are trained well
  • Technology: strong network architecture and
    testing tools
  • Operations: applying security patches, anti-virus
    software, etc.

7
Network Security Mechanisms
  • Network security starts with authenticating any
    user, most commonly with a username and a
    password.
  • Once authenticated, a stateful firewall enforces
    access policies such as which services the
    network users are allowed to access.
  • Though effective to prevent unauthorized access,
    this component fails to check potentially harmful
    contents such as computer worms being transmitted
    over the network.
  • An intrusion prevention system (IPS) helps detect
    and prevent such malware. IPS also monitors for
    suspicious network traffic for contents, volume
    and anomalies to protect the network from attacks
    such as denial of service.
  • Communication between two hosts using the network
    could be encrypted to maintain privacy.
  • Individual events occurring on the network could
    be tracked for audit purposes and for a later
    high level analysis.

8
Network Security Mechanisms
  • Honeypots, essentially decoy network-accessible
    resources, could be deployed in a network as
    surveillance and early-warning tools.
  • Techniques used by the attackers that attempt to
    compromise these decoy resources are studied
    during and after an attack to keep an eye on new
    exploitation techniques.
  • Such analysis could be used to further tighten
    the security of the actual network being
    protected by the honeypot.
  • Some tools: firewall, antivirus software and
    Internet security software. For authentication,
    use strong passwords and change them on a
    bi-weekly/monthly basis. When using a wireless
    connection, use a robust password. Use a network
    analyzer to monitor and analyze the network.

9
Network Forensics
  • What is Network Forensics?
  • http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html
  • Network Forensics Analysis
  • Relationship to Honeynets/Honeypots
  • Policies for Networks Forensics
  • Example Prototype System
  • Some Popular Networks Forensics Analysis Tools
    (NFAT)

10
What is Network Forensics
  • Network forensics is the process of capturing
    information that moves over a network and trying
    to make sense of it in some kind of forensics
    capacity.
  • Network forensics is the capture, recording, and
    analysis of network events in order to discover
    the source of security attacks or other problem
    incidents.
  • A network forensics appliance is a device that
    automates this process.
  • Wireless forensics is the process of capturing
    information that moves over a wireless network
    and trying to make sense of it in some kind of
    forensics capacity.

11
What is Network Forensics?
  • Network forensics systems can be one of two
    kinds:
  • "Catch-it-as-you-can" systems, in which all
    packets passing through a certain traffic point
    are captured and written to storage with analysis
    being done subsequently in batch mode. This
    approach requires large amounts of storage,
    usually involving a RAID system.
  • "Stop, look and listen" systems, in which each
    packet is analyzed in a rudimentary way in memory
    and only certain information saved for future
    analysis. This approach requires less storage but
    may require a faster processor to keep up with
    incoming traffic.

12
What is Network Forensics
  • Network Forensics is the process of collecting
    and analyzing raw network data and then tracking
    network traffic to determine how an attack took
    place
  • When intruders break into a network they leave a
    trail. Need to spot variations in network
    traffic and detect anomalies
  • Network forensics can usually help to determine
    whether the network has been attacked or there
    is a user error
  • Examiners must establish standard procedures to
    carry out forensics

13
Network Analysis
  • Find analysis techniques developed for one type
    of network and apply them to another type of
    network
  • Types of networks
  • Computer and Communication Networks
  • Telecommunication Network
  • Transportation networks
  • Highways, Railroad, Air Traffic
  • Human networks
  • Terror networks, Relationship networks

14
Network Forensics Analysis Tools (NFAT)
Relationships between IDS, Firewalls and NFAT
  • IDS attempts to detect activity that violates an
    organization's security policy by implementing a
    set of rules describing preconfigured patterns of
    interest
  • Firewall allows or disallows traffic to or from
    specific networks, machine addresses and port
    numbers
  • NFAT synergizes with IDSs and Firewalls.
  • Preserves a long-term record of network traffic
  • Allows quick analysis of trouble spots identified
    by IDSs and Firewalls
  • NFATs must do the following:
  • Capture network traffic
  • Analyze network traffic according to user needs
  • Allow system users to discover useful and
    interesting things about the analyzed traffic

15
NFAT Tasks
  • Traffic Capture
  • What is the policy?
  • What is the traffic of interest?
  • Internal/External?
  • Collect packets: tcpdump
  • Traffic Analysis
  • Sessionizing captured traffic (organize)
  • Protocol Parsing and analysis
  • Check for strings, use expert systems for
    analysis
  • Interacting with NFAT
  • Appropriate user interfaces, reports, examine
    large quantities of information and make it
    manageable

16
Network Forensics NetworkMiner
  • NetworkMiner is a Network Forensic Analysis Tool
    (NFAT) for Windows.
  • NetworkMiner can be used as a passive network
    sniffer/packet capturing tool in order to detect
    operating systems, sessions, hostnames, open
    ports etc. without putting any traffic on the
    network.
  • The purpose of NetworkMiner is to collect data
    (such as forensic evidence) about hosts on the
    network rather than to collect data regarding the
    traffic on the network.
  • The main view is host centric (information
    grouped per host) rather than packet centric
    (information shown as a list of packets/frames).

17
Honeynets/Honeypots
  • Network Forensics and honeynet systems have the
    same features of collecting information about
    computer misuses
  • Honeynet system can lure attackers and gain
    information about new types of intrusions
  • Network forensics systems analyze and reconstruct
    the attack behaviors
  • These two systems integrated together build an
    active, self-learning response system to
    profile the intrusion behavior features and
    investigate the original source of the attack.

18
Honeynet project
  • Honeynet project was established to make
    information about network attacks and solutions
    widely available
  • Objectives: awareness, information, tools
  • Attacks: distributed Denial of Service, zero-day
    attacks
  • Honeypot is a computer set up to lure attackers
  • Honeywalls are computers set up to monitor what
    is happening to the honeypots in the network

19
Policies Computer Attack Taxonomy
  • Probing
  • Attackers reconnaissance
  • Attackers create a profile of an organization's
    structure, network capabilities and content,
    security posture
  • Attacker finds the targets and devises plans to
    circumvent the security mechanism
  • Penetration
  • Exploit System Configuration errors and
    vulnerabilities
  • Install Trojans, record passwords, delete files,
    etc.
  • Cover tracks
  • Configure event logging to a previous state
  • Clear event logs and hide files

20
Policies to enhance forensics
  • Retaining information
  • Planning the response
  • Training
  • Accelerating the investigation
  • Preventing anonymous activities
  • Protect the evidence

21
Example Prototype System Iowa State University
  • Network Forensics Analysis mechanisms should meet
    the following
  • Short response times; user-friendly interfaces
  • Questions addressed:
  • How likely is a specific host relevant to the
    attack? What is the role the host played in the
    attack? How strong are two hosts connected to the
    attack?
  • Features of the prototype
  • Preprocessing mechanism to reduce redundancy in
    intrusion alerts
  • Graph model for presenting and interacting with
    the evidence
  • Hierarchical reasoning framework for automated
    inference of attack group identification

22
Example Prototype System Modules
  • Evidence collection module
  • Evidence preprocessing module
  • Attack knowledge base
  • Assets knowledge base
  • Evidence graph generation module
  • Attack reasoning module
  • Analyst interface module
  • References:
  • http://delivery.acm.org/10.1145/1420000/1410238/a4-wang.pdf?key11410238key29838895521collGUIDEdlGUIDECFID57276464CFTOKEN77054716
  • https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf

23
Network Tools
  • Network Forensics tools help in the monitoring of
    the network
  • Example: the records that PsTools generate can
    prove that an employee ran a program without
    permission
  • Can also monitor machines/processes that may be
    harmful
  • Problem is the attacker can get administrator
    rights and start using the tools
  • Chapter 11 discusses tools for Windows and Linux

24
Some Popular Tools
  • Raytheon's SilentRunner
  • Gives administrators help as they attempt to
    protect their company's assets
  • Collector, Analyzer and Visualizer modules
  • Sandstorm Enterprises' NetIntercept
  • Hardware appliance focused on capturing network
    traffic
  • Niksun's NetDetector
  • It's an appliance like NetIntercept
  • Has an alerting mechanism
  • Integrates with Cisco IDS for a complete forensic
    analysis

25
Network Forensics Open Source Tools
  • Open source tools
  • Wireshark
  • Kismet
  • Snort
  • OSSEC
  • NetworkMiner is an open source Network Forensics
    Tool available at SourceForge.
  • Xplico is an Internet/IP Traffic Decoder (NFAT).
    Protocols supported: HTTP, SIP, FTP, IMAP, POP,
    SMTP, TCP, UDP, IPv4, IPv6

26
Network Forensics Commercial Tools
  • Deep Analysis Tools (data mining based tools)
  • E-Detective
  • ManTech International Corporation
  • Network Instruments
  • NIKSUN's NetDetector
  • PacketMotion
  • Sandstorm's NetIntercept
  • Mera Systems NetBeholder
  • InfoWatch Traffic Monitor

27
Network Forensics Commercial Tools
  • Flow-Based Systems
  • Arbor Networks
  • GraniteEdge Networks
  • Lancope http://www.lancope.com/
  • Mazu Networks http://www.mazunetworks.com/
  • Hybrid Systems
  • These systems combine flow analysis, deep
    analysis, and security event monitoring and
    reporting.
  • Q1 Labs http://www.q1labs.com/

28
Performing Live Acquisitions
  • Insert bootable forensics CD in the suspect
    system
  • Keep a log of all the actions
  • Send collected information to a network drive
  • Copy the physical memory
  • Determine if a rootkit is present; access the
    system's firmware, etc.
  • Get forensics hash value of all files

29
Performing Live Acquisitions Windows
  • Set up a NetCat listener to send the forensics
    data to
  • Load the Helix CD in the CD-ROM drive
  • Click the appropriate buttons: System Information,
    Glad arrow, etc.
  • Click Acquire Live Image if it is a Windows system
  • Connect to the NetCat listener to send the
    collected data (e.g., enter the IP address of the
    NetCat listener)
  • Click Incident Response Tools
  • Click on the appropriate tools to collect data

30
Standard procedures
  • Standard installation image, hash schemes (e.g.,
    MD5, SHA-1)
  • Fix vulnerabilities if intrusion is detected
  • Retrieve volatile data (RAM, processes)
  • Acquire compromised drive and make forensics
    image of it
  • Compare forensics image and standard image and
    determine if anything has changed
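The last two steps, comparing the acquired forensic image against the standard installation image, as an added example for this lecture (not the instructor's or the textbook's code): each tree is reduced to a hash manifest and the differences are classified as added, removed or modified. The file trees, their contents and the tampering are constructed in a temporary directory; the hash algorithm is a parameter and defaults to SHA-1 only because the slide names it.

```python
"""Compare an acquired forensic image against the standard installation image
by hash manifest (slide 30).  Added example, not the lecture's own code; the
file trees below are constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, algo: str = "sha1") -> str:
    """Hash one file in chunks so large images do not have to fit in memory.
    MD5 and SHA-1 are what the slide names; for new baselines prefer sha256."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path, algo: str = "sha1") -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its hash."""
    out: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return out


def compare(baseline: Dict[str, str], image: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the standard image and the acquired one."""
    common = baseline.keys() & image.keys()
    return {
        "added": sorted(image.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - image.keys()),
        "modified": sorted(k for k in common if baseline[k] != image[k]),
    }


def write(root: Path, rel: str, data) -> None:
    """Helper for the constructed scenario: create rel under root with data."""
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data if isinstance(data, bytes) else data.encode())


def build_demo() -> Dict[str, List[str]]:
    """Constructed scenario: the acquired image has a replaced binary, an
    extra account in /etc/passwd, a dropped file and a deleted log."""
    with tempfile.TemporaryDirectory() as tmp:
        std, acq = Path(tmp, "standard"), Path(tmp, "acquired")
        for root in (std, acq):
            write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
            write(root, "bin/ls", b"\x7fELF standard ls (constructed)")
        write(std, "var/log/auth.log", "Sep 28 09:00:00 sshd: session opened\n")
        write(acq, "bin/ls", b"\x7fELF replaced ls (constructed)")
        write(acq, "etc/passwd", "root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        write(acq, "tmp/.x", "constructed dropper placeholder")
        return compare(manifest(std), manifest(acq))


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind:9s} {paths}")
```

On a real case the baseline manifest is built once from the standard image and stored with the case log, so it can be re-verified later without the original media.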

31
Network Logs
  • Network logs record traffic in and out of network
  • Network servers, routers, firewalls record
    activities and events that move through them
  • One way is to run tcpdump
  • When viewing network log, port information can
    give clues about suspicious activity
  • Use network analysis tool

32
Packet Sniffers
  • Devices or software to monitor (sniff) traffic
  • TCP/IP sniffers operate at the packet level; in
    the OSI model this is Layer 2 or 3 (the Data
    Link or Network layer)
  • Some sniffers perform packet captures, some
    perform analysis and some perform both
  • Tools exist for examining (i) packets with
    certain flags set (ii) email headers (iii) IRC
    chats

33
Summary
  • Network Forensics is the process of collecting
    and analyzing raw network data and then tracking
    network traffic to determine how an attack took
    place
  • Layered defense strategies to the network
    architecture
  • Live acquisitions are needed to retrieve volatile
    items
  • Standard procedures are needed to establish how
    to proceed after a network attack occurs
  • By monitoring network traffic one can establish
    normal operations and then determine if there is
    an anomaly
  • Network tools used to monitor networks but
    intruders can get admin rights to attack from the
    inside
  • Tools are available for monitoring network
    traffic for both Windows and Linux systems
  • Honeynet project enables people to learn latest
    intrusion techniques

34
Links
  • https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf
  • http://www.cs.fsu.edu/yasinsac/Papers/MY01.pdf
  • http://www.sandstorm.net/support/netintercept/downloads/ni-ieee.pdf
  • http://www.giac.org/certified_professionals/practicals/gsec/2478.php
  • http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf
  • http://dfrws.org/2003/presentations/Brief-Casey.pdf
  • http://delivery.acm.org/10.1145/1070000/1066749/p302-ren.pdf?key11066749key20512850911collGUIDEdlGUIDECFID36223233CFTOKEN49225512
  • http://dfrws.org/

35
Application Forensics
  • Email Forensics
  • UTD work on Email worm detection - revisited
  • Mobile System Forensics
  • Note Other Application/systems related forensics
  • Database forensics, Network forensics (already
    discussed)
  • Military Forensics Overview
  • Optional paper to read
  • http://www.mindswap.org/papers/Trust.pdf

36
Email Forensics
  • Email Investigations
  • Client/Server roles
  • Email crimes and violations
  • Email servers
  • Email forensics tools

37
Email Investigations
  • Types of email investigations
  • Emails carrying worms and viruses (suspicious
    emails)
  • Checking emails in a crime, e.g., a homicide
  • Types of suspicious emails
  • Phishing emails: they are in HTML format and
    redirect to suspicious web sites
  • Nigerian scam
  • Spoofing emails

38
Client/Server Roles
  • Client-Server architecture
  • Email servers run the email server programs,
    for example Microsoft Exchange Server
  • Email clients run the client program, for example
    Outlook
  • Identification/authentication is used for the
    client to access the server
  • Intranet/Internet email servers
  • Intranet: local environment
  • Internet: public, for example Yahoo, Hotmail, etc.

39
Email Crimes and Violations
  • Goal is to determine who is behind the crime such
    as who sent the email
  • Steps to email forensics
  • Examine email message
  • Copy the email message; also forward the email
  • View and examine the email header; tools are
    available for Outlook and other email clients
  • Examine additional files such as address books
  • Trace the message using various Internet tools
  • Examine network logs (NetFlow analysis)
  • Note: UTD NetFlow tools (SCRUB) are on SourceForge

40
Email Servers
  • Need to work with the network administrator on
    how to retrieve messages from the server
  • Understand how the server records and handles the
    messages
  • How are the email logs created and stored
  • How are deleted email messages handled by the
    server? Are copies of the messages still kept?
  • Chapter 12 discusses email servers from UNIX,
    Microsoft and Novell

41
Email Forensics Tools
  • Several tools for Outlook Express, Eudora,
    Exchange, Lotus Notes
  • Tools for log analysis and recovering deleted
    emails
  • Examples
  • AccessData FTK
  • FINALeMAIL
  • EDBXtract
  • MailRecovery

42
Worm Detection Introduction
  • What are worms?
  • Self-replicating program; exploits a software
    vulnerability on a victim; remotely infects other
    victims
  • Evil worms
  • Severe effect: the Code Red epidemic cost 2.6
    billion
  • Goals of worm detection
  • Real-time detection
  • Issues
  • Substantial Volume of Identical Traffic, Random
    Probing
  • Methods for worm detection
  • Count number of sources/destinations; count
    number of failed connection attempts
  • Worm Types
  • Email worms, Instant Messaging worms, Internet
    worms, IRC worms, File-sharing Networks worms
  • Automatic signature generation possible
  • EarlyBird System (S. Singh, UCSD), Autograph (H.
    Ah-Kim, CMU)
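The NFAT tasks of slide 15 (sessionizing captured traffic, a string check over the payload) and the worm-detection counts of slide 42 (sources/destinations and failed connection attempts per host), worked as one added example that is not the lecture's or any tool's code. The packet records, the one-host probing pattern and the thresholds are constructed; a real capture would come from tcpdump or a similar sniffer.

```python
"""Sessionize captured packets (slide 15) and apply the slide-42 worm
heuristics: count destinations and failed connection attempts per source.
Added example, not the lecture's own code; packet records are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed packet records, as a tcpdump-style capture would yield after
# parsing: (time, src, dst, sport, dport, proto, tcp_flags, payload).
PACKETS = [
    (1.0, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", "S", b""),
    (1.1, "10.0.0.9", "10.0.0.5", 80, 40001, "tcp", "SA", b""),
    (1.2, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", "A",
     b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (1.3, "10.0.0.9", "10.0.0.5", 80, 40001, "tcp", "A", b"HTTP/1.1 200 OK\r\n\r\n"),
    # One host probing port 445 on many neighbours: RST replies or silence.
    (2.0, "10.0.0.77", "10.0.0.10", 50000, 445, "tcp", "S", b""),
    (2.0, "10.0.0.10", "10.0.0.77", 445, 50000, "tcp", "RA", b""),
    (2.1, "10.0.0.77", "10.0.0.11", 50001, 445, "tcp", "S", b""),
    (2.2, "10.0.0.77", "10.0.0.12", 50002, 445, "tcp", "S", b""),
    (2.3, "10.0.0.77", "10.0.0.13", 50003, 445, "tcp", "S", b""),
    (2.3, "10.0.0.13", "10.0.0.77", 445, 50003, "tcp", "RA", b""),
]

Session = Dict[str, object]


def session_key(pkt) -> Tuple:
    """Direction-independent 5-tuple so both halves of a flow share one session."""
    _, src, dst, sport, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def sessionize(packets) -> Dict[Tuple, Session]:
    """Group packets into sessions and record the handshake outcome per session."""
    sessions: Dict[Tuple, Session] = {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        t, src, dst, sport, dport, proto, flags, payload = pkt
        s = sessions.setdefault(session_key(pkt), {
            "initiator": src, "responder": dst, "dport": dport,
            "start": t, "end": t, "packets": 0, "bytes": 0,
            "syn": False, "synack": False, "rst": False, "payload": b""})
        s["end"] = t
        s["packets"] += 1
        s["bytes"] += len(payload)
        s["payload"] += payload
        if "S" in flags:
            s["synack" if "A" in flags else "syn"] = True
        if "R" in flags:
            s["rst"] = True
    return sessions


def failed(s: Session) -> bool:
    """A connection attempt failed if the SYN never got a SYN-ACK."""
    return bool(s["syn"] and not s["synack"])


def sessions_containing(sessions, needle: bytes) -> List[Tuple]:
    """The slide-15 string check over reassembled payload."""
    return [k for k, s in sessions.items() if needle in s["payload"]]


def suspicious_sources(sessions, max_failed: int = 3, max_dsts: int = 3) -> Set[str]:
    """Flag initiators with many failed attempts or many distinct destinations.
    Thresholds are assumed; tune them from a baseline of normal traffic."""
    fails = defaultdict(int)
    dsts = defaultdict(set)
    for s in sessions.values():
        dsts[s["initiator"]].add(s["responder"])
        if failed(s):
            fails[s["initiator"]] += 1
    return {src for src in dsts
            if fails[src] >= max_failed or len(dsts[src]) >= max_dsts}


if __name__ == "__main__":
    sess = sessionize(PACKETS)
    for k, s in sess.items():
        print(k, "failed" if failed(s) else "ok", s["packets"], "pkts", s["bytes"], "bytes")
    print("suspicious:", suspicious_sources(sess))
    print("HTTP sessions:", sessions_containing(sess, b"HTTP/1.1"))
```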

43
Email Worm Detection using Data Mining
  • Task: given some training instances of both
    normal and viral emails, induce a hypothesis
    to detect viral emails.
  • We used Naïve Bayes and SVM.
  • [Diagram: outgoing emails → feature extraction →
    training data and test data → machine learning →
    classifier (the model) → clean or infected?]

44
Assumptions
  • Features are based on outgoing emails.
  • Different users have different normal
    behaviour.
  • Analysis should be per-user basis.
  • Two groups of features
  • Per email (number of attachments, HTML in body,
    text/binary attachments)
  • Per window (mean words in body, variance of
    words in subject)
  • Total of 24 features identified
  • Goal: identify normal and viral emails based
    on these features

45
Feature sets
  • Per email features
  • Binary valued Features
  • Presence of HTML: script tags/attributes,
    embedded images, hyperlinks
  • Presence of binary or text attachments; MIME
    types of file attachments
  • Continuous-valued Features
  • Number of attachments; number of words/characters
    in the subject and body
  • Per window features
  • Number of emails sent; number of unique email
    recipients; number of unique sender addresses
  • Average number of words/characters per subject
    and body; average word length
  • Variance in number of words/characters per
    subject and body; variance in word length
  • Ratio of emails with attachments

46
Data Mining Approach
  • [Diagram: a test instance is fed to the
    classifier (SVM, Naïve Bayes), which answers
    "Clean?" / "infected?" and labels the instance
    Clean/Infected]

47
Data set
  • Collected from UC Berkeley.
  • Contains instances for both normal and viral
    emails.
  • Six worm types
  • bagle.f, bubbleboy, mydoom.m,
  • mydoom.u, netsky.d, sobig.f
  • Originally Six sets of data
  • training instances: normal (400) + five worms
    (5x200)
  • testing instances: normal (1200) + the sixth worm
    (200)
  • Problem: not balanced, no cross-validation
    reported
  • Solution: re-arrange the data and apply
    cross-validation

48
Our Implementation and Analysis
  • Implementation
  • Naïve Bayes: assumes a normal distribution of
    numeric and real-valued data; smoothing applied
  • SVM parameter settings: one-class SVM with the
    radial basis function kernel, gamma = 0.015 and
    nu = 0.1.
  • Analysis
  • NB alone performs better than other techniques
  • SVM alone also performs better if parameters are
    set correctly
  • mydoom.m and VBS.Bubbleboy data set are not
    sufficient (very low detection accuracy in all
    classifiers)
  • The feature-based approach seems to be useful
    only when we have
  • identified the relevant features
  • gathered enough training data
  • Implement classifiers with best parameter
    settings

49
Mobile Device/System Forensics
  • Mobile device forensics overview
  • Acquisition procedures
  • Summary

50
Mobile Device Forensics Overview
  • What is stored in cell phones
  • Incoming/outgoing/missed calls
  • Text messages
  • Short messages
  • Instant messaging logs
  • Web pages
  • Pictures
  • Calendars
  • Address books
  • Music files
  • Voice records

51
Mobile Phones
  • Multiple generations
  • Analog, Digital personal communications, Third
    generations (increased bandwidth and other
    features)
  • Digital networks
  • CDMA, GSM, TDMA, etc.
  • Proprietary OSs
  • SIM Cards (Subscriber Identity Module)
  • Identifies the subscriber to the network
  • Stores personal information, address books,
    etc.
  • PDAs (Personal digital assistant)
  • Combines mobile phone and laptop technologies

52
Acquisition procedures
  • Mobile devices have volatile memory, so need to
    retrieve RAM before losing power
  • Isolate device from incoming signals
  • Store the device in a special bag
  • Need to carry out forensics in a special lab
    (e.g., SAIAL)
  • Examine the following
  • Internal memory, SIM card, other external memory
    cards, System server, also may need information
    from service provider to determine location of
    the person who made the call

53
Mobile Forensics Tools
  • Reads SIM Card files
  • Analyze file content (text messages etc.)
  • Recovers deleted messages
  • Manages PIN codes
  • Generates reports
  • Archives files with MD5, SHA-1 hash values
  • Exports data to files
  • Supports international character sets

54
Information Warfare
  • Information Warfare
  • Defensive Strategies for Government and Industry
  • Military Tactics
  • Terrorism and Information Warfare
  • Tactics of Private Corporations
  • Future IW strategies
  • Surveillance Tools
  • The Victims of Information Warfare
  • Military Forensics
  • Relevant Papers

55
What is Information Warfare?
  • Information warfare is the use and management of
    information in pursuit of a competitive advantage
    over an opponent. Information warfare may involve
    collection of tactical information, assurance
    that one's own information is valid, spreading of
    propaganda or disinformation to demoralize the
    enemy and the public, undermining the quality of
    opposing force information and denial of
    information collection opportunities to opposing
    forces.
  • http://en.wikipedia.org/wiki/Information_warfare

56
Defensive Strategies for Government and Industry
  • Are US and Foreign governments prepared for
    Information Warfare
  • According to John Vacca, the US will be most
    affected, with 60% of the world's computing power
  • Stealing sensitive information as well as
    critical information to cripple an economy
    (e.g., financial information)
  • What have industry groups done?
  • IT-ISAC: Information Technology Information
    Sharing and Analysis Center
  • Will strategic diplomacy help with Information
    Warfare?
  • Educating the end user is critical according to
    John Vacca

57
Defensive Strategies for Government and Industry
  • What are International organizations?
  • Think Tanks and Research agencies
  • Book cites several countries from Belarus to
    Taiwan engaged in Economic Espionage and
    Information Warfare
  • Risk-based analysis
  • Military alliances
  • Coalition forces US, UK, Canada, Australia have
    regular meetings on Information Warfare
  • Legal implications
  • Strong parallels between National Security and
    Cyber Security

58
Military Tactics
  • Supporting Technologies
  • Agents, XML, Human Computer Interaction
  • Military tactics
  • Planning, Security, Intelligence
  • Tools
  • Offensive Ruinous IW tools
  • Launching massive distributed denial of service
    attacks
  • Offensive Containment IW tools
  • Operations security, Military deception,
    Psychological operations, Electronic warfare (use
    of electromagnetic energy), Targeting: disable the
    enemy's C2 (command and control) system and
    capability

59
Military Tactics
  • Tools (continued)
  • Defensive Preventive IW Tools
  • Monitor networks
  • Defensive Ruinous IW tools
  • Information operations
  • Defensive Responsive Containment IW tools
  • Handle hacking, viruses.
  • Other aspects
  • Dealing with sustained terrorist IW tactics,
    Dealing with random terrorist IW tactics

60
Terrorism and Information Warfare
  • Terrorists are using the web to carry out
    terrorism activities
  • What are the profiles of terrorists? Are they
    computer literate?
  • Hacker controlled tanks, planes and warships
  • Is there a Cyber underground network?
  • What are their tools?
  • Information weapons, HERF gun (high power radio
    energy at an electronic target), electromagnetic
    pulse, electric power disruptive technologies
  • Why are they hard to track down?
  • Need super forensics tools

61
Tactics of Private Corporations
  • Defensive tactics
  • Open source intelligence, gather business
    intelligence
  • Offensive tactics
  • Packet sniffing, Trojan horse etc.
  • Prevention tactics
  • Security techniques such as encryption
  • Survival tactics
  • Forensics tools

62
Future IW Tactics
  • Electromagnetic bomb
  • Technology, targeting and delivery
  • Improved conventional method
  • Virus, worms, trap doors, Trojan horse
  • Global positioning systems
  • Nanotechnology developments
  • Nano bombs

63
Surveillance Tools
  • Data emanating from sensors
  • Video data, surveillance data
  • Data has to be analyzed
  • Monitoring suspicious events
  • Data mining
  • Determining events/activities that are abnormal
  • Biometrics technologies
  • Privacy is a concern

64
Victims of Information Warfare
  • Loss of money and funds
  • Loss of shelter, food and water
  • Spread of disease
  • Identity theft
  • Privacy violations
  • Death and destruction
  • Note: computers can be hacked to lose money and
    identity; computers can be used to commit a crime
    resulting in death and destruction

65
Military Forensics
  • CFX-2000 (Computer Forensics Experiment 2000)
  • Information Directorate (AFRL) partnership with
    NIJ/NLECTC
  • Hypothesis: it is possible to determine the
    motives, intent, targets, sophistication,
    identity and location of cyber terrorists by
    deploying an integrated forensics analysis
    framework
  • Tools included commercial products and research
    prototypes
  • http://www.afrlhorizons.com/Briefs/June01/IF0016.html
  • http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf

66
Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Appendix
  • Social Network Analysis and Forensics
  • October 8, 2010