Title: Digital Forensics
1 Digital Forensics
- Dr. Bhavani Thuraisingham
- The University of Texas at Dallas
- Network and Application Forensics
- September 28, 2011
2 Network Forensics
- Network Forensics
- Network Attacks
- Security Measures
- Network Forensics and Tools
- Types of Networks
- Other info
- Summary/Conclusion and Links
- Special presentation on network forensics:
  http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf
3 Network Attacks
- Denial of service: denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program.
- These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail.
- They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning.
- Preventing suspicious network traffic from reaching hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack.
- It is useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.
4 Network Attacks
- Spoofing: this type of attack causes a host or application to mimic the actions of another.
- Typically the attacker pretends to be an innocent host by forging IP addresses in network packets.
- For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers.
- To protect against this type of attack, verify the authenticity of datagrams and commands.
- Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.
5 Network Attacks
- Eavesdropping: this is the simplest type of attack.
- A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections.
- Broadcast networks like Ethernet are especially vulnerable to this type of attack.
- To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption.
- IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks.
- It is not very useful in avoiding exploitation of weaknesses in network services or programs, or in preventing eavesdropping.
6 Securing a Network
- Need measures to secure a network and prevent breaches
- Apply patches; use a layered network defense strategy
- NSA (National Security Agency) has developed DiD (Defense in Depth) and has three models of protection: People, Technology, Operations
- People: employees are trained well
- Technology: strong network architecture and testing tools
- Operations: applying security patches, anti-virus software, etc.
7 Network Security Mechanisms
- Network security starts from authenticating any user, most likely with a username and a password.
- Once authenticated, a stateful firewall enforces access policies such as what services are allowed to be accessed by the network users.
- Though effective in preventing unauthorized access, this component fails to check potentially harmful contents such as computer worms being transmitted over the network.
- An intrusion prevention system (IPS) helps detect and prevent such malware. An IPS also monitors suspicious network traffic for contents, volume and anomalies to protect the network from attacks such as denial of service.
- Communication between two hosts using the network could be encrypted to maintain privacy.
- Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis.
8 Network Security Mechanisms
- Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools.
- Techniques used by attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques.
- Such analysis could be used to further tighten security of the actual network being protected by the honeypot.
- Some tools: firewall, antivirus software and Internet security software. For authentication, use strong passwords and change them on a bi-weekly/monthly basis. When using a wireless connection, use a robust password. Use a network analyzer to monitor and analyze the network.
9 Network Forensics
- What is Network Forensics?
  http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html
- Network Forensics Analysis
- Relationship to Honeynets/Honeypots
- Policies for Network Forensics
- Example Prototype System
- Some Popular Network Forensics Analysis Tools (NFAT)
10 What is Network Forensics?
- Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity.
- Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
- A network forensics appliance is a device that automates this process.
- Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.
11 What is Network Forensics?
- Network forensics systems can be one of two kinds:
  - "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
  - "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.
12 What is Network Forensics?
- Network forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place
- When intruders break into a network they leave a trail. Need to spot variations in network traffic and detect anomalies
- Network forensics can usually help to determine whether the network has been attacked or there is a user error
- Examiners must establish standard procedures to carry out forensics
13 Network Analysis
- Find analysis techniques developed for one type of network and apply them to another type of network
- Types of networks
  - Computer and communication networks
  - Telecommunication networks
  - Transportation networks: highways, railroad, air traffic
  - Human networks: terror networks, relationship networks
14 Network Forensics Analysis Tools (NFAT)
Relationships between IDS, Firewalls and NFAT
- IDS attempts to detect activity that violates an organization's security policy by implementing a set of rules describing preconfigured patterns of interest
- Firewall allows or disallows traffic to or from specific networks, machine addresses and port numbers
- NFAT synergizes with IDSs and firewalls.
  - Preserves a long term record of network traffic
  - Allows quick analysis of trouble spots identified by IDSs and firewalls
- NFATs must do the following:
  - Capture network traffic
  - Analyze network traffic according to user needs
  - Allow system users to discover useful and interesting things about the analyzed traffic
15 NFAT Tasks
- Traffic Capture
  - What is the policy?
  - What is the traffic of interest?
  - Internal/External?
  - Collect packets: tcpdump
- Traffic Analysis
  - Sessionizing captured traffic (organize)
  - Protocol parsing and analysis
  - Check for strings, use expert systems for analysis
- Interacting with NFAT
  - Appropriate user interfaces, reports; examine large quantities of information and make it manageable
16 Network Forensics: NetworkMiner
- NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows.
- NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.
- The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.
- The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).
17 Honeynets/Honeypots
- Network forensics and honeynet systems have the same features of collecting information about computer misuse
- A honeynet system can lure attackers and gain information about new types of intrusions
- Network forensics systems analyze and reconstruct the attack behaviors
- These two systems integrated together build an active self-learning and response system to profile the intrusion behavior features and investigate the original source of the attack.
18 Honeynet Project
- The Honeynet Project was established to make information about network attacks and solutions widely available
- Objectives: awareness, information, tools
- Attacks: distributed denial of service, zero day attacks
- A honeypot is a computer set up to lure attackers
- Honeywalls are computers set up to monitor what is happening to the honeypots in the network
19 Policies: Computer Attack Taxonomy
- Probing
  - Attacker's reconnaissance
  - Attackers create a profile of an organization's structure, network capabilities and content, security posture
  - Attacker finds the targets and devises plans to circumvent the security mechanism
- Penetration
  - Exploit system configuration errors and vulnerabilities
  - Install Trojans, record passwords, delete files, etc.
- Cover tracks
  - Configure event logging to a previous state
  - Clear event logs and hide files
20 Policies to Enhance Forensics
- Retaining information
- Planning the response
- Training
- Accelerating the investigation
- Preventing anonymous activities
- Protect the evidence
21 Example Prototype System: Iowa State University
- Network forensics analysis mechanisms should meet the following: short response times, user friendly interfaces
- Questions addressed:
  - How likely is a specific host relevant to the attack? What is the role the host played in the attack? How strongly are two hosts connected to the attack?
- Features of the prototype
  - Preprocessing mechanism to reduce redundancy in intrusion alerts
  - Graph model for presenting and interacting with the evidence
  - Hierarchical reasoning framework for automated inference of attack group identification
22 Example Prototype System: Modules
- Evidence collection module
- Evidence preprocessing module
- Attack knowledge base
- Assets knowledge base
- Evidence graph generation module
- Attack reasoning module
- Analyst interface module
- References
  - http://delivery.acm.org/10.1145/1420000/1410238/a4-wang.pdf?key11410238key29838895521collGUIDEdlGUIDECFID57276464CFTOKEN77054716
  - https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf
23 Network Tools
- Network forensics tools help in the monitoring of the network
- Example: the records that PsTools generate can prove that an employee ran a program without permission
- Can also monitor machines/processes that may be harmful
- Problem: the attacker can get administrator rights and start using the tools
- Chapter 11 discusses tools for Windows and Linux
24 Some Popular Tools
- Raytheon's SilentRunner
  - Gives administrators help as they attempt to protect their company's assets
  - Collector, Analyzer and Visualizer modules
- Sandstorm Enterprises' NetIntercept
  - Hardware appliance focused on capturing network traffic
- Niksun's NetDetector
  - It's an appliance like NetIntercept
  - Has an alerting mechanism
  - Integrates with Cisco IDS for a complete forensic analysis
25 Network Forensics Open Source Tools
- Open source tools
  - Wireshark
  - Kismet
  - Snort
  - OSSEC
- NetworkMiner is an open source network forensics tool available at SourceForge.
- Xplico is an Internet/IP traffic decoder (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6
26 Network Forensics Commercial Tools
- Deep Analysis Tools (data mining based tools)
  - E-Detective
  - ManTech International Corporation
  - Network Instruments
  - NIKSUN's NetDetector
  - PacketMotion
  - Sandstorm's NetIntercept
  - Mera Systems NetBeholder
  - InfoWatch Traffic Monitor
27 Network Forensics Commercial Tools
- Flow-Based Systems
  - Arbor Networks
  - GraniteEdge Networks
  - Lancope: http://www.lancope.com/
  - Mazu Networks: http://www.mazunetworks.com/
- Hybrid Systems
  - These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
  - Q1 Labs: http://www.q1labs.com/
28 Performing Live Acquisitions
- Insert a bootable forensics CD in the suspect system
- Keep a log of all the actions
- Send collected information to a network drive
- Copy the physical memory
- Determine if a rootkit is present, access the system's firmware, ...
- Get forensics hash values of all files
29 Performing Live Acquisitions: Windows
- Set up a NetCat listener to send the forensics data to
- Load the Helix CD in the CD-ROM drive
- Click appropriate buttons: System Information, Glad arrow, etc.
- Click Acquire Live Image if Windows system
- Connect to the NetCat listener to send the collected data (e.g., enter the IP address of the NetCat listener)
- Click Incident Response Tools
- Click on the appropriate tools to collect data
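The listener step above, shown end to end as an added example (this is not Helix or NetCat code and not part of the original slides): a collector-side listener that accepts one connection, stores everything it receives, and logs the peer address and a SHA-1 of the stream, so the stored evidence can later be shown to match what the suspect host sent. The sender is a plain socket client standing in for the suspect machine, everything runs on the loopback interface, and the evidence bytes are constructed.

```python
"""Receive forensic data pushed from a suspect host over TCP, store it and
record a hash of what arrived, mirroring the 'NetCat listener' step.

Hypothetical example for these notes, not Helix or NetCat. The sender below is
a plain socket client standing in for the suspect machine, everything runs on
the loopback interface, and the evidence bytes are constructed.
"""
import hashlib
import os
import socket
import tempfile
import threading

# Constructed stand-in for tool output collected on the suspect system.
SAMPLE_EVIDENCE = (
    b"hostname: SUSPECT-PC\r\n"
    b"logged on: jdoe\r\n"
    b"process: 1234 svchost.exe\r\n"
    b"process: 4321 unknown.exe\r\n"
)

def run_listener(server_sock, out_path, log):
    """Accept one connection on an already-listening socket, write every byte
    received to out_path, and log the peer and the SHA-1 of the stream.

    Returns (bytes_received, sha1_hexdigest).
    """
    sha1 = hashlib.sha1()
    total = 0
    conn, peer = server_sock.accept()
    log.append(f"connection from {peer[0]}:{peer[1]}")
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # sender closed: end of the evidence stream
                break
            out.write(chunk)
            sha1.update(chunk)
            total += len(chunk)
    log.append(f"received {total} bytes, sha1={sha1.hexdigest()}")
    return total, sha1.hexdigest()

def send_evidence(port, data):
    """Suspect-side stand-in: connect to the listener and push the data."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(data)

def collect_over_network(data=SAMPLE_EVIDENCE):
    """Run the listener in a thread, send the data to it, and verify that the
    stored copy hashes to the same value as what was sent."""
    log = []
    result = {}
    out_path = os.path.join(tempfile.mkdtemp(), "evidence.bin")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0: let the OS choose a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def listener():
        result["bytes"], result["sha1"] = run_listener(srv, out_path, log)

    t = threading.Thread(target=listener)
    t.start()
    send_evidence(port, data)
    t.join(timeout=10)
    srv.close()
    with open(out_path, "rb") as f:
        stored = hashlib.sha1(f.read()).hexdigest()
    result["matches_sent"] = stored == hashlib.sha1(data).hexdigest() == result.get("sha1")
    result["log"] = log
    return result

if __name__ == "__main__":
    r = collect_over_network()
    print("\n".join(r["log"]), "\nhash verified:", r["matches_sent"])
```

The point of hashing on the receiving side while the data streams in is that the action log (the "keep a log of all the actions" step) records a value that was computed before anyone could touch the stored file; a later examiner can re-hash the file and compare.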
30 Standard Procedures
- Standard installation image, hash schemes (e.g., MD5, SHA-1)
- Fix vulnerabilities if an intrusion is detected
- Retrieve volatile data (RAM, processes)
- Acquire the compromised drive and make a forensics image of it
- Compare the forensics image and the standard image and determine if anything has changed
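The last step, comparing the forensics image against the standard installation image by file hash, as an added example (not code from the slides or from any forensics product): both "images" are constructed as directories of files so it runs offline; against a real acquisition you would mount the image read-only and hash its files the same way.

```python
"""Compare a baseline (standard installation) image against an acquired
forensic image by file hash, reporting what was added, removed or modified.

Hypothetical example for these notes. Both 'images' are constructed as
directories of files so the script runs offline.
"""
import hashlib
import os
import tempfile

def hash_file(path, algo="sha1"):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root, algo="sha1"):
    """Map each relative file path under root to its hash."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = hash_file(full, algo)
    return hashes

def diff_images(baseline, acquired):
    """Files added, removed and modified in the acquired image relative to the baseline."""
    return {
        "added": sorted(set(acquired) - set(baseline)),
        "removed": sorted(set(baseline) - set(acquired)),
        "modified": sorted(p for p in baseline.keys() & acquired.keys()
                           if baseline[p] != acquired[p]),
    }

def _write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)

def demo():
    """Build a constructed baseline and a tampered copy of it, then diff them."""
    baseline_files = {
        "bin/login": b"original login binary",
        "etc/passwd": b"root:x:0:0\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
    }
    acquired_files = dict(baseline_files)
    acquired_files["bin/login"] = b"replaced login binary"   # modified on the suspect
    acquired_files["tmp/.hidden"] = b"dropped tool"           # added on the suspect
    del acquired_files["etc/hosts"]                           # deleted on the suspect
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as acq:
        _write_tree(base, baseline_files)
        _write_tree(acq, acquired_files)
        return diff_images(hash_tree(base), hash_tree(acq))
```

The baseline hash list only has to be computed once per standard image and can be stored alongside it; the same `hash_tree` output is also what the "get forensics hash values of all files" step of a live acquisition produces.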
31 Network Logs
- Network logs record traffic in and out of the network
- Network servers, routers, firewalls record activities and events that move through them
- One way is to run tcpdump
- When viewing a network log, port information can give clues about suspicious activity
- Use a network analysis tool
32 Packet Sniffers
- Devices or software to monitor (sniff) traffic
- TCP/IP sniffers operate at the packet level; in the OSI model they operate at Layer 2 or 3 (i.e., the data link or network layers)
- Some sniffers perform packet captures, some perform analysis and some perform both
- Tools exist for examining (i) packets with certain flags set, (ii) email headers, (iii) IRC chats
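The NFAT analysis tasks (sessionizing captured traffic), the port clues from network logs and the flag checks of packet sniffers, brought together as one added example (not code from the slides or from any NFAT product): a parser for constructed tcpdump-style lines groups packets into bidirectional sessions and then reports sessions that never got a reply (SYN sent, no SYN-ACK) or that target ports a site policy watches. The line format, the watched-port list and the sample capture are all assumptions made for the example.

```python
"""Sessionize tcpdump-style log lines into flows and flag simple anomalies.

Hypothetical example for these notes, not part of any NFAT product. Input
lines are constructed to mimic tcpdump's one-line text output (timestamp,
IP, src.port > dst.port, TCP flags, length).
"""
import re

# Constructed capture: an SSH session, a web session, and a burst of SYNs from
# one host to several ports that are never answered.
SAMPLE_LOG = """\
12:00:01.000 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], length 0
12:00:01.001 IP 192.168.1.10.22 > 10.0.0.5.51234: Flags [S.], length 0
12:00:01.002 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [P.], length 48
12:00:01.050 IP 192.168.1.10.22 > 10.0.0.5.51234: Flags [P.], length 40
12:00:02.000 IP 10.0.0.7.40000 > 192.168.1.20.80: Flags [S], length 0
12:00:02.001 IP 192.168.1.20.80 > 10.0.0.7.40000: Flags [S.], length 0
12:00:02.002 IP 10.0.0.7.40000 > 192.168.1.20.80: Flags [P.], length 300
12:00:03.000 IP 10.0.0.9.33000 > 192.168.1.30.23: Flags [S], length 0
12:00:03.010 IP 10.0.0.9.33001 > 192.168.1.30.445: Flags [S], length 0
12:00:03.020 IP 10.0.0.9.33002 > 192.168.1.30.3389: Flags [S], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], length (?P<len>\d+)$"
)

# Constructed site policy: services whose use from the inside should be reviewed.
WATCHED_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}

def parse_line(line):
    """Return a dict for one tcpdump-style line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"], d["len"] = int(d["sport"]), int(d["dport"]), int(d["len"])
    return d

def sessionize(lines):
    """Group packets into bidirectional sessions keyed by the endpoint pair.

    The client is whichever side sent the first packet; both directions of a
    conversation land in the same session because the key is order-independent.
    """
    sessions = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        a, b = (pkt["sip"], pkt["sport"]), (pkt["dip"], pkt["dport"])
        key = tuple(sorted([a, b]))
        s = sessions.setdefault(key, {
            "client": a, "server": b, "packets": 0, "bytes": 0,
            "first": pkt["ts"], "last": pkt["ts"],
            "client_flags": set(), "server_flags": set(),
        })
        s["packets"] += 1
        s["bytes"] += pkt["len"]
        s["last"] = pkt["ts"]
        side = "client_flags" if a == s["client"] else "server_flags"
        s[side].add(pkt["flags"])
    return sessions

def find_anomalies(sessions):
    """Flag half-open sessions (SYN from the client, nothing back) and watched ports."""
    findings = []
    for s in sessions.values():
        (cip, cport), (sip, sport) = s["client"], s["server"]
        if "S" in s["client_flags"] and not s["server_flags"]:
            findings.append(f"half-open: {cip}:{cport} -> {sip}:{sport}")
        if sport in WATCHED_PORTS:
            findings.append(f"watched port {WATCHED_PORTS[sport]}: {cip} -> {sip}:{sport}")
    return sorted(findings)

def summarize(log_text=SAMPLE_LOG):
    """Session count plus the sorted list of findings for a capture."""
    sessions = sessionize(log_text.splitlines())
    return {"sessions": len(sessions), "findings": find_anomalies(sessions)}
```

Run on the constructed capture, the two real conversations produce no findings while the three unanswered SYNs from 10.0.0.9 each trip both checks; in a larger capture the same per-session records are what a "stop, look and listen" system would keep instead of the raw packets.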
33 Summary
- Network forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place
- Layered defense strategies for the network architecture
- Live acquisitions are needed to retrieve volatile items
- Standard procedures are needed to establish how to proceed after a network attack occurs
- By monitoring network traffic one can establish normal operations and then determine if there is an anomaly
- Network tools are used to monitor networks, but intruders can get admin rights and attack from the inside
- Tools are available for monitoring network traffic for both Windows and Linux systems
- The Honeynet Project enables people to learn the latest intrusion techniques
34 Links
- https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf
- http://www.cs.fsu.edu/yasinsac/Papers/MY01.pdf
- http://www.sandstorm.net/support/netintercept/downloads/ni-ieee.pdf
- http://www.giac.org/certified_professionals/practicals/gsec/2478.php
- http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf
- http://dfrws.org/2003/presentations/Brief-Casey.pdf
- http://delivery.acm.org/10.1145/1070000/1066749/p302-ren.pdf?key11066749key20512850911collGUIDEdlGUIDECFID36223233CFTOKEN49225512
- http://dfrws.org/
35 Application Forensics
- Email Forensics
- UTD work on email worm detection, revisited
- Mobile System Forensics
- Note: other application/system related forensics: database forensics, network forensics (already discussed)
- Military Forensics Overview
- Optional paper to read: http://www.mindswap.org/papers/Trust.pdf
36 Email Forensics
- Email Investigations
- Client/Server roles
- Email crimes and violations
- Email servers
- Email forensics tools
37 Email Investigations
- Types of email investigations
  - Emails that carry worms and viruses; suspicious emails
  - Checking emails in a crime, e.g., a homicide
- Types of suspicious emails
  - Phishing emails: they are in HTML format and redirect to suspicious web sites
  - Nigerian scam
  - Spoofing emails
38 Client/Server Roles
- Client-server architecture
  - Email servers run the email server programs; example: Microsoft Exchange Server
  - Email clients run the client program; example: Outlook
  - Identification/authentication is used for the client to access the server
- Intranet/Internet email servers
  - Intranet: local environment
  - Internet: public; examples: Yahoo, Hotmail etc.
39 Email Crimes and Violations
- Goal is to determine who is behind the crime, such as who sent the email
- Steps to email forensics
  - Examine the email message
  - Copy the email message; also forward the email
  - View and examine the email header; tools are available for Outlook and other email clients
  - Examine additional files such as address books
  - Trace the message using various Internet tools
  - Examine network logs (NetFlow analysis)
  - Note: UTD NetFlow tools (SCRUB) are in SourceForge
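The "view and examine the email header" step, as an added example (not code from the slides or from any email client): the Python standard library's `email` parser reads a constructed message, lists the Received hops from origin to destination, and flags the sender inconsistencies that commonly accompany a spoofed message (envelope sender, Message-ID domain and the origin host not matching the visible From). The message, addresses and IPs are all constructed from documentation ranges.

```python
"""List the Received hops of a message and flag simple sender inconsistencies.

Hypothetical example for these notes, not an Outlook or Exchange feature.
The raw message is constructed; hosts and addresses use documentation ranges.
"""
import email
import re
from email.utils import parseaddr

# Constructed message: the visible From claims bank.example, but the envelope
# sender, the Message-ID and the first Received hop say something else.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.corp.example (mx1.corp.example [203.0.113.10])
\tby mail.corp.example with ESMTP id abc123; Wed, 28 Sep 2011 10:02:03 -0500
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.5])
\tby mx1.corp.example with ESMTP id def456; Wed, 28 Sep 2011 10:02:01 -0500
Received: from unknown (HELO bank.example) (192.0.2.77)
\tby relay.mailer.example.net with SMTP; Wed, 28 Sep 2011 10:01:58 -0500
Message-ID: <20110928150158.1234@mailer.example.net>
From: "Account Services" <alerts@bank.example>
To: victim@corp.example
Subject: Action required

Please confirm your details.
"""

FROM_RE = re.compile(r"from\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(msg):
    """Hops oldest-first as (claimed sending host, first IP the receiver recorded).

    Each relay prepends its own Received header, so the list is reversed to
    read from the origin towards the final mailbox.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())        # unfold the header
        m = FROM_RE.search(text)
        ip = IP_RE.search(text)
        hops.append((m.group(1) if m else "?", ip.group(1) if ip else None))
    return hops

def sender_domains(msg):
    """Domain part of From, Return-Path and Message-ID (None when absent)."""
    def dom(value):
        addr = parseaddr(value or "")[1]
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None
    return {"from": dom(msg.get("From")),
            "return_path": dom(msg.get("Return-Path")),
            "message_id": dom(msg.get("Message-ID"))}

def examine(raw=RAW_MESSAGE):
    """Parse the message and return hops, sender domains, origin IP and warnings."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    doms = sender_domains(msg)
    flags = []
    if doms["return_path"] and doms["return_path"] != doms["from"]:
        flags.append("Return-Path domain differs from From domain")
    if doms["message_id"] and doms["message_id"] != doms["from"]:
        flags.append("Message-ID domain differs from From domain")
    if hops and hops[0][0].lower() == "unknown":
        flags.append("origin host did not reverse-resolve")
    return {"hops": hops, "domains": doms, "flags": flags,
            "origin_ip": hops[0][1] if hops else None}
```

Only the Received header added by your own mail server can be trusted outright; earlier hops were written by other systems and can be forged, which is why the origin IP found here is a lead to trace with the network tools and logs of the later steps, not a conclusion.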
40 Email Servers
- Need to work with the network administrator on how to retrieve messages from the server
- Understand how the server records and handles the messages
- How are the email logs created and stored?
- How are deleted email messages handled by the server? Are copies of the messages still kept?
- Chapter 12 discusses email servers by UNIX, Microsoft, Novell
41 Email Forensics Tools
- Several tools for Outlook Express, Eudora, Exchange, Lotus Notes
- Tools for log analysis, recovering deleted emails
- Examples
  - AccessData FTK
  - FINALeMAIL
  - EDBXtract
  - MailRecovery
42 Worm Detection: Introduction
- What are worms?
  - Self-replicating program; exploits a software vulnerability on a victim; remotely infects other victims
- Evil worms
  - Severe effect: the Code Red epidemic cost 2.6 billion
- Goals of worm detection
  - Real-time detection
- Issues
  - Substantial volume of identical traffic, random probing
- Methods for worm detection
  - Count number of sources/destinations; count number of failed connection attempts
- Worm types
  - Email worms, instant messaging worms, Internet worms, IRC worms, file-sharing network worms
- Automatic signature generation possible
  - EarlyBird system (S. Singh, UCSD), Autograph (H. Ah-Kim, CMU)
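The two counting heuristics named under "methods for worm detection", run over constructed connection records as an added example (not the EarlyBird or Autograph code and not from the slides): per source and per time window it counts distinct destinations and the share of failed connection attempts, which is what the "random probing" of a scanning worm looks like against a host doing normal work. Record layout, window size and thresholds are assumptions chosen for the example.

```python
"""Worm-detection heuristics: distinct destinations per source per window and
the ratio of failed connection attempts.

Hypothetical example for these notes (not EarlyBird or Autograph). Records are
constructed tuples (timestamp_seconds, src, dst, dport, outcome) with outcome
"ok" or "failed", as a firewall or flow log would provide.
"""
from collections import defaultdict

# Constructed records: one host doing ordinary work and one probing forty hosts
# on port 445 with most attempts failing.
RECORDS = [
    (0, "10.0.0.5", "192.168.1.10", 22, "ok"),
    (1, "10.0.0.5", "192.168.1.20", 80, "ok"),
    (2, "10.0.0.5", "192.168.1.10", 22, "ok"),
    (3, "10.0.0.5", "192.168.1.25", 443, "failed"),
] + [
    (t, "10.0.0.9", f"192.168.2.{t}", 445, "failed" if t % 5 else "ok")
    for t in range(1, 41)
]

def window_stats(records, window=30):
    """Per (source, window index): distinct destinations, failed and total attempts."""
    stats = defaultdict(lambda: {"dests": set(), "failed": 0, "total": 0})
    for ts, src, dst, _port, outcome in records:
        s = stats[(src, ts // window)]
        s["dests"].add(dst)
        s["total"] += 1
        if outcome == "failed":
            s["failed"] += 1
    return stats

def flag_sources(records, window=30, max_dests=20, max_fail_ratio=0.5, min_attempts=5):
    """Sources whose activity in any window exceeds either threshold, with reasons.

    The thresholds are constructed for this example; in practice they come from
    a baseline of the site's normal traffic.
    """
    alerts = {}
    for (src, w), s in window_stats(records, window).items():
        reasons = []
        if len(s["dests"]) > max_dests:
            reasons.append(f"{len(s['dests'])} distinct destinations in window {w}")
        ratio = s["failed"] / s["total"]
        if s["total"] >= min_attempts and ratio > max_fail_ratio:
            reasons.append(f"{ratio:.0%} failed connections in window {w}")
        if reasons:
            alerts.setdefault(src, []).extend(reasons)
    return alerts
```

The `min_attempts` guard keeps a host with one or two failed connections from being reported on the ratio rule alone; the destination-count rule catches the scan even when most probes happen to succeed.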
43 Email Worm Detection using Data Mining
Task: given some training instances of both normal and viral emails, induce a hypothesis to detect viral emails.
We used Naïve Bayes and SVM.
[Figure: outgoing emails -> feature extraction -> classifier (machine learning on training data; the model applied to test data) -> clean or infected?]
44 Assumptions
- Features are based on outgoing emails.
- Different users have different normal behaviour.
- Analysis should be on a per-user basis.
- Two groups of features
  - Per email (number of attachments, HTML in body, text/binary attachments)
  - Per window (mean words in body, variance of words in subject)
- Total of 24 features identified
- Goal: identify normal and viral emails based on these features
45 Feature Sets
- Per email features
  - Binary valued features
    - Presence of HTML; script tags/attributes; embedded images; hyperlinks
    - Presence of binary, text attachments; MIME types of file attachments
  - Continuous-valued features
    - Number of attachments; number of words/characters in the subject and body
- Per window features
  - Number of emails sent; number of unique email recipients; number of unique sender addresses; average number of words/characters per subject, body; average word length; variance in number of words/characters per subject, body; variance in word length
  - Ratio of emails with attachments
46 Data Mining Approach
[Figure: a test instance is passed through the Naïve Bayes and SVM classifiers, each answering clean? / infected?, to produce the final clean/infected label.]
47 Data Set
- Collected from UC Berkeley.
- Contains instances for both normal and viral emails.
- Six worm types
  - bagle.f, bubbleboy, mydoom.m, mydoom.u, netsky.d, sobig.f
- Originally six sets of data
  - training instances: normal (400), five worms (5 x 200)
  - testing instances: normal (1200), the sixth worm (200)
- Problem: not balanced, no cross validation reported
- Solution: re-arrange the data and apply cross-validation
48 Our Implementation and Analysis
- Implementation
  - Naïve Bayes: assume normal distribution of numeric and real data; smoothing applied
  - SVM with the parameter settings: one-class SVM with the radial basis function using gamma = 0.015 and nu = 0.1.
- Analysis
  - NB alone performs better than other techniques
  - SVM alone also performs better if parameters are set correctly
  - mydoom.m and VBS.Bubbleboy data sets are not sufficient (very low detection accuracy in all classifiers)
  - The feature-based approach seems to be useful only when we have
    - identified the relevant features
    - gathered enough training data
    - implemented classifiers with the best parameter settings
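The per-email and per-window features from the feature-set slide and the Naïve Bayes setting from the implementation slide (normal distribution per feature, smoothing), as one added example that is not the UTD classifier and does not use its UC Berkeley data: a handful of constructed outgoing emails, a feature extractor for a subset of the listed features, and a small Gaussian Naïve Bayes written without sklearn so the smoothing (a variance floor) is visible. Email layout and the constructed training set are assumptions.

```python
"""Per-email and per-window features feeding a Gaussian Naïve Bayes with
variance smoothing.

Hypothetical example for these notes, not the UTD classifier or its data set.
An email is a dict with subject, body, to and attachments (a list of MIME
types); all emails below are constructed.
"""
import math
import re
from statistics import mean, pvariance

def email_features(msg):
    """Per-email features: binary (HTML, script, binary attachment) and
    continuous (attachment count, subject/body word counts, mean word length)."""
    body = msg["body"]
    words = body.split()
    return [
        1.0 if re.search(r"<html", body, re.I) else 0.0,
        1.0 if re.search(r"<script", body, re.I) else 0.0,
        1.0 if any(m.startswith("application/") for m in msg["attachments"]) else 0.0,
        float(len(msg["attachments"])),
        float(len(msg["subject"].split())),
        float(len(words)),
        mean(len(w) for w in words) if words else 0.0,
    ]

def window_features(msgs):
    """Per-window features over one user's consecutive outgoing emails."""
    body_words = [len(m["body"].split()) for m in msgs]
    subj_words = [len(m["subject"].split()) for m in msgs]
    recipients = {r for m in msgs for r in m["to"]}
    return [
        float(len(msgs)), float(len(recipients)),
        mean(body_words), pvariance(body_words),
        mean(subj_words), pvariance(subj_words),
        sum(1 for m in msgs if m["attachments"]) / len(msgs),  # ratio with attachments
    ]

class GaussianNB:
    """Each feature is modelled as normal per class; var_floor is the smoothing
    that keeps zero-variance binary features from producing infinite scores."""
    def __init__(self, var_floor=0.01):
        self.var_floor = var_floor
        self.params = {}  # label -> (prior, means, variances)

    def fit(self, X, y):
        for label in set(y):
            rows = [x for x, lab in zip(X, y) if lab == label]
            cols = list(zip(*rows))
            self.params[label] = (len(rows) / len(X),
                                  [mean(c) for c in cols],
                                  [pvariance(c) + self.var_floor for c in cols])
        return self

    def log_score(self, x, label):
        prior, means, variances = self.params[label]
        score = math.log(prior)
        for xi, mu, var in zip(x, means, variances):
            score += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
        return score

    def predict(self, x):
        return max(self.params, key=lambda label: self.log_score(x, label))

def make_email(subject, body, attachments=(), to=("a@example.org",)):
    return {"subject": subject, "body": body, "attachments": list(attachments), "to": list(to)}

# Constructed training set: one user's normal mail versus worm-generated mail.
CLEAN = [
    make_email("lunch today?", "Are you free for lunch at noon? Let me know."),
    make_email("report draft", "Attached is the draft we discussed yesterday, comments welcome.", ["application/pdf"]),
    make_email("re: meeting", "Works for me, see you at three in the small room."),
    make_email("photos", "Here are the photos from the weekend trip.", ["image/jpeg"]),
]
INFECTED = [
    make_email("hi", "<html><body>see attached file</body></html>", ["application/x-msdownload"]),
    make_email("important", "<html><script>x()</script>open it now</html>", ["application/zip"]),
    make_email("document", "<html>your document</html>", ["application/x-msdownload"]),
    make_email("hello", "<html><body>check this out please</body></html>", ["application/zip"]),
]

def train_and_classify(test_msg):
    """Train on the constructed set and label one new outgoing email."""
    X = [email_features(m) for m in CLEAN + INFECTED]
    y = ["clean"] * len(CLEAN) + len(INFECTED) * ["infected"]
    return GaussianNB().fit(X, y).predict(email_features(test_msg))
```

With four examples per class the variance of every binary feature is zero inside a class, so without the floor a single mismatched bit would give a likelihood of exactly zero; the per-window features are what makes the analysis per-user, since a burst of mail to many unique recipients is normal for one account and not for another.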
49 Mobile Device/System Forensics
- Mobile device forensics overview
- Acquisition procedures
- Summary
50 Mobile Device Forensics Overview
- What is stored in cell phones
  - Incoming/outgoing/missed calls
  - Text messages
  - Short messages
  - Instant messaging logs
  - Web pages
  - Pictures
  - Calendars
  - Address books
  - Music files
  - Voice records
51 Mobile Phones
- Multiple generations
  - Analog, digital personal communications, third generation (increased bandwidth and other features)
- Digital networks
  - CDMA, GSM, TDMA, ...
- Proprietary OSs
- SIM cards (Subscriber Identity Module)
  - Identifies the subscriber to the network
  - Stores personal information, address books, etc.
- PDAs (Personal Digital Assistant)
  - Combine mobile phone and laptop technologies
52 Acquisition Procedures
- Mobile devices have volatile memory, so need to retrieve RAM before losing power
- Isolate the device from incoming signals
- Store the device in a special bag
- Need to carry out forensics in a special lab (e.g., SAIAL)
- Examine the following
  - Internal memory, SIM card, other external memory cards, system server; also may need information from the service provider to determine the location of the person who made the call
53 Mobile Forensics Tools
- Reads SIM card files
- Analyze file content (text messages etc.)
- Recovers deleted messages
- Manages PIN codes
- Generates reports
- Archives files with MD5, SHA-1 hash values
- Exports data to files
- Supports international character sets
54 Information Warfare
- Information Warfare
- Defensive Strategies for Government and Industry
- Military Tactics
- Terrorism and Information Warfare
- Tactics of Private Corporations
- Future IW strategies
- Surveillance Tools
- The Victims of Information Warfare
- Military Forensics
- Relevant Papers
55 What is Information Warfare?
- Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. Information warfare may involve collection of tactical information, assurance that one's own information is valid, spreading of propaganda or disinformation to demoralize the enemy and the public, undermining the quality of opposing force information and denial of information collection opportunities to opposing forces.
- http://en.wikipedia.org/wiki/Information_warfare
56 Defensive Strategies for Government and Industry
- Are US and foreign governments prepared for information warfare?
- According to John Vacca, the US will be most affected, with 60% of the world's computing power
- Stealing sensitive information as well as critical information to cripple an economy (e.g., financial information)
- What have industry groups done?
  - IT-ISAC (Information Technology Information Sharing and Analysis Center)
- Will strategic diplomacy help with information warfare?
- Educating the end user is critical according to John Vacca
57 Defensive Strategies for Government and Industry
- What are international organizations?
  - Think tanks and research agencies
- The book cites several countries from Belarus to Taiwan engaged in economic espionage and information warfare
- Risk-based analysis
- Military alliances
  - Coalition forces (US, UK, Canada, Australia) have regular meetings on information warfare
- Legal implications
  - Strong parallels between national security and cyber security
58 Military Tactics
- Supporting technologies
  - Agents, XML, human computer interaction
- Military tactics
  - Planning, security, intelligence
- Tools
  - Offensive ruinous IW tools
    - Launching massive distributed denial of service attacks
  - Offensive containment IW tools
    - Operations security, military deception, psychological operations, electronic warfare (use of electromagnetic energy), targeting: disable the enemy's C2 (command and control) system and capability
59 Military Tactics
- Tools (continued)
  - Defensive preventive IW tools
    - Monitor networks
  - Defensive ruinous IW tools
    - Information operations
  - Defensive responsive containment IW tools
    - Handle hacking, viruses
- Other aspects
  - Dealing with sustained terrorist IW tactics, dealing with random terrorist IW tactics
60 Terrorism and Information Warfare
- Terrorists are using the web to carry out terrorism activities
- What are the profiles of terrorists? Are they computer literate?
- Hacker controlled tanks, planes and warships
- Is there a cyber underground network?
- What are their tools?
  - Information weapons, HERF gun (high power radio energy at an electronic target), electromagnetic pulse, electric power disruptive technologies
- Why are they hard to track down?
  - Need super forensics tools
61 Tactics of Private Corporations
- Defensive tactics
  - Open source intelligence, gather business intelligence
- Offensive tactics
  - Packet sniffing, Trojan horse etc.
- Prevention tactics
  - Security techniques such as encryption
- Survival tactics
  - Forensics tools
62 Future IW Tactics
- Electromagnetic bomb
  - Technology, targeting and delivery
- Improved conventional methods
  - Virus, worms, trap doors, Trojan horse
- Global positioning systems
- Nanotechnology developments
  - Nano bombs
63 Surveillance Tools
- Data emanating from sensors
  - Video data, surveillance data
- Data has to be analyzed
  - Monitoring suspicious events
- Data mining
  - Determining events/activities that are abnormal
- Biometrics technologies
- Privacy is a concern
64 Victims of Information Warfare
- Loss of money and funds
- Loss of shelter, food and water
- Spread of disease
- Identity theft
- Privacy violations
- Death and destruction
- Note: computers can be hacked to lose money and identity; computers can be used to commit a crime resulting in death and destruction
65 Military Forensics
- CFX-2000: Computer Forensics Experiment 2000
  - Information Directorate (AFRL) partnership with NIJ/NLECTC
  - Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework
  - Tools included commercial products and research prototypes
- http://www.afrlhorizons.com/Briefs/June01/IF0016.html
- http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf
66 Digital Forensics
- Dr. Bhavani Thuraisingham
- The University of Texas at Dallas
- Appendix
- Social Network Analysis and Forensics
- October 8, 2010