Digital Forensics - PowerPoint PPT Presentation

Slides: 40
Provided by: chrisc8

Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Information Warfare
  • and Military Forensics
  • November 19, 2008

  • Information Warfare
  • Defensive Strategies for Government and Industry
  • Military Tactics
  • Terrorism and Information Warfare
  • Tactics of Private Corporations
  • Future IW strategies
  • Surveillance Tools
  • The Victims of Information Warfare
  • Military Forensics
  • Relevant Papers

What is Information Warfare?
  • Information warfare is the use and management of
    information in pursuit of a competitive advantage
    over an opponent. Information warfare may involve
    collection of tactical information, assurance
    that one's own information is valid, spreading of
    propaganda or disinformation to demoralize the
    enemy and the public, undermining the quality of
    opposing force information and denial of
    information collection opportunities to opposing
  • http//

Defensive Strategies for Government and Industry
  • Are US and foreign governments prepared for
    Information Warfare?
  • According to John Vacca, the US will be most affected,
    with 60% of the world's computing power
  • Stealing sensitive information as well as
    critical information to cripple an economy
    (e.g., financial information)
  • What have industry groups done?
  • IT-SAC: Information Technology Information
    Sharing and Analysis
  • Will strategic diplomacy help with Information
  • Educating the end user is critical according to
    John Vacca

Defensive Strategies for Government and Industry
  • What are the international organizations?
  • Think tanks and research agencies
  • The book cites several countries from Belarus to
    Taiwan engaged in economic espionage and
    Information Warfare
  • Risk-based analysis
  • Military alliances
  • Coalition forces (US, UK, Canada, Australia) have
    regular meetings on Information Warfare
  • Legal implications
  • Strong parallels between national security and
    cyber security

Military Tactics
  • Supporting Technologies
  • Agents, XML, Human Computer Interaction
  • Military tactics
  • Planning, Security, Intelligence
  • Tools
  • Offensive Ruinous IW tools
  • Launching massive distributed denial of service
  • Offensive Containment IW tools
  • Operations security, Military deception,
    Psychological operations, Electronic warfare (use
    electromagnetic energy), Targeting: Disable
    enemy's C2 (command and control) system and

Military Tactics
  • Tools (continued)
  • Defensive Preventive IW Tools
  • Monitor networks
  • Defensive Ruinous IW tools
  • Information operations
  • Defensive Responsive Containment IW tools
  • Handle hacking, viruses.
  • Other aspects
  • Dealing with sustained terrorist IW tactics,
    Dealing with random terrorist IW tactics

Terrorism and Information Warfare
  • Terrorists are using the web to carry out
    terrorism activities
  • What are the profiles of terrorists? Are they
    computer literate?
  • Hacker controlled tanks, planes and warships
  • Is there a Cyber underground network?
  • What are their tools?
  • Information weapons, HERF gun (high power radio
    energy at an electronic target), Electromagnetic
    pulse. Electric power disruptive technologies
  • Why are they hard to track down?
  • Need super forensics tools

Tactics of Private Corporations
  • Defensive tactics
  • Open source intelligence, gather business
  • Offensive tactics
  • Packet sniffing, Trojan horses, etc.
  • Prevention tactics
  • Security techniques such as encryption
  • Survival tactics
  • Forensics tools

Future IW Tactics
  • Electromagnetic bomb
  • Technology, targeting and delivery
  • Improved conventional method
  • Virus, worms, trap doors, Trojan horse
  • Global positioning systems
  • Nanotechnology developments
  • Nano bombs

Surveillance Tools
  • Data emanating from sensors
  • Video data, surveillance data
  • Data has to be analyzed
  • Monitoring suspicious events
  • Data mining
  • Determining events/activities that are abnormal
  • Biometrics technologies
  • Privacy is a concern

Victims of Information Warfare
  • Loss of money and funds
  • Loss of shelter, food and water
  • Spread of disease
  • Identity theft
  • Privacy violations
  • Death and destruction
  • Note: computers can be hacked to lose money and
    identity; computers can be used to commit a crime
    resulting in death and destruction

Military Forensics
  • CFX-2000: Computer Forensics Experiment 2000
  • Information Directorate (AFRL) partnership with
  • Hypothesis: it is possible to determine the motives,
    intent, targets, sophistication, identity and
    location of cyber terrorists by deploying an
    integrated forensics analysis framework
  • Tools included commercial products and research
    prototypes
  • http//
  • http//

Relevant Papers
  • 1. Cyber Forensics: a Military Perspective
  • 2. Danilo Bruschi, Mattia Monga, Università
    degli Studi di Milano: How to Reuse Knowledge
    about Forensic
  • http//
  • 3. John Lowry, BBN Systems: Adversary Modeling to
    Develop Forensic Observables
  • http//
  • 4. Dr. Golden G. Richard III, University of New
    Orleans, New Orleans, LA: Breaking the
    Performance Wall: The Case for Distributed
    Digital Forensics
  • http//

Abstract of Paper 1
  • This paper discusses some of the unique military
    requirements and challenges in Cyber Forensics. A
    definition of Cyber Forensics is presented in a
    military context. Capabilities needed to perform
    cyber forensic analysis in a networked
    environment are discussed, along with a list of
    current shortcomings in providing these
    capabilities and a technology needs list.
    Finally, it is shown how these technologies and
    capabilities are transferable to civilian law
    enforcement, critical infrastructure protection,
    and industry.

  • The exploration and application of
    scientifically proven methods to gather, process,
    interpret, and utilize digital evidence in order
  • Provide a conclusive description of all
    cyber-attack activities for the purpose of
    complete post-attack enterprise and critical
    infrastructure information restoration
  • Correlate, interpret, and predict adversarial
    actions and their impact on planned military
  • Make digital data suitable and persuasive for
    introduction into a criminal investigative

Military Needs
  • Data protection: When a candidate digital
    information source is identified, measures must
    be put in place to prevent the information from
    being destroyed or becoming unavailable.
  • Data acquisition: The general practice of
    transferring data from a venue out of physical or
    administrative control of the investigator, into
    a controlled location.
  • Imaging: The creation of a bit-for-bit copy of
    seized data for the purposes of providing an
    indelible facsimile upon which multiple analyses
    may be performed, without fear of corrupting the
    original dataset.
  • Extraction: The identification and separating
    of potentially useful data from the imaged
    dataset. This encompasses the recovery of
    damaged, corrupted, or destroyed data, or data
    that has been manipulated algorithmically to
    prevent its detection (e.g. encryption or

Military Needs
  • Interrogation: The querying of extracted data
    to determine if a priori indicators or
    relationships exist in the data. Examples include
    looking for known telephone numbers, IP
    addresses, and names of individuals.
  • Ingestion/normalization: The storage and
    transfer of extracted data in a format or
    nomenclature that is easily or commonly
    understood by investigators. This could include
    the conversion of hexadecimal or binary
    information into readable characters, conversion
    of data to another ASCII language set, or
    conversion to a format that can be input into
    another data analysis tool.
  • Analysis: The fusion, correlation, graphing,
    mapping, or timelining of data to determine
    possible relationships within the data, and to
    develop investigative hypotheses.
  • Reporting: The presentation of analyzed data
    in a persuasive and evident form to a human
    investigator or military commander.
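The chain above, from imaging through extraction, interrogation and normalization, run end to end over a small constructed byte string standing in for seized media: an added Python example, not code from the paper or the presentation. The indicator patterns, the CSV record format and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import re

# Constructed sample of "seized media" (not a real image): readable fragments
# holding a phone number, an IP address and a name, buried in binary noise.
ORIGINAL_MEDIA = (
    b"\x00\x10MZ\x90\x00"
    + b"call 555-0142 tonight\x00\x00"
    + b"\xff\xfe" * 8
    + b"connect 192.0.2.44 port 4444\x00"
    + b"\x00meet Mr. Black at dock 7\x00"
    + b"\x7f\x00" * 6
)

# Imaging: a bit-for-bit copy, plus a hash of the original so every later
# analysis can prove it worked on an unaltered facsimile.
def image_media(original: bytes) -> tuple[bytes, str]:
    return bytes(original), hashlib.sha256(original).hexdigest()

def verify_image(image: bytes, expected_sha256: str) -> bool:
    return hashlib.sha256(image).hexdigest() == expected_sha256

# Extraction: recover printable ASCII runs (a minimal "strings" pass),
# keeping the byte offset of each run inside the image.
def extract_strings(image: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    pattern = rb"[ -~]{" + str(min_len).encode() + rb",}"
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]

# Interrogation: query the extracted data for a priori indicators
# (telephone numbers, IP addresses, names of individuals). Assumed patterns.
INDICATORS = {
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "name": re.compile(r"\bMr\. [A-Z][a-z]+\b"),
}

def interrogate(strings: list[tuple[int, str]]) -> list[dict]:
    hits = []
    for offset, text in strings:
        for kind, regex in INDICATORS.items():
            for m in regex.finditer(text):
                hits.append({"kind": kind, "value": m.group(),
                             "offset": offset + m.start(), "context": text})
    return sorted(hits, key=lambda h: h["offset"])

# Ingestion/normalization: emit every hit in one tool-neutral record format
# (here CSV with hexadecimal offsets) that another analysis tool can ingest.
def normalize(hits: list[dict]) -> list[str]:
    return ["kind,offset,value"] + [
        f"{h['kind']},0x{h['offset']:08x},{h['value']}" for h in hits]

def run_pipeline(original: bytes) -> list[str]:
    image, digest = image_media(original)
    if not verify_image(image, digest):
        raise RuntimeError("image does not match original; stop before analysis")
    return normalize(interrogate(extract_strings(image)))

if __name__ == "__main__":
    print("\n".join(run_pipeline(ORIGINAL_MEDIA)))
```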

Areas of Focus
  • A major issue in this area is how to rapidly
    collect and normalize digital evidence from a
    variety of sources including firewalls, hosts,
    network management systems, and routers. The
    information that is collected could then be used
    to predict or anticipate adversarial actions,
    understand the current state of affairs, and help
    in determining appropriate courses-of-action.
  • Perform work that allows us to detect data hidden
    within network traffic. The hidden data problem
    is especially insidious. The art of hiding data
    is called steganography, which means covered
  • Database forensic analysis. We need to be able to
    reconstruct past events and trace evidence to
    indicate data destruction, reconstitution of
    damaged or destroyed databases or their schemas,
    and direct attacks on the DBMS's security
    mechanism to gain privileges to a database or the
    operating system.

Areas of Focus
  • Distributed intelligent forensic agents
    Distributed intelligent forensic agents would be
    small, lightweight programs that are launched
    from an agent control center whenever a
    suspicious event is identified. These agents
    would then gather the appropriate digital
    evidence and return the evidence to central
    control for further analysis by other tools.
  • Trusted timestamps have to be considered when
    performing network-based cyber forensics. In
    order to properly timeline events over a
    distributed network system, events collected at
    each appliance or node need to be properly
  • The proliferation of cellular and wireless
    hand-held devices presents a unique challenge to
    the forensic examiner. Unlike a wired network in
    which investigation of a cyber attack eventually
    leads to tracing the attack back to a physical
    location, a wireless information attack does not
    require physical access to the medium being

Areas of Focus
  • Quick views of seized media are a focus area.
    Current approaches to analyze the entire hard
    drive can take many months. For the purpose of
    quickly restoring operations, an Operating System
    Hash Library could be constructed to fingerprint
    hash values of operating system files of properly
    configured software.
  • Multi-lingual analysis of storage media is
    important. No longer is the cyber world one which
    is utilized primarily by English-speaking
    citizens. An automated means that can translate
    the recovered data or at least indicate a
    probable language set is vital to the timely
    processing of cyber attacks posed by non-English
    speaking citizens and foreign nationals.
  • Finally, there needs to be a uniform standard for
    the development and testing of forensic tools.
    There need to be metrics established that help
    determine the extent that a software or hardware
    tool performs a particular forensic function, and
    the associated error rate with that process.
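The Operating System Hash Library idea, worked through in added Python (not the paper's or the presentation's code): a reference build is fingerprinted once, then seized media is triaged by hash so only files that differ from the reference need deep analysis. The reference files, the seized files and the extra "relocated" category (an unknown path whose contents equal a known OS file) are assumptions made for the example.

```python
import hashlib

# Constructed reference installation of a "properly configured" OS build:
# path -> file contents. A real library would be built from pristine install media.
KNOWN_GOOD_FILES = {
    "/bin/ls": b"\x7fELF ls binary (constructed reference contents)",
    "/bin/ps": b"\x7fELF ps binary (constructed reference contents)",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}

# Constructed seized media: one OS file intact, one altered, one reference file
# absent, an unknown file, and a byte-identical copy of an OS binary in an odd place.
SEIZED_MEDIA = {
    "/bin/ls": KNOWN_GOOD_FILES["/bin/ls"],
    "/bin/ps": b"\x7fELF ps binary (constructed contents, altered)",
    "/tmp/.x": b"unknown payload (constructed)",
    "/var/tmp/ps_copy": KNOWN_GOOD_FILES["/bin/ps"],
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_hash_library(reference: dict[str, bytes]) -> dict[str, str]:
    """Fingerprint every file of the reference build: path -> SHA-256."""
    return {path: sha256(data) for path, data in reference.items()}

def quick_view(seized: dict[str, bytes], library: dict[str, str]) -> dict[str, list[str]]:
    """Triage seized media against the hash library.

    unchanged: hash matches the library entry for the same path
    modified:  known OS path whose contents no longer match the library
    relocated: unknown path whose contents equal a library file ('path=original')
    unknown:   neither path nor hash is in the library; needs analyst attention
    missing:   library file absent from the seized media
    """
    by_hash = {digest: path for path, digest in library.items()}   # reverse index
    report = {k: [] for k in ("unchanged", "modified", "relocated", "unknown", "missing")}
    for path in sorted(seized):
        digest = sha256(seized[path])
        if path in library:
            report["unchanged" if digest == library[path] else "modified"].append(path)
        elif digest in by_hash:
            report["relocated"].append(f"{path}={by_hash[digest]}")
        else:
            report["unknown"].append(path)
    report["missing"] = sorted(set(library) - set(seized))
    return report

def files_needing_analysis(report: dict[str, list[str]]) -> list[str]:
    """Only modified, relocated and unknown files need deep analysis; the rest are
    cleared by hash alone, which is what makes the view quick."""
    return report["modified"] + report["relocated"] + report["unknown"]

if __name__ == "__main__":
    rep = quick_view(SEIZED_MEDIA, build_hash_library(KNOWN_GOOD_FILES))
    for category, paths in rep.items():
        print(f"{category:10s} {paths}")
```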

Abstract of Paper 2
  • When detectives perform investigations they
    manage a huge amount of information, they make
    use of specialized skills and analyze a wide
    knowledge base of evidence. Most of the work is
    not explicitly recorded and this hurdles external
    reviews and training. In this paper we propose a
    model able to organize forensic knowledge in a
    reusable way. Thus, past experience may be used
    to train new personnel, to foster knowledge
    sharing among detective communities and to expose
    collected information to quality assessment by
    third parties.

  • Introduction
  • Framework
  • Model and Reasoning
  • Example
  • Directions

  • Problems
  • evidence might be easily and voluntarily erased
  • evidence might be easily and voluntarily forged
    (i.e., false evidence might be created)
  • evidence might be altered accidentally by daily
    activities (i.e., the everyday use of a system
    might damage evidence)
  • evidence at different abstraction layers has
    different meanings and properties (e.g., an HTML
    document may be considered formatted text, or a
    sequence of ASCII characters, or a set of blocks
    in the file system structure)
  • Solutions
  • produce reusable forensic knowledge to be used as
    support during investigations
  • organize past experience to foster knowledge
    sharing among forensic experts
  • record collected information in a way that eases
    quality assessment.

  • Investigative process
  • formulate hypotheses on the state of the world
    that caused the case
  • collect evidence on the basis of these hypotheses
  • correlate actual evidence with the hypotheses
  • adjust the hypotheses, and repeat the process
    until the consistency state of the knowledge
    about the case is high.
  • Framework
  • Evidence: nothing that is not clear and evident
    can be accepted.
  • Analysis: a problem that cannot be faced all at
    once should be decomposed into easier parts.
  • Synthesis: a decomposed problem has to be
    recomposed, but only after every part has been
    verified through detailed observations and
  • Enumeration: the whole process has to be reviewed
    to evaluate the soundness and completeness of the
    generalizations involved. Moreover, a careful
    revision is needed to ascertain the absence of
    errors and misinterpretations.

Model and Reasoning
  • A graph is used to represent all the knowledge
    acquired over time.
  • Hypotheses and evidence are expressed in natural
  • To better illustrate the inductive reasoning used
    to prove or disprove a hypothesis, a graphical
    formalism is used
  • Example: hypotheses are represented by squares,
    evidence-collecting tests by circles, and the
    weight of evidence by a label on the edge linking
    evidence to hypotheses.

  • During a chat session a user has been caught
    spreading an offensive picture. After a
    preliminary investigation Mr. Black fell under
    suspicion. He has been accused because the
    address used by the sender to transmit the
    images was, at that moment, assigned to him.
  • In the preliminary phase the detective, starting
    from the file received and the address of the
    sender, comes to identify Mr. Black as the
    criminal. Mr. Black's computer has been seized
    for further analysis.
  • The paper formulates the root hypothesis and
    applies the reasoning method described.
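The hypothesis/test graph of the formalism above (squares, circles, weighted edges), applied to a constructed decomposition of the Mr. Black case: an added Python example, not the paper's model or its actual case graph. The sub-hypotheses, tests, edge weights, test results and scoring rule are all assumptions made for the illustration; a sub-hypothesis such as the address-assignment one is the kind of sub-graph the paper says can be reused in unrelated cases.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class EvidenceTest:
    """An evidence-collecting test (a circle). weight is the label on the edge to
    its hypothesis: positive means a positive result supports the hypothesis,
    negative means a positive result undermines it. Assumed scoring convention."""
    name: str
    weight: float
    result: Optional[bool] = None     # None: test not yet performed

@dataclass
class Hypothesis:
    """A hypothesis (a square), decomposed into sub-hypotheses and tied to tests."""
    name: str
    tests: list = field(default_factory=list)
    children: list = field(default_factory=list)

def support(h: Hypothesis) -> float:
    """Weight of evidence for h in [-1, 1]; 0 when nothing has been checked yet.
    Performed tests form a weighted vote, averaged with the support of each
    sub-hypothesis (the synthesis step: recompose only verified parts)."""
    scores = []
    done = [t for t in h.tests if t.result is not None]
    if done:
        vote = sum(t.weight * (1 if t.result else -1) for t in done)
        scores.append(vote / sum(abs(t.weight) for t in done))
    scores.extend(support(c) for c in h.children)
    return sum(scores) / len(scores) if scores else 0.0

def _pending(h: Hypothesis) -> list:
    items = [(abs(t.weight), t.name) for t in h.tests if t.result is None]
    for c in h.children:
        items.extend(_pending(c))
    return items

def open_tests(h: Hypothesis) -> list:
    """Tests still to run anywhere under h, most informative (largest |weight|)
    first: the guidance a less experienced detective gets from the recorded graph."""
    return [name for _, name in sorted(_pending(h), reverse=True)]

# Constructed decomposition of the Mr. Black case (not the paper's own graph).
def mr_black_case() -> Hypothesis:
    address = Hypothesis("Sender address was assigned to Mr. Black at that moment", tests=[
        EvidenceTest("ISP assignment log ties the address to Mr. Black's line", 0.9, True)])
    machine = Hypothesis("The picture was sent from the seized computer", tests=[
        EvidenceTest("Copy of the picture recovered from the seized disk", 0.7, True),
        EvidenceTest("Chat client log on the disk records the transfer", 0.8)])
    operator = Hypothesis("Mr. Black was the person at the keyboard", tests=[
        EvidenceTest("Other people had access to the computer at that time", -0.6, True),
        EvidenceTest("Login records show Mr. Black's account was active", 0.4, True)])
    return Hypothesis("Mr. Black transmitted the offensive picture",
                      children=[address, machine, operator])

if __name__ == "__main__":
    case = mr_black_case()
    print(f"support for root hypothesis: {support(case):.2f}")
    print("collect next:", open_tests(case))
```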

  • Producing reusable knowledge, since forensic
    (sub-)graphs can be exploited to generate
    completely unrelated case graphs
  • Structuring argumentation from evidence to
    prosecution hypotheses, since a graphical
    representation of the structure of the hypothesis
    space and the evidence support that was collected
    may convey, even at a glimpse, the global
    soundness and completeness of the information
  • Guiding less skilled detectives during evidence
    collection, since the highly specialized
    knowledge of experts in a field can be shared,
    thanks to its recording in a structured fashion.

Abstract of Paper 3
  • Observables of malicious behavior in the cyber
    realm are derived from intuition or analysis of
    previous (a-posteriori) events. This creates an
    untenable situation where cyber defenders are
    unprepared for novel attacks or malicious
    behaviors particularly those expected to be
    used by sophisticated adversaries. Development of
    a complete theory of observables with a
    particular focus on development of a-priori
    observables is critical to defend against
    computer network attack and computer network
    exploitation. Monitoring of a-priori observables
    will greatly assist in the areas of indications
    and warnings and attack sensing and warning.
    Forensic development and analysis of a-priori
    observables is critical to determine the type of
    adversary, adversary mission, and ultimately

  • Introduction
  • Threat Model
  • Types of Adversaries
  • Process Model
  • Adversaries and Forensics
  • Directions

  • The current sets of cyber observables are
    developed after an attack or event takes place.
    These are termed a-posteriori observables because
    they follow the pattern event-analysis-observable
  • Properly specified, these observables will catch
    most or all repeat events or new events that use
    the same techniques.
  • These observables have no value in identifying
    new types of events or novel variations of known
    events. Since the vulnerability space is huge,
    defenders are forced into a responsive mode of
  • What is needed is an additional set of
    observables that will permit the detection and
    analysis of novel events and attacks. These must
    be developed a-priori and follow the pattern of

Threat Model
  • Any threat model must start with analysis of
    adversary behavior and incorporate sufficient
    knowledge of the defended system.
  • For development of a-posteriori observables, real
    behaviors and real systems are used. For
    development of a-priori observables, hypothetical
    or potential adversarial behavior is modeled.
  • Cyber-adversaries have goals and objectives.
    There is a reason why the defender's system is
    under attack.
  • Cyber-adversaries have resource limitations.
  • Cyber-adversaries engage in mission planning,
    practice, development and testing
  • Cyber-adversaries translate their behavior into
    the world of computers and networks.

Types of Adversaries Example
  • Class IV: First-world and certain second-world
    countries, including military and intelligence
    agencies. Future terrorist organizations. Future
    organized criminal groups. Some types of insider.
  • Class III: Almost every country not in the Class
    IV category. Some terrorist organizations. Some
    organized criminal groups. Some types of insider.
    Some types of radical organizations.
  • Class II: A very few countries. Many terrorist
    organizations. Many organized criminal groups.
    Many types of insider. Many types of radical
    groups. Very expert hackers and hacker
  • Class I: Some terrorist organizations. Some
    organized criminal groups. Many types of insider.
    Many types of radical groups. Beginner to
    journeyman hackers.

Process Model
  • The process model shows a high-level process
    model of adversary behavior. However, it can be
    expected that a Class IV adversary will engage in
    a much more detailed set of behaviors.
  • There is a strategic set of goals followed by
    assignment of missions and mission objectives.
  • The adversary's strategic planning can be
    represented in a Warnier/Orr diagram. The goal is
    to identify effects that can be achieved, i.e.,
    to identify the top-level opportunities and
    resources available to carry out the strategic
  • Behavior: The adversary will study their enemy to
    determine what they have in place and how they
    operate. The adversary will develop a list of
    desired effects that the adversary wishes to have
    on their enemy. The adversary also takes an
    initial, high-level cut at the targets of

Adversaries and Forensics
  • The discipline of computer forensics has been
    largely focused on the development of a set of
    tools and procedures.
  • However, the majority of efforts have remained at
    this level and not progressed to meet the
    challenge of Class III and Class IV adversaries.
  • With the resources available to these
    adversaries, it is not apparent that analysis of
    single exploits or events will help to identify
    and analyze the presence of these adversaries.
  • For example, it is understood that an adversary
    will not use his most valuable or sophisticated
    techniques or methods unless there is sufficient
  • Consequently, identification of Class IV
    adversaries must look for supporting evidence.
    Fortunately, the kinds of process and control
    exercised by this type of adversary are likely to
    leave such evidence.

  • While the development of new models and
    characterizations of cyber-adversaries has been
    informally pursued for several years and within
    multiple government-supported programs, the full
    development and presentation is made under an
    effort called Theory of Observables within the
    Proactive and Predictive Cyber Indications and
    Warnings contract from the Advanced Research and
    Development Activity (ARDA).
  • ARDA's web site is located at

Abstract of Paper 4
  • The authors make the case for distributed digital
    forensic (DDF) tools and provide several
    real-world examples where traditional
    investigative tools executing on a single
    workstation have clearly reached their limits,
    severely hampering timely processing of digital
    evidence. Based on their observations about the
    typical tasks carried out in the investigative
    process, they outline a set of system
    requirements for DDF software. Next, the authors
    propose a lightweight distributed framework
    designed to meet these requirements and describe
    an early prototype implementation of it. Finally,
    they present some performance comparisons of
    single- versus multiple-machine implementations
    of several typical tasks and describe some more
    sophisticated forensics analysis techniques,
    which will be enabled by a transition to DDF

  • Having all of the analysis to be carried out in
    one location may have a performance impact
  • If the site is down, then the work has to be
  • Therefore distributed digital forensics analysis
    may be an option
  • Requirements include:
  • Scalability
  • Platform Independence
  • Extensibility
  • Robustness

Approach and Directions
  • System Architecture
  • Based on architectures for distributed data
    management and/or distributed data mining
  • Distributed workload
  • Each node carries out a specific task, or all of
    the nodes carry out the same task and then the
    results have to be combined
  • Analysis
  • Each node carries out analysis and the results
    have to be combined
  • Some directions include:
  • Develop a framework for DDF Middleware for
    forensics analysis - Tools are integrated in a
    middleware environment. Appropriate tools are