Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Application Forensics October 26, 2009.

Outline
- Email Forensics
  - UTD work on worm detection, revisited
- Mobile System Forensics
- Note: other application/system forensics (database forensics, network forensics) were already discussed
  - Reference: Chapters 12 and 13 of the textbook
- Military Forensics overview
  - Papers to discuss the week of November 2
- Optional paper to read:

Email Forensics
- Investigations
- Client/server roles
- Email crimes and violations
- Email servers
- Email forensics tools

Investigations
- Types of investigations
  - Emails that carry worms and viruses; suspicious emails
  - Checking emails as evidence in a crime (e.g., a homicide)
- Types of suspicious emails
  - Phishing emails: typically in HTML format, with links that redirect to a suspicious web site
  - Nigerian scam emails
  - Spoofed emails (forged sender address)

Email Client/Server Roles
- Client-server architecture
  - Email servers run the server program (example: Microsoft Exchange Server)
  - Email clients run the client program (example: Outlook)
  - Identification/authentication is used for the client to access the server
- Intranet/Internet email servers
  - Intranet: local environment
  - Internet: public (examples: Yahoo, Hotmail)

Email Crimes and Violations
- Goal: determine who is behind the crime, e.g., who sent the email
- Steps in email forensics
  - Examine the email message
  - Copy the message (forwarding is an alternative, but a forwarded message carries new headers, so keep a copy of the original with its headers intact)
  - View and examine the header: tools are available for Outlook and other clients
  - Examine additional files such as address books
  - Trace the message using various Internet tools (e.g., whois lookups on the originating IP address)
  - Examine network logs (NetFlow analysis)
- Note: the UTD NetFlow tools (SCRUB) are on SourceForge
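The header-examination and tracing steps above, as an added example in Python (it is not part of the original slides and not one of the textbook tools they cite): it unfolds the Received: headers into a chronological hop chain, extracts the originating IP from the first hop, compares the From: domain with the envelope Return-Path domain to detect spoofing, and flags HTML links whose visible text names a different host than the href. The message, host names and addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail): the From: line claims a bank,
# the envelope Return-Path names a different domain, the earliest Received
# hop shows the true originating address, and the HTML link's visible text
# does not match where the href actually points.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by inbox.corp.example with ESMTP id 1; Mon, 26 Oct 2009 10:00:03 -0500
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
 by mx.corp.example with SMTP id 2; Mon, 26 Oct 2009 10:00:01 -0500
Received: from localhost (unknown [203.0.113.45])
 by mailer.example.net with SMTP id 3; Mon, 26 Oct 2009 09:59:58 -0500
From: "Example Bank Security" <alerts@bank.example.com>
To: victim@corp.example
Subject: Verify your account
Content-Type: text/html

<html><body>Please <a href="http://203.0.113.45/login">sign in at bank.example.com</a>.</body></html>
"""

# "from <host> (<reverse-dns> [<ip>]) by <host>" as written by most MTAs
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def received_chain(raw):
    """Received hops in chronological order: each MTA prepends its header,
    so the last Received header in the message is the first hop."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))   # unfold the header first
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2), "by": m.group(3)})
    return list(reversed(hops))


def originating_ip(raw):
    """IP recorded by the first relay for the client that handed it the message."""
    hops = received_chain(raw)
    m = IP_RE.search(hops[0]["from_info"]) if hops else None
    return m.group(1) if m else None


def sender_mismatch(raw):
    """True when the From: domain differs from the envelope Return-Path domain,
    a common sign of a spoofed sender."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_dom != rp_dom


def deceptive_links(raw):
    """(href, link text) pairs where the visible text names a host that the
    href does not actually go to: the phishing redirect pattern."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return []
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    found = []
    for href, text in LINK_RE.findall(body):
        href_host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        if any(t.lower() != href_host for t in HOST_RE.findall(text)):
            found.append((href, text))
    return found


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_RAW):
        print(f"{hop['from']} ({hop['from_info']}) -> {hop['by']}")
    print("originating IP:", originating_ip(SAMPLE_RAW))
    print("spoofed sender:", sender_mismatch(SAMPLE_RAW))
    print("deceptive links:", deceptive_links(SAMPLE_RAW))
```

Only the Received: headers added by relays you control can be trusted; every hop below your first trusted relay was supplied by the sender's side and may be forged, so the "originating" address is the earliest hop you can corroborate with your own server and NetFlow logs, not necessarily the last header in the message.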

Email Servers
- Work with the network administrator on how to retrieve messages from the server
- Understand how the server records and handles messages
- How are the logs created and stored?
- How are deleted messages handled by the server? Are copies of the messages still kept?
- Chapter 12 discusses email servers from UNIX, Microsoft, and Novell

Email Forensics Tools
- Several tools for Outlook Express, Eudora, Exchange, and Lotus Notes
- Tools for log analysis and for recovering deleted emails
- Examples:
  - AccessData FTK
  - FINALeMAIL
  - EDBXtract
  - MailRecovery

Worm Detection: Introduction
- What are worms?
  - Self-replicating programs; exploit a software vulnerability on a victim; remotely infect other victims
- Evil worms
  - Severe effect; the Code Red epidemic cost $2.6 billion
- Goal of worm detection
  - Real-time detection
- Issues
  - Substantial volume of identical traffic, random probing
- Methods for worm detection
  - Count the number of distinct sources/destinations; count the number of failed connection attempts
- Worm types
  - Email worms, instant messaging worms, Internet worms, IRC worms, file-sharing network worms
- Automatic signature generation is possible
  - EarlyBird system (S. Singh, UCSD); Autograph (H.-A. Kim, CMU)
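The two counting methods listed above (distinct destinations per source, and failed connection attempts) over NetFlow-style records, as an added Python example that is not part of the slides or of the UTD SCRUB tools. The flow records are constructed: one ordinary host and one host that probes twelve consecutive addresses on port 445 with most SYNs unanswered, which is what random probing by a scanning worm looks like in flow data. The thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real traffic): src,dst,dport,tcp_flags
#   "S"  = SYN seen, no SYN-ACK back (failed connection attempt)
#   "SA" = handshake completed
NORMAL_HOST = [
    "10.0.0.5,10.0.1.20,445,SA",
    "10.0.0.5,10.0.1.21,80,SA",
    "10.0.0.5,10.0.1.20,445,SA",
]
# 10.0.0.9 probes twelve consecutive addresses on port 445; only two answer
SCANNER = [f"10.0.0.9,10.0.1.{i},445,{'SA' if i % 6 == 0 else 'S'}" for i in range(1, 13)]
SAMPLE_FLOWS = "\n".join(NORMAL_HOST + SCANNER)


def parse_flows(text):
    """Parse src,dst,dport,flags lines into tuples; skip blank and comment lines."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, flags = line.split(",")
        recs.append((src, dst, int(dport), flags))
    return recs


def per_source_stats(recs):
    """Per source: distinct destinations, distinct ports, total and failed attempts."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "total": 0, "failed": 0})
    for src, dst, dport, flags in recs:
        s = stats[src]
        s["dsts"].add(dst)
        s["ports"].add(dport)
        s["total"] += 1
        if flags == "S":
            s["failed"] += 1
    return stats


def suspected_worm_sources(recs, min_dsts=10, min_fail_ratio=0.5):
    """Flag sources that contact many distinct destinations AND mostly fail to
    complete the handshake, the signature of random address-space probing.
    Returns (src, distinct_dsts, fail_ratio, ports) sorted by source."""
    flagged = []
    for src, s in per_source_stats(recs).items():
        ratio = s["failed"] / s["total"]
        if len(s["dsts"]) >= min_dsts and ratio >= min_fail_ratio:
            flagged.append((src, len(s["dsts"]), round(ratio, 2), sorted(s["ports"])))
    return sorted(flagged)


def sources_per_port(recs):
    """Distinct sources seen per destination port; a jump in this count on one
    port is the 'substantial volume of identical traffic' an epidemic produces."""
    seen = defaultdict(set)
    for src, _, dport, _ in recs:
        seen[dport].add(src)
    return {p: len(s) for p, s in seen.items()}


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    print("suspected worm sources:", suspected_worm_sources(recs))
    print("distinct sources per port:", sources_per_port(recs))
```

In production the counts are kept per time window (a sliding minute, say) rather than over the whole capture, and a legitimate scanner, a monitoring system or a mail server with many recipients will trip the destination-count rule, so the failed-handshake ratio is what separates probing from busy-but-normal hosts.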

Worm Detection using Data Mining
- (Figure: outgoing emails -> feature extraction -> training data and test data -> machine learning -> the model/classifier -> clean or infected?)
- Task: given some training instances of both "normal" and "viral" emails, induce a hypothesis to detect "viral" emails
- We used: Naïve Bayes, SVM

Assumptions
- Features are based on outgoing emails
- Different users have different "normal" behaviour
- Analysis should be on a per-user basis
- Two groups of features
  - Per email (number of attachments, HTML in body, text/binary attachments)
  - Per window (mean words in body, variance of words in subject)
- Total of 24 features identified
- Goal: identify "normal" and "viral" emails based on these features

Feature Sets
- Per-email features
  - Binary-valued features: presence of HTML; script tags/attributes; embedded images; hyperlinks; presence of binary or text attachments; MIME types of file attachments
  - Continuous-valued features: number of attachments; number of words/characters in the subject and body
- Per-window features
  - Number of emails sent; number of unique recipients; number of unique sender addresses; average number of words/characters per subject and body; average word length; variance in number of words/characters per subject and body; variance in word length
  - Ratio of emails with attachments
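A subset of the per-email and per-window features above computed from raw messages, as an added Python example; it is not the UTD feature extractor and covers seven of the 24 features. The three outgoing messages are constructed with the standard library's MIME classes: two ordinary messages and one that looks like a mass-mailing worm (HTML body with a script tag and a link, a binary .scr attachment, two new recipients). Tags are stripped before counting body words, which is an assumption about how the original counted.

```python
import re
import statistics
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

TAG_RE = re.compile(r"<[^>]+>")


def build_message(to, subject, body, html=False, attachment=None):
    """Construct a sample outgoing message (test data, not real mail).
    attachment is (filename, "text" | "binary")."""
    msg = MIMEMultipart()
    msg["To"] = to
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "html" if html else "plain"))
    if attachment:
        name, kind = attachment
        if kind == "text":
            part = MIMEText("draft contents", "plain")
        else:
            part = MIMEApplication(b"MZ" + b"\x00" * 14)   # fake PE header bytes
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()


# One user's outgoing window: two ordinary messages and one worm-like message.
SAMPLE_WINDOW = [
    build_message("alice@corp.example", "Lunch today?",
                  "Want to grab lunch at noon? Let me know."),
    build_message("bob@corp.example", "Q3 report draft",
                  "Attached is the draft, comments welcome.",
                  attachment=("report.txt", "text")),
    build_message("carol@corp.example, dave@corp.example", "Important notice",
                  '<html><body><script>x()</script>Open the '
                  '<a href="http://203.0.113.9/f">file</a>.</body></html>',
                  html=True, attachment=("photo.scr", "binary")),
]


def per_email_features(raw):
    """Binary and continuous features of a single message."""
    msg = message_from_string(raw)
    parts = [p for p in msg.walk() if not p.is_multipart()]
    attachments = [p for p in parts if p.get_filename()]
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in parts
                    if p.get_content_maintype() == "text" and not p.get_filename())
    text = TAG_RE.sub(" ", body)            # count words, not markup
    subject = msg.get("Subject", "")
    return {
        "has_html": int(any(p.get_content_type() == "text/html" for p in parts)),
        "has_script": int("<script" in body.lower()),
        "has_link": int("href=" in body.lower()),
        "n_attach": len(attachments),
        "n_binary_attach": sum(1 for p in attachments if p.get_content_maintype() != "text"),
        "subj_words": len(subject.split()),
        "body_words": len(text.split()),
    }


def per_window_features(raws):
    """Features over a window of one user's outgoing messages."""
    rows = [per_email_features(r) for r in raws]
    recipients = set()
    for r in raws:
        to = message_from_string(r).get("To", "")
        recipients.update(a.strip() for a in to.split(",") if a.strip())
    body_w = [r["body_words"] for r in rows]
    subj_w = [r["subj_words"] for r in rows]
    return {
        "n_emails": len(rows),
        "n_unique_recipients": len(recipients),
        "mean_body_words": statistics.mean(body_w),
        "var_subj_words": statistics.pvariance(subj_w),
        "attach_ratio": sum(1 for r in rows if r["n_attach"]) / len(rows),
    }


if __name__ == "__main__":
    for raw in SAMPLE_WINDOW:
        print(per_email_features(raw))
    print(per_window_features(SAMPLE_WINDOW))
```

Because the per-window values are what capture a change in one user's habits (a sudden jump in unique recipients or in the attachment ratio), the window has to be computed per sender, exactly as the per-user assumption on the previous slide requires.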

Data Mining Approach
- (Figure: a test instance is passed to the classifier (SVM or Naïve Bayes), which outputs Clean or Infected)

Data Set
- Collected from UC Berkeley
  - Contains instances of both normal and viral emails
- Six worm types:
  - bagle.f, bubbleboy, mydoom.m, mydoom.u, netsky.d, sobig.f
- Originally six sets of data:
  - training instances: normal (400) + five worms (5 x 200)
  - testing instances: normal (1200) + the sixth worm (200)
- Problem: not balanced, no cross-validation reported
- Solution: re-arrange the data and apply cross-validation

Our Implementation and Analysis
- Implementation
  - Naïve Bayes: assume a normal distribution for numeric and real-valued features; smoothing applied
  - SVM: one-class SVM with the radial basis function kernel, "nu" = 0.1 (the "gamma" value is not given on the slide)
- Analysis
  - NB alone performs better than the other techniques
  - SVM alone also performs well if its parameters are set correctly
  - The mydoom.m and VBS.Bubbleboy data sets are not sufficient (very low detection accuracy with all classifiers)
  - The feature-based approach seems useful only when we have identified the relevant features and gathered enough training data
- Next: implement the classifiers with the best parameter settings
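The Naïve Bayes variant described above (normal likelihood per numeric feature, with smoothing), as an added Python example written for this page rather than the UTD implementation: a small Gaussian Naive Bayes over per-user feature vectors. The training vectors are constructed, not the UC Berkeley data, and the feature layout [n_attachments, has_html, has_script, body_words, unique_recipients] and the variance-smoothing constant are assumptions. The smoothing is what keeps a feature that is constant in the training data (has_script is always 0 for normal mail here) from giving a zero variance and an infinite log-likelihood at test time.

```python
import math
from collections import defaultdict

# Constructed per-user feature vectors (not the UC Berkeley data):
# [n_attachments, has_html, has_script, body_words, unique_recipients]
TRAIN = [
    ("normal", [0, 0, 0, 45, 1]), ("normal", [1, 0, 0, 60, 2]),
    ("normal", [0, 1, 0, 30, 1]), ("normal", [0, 0, 0, 80, 3]),
    ("normal", [1, 1, 0, 55, 2]),
    ("viral", [1, 1, 1, 8, 40]), ("viral", [1, 1, 0, 5, 55]),
    ("viral", [2, 1, 1, 12, 35]), ("viral", [1, 0, 0, 6, 60]),
]


class GaussianNB:
    """Naive Bayes with a normal likelihood per feature. var_smoothing is added
    to every class variance so a constant-valued feature cannot produce a zero
    variance (and therefore an infinite log-likelihood) for unseen values."""

    def __init__(self, var_smoothing=1e-2):
        self.eps = var_smoothing
        self.log_prior, self.mean, self.var = {}, {}, {}

    def fit(self, rows):
        by_class = defaultdict(list)
        for label, x in rows:
            by_class[label].append(x)
        n = len(rows)
        for label, xs in by_class.items():
            k = len(xs)
            cols = list(zip(*xs))                       # one tuple per feature
            self.log_prior[label] = math.log(k / n)
            self.mean[label] = [sum(c) / k for c in cols]
            self.var[label] = [sum((v - m) ** 2 for v in c) / k + self.eps
                               for c, m in zip(cols, self.mean[label])]
        return self

    def log_posterior(self, x):
        """Unnormalized log P(class | x) = log prior + sum of Gaussian log-likelihoods."""
        out = {}
        for label in self.log_prior:
            ll = self.log_prior[label]
            for v, m, s2 in zip(x, self.mean[label], self.var[label]):
                ll += -0.5 * math.log(2 * math.pi * s2) - (v - m) ** 2 / (2 * s2)
            out[label] = ll
        return out

    def predict(self, x):
        lp = self.log_posterior(x)
        return max(lp, key=lp.get)


def train_per_user(rows_by_user):
    """One model per user, since each user has a different 'normal'."""
    return {user: GaussianNB().fit(rows) for user, rows in rows_by_user.items()}


if __name__ == "__main__":
    models = train_per_user({"alice": TRAIN})
    for x in ([0, 0, 0, 50, 1], [1, 1, 1, 7, 50]):
        print(x, "->", models["alice"].predict(x))
```

With per-user models the small-sample problem noted for mydoom.m and Bubbleboy gets worse, not better: a user who has sent ten messages gives ten training rows, so the class variances are unreliable and the smoothing constant dominates. That is the "enough training data" condition in the analysis above.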

Mobile Device/System Forensics
- Mobile device forensics overview
- Acquisition procedures
- Summary

Mobile Device Forensics Overview
- What is stored in cell phones
  - Incoming/outgoing/missed calls
  - Text messages
  - Short messages
  - Instant messaging logs
  - Web pages
  - Pictures
  - Calendars
  - Address books
  - Music files
  - Voice records

Mobile Phones
- Multiple generations
  - Analog; digital personal communications; third generation (increased bandwidth and other features)
- Digital networks
  - CDMA, GSM, TDMA
- Proprietary OSs
- SIM cards (Subscriber Identity Module)
  - Identify the subscriber to the network
  - Store personal information, address books, etc.
- PDAs (personal digital assistants)
  - Combine mobile phone and laptop technologies

Acquisition Procedures
- Mobile devices hold evidence in volatile memory, so retrieve RAM before the device loses power
- Isolate the device from incoming signals (new traffic or a remote wipe would alter the evidence)
  - Store the device in a special shielded bag
  - Carry out the forensics in a special lab (e.g., SAIAL)
- Examine the following
  - Internal memory, SIM card, other external memory cards, system server; information from the service provider may also be needed to determine the location of the person who made the call

Mobile Forensics Tools
- Read SIM card files
- Analyze file content (text messages etc.)
- Recover deleted messages
- Manage PIN codes
- Generate reports
- Archive files with MD5 and SHA-1 hash values
- Export data to files
- Support international character sets
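The "archive files with MD5 and SHA-1 hash values" function above, as an added Python example (not any of the commercial tools the slide summarizes): it hashes every file in an acquisition directory into a manifest and later re-verifies the directory against it, reporting files that were modified or are missing. The acquisition tree (two SIM elementary-file dumps and a phone memory image) is constructed in a temporary directory for the example; the file names and contents are placeholders.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, algos=("md5", "sha1")):
    """Digests of one file under each algorithm, read in chunks so large
    memory images are not loaded whole."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def build_manifest(root):
    """Relative path -> digests for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            manifest[os.path.relpath(p, root).replace(os.sep, "/")] = hash_file(p)
    return manifest


def verify_manifest(root, manifest):
    """Relative paths whose current digests differ from the manifest, or which
    no longer exist; an empty list means the archive is unchanged."""
    bad = []
    for rel, digests in manifest.items():
        p = os.path.join(root, *rel.split("/"))
        if not os.path.exists(p) or hash_file(p) != digests:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Constructed acquisition: write placeholder SIM/phone files, build the
    manifest, flip one byte of a SIM file, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sim"))
        with open(os.path.join(root, "sim", "EF_SMS.bin"), "wb") as f:
            f.write(b"\x07\x91" + b"\xff" * 30)
        with open(os.path.join(root, "sim", "EF_ADN.bin"), "wb") as f:
            f.write(b"Alice" + b"\xff" * 27)
        with open(os.path.join(root, "phone_memory.img"), "wb") as f:
            f.write(bytes(range(256)) * 4)
        manifest = build_manifest(root)
        with open(os.path.join(root, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)     # stored alongside the archive
        clean = verify_manifest(root, manifest)
        with open(os.path.join(root, "sim", "EF_SMS.bin"), "r+b") as f:
            f.seek(0)
            f.write(b"\x00")                     # simulate tampering
        return clean, verify_manifest(root, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

MD5 and SHA-1 are what the slide lists and what the older tools emit, but both have known collision attacks, so a manifest written today should also carry a SHA-256 digest (add "sha256" to the algos tuple); keep the older digests where a report must match a tool's output.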

Papers to discuss: October 28, 2009
- FORZA: a digital forensics investigation framework that incorporates legal issues
- A cyber forensics ontology: creating a new approach to studying cyber forensics
- Arriving at an anti-forensics consensus: examining how to define and control the anti-forensics problem

Papers to discuss November 2-4, 2008
- Forensic feature extraction and cross-drive analysis
- A correlation method for establishing provenance of timestamps in digital evidence

Applications Forensics – Part II Dr. Bhavani Thuraisingham The University of Texas at Dallas Information Warfare and Military Forensics October 26, 2009

Outline
- Information Warfare
  - Defensive strategies for government and industry
  - Military tactics
  - Terrorism and information warfare
  - Tactics of private corporations
  - Future IW strategies
  - Surveillance tools
  - The victims of information warfare
- Military Forensics
- Relevant Papers

What is Information Warfare?
- Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. It may involve collection of tactical information, assurance that one's own information is valid, spreading of propaganda or disinformation to demoralize the enemy and the public, undermining the quality of the opposing force's information, and denial of information collection opportunities to opposing forces.

Defensive Strategies for Government and Industry
- Are the US and foreign governments prepared for information warfare?
  - According to John Vacca, the US will be the most affected, holding 60% of the world's computing power
  - Stealing sensitive information, as well as critical information, to cripple an economy (e.g., financial information)
- What have industry groups done?
  - IT-ISAC: Information Technology Information Sharing and Analysis Center
- Will strategic diplomacy help with information warfare?
- Educating the end user is critical, according to John Vacca

Defensive Strategies for Government and Industry (continued)
- What are the international organizations?
  - Think tanks and research agencies
  - The book cites several countries, from Belarus to Taiwan, engaged in economic espionage and information warfare
- Risk-based analysis
- Military alliances
  - Coalition forces (US, UK, Canada, Australia) hold regular meetings on information warfare
- Legal implications
- Strong parallels between national security and cyber security

Military Tactics
- Supporting technologies
  - Agents, XML, human-computer interaction
- Military tactics
  - Planning, security, intelligence
- Tools
  - Offensive ruinous IW tools
    - Launching massive distributed denial of service attacks
  - Offensive containment IW tools
    - Operations security, military deception, psychological operations, electronic warfare (use of electromagnetic energy), targeting: disable the enemy's C2 (command and control) system and capability

Military Tactics (continued)
- Tools (continued)
  - Defensive preventive IW tools
    - Monitor networks
  - Defensive ruinous IW tools
    - Information operations
  - Defensive responsive containment IW tools
    - Handle hacking, viruses
- Other aspects
  - Dealing with sustained terrorist IW tactics; dealing with random terrorist IW tactics

Terrorism and Information Warfare
- Terrorists are using the web to carry out terrorism activities
- What are the profiles of terrorists? Are they computer literate?
- Hacker-controlled tanks, planes, and warships
- Is there a cyber underground network?
- What are their tools?
  - Information weapons, HERF guns (high-power radio energy aimed at an electronic target), electromagnetic pulse, electric power disruptive technologies
- Why are they hard to track down?
  - Need super forensics tools

Tactics of Private Corporations
- Defensive tactics
  - Open source intelligence; gathering business intelligence
- Offensive tactics
  - Packet sniffing, Trojan horses, etc.
- Prevention tactics
  - Security techniques such as encryption
- Survival tactics
  - Forensics tools

Future IW Tactics
- Electromagnetic bomb
  - Technology, targeting, and delivery
- Improved conventional methods
  - Viruses, worms, trap doors, Trojan horses
- Global positioning systems
- Nanotechnology developments
  - Nano bombs

Surveillance Tools
- Data emanating from sensors
  - Video data, surveillance data
  - Data has to be analyzed
  - Monitoring suspicious events
- Data mining
  - Determining events/activities that are abnormal
- Biometrics technologies
- Privacy is a concern

Victims of Information Warfare
- Loss of money and funds
- Loss of shelter, food, and water
- Spread of disease
- Identity theft
- Privacy violations
- Death and destruction
- Note: computers can be hacked to lose money and identity; computers can also be used to commit a crime resulting in death and destruction

Military Forensics
- CFX-2000: Computer Forensics Experiment, Information Directorate (AFRL) in partnership with NIJ/NLECTC
  - Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity, and location of cyber terrorists by deploying an integrated forensics analysis framework
  - Tools included commercial products and research prototypes
  - Reference: appb.pdf

Papers to be Discussed (November 2-4, 2009)
1. Cyber Forensics: a Military Perspective (articles/A04843F3-99E5-632B-FF420389C0633B1B.pdf)
2. Danilo Bruschi, Mattia Monga, Università degli Studi di Milano: How to Reuse Knowledge about Forensic Investigations
3. John Lowry, BBN Systems: Adversary Modeling to Develop Forensic Observables (rensic_Observables.pdf)
4. Dr. Golden G. Richard III, University of New Orleans, New Orleans, LA: Breaking the Performance Wall: The Case for Distributed Digital Forensics