Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Application Forensics October 26, 2009
Page 1: Digital Forensics

Dr. Bhavani Thuraisingham, The University of Texas at Dallas

Application Forensics

October 26, 2009

Page 2: Digital Forensics

Outline

- Email Forensics
- UTD work on Email worm detection - revisited
- Mobile System Forensics
- Note: Other Application/systems related forensics: Database forensics, Network forensics (already discussed)
- Reference: Chapters 12 and 13 of text book
- Military Forensics Overview
- Papers to discuss week of November 2
- Optional paper to read: http://www.mindswap.org/papers/Trust.pdf

Page 3: Digital Forensics

Email Forensics

- Email Investigations
- Client/Server roles
- Email crimes and violations
- Email servers
- Email forensics tools

Page 4: Digital Forensics

Email Investigations

Types of email investigations
- Emails carrying worms and viruses: suspicious emails
- Checking emails in a crime, e.g., a homicide

Types of suspicious emails
- Phishing emails: they are in HTML format and redirect to suspicious web sites
- Nigerian scam
- Spoofing emails

Page 5: Digital Forensics

Client/Server Roles

Client-Server architecture
- Email servers run the email server programs, e.g., Microsoft Exchange Server
- Email clients run the client program, e.g., Outlook
- Identification/authentication is used for a client to access the server

Intranet/Internet email servers
- Intranet: local environment
- Internet: public, e.g., Yahoo, Hotmail, etc.

Page 6: Digital Forensics

Email Crimes and Violations

Goal is to determine who is behind the crime, such as who sent the email

Steps in email forensics
- Examine the email message
- Copy the email message (also forward the email)
- View and examine the email header: tools are available for Outlook and other email clients
- Examine additional files such as address books
- Trace the message using various Internet tools
- Examine network logs (netflow analysis)

Note: UTD Netflow tools SCRUB are in SourceForge
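The header examination and tracing steps above, as an added example that is not part of the slides or the textbook: it walks the Received: chain from origin to destination and reports two common signs of a spoofed message. Hostnames and addresses in the sample are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Each receiving MTA prepends its Received: line, so the topmost line is the last hop.
RECV_RE = re.compile(r"from\s+(?P<from>\S+).*?by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (placeholder hosts, documentation IP ranges), not a real trace.
SAMPLE_RAW = """Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby mail.victim.example (Postfix) with ESMTP id ABC123
\tfor <analyst@victim.example>; Mon, 26 Oct 2009 10:15:02 -0500
Received: from relay.example.net ([203.0.113.9])
\tby mx.example.org with ESMTP; Mon, 26 Oct 2009 10:14:58 -0500
Received: from [192.0.2.15] (unknown [192.0.2.15])
\tby relay.example.net with SMTP; Mon, 26 Oct 2009 10:14:40 -0500
From: "Bank Support" <support@bank.example>
Subject: Verify your account

Click here.
"""

def trace_path(raw):
    """Return hops oldest-first as (from_host, from_ip, by_host, timestamp)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECV_RE.search(value)
        if not m:
            continue  # skip a Received: line we cannot parse rather than guess
        ip = IP_RE.search(value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append((m.group("from"), ip.group(1) if ip else None, m.group("by"), when))
    return hops

def check_consistency(raw):
    """Indicators worth a closer look: clocks running backwards between hops (a
    fabricated Received: line) and a From: domain absent from the originating hop."""
    hops = trace_path(raw)
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if cur[3] < prev[3]:
            findings.append(f"timestamp goes backwards at hop received by {cur[2]}")
    domain = parseaddr(message_from_string(raw)["From"])[1].split("@")[-1]
    if hops and domain not in hops[0][0]:
        findings.append(f"From: domain {domain} does not match originating host {hops[0][0]}")
    return findings
```

Received: lines are only trustworthy from your own servers inward; anything below the first hop you control can be forged, which is why the consistency checks matter.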

Page 7: Digital Forensics

Email Servers

- Need to work with the network administrator on how to retrieve messages from the server
- Understand how the server records and handles the messages
- How are the email logs created and stored?
- How are deleted email messages handled by the server? Are copies of the messages still kept?
- Chapter 12 discussed email servers by UNIX, Microsoft, Novell

Page 8: Digital Forensics

Email Forensics Tools

Several tools for Outlook Express, Eudora, Exchange, Lotus Notes

Tools for log analysis and recovering deleted emails. Examples:
- AccessData FTK
- FINALeMAIL
- EDBXtract
- MailRecovery

Page 9: Digital Forensics

Worm Detection: Introduction

What are worms?
- Self-replicating program; exploits a software vulnerability on a victim; remotely infects other victims

Evil worms
- Severe effect; the Code Red epidemic cost $2.6 Billion

Goals of worm detection
- Real-time detection

Issues
- Substantial volume of identical traffic, random probing

Methods for worm detection
- Count number of sources/destinations; count number of failed connection attempts

Worm types
- Email worms, Instant Messaging worms, Internet worms, IRC worms, File-sharing network worms

Automatic signature generation possible
- EarlyBird System (S. Singh, UCSD); Autograph (H. Ah-Kim, CMU)

Page 10: Digital Forensics

Email Worm Detection using Data Mining

[Figure: outgoing emails pass through feature extraction into training data and test data; a machine learning classifier trained on the training data produces the model, which labels each email Clean or Infected.]

Task: given some training instances of both "normal" and "viral" emails, induce a hypothesis to detect "viral" emails.

We used: Naïve Bayes, SVM

Page 11: Digital Forensics

Assumptions

- Features are based on outgoing emails.
- Different users have different "normal" behaviour. Analysis should be on a per-user basis.
- Two groups of features
  - Per email (# of attachments, HTML in body, text/binary attachments)
  - Per window (mean words in body, variable words in subject)
- Total of 24 features identified
- Goal: Identify "normal" and "viral" emails based on these features

Page 12: Digital Forensics

Feature sets

Per email features
- Binary-valued features: presence of HTML; script tags/attributes; embedded images; hyperlinks; presence of binary, text attachments; MIME types of file attachments
- Continuous-valued features: number of attachments; number of words/characters in the subject and body

Per window features
- Number of emails sent; number of unique email recipients; number of unique sender addresses; average number of words/characters per subject, body; average word length; variance in number of words/characters per subject, body; variance in word length
- Ratio of emails with attachments
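Extracting a subset of the per-email and per-window features listed above from a user's outgoing mail, as an added example (not the UTD implementation or the UC Berkeley corpus): the three messages are constructed sample data, and the feature names are this example's own.

```python
import re
import statistics
from email.message import EmailMessage
SCRIPT_RE = re.compile(r"<script\b|\bon\w+\s*=", re.I)  # script tags / event-handler attributes
def make_msg(to, subject, body, html=None, attach=None):  # attach = (filename, bytes, maintype, subtype)
    m = EmailMessage()
    m["To"], m["Subject"] = to, subject
    m.set_content(body)
    if html:
        m.add_alternative(html, subtype="html")
    if attach:
        m.add_attachment(attach[1], maintype=attach[2], subtype=attach[3], filename=attach[0])
    return m

def per_email_features(m):  # binary and continuous per-email features from the slide
    parts = [p for p in m.walk() if not p.is_multipart()]
    attachments = [p for p in parts if p.get_content_disposition() == "attachment"]
    inline = [p for p in parts if p not in attachments]
    html = "".join(p.get_content() for p in inline if p.get_content_type() == "text/html")
    body = " ".join(p.get_content() for p in inline if p.get_content_type() == "text/plain")
    return {
        "has_html": bool(html),
        "has_script": bool(SCRIPT_RE.search(html)),
        "n_attach": len(attachments),
        "binary_attach": any(p.get_content_maintype() != "text" for p in attachments),
        "text_attach": any(p.get_content_maintype() == "text" for p in attachments),
        "mime_types": sorted({p.get_content_type() for p in attachments}),
        "subject_words": len(m["Subject"].split()),
        "body_words": len(body.split()),
    }

def per_window_features(msgs):  # per-window features over one user's outgoing mail
    feats = [per_email_features(m) for m in msgs]
    bodies = [f["body_words"] for f in feats]
    return {
        "n_sent": len(msgs),
        "unique_recipients": len({a.strip() for m in msgs for a in m["To"].split(",")}),
        "mean_body_words": statistics.mean(bodies),
        "var_body_words": statistics.pvariance(bodies),
        "attach_ratio": sum(f["n_attach"] > 0 for f in feats) / len(msgs),
    }
# Constructed window of three outgoing emails from one user (sample data, not the slides' corpus).
WINDOW = [
    make_msg("alice@example.org", "lunch tomorrow?", "Want to grab lunch at noon?"),
    make_msg("bob@example.org, alice@example.org", "slides", "Attached the slides we discussed.",
             attach=("slides.txt", b"outline: forensics", "text", "plain")),
    make_msg("carol@example.org", "Re: your document", "see attached",
             html='<html><body onload="x()">see attached</body></html>',
             attach=("document.pif", b"MZ\x90\x00", "application", "octet-stream")),
]
```

The per-window dictionary is what a per-user model would be trained on; the third message alone shows the HTML, script and binary-attachment indicators the slide lists.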

Page 13: Digital Forensics

Data Mining Approach

[Figure: a test instance is passed to the classifier (SVM or Naïve Bayes), which labels it Clean or Infected.]

Page 14: Digital Forensics

Data set

- Collected from UC Berkeley.
- Contains instances for both normal and viral emails.
- Six worm types: bagle.f, bubbleboy, mydoom.m, mydoom.u, netsky.d, sobig.f
- Originally six sets of data:
  - training instances: normal (400) + five worms (5x200)
  - testing instances: normal (1200) + the sixth worm (200)
- Problem: Not balanced, no cross validation reported
- Solution: re-arrange the data and apply cross-validation

Page 15: Digital Forensics

Our Implementation and Analysis

Implementation
- Naïve Bayes: assume "Normal" distribution of numeric and real data; smoothing applied
- SVM: with the parameter settings: one-class SVM with the radial basis function using "gamma" = 0.015 and "nu" = 0.1.

Analysis
- NB alone performs better than other techniques
- SVM alone also performs better if parameters are set correctly
- mydoom.m and VBS.Bubbleboy data sets are not sufficient (very low detection accuracy in all classifiers)
- The feature-based approach seems to be useful only when we have identified the relevant features and gathered enough training data
- Implement classifiers with best parameter settings

Page 16: Digital Forensics

Mobile Device/System Forensics

- Mobile device forensics overview
- Acquisition procedures
- Summary

Page 17: Digital Forensics

Mobile Device Forensics Overview

What is stored in cell phones
- Incoming/outgoing/missed calls
- Text messages
- Short messages
- Instant messaging logs
- Web pages
- Pictures
- Calendars
- Address books
- Music files
- Voice records

Page 18: Digital Forensics

Mobile Phones

Multiple generations
- Analog, Digital personal communications, Third generation (increased bandwidth and other features)

Digital networks
- CDMA, GSM, TDMA, ...
- Proprietary OSs

SIM Cards (Subscriber Identity Module)
- Identifies the subscriber to the network
- Stores personal information, address books, etc.

PDAs (Personal digital assistant)
- Combines mobile phone and laptop technologies

Page 19: Digital Forensics

Acquisition procedures

Mobile devices have volatile memory, so RAM needs to be retrieved before power is lost

Isolate the device from incoming signals
- Store the device in a special bag
- Need to carry out forensics in a special lab (e.g., SAIAL)

Examine the following
- Internal memory, SIM card, other external memory cards, system server
- May also need information from the service provider to determine the location of the person who made the call

Page 20: Digital Forensics

Mobile Forensics Tools

- Reads SIM Card files
- Analyzes file content (text messages etc.)
- Recovers deleted messages
- Manages PIN codes
- Generates reports
- Archives files with MD5, SHA-1 hash values
- Exports data to files
- Supports international character sets

Page 21: Digital Forensics

Papers to discuss: October 28, 2009

- FORZA: Digital forensics investigation framework that incorporates legal issues
  http://dfrws.org/2006/proceedings/4-Ieong.pdf
- A cyber forensics ontology: Creating a new approach to studying cyber forensics
  http://dfrws.org/2006/proceedings/5-Brinson.pdf
- Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem
  http://dfrws.org/2006/proceedings/6-Harris.pdf

Page 22: Digital Forensics

Papers to discuss November 2-4, 2008

- Forensic feature extraction and cross-drive analysis
  http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
- A correlation method for establishing provenance of timestamps in digital evidence
  http://dfrws.org/2006/proceedings/13-%20Schatz.pdf

Page 23: Digital Forensics

Applications Forensics – Part II

Dr. Bhavani Thuraisingham, The University of Texas at Dallas

Information Warfare and Military Forensics

October 26, 2009

Page 24: Digital Forensics

Outline

Information Warfare
- Defensive Strategies for Government and Industry
- Military Tactics
- Terrorism and Information Warfare
- Tactics of Private Corporations
- Future IW strategies
- Surveillance Tools
- The Victims of Information Warfare

Military Forensics

Relevant Papers

Page 25: Digital Forensics

What is Information Warfare?

Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. Information warfare may involve collection of tactical information, assurance that one's own information is valid, spreading of propaganda or disinformation to demoralize the enemy and the public, undermining the quality of opposing force information and denial of information collection opportunities to opposing forces.

http://en.wikipedia.org/wiki/Information_warfare

Page 26: Digital Forensics

Defensive Strategies for Government and Industry

Are US and foreign governments prepared for Information Warfare?
- According to John Vacca, the US will be most affected, with 60% of the world's computing power
- Stealing sensitive information as well as critical information to cripple an economy (e.g., financial information)

What have industry groups done?
- IT-ISAC: Information Technology Information Sharing and Analysis Center

Will strategic diplomacy help with Information Warfare?

Educating the end user is critical according to John Vacca

Page 27: Digital Forensics

Defensive Strategies for Government and Industry

What are the international organizations?
- Think tanks and research agencies
- Book cites several countries from Belarus to Taiwan engaged in Economic Espionage and Information Warfare

Risk-based analysis

Military alliances
- Coalition forces (US, UK, Canada, Australia) have regular meetings on Information Warfare

Legal implications

Strong parallels between National Security and Cyber Security

Page 28: Digital Forensics

Military Tactics

Supporting technologies
- Agents, XML, Human Computer Interaction

Military tactics
- Planning, Security, Intelligence

Tools
- Offensive Ruinous IW tools: launching massive distributed denial of service attacks
- Offensive Containment IW tools: operations security, military deception, psychological operations, electronic warfare (use of electromagnetic energy), targeting: disable the enemy's C2 (command and control) system and capability

Page 29: Digital Forensics

Military Tactics: Tools (continued)

- Defensive Preventive IW tools: monitor networks
- Defensive Ruinous IW tools: information operations
- Defensive Responsive Containment IW tools: handle hacking, viruses

Other aspects
- Dealing with sustained terrorist IW tactics, dealing with random terrorist IW tactics

Page 30: Digital Forensics

Terrorism and Information Warfare

- Terrorists are using the web to carry out terrorism activities
- What are the profiles of terrorists? Are they computer literate?
- Hacker-controlled tanks, planes and warships
- Is there a cyber underground network?
- What are their tools?
  - Information weapons, HERF gun (high power radio energy at an electronic target), electromagnetic pulse, electric power disruptive technologies
- Why are they hard to track down?
  - Need super forensics tools

Page 31: Digital Forensics

Tactics of Private Corporations

Defensive tactics
- Open source intelligence, gather business intelligence

Offensive tactics
- Packet sniffing, Trojan horse etc.

Prevention tactics
- Security techniques such as encryption

Survival tactics
- Forensics tools

Page 32: Digital Forensics

Future IW Tactics

Electromagnetic bomb
- Technology, targeting and delivery

Improved conventional methods
- Virus, worms, trap doors, Trojan horse

Global positioning systems

Nanotechnology developments
- Nano bombs

Page 33: Digital Forensics

Surveillance Tools

Data emanating from sensors
- Video data, surveillance data
- Data has to be analyzed
- Monitoring suspicious events

Data mining
- Determining events/activities that are abnormal

Biometrics technologies

Privacy is a concern

Page 34: Digital Forensics

Victims of Information Warfare

- Loss of money and funds
- Loss of shelter, food and water
- Spread of disease
- Identity theft
- Privacy violations
- Death and destruction

Note: Computers can be hacked to lose money and identity; computers can be used to commit a crime resulting in death and destruction

Page 35: Digital Forensics

Military Forensics

CFX-2000: Computer Forensics Experiment 2000
- Information Directorate (AFRL) partnership with NIJ/NLECTC
- Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework
- Tools included commercial products and research prototypes
- http://www.afrlhorizons.com/Briefs/June01/IF0016.html
- http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf

Page 36: Digital Forensics

Papers to be Discussed (November 2-4, 2009)

1. Cyber Forensics: a Military Perspective
   https://www.utica.edu/academic/institutes/ecii/publications/articles/A04843F3-99E5-632B-FF420389C0633B1B.pdf
2. Danilo Bruschi, Mattia Monga, Università degli Studi di Milano: How to Reuse Knowledge about Forensic Investigations
   http://dfrws.org/2004/day3/D3-Martignoni_Knowledge_reuse.pdf
3. John Lowry, BBN Systems: Adversary Modeling to Develop Forensic Observables
   http://dfrws.org/2004/day2/Adversary_Modeling_to_Develop_Forensic_Observables.pdf
4. Dr. Golden G. Richard III, University of New Orleans, New Orleans, LA: Breaking the Performance Wall: The Case for Distributed Digital Forensics
   http://dfrws.org/2004/day2/Golden-Perfromance.pdf