Digital Forensics Technologies… (ETRI presentation, 2007. 2. 8.)
Source: old.hsn.or.kr/hsn2007/document/8_SS/S-3.pdf


Slide 1: Digital Forensics Technologies…

2007. 2. 8.

Kyo-il Chung, Ph. D.
Convergence Security Group

2 ::: ETRI, The Future Wave :::

Contents

I. Introduction of Digital Forensics

II. Chain of Custody & Technologies

III. Case Studies

IV. Conclusions

Slide 3: ETRI

Established in 1976

Korea's largest government-funded research facility in the fields of IT & communications

R&D fields: semiconductors, mobile communications, networks, security, etc.

Slide 4: Organization of ISRD

Information Security Research Division: Applied Security Group, Convergence Security Group, Project Supporting Department

Research teams:

• Network Security Architecture Team

• Secure OS Research Team

• Active Security Research Team

• Privacy Protection Research Team

• P2P Security Research Team

• Wireless Security Application Research Team

• Cryptography Research Team

• Digital ID Security Research Team

• RFID/USN Security Research Team

• Biometrics Technology Research Team

• Biometrics Chipset Research Team

• Bio-medical Information Security Research Team

• Home Network Security Research Team

Slide 5: Applied Security Group

Next Generation Security System Tech.
  - Security Gateway System
  - Secure Router System
  - Security Management System

Network Security Tech. for P2P Overlay Networks over Wired/Wireless IPv6 Infrastructures

Development of Secure Platform for Wireless Network

Slide 6: Convergence Security Group

Cryptographic Algorithm and Protocol
  - Next Generation Cryptographic Algorithm Design & Analysis
  - Privacy Enhancing Technology

Digital ID Security
  - Internet ID Management Technology
  - Autonomous Identity Federation Bridging Technology

RFID/USN Security
  - Light-weight Crypto Algorithm for RFID & Sensor Network
  - Low Power & High Speed Processor
  - Security Mechanism for RFID/USN Environments

Slide 7 (continued)

User Identification Technology Using Biometrics
  - Multi-modal Biometric & Searching Technology
  - Biometric Chipset
  - Biometric Data Protection

Security in Healthcare
  - Bio Sensor Technology
  - Security Tech. for EHR, u-Hospital

Authentication and Authorization Tech. for Home Networks
  - Lightweight authentication and access control mechanism for home networks

Slide 8: Done

Design and development of information security algorithm for IMT- 2000 system

Electronic certificate based PKI system

USB token containing biometric functions

Wireless LAN information security technology

Next generation IC card

USIM chipset for 3rd generation mobile communications

Slide 9: I. Introduction of Digital Forensics

What is Digital Forensics?

Why Digital Forensics?

Where to apply?

Slide 10: Forensics?

We are all very familiar with CSI (crime scene investigation) …

Slide 11: Computer crime?

Your company has recently hired a new salesman.

6 months after his hire, he leaves your company and forms a competing interest, sending letters to all of your clients.

You may think this a bit odd and contact an attorney to consider filing a suit.

What has occurred is a virtual theft -- the salesman stole a copy of your client database.

Note that this is a VIRTUAL theft -- since you were not deprived of any property (he didn't delete it, just copied it) you will likely not be able to prosecute him criminally.

by Jkizza, UT Chattanooga

Slide 12: How much information?

"How Much Information?" (Berkeley, USA)

- Before 1999 (about 300 thousand years), humans produced 12 Exabytes of information.
- In only the 4 years after 1999, we produced 9 Exabytes.
- The quantity of information doubles every year; the digitalization of information is accelerating.
- Only 0.03% of produced information was recorded on paper (2002).

* 1 Exabyte : 10^18 bytes (1 Gigabyte x 1 billion)

Storage Medium | 1999-2000 | 2002 | %
Paper | 1,200 | 1,634 | 36%
Film | 431,690 | 420,254 | -3%
Magnetic | 2,779,760 | 5,187,130 | 87%
Optical | 81 | 103 | 28%
TOTAL | 3,212,731 | 5,609,121 | 74.5%

Slide 13: Increase of digital evidence in criminal investigation

[Chart: computer and cyber crime cases by year, 2000 to 2003 (scale 0 to 12,000); categories: hacking, viruses, extraction of private information; cyber game, cyber terror, etc.; sources: CERT, Prosecutor's Office and CERT, Police Agency]

Year | # Crimes
2001 | 33,325
2004 | 77,099

Increasing transition of computer & cyber crime.

Digital evidence: the cases in which the important evidence is located in a computer are increasing, both for computer-related crimes and for general crimes.

Features of digital evidence: digital evidence is easy to copy, it is difficult to distinguish the original from the copied material, and it is easy to manipulate and delete.

Slide 14: Definition

- A logical procedure to acquire, store, analyze and report digital evidence so that it becomes legal evidence.
- To clarify and prove the relations of the events that occurred on a computer, using the digital data stored in the computer.
- A sequential procedure: acquisition of the digital evidence without damaging the digital data, proving the existence of the data at a specific time, and making legal evidence after analyzing the digital evidence.

[Diagram: requirements of the digital forensic discipline: Replay, Rightfulness, Promptness, Chain of custody, Integrity]

Slide 15: Applicable areas

- Computer crime investigation: espionage, technology leakage, blackmail, fraud, counterfeiting, hacking, cyber terror
- Civil trial: defamation of character, negligence, audit
- Prevention of and response to intrusion: constructing a database of data, rapid processing of vast data, analyzing incidents, response (trace, acquisition of evidence, information sharing)

Slide 16: Purpose of Digital Forensics

Purpose of Digital Forensics: computer crime investigation; evidence analysis for civil trial; data analysis of digital devices

Technologies of Digital Forensics: Device; Data C&A; System & Network; Application Analysis

Procedures of Digital Forensics: acquisition of evidence; chain of custody; management of digital evidence; analysis report

[Diagram: Purpose + Technologies = Procedures of Digital Forensics]

Slide 17: Market forecast

Digital forensics is mainly used in computer-crime-related trials such as hacking cases, and the forensic market has grown rapidly.

[Chart: market size of forensic products and accident response services by year (unit: 100 million dollars); values shown: 2001: 1.0 and 1.33; 2004: 1.9 and 2.64; 2008: 6.0 and 7.86; growth rate (per year) = 29%; source: IDC (2004)]

Slide 18: II. Chain of Custody & Technologies

Procedure of Digital Forensics

Technologies for Digital Forensics

Classification of technologies

Products

Slide 19: Procedure of Digital Forensics -- Chain of Custody

Preliminary: forensic tool testing; preparing tools; cooperative system

Acquisition: scene investigation; disk imaging; authentication of evidence

Chain of custody: making a copy of the image; transfer of evidence

Analysis: search for hidden data; time-line analysis; signature analysis; data recovery and search; log analysis; evidence analysis

Report: investigator list; opinion of expert

Slide 20: Classification of technologies

Application: File Decryption, Crack; Information Hiding; File Repair; Internet; Email

System & Network: Network Data Collection & Analysis; Software (Program files) Analysis; Live Data Collection & Analysis; System Monitoring; Network Trace

Data: File Identification (Find); File Systems Repair; Browsing; TimeLine; Search

Device: Storage Media Duplication; Storage Media Repair

Slide 21: Technologies for Digital Forensics (Device)

Storage Media Duplication
• Imaging: making an image of the storage by copying it bit by bit
• Write Block: protecting the storage so that its information stays intact
• Mounting: attaching an image as a sub-directory of the forensic system

Storage Media Repair
• Physical or electronic recovery of a storage: recovering a storage from a physically or electronically damaged state
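The imaging and authentication steps of the chain of custody (bit-by-bit copy, hash of the source, hash of the image, custody record, re-verification after transfer), as an added Python example that is not from the presentation; the in-memory "device", the evidence id and the handler name are constructed stand-ins, and the read-only stream stands in for a hardware write blocker.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # copy in fixed-size blocks, like dd with bs=4096

def image_device(source, image, block_size=BLOCK_SIZE):
    """Bit-by-bit copy of a read-only source stream into an image stream.
    Returns (bytes copied, SHA-256 of everything read from the source)."""
    digest = hashlib.sha256()
    copied = 0
    for block in iter(lambda: source.read(block_size), b""):
        digest.update(block)
        image.write(block)
        copied += len(block)
    return copied, digest.hexdigest()

def sha256_of(data, block_size=BLOCK_SIZE):
    """Independent block-wise hash, as a verifier would compute over an image file."""
    digest = hashlib.sha256()
    for start in range(0, len(data), block_size):
        digest.update(data[start:start + block_size])
    return digest.hexdigest()

def verify_image(image_bytes, recorded_hash):
    """Re-hash an image after transfer or copying and compare with the custody record."""
    return sha256_of(image_bytes) == recorded_hash

def acquire(evidence_id, handler, device_bytes):
    """Image a device, verify the copy against the source hash, return the custody entry."""
    source = io.BytesIO(device_bytes)  # read-only stream; stands in for a write-blocked device
    image = io.BytesIO()
    copied, source_hash = image_device(source, image)
    image_hash = sha256_of(image.getvalue())
    return {
        "evidence_id": evidence_id,  # constructed label, not a real case identifier
        "action": "disk imaging",
        "handler": handler,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": copied,
        "sha256": image_hash,
        # the copy is authenticated only if both hashes agree and nothing was truncated
        "verified": image_hash == source_hash and copied == len(device_bytes),
    }

# Constructed sample "device": size deliberately not a multiple of BLOCK_SIZE.
SAMPLE_DEVICE = b"\x00" * 510 + b"\x55\xaa" + b"F" * 5000 + b"deleted address list"

if __name__ == "__main__":
    record = acquire("EV-001", "examiner-A", SAMPLE_DEVICE)
    print(record, verify_image(SAMPLE_DEVICE, record["sha256"]))
```

A single changed byte in a transferred copy makes verify_image return False, which is the check each custody transfer should repeat.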

Slide 22: Technologies for Digital Forensics (System)

Live Data Collection & Analysis
• Acquisition and analysis of the volatile data of a live system
• System (process, memory, file, network) monitoring, memory dump, log collection

Software (Program files) Analysis
• Obtaining information about the installed software and analyzing the executable files
• Software analysis, debugging, disassembly

Slide 23: Technologies for Digital Forensics (Network)

Network Data Collection & Analysis
• Data acquisition and analysis of network packets, the network environment, and the logs of security devices

Network Trace
• Tracing the physical and logical source of traffic
• E-mail header analysis, IP back-tracing, BPBT-based remote-user tracing, gathering IP information from the ISP

* BPBT : Bak-Pak Bubble Trap
* ISP : Internet Service Provider

Slide 24: Technologies for Digital Forensics (Data)

File System Repair
• Logical recovery of the storage: recovery of the file allocation table and the MBR from a damaged storage

Browsing
• Viewing the mounted image
• Summary and detailed information on disks, directories and files
• Quick view

File Identification (Find): hashed search using an RDS
• Narrowing the target files using a reference data set (RDS)
• NSRL Project

* CFTT : Computer Forensics Tool Testing
* MBR : Master Boot Record
* NSRL : National Software Reference Library

Slide 25: Technologies for Digital Forensics (Data, continued)

Search
• Easy and efficient string search (indexing, hash set)
• File, string, attribute and hashed search

Time Line
• Analysis of events according to their order of occurrence
• System-based time-line, network-based time-line

History & File Signature
• Finding deliberate file attribute modification by analyzing the file signature
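File identification with a reference data set and file signature analysis, combined in one added Python example (not from the presentation): known files are excluded by an RDS-style SHA-1 hash set first, and the remaining files are checked for disagreement between the extension and the leading bytes. The signatures are the public magic numbers of those formats; the sample files and the KNOWN_RDS set are constructed stand-ins for a real NSRL RDS lookup.

```python
import hashlib

# Leading bytes ("magic numbers") of common formats, keyed by the extension that claims them.
SIGNATURES = {
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
    "dll": [b"MZ"],
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound document
}

def sha1_hex(data):
    """NSRL RDS entries carry SHA-1 (and MD5) values; hash the same way for the lookup."""
    return hashlib.sha1(data).hexdigest()

def signature_mismatch(name, data):
    """True when the extension has a known signature and the content does not carry it,
    i.e. the file attribute (name) and the file signature disagree."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = SIGNATURES.get(ext)
    if magic is None:
        return False  # no reference signature for this extension: cannot judge
    return not any(data.startswith(m) for m in magic)

def triage(files, known_hashes):
    """files: {name: bytes}. Known files are excluded via the hash set first, then the rest
    are checked for signature/extension disagreement. Returns {name: verdict}."""
    verdict = {}
    for name, data in files.items():
        if sha1_hex(data) in known_hashes:
            verdict[name] = "known"      # RDS hit: standard software file, exclude from review
        elif signature_mismatch(name, data):
            verdict[name] = "mismatch"   # renamed or disguised file: examine first
        else:
            verdict[name] = "review"
    return verdict

# Constructed samples: a stand-in system binary, an ordinary PDF, a ZIP renamed to .jpg.
SYSTEM_BINARY = b"MZ" + b"\x90" * 62
SAMPLE_FILES = {
    "notepad.exe": SYSTEM_BINARY,
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "holiday.jpg": b"PK\x03\x04" + b"\x00" * 26,
    "notes.txt": b"plain text, no signature to compare against",
}
KNOWN_RDS = {sha1_hex(SYSTEM_BINARY)}  # stand-in for hashes loaded from an NSRL RDS file

if __name__ == "__main__":
    for name, result in triage(SAMPLE_FILES, KNOWN_RDS).items():
        print(f"{name:12} {result}")
```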

Slide 26: Technologies for Digital Forensics (Application)

File Decryption, Crack
• Decrypt or recover information that is encrypted or protected by cryptography
• Object: document files (Office, HWP, PDF, ZIP), system logon

Slack Space
• Cannot be recognized through the file table
• Find the physical address of the slack space and look into the clusters assigned to it

Information Hiding
• Find the hidden information and turn it into easily accessible data
• Object: steganography, NTFS streams, OLE 2.0

* OLE : Object Linking and Embedding

Slide 27: Technologies for Digital Forensics (Application, continued)

File Repair
• Reconstruct the original file from a damaged file using linguistic and file-format information
• Object: executable files, document files, data files

E-mail
• Turn the data of an e-mail application into easily accessible data
• Viewing, recovery, repair (PST, DBX)

Internet
• Find the visited sites using the cookie and history files of the internet browser, and investigate what the user has done

Slide 28: Products

Type | Products
Hardware Protection Tool | A-Card, FastBlock, NoWrite
Imaging Tool | DD (Linux), SafeBack, SnapBack DatArrest, FreeBSD, Mares imaging tool
Searching Tool | Grep (Linux), dtSearch, Text Search Plus (NTI), Afind/Hfind/Sfind (Forensic Toolkit)
Browsing, Viewer | Conversions Plus, Quick View Plus, ThumbsPlus, WinHex, UltraEdit
Analysis, Recovery Tool | Hash Keeper, TCT, EasyRecovery, FileRepair, Final Data, Advanced Password Recovery
Integration Tool | EnCase, iLook, Forensix, Forensic Toolkit, Autopsy, F.I.R.E, Final Forensic

Slide 29: Certification of Digital Forensics Tools

Computer Forensics Tool Testing program (CFTT), NIST, USA

- Presents verification and evaluation methods for computer forensics tools
- Strengthens objectivity; publishes the test results as documentation
  – Major points: reliability, accuracy, integrity, generality
  – Test functions: imaging, file recovery, string search

Slide 30: III. Case Studies

Jinju Seobu Nonghyup (진주서부농협) defamation case

Morgan Stanley case

Slide 31: Case Study (1)

Jinju Seobu Nonghyup (진주서부농협) defamation case

Background
• Letters containing defamatory statements were mailed to seven locations, including the Sangbong branch of Jinju Seobu Nonghyup; the victim filed a criminal complaint for defamation.

Application of forensics
• One Hyunju (현주) computer was seized from the defendant (the HWP documents and other files had all been deleted).
• Deleted HWP files, including the address list affixed to the envelopes of the letters used in the offense, were recovered from the seized computer, and the indictment was based on this recovery.
  – The computer recovery found an address list of the places to which each letter in the original judgment was sent, and the typeface and size of that address list were identical to the typeface and size of the addresses written on each letter.
  – 2003. 9. 30.: first-instance verdict (8 months' imprisonment, suspended for 2 years)
• 2005. 7. 6.: petition for retrial
  – EnCase analysis showed that the initial creation date of the file #529847.hwp, which contained the address list, was after the date of the offense; on this basis a retrial was requested and the retrial is in progress.

Slide 32: Case Study (2)

Morgan Stanley case

Background
• In 1998, Morgan Stanley arranged the sale of Coleman, owned by Perelman, to Sunbeam, an apparel company that was a Morgan Stanley client.
• Perelman sued, alleging that Morgan Stanley knew Sunbeam was on the verge of bankruptcy yet did not properly disclose its financial condition to him.

Verdict
• Morgan Stanley could not produce the past e-mail records related to the Coleman sale as evidence; this led the Perelman side to allege that the e-mails had been deliberately destroyed, which weighed decisively against Morgan Stanley in the outcome of the trial.
• In May 2005, a Florida court ruled that Morgan Stanley, having neglected to preserve evidence, must pay Ronald Perelman, chairman of Revlon, 1.4543 billion dollars.
• This emphasizes the importance of securing digital evidence in civil cases.

Slide 33: IV. Conclusions

Slide 34: Conclusions

Need for rapid development of forensic techniques and tools
- Increased cyber crime
- Necessity of digital evidence
- Dependency on foreign forensic systems

Need for forensic specialists
- Field of cryptanalysis
- Steganography
- Systems: OS, database, web, mobile …

Making law to guarantee digital evidence through digital forensics

Slide 35: Thank you for your attention!!