Example Data Mining for the NBA by pengxiuhui


									Digital Forensics

    Dr. Bhavani Thuraisingham
  The University of Texas at Dallas

             Lecture #7
Processing Crime and Incident Scene

        September 17, 2008
  Review
  Processing crime and Incident Scenes
  Review Questions
  Reference: Chapters 2 and 5 of textbook
  End of Part I of Course

  Lecture 1: Overview of Digital Forensics (Chapter 1 of
  Lecture 2: Information Security Review
  Lecture 3: Data Recovery, Verification, Lab Tour (Chapter 3 of
   textbook – constructing a forensics lab)
  Lecture 4: Data Acquisition: Chapter 4 of textbook
  Lecture 5: Malicious Code Detection (e.g., Computer is the
   Victim of the Crime; applying data mining techniques)
  Lecture 6: Digital Forensics Analysis – Part 1
Processing Crime and Incident Scenes
  Topics in Chapter 2
    - Securing evidence
    - Gathering evidence
    - Analyzing evidence
  Topics in Chapter 5
    - Understanding the rules of evidence
    - Collecting evidence in private-sector incident scenes
    - Processing law enforcement crime scenes
    - Steps to Processing Crime and Incident Scenes
    - Case study
  Other topics
    - Forensics technologies
Securing Evidence
  To secure and catalog evidence large evidence bags, tapes,
   tags, labels, etc. may be used
  Tamper Resistant Evidence Security Bags
     - Example: EVIDENT
     - “These heavy-duty polyethylene evidence bags require no
       prepackaging of evidence prior to use. The instantaneous
       adhesive closure strip is permanent and impossible to
       open without destroying the seal. A border pattern around
       the edge of the bag reveals any attempt at cutting or
       tampering with evidence.”
  See also the work of SWDGE (Scientific Working Group on
   Digital Evidence) and IOCE (International Organization on
   Computer Evidence)
Gathering Evidence
  Bit Stream Copy
    - Bit by bit copy of the original drive or storage medium
    - Bit stream image is the file containing the bit stream copy
      of all data on a disk
  Using ProDiscover to acquire a thumb drive
    - On a thumb drive locate the write protect switch and place
      drive in write protect model
    - Start ProDiscover
    - Click Action, Capture Image from menu
    - Click Save
    - Write name of technician
    - Use hash algorithms for security
    - Click OK
    - See also discussion in lecture 4
Analyzing Evidence
  Start ProDiscover
  Create new file
  Click on image file to be analyzed
  Search for keywords, patterns and enter patterns to be
  Click report and export file
  Details in Chapter 2
Understanding the Rules of Evidence
  Federal rules of evidence; each state also may have its own
   rules of evidence
     - www.usdoj.gov
  Computer records are in general hearsay evidence unless
   they qualify as business records
     - Hearsay evidence is second hand or indirect evidence
     - Business records are records of regularly conducted
       business activity such as memos, reports, etc.
  Computer records consist of computer generated records and
   computer stored records
  Computer generated records include log files while computer
   stored records are electronic data
  Al computer records must be authentic
Private sector incident scenes

   Corporate investigations
     - Employee termination cases, Attorney-Client privilege
        investigations, Media leak investigations, Industrial
        espionage investigations
   Private sector incident scenes
      - Private section includes private corporations and
        government agencies not involved with law enforcement
      - They must comply with state public disclosure and federal
        Freedom of Information act and make certain documents
        available as public records
      - Law enforcement is called if needed (if the investigation
        becomes a criminal investigation)
Law Enforcement crime Scenes

  A law enforcement officer may seize criminal evidence only
   with probable cause
     - A specific crime was committed
     - Evidence of the crime exists
     - Place to searched includes the evidence
  The forensics team should know about the terminology used
   in warrants
  To prepare for a search and carry out an investigation the
   following steps have to be carried out
     - Identifying the nature of the case, the type of computing
       system, determine whether computer can be seized,
       identify the location, determine who is in charge,
       determine the tools
Steps to processing crime and incident scenes
(Details in Chapter 5)

  Seizing a computer incident or crime scene
  Sizing the digital evidence at crime scene
  Storing the digital evidence
  Obtaining a digital hash
  Conducting analysis and reporting
Case Study (Chapter 5)

  Company A (Mr. Jones) gets an order for widgets from
   Company B. When the order is ready, B says it did not place
   the order. A then retrieves the email sent by B. B states it did
   not send the email. What should A do?
  Steps to carry out
     - Close Mr. Jones Outlook
     - User windows explorer to locate Outlook PST that has
       Mr.,. Jones business email
     - Determine the size of PST and connect appropriate media
       device (e.g. USB)
     - Copy PST into external USB
     - Fill out evidence form – date/time etc.
     - Leave company A and return to the investigation desk and
       carry out the investigation (see previous lectures)
Other Topics: Forensics technologies

  Forensics Technology
    - Military, Law Enforcement, Business Forensics
  Forensics Techniques
    - Finding Hidden Data, Spyware, Encryption, Data
      Protection, Tracing, Data Mining
  Security Technologies
    - Wireless, Firewalls, Biometrics
Military Forensics

  CFX-2000: Computer Forencis Experiment 2000
    - Information Directorate (AFRL) partnership with
    -   Hypothesis: possible to determine the motives, intent,
        targets, sophistication, identity and location of cyber
        terrorists by deploying an integrated forensics analysis
    -   Tools included commercial products and research
    -   http://www.afrlhorizons.com/Briefs/June01/IF0016.html
    -   http://rand.org/pubs/monograph_reports/MR1349/MR1349.
Law Enforcement Forensics
  Commonly examined systems: Windows NT, Windows 2000,
   XP and 2003
  Preserving evidence
     - Mirror image backups: Safe Back technology from New
       Technologies Inc.
  Tools to handle
     - Trojan Horse programs / File slacks
     - Data Hiding Techniques
          AnaDisk analyzes diskettes
          COPYQM duplicates diskettes

     - E-Commerce investigation: Net Threat Analyzer
     - Text search: TextSearch Plus tool
     - Fuzzy logic/data mining tools to identify unknown text
          Intelligent Forensics Filter
Business Forensics

  Remote monitoring of target computers
    - Data Interception by Remote Transmission (DIRT) from
      Codex Data Systems
  Creating trackable electronic documents
  Theft recovery software for laptops and PCs
    - PC Phonehome tool
    - RFID technology
Forensics Techniques

  Techniques for finding, preserving and preparing evidence
  Finding evidence is a complex process as the forensic expert
   has to determine where the evidence resides
     - Evidence may be in files, evidence may be in disks,
       evidence may be on paper. Need to track all types of
  Preserving evidence includes ensuring that the evidence is
   not tampered with
     - Involves pre-incident planning and training in incident
       discovery procedures’ If the machine is turned on, leave it
       on; do not run programs on that particular computer
  Preparing evidence will include data recovery,
   documentation, etc.
Finding Hidden Data

  When files are deleted, usually they can be recovered
  The files are marked as deleted, but they are still residing in
   the disk until they are overwritten
  Files may also be hidden in different parts of the disk
  The challenge is to piece the different part of the file together
   to recover the original file
  There is research on using statistical methods for file
  http://www.cramsession.com/articles/files/finding-hidden-
  http://www.devtarget.org/downloads/ca616-seufert-

  Spyware is computer software that is installed surreptitiously
   on a personal computer to intercept or take partial control
   over the user's interaction with the computer, without the
   user's informed consent.
     - http://en.wikipedia.org/wiki/Spyware
  Spyware is mostly advertising supported software (adware)
  Shareware authors place ads from media company and get a
   piece if the revenue
  PC surveillance tools that allow a user to nominate computer
     - Keystroke capture, snapshots, email logging, chats etc.
  Privacy concerns with spyware
  Popular Encryption techniques
    - Public key/ Private Key
  Owner of the data encrypts with the public key of the receiver;
   Receiver decrypts with his private key
  In some cases owner may encrypt with his private key for
   multiple receiver. Receiver will decrypt with the owner’s
   public key
  Merkle Hash is a popular method to hash documents; one
   way hash function
  Challenge is to generate unique keys
  Issues: Trusted authority to generate keys and credentials
Internet/Web Tracing

  Where has the email come from
    - Check IP address
    - Sender may use fake address by changing fields; sending
       server may not check this and so the mail is sent
  Tracing web activity
  Who has logged into the system say from a public web site
   and modified accounts and grades?
  Web/email tracking tools
     - http://www.cryer.co.uk/resources/websitetracking.htm
     - http://www.visualware.com/resources/tutorials/email.html
Wireless Technology Forensics
 Forensic Examination of a RIM (BlackBerry) Wireless Device
   -   “There are two types of RIM devices within each model class. The Exchange Edition is meant
       for use in a corporate environment while the Internet Edition works with standard POP email
       accounts. The Exchange Edition employs Triple-DES encryption to send and receive but the
       Internet Edition communicates in clear text. Neither employs an encrypted files system”

 Relevance of RIM forensics
   -   “The RIM device shares the same evidentiary value as any other Personal Digital Assistant
       (PDA). As the investigator may suspect of most file systems, a delete is by no means a total
       removal of data on the device. However, the RIM’s always-on, wireless push technology adds
       a unique dimension to forensic examination. Changing and updating data no longer requires a
       desktop synchronization. In fact, a RIM device does not need a cradle or desktop connection
       to be useful. The more time a PDA spends with its owner, the greater the chance is that it will
       more accurately reflect and tell a story about that person. Thus, the RIM’s currently
       unsurpassed portability is the examiner’s greatest ally”
Wireless Technology Forensics - 2
  The Hardware
    -   The RIM device is designed around an Intel 32-bit i386 processor, a low power embedded
        version of the same processor that used to power a desktop PC. Each unit has 512 KB of
        SRAM and 4 or 5 MB of Flash RAM, depending on the model. The RIM’s SRAM is
        analogous to the RAM on a desktop and the Flash memory is the “disk space” used to
        store the Operating System (OS), applications, and the file system. The RIM’s OS is a
        single executable named PAGER.EXE and the applications are DLL’s.

  Toolbox
    -   BlackBerry Desktop Software available free at www.blackberry.com; BlackBerry C++
        Software Development Kit v2.1 available free at www.blackberry.com; • Hex editor; • Text
        editor; • AA batteries; • Spare BlackBerry Cradles
    -   The examination PC should meet the minimum requirements for the BlackBerry Software
        Development Kit (SDK) and have two available external 9-pin RS232 serial ports. Disk
        space required for evidence gathering is minimal: space equal to the amount of Flash
        RAM in the RIM units being investigated.
Firewall Forensics
  http://www.linuxsecurity.com/resource_files/firewalls/firewall-
  Analyzing firewall logs, especially what port numbers etc.
   mean?. May use this information to help figure out what
   hackers are up to.
    -   What does destination port number ZZZZ mean?

    -   What does this ICMP info mean?
    -   What do these IP addresses indicate?

    -   Stuff doesn't work
    -   What are some typical signatures of well-known programs?
    -   What do these other logs mean?
    -   How do I configure filters?

    -   Packet Zen
    -   What's the deal with NetBIOS (UDP port 137)?
Biometrics Forensics: Richard Vorder Bruegge
  http://www.biometrics.org/bc2004/Bios/vorderbruegge_bio_OK.pdf

  http://www.biometrics.org/bc2004/Presentations/Conference/2%20Tuesday%
  It often happens that people confuse biometrics and forensics. After all, television
   and movies make it look like automated biometrics databases can be used to
   identify and convict people all the time. Isn't that what forensics is all about?
   Unfortunately, this can have an adverse affect on the development of forensic tools
   which utilize biometric features, because those in position to make funding
   decisions may not understand the distinction between the two. This presentation
   will attempt to provide the audience with a better understanding of the relationship
   between biometrics and forensics from the standpoint of a forensic scientist.
Biometrics Forensics: Richard Vorder Bruegge
  Advances in the field of biometrics offers great potential for the field of forensics.
   Biometric databases offer the promise of enabling law enforcement and the
   intelligence community to rapidly identify questioned individuals if they are present
   in the queried database. However, obtaining a "hit" in a biometric database is a far
   cry from an identification in the world of forensic science. The standard of proof to
   which forensic scientists in the United States are held is "beyond a reasonable
   doubt". That "reasonable doubt" criteria, coupled with standards for scientific and
   technical evidence elucidated in the "Daubert" and "Kumho Tire" cases, require that
   conclusions offered by forensic scientists be supported at beyond that offered by
   current biometric systems, particularly in the field of facial recognition.
  http://forensic-evidence.com/site/ID/ID_prime_qd.html
   Reviewing Court Approves of Fingerprint Admissibility
Review Questions (Lectures 1, 3-7)

   Describe what is meant by digital forensics
   Describe the steps for a forensic investigation
   Describe how Data is Acquired in a Forensics Investigation
   Describe the process of constructing a forensic lab
   Describe data recovery in a forensic investigation
   Describe verification aspects of a forensic investigation
   Describe for malicious code may be detected in a machine
   Describe techniques for digital forensics analysis
   Describe the steps involved in processing a crime scene
   Describe the rules of evidence
   Describe forensics technologies

To top