

Digital Forensics

Dr. Bhavani Thuraisingham
The University of Texas at Dallas

Network and Application Forensics

October 8, 2010
Network Forensics
  Network Forensics
    - Network Attacks
    - Security Measures
    - Network Forensics and Tools
    - Types of Networks
    - Other info
  Summary/Conclusion and Links
  Special presentation on network forensics
  http://www.infragard.net/library/congress_05/computer_foren
Network Attacks
  Denial of service
   Denial of service attacks cause the service or program to cease functioning
   or prevent others from making use of the service or program.
  These may be performed at the network layer by sending carefully crafted
   and malicious datagrams that cause network connections to fail.
  They may also be performed at the application layer, where carefully crafted
   application commands are given to a program that cause it to become
   extremely busy or stop functioning.
  Preventing suspicious network traffic from reaching hosts and preventing
   suspicious program commands and requests are the best ways of minimizing
   the risk of a denial of service attack.
  It is useful to know the details of the attack method, so you should educate
   yourself about each new attack as it gets publicized.
Network Attacks
  Spoofing
   This type of attack causes a host or application to mimic the actions of
  Typically the attacker pretends to be an innocent host by following IP
   addresses in network packets.
  For example, a well-documented exploit of the BSD rlogin service can use
   this method to mimic a TCP connection from another host by guessing TCP
   sequence numbers.
  To protect against this type of attack, verify the authenticity of datagrams
   and commands.
  Prevent datagram routing with invalid source addresses. Introduce
   unpredictability into connection control mechanisms, such as TCP sequence
   numbers and the allocation of dynamic port addresses.
Network Attacks
  Eavesdropping
   This is the simplest type of attack.
  A host is configured to "listen" to and capture data not belonging to it.
   Carefully written eavesdropping programs can take usernames and
   passwords from user login network connections.
  Broadcast networks like Ethernet are especially vulnerable to this type of
  To protect against this type of threat, avoid use of broadcast network
   technologies and enforce the use of data encryption.
  IP firewalling is very useful in preventing or reducing unauthorized access,
   network layer denial of service, and IP spoofing attacks.
  It is not very useful in preventing exploitation of weaknesses in network
   services or programs, or in preventing eavesdropping.
Securing a Network

  Need measures to secure a network and prevent breaches
  Apply patches; use a layered network defense strategy
  NSA (National Security Agency) has developed DiD (Defense
   in Depth) and has three models of protection
    -  People, Technology, Operations
     - People: Employees are trained well
     - Technology: Strong network architecture and testing
    -  Operations: applying security patches, anti-virus
       software, etc.
Network Security Mechanisms
  Network security starts from authenticating any user, most likely a
   username and a password.
  Once authenticated, a stateful firewall enforces access policies such
   as what services are allowed to be accessed by the network users
  Though effective to prevent unauthorized access, this component
   fails to check potentially harmful contents such as computer worms
   being transmitted over the network.
  An intrusion prevention system (IPS) helps detect and prevent such
   malware. IPS also monitors for suspicious network traffic for
   contents, volume and anomalies to protect the network from attacks
   such as denial of service.
  Communication between two hosts using the network could be
   encrypted to maintain privacy.
  Individual events occurring on the network could be tracked for
   audit purposes and for a later high level analysis.
Network Security Mechanisms
  Honeypots, essentially decoy network-accessible resources,
   could be deployed in a network as surveillance and early-
   warning tools.
  Techniques used by the attackers that attempt to compromise
   these decoy resources are studied during and after an attack
   to keep an eye on new exploitation techniques.
  Such analysis could be used to further tighten security of the
   actual network being protected by the honeypot
  Some tools: Firewall, Antivirus software and Internet Security
   Software. For authentication, use strong passwords and
   change it on a bi-weekly/monthly basis. When using a
   wireless connection, use a robust password. Network
   analyzer to monitor and analyze the network.
Network Forensics

  What is Network Forensics?
    - http://searchsecurity.techtarget.com/sDefinition/0,,sid14_
  Network Forensics Analysis
  Relationship to Honeynets/Honeypots
  Policies for Networks Forensics
  Example Prototype System
  Some Popular Networks Forensics Analysis Tools (NFAT)
What is Network Forensics
 Network forensics is the process of capturing information that
  moves over a network and trying to make sense of it in some
  kind of forensics capacity.
    - Network forensics is the capture, recording, and analysis
       of network events in order to discover the source of
       security attacks or other problem incidents.
 A network forensics appliance is a device that automates this
 Wireless forensics is the process of capturing information
  that moves over a wireless network and trying to make sense
  of it in some kind of forensics capacity.
What is Network Forensics?

  Network forensics systems can be one of two kinds:
    - "Catch-it-as-you-can" systems, in which all packets
        passing through a certain traffic point are captured and
        written to storage with analysis being done subsequently
        in batch mode. This approach requires large amounts of
        storage, usually involving a RAID system.
    -   "Stop, look and listen" systems, in which each packet is
        analyzed in a rudimentary way in memory and only certain
        information saved for future analysis. This approach
        requires less storage but may require a faster processor
        to keep up with incoming traffic.
What is Network Forensics

  Network Forensics is the process of collecting and analyzing
   raw network data and then tracking network traffic to
   determine how an attack took place
  When intruders break into a network they leave a trail. Need to
   spot variations in network traffic; detect anomalies
  Network forensics can usually help to determine whether
   network has been attacked or there is a user error
  Examiners must establish standards procedures to carry out
Network Analysis

  Find analysis techniques developed for one type of network
   and apply them to another type of network
  Types of networks
     - Computer and Communication Networks
    -  Telecommunication Network
     - Transportation networks
          Highways, Railroad, Air Traffic
     - Human networks
          Terror networks, Relationship networks
Network Forensics Analysis Tools (NFAT):
Relationships between IDS, Firewalls and NFAT
  IDS attempts to detect activity that violates an organization’s
   security policy by implementing a set of rules describing
   preconfigured patterns of interest
  Firewall allows or disallows traffic to or from specific
   networks, machine addresses and port numbers
  NFAT synergizes with IDSs and Firewalls.
     - Preserves long term record of network traffic
     - Allows quick analysis of trouble spots identified by IDSs
       and Firewalls
  NFATs must do the following:
     - Capture network traffic
     - Analyze network traffic according to user needs
     - Allow system users to discover useful and interesting things
       about the analyzed traffic
NFAT Tasks
  Traffic Capture
    - What is the policy?
    - What is the traffic of interest?
    - Internal/External?
    - Collect packets: tcpdump
  Traffic Analysis
    - Sessionizing captured traffic (organize)
    - Protocol Parsing and analysis
         Check for strings, use expert systems for analysis
  Interacting with NFAT
     - Appropriate user interfaces, reports, examine large
       quantities of information and make it manageable
Network Forensics: NetworkMiner
  NetworkMiner is a Network Forensic Analysis Tool (NFAT) for
  NetworkMiner can be used as a passive network
   sniffer/packet capturing tool in order to detect operating
   systems, sessions, hostnames, open ports etc. without
   putting any traffic on the network.
  The purpose of NetworkMiner is to collect data (such as
   forensic evidence) about hosts on the network rather than to
   collect data regarding the traffic on the network.
  The main view is host centric (information grouped per host)
   rather than packet centric (information showed as a list of

  Network Forensics and honeynet systems have the same
   features of collecting information about computer misuses
  Honeynet system can lure attackers and gain information
   about new types of intrusions
  Network forensics systems analyze and reconstruct the attack
  These two systems integrated together build an active self
   learning and response system to profile the intrusion
   behavior features and investigate the original source of the
Honeynet project

  Honeynet project was established to make information about
   network attacks and solutions widely available
  Objectives: Awareness, information, tools
  Attacks: distributed Denial of Service, Zero day attacks
  Honeypot is a computer set up to lure attackers
  Honeywalls are computers set up to monitor what is
   happening to the honeypots in the network
Policies: Computer Attack Taxonomy
  Probing
    - Attackers reconnaissance
    - Attackers create a profile of an organization's structure,
      network capabilities and content, security posture
    - Attacker finds the targets and devises plans to circumvent
      the security mechanism
  Penetration
    - Exploit System Configuration errors and vulnerabilities
    - Install Trojans, record passwords, delete files, etc.
  Cover tracks
    - Configure event logging to a previous state
    - Clear event logs and hide files
Policies to enhance forensics

   Retaining information
   Planning the response
   Training
   Accelerating the investigation
   Preventing anonymous activities
   Protect the evidence
Example Prototype System: Iowa State University
  Network Forensics Analysis mechanisms should meet the
     - Short response times; User friendly interfaces
  Questions addressed
     - How likely is a specific host relevant to the attack? What
       is the role the host played in the attack? How strong are
       two hosts connected to the attack?
  Features of the prototype
    -  Preprocessing mechanism to reduce redundancy in
       intrusion alerts
     - Graph model for presenting and interacting with the
    -  Hierarchical reasoning framework for automated inference
       of attack group identification
Example Prototype System: Modules
  Evidence collection module
  Evidence preprocessing module
  Attack knowledge base
  Assets knowledge base
  Evidence graph generation module
  Attack reasoning module
  Analyst interface module
  Reference
  http://delivery.acm.org/10.1145/1420000/1410238/a4-
  https://www.dfrws.org/2005/proceedings/wang_evidencegrap
Network Tools

  Network Forensics tools help in the monitoring of the network
  Example: the records that Ps tools generate can prove that an
   employee ran a program without permission
  Can also monitor machines/processes that may be harmful
  Problem is the attacker can get administrator rights and start
   using the tools
  Chapter 11 discusses tools for Windows and Linux
Some Popular Tools

  Raytheon’s SilentRunner
    - Gives administrators help as they attempt to protect their
       company’s assets
     - Collector, Analyzer and Visualizer modules
  Sandstorm Enterprise’s NetIntercept
     - Hardware appliance focused on capturing network traffic
  Niksun’s NetDetector
     - It's an appliance like NetIntercept
    -  Has an alerting mechanism
     - Integrates with Cisco IDS for a complete forensic analysis
Network Forensics: Open Source Tools
 Open source tools
   - Wireshark
   - Kismet
   - Snort
   - OSSEC
   - NetworkMiner is an open source Network Forensics Tool
       available at SourceForge.
   -   Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols
       supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP,
       IPv4, IPv6
Network Forensics: Commercial Tools
  Deep Analysis Tools (data mining based tools)
    - E-Detective
    - ManTech International Corporation
    - Network Instruments
    - NIKSUN's NetDetector
    - PacketMotion
    - Sandstorm's NetIntercept
    - Mera Systems NetBeholder
    - InfoWatch Traffic Monitor
Network Forensics: Commercial Tools
  Flow-Based Systems
    - Arbor Networks
    - GraniteEdge Networks
    - Lancope http://www.lancope.com/
    - Mazu Networks http://www.mazunetworks.com/
  Hybrid Systems
    - These systems combine flow analysis, deep analysis, and
        security event monitoring and reporting.
    -   Q1 Labs http://www.q1labs.com/
Performing Live Acquisitions

  Insert bootable forensics CD in the suspect system
  Keep a log of all the actions
  Send collected information to a network drive
  Copy the physical memory
  Determine if root kit is present; access system’s firmware, - -
  Get forensics hash value of all files
Performing Live Acquisitions: Windows

  Setup NetCat listener to send the forensics data
  Load Helix CD in the CD-ROM drive
  Click appropriate buttons – System Information; Glad arrow
  Click Acquire Live Image if Windows System
  Connect to NetCat listener to send the collected data (e.g.,
   enter IP address of NetCat listener)
  Click Incidence Response Tools
  Click on appropriate tools to collect data
Standard procedures

  Standard installation image, hash schemes (e.g., MD5, SHA-1)
  Fix vulnerabilities if intrusion is detected
  Retrieve volatile data (RAM, processes)
  Acquire compromised drive and make forensics image of it
  Compare forensics image and standard image and determine
   if anything has changed
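The last step above (hash the standard installation image, hash the acquired forensic image, and report what changed) is mechanical enough to script. The following is an added example, not code from the lecture; it assumes both images have been mounted read-only as directory trees and stands in for them with two constructed temporary directories. The hash algorithm is a parameter so MD5 or SHA-1, as named on the slide, can be used where an existing manifest requires it.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large files from an image need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root, algorithm="sha256"):
    """Manifest {relative path: digest} for every regular file below root (symlinks skipped)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path, algorithm)
    return manifest


def compare_manifests(baseline, acquired):
    """Classify every path as added, removed, modified or unchanged relative to the baseline."""
    common = set(baseline) & set(acquired)
    return {
        "added": sorted(set(acquired) - set(baseline)),
        "removed": sorted(set(baseline) - set(acquired)),
        "modified": sorted(p for p in common if baseline[p] != acquired[p]),
        "unchanged": sorted(p for p in common if baseline[p] == acquired[p]),
    }


def demo(algorithm="sha256"):
    """Build two constructed trees standing in for the mounted images and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        standard, acquired = Path(tmp, "standard"), Path(tmp, "acquired")
        for tree in (standard, acquired):
            (tree / "etc").mkdir(parents=True)
            (tree / "bin").mkdir()
            (tree / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (standard / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (acquired / "bin" / "ls").write_bytes(b"replaced ls binary (constructed)")
        (standard / "etc" / "shadow").write_text("root:*:15000:0:99999:7:::\n")  # absent on acquired
        (acquired / "tmp").mkdir()
        (acquired / "tmp" / ".hidden").write_bytes(b"unexpected new file (constructed)")
        return compare_manifests(hash_tree(standard, algorithm), hash_tree(acquired, algorithm))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>9}: {paths}")
```

In practice the baseline manifest is produced once from the standard image and stored with the hash algorithm recorded, so that a later comparison against an acquired drive can be reproduced by another examiner.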
Network Logs

  Network logs record traffic in and out of network
  Network servers, routers, firewalls record activities and
   events that move through them
  One way is to run Tcpdump
  When viewing network log, port information can give clues
   about suspicious activity
  Use network analysis tool
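The NFAT tasks listed earlier (collect packets with tcpdump, sessionize the captured traffic, then look at port information for clues) can be shown end to end on a handful of log lines. The following is an added example, not code from the lecture or from any tool it names; the input is a constructed set of lines in the style of `tcpdump -n` output, and the session summaries keep only counters rather than the packets themselves, in the "stop, look and listen" style described above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of `tcpdump -n` output; not a real capture.
SAMPLE_LOG = """\
10:00:01.000100 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], seq 100, length 0
10:00:01.000300 IP 192.168.1.10.22 > 10.0.0.5.51234: Flags [S.], seq 200, ack 101, length 0
10:00:01.000500 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [.], ack 201, length 0
10:00:01.200000 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [P.], seq 101:141, ack 201, length 40
10:00:02.000000 IP 10.0.0.9.40000 > 192.168.1.10.445: Flags [S], seq 1, length 0
10:00:02.000200 IP 192.168.1.10.445 > 10.0.0.9.40000: Flags [R.], seq 0, ack 2, length 0
10:00:03.000000 IP 10.0.0.9.40001 > 192.168.1.11.445: Flags [S], seq 1, length 0
10:00:03.000200 IP 192.168.1.11.445 > 10.0.0.9.40001: Flags [R.], seq 0, ack 2, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump-style TCP line into a packet dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    h, mi, s = m["ts"].split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": set(m["flags"]),          # 'S', '.', 'P', 'R', 'F' as single characters
        "length": int(m["length"]),
    }


def session_key(pkt):
    """Direction-independent key so both halves of a connection land in one session."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def sessionize(text):
    """Group packets into sessions, keeping only summary counters per session."""
    sessions = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = session_key(pkt)
        s = sessions.get(key)
        if s is None:
            # The first packet seen defines client/server roles (a SYN in a clean capture).
            s = sessions[key] = {
                "client": pkt["src"], "server": pkt["dst"], "server_port": pkt["dport"],
                "packets": 0, "bytes": 0, "first": pkt["ts"], "last": pkt["ts"], "flags": set(),
            }
        s["packets"] += 1
        s["bytes"] += pkt["length"]
        s["last"] = max(s["last"], pkt["ts"])
        s["flags"] |= pkt["flags"]
    return sessions


def port_summary(sessions):
    """Sessions per server port: the first thing to read when looking for odd activity."""
    counts = defaultdict(int)
    for s in sessions.values():
        counts[s["server_port"]] += 1
    return dict(counts)


def reset_sessions(sessions):
    """Sessions that saw a RST and carried no payload: refused or probed connections."""
    return sorted(
        (s["client"], s["server"], s["server_port"])
        for s in sessions.values()
        if "R" in s["flags"] and s["bytes"] == 0
    )


def client_fanout(sessions):
    """Distinct servers contacted per client; a sudden jump is worth a closer look."""
    seen = defaultdict(set)
    for s in sessions.values():
        seen[s["client"]].add(s["server"])
    return {c: len(v) for c, v in seen.items()}


if __name__ == "__main__":
    S = sessionize(SAMPLE_LOG)
    print(port_summary(S), reset_sessions(S), client_fanout(S))
```

On the constructed lines the session to port 22 completes and carries data, while the two sessions to port 445 are reset with no payload; the port summary and the reset list are exactly the "clues about suspicious activity" the slide refers to, and they survive even when the packets themselves are not stored.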
Packet Sniffers

  Devices or software to monitor (sniff) traffic
  TCP/IP sniffers operate at the Packet level; in OSI operates at
   the Layer 2 or 3 level (e.g. Data link or Network layers)
  Some sniffers perform packet captures, some perform
   analysis and some perform both
  Tools exist for examining (i) packets with certain flags set (ii)
   email headers (iii) IRC chats
  Network Forensics is the process of collecting and analyzing
   raw network data and then tracking network traffic to
   determine how an attack took place
  Layered defense strategies to the network architecture
  Live acquisitions are needed to retrieve volatile items
  Standard procedures are needed to establish how to proceed
   after a network attack occurs
  By monitoring network traffic can establish normal
   operations; then determine if there is an anomaly
  Network tools used to monitor networks; but intruders can
   get admin rights to attack from the inside
  Tools are available for monitoring network traffic for both
   Windows and Linux systems
  Honeynet project enables people to learn latest intrusion
  https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf
  http://www.cs.fsu.edu/~yasinsac/Papers/MY01.pdf
  http://www.sandstorm.net/support/netintercept/downloads/ni-
  http://www.giac.org/certified_professionals/practicals/gsec/2478.php
  http://www.infragard.net/library/congress_05/computer_forensics/net
  http://dfrws.org/2003/presentations/Brief-Casey.pdf
  http://delivery.acm.org/10.1145/1070000/1066749/p302-
  http://dfrws.org/
Application Forensics

  Email Forensics
    - UTD work on Email worm detection - revisited
    - Mobile System Forensics
    - Note: Other Application/systems related forensics
         Database  forensics, Network forensics (already
  Military Forensics Overview
  Optional paper to read:
    - http://www.mindswap.org/papers/Trust.pdf
Email Forensics

  Email Investigations
  Client/Server roles
  Email crimes and violations
  Email servers
  Email forensics tools
Email Investigations

  Types of email investigations
    - Emails have worms and viruses – suspicious emails
    - Checking emails in a crime – homicide
  Types of suspicious emails
    - Phishing emails - they are in HTML format and redirect to
        suspicious web sites
    -   Nigerian scam
    -   Spoofing emails
Client/Server Roles

  Client-Server architecture
  Email servers runs the email server programs – example
   Microsoft Exchange Server
  Email runs the client program – example Outlook
  Identification/authentication is used for the client to access the
  Intranet/Internet email servers
     - Intranet – local environment
    -  Internet – public: example: yahoo, hotmail etc.
Email Crimes and Violations

  Goal is to determine who is behind the crime such as who
   sent the email
  Steps to email forensics
     - Examine email message
    -  Copy email message – also forward email
     - View and examine email header: tools available for
       outlook and other email clients
     - Examine additional files such as address books
    -  Trace the message using various Internet tools
    -  Examine network logs (netflow analysis)
          Note: UTD Netflow tools SCRUB are in SourceForge
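Two of the steps above, viewing the header and tracing the message, come down to reading the Received chain from the bottom up and comparing the sender-related headers against each other. The following is an added example, not code from the lecture or from any of the tools it lists; the message is constructed with documentation addresses (RFC 5737 IP ranges, .test and .example names) and mirrors the slide's description of a phishing email (HTML body redirecting to a suspicious site).

```python
import email
import email.utils
import re

# Constructed message; every address and host name is a documentation placeholder.
SAMPLE_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
    by mail.example-corp.test with ESMTP id abc123;
    Mon, 4 Oct 2010 09:15:02 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example-corp.test with ESMTP id def456;
    Mon, 4 Oct 2010 09:14:58 -0500
Received: from [203.0.113.42] (unknown [203.0.113.42])
    by relay.example.net with SMTP id ghi789;
    Mon, 4 Oct 2010 09:14:50 -0500
Return-Path: <bounce@mailbox.example.org>
From: "Payroll" <payroll@example-corp.test>
Reply-To: payroll-update@mailbox.example.org
To: alice@example-corp.test
Subject: Updated payroll form
Message-ID: <20101004091450.ghi789@relay.example.net>
Content-Type: text/html

<html><body><a href="http://203.0.113.42/login">Verify your details</a></body></html>
"""

RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby (?P<by>\S+)"
)


def received_chain(raw):
    """Hops the message passed through, oldest first (headers are stacked newest on top)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"from": m["helo"], "ip": m["ip"], "by": m["by"].rstrip(";")})
    return hops


def _domain(header_value):
    address = email.utils.parseaddr(header_value)[1]
    return address.rpartition("@")[2].lower()


def header_indicators(raw):
    """Header/body checks worth examining before trusting the visible sender."""
    msg = email.message_from_string(raw)
    found = []
    from_domain = _domain(msg.get("From", ""))
    return_domain = _domain(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        found.append("return-path-domain-mismatch")
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != from_domain:
        found.append("reply-to-domain-mismatch")
    if msg.get_content_type() == "text/html":
        found.append("html-body")
        if re.search(r'href="https?://\d{1,3}(?:\.\d{1,3}){3}', msg.get_payload()):
            found.append("link-to-raw-ip")
    chain = received_chain(raw)
    if chain and chain[0]["from"].startswith("["):
        found.append("origin-announced-as-bare-ip")   # oldest hop had no host name
    return found


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_EMAIL):
        print(f"{hop['from']:<24} {hop['ip']:<16} -> {hop['by']}")
    print(header_indicators(SAMPLE_EMAIL))
```

Only the Received line added by your own server can be trusted as written; the ones below it were supplied by whoever handed the message on, which is why the chain is read from the bottom up and the earliest hop's IP is what gets traced with the Internet tools mentioned in the next step.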
Email Servers

  Need to work with the network administrator on how to
   retrieve messages from the server
  Understand how the server records and handles the
  How are the email logs created and stored?
  How are deleted email messages handled by the server? Are
   copies of the messages still kept?
  Chapter 12 discussed email servers by UNIX, Microsoft,
Email Forensics Tools

  Several tools for Outlook Express, Eudora Exchange, Lotus
  Tools for log analysis, recovering deleted emails,
  Examples:
    - AccessData FTK
    - EDBXtract
    - MailRecovery
Worm Detection: Introduction
  What are worms?
    - Self-replicating program; exploits a software vulnerability on a victim;
      remotely infects other victims
  Evil worms
    - Severe effect; Code Red epidemic cost $2.6 Billion
  Goals of worm detection
    - Real-time detection
  Issues
    - Substantial volume of identical traffic, random probing
  Methods for worm detection
    - Count number of sources/destinations; count number of failed connections
  Worm Types
    - Email worms, Instant Messaging worms, Internet worms, IRC worms, File-
      sharing Networks worms
  Automatic signature generation possible
    - EarlyBird System (S. Singh - UCSD); Autograph (H. Ah-Kim - CMU)
Email Worm Detection using Data Mining
  Given some training instances of both "normal" and "viral" emails,
   induce a hypothesis to detect "viral" emails.
  We used: Naïve Bayes, SVM
  [Figure: The Model - training data -> learning -> classifier;
   test data -> classifier -> "Clean or Infected?"]
   Features are based on outgoing emails.

   Different users have different “normal” behaviour.

   Analysis should be per-user basis.

   Two groups of features
     -   Per email (#of attachments, HTML in body,
         text/binary attachments)
     -   Per window (mean words in body, variable words
         in subject)
   Total of 24 features identified

   Goal: Identify “normal” and “viral” emails based on
    these features
Feature sets

  -   Per email features
        Binary valued Features
            Presence of HTML; script tags/attributes; embedded
              images; hyperlinks;
            Presence of binary, text attachments; MIME types of file
        Continuous-valued Features
            Number of attachments; Number of words/characters in
              the subject and body
  -   Per window features
        Number of emails sent; Number of unique email recipients;
          Number of unique sender addresses; Average number of
          words/characters per subject, body; average word length:;
          Variance in number of words/characters per subject, body;
          Variance in word length
        Ratio of emails with attachments
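The two feature groups above (per email, and per window of a user's outgoing mail) are easier to reason about once written out as functions. The following is an added example, not the classifier or feature code from the UTD work; the mail records are constructed, the set of features is a representative subset of the 24 listed rather than all of them, and the window is computed per user, as the slides require, so that each user's own "normal" is the baseline.

```python
import re
import statistics
from collections import defaultdict

# Constructed outgoing mail records for one user; not from the UC Berkeley data set.
OUTGOING = [
    {"user": "alice", "to": ["bob@corp.test"], "subject": "Lunch tomorrow?",
     "body": "Are you free at noon?", "attachments": []},
    {"user": "alice", "to": ["bob@corp.test", "carol@corp.test"], "subject": "Q3 report",
     "body": "Attached is the Q3 report for review.", "attachments": [("q3.pdf", "application/pdf")]},
    {"user": "alice", "to": ["carol@corp.test"], "subject": "Re: Q3 report",
     "body": "Thanks, looks good.", "attachments": []},
]

# Constructed worm-style message: HTML body with script, binary attachment, many recipients.
WORM_STYLE = {"user": "alice", "to": [f"user{i}@corp.test" for i in range(20)],
              "subject": "Check this out",
              "body": "<html><body><script src='a.js'></script>See attachment</body></html>",
              "attachments": [("photo.exe", "application/octet-stream")]}

TAG_RE = re.compile(r"<[^>]+>")


def _words(text):
    return TAG_RE.sub(" ", text).split()


def per_email_features(mail):
    """Binary and continuous features of a single outgoing message."""
    body, attachments = mail["body"], mail["attachments"]
    words_body = _words(body)
    return {
        "has_html": bool(re.search(r"<html|<body|<a\s", body, re.I)),
        "has_script": bool(re.search(r"<script|\bon\w+\s*=", body, re.I)),
        "has_hyperlink": bool(re.search(r"https?://|<a\s", body, re.I)),
        "has_binary_attachment": any(not mime.startswith("text/") for _, mime in attachments),
        "has_text_attachment": any(mime.startswith("text/") for _, mime in attachments),
        "n_attachments": len(attachments),
        "n_recipients": len(mail["to"]),
        "words_subject": len(mail["subject"].split()),
        "words_body": len(words_body),
        "mean_word_length": statistics.fmean(map(len, words_body)) if words_body else 0.0,
    }


def window_features(mails):
    """Aggregate features over a window of one user's consecutive outgoing messages."""
    per = [per_email_features(m) for m in mails]
    body_counts = [p["words_body"] for p in per]
    recipients = {r for m in mails for r in m["to"]}
    return {
        "emails_sent": len(mails),
        "unique_recipients": len(recipients),
        "mean_words_body": statistics.fmean(body_counts),
        "var_words_body": statistics.pvariance(body_counts),
        "attachment_ratio": sum(p["n_attachments"] > 0 for p in per) / len(per),
        "script_ratio": sum(p["has_script"] for p in per) / len(per),
    }


def per_user_windows(mails, size):
    """Sliding windows per user, because each user has their own notion of 'normal'."""
    by_user = defaultdict(list)
    for m in mails:
        by_user[m["user"]].append(m)
    return {u: [window_features(ms[i:i + size]) for i in range(len(ms) - size + 1)]
            for u, ms in by_user.items()}


if __name__ == "__main__":
    print(per_email_features(WORM_STYLE))
    for w in per_user_windows(OUTGOING + [WORM_STYLE], 2)["alice"]:
        print(w)
```

The window statistics are what a classifier is trained on; when the worm-style message enters the window, unique recipients and the script ratio jump while the body word count collapses, which is the per-user shift the feature-based approach is designed to pick up.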
Data Mining Approach

  [Figure: test instance -> classifier -> Clean/Infected;
   cascaded variant: test instance -> SVM; if "infected" -> Naïve Bayes
   -> Infected/Clean; if "clean" -> Clean]
Data set

 Collected from UC Berkeley.
   -   Contains instances for both normal and viral emails.
 Six worm types:
   -   bagle.f, bubbleboy, mydoom.m,
   -   mydoom.u, netsky.d, sobig.f
 Originally Six sets of data:
   -   training instances: normal (400) + five worms (5x200)
   - testing instances: normal (1200) + the sixth worm (200)
 Problem: Not balanced, no cross validation reported
 Solution: re-arrange the data and apply cross-validation
Our Implementation and Analysis
 Implementation
   -   Naïve Bayes: Assume “Normal” distribution of numeric and real
       data; smoothing applied
   -   SVM: with the parameter settings: one-class SVM with the radial basis
       function using “gamma” = 0.015 and “nu” = 0.1.
 Analysis
   -   NB alone performs better than other techniques
   -   SVM alone also performs better if parameters are set correctly
   -   mydoom.m and VBS.Bubbleboy data set are not sufficient (very low detection
       accuracy in all classifiers)

   -   The feature-based approach seems to be useful only when we have
         identified the relevant features,
         gathered enough training data, and
         implemented classifiers with the best parameter settings
Mobile Device/System Forensics

  Mobile device forensics overview
  Acquisition procedures
  Summary
Mobile Device Forensics Overview

  What is stored in cell phones
    - Incoming/outgoing/missed calls
    - Text messages
    - Short messages
    - Instant messaging logs
    - Web pages
    - Pictures
    - Calendars
    - Address books
    - Music files
    - Voice records
Mobile Phones

  Multiple generations
    - Analog, Digital personal communications, Third
       generations (increased bandwidth and other features)
  Digital networks
    -  CDMA, GSM, TDMA, - - -
  Proprietary OSs
  SIM Cards (Subscriber Identity Module)
     - Identifies the subscriber to the network
    -  Stores personal information, addresses books, etc.
  PDAs (Personal digital assistant)
     - Combines mobile phone and laptop technologies
Acquisition procedures

  Mobile devices have volatile memory, so need to retrieve RAM
   before losing power
  Isolate device from incoming signals
     - Store the device in a special bag
    -  Need to carry out forensics in a special lab (e.g., SAIAL)
  Examine the following
     - Internal memory, SIM card, other external memory cards,
       System server, also may need information from service
       provider to determine location of the person who made
       the call
Mobile Forensics Tools
  Reads SIM Card files
  Analyze file content (text messages etc.)
  Recovers deleted messages
  Manages PIN codes
  Generates reports
  Archives files with MD5, SHA-1 hash values
  Exports data to files
  Supports international character sets
Information Warfare
  Information Warfare
    - Defensive Strategies for Government and Industry
    - Military Tactics
    - Terrorism and Information Warfare
    - Tactics of Private Corporations
    - Future IW strategies
    - Surveillance Tools
    - The Victims of Information Warfare
  Military Forensics
  Relevant Papers
What is Information Warfare?

  Information warfare is the use and management of
   information in pursuit of a competitive advantage over an
   opponent. Information warfare may involve collection of
   tactical information, assurance that one's own information is
   valid, spreading of propaganda or disinformation to
   demoralize the enemy and the public, undermining the quality
   of opposing force information and denial of information
   collection opportunities to opposing forces.
  http://en.wikipedia.org/wiki/Information_warfare
Defensive Strategies for Government and

  Are US and Foreign governments prepared for Information
    - According to John Vacca, US will be most affected with
       60% of the world’s computing power
    -  Stealing sensitive information as well as critical,
       information to cripple an economy (e.g., financial
  What have industry groups done
    - IT-SAC: Information Technology Information Sharing and
  Will strategic diplomacy help with Information Warfare?
  Educating the end user is critical according to John Vacca
Defensive Strategies for Government and

  What are International organizations?
    - Think Tanks and Research agencies
    - Book cites several countries from Belarus to Taiwan
       engaged in Economic Espionage and Information Warfare
  Risk-based analysis
  Military alliances
     - Coalition forces – US, UK, Canada, Australia have regular
       meetings on Information Warfare
  Legal implications
  Strong parallels between National Security and Cyber
Military Tactics
  Supporting Technologies
     - Agents, XML, Human Computer Interaction
  Military tactics
     - Planning, Security, Intelligence
  Tools
     - Offensive Ruinous IW tools
            Launching massive distributed denial of service
     -   Offensive Containment IW tools
           Operations security, Military deception, Psychological
            operations, Electronic warfare (use electromagnetic
            energy), Targeting: Disable enemy's C2 (command and
            control) system and capability
Military Tactics
  Tools (continued)
    - Defensive Preventive IW Tools
         Monitor networks
    -  Defensive Ruinous IW tools
         Information operations
    - Defensive Responsive Containment IW tools
         Handle hacking, viruses.
  Other aspects
    - Dealing with sustained terrorist IW tactics, Dealing with
      random terrorist IW tactics
Terrorism and Information Warfare

  Terrorists are using the web to carry out terrorism activities
  What are the profiles of terrorists? Are they computer
  Hacker controlled tanks, planes and warships
  Is there a Cyber underground network?
  What are their tools?
      - Information weapons, HERF gun (high power radio energy
        at an electronic target), Electromagnetic pulse. Electric
        power disruptive technologies
  Why are they hard to track down?
      - Need super forensics tools
Tactics of Private Corporations

  Defensive tactics
    - Open source intelligence, Gather business intelligence
  Offensive tactics
    - Packet sniffing, Trojan horse etc.
  Prevention tactics
    - Security techniques such as encryption
  Survival tactics
    - Forensics tools
Future IW Tactics

  Electromagnetic bomb
    - Technology, targeting and delivery
  Improved conventional method
    - Virus, worms, trap doors, Trojan horse
  Global positioning systems
  Nanotechnology developments
    - Nano bombs
Surveillance Tools

  Data emanating from sensors:
    - Video data, surveillance data
    - Data has to be analyzed
    - Monitoring suspicious events
  Data mining
    - Determining events/activities that are abnormal
  Biometrics technologies
  Privacy is a concern
Victims of Information Warfare

  Loss of money and funds
  Loss of shelter, food and water
  Spread of disease
  Identity theft
  Privacy violations
  Death and destruction
  Note: Computers can be hacked to lose money and identity;
   computers can be used to commit a crime resulting in death
   and destruction
Military Forensics

  CFX-2000: Computer Forensics Experiment 2000
    - Information Directorate (AFRL) partnership with
    -   Hypothesis: possible to determine the motives, intent,
        targets, sophistication, identity and location of cyber
        terrorists by deploying an integrated forensics analysis
    -   Tools included commercial products and research
    -   http://www.afrlhorizons.com/Briefs/June01/IF0016.html
    -   http://rand.org/pubs/monograph_reports/MR1349/MR1349.
 Digital Forensics

     Dr. Bhavani Thuraisingham
  The University of Texas at Dallas


Social Network Analysis and Forensics

           October 8, 2010
Social Network Analysis of 9/11 Terrorists
  Early in 2000, the CIA was informed of two terrorist suspects linked to al-Qaeda.
  Nawaf Alhazmi and Khalid Almihdhar were photographed attending a meeting of
  known terrorists in Malaysia. After the meeting they returned to Los Angeles,
  where they had already set up residence in late 1999.
Social Network Analysis of 9/11 Terrorists
 What do you do with these suspects? Arrest or deport them
 immediately? No, we need to use them to discover more of the al-
 Qaeda network.

 Once suspects have been discovered, we can use their daily activities
 to uncloak their network. Just like they used our technology against
 us, we can use their planning process against them. Watch them, and
 listen to their conversations to see...

 •who they call / email
 •who visits with them locally and in other cities
 •where their money comes from

 The structure of their extended network begins to emerge as data is
 discovered via surveillance.
Social Network Analysis of 9/11 Terrorists

A suspect being monitored may have many contacts -- both accidental and intentional. We
must always be wary of 'guilt by association'. Accidental contacts, like the mail delivery
person, the grocery store clerk, and neighbor may not be viewed with investigative interest.

Intentional contacts are like the late afternoon visitor, whose car license plate is traced back to
a rental company at the airport, where we discover he arrived from Toronto (got to notify the
Canadians) and his name matches a cell phone number (with a Buffalo, NY area code) that our
suspect calls regularly. This intentional contact is added to our map and we start tracking his
interactions -- where do they lead? As data comes in, a picture of the terrorist organization
slowly comes into focus.

How do investigators know whether they are on to something big? Often they don't. Yet in this
case there was another strong clue that Alhazmi and Almihdhar were up to no good -- the
attack on the USS Cole in October of 2000. One of the chief suspects in the Cole bombing
[Khallad] was also present [along with Alhazmi and Almihdhar] at the terrorist meeting in
Malaysia in January 2000.

Once we have their direct links, the next step is to find their indirect ties -- the 'connections of
their connections'. Discovering the nodes and links within two steps of the suspects usually
starts to reveal much about their network. Key individuals in the local network begin to stand
out. In viewing the network map in Figure 2, most of us will focus on Mohammed Atta because
we now know his history. The investigator uncloaking this network would not be aware of
Atta's eventual importance. At this point he is just another node to be investigated.
Figure 2 shows the two suspects and


We now have enough data for two key conclusions:
•   All 19 hijackers were within 2 steps of the two original suspects uncovered in 2000!
•   Social network metrics reveal Mohammed Atta emerging as the local leader

With hindsight, we have now mapped enough of the 9-11 conspiracy to stop it. Again, the
     investigators are never sure they have uncovered enough information while they are in
     the process of uncloaking the covert organization. They also have to contend with
     superfluous data. This data was gathered after the event, so the investigators knew
     exactly what to look for. Before an event it is not so easy.

As the network structure emerges, a key dynamic that needs to be closely monitored is the
     activity within the network. Network activity spikes when a planned event approaches. Is
     there an increase of flow across known links? Are new links rapidly emerging between
     known nodes? Are money flows suddenly going in the opposite direction? When activity
     reaches a certain pattern and threshold, it is time to stop monitoring the network, and
     time to start removing nodes.

The author argues that this bottom-up approach of uncloaking a network is more effective
     than a top down search for the terrorist needle in the public haystack -- and it is less
     invasive of the general population, resulting in far fewer "false positives".

Social Network Analysis of Steroid Usage in Baseball

When the Mitchell Report on steroid use in Major League Baseball [MLB], was published, people were
surprised at who and how many players were mentioned. The diagram below shows a human network created
from data found in the Mitchell Report. Baseball players are shown as green nodes. Those who were found to
be providers of steroids and other illegal performance enhancing substances appear as red nodes. The links
reveal the flow of chemicals -- from provider to player.
Applying to Network Forensics

  Start with infected machines
  Then follow the chain to other machines
  Visualization techniques for the network of affected machines
  Iowa State University Prototype is an example
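The two operations the social network analysis relies on, finding everything within two steps of the starting nodes and letting a centrality metric surface the local leader, carry over directly to a chain of infected machines. The following is an added example, not code from the lecture, the Krebs article or the Iowa State prototype; the contact graph is constructed (seed hosts are the initially infected machines, edges are observed connections), and the centrality used is plain degree, which is one of the metrics the text alludes to without naming.

```python
from collections import deque, defaultdict

# Constructed contact graph: edges are observed connections between hosts; not real data.
EDGES = [
    ("seed-1", "host-A"), ("seed-1", "host-B"), ("seed-2", "host-B"), ("seed-2", "host-C"),
    ("host-A", "host-L"), ("host-B", "host-L"), ("host-C", "host-L"),
    ("host-L", "host-D"), ("host-L", "host-E"), ("host-D", "host-F"),
    ("host-G", "host-H"),   # unrelated pair, never reached from the seeds
]


def build_graph(edges):
    """Undirected adjacency sets."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def distances_from(graph, seeds):
    """Breadth-first search from all seeds at once; hop count per reachable node."""
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist


def within_steps(graph, seeds, k):
    """Nodes at most k hops from any seed: the 'connections of their connections' for k=2."""
    return {n for n, d in distances_from(graph, seeds).items() if d <= k}


def degree_centrality(graph):
    """Number of distinct contacts per node over the whole uncovered network."""
    return {n: len(neighbours) for n, neighbours in graph.items()}


def local_leader(graph, seeds, k):
    """Highest-degree node inside the k-step neighbourhood around the seeds."""
    region = within_steps(graph, seeds, k)
    degree = degree_centrality(graph)
    return max(sorted(region), key=degree.get)


if __name__ == "__main__":
    g = build_graph(EDGES)
    seeds = ["seed-1", "seed-2"]
    print(sorted(within_steps(g, seeds, 2)))
    print(local_leader(g, seeds, 2))
```

Note that the node with the most contacts, host-L, is two steps from both seeds rather than adjacent to either, which is the point the 9/11 discussion makes: the investigator uncloaking the network has no reason to single it out until the second-step neighbourhood has been mapped and a metric is computed over it.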
