Digital Forensics - PowerPoint PPT Presentation
1
Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Application Forensics
  • October 26, 2009

2
Outline
  • Email Forensics
  • UTD work on Email worm detection - revisited
  • Mobile System Forensics
  • Note: other application/system-related forensics
    (database forensics, network forensics) were
    already discussed
  • Reference: Chapters 12 and 13 of the text book
  • Military Forensics Overview
  • Papers to discuss week of November 2
  • Optional paper to read:
    http://www.mindswap.org/papers/Trust.pdf

3
Email Forensics
  • Email Investigations
  • Client/Server roles
  • Email crimes and violations
  • Email servers
  • Email forensics tools

4
Email Investigations
  • Types of email investigations
  • Emails carrying worms and viruses; suspicious emails
  • Checking emails in a crime (e.g., a homicide)
  • Types of suspicious emails
  • Phishing emails: they are in HTML format and
    redirect to suspicious web sites
  • Nigerian scam
  • Spoofed emails

5
Client/Server Roles
  • Client-server architecture
  • Email servers run the email server program,
    e.g., Microsoft Exchange Server
  • Email clients run the client program, e.g., Outlook
  • Identification/authentication is used for a client
    to access the server
  • Intranet/Internet email servers
  • Intranet: local environment
  • Internet: public, e.g., Yahoo, Hotmail

6
Email Crimes and Violations
  • Goal is to determine who is behind the crime, such
    as who sent the email
  • Steps in email forensics
  • Examine the email message
  • Copy the email message; also forward the email
  • View and examine the email header (tools available
    for Outlook and other email clients)
  • Examine additional files such as address books
  • Trace the message using various Internet tools
  • Examine network logs (NetFlow analysis)
  • Note: UTD NetFlow tools (SCRUB) are on SourceForge
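The header-tracing and spoofing checks in the steps above, together with the HTML phishing redirect mentioned on slide 4, as an added example that is not part of the original slides or of the UTD tools: it parses a constructed sample message with Python's standard email library, rebuilds the hop chain from the Received headers in delivery order, compares the displayed From domain with the envelope sender in Return-Path, and flags links whose visible text names a different host than the href actually points to. The message, hostnames and addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message (not real traffic). The visible From claims a
# bank, the envelope sender (Return-Path) is an unrelated relay, and the
# link text names a different host than the one the href points to.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx2.example.org (mx2.example.org [198.51.100.20])
    by inbox.example.org with ESMTP id 7A1; Mon, 26 Oct 2009 10:05:01 -0500
Received: from relay.example.net (relay.example.net [203.0.113.9])
    by mx2.example.org with ESMTP id 3F9; Mon, 26 Oct 2009 10:04:58 -0500
Received: from user-pc (unknown [192.0.2.77])
    by relay.example.net with SMTP id 11C; Mon, 26 Oct 2009 10:04:40 -0500
From: "First Bank Security" <alerts@firstbank.example.com>
To: victim@example.org
Subject: Verify your account
Content-Type: text/html; charset="us-ascii"

<html><body>Please <a href="http://203.0.113.9/login.php">log in at
https://firstbank.example.com</a> to verify your details.</body></html>
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<frm>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST_RE = re.compile(r"https?://([^\s/<>\"']+)", re.I)


def received_chain(raw):
    """Hops in delivery order (origin first). Each server prepends its own
    Received line, so the header order is reversed. Only lines added by
    servers you control are trustworthy; the sender can forge earlier ones."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(value)))
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({"from_host": m.group("frm"),
                     "from_ip": ip.group(1) if ip else None,
                     "by_host": m.group("by")})
    return hops


def sender_mismatch(raw):
    """Compare the displayed From domain with the envelope sender domain
    recorded in Return-Path; a mismatch is a common spoofing indicator."""
    msg = message_from_string(raw, policy=default)
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg["Return-Path"]))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom, from_dom != rp_dom


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True

    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False


def deceptive_links(raw):
    """Links whose visible text names a URL host different from the href
    host, the redirect trick used by HTML phishing mail."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        h, t = URL_HOST_RE.search(href), URL_HOST_RE.search(text)
        if h and t and h.group(1).lower() != t.group(1).lower():
            findings.append({"href": href, "href_host": h.group(1),
                             "text_host": t.group(1)})
    return findings


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_RAW):
        print(hop)
    print(sender_mismatch(SAMPLE_RAW))
    print(deceptive_links(SAMPLE_RAW))
```

On the sample, the earliest hop is 192.0.2.77 handing the message to relay.example.net, the From domain does not match the Return-Path domain, and the only link points at 203.0.113.9 while its text shows the bank's host. In a real investigation the Received lines added by your own servers are the anchor; the lines below them came from the sender and must be corroborated with the relay's logs.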

7
Email Servers
  • Need to work with the network administrator on
    how to retrieve messages from the server
  • Understand how the server records and handles the
    messages
  • How are the email logs created and stored?
  • How are deleted email messages handled by the
    server? Are copies of the messages still kept?
  • Chapter 12 discusses email servers from UNIX,
    Microsoft and Novell

8
Email Forensics Tools
  • Several tools for Outlook Express, Eudora,
    Exchange, Lotus Notes
  • Tools for log analysis and recovering deleted
    emails
  • Examples:
  • AccessData FTK
  • FINALeMAIL
  • EDBXtract
  • MailRecovery

9
Worm Detection Introduction
  • What are worms?
  • Self-replicating programs: exploit a software
    vulnerability on a victim and remotely infect
    other victims
  • Evil worms
  • Severe effect: the Code Red epidemic cost $2.6
    billion
  • Goals of worm detection
  • Real-time detection
  • Issues
  • Substantial volume of identical traffic; random
    probing
  • Methods for worm detection
  • Count the number of sources/destinations; count
    the number of failed connection attempts
  • Worm types
  • Email worms, instant messaging worms, Internet
    worms, IRC worms, file-sharing network worms
  • Automatic signature generation is possible
  • EarlyBird system (S. Singh, UCSD); Autograph
    (H.-A. Kim, CMU)
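The two counting methods listed above (fan-out to many distinct destinations, and a high share of failed connection attempts, the trace a worm leaves when it probes addresses at random) as detection logic over flow records; this is an added example, not the UTD SCRUB tools or any code from the slides. The record format, the time-window bucketing and the thresholds are assumptions for the example, and the flows are constructed inline.

```python
from collections import defaultdict

# Constructed flow records: (time_s, src, dst, dport, completed).
# completed=False marks a SYN that never got a SYN/ACK, i.e. a failed attempt.
def constructed_flows():
    flows = []
    # Benign host: a handful of connections to known servers, all completed.
    for i, dst in enumerate(["10.0.2.1", "10.0.2.2", "10.0.2.1", "10.0.2.3"]):
        flows.append((10 + 5 * i, "10.0.0.7", dst, 80, True))
    # Worm host: 12 probes to distinct addresses on one port, only 2 answered.
    for i in range(12):
        flows.append((12 + i, "10.0.0.5", "10.0.1.%d" % (i + 1), 445, i >= 10))
    return flows


def per_source_stats(flows, window=60):
    """Aggregate per (source, time bucket): attempts, failures, distinct
    destinations and destination ports."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0,
                                 "dsts": set(), "ports": set()})
    for t, src, dst, dport, completed in flows:
        s = stats[(src, int(t // window))]
        s["attempts"] += 1
        s["failed"] += 0 if completed else 1
        s["dsts"].add(dst)
        s["ports"].add(dport)
    return stats


def flag_scanners(stats, max_unique_dsts=10, max_fail_ratio=0.5, min_attempts=5):
    """Return {src: [reasons]} for sources whose fan-out or failure ratio
    exceeds the (assumed) thresholds within any one window. min_attempts
    keeps a host with two or three unlucky connections from being flagged."""
    flagged = {}
    for (src, _bucket), s in stats.items():
        reasons = []
        if len(s["dsts"]) >= max_unique_dsts:
            reasons.append("fan-out: %d distinct destinations" % len(s["dsts"]))
        if s["attempts"] >= min_attempts and s["failed"] / s["attempts"] > max_fail_ratio:
            reasons.append("failed connections: %d of %d" % (s["failed"], s["attempts"]))
        if reasons:
            flagged.setdefault(src, []).extend(reasons)
    return flagged


def detect(flows=None, window=60):
    """Run both counters over the flows (the constructed set by default)."""
    if flows is None:
        flows = constructed_flows()
    return flag_scanners(per_source_stats(flows, window))


if __name__ == "__main__":
    for src, reasons in detect().items():
        print(src, reasons)
```

Both counters fire on 10.0.0.5 (12 destinations, 10 of 12 attempts unanswered) and neither on 10.0.0.7; on real NetFlow the window size and thresholds have to be tuned per network, since a mail server or a vulnerability scanner legitimately shows high fan-out.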

10
Email Worm Detection using Data Mining
Task: given some training instances of both
normal and viral emails, induce a hypothesis
to detect viral emails.
We used Naïve Bayes and SVM.
[Diagram: outgoing emails are split into training
data and test data; feature extraction feeds a
machine-learning classifier, which builds the model
and labels each test email clean or infected.]
11
Assumptions
  • Features are based on outgoing emails.
  • Different users have different normal
    behaviour.
  • Analysis should be on a per-user basis.
  • Two groups of features
  • Per email (number of attachments, HTML in body,
    text/binary attachments)
  • Per window (mean words in body, variance of words
    in subject)
  • Total of 24 features identified
  • Goal: identify normal and viral emails based
    on these features

12
Feature sets
  • Per-email features
  • Binary-valued features
  • Presence of HTML script tags/attributes,
    embedded images, hyperlinks
  • Presence of binary/text attachments; MIME types
    of file attachments
  • Continuous-valued features
  • Number of attachments; number of words/characters
    in the subject and body
  • Per-window features
  • Number of emails sent; number of unique email
    recipients; number of unique sender addresses
  • Average number of words/characters per subject
    and body; average word length
  • Variance in number of words/characters per
    subject and body; variance in word length
  • Ratio of emails with attachments

13
Data Mining Approach
[Diagram: a test instance is passed through the SVM
and Naïve Bayes classifiers in series. An instance
the first classifier labels infected is reported as
infected; one it labels clean is passed to the second
classifier, which makes the final clean/infected
decision.]
14
Data set
  • Collected from UC Berkeley.
  • Contains instances for both normal and viral
    emails.
  • Six worm types:
  • bagle.f, bubbleboy, mydoom.m,
    mydoom.u, netsky.d, sobig.f
  • Originally six sets of data
  • Training instances: normal (400) + five worms
    (5x200)
  • Testing instances: normal (1200) + the sixth worm
    (200)
  • Problem: not balanced, no cross-validation
    reported
  • Solution: re-arrange the data and apply
    cross-validation

15
Our Implementation and Analysis
  • Implementation
  • Naïve Bayes: assumes a normal distribution for
    numeric (real-valued) data; smoothing applied
  • SVM parameter settings: one-class SVM with the
    radial basis function kernel, gamma = 0.015 and
    nu = 0.1
  • Analysis
  • NB alone performs better than the other techniques
  • SVM alone also performs better if the parameters
    are set correctly
  • The mydoom.m and VBS.Bubbleboy data sets are not
    sufficient (very low detection accuracy in all
    classifiers)
  • The feature-based approach seems to be useful
    only when we have
  • identified the relevant features
  • gathered enough training data
  • implemented classifiers with the best parameter
    settings
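The per-email and per-window features of slides 11 and 12 together with the Naïve Bayes classifier described above (normal distribution per feature, with smoothing), as an added example: it is not the UTD implementation, and the training corpus is constructed inline rather than taken from the UC Berkeley data set. Six of the 24 features are used, a variance floor stands in for the smoothing, and the SVM stage is left out (it needs a library such as libsvm). Feature names, the corpus and the lure file names are assumptions for the example.

```python
import math
import re
from email.message import EmailMessage

FEATURES = ["n_attach", "binary_attach", "html_body", "script_tag",
            "subject_words", "body_words"]


def make_email(subject, body, recipients, attachment=None, html=False):
    """Build an outgoing message; attachment is (filename, bytes) or None."""
    m = EmailMessage()
    m["From"] = "user@example.com"
    m["To"] = ", ".join(recipients)
    m["Subject"] = subject
    m.set_content(body, subtype="html" if html else "plain")
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m


def per_email_features(m):
    """Per-email features: attachment count and type, HTML body, script
    tags or event-handler attributes, subject/body word counts."""
    body = m.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    atts = list(m.iter_attachments())
    return {
        "n_attach": len(atts),
        "binary_attach": int(any(a.get_content_maintype() == "application" for a in atts)),
        "html_body": int(body is not None and body.get_content_subtype() == "html"),
        "script_tag": int(bool(re.search(r"<script\b|\bon\w+\s*=", text, re.I))),
        "subject_words": len(str(m["Subject"]).split()),
        "body_words": len(re.sub(r"<[^>]+>", " ", text).split()),
        "recipients": tuple(a.addr_spec for a in m["To"].addresses),
    }


def window_features(feats):
    """Per-window features over one user's outgoing mail: volume, fan-out,
    mean/variance of body length, share of mails with attachments."""
    n = len(feats)
    words = [f["body_words"] for f in feats]
    mean = sum(words) / n
    return {"n_emails": n,
            "unique_recipients": len({r for f in feats for r in f["recipients"]}),
            "mean_body_words": mean,
            "var_body_words": sum((w - mean) ** 2 for w in words) / n,
            "attach_ratio": sum(1 for f in feats if f["n_attach"]) / n}


class GaussianNB:
    """Naive Bayes with a normal distribution per feature and class. The
    variance floor is the smoothing: a feature that is constant in the
    training data would otherwise give a zero variance and break the pdf."""
    def __init__(self, var_floor=1e-2):
        self.var_floor = var_floor
        self.classes = {}  # label -> (log prior, means, variances)

    def fit(self, rows, labels):
        grouped = {}
        for r, label in zip(rows, labels):
            grouped.setdefault(label, []).append([r[f] for f in FEATURES])
        for label, xs in grouped.items():
            cols = list(zip(*xs))
            means = [sum(c) / len(c) for c in cols]
            variances = [max(sum((v - mu) ** 2 for v in c) / len(c), self.var_floor)
                         for c, mu in zip(cols, means)]
            self.classes[label] = (math.log(len(xs) / len(rows)), means, variances)
        return self

    def predict(self, r):
        x = [r[f] for f in FEATURES]
        scores = {}
        for label, (log_prior, means, variances) in self.classes.items():
            scores[label] = log_prior + sum(
                -0.5 * math.log(2 * math.pi * v) - (xi - mu) ** 2 / (2 * v)
                for xi, mu, v in zip(x, means, variances))
        return max(scores, key=scores.get)


def sample_corpus():
    """Constructed training mail: six normal messages and six worm-style
    messages (terse body, many recipients, executable attachment)."""
    clean, infected = [], []
    for i in range(6):
        words = " ".join("word%d" % j for j in range(20 + 4 * i))
        html = i % 2 == 0
        clean.append(make_email("Meeting notes %d" % i, "<p>%s</p>" % words if html else words,
                                ["colleague%d@example.org" % i], html=html))
    lures = ["photo.exe", "document.scr", "details.pif"]
    for i in range(6):
        body = " ".join(["see", "attached", "file"][:1 + i % 3])
        infected.append(make_email("Hi", body,
                                   ["victim%d@example.net" % i, "victim%d@example.net" % (i + 10)],
                                   attachment=(lures[i % 3], b"MZ\x90\x00" + bytes(8))))
    return clean, infected


def train_model():
    clean, infected = sample_corpus()
    rows = [per_email_features(m) for m in clean + infected]
    return GaussianNB().fit(rows, ["clean"] * len(clean) + ["infected"] * len(infected))


def classify(model, m):
    return model.predict(per_email_features(m))
```

With the corpus this small the classifier separates the classes on the attachment features alone; the point of the per-window features is the per-user baseline the slides call for, so in practice both groups are computed on each user's own outgoing mail and the model is trained per user.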

16
Mobile Device/System Forensics
  • Mobile device forensics overview
  • Acquisition procedures
  • Summary

17
Mobile Device Forensics Overview
  • What is stored in cell phones
  • Incoming/outgoing/missed calls
  • Text messages
  • Short messages
  • Instant messaging logs
  • Web pages
  • Pictures
  • Calendars
  • Address books
  • Music files
  • Voice records

18
Mobile Phones
  • Multiple generations
  • Analog; digital personal communications; third
    generation (increased bandwidth and other
    features)
  • Digital networks
  • CDMA, GSM, TDMA, etc.
  • Proprietary OSs
  • SIM cards (Subscriber Identity Module)
  • Identify the subscriber to the network
  • Store personal information, address books,
    etc.
  • PDAs (personal digital assistants)
  • Combine mobile phone and laptop technologies

19
Acquisition procedures
  • Mobile devices have volatile memory, so RAM needs
    to be retrieved before the device loses power
  • Isolate the device from incoming signals
  • Store the device in a special (signal-blocking) bag
  • Forensics needs to be carried out in a special lab
    (e.g., SAIAL)
  • Examine the following:
  • Internal memory, SIM card, other external memory
    cards, system server; information may also be
    needed from the service provider to determine the
    location of the person who made the call

20
Mobile Forensics Tools
  • Reads SIM card files
  • Analyzes file content (text messages etc.)
  • Recovers deleted messages
  • Manages PIN codes
  • Generates reports
  • Archives files with MD5, SHA-1 hash values
  • Exports data to files
  • Supports international character sets

21
Papers to discuss October 28, 2009
  • FORZA: digital forensics investigation framework
    that incorporates legal issues
  • http://dfrws.org/2006/proceedings/4-Ieong.pdf
  • A cyber forensics ontology: creating a new
    approach to studying cyber forensics
  • http://dfrws.org/2006/proceedings/5-Brinson.pdf
  • Arriving at an anti-forensics consensus:
    examining how to define and control the
    anti-forensics problem
  • http://dfrws.org/2006/proceedings/6-Harris.pdf

22
Papers to discuss November 2-4, 2009
  • Forensic feature extraction and cross-drive
    analysis
  • http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
  • A correlation method for establishing provenance
    of timestamps in digital evidence
  • http://dfrws.org/2006/proceedings/13-20Schatz.pdf

23
Applications Forensics Part II
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Information Warfare
  • and Military Forensics
  • October 26, 2009

24
Outline
  • Information Warfare
  • Defensive Strategies for Government and Industry
  • Military Tactics
  • Terrorism and Information Warfare
  • Tactics of Private Corporations
  • Future IW strategies
  • Surveillance Tools
  • The Victims of Information Warfare
  • Military Forensics
  • Relevant Papers

25
What is Information Warfare?
  • Information warfare is the use and management of
    information in pursuit of a competitive advantage
    over an opponent. Information warfare may involve
    collection of tactical information, assurance
    that one's own information is valid, spreading of
    propaganda or disinformation to demoralize the
    enemy and the public, undermining the quality of
    opposing force information and denial of
    information collection opportunities to opposing
    forces.
  • http://en.wikipedia.org/wiki/Information_warfare

26
Defensive Strategies for Government and Industry
  • Are the US and foreign governments prepared for
    information warfare?
  • According to John Vacca, the US will be the most
    affected, with 60% of the world's computing power
  • Stealing sensitive information as well as
    critical information to cripple an economy
    (e.g., financial information)
  • What have industry groups done?
  • IT-ISAC: Information Technology Information
    Sharing and Analysis Center
  • Will strategic diplomacy help with information
    warfare?
  • Educating the end user is critical according to
    John Vacca

27
Defensive Strategies for Government and Industry
  • What are the international organizations?
  • Think tanks and research agencies
  • The book cites several countries, from Belarus to
    Taiwan, engaged in economic espionage and
    information warfare
  • Risk-based analysis
  • Military alliances
  • Coalition forces (US, UK, Canada, Australia) have
    regular meetings on information warfare
  • Legal implications
  • Strong parallels between national security and
    cyber security

28
Military Tactics
  • Supporting technologies
  • Agents, XML, human-computer interaction
  • Military tactics
  • Planning, security, intelligence
  • Tools
  • Offensive ruinous IW tools
  • Launching massive distributed denial of service
    attacks
  • Offensive containment IW tools
  • Operations security, military deception,
    psychological operations, electronic warfare (use
    of electromagnetic energy), targeting: disable the
    enemy's C2 (command and control) system and
    capability

29
Military Tactics
  • Tools (continued)
  • Defensive preventive IW tools
  • Monitor networks
  • Defensive ruinous IW tools
  • Information operations
  • Defensive responsive containment IW tools
  • Handle hacking, viruses
  • Other aspects
  • Dealing with sustained terrorist IW tactics;
    dealing with random terrorist IW tactics

30
Terrorism and Information Warfare
  • Terrorists are using the web to carry out
    terrorist activities
  • What are the profiles of terrorists? Are they
    computer literate?
  • Hacker-controlled tanks, planes and warships
  • Is there a cyber underground network?
  • What are their tools?
  • Information weapons, HERF guns (high-power radio
    energy aimed at an electronic target),
    electromagnetic pulse, electric power disruptive
    technologies
  • Why are they hard to track down?
  • Need super forensics tools

31
Tactics of Private Corporations
  • Defensive tactics
  • Open source intelligence; gather business
    intelligence
  • Offensive tactics
  • Packet sniffing, Trojan horse etc.
  • Prevention tactics
  • Security techniques such as encryption
  • Survival tactics
  • Forensics tools

32
Future IW Tactics
  • Electromagnetic bomb
  • Technology, targeting and delivery
  • Improved conventional methods
  • Viruses, worms, trap doors, Trojan horses
  • Global positioning systems
  • Nanotechnology developments
  • Nano bombs

33
Surveillance Tools
  • Data emanating from sensors
  • Video data, surveillance data
  • Data has to be analyzed
  • Monitoring suspicious events
  • Data mining
  • Determining events/activities that are abnormal
  • Biometrics technologies
  • Privacy is a concern

34
Victims of Information Warfare
  • Loss of money and funds
  • Loss of shelter, food and water
  • Spread of disease
  • Identity theft
  • Privacy violations
  • Death and destruction
  • Note: computers can be hacked to lose money and
    identity; computers can be used to commit a crime
    resulting in death and destruction

35
Military Forensics
  • CFX-2000: Computer Forensics Experiment 2000
  • Information Directorate (AFRL) partnership with
    NIJ/NLECTC
  • Hypothesis: possible to determine the motives,
    intent, targets, sophistication, identity and
    location of cyber terrorists by deploying an
    integrated forensics analysis framework
  • Tools included commercial products and research
    prototypes
  • http://www.afrlhorizons.com/Briefs/June01/IF0016.html
  • http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf

36
Papers to be Discussed (November 2-4, 2009)
  • 1. Cyber Forensics: a Military Perspective
    https://www.utica.edu/academic/institutes/ecii/publications/articles/A04843F3-99E5-632B-FF420389C0633B1B.pdf
  • 2. Danilo Bruschi, Mattia Monga, Universita
    degli Studi di Milano: How to Reuse Knowledge
    about Forensic Investigations
  • http://dfrws.org/2004/day3/D3-Martignoni_Knowledge_reuse.pdf
  • 3. John Lowry, BBN Systems: Adversary Modeling to
    Develop Forensic Observables
  • http://dfrws.org/2004/day2/Adversary_Modeling_to_Develop_Forensic_Observables.pdf
  • 4. Dr. Golden G. Richard III, University of New
    Orleans, New Orleans, LA: Breaking the
    Performance Wall: The Case for Distributed
    Digital Forensics
  • http://dfrws.org/2004/day2/Golden-Perfromance.pdf