Automated Production of Predetermined Digital

Evidence

Submitted byVipin Kumar1104331054

EC 3rd year

Prof J.P SAINI

Under the able guidance and support of

INTRODUCTION 2.4 Billion Internet user worldwide.

2/3 of online adults have been victim of cybercrime.

Estimated global loss of $110 billion annually.

TERMINOLOGY Digital evidence

Any probative information stored or transmitted

digitally. Ubiquitous, Immaterial, local, remote.

DIGITAL ALIBI Excuse supplied by a person suspected

FALSE DIGITAL ALIBI Tampering digital information

CASE STUDY Rodney Bradford -19 years old charged with

armed robbery case. Alberto Stasi -Suspect in the murder.

In both cases DNA traces and digital evidence on the PCs prove them innocent.

CREATION OF PREDETERMINED DIGITAL EVIDENCE

Alibi Maker (AM) - an individual interested in constructing a false digital alibi

Target System (TS) - Personal computer of AM

AIMTo produce remote digital evidence, or even a mix of local and remote evidence.

Different strategies to accomplish this-Involvement of another PersonRemotization and Automation.

REMOTIZATION Remote control of the TS from a different

machine. Two methods:

Using KVM device Software control from another PC

SOFTWARE CONTROL

Control software to pilot the TS from another computer Avoid installation Portable application such as TeamViewer Portable Success depends on the ability of obfuscating the server process

KVM METHOD KVM switch over IP (IP-KVM) creates remote connection to the KVM ports of the TS.

WHAT IT DOES? Digitizes and compresses the video signal of the TS for transmission to a remote controller Do not require any software to be installed.

PROBLEMS

Controller machine, MAC or IP addresses of the KVM, may be recorded by other components of the network, such as DHCP. The necessity of human intervention. Unwanted creation of logs and caches.

AUTOMATION Automation : To have false alibi at required time without human interference. It’s a type of program Can simulate any common user activity,

Web navigation authentication posting of messages sending of emails videogames

THE AUTOMATION METHODOLOGY

DIGITAL EVIDENCE OF AN AUTOMATION

May access resources on the TS Modification of system state TYPES Wanted Evidence Unwanted evidence

UNWANTED EVIDENCE TYPE

Filesystem Traces Execution Traces Virtual Memory Traces LOGIN Traces

UNWANTED EVIDENCE HANDLING

Require awareness on OS modules Other approaches

a-priori avoidance a-posteriori removal and obfuscation

A-PRIORI AVOIDANCE Disabling any logging mechanisms

Virtual Memory Prefetch Volume Shadow Copy

(Can be suspicious)

Executing the automation from an external device

A-POSTERIORI REMOVAL

Removal by secure deletion procedure Manual deletion

using Deft suite to avoid suspicion Automatic deletion

Difficult as executable files are read only Interpreted programming languages can do the job

OBFUSCATION

Using common file names

Storing the suspicious files in system folders.

DEVELOPMENT OF AN AUTOMATION

(1) Preparation of the development environment(2) Implementation of the automation(3) Testing of the(4) Automation procedure(5) Exportation of the automation(6) Destruction of the development environment

PREPARATION AND DESTRUCTION OF THE ENVIRONMENT

Should be totally isolated and similar from the TS

Techniques to create a proper development environment:

Virtual machine Live OS Physically isolated system

IMPLEMENTATION OF THE AUTOMATION

Depends on the choice of the automation techniques Some techniques are:

Using frameworks such as AutoIt By writing hundreds code lines in a whatever scripting language

Synchronization of all the automated operations

TESTING OF THE AUTOMATION PROCEDURE

Verify that the automation acts correctly Identify all the unwanted artifacts left by the automation Specific tools

Process monitoring tools Digital forensic tools

EXPORTING THE AUTOMATION

Network Transfer

External Memory Transfer

V. AUTOMATION TOOLS

Framework that allows the implementation of a program

Any programming languages supporting GUI events

VBScript

VBScript is a scripting language

Simulate user interaction such as mouse movements, clicks and keystrokes.

Does not require any third-party resources

Provides advance simulation features than AutoIt

UNWANTED EVIDENCE IN WINDOWS 7

Prefetch Registry Hibernation Restore Points

EXECUTION Load script onto SD card containing other multimedia files. Access SD card through File Explorer The script HexToDec.vb is launched with a simple double-click. Hardcode starting time

CASE STUDY: WINDOWS 7 An advanced automation for Windows 7 Alibi Timeline.

Time Activity

T0 Execution of a Web browser

T1 Access to Facebook

T2 Posting of a message on Facebook

T3 System shutdown

Execution of a Web Browser

Crucial steps to avoid failures :

Internet connection must be functioning and stable Disable the automatic saving of login information Add websites to “ Trusted sites”.

USE OF BROWSER AND FB

ANALYSIS

Verification of coherence of DE with the alibi timeline

Discover any unwanted evidence left by the automation

CONCLUSION

Given methodology could be exploited by a party Automation is a program able to simulate a series of human activities Problem of avoiding unwanted traces is also addressedCase study on a target system running Windows 7 is presented

REFERENCE

IEEE ACCESS Received April 17, 2013, accepted April 24, 2013, published May 10, 2013.

AUTHORS ANIELLO CASTIGLIONE (Member, IEEE), GIUSEPPE CATTANEO, GIANCARLO DE MAIO, AND ALFREDO DE SANTIS (Member, IEEE)

Department of Computer Science, University of Salerno, Via Ponte don Melillo, Fisciano I-84084, Italy

THANK YOU