Digital Forensics

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Lecture #5

Forensics Systems

September 5, 2007

Outline

Some developments Review of Lectures 3 and 4 Lectures 5

- Types of Computer Forensics Systems

- Objective: Identify issues in corporate planning for computer forensics

Tools for Digital Forensics Assignment #1 Lab Tour

Some Developments

Internships positions available in commuter forensics with DFW area FBI and Law Enforcement

Guest lectures are being arranged to be given by DFW FBI and Law Enforcement

- Dates to be given Mid-term exam: week of October 9 or October 16

Review of Lectures 3 and 4

Lecture 3

- Forensics Technology Military, Law Enforcement, Business Forensics

- Forensics Techniques Finding Hidden Data, Spyware, Encryption, Data

Protection, Tracing, Data Mining

- Security Technologies Wireless, Firewalls, Biometrics

- APPENDIX: Data Mining Lecture 4: Data Mining for Malicious Code Detection

Types of Computer Forensics Systems Internet Security Systems Intrusion Detection Systems Firewall Security Systems Storage Area Network Security Systems Network disaster recovery systems Public key infrastructure systems Wireless network security systems Satellite encryption security systems Instant Messaging Security Systems Net privacy systems Identity management security systems Identify theft prevention systems Biometric security systems Homeland security systems

Internet Security Systems

Security hierarchy

- Public, Private and Mission Critical data

- Unclassified, Confidential, Secret and TopSecret data Security Policy

- Who gets access to what data

- Bell LaPadula Security Policy, Noninterference Policy Access Control

- Role-based access control, Usage control Encryption

- Public/private keys

- Secret payment systems Directions

- Smart cards

Intrusion Detection Systems

An intrusion can be defined as “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource”.

Attacks are:

- Host-based attacks

- Network-based attacks Intrusion detection systems are split into two groups:

- Anomaly detection systems

- Misuse detection systems Use audit logs

- Capture all activities in network and hosts.

- But the amount of data is huge!

Our Approach: Overview

TrainingData

Class

Hierarchical Clustering (DGSOT)

Testing

Testing Data

SVM Class Training

DGSOT: Dynamically growing self organizing tree

Hierarchical clustering with SVM flow chart

Our Approach

Our Approach: Hierarchical Clustering

Worm Detection: Introduction

What are worms?

- Self-replicating program; Exploits software vulnerability on a victim; Remotely infects other victims

Evil worms

- Severe effect; Code Red epidemic cost $2.6 Billion Automatic signature generation possible

- EarlyBird System (S. Singh. -UCSD); Autograph (H. Ah-Kim. - CMU) Goals of worm detection

- Real-time detection Issues

- Substantial Volume of Identical Traffic, Random Probing Methods for worm detection

- Count number of sources/destinations; Count number of failed connection attempts

Worm Types

- Email worms, Instant Messaging worms, Internet worms, IRC worms, File-sharing Networks worms

Email Worm Detection using Data Mining

Training data

Feature extraction

Clean or Infected ?

Outgoing Emails

ClassifierMachine Learning

Test data

The Model

Task: given some training instances of both “normal” and “viral” emails, induce a hypothesis to detect “viral” emails.

We used:Naïve BayesSVM

Firewall Security Systems

Firewall is a system or groups of systems that enforces an access control policy between two networks

Benefits

- Implements access control across networks

- Maintains logs that can be analyzed Data mining for analyzing firewall logs and ensuring

policy consistency Limitatations

- No security within the network

- Difficult to implement content based policies

- Difficult to protect against malicious code Data driven attacks

Traffic Mining

To bridge the gap between what is written in the firewall policy rules and what is being observed in the network is to analyze traffic and log of the packets– traffic mining

Network traffic trend may show that some rules are out-dated or not used recently

FirewallFirewallLog FileLog File

Mining Log File Mining Log File Using FrequencyUsing Frequency

FilteringFilteringRule Rule

GeneralizationGeneralization

Generic RulesGeneric Rules

Identify Decaying Identify Decaying &&

Dominant RulesDominant Rules

EditEditFirewall RulesFirewall Rules

FirewallPolicy Rule

Traffic Mining Results

Anomaly Discovery ResultAnomaly Discovery Result

Rule 1, Rule 2: ==> GENRERALIZATIONRule 1, Rule 16: ==> CORRELATEDRule 2, Rule 12: ==> SHADOWEDRule 4, Rule 5: ==> GENRERALIZATIONRule 4, Rule 15: ==> CORRELATEDRule 5, Rule 11: ==> SHADOWED

1: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,80,DENY2: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,80,ACCEPT3: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,443,DENY4: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,22,DENY5: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,22,ACCEPT6: TCP,OUTPUT,129.110.96.80,ANY,*.*.*.*,22,DENY7: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,53,ACCEPT8: UDP,INPUT,*.*.*.*,53,*.*.*.*,ANY,ACCEPT9: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY10: UDP,INPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY11: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,22,DENY12: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,80,DENY13: UDP,INPUT,*.*.*.*,ANY,129.110.96.80,ANY,DENY14: UDP,OUTPUT,129.110.96.80,ANY,129.110.10.*,ANY,DENY15: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,22,ACCEPT16: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,80,ACCEPT17: UDP,INPUT,129.110.*.*,53,129.110.96.80,ANY,ACCEPT18: UDP,OUTPUT,129.110.96.80,ANY,129.110.*.*,53,ACCEPT

Storage Area Network Security Systems

High performance networks that connects all the storage systems

- After as disaster such as terrorism or natural disaster (9/11 or Katrina), the data has to be availability

- Database systems is a special kind of storage system Benefits include centralized management, scalability

reliability, performance Security attacks on multiple storage devices

- Secure storage is being investigated

Network Disaster Recovery Systems

Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery palm

Policies and procedures have to be defined and subsequently enforced

Which machines to shut down, determine which backup servers to use, When should law enforcement be notified

Public Key Infrastructure Systems

A certificate authority that issues and verifies digital certificates

A registration authority that acts as a verifier for the certificate authority before a digital certificate is issued to a requester

One or more directories where the certificates with their public keys are held

A certificate management systems

Digital Identity Management

Digital identity is the identity that a user has to access an electronic resource

A person could have multiple identities

- A physician could have an identity to access medical resources and another to access his bank accounts

Digital identity management is about managing the multiple identities

- Manage databases that store and retrieve identities

- Resolve conflicts and heterogeneity

- Make associations

- Provide security Ontology management for identity management is an

emerging research area

Digital Identity Management - II

Federated Identity Management

- Corporations work with each other across organizational boundaries with the concept of federated identity

- Each corporation has its own identity and may belong to multiple federations

- Individual identity management within an organization and federated identity management across organizations

Technologies for identity management

- Database management, data mining, ontology management, federated computing

Identity Theft Management

Need for secure identity management

- Ease the burden of managing numerous identities

- Prevent misuse of identity: preventing identity theft Identity theft is stealing another person’s digital identity Techniques for preventing identity thefts include

- Access control, Encryption, Digital Signatures

- A merchant encrypts the data and signs with the public key of the recipient

- Recipient decrypts with his private key

Biometrics

Early Identication and Authentication (I&A) systems, were based on passwords

Recently physical characteristics of a person are being used for identification

- Fingerprinting

- Facial features

- Iris scans

- Voice recognition

- Facial expressions Biometrics techniques will provide access not only to

computers but also to building and homes Systems are vulnerable to attack e.g., Fake biometrics

Homeland Security Systems

Border and Transportation Security

- RFID technologies? Emergency preparedness

- After an attack happens what actions are to be taken? Chemical, Biological, Radiological and Nuclear security

- Sensor technologies Information analysis and Infrastructure protection

- Data mining, security technologies

Other Types of Systems

Wireless security systems

- Protecting PDAs and phones against denial of service and related attacks

Satellite encryption systems

- Pretty Good Privacy – PGP that uses RSA security Instant messaging

- Deployment of instant messaging is usually not controlled

- Should IM be blocked? Net Privavacy

- Can we ensure privacy on the networks and systems

- Privacy preserving access?

Conclusion

We have discussed many types of forensics systems These are systems that are secure, but can be

attacked Security solutions include policy enforcement,

access control encryption, protecting against malicious code

How can these systems be compromised and what are the actions that need to be taken?

Open Source and Related Tools

http://www.opensourceforensics.org/tools/index.html http://www.cerias.purdue.edu/research/forensics/ http://www.digital-evidence.org/papers/opensrc_legal.pdf http://digitalforensics.ch/nikkel05b.pdf http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf http://www.vascan.org/webdocs/06confdocs/Day1-TechnicalT

rack-DONE/CrimJesseDigital%20Forensics.pdf

Assignment #1

Four exercises at the end of Chapters 1, 2, 3 and 4 Due date: September 24, 2007 You can read the answers at the back, but please try to

produce your own answers

Lab Tour and possible Programming projects

SAIAL: Security Analysis and Information Assurance Laboratory

Develop programs to monitor what your adversary is doing

- Will help our research a lot Can you develop techniques that will put pieces of the

deleted files together to create the original file? Use data analysis/mining for intrusion detection Simulate an attack and use the open source tools Analyze a disk image

- Will try to give you a disk image to work with