Digital Forensics Dr Bhavani Thuraisingham The University of

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Information Warfare and Military Forensics November 19, 2008

Outline l Information Warfare - Defensive Strategies for Government and Industry - Military Tactics - Terrorism and Information Warfare - Tactics of Private Corporations - Future IW strategies - Surveillance Tools - The Victims of Information Warfare l Military Forensics l Relevant Papers

What is Information Warfare? l Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. Information warfare may involve collection of tactical information, assurance that one's own information is valid, spreading of propaganda or disinformation to demoralize the enemy and the public, undermining the quality of opposing force information and denial of information collection opportunities to opposing forces. l http: //en. wikipedia. org/wiki/Information_warfare

Defensive Strategies for Government and Industry l Are US and Foreign governments prepared for Information Warfare According to John Vacca, US will be most affected with 60% of the world’s computing power Stealing sensitive information as well as critical, information to cripple an economy (e. g. , financial information) l What have industry groups done IT-SAC: Information Technology Information Sharing and Analysis l Will strategic diplomacy help with Information Warfare? l Educating the end user is critical according to John Vacca -

Defensive Strategies for Government and Industry l What are International organizations? - Think Tanks and Research agencies - Book cites several countries from Belarus to Taiwan engaged in Economic Espionage and Information Warfare l Risk-based analysis l Military alliances Coalition forces – US, UK, Canada, Australia have regular meetings on Information Warfare l Legal implications l Strong parallels between National Security and Cyber Security -

Military Tactics l Supporting Technologies - Agents, XML, Human Computer Interaction l Military tactics - Planning, Security, Intelligence l Tools - Offensive Ruinous IW tools l Launching - massive distributed denial of service attacks Offensive Containment IW tools l Operations security, Military deception, Psychological operations, Electronic warfare (use electromagnetic energy), Targeting: Disable enemy's C 2 (c 0 mmand control) system and capability

Military Tactics l Tools (continued) - Defensive Preventive IW Tools networks Defensive Ruinous IW tools l Information operations Defensive Responsive Containment IW tools l Handle hacking, viruses. l Other aspects Dealing with sustained terrorist IW tactics, Dealing with random terrorist IW tactics - l Monitor

Terrorism and Information Warfare l Terrorists are using the web to carry out terrorism activities l What are the profiles of terrorists? Are they computer literate? l Hacker controlled tanks, planes and warships l Is there a Cyber underground network? l What are their tools? - Information weapons, HERF gun (high power radio energy at an electronic target), Electromagnetic pulse. Electric power disruptive technologies l Why are they hard to track down? Need super forensics tools -

Tactics of Private Corporations l Defensive tactics - Open course intelligence, Gather business intelligence l Offensive tactics - Packet sniffing, Trojan horse etc. l Prevention tactics - Security techniques such as encryption l Survival tactics - Forensics tools

Future IW Tactics l Electromagnetic bomb - Technology, targeting and delivery l Improved conventional method - Virus, worms, trap doors, Trojan horse l Global positioning systems l Nanotechnology developments - Nano bombs

Surveillance Tools l Data emanating from sensors: - Video data, surveillance data - Data has to be analyzed - Monitoring suspicious events l Data mining - Determining events/activities that are abnormal l Biometrics technologies l Privacy is a concern

Victims of Information Warfare l Loss of money and funds l Loss of shelter, food and water l Spread of disease l Identity theft l Privacy violations l Death and destruction l Note: Computers can be hacked to loose money and identity; computers can be used to commit a crime resulting in death and destruction

Military Forensics l CFX-2000: Computer Forencis Experiment 2000 - Information Directorate (AFRL) partnership with - NIJ/NLECTC Hypothesis: possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework Tools included commercial products and research prototypes http: //www. afrlhorizons. com/Briefs/June 01/IF 0016. html http: //rand. org/pubs/monograph_reports/MR 1349. appb. pdf

Relevant Papers 1. Cyber Forensics: a Military Perspective https: //www. utica. edu/academic/institutes/ecii/publications/art icles/A 04843 F 3 -99 E 5 -632 B-FF 420389 C 0633 B 1 B. pdf. How to Reuse Knowledge about Forensic Investigations 2. Danilo Bruschi, Mattia Monga, Universit`a degli Studi di Milano http: //dfrws. org/2004/day 3/D 3 -Martignoni_Knowledge_reuse. pdf 3. John Lowry, BBN Systems: Adversary Modeling to Develop Forensic Observables http: //dfrws. org/2004/day 2/Adversary_Modeling_to_Develop_Fo rensic_Observables. pdf 4. Dr. Golden G. Richard III, University of New Orleans, LA: Breaking the Performance Wall: The Case for Distributed Digital Forensics http: //dfrws. org/2004/day 2/Golden-Perfromance. pdf

Abstract of Paper 1 l This paper discusses some of the unique military requirements and challenges in Cyber Forensics. A definition of Cyber Forensics is presented in a military context. Capabilities needed to perform cyber forensic analysis in a networked environment are discussed, along with a list of current shortcomings in providing these capabilities and a technology needs list. Finally, it is shown how these technologies and capabilities are transferable to civilian law enforcement, critical infrastructure protection, and industry.

Definition l “The exploration and application of scientifically proven methods to gather, process, interpret, and utilize digital evidence in order to: • Provide a conclusive description of all cyber-attack activities for the purpose of complete post-attack enterprise and critical infrastructure information restoration • Correlate, interpret, and predict adversarial actions and their impact on planned military operations • Make digital data suitable and persuasive for introduction into a criminal investigative process” -

Military Needs - • Data protection – When a candidate digital information source is identified, measures must be put in place to prevent the information from being destroyed or becoming unavailable. • Data Acquisition – The general practice of transferring data from a venue out of physical or administrative control of the investigator, into a controlled location. • Imaging – The creation of a bit-for-bit copy of seized data for the purposes of providing an indelible facsimile upon which multiple analyses may be performed, without fear of corrupting the original dataset. • Extraction – The identification and separating of potentially useful data from the imaged dataset. This encompasses the recovery of damaged, corrupted, or destroyed data, or data that has been manipulated algorithmically to prevent its detection (e. g. encryption or steganography. )

Military Needs - • Interrogation – The querying of extracted data to determine if a priori indicators or relationships exist in the data. Examples include looking for known telephone numbers, IP addresses, and names of individuals. - • Ingestion/Normalization – The storage and transfer of extracted data in a format or nomenclature that is easily or commonly understood by investigators. This could include the conversion of hexadecimal or binary information into readable characters, conversion of data to another ASCII 2 language set, or conversion to a format that can be input into another data analysis tool. - • Analysis – The fusion, correlation, graphing, mapping, or timelining of data to determine possible relationships within the data, and to developing investigative hypotheses. - • Reporting – The presentation of analyzed data in a persuasive and evident form to a human investigator or military commander.

Areas of Focus l A major issue in this area is how to rapidly collect and normalize digital evidence from a variety of sources including firewalls, hosts, network management systems, and routers. The information that is collected could then be used to predict or anticipate adversarial actions, understand the current state of affairs, and help in determining appropriate courses-of-action. l Perform work that allows us to detect data hidden within network traffic. The hidden data problem is especially insidious. The art of hiding data is called steganography, which means “covered writing”. l Database forensic analysis. We need to be able to reconstruct past events and trace evidence to indicate data destruction, reconstitution of damaged or destroyed databases or their schemas, and direct attacks on the DBMS’s security mechanism to gain privileges to a database or the operating system.

Areas of Focus l Distributed intelligent forensic agents: Distributed intelligent forensic agents would be small, lightweight programs that are launched from an agent control center whenever a suspicious event is identified. These agents would then gather the appropriate digital evidence and return the evidence to central control for further analysis by other tools. l Trusted Timestamps has to be considered when performing network-based cyber forensics. In order to properly timeline events over a distributed network system, events collected at each appliance or node need to be properly time-synchronized. l The proliferation of cellular and wireless hand-held devices presents a unique challenge to the forensic examiner. Unlike a wired network in which investigation of a cyber attack eventually leads to tracing the attack back to a physical location, a wireless information attack does not require physical access to the medium being exploited.

Areas of Focus l Quick views” of seized media is a focus area. Current approaches to analyze the entire hard drive can take many months. For the purpose of quickly restoring operations, an Operating System Hash Library could be constructed to fingerprint hash values of operating system files of properly configured software. l Multi-lingual analysis of storage media. Is important. No longer is the cyber world one which is utilized primarily by English-speaking citizens. An automated means that can translate the recovered data or at least indicate a probable language set is vital to the timely processing of cyber attacks posed by non-English speaking citizens and foreign nationals. l Finally, there needs to be a uniform standard for the development and testing of forensic tools. There need to be metrics established that help determine the extent that a software or hardware tool performs a particular forensic function, and the associated error rate with that process.

Abstract of Paper 2 l When detectives perform investigations they manage a huge amount of information, they make use of specialized skills and analyze a wide knowledge base of evidence. Most of the work is not explicitly recorded and this hurdles external reviews and training. In this paper we propose a model able to organize forensic knowledge in a reusable way. Thus, past experience may be used to train new personnel, to foster knowledge sharing among detective communities and to expose collected information to quality assessment by third parties.

Outline l Introduction l Framework l Model and Reasoning l Example l Directions

Introduction l Problems - evidence might be easily and voluntarily erased; • evidence might be easily and voluntarily forged (i. e. , false evidence might be created); • evidence might be altered accidentally by daily activities (i. e. , the everyday use of a system might damage evidence); • evidence at different abstraction layers, has different meanings and properties (e. g. , an html document may be considered formatted text, or a sequence of ASCII characters, or a set of blocks in the file system structure) l Solutions - produce reusable forensic knowledge to be used as support during investigations; • organize past experience to foster knowledge sharing among forensic experts; • record collected information in a way that ease quality assessment.

Framework l Investigative process - formulate hypotheses on the state of the world that caused the case; collect evidence on the basis of these hypotheses; correlate actual evidence with hypotheses; adjust hypotheses, and repeat the process until the consistency state of the knowledge about the case is high. l Framework - Evidence: nothing that is not clear and evident can be accepted. Analysis: a problem that cannot be faced all at once should be decomposed in easier parts. Synthesis: a decomposed problem has to be recomposed, but only after every part has been verified through detailed observations and considerations. Enumeration: the whole process has to be reviewed to evaluate the soundness and completeness of the generalizations involved. Moreover, a careful revision is needed to ascertain the absence of errors and misinterpretations.

Model and Reasoning l Graph is used to represent all the knowledge acquired over the time. l Hypotheses and evidence are expressed in natural language. l To better illustrate the inductive reasoning used to prove or disprove a hypotheses a graphical formalism is used Example: Hypotheses are represented by square, evidence collecting tests by circle and the weight of evidence by a label on the edge linking evidence to hypotheses. -

Example l During a chat session a user has been caught spreading an offensive picture. After a preliminary investigation Mr. Black felt under suspicion. He has been accused of guilty because the address used by the sender to transmit the images, was, at that moment, assigned to him. l In the preliminary phase the detective, starting from the file received and the address of the sender, comes to identify Mr. Black as the criminal. Mr. Black’s computer has been seized for further analysis. l The paper formulates the root hypothesis and applies the reasoning method described.

Directions l Producing reusable knowledge, since forensic (sub-)graphs can be exploited to generate completely unrelated case graphs; l Structuring argumentation from evidence to prosecution hypotheses, since a graphical representation of the structure of the hypothesis space and the evidence support that was collected may convey, even at a glimpse, the global soundness and completeness of the information gathering; l Guiding less skilled detectives during evidence collection, since the highly specialized knowledge of experts in a field can be shared, thanks to its recording in a structured fashion.

Abstract of Paper 3 l Observables of malicious behavior in the cyber realm are derived from intuition or analysis of previous (a-posteriori) events. This creates an untenable situation where cyber defenders are unprepared for novel attacks or malicious behaviors – particularly those expected to be used by sophisticated adversaries. Development of a complete theory of observables with a particular focus on development of a-priori observables is critical to defend against computer network attack and computer network exploitation. Monitoring of a-priori observables will greatly assist in the areas of indications and warnings and attack sensing and warning. Forensic development and analysis of a-priori observables is critical to determine the type of adversary, adversary mission, and ultimately attribution.

Outline l Introduction l Threat Model l Types of Adversaries l Process Model l Adversaries and Forensics l Directions

Introduction l The current sets of cyber observables are developed after an attack or event takes place. These are termed a-posteriori observables because they follow the pattern of event—analysis— observables. l Properly specified, these observables will catch most or all repeat events or new events that use the same techniques. l These observables have no value in identifying new types of events or novel variations of known events. Since the vulnerability space is huge, defenders are forced into a responsive mode of operation. l What is needed is an additional set of observables that will permit the detection and analysis of novel events and attacks. These must be developed a-priori and follow the pattern of threat— analysis—observables.

Threat Model l Any threat model must start with analysis of adversary behavior and incorporate sufficient knowledge of the defended system. l For development of a-posteriori observables, real behaviors and real systems are used. For development of a-priori observables, hypothetical or potential adversarial behavior is modeled. l Cyber-adversaries have goals and objectives. There is a reason why the defender’s system is under attack. l Cyber-adversaries have resource limitations. l Cyber-adversaries engage in mission planning, practice, development and testing l Cyber-adversaries translate their behavior into the world of computers and networks.

Types of Adversaries: Example l Class IV First-world and certain second-world countries, including military and intelligence agencies. Future terrorist organizations. Future organized criminal groups. Some types of insider. l Class III Almost every country not in the Class IV category. Some terrorist organizations. Some organized criminal groups. Some types of insider. Some types of radical organizations. l Class II A very few countries. Many terrorist organizations. Many organized criminal groups. Many types of insider. Many types of radical groups. Very expert hackers and hacker coalitions. l Class I Some terrorist organizations. Some organized criminal groups. Many types of insider. Many types of radical groups. Beginner to journeyman hackers.

Process Model l The process model shows a high-level process model of adversary behavior. However, it can be expected that a Class IV adversary will engage in a much more detailed set of behaviors. l There is a strategic set of goals followed by assignment of missions and mission objectives. l The adversary’s strategic planning can be represented in a Warnier/Orr diagram. The goal is to identify effects that can be achieved, i. e. , to identify the top-level opportunities and resources available to carry out the strategic mission. l Behavior: The adversary will study their enemy to determine what they have in place and how they operate. The adversary will develop a list of desired effects that the adversary wishes to have on their enemy. The adversary also takes an initial, high-level cut at the targets of interest.

Adversaries and Forensics l The discipline of computer forensics has been largely focused on the development of a set of tools and procedures. l However, the majority of efforts have remained at this level and not progressed to meet the challenge of Class III and Class IV adversaries. l With the resources available to these adversaries, it is not apparent that analysis of single exploits or events will help to identify and analyze the presence of these adversaries. l For example, it is understood that an adversary will not use his most valuable or sophisticated techniques or methods unless there is sufficient payoff. l Consequently, identification of Class IV adversaries must look for supporting evidence. Fortunately, the kinds of process and control exercised by this type of adversary is likely to leave such evidence.

Directions l While the development of new models and characterizations of cyber-adversaries has been informally pursued for several years and within multiple government-supported programs, the full development and presentation is made under an effort called Theory of Observables within the Proactive and Predictive Cyber Indications and Warnings contract from the Advanced Research and Development Activity (ARDA). l ARDA’s web site is located at www. ic-arda. org.

Abstract of Paper 4 l Authors make the case for distributed digital forensic (DDF) tools and provide several real-world examples where traditional investigative tools executing on a single workstation have clearly reached their limits, severely hampering timely processing of digital evidence. Based on their observations about the typical tasks carried out in the investigative process, they outline a set of system requirements for DDF software. Next, authors propose a lightweight distributed framework designed to meet these requirements and describe an early prototype implementation of it. Finally, we present some performance comparisons of singleversus multiple-machine implementations of several typical tasks and describe some more sophisticated forensics analysis techniques, which will be enabled by a transition to DDF tools.

Introduction l Having all of the analysis to be carried out in one location may have a performance impact l If the site is down, then the work has to be postponed l Therefore distributed digital forensics analysis may be an option l Requirements include Scalability Platform Independence Extensibility Robustness -

Approach and Directions l System Architecture - Based on architectures for distributed data management and/or distributed data mining l Distributed workload Each node carries out a specific task, or all of the nodes carry out the same task and then the results have to be combined l Analysis Each node carries out analysis and the results have to be combined l Some directions include: Develop a framework for DDF; Middleware forensics analysis - Tools are integrated in a middleware environment. Appropriate tools are involved -