Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #5 Technology and Services September 9, 2009.

Review of Lectures
- Part 1 of the Course - Reference: Part 1 of the Book + links given in lectures
  - Lecture 1: Introduction to Digital Forensics
  - Lecture 2: Background on Cyber Security
  - Lecture 3: Data Recovery and Evidence Collection
  - Lecture 4: Malicious Code Detection: How do you detect that the problem has occurred?
  - Lecture 5: Forensics Technologies and Services
- Part 2 of the Course - Part 2 of the Book
  - Lecture 6: Data Acquisition Details (September 14, 2009)

Assignment #1
- Text Book - Hands-on Project, Chapter 2 - Page
- Due: Wednesday September 23, 2009

Outline
- Forensics Technologies
  - Forensics Technology: Military, Law Enforcement, Business Forensics
  - Forensics Techniques: Finding Hidden Data, Spyware, Encryption, Data Protection, Tracing, Data Mining
  - Security Technologies: Wireless, Firewalls, Biometrics
- Services
  - Cyber crime, Cyber detective, Risk Management, Investigative services, Process improvement

Introduction
- Digital forensics includes computer forensics and network forensics
- Computer forensics
  - Gathers evidence from computer media seized at the crime scene
  - Issues involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation
- Network forensics
  - Analysis of computer network intrusion evidence

Military Forensics
- CFX-2000: Computer Forensics Experiment; Information Directorate (AFRL) partnership with NIJ/NLECTC
  - Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework
  - Tools included commercial products and research prototypes

Law Enforcement Forensics
- Commonly examined systems: Windows NT, Windows 2000, XP and 2003
- Preserving evidence
  - Mirror image backups: SafeBack technology from New Technologies Inc.
- Tools to handle
  - Trojan Horse programs / file slack
  - Data hiding techniques
    - AnaDisk analyzes diskettes
    - COPYQM duplicates diskettes
  - E-Commerce investigation: Net Threat Analyzer
  - Text search: TextSearch Plus tool
  - Fuzzy logic/data mining tools to identify unknown text
    - Intelligent Forensics Filter

Business Forensics
- Remote monitoring of target computers
  - Data Interception by Remote Transmission (DIRT) from Codex Data Systems
- Creating trackable electronic documents
- Theft recovery software for laptops and PCs
  - PC PhoneHome tool
  - RFID technology

Forensics Techniques
- Techniques for finding, preserving and preparing evidence
- Finding evidence is a complex process, as the forensic expert has to determine where the evidence resides
  - Evidence may be in files, on disks, or on paper; all types of evidence need to be tracked
- Preserving evidence includes ensuring that the evidence is not tampered with
  - Involves pre-incident planning and training in incident discovery procedures
  - If the machine is turned on, leave it on; do not run programs on that particular computer
- Preparing evidence includes data recovery, documentation, etc.

Finding Hidden Data
- When files are deleted, usually they can be recovered
- The files are marked as deleted, but they still reside on the disk until they are overwritten
- Files may also be hidden in different parts of the disk
- The challenge is to piece the different parts of the file together to recover the original file
- There is research on using statistical methods for file recovery
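The recovery idea above, as an added example that is not part of the lecture: a toy signature carver in Python run over a constructed 16-sector disk image, showing that clearing the allocation metadata leaves the file bytes recoverable until a later write lands on them. The file formats, sector size and allocation bitmap are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

SECTOR = 512

# Header/footer signatures for the two types this toy carver understands
# (a real carver such as foremost or scalpel ships a much longer table).
SIGNATURES = {
    "jpg": (re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), b"\xff\xd9"),
    "png": (re.compile(rb"\x89PNG\r\n\x1a\n"), b"IEND\xae\x42\x60\x82"),
}

@dataclass
class Carved:
    kind: str
    offset: int      # byte offset in the image where the header was found
    data: bytes

def carve(image: bytes):
    """Scan raw bytes for known headers and the matching footer, ignoring any
    file-system metadata; that is why a deleted file is recoverable as long as
    its sectors have not been reused."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        for m in head.finditer(image):
            start = m.start()
            end = image.find(foot, m.end())
            if end == -1:
                continue      # header without footer: the tail was overwritten or truncated
            found.append(Carved(kind, start, image[start:end + len(foot)]))
    return sorted(found, key=lambda c: c.offset)

def build_image():
    """Constructed 16-sector image holding a JPEG and a PNG, then 'deleted' the
    way most file systems do it: the allocation bitmap is cleared, the data is left."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xae\x42\x60\x82"
    img = bytearray(SECTOR * 16)
    bitmap = [0] * 16
    for data, first in ((jpg, 3), (png, 10)):
        img[first * SECTOR:first * SECTOR + len(data)] = data
        for s in range(first, first + -(-len(data) // SECTOR)):
            bitmap[s] = 1     # sectors 3-4 and 10 are now allocated
    bitmap = [0] * 16         # delete both files: only the metadata changes
    return bytes(img), bitmap, jpg, png

def overwrite_sector(image: bytes, sector: int) -> bytes:
    """Simulate a later write landing on a freed sector: this is what makes
    recovery fail, and why an evidence disk must not keep taking writes."""
    img = bytearray(image)
    img[sector * SECTOR:(sector + 1) * SECTOR] = b"\x00" * SECTOR
    return bytes(img)
```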

Spyware/Adware
- Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent
- Spyware is mostly advertising-supported software (adware)
- Shareware authors place ads from a media company and get a piece of the revenue
- PC surveillance tools that allow a user to monitor computer activity
  - Keystroke capture, snapshots, logging, chats etc.
- Privacy concerns with spyware

Encryption
- Popular encryption techniques
  - Public key / private key
    - Owner of the data encrypts with the public key of the receiver; the receiver decrypts with his private key
    - In some cases the owner may encrypt with his private key for multiple receivers; the receivers decrypt with the owner's public key
- Merkle hash is a popular method to hash documents; one-way hash function
- Challenge is to generate unique keys
- Issues: trusted authority to generate keys and credentials
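The Merkle hash mentioned above, and the earlier point that preserved evidence must be shown untampered, as one added Python example that is not from the lecture: a Merkle tree over a set of collected evidence items, whose root is recorded at collection time, with an audit path that proves a single item belongs to the sealed set and a check that localises any later change. The evidence items and the leaf/node prefixes are assumptions made for the demonstration.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(data: bytes) -> bytes:
    # Prefix leaves and interior nodes differently so a leaf value cannot be
    # presented as an interior node (avoids second-preimage style confusion).
    return sha256(b"\x00" + data)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def next_level(level):
    """Pair up hashes; an odd last node is carried up unchanged."""
    return [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)]

def merkle_root(leaves) -> bytes:
    level = list(leaves)
    if not level:
        raise ValueError("empty evidence set")
    while len(level) > 1:
        level = next_level(level)
    return level[0]

def audit_path(leaves, index):
    """Sibling hashes (hash, sibling_is_left) needed to rebuild the root from
    one leaf: the proof that a single item belongs to the sealed set."""
    level, path = list(leaves), []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        level, index = next_level(level), index // 2
    return path

def verify_path(leaf: bytes, path, root: bytes) -> bool:
    h = leaf
    for sib, sib_is_left in path:
        h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
    return h == root

def seal(evidence: dict):
    """Hash each item at collection time; record the root (e.g. in the chain-of-custody
    log) and keep the per-item leaf hashes to localise any later change."""
    names = sorted(evidence)
    leaves = {n: leaf_hash(evidence[n]) for n in names}
    return merkle_root([leaves[n] for n in names]), leaves

def tampered_items(evidence: dict, sealed_leaves: dict):
    """Names whose current content no longer matches the sealed leaf hash."""
    return sorted(n for n in evidence if leaf_hash(evidence[n]) != sealed_leaves.get(n))
```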

Internet/Web Tracing
- Where has the email come from?
  - Check the IP address
  - The sender may use a fake address by changing fields; the sending server may not check this, and so the mail is sent
- Tracing web activity
  - Who has logged into the system, say from a public web site, and modified accounts and grades?
- Web/email tracking tools
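The "check the IP address" step above, as an added Python example that is not from the lecture: it walks the Received headers of a constructed message top-down and stops at the hop recorded by our own mail server, because that is the last observation we can vouch for; every header below it arrived with the message and could have been written by the sender. The server name in OUR_SERVERS, the hostnames and the addresses are assumptions for the demonstration.

```python
import re
from email import message_from_string

# Constructed message (documentation-range addresses, invented hostnames).
# mx.example.org is our own server and wrote the topmost Received header;
# everything below it was supplied by the sending side.
RAW = """Received: from relay.fake-bank.test (unknown [203.0.113.7])
\tby mx.example.org with ESMTP id 4AB12; Wed, 9 Sep 2009 10:02:11 -0500
Received: from mail.fake-bank.test (mail.fake-bank.test [198.51.100.20])
\tby relay.fake-bank.test; Wed, 9 Sep 2009 10:02:05 -0500
From: security@fake-bank.test
To: student@example.org
Subject: verify your account

(constructed body)
"""

OUR_SERVERS = {"mx.example.org"}   # assumption: the servers whose Received lines we trust

HOP_RE = re.compile(
    r"from\s+(?P<helo>[^\s;]+)"                                        # name the client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"   # what the server observed
    r".*?\bby\s+(?P<by>[^\s;]+)", re.S)                                # server that wrote the line

def parse_hops(raw: str):
    """Received headers, topmost (most recent) first, reduced to the fields that matter."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        hops.append(m.groupdict() if m else {"raw": value})
    return hops

def trace_origin(raw: str):
    """Return (ip our server saw the message come from, trusted hops, sender-supplied hops).
    Only the hop written 'by' one of OUR_SERVERS is verifiable; the rest is testimony."""
    hops = parse_hops(raw)
    for i, h in enumerate(hops):
        if h.get("by") in OUR_SERVERS:
            return h.get("ip"), hops[:i + 1], hops[i + 1:]
    return None, [], hops          # no hop of our own: treat the whole chain as unverified

def helo_mismatch(hop: dict) -> bool:
    """True when the announced name is not confirmed by reverse DNS, a common sign of forgery."""
    return hop.get("rdns") in (None, "", "unknown") or hop["rdns"] != hop.get("helo")
```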

Wireless Technology Forensics
- Forensic Examination of a RIM (BlackBerry) Wireless Device
  - "There are two types of RIM devices within each model class. The Exchange Edition is meant for use in a corporate environment while the Internet Edition works with standard POP accounts. The Exchange Edition employs Triple-DES encryption to send and receive but the Internet Edition communicates in clear text. Neither employs an encrypted file system"
- Relevance of RIM forensics
  - "The RIM device shares the same evidentiary value as any other Personal Digital Assistant (PDA). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the RIM's always-on, wireless push technology adds a unique dimension to forensic examination. Changing and updating data no longer requires a desktop synchronization. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a PDA spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally"

Wireless Technology Forensics - 2
- The Hardware
  - The RIM device is designed around an Intel 32-bit i386 processor, a low-power embedded version of the same processor that used to power a desktop PC. Each unit has 512 KB of SRAM and 4 or 5 MB of Flash RAM, depending on the model. The RIM's SRAM is analogous to the RAM on a desktop and the Flash memory is the "disk space" used to store the Operating System (OS), applications, and the file system. The RIM's OS is a single executable named PAGER.EXE and the applications are DLLs.
- Toolbox
  - BlackBerry Desktop Software, available free at www.blackberry.com
  - BlackBerry C++ Software Development Kit v2.1, available free at www.blackberry.com
  - Hex editor; text editor; AA batteries; spare BlackBerry cradles
  - The examination PC should meet the minimum requirements for the BlackBerry Software Development Kit (SDK) and have two available external 9-pin RS232 serial ports. Disk space required for evidence gathering is minimal: space equal to the amount of Flash RAM in the RIM units being investigated.

Firewall Forensics
- Analyzing firewall logs, especially what port numbers etc. mean; this information may help figure out what hackers are up to
  - What does destination port number ZZZZ mean?
  - What does this ICMP info mean?
  - What do these IP addresses indicate?
  - Stuff doesn't work
  - What are some typical signatures of well-known programs?
  - What do these other logs mean?
  - How do I configure filters?
  - Packet Zen
  - What's the deal with NetBIOS (UDP port 137)?
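The questions above (what a destination port means, what the ICMP fields mean, why UDP 137 keeps showing up), as an added Python example that is not from the lecture: a small analyzer over constructed iptables-style firewall log lines that annotates each record and flags a source that probes many distinct ports on one host. The log lines, the port table and the scan threshold are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log lines in the real iptables LOG-target format; addresses are documentation ranges.
LOG = """Sep  9 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41122 DPT=22 SYN
Sep  9 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41123 DPT=23 SYN
Sep  9 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41124 DPT=80 SYN
Sep  9 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41125 DPT=443 SYN
Sep  9 10:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41126 DPT=3389 SYN
Sep  9 10:01:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Sep  9 10:01:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Sep  9 10:01:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep  9 10:01:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=80 SYN
"""

# Minimal lookup tables (assumed for the example; a real analyst keeps a much longer one).
PORT_NOTES = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 3389: "rdp",
              137: "netbios-ns (Windows name lookups: usually noise, sometimes a probe)"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request (ping)", 11: "time exceeded"}

FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs; bare flags such as SYN are ignored

def parse(line: str):
    f = dict(FIELD.findall(line))
    if "SRC" not in f:
        return None                  # not a firewall record
    return {"src": f["SRC"], "dst": f["DST"], "proto": f.get("PROTO"),
            "dpt": int(f["DPT"]) if f.get("DPT") else None,
            "icmp_type": int(f["TYPE"]) if f.get("TYPE") else None}

def explain(rec: dict) -> str:
    """Human-readable reading of one record: the 'what does this port/ICMP type mean' step."""
    if rec["proto"] == "ICMP":
        return "ICMP " + ICMP_TYPES.get(rec["icmp_type"], f"type {rec['icmp_type']}")
    return f"{rec['proto']}/{rec['dpt']} " + PORT_NOTES.get(rec["dpt"], "unknown service")

def port_scanners(records, min_ports: int = 5):
    """Sources that touched at least min_ports distinct destination ports on a single host."""
    seen = defaultdict(set)
    for r in records:
        if r["dpt"] is not None:
            seen[(r["src"], r["dst"])].add(r["dpt"])
    return sorted(src for (src, _dst), ports in seen.items() if len(ports) >= min_ports)

def analyze(log: str = LOG) -> dict:
    recs = [r for r in (parse(l) for l in log.splitlines()) if r]
    return {"records": recs,
            "explained": [explain(r) for r in recs],
            "scanners": port_scanners(recs),
            "netbios_probes": sum(1 for r in recs if r["proto"] == "UDP" and r["dpt"] == 137)}
```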

Biometrics Forensics: Richard Vorder Bruegge
- It often happens that people confuse biometrics and forensics. After all, television and movies make it look like automated biometrics databases can be used to identify and convict people all the time. Isn't that what forensics is all about? Unfortunately, this can have an adverse effect on the development of forensic tools which utilize biometric features, because those in a position to make funding decisions may not understand the distinction between the two. This presentation will attempt to provide the audience with a better understanding of the relationship between biometrics and forensics from the standpoint of a forensic scientist.

Biometrics Forensics: Richard Vorder Bruegge - 2
- Advances in the field of biometrics offer great potential for the field of forensics. Biometric databases offer the promise of enabling law enforcement and the intelligence community to rapidly identify questioned individuals if they are present in the queried database. However, obtaining a "hit" in a biometric database is a far cry from an identification in the world of forensic science. The standard of proof to which forensic scientists in the United States are held is "beyond a reasonable doubt". That "reasonable doubt" criterion, coupled with standards for scientific and technical evidence elucidated in the "Daubert" and "Kumho Tire" cases, requires that conclusions offered by forensic scientists be supported at a level beyond that offered by current biometric systems, particularly in the field of facial recognition.
- Reviewing Court Approves of Fingerprint Admissibility

Technologies: Conclusion
- Two types of forensics: computer forensics and network forensics
- Computer forensics is mainly about file system forensics; network forensics is about detecting intrusions and connecting them to hackers/terrorists
- Various techniques are being developed for military forensics, law enforcement forensics and business forensics; these are not mutually exclusive
- Different tools for different systems
- Systems include operating systems, database systems, networks, middleware, wireless systems, firewalls, biometrics
- Biometric systems may be compromised; however, biometrics may be used as evidence
- Data mining/analysis is being used for forensics
  - (Image mining for digital forensics)

Types of Computer Forensics Systems
- Internet security systems
- Intrusion detection systems
- Firewall security systems
- Storage area network security systems
- Network disaster recovery systems
- Public key infrastructure systems
- Wireless network security systems
- Satellite encryption security systems
- Instant messaging security systems
- Net privacy systems
- Identity management security systems
- Identity theft prevention systems
- Biometric security systems
- Homeland security systems

Cyber Crime
- Financial fraud
- Sabotage of data or networks
- Theft of proprietary information
- System penetration from the outside and denial of service
- Unauthorized access by insiders and employee misuse of Internet access privileges: insider threat
- Malicious code (e.g., virus)

Cyber Detective
- Forensics investigators
  - detect the extent of a security breach,
  - recover lost data,
  - determine how an intruder got past the security mechanisms,
  - and possibly identify the culprit
- Legal issues
  - Admissibility of digital evidence in court
  - Laws lag technology
  - Theft: a person must permanently deprive the victim of property; does this apply to cyber theft?

Risk Management
- Risk management
  - is the human activity which integrates recognition of risk, risk assessment, developing strategies to manage it, and mitigation of risk using managerial resources
  - The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk
- Risk management for computer forensics
  - Effective IT and staff policies
  - Use of state-of-the-art vendor tools
  - Effective procedures

Forensic Services
- Forensics incident response
- Evidence collection
- Forensic analysis
- Expert witness
- Forensic litigation and insurance claims support
- Training
- Process improvement

Investigative services examples
- Intrusion detection service
  - Installing technical safeguards to spot network intruders or detect denial of service attacks at e-commerce servers
- Digital evidence collection
  - Identify all devices that may contain evidence
  - Quarantine all in-house computers
  - Court orders to preserve and collect evidence

Process Improvement: Tools
- dig -x / nslookup
- whois
- ping
- traceroute
- finger
- Anonymous surfing
- USENET
- Need to integrate the processes
