Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #5 Forensics Systems September 5, 2007

Outline
- Some developments
- Review of Lectures 3 and 4
- Lecture 5: Types of Computer Forensics Systems
  - Objective: identify issues in corporate planning for computer forensics
- Tools for Digital Forensics
- Assignment #1
- Lab Tour

Some Developments
- Internship positions are available in computer forensics with DFW-area FBI and law enforcement
- Guest lectures by DFW FBI and law enforcement are being arranged
  - Dates to be announced
- Mid-term exam: week of October 9 or October 16

Review of Lectures 3 and 4
- Lecture 3
  - Forensics Technology: military, law enforcement, business forensics
  - Forensics Techniques: finding hidden data, spyware, encryption, data protection, tracing, data mining
  - Security Technologies: wireless, firewalls, biometrics
  - Appendix: Data Mining
- Lecture 4: Data Mining for Malicious Code Detection

Types of Computer Forensics Systems
- Internet security systems
- Intrusion detection systems
- Firewall security systems
- Storage area network security systems
- Network disaster recovery systems
- Public key infrastructure systems
- Wireless network security systems
- Satellite encryption security systems
- Instant messaging security systems
- Net privacy systems
- Identity management security systems
- Identity theft prevention systems
- Biometric security systems
- Homeland security systems

Internet Security Systems
- Security hierarchy
  - Public, private and mission-critical data
  - Unclassified, Confidential, Secret and Top Secret data
- Security policy
  - Who gets access to what data
  - Bell-LaPadula security policy, noninterference policy
- Access control
  - Role-based access control, usage control
- Encryption
  - Public/private keys
  - Secret payment systems
- Directions
  - Smart cards

Intrusion Detection Systems
- An intrusion can be defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource"
- Attacks are:
  - Host-based attacks
  - Network-based attacks
- Intrusion detection systems are split into two groups:
  - Anomaly detection systems
  - Misuse detection systems
- Use audit logs
  - Capture all activities on the network and hosts
  - But the amount of data is huge!
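The two IDS families on this slide behave very differently on the same audit log. The following is an added example written for these notes, not code from the lecture or from any named IDS: the audit-log format (epoch seconds, host, user, event, detail), the log lines, the command blocklist and the thresholds are all constructed for illustration. The misuse detector only fires on patterns it was told about; the anomaly detector fires on anything that deviates from a baseline, which is also where its false positives (the harmless `tar`) come from.

```python
"""Misuse (signature) detection versus anomaly (baseline-deviation) detection
over the same host audit log. Added example for this lecture, not code from
the lecture or from any named IDS; the log format and all log lines are
constructed for illustration."""
import re
from collections import Counter, defaultdict

# Constructed audit records: "<epoch-seconds> <host> <user> <event> <detail>"
TRAINING_LOG = """\
900 web1 alice login ok
905 web1 alice cmd ls
910 web1 alice cmd cat
915 web1 alice cmd grep
920 web1 bob login ok
925 web1 bob cmd ls
930 web1 alice cmd ls
935 web1 alice cmd cat
940 web1 bob cmd vim
945 web1 alice cmd ls
""".splitlines()

TEST_LOG = """\
1000 web1 bob login fail
1010 web1 bob login fail
1020 web1 bob login fail
1030 web1 bob login ok
1040 web1 alice login ok
1045 web1 alice cmd ls
1050 web1 alice cmd nc
1055 web1 alice cmd tar
1060 web1 carol cmd ls
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) (?P<user>\S+) (?P<event>login|cmd) (?P<detail>\S+)$")

def parse(lines):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            records.append(rec)
    return records

# ---- misuse detection: explicit signatures of activity already known to be bad
BLOCKLISTED_TOOLS = {"nc", "ncat", "socat"}   # constructed blocklist

def misuse_detect(records, fail_threshold=3, window_s=60):
    """Two signatures: (a) fail_threshold failed logins by one user within
    window_s seconds, alerted once when the threshold is crossed;
    (b) execution of a blocklisted tool. Returns (kind, user, timestamp)."""
    alerts = []
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["detail"] == "fail":
            fails[r["user"]].append(r["ts"])
            recent = [t for t in fails[r["user"]] if r["ts"] - t <= window_s]
            if len(recent) == fail_threshold:
                alerts.append(("brute_force", r["user"], r["ts"]))
        elif r["event"] == "cmd" and r["detail"] in BLOCKLISTED_TOOLS:
            alerts.append(("blocklisted_tool", r["user"], r["ts"]))
    return alerts

# ---- anomaly detection: learn what "normal" looks like, flag deviations
def build_profile(records):
    """Baseline per-user command histogram from a window believed to be clean."""
    profile = defaultdict(Counter)
    for r in records:
        if r["event"] == "cmd":
            profile[r["user"]][r["detail"]] += 1
    return profile

def anomaly_detect(records, profile, min_share=0.05):
    """Flag users with no baseline at all, and commands that make up less than
    min_share of a user's baseline activity (never-seen commands included).
    Each (user, command) pair is reported once; returns (kind, user, command)."""
    alerts, seen = [], set()
    for r in records:
        if r["event"] != "cmd":
            continue
        key = (r["user"], r["detail"])
        if key in seen:
            continue
        seen.add(key)
        hist = profile.get(r["user"])       # .get() does not create an entry
        if not hist:
            alerts.append(("unknown_user", r["user"], r["detail"]))
        elif hist[r["detail"]] / sum(hist.values()) < min_share:
            alerts.append(("unusual_command", r["user"], r["detail"]))
    return alerts

if __name__ == "__main__":
    baseline = build_profile(parse(TRAINING_LOG))
    test = parse(TEST_LOG)
    for alert in misuse_detect(test) + anomaly_detect(test, baseline):
        print(alert)
```

On the constructed test log the misuse detector reports bob's brute force and alice's `nc`, and nothing else; the anomaly detector reports alice's `nc` and `tar` and the never-profiled user carol, but has no notion of a brute-force attempt because it was trained on commands only. Whatever the baseline did not cover is invisible to it, which is the usual argument for running both kinds side by side.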

Our Approach: Overview (flowchart)
- Training: training data -> hierarchical clustering (DGSOT) -> SVM -> class
- Testing: testing data -> SVM -> class
- DGSOT: Dynamically Growing Self-Organizing Tree

Our Approach: Hierarchical Clustering (flowchart of hierarchical clustering with SVM)

Worm Detection: Introduction
- What are worms?
  - Self-replicating programs; exploit a software vulnerability on a victim; remotely infect other victims
- Evil worms
  - Severe effect; the Code Red epidemic cost $2.6 billion
- Automatic signature generation is possible
  - EarlyBird system (S. Singh, UCSD); Autograph (H. Ah-Kim, CMU)
- Goals of worm detection
  - Real-time detection
- Issues
  - Substantial volume of identical traffic, random probing
- Methods for worm detection
  - Count the number of sources/destinations; count the number of failed connection attempts
- Worm types
  - Email worms, instant messaging worms, Internet worms, IRC worms, file-sharing network worms
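The two "issues" on the slide, random probing and a substantial volume of identical traffic, are exactly the signals the two detection methods exploit. The following added example (written for these notes, not code from EarlyBird or Autograph) runs both over a constructed flow log: per-source fan-out and failed-connection counting for the probing signal, and content prevalence with address dispersion for the identical-traffic signal. The addresses, thresholds, time window and worm payload bytes are all constructed; real systems fingerprint substrings of the payload rather than hashing whole payloads as done here.

```python
"""Two network-side worm indicators from the slide, run over a constructed
flow log: (1) per-source fan-out and failed-connection counting, which
catches random probing; (2) content prevalence plus address dispersion,
the idea behind EarlyBird/Autograph-style automatic signature generation.
Added example, not code from those systems; thresholds, addresses and the
worm payload bytes are constructed."""
import hashlib
from collections import defaultdict

# Constructed flow records: (time_s, src, dst, dport, outcome, payload)
WORM = b"\x90\x90\x90\x90 constructed exploit stub, same bytes on every victim"
FLOWS = [
    # ordinary client traffic: few destinations, mostly successful
    (1, "10.0.0.5", "10.0.1.1", 80, "ok", b"GET /index.html"),
    (2, "10.0.0.5", "10.0.1.2", 443, "ok", b"GET /login"),
    (3, "10.0.0.6", "10.0.1.1", 80, "ok", b"GET /index.html"),
    (4, "10.0.0.6", "10.0.1.3", 25, "fail", b""),
    (5, "10.0.0.7", "10.0.1.1", 80, "ok", b"GET /index.html"),
]
# infected host sweeping 10.0.2.0/24 on one port; most probes fail, hits carry WORM
FLOWS += [(10 + i, "10.0.0.9", f"10.0.2.{i + 1}", 445,
           "ok" if i % 3 == 2 else "fail", WORM if i % 3 == 2 else b"")
          for i in range(12)]
# 10.0.2.3 was one of the hits above and now spreads, more slowly
FLOWS += [(30 + i, "10.0.2.3", f"10.0.3.{i + 1}", 445,
           "ok" if i < 3 else "fail", WORM if i < 3 else b"")
          for i in range(6)]

def probing_sources(flows, window_s=60, fanout_threshold=8, fail_threshold=5):
    """Sources that, within one time bucket of window_s seconds, contact at
    least fanout_threshold distinct destinations or have at least
    fail_threshold failed connections. Returns {src: {"dsts": n, "fails": n}}."""
    stats = defaultdict(lambda: {"dsts": set(), "fails": 0})
    for ts, src, dst, _dport, outcome, _payload in flows:
        s = stats[(src, ts // window_s)]
        s["dsts"].add(dst)
        if outcome == "fail":
            s["fails"] += 1
    flagged = {}
    for (src, _bucket), s in stats.items():
        if len(s["dsts"]) >= fanout_threshold or s["fails"] >= fail_threshold:
            flagged[src] = {"dsts": len(s["dsts"]), "fails": s["fails"]}
    return flagged

def prevalent_content(flows, min_copies=5, min_srcs=2, min_dsts=4):
    """Payloads seen in at least min_copies successful flows, sent by at least
    min_srcs distinct sources to at least min_dsts distinct destinations.
    Whole-payload hashing is used for brevity; EarlyBird fingerprints
    substrings so the invariant part of a varying payload still sifts out.
    Returns {sha256 hex: {"copies": n, "srcs": set, "dsts": set}}."""
    by_hash = defaultdict(lambda: {"copies": 0, "srcs": set(), "dsts": set()})
    for _ts, src, dst, _dport, outcome, payload in flows:
        if outcome != "ok" or not payload:
            continue
        e = by_hash[hashlib.sha256(payload).hexdigest()]
        e["copies"] += 1
        e["srcs"].add(src)
        e["dsts"].add(dst)
    return {h: e for h, e in by_hash.items()
            if e["copies"] >= min_copies and len(e["srcs"]) >= min_srcs
            and len(e["dsts"]) >= min_dsts}

if __name__ == "__main__":
    print("probing sources:", probing_sources(FLOWS))
    for h, e in prevalent_content(FLOWS).items():
        print("candidate signature", h[:16], e["copies"], sorted(e["srcs"]))
```

On the constructed log the counting method flags only the fast scanner (12 destinations, 8 failures in one window); the slower second-generation victim stays under both thresholds. Content prevalence catches both, because the same payload now reaches seven destinations from two sources, while the equally common `GET /index.html` is not reported since it only ever goes to one destination. Address dispersion is what separates a worm from popular legitimate content.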

Worm Detection using Data Mining (flowchart)
- Training data -> feature extraction -> machine learning -> the model (classifier)
- Test data (outgoing emails) -> feature extraction -> classifier -> clean or infected?
- Task: given some training instances of both "normal" and "viral" emails, induce a hypothesis to detect "viral" emails
- We used: Naïve Bayes, SVM

Firewall Security Systems
- A firewall is a system or group of systems that enforces an access control policy between two networks
- Benefits
  - Implements access control across networks
  - Maintains logs that can be analyzed
- Data mining for analyzing firewall logs and ensuring policy consistency
- Limitations
  - No security within the network
  - Difficult to implement content-based policies
  - Difficult to protect against malicious code
- Data-driven attacks

Traffic Mining
- To bridge the gap between what is written in the firewall policy rules and what is being observed on the network, analyze the traffic and the packet log: traffic mining
- Network traffic trends may show that some rules are outdated or have not been used recently
- Flowchart: firewall log file -> mine the log file using frequency filtering -> rule generalization -> generic rules -> identify decaying and dominant rules -> edit firewall rules -> firewall policy rules

Traffic Mining Results

Anomaly discovery result
- Rule 1, Rule 2: GENERALIZATION
- Rule 1, Rule 16: CORRELATED
- Rule 2, Rule 12: SHADOWED
- Rule 4, Rule 5: GENERALIZATION
- Rule 4, Rule 15: CORRELATED
- Rule 5, Rule 11: SHADOWED

Rule set (fields: protocol, chain, source, source port, destination, destination port, action)
1: TCP,INPUT, ,ANY,*.*.*.*,80,DENY
2: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,80,ACCEPT
3: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,443,DENY
4: TCP,INPUT, ,ANY,*.*.*.*,22,DENY
5: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,22,ACCEPT
6: TCP,OUTPUT, ,ANY,*.*.*.*,22,DENY
7: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,53,ACCEPT
8: UDP,INPUT,*.*.*.*,53,*.*.*.*,ANY,ACCEPT
9: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
10: UDP,INPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
11: TCP,INPUT, ,ANY, ,22,DENY
12: TCP,INPUT, ,ANY, ,80,DENY
13: UDP,INPUT,*.*.*.*,ANY, ,ANY,DENY
14: UDP,OUTPUT, ,ANY, *,ANY,DENY
15: TCP,INPUT,*.*.*.*,ANY, ,22,ACCEPT
16: TCP,INPUT,*.*.*.*,ANY, ,80,ACCEPT
17: UDP,INPUT, *.*,53, ,ANY,ACCEPT
18: UDP,OUTPUT, ,ANY, *.*,53,ACCEPT
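The anomaly labels above follow the usual pairwise classification under first-match semantics: a later rule is SHADOWED when an earlier rule with a different action already matches everything it matches; a later rule is a GENERALIZATION when it is the broader rule and the earlier one a specific exception with a different action; two rules are CORRELATED when they partially overlap with different actions, so their relative order decides the outcome. The following is an added example written for these notes, not the lecture's own tool. It uses the slide's field layout (protocol, chain, source, source port, destination, destination port, action) but the addresses are assumed, 10.0.0.0/24 as the blocked source and 192.168.1.5 as the server, because the slide's addresses were not preserved; with those assumptions the same three relations as the slide's rules 1, 2, 12 and 16 come out, plus two REDUNDANT pairs that the slide's list does not show.

```python
"""Pairwise firewall rule anomaly classification (shadowing, generalization,
correlation, redundancy) of the kind shown in the traffic-mining result.
Added example written for this lecture, not the lecture's own tool; the
rule fields follow the slide's layout but the addresses are assumed, so
the findings differ slightly from the slide's list."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rule:
    num: int
    proto: str
    chain: str
    src: str     # CIDR, or "*.*.*.*" for any
    sport: str   # port number, or "ANY"
    dst: str
    dport: str
    action: str

def _any(v):
    return v in ("ANY", "*", "*.*.*.*")

def _net(v):
    return ipaddress.ip_network("0.0.0.0/0" if _any(v) else v, strict=False)

def _ip_subset(a, b):            # every address in a is also in b
    return _net(a).subnet_of(_net(b))

def _ip_overlap(a, b):
    return _net(a).overlaps(_net(b))

def _port_subset(a, b):
    return _any(b) or a == b

def _port_overlap(a, b):
    return _any(a) or _any(b) or a == b

def subset(x, y):
    """True if every packet matched by rule x is also matched by rule y."""
    return (x.proto == y.proto and x.chain == y.chain
            and _ip_subset(x.src, y.src) and _port_subset(x.sport, y.sport)
            and _ip_subset(x.dst, y.dst) and _port_subset(x.dport, y.dport))

def overlap(x, y):
    """True if some packet is matched by both rules."""
    return (x.proto == y.proto and x.chain == y.chain
            and _ip_overlap(x.src, y.src) and _port_overlap(x.sport, y.sport)
            and _ip_overlap(x.dst, y.dst) and _port_overlap(x.dport, y.dport))

def relation(rx, ry):
    """Relation of the later rule ry to the earlier rule rx under first-match
    semantics; None when the pair is not an anomaly."""
    if not overlap(rx, ry):
        return None
    y_in_x, x_in_y = subset(ry, rx), subset(rx, ry)
    if rx.action == ry.action:
        return "REDUNDANT" if y_in_x else None   # ry can never fire, same outcome
    if y_in_x:
        return "SHADOWED"        # ry can never fire, and would have decided differently
    if x_in_y:
        return "GENERALIZATION"  # rx is a specific exception to the broader ry
    return "CORRELATED"          # partial overlap; which rule wins depends on order

def find_anomalies(rules):
    """All anomalous (earlier, later, relation) pairs in rule-number order."""
    found = []
    for rx, ry in combinations(sorted(rules, key=lambda r: r.num), 2):
        rel = relation(rx, ry)
        if rel:
            found.append((rx.num, ry.num, rel))
    return found

# Constructed rule set mirroring the slide's rules 1, 2, 3, 12 and 16, with
# assumed addresses: 10.0.0.0/24 as the blocked source, 192.168.1.5 as the server.
SAMPLE_RULES = [
    Rule(1,  "TCP", "INPUT", "10.0.0.0/24", "ANY", "*.*.*.*",     "80",  "DENY"),
    Rule(2,  "TCP", "INPUT", "*.*.*.*",     "ANY", "*.*.*.*",     "80",  "ACCEPT"),
    Rule(3,  "TCP", "INPUT", "*.*.*.*",     "ANY", "*.*.*.*",     "443", "DENY"),
    Rule(12, "TCP", "INPUT", "10.0.0.0/24", "ANY", "192.168.1.5", "80",  "DENY"),
    Rule(16, "TCP", "INPUT", "*.*.*.*",     "ANY", "192.168.1.5", "80",  "ACCEPT"),
]

if __name__ == "__main__":
    for a, b, rel in find_anomalies(SAMPLE_RULES):
        print(f"Rule {a}, Rule {b}: ==> {rel}")
```

The SHADOWED finding is the one to act on first: rule 12 was presumably written to block a specific source from a specific server, but rule 2 accepts that traffic before rule 12 is ever consulted, so the policy as written is not the policy being enforced. Rule 3 produces no findings because port 443 makes it disjoint from every other rule.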

Storage Area Network Security Systems
- High-performance networks that connect all the storage systems
  - After a disaster, such as a terrorist attack or a natural disaster (9/11 or Katrina), the data has to remain available
  - Database systems are a special kind of storage system
- Benefits include centralized management, scalability, reliability and performance
- Security attacks on multiple storage devices
  - Secure storage is being investigated

Network Disaster Recovery Systems
- Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery plan
- Policies and procedures have to be defined and subsequently enforced
- Which machines to shut down, which backup servers to use, when law enforcement should be notified

Public Key Infrastructure Systems
- A certificate authority that issues and verifies digital certificates
- A registration authority that acts as a verifier for the certificate authority before a digital certificate is issued to a requester
- One or more directories where the certificates with their public keys are held
- A certificate management system

Digital Identity Management
- A digital identity is the identity that a user has to access an electronic resource
- A person could have multiple identities
  - A physician could have one identity to access medical resources and another to access his bank accounts
- Digital identity management is about managing the multiple identities
  - Manage databases that store and retrieve identities
  - Resolve conflicts and heterogeneity
  - Make associations
  - Provide security
- Ontology management for identity management is an emerging research area

Digital Identity Management - II
- Federated identity management
  - Corporations work with each other across organizational boundaries using the concept of federated identity
  - Each corporation has its own identity and may belong to multiple federations
  - Individual identity management within an organization and federated identity management across organizations
- Technologies for identity management
  - Database management, data mining, ontology management, federated computing

Identity Theft Management
- Need for secure identity management
  - Ease the burden of managing numerous identities
  - Prevent misuse of identity: preventing identity theft
- Identity theft is stealing another person's digital identity
- Techniques for preventing identity theft include
  - Access control, encryption, digital signatures
  - A merchant encrypts the data with the recipient's public key and signs it with the merchant's own private key (a signature is always made with the signer's private key, never with the recipient's public key)
  - The recipient decrypts with his private key and verifies the signature with the merchant's public key

Biometrics
- Early Identification and Authentication (I&A) systems were based on passwords
- Recently, physical characteristics of a person are being used for identification
  - Fingerprints
  - Facial features
  - Iris scans
  - Voice recognition
  - Facial expressions
- Biometric techniques will provide access not only to computers but also to buildings and homes
- Systems are vulnerable to attack, e.g., fake biometrics presented to the sensor

Homeland Security Systems
- Border and transportation security
  - RFID technologies?
- Emergency preparedness
  - After an attack happens, what actions are to be taken?
- Chemical, biological, radiological and nuclear security
  - Sensor technologies
- Information analysis and infrastructure protection
  - Data mining, security technologies

Other Types of Systems
- Wireless security systems
  - Protecting PDAs and phones against denial of service and related attacks
- Satellite encryption systems
  - Pretty Good Privacy (PGP), which uses RSA
- Instant messaging
  - Deployment of instant messaging is usually not controlled
  - Should IM be blocked?
- Net privacy
  - Can we ensure privacy on the networks and systems?
  - Privacy-preserving access?

Conclusion
- We have discussed many types of forensics systems
- These systems are designed to be secure, but they can still be attacked
- Security solutions include policy enforcement, access control, encryption and protection against malicious code
- How can these systems be compromised, and what are the actions that need to be taken?

Open Source and Related Tools
- TechnicalTrack-DONE/CrimJesseDigital%20Forensics.pdf

Assignment #1
- Four exercises at the end of Chapters 1, 2, 3 and 4
- Due date: September 24, 2007
- You can read the answers at the back, but please try to produce your own answers

Lab Tour and Possible Programming Projects
- SAIAL: Security Analysis and Information Assurance Laboratory
- Develop programs to monitor what your adversary is doing
  - Will help our research a lot
- Can you develop techniques that will put pieces of the deleted files together to recreate the original file?
- Use data analysis/mining for intrusion detection
- Simulate an attack and use the open source tools
- Analyze a disk image
  - We will try to give you a disk image to work with