91.460.201 & 91.530.202 SELECTED TOPICS: DIGITAL FORENSICS Xinwen Fu, UMass Lowell, USA Center for Cyber Forensics, UMass Lowell.


Outline
• Introduction
• Related Laws in Network Forensics
  - Traditional Crime vs. Cyber Crime
  - Terminology
  - Constitutional Laws
  - Statutory Laws
• Conclusion

Introduction
Based on Symantec Internet Security Threat Report 2011 Trends
• Symantec blocked more than 5.5 billion attacks in 2011
• Over 154 attacks took place per day in Dec
• Attacks skyrocketed by more than 81% compared with 2010
• More than million identities were exposed

Digital Forensics
• Recovery and investigation of material found in digital devices, often in relation to computer crime
• Encompasses the seizure, forensic imaging (acquisition) and analysis of digital media, and the production of a report on the collected evidence for the benefit of courts or employers (incrimination or exoneration)
[Diagram labels: Digital Forensics; Computer Forensics; Network Forensics]

Example: Computer Forensic Toolkit® (FTK®)

Network Forensics
• Monitors and analyzes computer network traffic for the purposes of information and legal evidence gathering, or intrusion detection
• Deals with dynamic information

Demo – HAWK: mini-Helicopter-based Aerial Localization Wireless Kit
youtu.be/watch?v=ju86xnHbEq0

Demo - HaLo: Hand-held Locator
youtu.be/S0vMe02-tZc
youtu.be/


Traditional Crime
[Diagram labels: Proactive Investigation; Real Time Investigation; Retroactive Investigation; Other Witnesses and clues]

Cyber Crime
[Diagram labels: P2P Network Search who owns the child pornography material; Proactive Investigation; Real Time Investigation; Retroactive Investigation]

Classification of Strategies for Network Investigation
[Timeline around the Cyber Crime Incident]
• Proactive Investigation: Prepare for and detect the incident
• Real Time Investigation: Monitor and preserve incoming/outgoing traffic during the cyber crime and conduct the traceback if possible
• Retroactive Investigation: Collect and reassemble leftover data on the victim's computer and network
Where are the laws and due process?
Examples:
• E.g., search an anonymous P2P network and identify the source of illegal materials.
• E.g., a UML server was attacked; police read the logs from the IDS, firewall and local ISPs and try to reconstruct the past session.
• E.g., trace who is downloading illegal child pornography videos.

Terminology of Related Laws
• Reasonable Privacy: a person deserves reasonable privacy if he/she actually expects privacy and his/her subjective expectation of privacy is “one that society is prepared to recognize as ‘reasonable.’”
• Probable Cause: “a reasonable belief that a person has committed a crime”
  - The standard by which law enforcement officers have the grounds to make an arrest, to conduct a personal or property search, or to obtain a warrant for arrest, etc. when criminal charges are being considered

Terminology (Cont’)
• Subpoena: A specific type of court order to compel a witness to give a statement or to appear in court to testify
  - Law enforcement with a subpoena can require an ISP to provide logs to determine a particular subscriber’s identity
• Court Order: An official judge’s statement to compel or order someone, or a party, to do something or to refrain from doing something
  - Law enforcement officers can install a packet sniffer on an ISP’s router to collect the non-content information of all packets coming from a particular IP address to reconstruct a session
• Search Warrant: A written court order authorizing law enforcement officers to search a certain area and/or seize property specifically described in the warrant
  - Law enforcement officers can intercept an online conversation and collect the content with a search warrant

Constitutional Law
• The Fourth Amendment is the main constitutional restriction on network forensics investigation
• “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”

Statutory Laws
• The Wiretap Act (Title III)
  - Prohibits unauthorized government access to private electronic communications in real time
• The Stored Communications Act
  - Protects the privacy rights of customers and subscribers of Internet service providers (ISPs) and regulates government access to stored content and non-content records held by ISPs
• The Pen Register Act
  - Also known as the Pen Registers and Trap and Trace Devices statute
  - A pen register device records outgoing addressing information (such as a phone number dialed and receiver’s address)
  - A trap and trace device records incoming addressing information (such as incoming phone number and sender’s address)

Network Forensics with Laws
[Timeline around the Cyber Crime Incident]
• Proactive Investigation
  - Law: People’s reasonable expected privacy (The Fourth Amendment)
  - Instrument: Subpoena/Court Order
• Real Time Investigation
  - Law: Title III and Pen Register Act OR Constitutional Laws
  - Instrument: Court Order/Search Warrant
• Retroactive Investigation
  - Law: Stored Communications Act OR Constitutional Laws
  - Instrument: Subpoena/Court Order/Search Warrant


Conclusion
• We study related laws in Network Forensics
• We refine the framework of Network Forensics with three categories of investigations
• Suggestion: while studying network forensics research, we should always consider the impact of laws

Thank you!
Xinwen Fu

Network Forensics with Laws (Cont’)
Cyber Crime
• Constitutional Issue: The 4th Amendment
• Statutory Issue
  - Pen/Trap Statute: Non-Content (Packets’ size, number; IP address; Flags)
  - Title III: Content (’s Subject, Content; Packet’s Payload)
  - SCA: Info. stored in digital media (s, Logs, Subscriber’s info.)
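The non-content/content split on this slide, shown as an added example that is not part of the original slides: Python code that reduces an IPv4/TCP packet to the non-content fields the slide lists (packet size, IP address, flags) and never copies the payload. The function names, the inclusion of port numbers, the documentation-range addresses and the sample packet are assumptions made for illustration.

```python
import socket
import struct

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5

def non_content_record(packet: bytes) -> dict:
    """Return header-only fields of an IPv4/TCP packet; payload bytes are never kept."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                 # IP header length in bytes
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent IPv4 lengths")
    record = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "proto": proto, "ip_len": total_len}
    if proto != 6:                             # only TCP is decoded further here
        return record
    if total_len < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4               # TCP header length in bytes
    if doff < 20 or ihl + doff > total_len:
        raise ValueError("inconsistent TCP data offset")
    # Ports are included as addressing information (assumption of this example).
    record.update(sport=sport, dport=dport,
                  flags=[n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
                  payload_len=total_len - ihl - doff)   # size only, not the bytes
    return record

def sample_packet() -> bytes:
    """Constructed packet (checksums left at zero; they are not validated above)."""
    payload = b"Subject: constructed test message"
    tcp = struct.pack("!HHIIHHHH", 40000, 25, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.25"))
    return ip + tcp + payload

if __name__ == "__main__":
    print(non_content_record(sample_packet()))
```
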

Traditional crime and policing
• A pedestrian is walking down the street.
• The pedestrian is attacked by a robber.
• The pedestrian or another witness calls “911” during or after the robbery.
• The police center sends units to the site.
• Police may catch the criminal at the scene if the robbery hasn’t finished yet.
• Police conduct the investigation if the robber flees.
• Police may or may not catch the robber.
• Law enforcement summarizes the characteristics of the crimes in that area and sends more police to patrol that area to deter potential criminals.

Network crime and policing
• A hacker intrudes into a company server.
• The alert system (firewall, IDS) may or may not detect the intrusion, or a system administrator finds abnormal activity.
• The incident is reported to police.
• Police can watch the criminal activities on the server if the intrusion hasn’t finished yet.
• Police conduct the investigation with probable authorization whether or not the intrusion has finished.
• Police may or may not find the hacker.
• The system administrator patches the server and sets stricter rules on the firewall and IDS.

Network Forensics with Laws
• Proactive Investigation
  - Summarize the characteristics of cyber crimes and set up firewalls and IDSs to prevent and detect cyber crimes.
  - People’s reasonable expected privacy (The Fourth Amendment)
• Real Time Investigation
  - Preserve incoming/outgoing traffic during the cyber crime and try to trace back the intruder.
  - Title III and Pen Register Act OR Constitutional Laws
• Retroactive Investigation
  - Collect and reassemble the leftover data on the victim’s computer and network.
  - Stored Communications Act OR Constitutional Laws