Page 1:

91.460.201 & 91.530.202 SELECTED TOPICS: DIGITAL FORENSICS

Xinwen Fu, UMass Lowell, USA

Center for Cyber Forensics, UMass Lowell

Page 2:

Outline

Introduction
Related Laws in Network Forensics
  Traditional Crime vs. Cyber Crime
  Terminology
  Constitutional Laws
  Statutory Laws
Conclusion

Page 3:

Introduction

Based on the Symantec Internet Security Threat Report, 2011 Trends:

Symantec blocked more than 5.5 billion attacks in 2011
Over 154 attacks took place per day in Dec. 2011
Attacks skyrocketed by more than 81% compared with 2010
More than 232.4 million identities were exposed

Page 4:

Digital Forensics

Recovery and investigation of material found in digital devices, often in relation to computer crime.

Encompasses the seizure, forensic imaging (acquisition) and analysis of digital media, and the production of a report on the collected evidence for the benefit of courts or employers (incrimination or exoneration).

Digital Forensics branches into:
  Computer Forensics
  Network Forensics

Page 5:

Example: Computer Forensic Toolkit® (FTK®) (screenshot)

Page 6:

Network Forensics

Monitor and analyze computer network traffic for the purposes of information and legal evidence gathering, or intrusion detection.

Deals with dynamic information: traffic exists only while it is in flight, so it must be captured at the time or it is gone.

Page 7:

Demo – HAWK: mini-Helicopter-based Aerial Localization Wireless Kit

youtu.be/watch?v=ju86xnHbEq0

Page 8:

Demo - HaLo: Hand-held Locator youtu.be/S0vMe02-tZc


Page 9:

Outline

Introduction
Related Laws in Network Forensics
  Traditional Crime vs. Cyber Crime
  Terminology
  Constitutional Laws
  Statutory Laws
Conclusion

Page 10:

Traditional Crime

Proactive Investigation
Real Time Investigation
Retroactive Investigation
Other witnesses and clues

Page 11:

Cyber Crime

P2P Network: search who owns the child pornography material

Proactive Investigation
Real Time Investigation
Retroactive Investigation

Page 12:

Classification of Strategies for Network Investigation

Cyber Crime Incident

Proactive Investigation: prepare for and detect the incident. E.g., search an anonymous P2P network and identify the source of illegal materials.

Real Time Investigation: monitor and preserve incoming/outgoing traffic during the cyber crime and conduct the traceback if possible. E.g., trace who is downloading illegal child pornography videos.

Retroactive Investigation: collect and reassemble leftover data among the victim's computer and network. E.g., a UML server was attacked; police read the logs from the IDS, firewall and local ISPs and try to reconstruct the past session.

Where are the laws and due process?
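The retroactive case on this slide (server attacked; investigators read firewall and IDS logs and ISP records to rebuild the session) reduces to a log-correlation job. The following is an added example, not code from the original deck: it parses two constructed log sources, merges the victim's events into one UTC timeline, and attributes the remote address to an ISP subscriber by IP and time together. The log layouts, hostnames, addresses and lease records are all constructed for the example and are not any product's real format; the function names are the example's own.

```python
"""Retroactive investigation: rebuilding a past session from logs.

Added example, not code from the original slides.  All log lines, lease
records and formats below are constructed for the example.  The point
of attribute() is the practitioner's caveat: ISP addresses are leased,
so a subscriber lookup must match the time of the event, not just the IP.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed firewall log (assumed syslog-like layout).
FIREWALL_LOG = """\
2012-03-01T02:14:03Z fw01 ACCEPT TCP 203.0.113.77:44120 -> 198.51.100.10:22
2012-03-01T02:14:09Z fw01 ACCEPT TCP 203.0.113.77:44121 -> 198.51.100.10:22
2012-03-01T02:20:41Z fw01 ACCEPT TCP 203.0.113.77:44180 -> 198.51.100.10:443
2012-03-01T03:02:11Z fw01 DROP TCP 192.0.2.9:5555 -> 198.51.100.10:22
"""

# Constructed IDS log.
IDS_LOG = """\
2012-03-01T02:14:20Z ids01 ALERT ssh-bruteforce src=203.0.113.77 dst=198.51.100.10
2012-03-01T02:21:05Z ids01 ALERT webshell-upload src=203.0.113.77 dst=198.51.100.10
"""

# Constructed ISP lease records (ip, start, end, subscriber): the same
# address is handed to a different customer at 02:30Z.
ISP_LEASES = [
    ("203.0.113.77", "2012-02-29T22:00:00Z", "2012-03-01T02:30:00Z", "subscriber-A"),
    ("203.0.113.77", "2012-03-01T02:30:00Z", "2012-03-01T09:00:00Z", "subscriber-B"),
]

FW_RE = re.compile(r"^(\S+) (\S+) (ACCEPT|DROP) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT (\S+) src=([\d.]+) dst=([\d.]+)$")


def ts(text):
    """Parse a Zulu timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str     # "firewall" or "ids"
    src_ip: str
    dst_ip: str
    detail: str


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            when, host, action, proto, sip, sport, dip, dport = m.groups()
            events.append(Event(ts(when), "firewall", sip, dip,
                                f"{host} {action} {proto} {sport}->{dport}"))
    return events


def parse_ids(text):
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            when, host, sig, sip, dip = m.groups()
            events.append(Event(ts(when), "ids", sip, dip, f"{host} {sig}"))
    return events


def reconstruct_session(victim_ip, fw_text, ids_text):
    """Every event touching the victim, from all sources, in time order."""
    events = parse_firewall(fw_text) + parse_ids(ids_text)
    return sorted((e for e in events if victim_ip in (e.src_ip, e.dst_ip)),
                  key=lambda e: e.when)


def attribute(ip, when, leases):
    """Subscriber holding `ip` at instant `when`, or None if no lease covers it."""
    for lease_ip, start, end, subscriber in leases:
        if lease_ip == ip and ts(start) <= when < ts(end):
            return subscriber
    return None


def suspects(victim_ip, fw_text, ids_text, leases):
    """Remote IPs that raised IDS alerts, attributed at the alert's own time."""
    found = {(e.src_ip, attribute(e.src_ip, e.when, leases))
             for e in reconstruct_session(victim_ip, fw_text, ids_text)
             if e.source == "ids" and e.src_ip != victim_ip}
    return sorted(found, key=lambda t: (t[0], t[1] or ""))


if __name__ == "__main__":
    for e in reconstruct_session("198.51.100.10", FIREWALL_LOG, IDS_LOG):
        print(e.when.isoformat(), e.source, e.src_ip, "->", e.dst_ip, e.detail)
    print(suspects("198.51.100.10", FIREWALL_LOG, IDS_LOG, ISP_LEASES))
```

The same address resolves to subscriber-A at the time of the alerts and to subscriber-B half an hour later, which is why the lease window, not the IP alone, is what an investigator asks the ISP for (via the subpoena or court order the later slides describe).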

Page 13:

Terminology of Related Laws

Reasonable Privacy: a person deserves reasonable privacy if he/she actually expects privacy and his/her subjective expectation of privacy is "one that society is prepared to recognize as 'reasonable.'"

Probable Cause: "a reasonable belief that a person has committed a crime"; the standard by which law enforcement officers have the grounds to make an arrest, to conduct a personal or property search, or to obtain a warrant for arrest, etc., when criminal charges are being considered.

Page 14:

Terminology (Cont')

Subpoena: a specific type of court order to compel a witness to give a statement or to appear in court to testify. Law enforcement with a subpoena can require an ISP to produce logs to determine a particular subscriber's identity.

Court Order: an official judge's statement to compel or order someone, or a party, to do something or to refrain from doing something. Law enforcement officers can install a packet sniffer on an ISP's router to collect all packets' non-content information coming from a particular IP address to reconstruct a session.

Search Warrant: a written court order authorizing law enforcement officers to search a certain area and/or seize property specifically described in the warrant. Law enforcement officers can intercept an online conversation and collect its content with a search warrant.

Page 15:

Constitutional Law

The Fourth Amendment is the main constitutional restriction to network forensics investigation

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”


Page 16:

Statutory Laws

The Wiretap Act (Title III): prohibits unauthorized government access to private electronic communications in real time.

The Stored Communications Act: protects the privacy rights of customers and subscribers of Internet service providers (ISPs) and regulates government access to stored content and non-content records held by ISPs.

The Pen Register Act: also known as the Pen Registers and Trap and Trace Devices statute. A pen register device records outgoing addressing information (such as a phone number dialed or a receiver's email address). A trap and trace device records incoming addressing information (such as an incoming phone number or a sender's email address).

Page 17:

Network Forensics with Laws

Cyber Crime Incident

Proactive Investigation: governed by people's reasonable expectation of privacy (The Fourth Amendment); process: Subpoena/Court Order

Real Time Investigation: governed by Title III and the Pen Register Act, or Constitutional Laws; process: Court Order/Search Warrant

Retroactive Investigation: governed by the Stored Communications Act, or Constitutional Laws; process: Subpoena/Court Order/Search Warrant

Page 18:

Outline

Introduction
Related Laws in Network Forensics
  Traditional Crime vs. Cyber Crime
  Terminology
  Constitutional Laws
  Statutory Laws
Conclusion

Page 19:

Conclusion

We study related laws in Network Forensics

We refine the framework of Network Forensics with three categories of investigations

Suggestion: while studying network forensics research, we should always consider the impact of laws


Page 20:

Thank you!

Xinwen Fu

Page 21:

Network Forensics with Laws (Cont')

Cyber Crime

Constitutional Issue: The 4th Amendment

Statutory Issue:
  Pen/Trap Statute: non-content (packets' size and number; IP address; flags)
  Title III: content (email's subject and content; packet's payload)
  SCA: information stored in digital media (emails, logs, subscriber's info.)
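The non-content/content split on this slide is the line a collector has to draw in code: a pen/trap-style capture may keep addressing and signaling fields (IPs, ports, flags, sizes) and must not keep the payload, while a Title III-style capture keeps both. The following is an added example, not code from the original deck: a minimal IPv4/TCP header parser with two collectors built on it. The packet bytes are constructed in the block (no real capture is read), and the record and function names are the example's own.

```python
"""Non-content vs. content collection from raw packets.

Added example; not code from the original slides.  Everything below
(packets, names) is constructed for the example.  parse_ipv4_tcp()
separates header fields from payload; pen_trap_collect() keeps only the
former, title_iii_collect() keeps both.
"""
import struct
from dataclasses import dataclass

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass(frozen=True)
class NonContentRecord:
    """Addressing/signaling fields a pen register / trap-and-trace may keep."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    size: int        # total IP length in bytes (packet size, per the slide)


def build_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Assemble a bare IPv4+TCP packet (no link layer, checksums left 0)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Split one IPv4/TCP packet into (non-content record, payload bytes)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_res >> 4) * 4
    names = "|".join(n for bit, n in sorted(TCP_FLAG_NAMES.items()) if flags & bit) or "-"
    rec = NonContentRecord(".".join(map(str, src)), ".".join(map(str, dst)),
                           sport, dport, names, total_len)
    return rec, tcp[data_off:]


def pen_trap_collect(packets):
    """Pen/Trap-style collection: keep addressing and signaling, drop payload."""
    return [parse_ipv4_tcp(p)[0] for p in packets]


def title_iii_collect(packets):
    """Content collection: the same records plus the payload bytes."""
    return [parse_ipv4_tcp(p) for p in packets]


# Constructed sample: a SYN, then a data segment carrying an email header line.
SAMPLE_PAYLOAD = b"Subject: quarterly numbers\r\n"
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "192.0.2.10", 51000, 25, 0x02),
    build_packet("10.0.0.5", "192.0.2.10", 51000, 25, 0x18, SAMPLE_PAYLOAD),
]

if __name__ == "__main__":
    for rec in pen_trap_collect(SAMPLE_PACKETS):
        print("pen/trap:", rec)
    for rec, payload in title_iii_collect(SAMPLE_PACKETS):
        print("title iii:", rec.flags, payload)
```

The email subject line is exactly the kind of field the slide lists under Title III content, and the SMTP port number is the kind of field it lists under the Pen/Trap statute; a real collector has to decide which of the two it is before it writes anything to disk.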

Page 22:

Traditional crime and policing

A pedestrian is walking down the street and is attacked by a robber. The pedestrian or another witness calls "911" during or after the robbery. The police center sends units to the site. Police may catch the criminal at the scene if the robbery hasn't finished yet. Police conduct an investigation if the robber flees, and may or may not catch the robber. Law enforcement summarizes the characteristics of the crimes in that area and sends more police to patrol that area to deter potential criminals.

Page 23:

Network crime and policing

A hacker intrudes into a company server. An alert system (firewall, IDS) may or may not detect the intrusion; alternatively, the system administrator finds abnormal activities. The incident is reported to the police. Police can watch the criminal activities on the server if the intrusion hasn't finished yet. Police conduct the investigation with proper legal authorization whether or not the intrusion has finished, and may or may not find the hacker. The system administrator patches the server and makes stricter rules on the firewall and IDS.

Page 24:

Network Forensics with Laws

Proactive Investigation: summarize the characteristics of cyber crimes and set up firewalls and IDSs to prevent and detect cyber crimes. Law: people's reasonable expectation of privacy (The Fourth Amendment).

Real Time Investigation: preserve incoming/outgoing traffic during the cyber crime and try to trace back the intruder. Law: Title III and the Pen Register Act, or Constitutional Laws.

Retroactive Investigation: collect and reassemble the leftover data among the victim computer and network. Law: Stored Communications Act, or Constitutional Laws.