New Approaches to Complex Digital investigation

8/7/2019 New Approaches to Complex Digital investigation

1/33

A New Approach toComplex Digital

Investigations

Peter Stephenson CPE, CISSP, CIFI, CISM, FICAFChief Technology Officer, U.S. Operations,

[email protected]


2/33

Copyright 2003 QinetiQ Trusted Information Management

2

Critics, unimpressed by the rigor of theforensic digital examination process,

have taken the position that forensic

digital analysis is, more rightly, simplylittle more than ad hoc data collection

and analysis.

I am one of those critics.


3/33


3

Defining Digital Forensic Science

Forensic science is the application of natural science to matters of law

Forensic science seeks to find the root cause of an event

To be considered a discipline, Digital Forensic Science must becharacterized by the following associated entities:

Theory: a body of statements and principles that attempts toexplain how things work

Abstractions and models: considerations beyond the obvious,factual, or observed

Elements of practice: related technologies, tools, and methods

Corpus of literature and professional practice

Confidence and trust in results: usefulness and purpose

The current state of Digital Forensic Science exhibits only some ofthese characteristics and they are not tied to specific disciplinarypractices considered by any group as scientifically rigorous.*

* Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop


4/33


4

Result: A Definition for Practitioners to Build

On

The use of scientifically derived and proven

methods toward the preservation, collection,

validation, identification, analysis, interpretation,documentation and presentation of digital evidence

derived from digital sources for the purpose of

facilitating or furthering the reconstruction of

events found to be criminal, or helping to anticipateunauthorized actions shown to be disruptive to

planned operations.

Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop


5/33


5

Result: A Definition for Practitioners to Build

On

The use ofscientifically derived and proven

methods toward the preservation, collection,

validation, identification, analysis, interpretation,documentation and presentation of digital evidence

derived from digital sources for the purpose of

facilitating or furthering the reconstruction of

events found to be criminal, or helping to anticipateunauthorized actions shown to be disruptive to

planned operations.



6/33


6

Framework for an Investigative Process

for Digital Forensics



7/33


7

Framework for an Investigative

Process for Digital Forensics

Identification

Event/crime detection

Resolve signature

Profile detection Anomalous detection

Complaints

System monitoring

Audit analysis



8/33


8



Preservation

Case management

Imaging technologies

Chain of custody

Time synchronization



9/33


9



Collection

Preservation

Approved methods

Approved software

Approved hardware

Legal authority

Lossless compression

Sampling

Data reduction

Recovery techniques



10/33


10



Examination

Preservation

Traceability

Validation Techniques Filtering techniques

Pattern matching

Hidden data discovery

Hidden data extraction



11/33


11



Analysis

Preservation

Traceability

Statistical Protocols

Data mining

Timeline

Link Special



12/33


12



Presentation

Documentation

Expert testimony

Clarification Mission impact statement

Recommended countermeasure

Statistical interpretation



13/33


13

Reliable methods*

Help distinguish evidence from coincidence without ambiguity

Allow alternative results to be ranked by some principle basic to thesciences applied

Allow for certainty considerations Wherever appropriate through thisranking of available alternatives

Disallow hypotheses more extraordinary than the facts themselves

Pursue general impressions to the level of specific details

Pursue testing by breaking hypotheses (alternative explanations) intotheir smallest logical components, risking one part at a time

Allow tests either to prove or disprove alternative explanations(hypotheses)

A formalized approach

Has specific rules, structure and vocabulary

Allows repeatability

May be used to verify a process

Structuring and Formalizing the Digital

Forensic Process

* Forensics Science. James and Nordby. Pub CRC Press


14/33


14

Rationale

End-to-end digital investigation (EEDI)

Complex attacks begin with the attacker and end with the victim

Requires a corroborated orlinkedchain of evidence

Using the Digital Investigation Process Language (DIPL) to describe the investigativeprocess

Allows us to describe the process

Allows us to describe the attack as perceived by the investigator

Permits verification of a complex investigation during the investigation to identifyholes in the evidence chain and suggest how to plug those gaps

Permits verification that the investigative process was complete and correct andfollowed a reliable method of inquiry*

Integrity

Competence

Defensible technique

Relevant experience

* Forensics Science. James and Nordby. Pub CRC Press


15/33


15

Problems We Want to Solve

Inconsistency in forensic analysis of digital events

Inconsistencies in interpreting digital evidence incomplex attacks

Inconsistencies in representing results of digitalinvestigations

Incomplete or unsupported evidence chains in complexdigital investigations possibly leading to erroneousconclusions

Current tendency to focus upon specific platforms orenvironments instead of a generalized process


16/33


16

The End-to-End Digital Investigative

Process (EEDI)

EEDI takes the view that the incident begins at the attacker, ends at

the victim, and includes everything in between

First rule of end-to-end forensic digital analysis

Primary evidence must always be corroborated by at least one

other piece of relevant primary evidence to be considered a valid

part of the evidence chain. Evidence that does not fit this

description, but does serve to corroborate some other piece of

evidence without itself being corroborated, is considered to be

secondary evidence.

Exception: the first piece of evidence in the chain from theIdentification layer

Must be well corroborated with secondary evidence


17/33


17

An Example of an End-to-End

Investigation Identification

Call received

Preservation

Case file opened

Server imaged Image in chain of custody

Server logs preserved

Entry in case file

Collection

SafeBack used

Policies reviewed forauthority to proceed

Began interviews

Event described Unavailable mortgage

database

Server checked: db gone

Observed action by adminincluding remote login

Restore from backupunsuccessful data bad

Entry in case file


18/33


18


Investigation Examination

Data recovered from serverdrive

Database deleted andpartially overwritten

Placed in chain of custody Entry in case file

Data recovered from serverlogs

Login by admin from anetwork connection

Gateway address Attack PC address

and name

Placed in chain of custody

Entry in case file

Data recovered fromgateway logs

Time & date of access to

gateway by attack PC IP address of attack PC

Entry in case file



19/33


19


Investigation

Examination cont.

Data recovered from attack

PC

SafeBack used


Policies reviewed for

authority to proceed

Login info re: victim

recovered

Authentication data for

victim recovered

Attack PC username

recovered: suspect

identified

Suspect logged in at

time of event

Entry in case file


20/33


20


Investigation Examination cont.

Data recovered from floorswipe card access log


Entry in case file

Witness interviews Co-workers in physical

proximity place suspect atdesk within 1 hour ofevent

Supervisors places

suspect at desk within 3minutes of event

Entry in case file

Analysis

Timeline of events created

Evidence linked and

traceability established Entry in case file


21/33


21


InvestigationPresentation

Timeline and chain ofevidence documented infinal report

Suspect interviewed andpresented with conclusionsand evidence

Entry in case file

Decision

Suspect confesses

END


22/33


22

Developing the Digital Investigation Process

Language

Started with the Common Intrusion SpecificationLanguage (CISL)

Derived from LISP

Formal language proven using the Lambda

Calculus A language that can be used to disseminate event

records, analysis results, and countermeasuredirectives amongst intrusion detection and responsecomponents.

Found by Doyle at MIT to be inadequate for thattask - however, offers a very rich language forforensic digital analysis

Still requires some extensions

Source: A Common Intrusion Specification Language (CISL) Feiertag, et al, last revised 11 June 1999


23/33


23

Developing the Process Language

CISL structure

S-expressions

Data structure developed by Rivest in 1997 that issuitable for representing arbitrary complex data

structures. (Rivest, S-Expressions, 4 May 1997) May be byte strings or lists of simpler S-expressions

Semantic Identifiers (SIDs)

Tags added at the beginning of an S-expression thatgive a semantic clue to the interpretation of the rest ofthe S-expression

Verb SIDs Role SIDS

Atom SIDS

Conjunction SIDs

Referent SIDs



24/33


24

Typical CISL S-Expression

(OpenApplicationSession

(When

(Time 14:57:36 24 Feb 1998)

)

(Initiator

(HostName big.evil.com)

)

(Account

(UserName joe)

(RealName Joe Cool)

(HostName ten.ada.net)

)

(Receiver

(standardTCPPort 23)

)

)


Interpretation

At 14:57:36 on 24 Feb 1998, someone at

big.evil.com opened a telnet session on

ten.ada.net logging in as username: joe,

real name: Joe Cool.


25/33

Copyright 2003 QinetiQ Trusted Information Management25

Typical CISL Extensions Required by

DIPL

The CISL model was examined for restructuringinto the DFRWS model

Certain new categories of SIDs needed to be

added to CISL to round out the applicability toforensic digital investigation Investigative and forensic verb SIDs

Investigative and forensic atom SIDs

Investigative and forensic role SIDs


26/33


Fragment of Earlier Example

Expressed in DIPL

Identification

Call received

(And

(Report

(Initiator

(RealName Joe Operator)

)(Observer

(RealName Peter Stephenson)

)

(AttackNickName access denied to a file or object)

(FileName Mortages.db)

(Target(HostName Server1)

)

)


27/33



Expressed in DIPL

Preservation

Case file opened

Server imaged

Image in chain of custody


Entries in case file

(ManageCase

(Initiator(RealName Peter Stephenson)

)

(CaseName Case123)

(BeginTime 16:35 1 Jan 1998)

)(Image

(Initiator

(RealName Peter Stephenson))

(Tool

(ProgramName SafeBack)

(VersionNumber 3.0)(


(EndTime 20:14 1 Jan 1998)

(Target

(HostName Server1)

)

(ReferAs 0x12345678)


28/33



Expressed in DIPL

Preservation


(PreserveCustody

(Evidence

(ReferTo 0x12345678)

)

)

(ManageCase

(Initiator


)

(CaseName Case123)


)

)

(ExtractData

(Evidence

(FileName server.log)

(ReferAs 0x87654321)

)(Target


)

(PreserveCustody

(Evidence



)

)


29/33



Expressed in DIPL

Collection

Entry in case file

SafeBack used

(ManageCase

(Initiator


)

(CaseName Case123)

(BeginTime 21:05 1 Jan 1998))

(TraceAuthority

(ApprovedSoftware

(Tool

(ProgramName SafeBack)

(VersionNumber 3.0)

)(Citation

(CaseName joe v volcano)

)

)


30/33



Expressed in DIPL

Collection

Policies reviewed for

authority to proceed

(ApprovedMethod

(Certification

(Certifier

(RealName NTI)

(CertType NTI Training)

(CertNumber Course 1-1-95)(Observer


)

)

)

(Policy

(PolicyName Information Privacy Policy)(PolicyDate 1 Jan 1990)

(Observer


)

)


31/33



Expressed in DIPL

Collection

Entry in case file

Conduct interviews

(ManageCase

(Initiator


)

(CaseName Case123)


))

(Interview

(Initiator


)

(Subject

(RealName Jane Sneaker)

)

(BeginTIme 08:30 2 Jan 1998)(EndTime 10:45 2 Jan 1998)

(ManageCase

(Initiator


)

(CaseName Case123)


))

Code continues untilCode continues until

The entire case has beenThe entire case has beencharacterizedcharacterized


32/33


Benefits of the Formal Approach

Describes a repeatable digital forensic process in a structured manner

Allows independent analysis and verification of a forensic investigationincluding the interpretation of the attack process

Formally documents the total investigative process

Pre-attack activities

As interpreted by the investigator Investigative process

Attack activities

As interpreted by the investigator

Post-attack activities

As interpreted by the investigator

Documentation, evidence management, procedural issues

Allows verification of the investigative process during the investigation andmay help suggest ways to plug holes in the EEDI process

Gaps in the chain of evidence

May be fed into a model checker for formal modeling of the process


33/33


New Approaches to Complex Digital investigation

Documents

Transcript of New Approaches to Complex Digital investigation