New Approaches to Complex Digital investigation
Transcript of New Approaches to Complex Digital investigation
-
8/7/2019 New Approaches to Complex Digital investigation
1/33
A New Approach toComplex Digital
Investigations
Peter Stephenson CPE, CISSP, CIFI, CISM, FICAFChief Technology Officer, U.S. Operations,
-
8/7/2019 New Approaches to Complex Digital investigation
2/33
Copyright 2003 QinetiQ Trusted Information Management
2
Critics, unimpressed by the rigor of theforensic digital examination process,
have taken the position that forensic
digital analysis is, more rightly, simplylittle more than ad hoc data collection
and analysis.
I am one of those critics.
-
8/7/2019 New Approaches to Complex Digital investigation
3/33
Copyright 2003 QinetiQ Trusted Information Management
3
Defining Digital Forensic Science
Forensic science is the application of natural science to matters of law
Forensic science seeks to find the root cause of an event
To be considered a discipline, Digital Forensic Science must becharacterized by the following associated entities:
Theory: a body of statements and principles that attempts toexplain how things work
Abstractions and models: considerations beyond the obvious,factual, or observed
Elements of practice: related technologies, tools, and methods
Corpus of literature and professional practice
Confidence and trust in results: usefulness and purpose
The current state of Digital Forensic Science exhibits only some ofthese characteristics and they are not tied to specific disciplinarypractices considered by any group as scientifically rigorous.*
* Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
4/33
Copyright 2003 QinetiQ Trusted Information Management
4
Result: A Definition for Practitioners to Build
On
The use of scientifically derived and proven
methods toward the preservation, collection,
validation, identification, analysis, interpretation,documentation and presentation of digital evidence
derived from digital sources for the purpose of
facilitating or furthering the reconstruction of
events found to be criminal, or helping to anticipateunauthorized actions shown to be disruptive to
planned operations.
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
5/33
Copyright 2003 QinetiQ Trusted Information Management
5
Result: A Definition for Practitioners to Build
On
The use ofscientifically derived and proven
methods toward the preservation, collection,
validation, identification, analysis, interpretation,documentation and presentation of digital evidence
derived from digital sources for the purpose of
facilitating or furthering the reconstruction of
events found to be criminal, or helping to anticipateunauthorized actions shown to be disruptive to
planned operations.
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
6/33
Copyright 2003 QinetiQ Trusted Information Management
6
Framework for an Investigative Process
for Digital Forensics
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
7/33
Copyright 2003 QinetiQ Trusted Information Management
7
Framework for an Investigative
Process for Digital Forensics
Identification
Event/crime detection
Resolve signature
Profile detection Anomalous detection
Complaints
System monitoring
Audit analysis
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
8/33
Copyright 2003 QinetiQ Trusted Information Management
8
Framework for an Investigative
Process for Digital Forensics
Preservation
Case management
Imaging technologies
Chain of custody
Time synchronization
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
9/33
Copyright 2003 QinetiQ Trusted Information Management
9
Framework for an Investigative
Process for Digital Forensics
Collection
Preservation
Approved methods
Approved software
Approved hardware
Legal authority
Lossless compression
Sampling
Data reduction
Recovery techniques
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
10/33
Copyright 2003 QinetiQ Trusted Information Management
10
Framework for an Investigative
Process for Digital Forensics
Examination
Preservation
Traceability
Validation Techniques Filtering techniques
Pattern matching
Hidden data discovery
Hidden data extraction
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
11/33
Copyright 2003 QinetiQ Trusted Information Management
11
Framework for an Investigative
Process for Digital Forensics
Analysis
Preservation
Traceability
Statistical Protocols
Data mining
Timeline
Link Special
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
12/33
Copyright 2003 QinetiQ Trusted Information Management
12
Framework for an Investigative
Process for Digital Forensics
Presentation
Documentation
Expert testimony
Clarification Mission impact statement
Recommended countermeasure
Statistical interpretation
Source: A Road Map for Digital Forensic Research 6th November 2001, The Digital Forensic Research Work Shop
-
8/7/2019 New Approaches to Complex Digital investigation
13/33
Copyright 2003 QinetiQ Trusted Information Management
13
Reliable methods*
Help distinguish evidence from coincidence without ambiguity
Allow alternative results to be ranked by some principle basic to thesciences applied
Allow for certainty considerations Wherever appropriate through thisranking of available alternatives
Disallow hypotheses more extraordinary than the facts themselves
Pursue general impressions to the level of specific details
Pursue testing by breaking hypotheses (alternative explanations) intotheir smallest logical components, risking one part at a time
Allow tests either to prove or disprove alternative explanations(hypotheses)
A formalized approach
Has specific rules, structure and vocabulary
Allows repeatability
May be used to verify a process
Structuring and Formalizing the Digital
Forensic Process
* Forensics Science. James and Nordby. Pub CRC Press
-
8/7/2019 New Approaches to Complex Digital investigation
14/33
Copyright 2003 QinetiQ Trusted Information Management
14
Rationale
End-to-end digital investigation (EEDI)
Complex attacks begin with the attacker and end with the victim
Requires a corroborated orlinkedchain of evidence
Using the Digital Investigation Process Language (DIPL) to describe the investigativeprocess
Allows us to describe the process
Allows us to describe the attack as perceived by the investigator
Permits verification of a complex investigation during the investigation to identifyholes in the evidence chain and suggest how to plug those gaps
Permits verification that the investigative process was complete and correct andfollowed a reliable method of inquiry*
Integrity
Competence
Defensible technique
Relevant experience
* Forensics Science. James and Nordby. Pub CRC Press
-
8/7/2019 New Approaches to Complex Digital investigation
15/33
Copyright 2003 QinetiQ Trusted Information Management
15
Problems We Want to Solve
Inconsistency in forensic analysis of digital events
Inconsistencies in interpreting digital evidence incomplex attacks
Inconsistencies in representing results of digitalinvestigations
Incomplete or unsupported evidence chains in complexdigital investigations possibly leading to erroneousconclusions
Current tendency to focus upon specific platforms orenvironments instead of a generalized process
-
8/7/2019 New Approaches to Complex Digital investigation
16/33
Copyright 2003 QinetiQ Trusted Information Management
16
The End-to-End Digital Investigative
Process (EEDI)
EEDI takes the view that the incident begins at the attacker, ends at
the victim, and includes everything in between
First rule of end-to-end forensic digital analysis
Primary evidence must always be corroborated by at least one
other piece of relevant primary evidence to be considered a valid
part of the evidence chain. Evidence that does not fit this
description, but does serve to corroborate some other piece of
evidence without itself being corroborated, is considered to be
secondary evidence.
Exception: the first piece of evidence in the chain from theIdentification layer
Must be well corroborated with secondary evidence
-
8/7/2019 New Approaches to Complex Digital investigation
17/33
Copyright 2003 QinetiQ Trusted Information Management
17
An Example of an End-to-End
Investigation Identification
Call received
Preservation
Case file opened
Server imaged Image in chain of custody
Server logs preserved
Entry in case file
Collection
SafeBack used
Policies reviewed forauthority to proceed
Began interviews
Event described Unavailable mortgage
database
Server checked: db gone
Observed action by adminincluding remote login
Restore from backupunsuccessful data bad
Entry in case file
-
8/7/2019 New Approaches to Complex Digital investigation
18/33
Copyright 2003 QinetiQ Trusted Information Management
18
An Example of an End-to-End
Investigation Examination
Data recovered from serverdrive
Database deleted andpartially overwritten
Placed in chain of custody Entry in case file
Data recovered from serverlogs
Login by admin from anetwork connection
Gateway address Attack PC address
and name
Placed in chain of custody
Entry in case file
Data recovered fromgateway logs
Time & date of access to
gateway by attack PC IP address of attack PC
Entry in case file
Placed in chain of custody
-
8/7/2019 New Approaches to Complex Digital investigation
19/33
Copyright 2003 QinetiQ Trusted Information Management
19
An Example of an End-to-End
Investigation
Examination cont.
Data recovered from attack
PC
SafeBack used
Placed in chain of custody
Policies reviewed for
authority to proceed
Login info re: victim
recovered
Authentication data for
victim recovered
Attack PC username
recovered: suspect
identified
Suspect logged in at
time of event
Entry in case file
-
8/7/2019 New Approaches to Complex Digital investigation
20/33
Copyright 2003 QinetiQ Trusted Information Management
20
An Example of an End-to-End
Investigation Examination cont.
Data recovered from floorswipe card access log
Placed in chain of custody
Entry in case file
Witness interviews Co-workers in physical
proximity place suspect atdesk within 1 hour ofevent
Supervisors places
suspect at desk within 3minutes of event
Entry in case file
Analysis
Timeline of events created
Evidence linked and
traceability established Entry in case file
-
8/7/2019 New Approaches to Complex Digital investigation
21/33
Copyright 2003 QinetiQ Trusted Information Management
21
An Example of an End-to-End
InvestigationPresentation
Timeline and chain ofevidence documented infinal report
Suspect interviewed andpresented with conclusionsand evidence
Entry in case file
Decision
Suspect confesses
END
-
8/7/2019 New Approaches to Complex Digital investigation
22/33
Copyright 2003 QinetiQ Trusted Information Management
22
Developing the Digital Investigation Process
Language
Started with the Common Intrusion SpecificationLanguage (CISL)
Derived from LISP
Formal language proven using the Lambda
Calculus A language that can be used to disseminate event
records, analysis results, and countermeasuredirectives amongst intrusion detection and responsecomponents.
Found by Doyle at MIT to be inadequate for thattask - however, offers a very rich language forforensic digital analysis
Still requires some extensions
Source: A Common Intrusion Specification Language (CISL) Feiertag, et al, last revised 11 June 1999
-
8/7/2019 New Approaches to Complex Digital investigation
23/33
Copyright 2003 QinetiQ Trusted Information Management
23
Developing the Process Language
CISL structure
S-expressions
Data structure developed by Rivest in 1997 that issuitable for representing arbitrary complex data
structures. (Rivest, S-Expressions, 4 May 1997) May be byte strings or lists of simpler S-expressions
Semantic Identifiers (SIDs)
Tags added at the beginning of an S-expression thatgive a semantic clue to the interpretation of the rest ofthe S-expression
Verb SIDs Role SIDS
Atom SIDS
Conjunction SIDs
Referent SIDs
Source: A Common Intrusion Specification Language (CISL) Feiertag, et al, last revised 11 June 1999
-
8/7/2019 New Approaches to Complex Digital investigation
24/33
Copyright 2003 QinetiQ Trusted Information Management
24
Typical CISL S-Expression
(OpenApplicationSession
(When
(Time 14:57:36 24 Feb 1998)
)
(Initiator
(HostName big.evil.com)
)
(Account
(UserName joe)
(RealName Joe Cool)
(HostName ten.ada.net)
)
(Receiver
(standardTCPPort 23)
)
)
Source: A Common Intrusion Specification Language (CISL) Feiertag, et al, last revised 11 June 1999
Interpretation
At 14:57:36 on 24 Feb 1998, someone at
big.evil.com opened a telnet session on
ten.ada.net logging in as username: joe,
real name: Joe Cool.
-
8/7/2019 New Approaches to Complex Digital investigation
25/33
Copyright 2003 QinetiQ Trusted Information Management25
Typical CISL Extensions Required by
DIPL
The CISL model was examined for restructuringinto the DFRWS model
Certain new categories of SIDs needed to be
added to CISL to round out the applicability toforensic digital investigation Investigative and forensic verb SIDs
Investigative and forensic atom SIDs
Investigative and forensic role SIDs
-
8/7/2019 New Approaches to Complex Digital investigation
26/33
Copyright 2003 QinetiQ Trusted Information Management26
Fragment of Earlier Example
Expressed in DIPL
Identification
Call received
(And
(Report
(Initiator
(RealName Joe Operator)
)(Observer
(RealName Peter Stephenson)
)
(AttackNickName access denied to a file or object)
(FileName Mortages.db)
(Target(HostName Server1)
)
)
-
8/7/2019 New Approaches to Complex Digital investigation
27/33
Copyright 2003 QinetiQ Trusted Information Management27
Fragment of Earlier Example
Expressed in DIPL
Preservation
Case file opened
Server imaged
Image in chain of custody
Server logs preserved
Entries in case file
(ManageCase
(Initiator(RealName Peter Stephenson)
)
(CaseName Case123)
(BeginTime 16:35 1 Jan 1998)
)(Image
(Initiator
(RealName Peter Stephenson))
(Tool
(ProgramName SafeBack)
(VersionNumber 3.0)(
(BeginTime 17:00 1 Jan 1998)
(EndTime 20:14 1 Jan 1998)
(Target
(HostName Server1)
)
(ReferAs 0x12345678)
-
8/7/2019 New Approaches to Complex Digital investigation
28/33
Copyright 2003 QinetiQ Trusted Information Management28
Fragment of Earlier Example
Expressed in DIPL
Preservation
Server logs preserved
(PreserveCustody
(Evidence
(ReferTo 0x12345678)
)
)
(ManageCase
(Initiator
(RealName Peter Stephenson)
)
(CaseName Case123)
(BeginTime 20:25 1 Jan 1998)
)
)
(ExtractData
(Evidence
(FileName server.log)
(ReferAs 0x87654321)
)(Target
(ReferTo 0x12345678)
)
(PreserveCustody
(Evidence
(ReferTo 0x87654321)
(BeginTime 20:45 1 Jan 1998)
)
)
-
8/7/2019 New Approaches to Complex Digital investigation
29/33
Copyright 2003 QinetiQ Trusted Information Management29
Fragment of Earlier Example
Expressed in DIPL
Collection
Entry in case file
SafeBack used
(ManageCase
(Initiator
(RealName Peter Stephenson)
)
(CaseName Case123)
(BeginTime 21:05 1 Jan 1998))
(TraceAuthority
(ApprovedSoftware
(Tool
(ProgramName SafeBack)
(VersionNumber 3.0)
)(Citation
(CaseName joe v volcano)
)
)
-
8/7/2019 New Approaches to Complex Digital investigation
30/33
Copyright 2003 QinetiQ Trusted Information Management30
Fragment of Earlier Example
Expressed in DIPL
Collection
Policies reviewed for
authority to proceed
(ApprovedMethod
(Certification
(Certifier
(RealName NTI)
(CertType NTI Training)
(CertNumber Course 1-1-95)(Observer
(RealName Peter Stephenson)
)
)
)
(Policy
(PolicyName Information Privacy Policy)(PolicyDate 1 Jan 1990)
(Observer
(RealName Peter Stephenson)
)
)
-
8/7/2019 New Approaches to Complex Digital investigation
31/33
Copyright 2003 QinetiQ Trusted Information Management31
Fragment of Earlier Example
Expressed in DIPL
Collection
Entry in case file
Conduct interviews
(ManageCase
(Initiator
(RealName Peter Stephenson)
)
(CaseName Case123)
(BeginTime 21:05 1 Jan 1998)
))
(Interview
(Initiator
(RealName Peter Stephenson)
)
(Subject
(RealName Jane Sneaker)
)
(BeginTIme 08:30 2 Jan 1998)(EndTime 10:45 2 Jan 1998)
(ManageCase
(Initiator
(RealName Peter Stephenson)
)
(CaseName Case123)
(BeginTime 21:05 1 Jan 1998)
))
Code continues untilCode continues until
The entire case has beenThe entire case has beencharacterizedcharacterized
-
8/7/2019 New Approaches to Complex Digital investigation
32/33
Copyright 2003 QinetiQ Trusted Information Management32
Benefits of the Formal Approach
Describes a repeatable digital forensic process in a structured manner
Allows independent analysis and verification of a forensic investigationincluding the interpretation of the attack process
Formally documents the total investigative process
Pre-attack activities
As interpreted by the investigator Investigative process
Attack activities
As interpreted by the investigator
Post-attack activities
As interpreted by the investigator
Documentation, evidence management, procedural issues
Allows verification of the investigative process during the investigation andmay help suggest ways to plug holes in the EEDI process
Gaps in the chain of evidence
May be fed into a model checker for formal modeling of the process
-
8/7/2019 New Approaches to Complex Digital investigation
33/33
Copyright 2003 QinetiQ Trusted Information Management33