Computer Forensics – Iowa State University Experience ISU Information Assurance Center www.iac.iastate.edu April 18, 2003
Outline • Computer Forensics: Research, Education, Outreach • About the ISU program: Research, Education, Outreach
Forensics Research • Network Origin Identification (Tom Daniels) • Accountable Anonymity (Yong Guan, Tom Daniels) • Tracing Encrypted Connections (Yong Guan)
Network Origin Identification • Finding the wily hacker! • There are many ways an attacker can conceal his computer, location, or identity • Lying about or laundering identity • Authentication is too expensive or problematic to use for everything • Forensic approaches are therefore needed • Passive Origin Id System for Networks (POISN) • Build an architecture that can trace many different types of traffic • Leverage and incorporate past work in origin identification
Origin Identification Techniques • Allows: • Prosecution/Civil Litigation • Cessation/Filtering of Attacks • Past Work Focuses on Individual Types of Origin Concealment • POISN develops a general architecture that incorporates past work and allows tracing new types of traffic.
POISN Approach • Distributed Multisource: incorporates network and host data sources; can trace many types of traffic; subject to covert channel problems; requires wide deployment • Distributed Network: just network data sources; less intrusive to use; open question: what traffic can be traced without host access?
Tracing Encrypted Connections • Problem Definition • Networked computer systems can be attacked from virtually anywhere in the world, and attackers can easily hide their identity and origin behind stepping stones such as anonymity systems. Even worse, encrypted attack traffic makes tracing the source of an attack substantially more difficult. • Our proposed approaches make it possible to trace encrypted attack traffic through a chain of stepping stones in real time, which can help stop further attacks and apprehend and punish those responsible. • The solution will be applicable to a wide range of forensic investigations at all levels.
Tracing Encrypted Connections • Technical Approach: • We address this tracing problem through a novel correlation scheme based on the statistical timing, size, and other properties of the incoming and outgoing traffic of a stepping stone, rather than the contents of the network messages (which encryption hides). • The basic approaches include statistical traffic analysis, pattern recognition, and network tomography.
Tracing Encrypted Connections (figure): Attacker → Stepping Stones → Target System
Accountable Anonymity • Anonymity is a key technique for protecting people's privacy. However, it can also be used to launch attacks: attackers can easily hide their identity and origin behind anonymity systems. • Our proposed research aims at developing an innovative concept, "Accountable Anonymity", by introducing accountability into anonymity and designing approaches to implement it. • The solution will be applicable to a wide range of forensic investigations at all levels.
Accountable Anonymity • Technical Approach: • We address this by studying the security implications of various anonymity mechanisms and the impact of human factors and law and policy issues, and by designing a sweet spot (i.e., accountable anonymity) between accountability and anonymity. • Our previous publications on anonymity research: • Y. Guan, et al., "An Optimal Strategy for Anonymous Communication Protocols," IEEE ICDCS 2002. • Y. Guan, et al., "A Quantitative Analysis of Anonymous Communications," IEEE Transactions on Reliability, to appear. • T. Daniels, et al., "Identification of host audit data to detect attacks on low-level IP vulnerabilities," Journal of Computer Security, 1999.
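The stepping-stone correlation approach described above, as an added example that is not code from the ISU project or its authors. It demonstrates the timing dimension only: the inter-packet delays of an inbound connection are correlated against each candidate outbound flow, and the flow whose delays track the inbound ones is the relayed leg, with no access to packet contents. All traffic below is constructed with a seeded PRNG, and the flow names ("out-A" etc.), the relay delay model and the 0.8 match threshold are assumptions, not values from the page.

```python
"""Stepping-stone detection by inter-packet timing correlation.

Added example, not code from the ISU project. A stepping stone relays an
interactive session: each packet arriving on the inbound (attacker-side)
connection is forwarded on an outbound connection after a small, jittery
delay. When both legs are encrypted the payload is useless, but the sequence
of inter-packet delays (IPDs) survives relaying, so the inbound flow's IPDs
correlate strongly with those of exactly one outbound flow. All flow data
below is constructed with a seeded PRNG; names like "out-A" are assumptions.
"""
import random
from typing import Dict, List, Optional, Tuple

MATCH_THRESHOLD = 0.8  # assumed cut-off; tune against real traffic


def inter_packet_delays(timestamps: List[float]) -> List[float]:
    """Gaps between consecutive packet arrival times (seconds)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def pearson(x: List[float], y: List[float]) -> float:
    """Pearson correlation over the common prefix of two sequences."""
    n = min(len(x), len(y))
    if n < 2:
        return 0.0
    x, y = x[:n], y[:n]
    mean_x, mean_y = sum(x) / n, sum(y) / n
    sxx = sum((a - mean_x) ** 2 for a in x)
    syy = sum((b - mean_y) ** 2 for b in y)
    sxy = sum((a - mean_x) * (b - mean_y) for a, b in zip(x, y))
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def correlate_flows(inbound: List[float],
                    candidates: Dict[str, List[float]]) -> List[Tuple[str, float]]:
    """Score every outbound candidate against the inbound flow, best first."""
    ipd_in = inter_packet_delays(inbound)
    scored = [(name, pearson(ipd_in, inter_packet_delays(ts)))
              for name, ts in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def best_match(inbound: List[float], candidates: Dict[str, List[float]],
               threshold: float = MATCH_THRESHOLD) -> Tuple[Optional[str], float]:
    """Outbound flow relaying `inbound`, or None if nothing clears the threshold."""
    ranked = correlate_flows(inbound, candidates)
    if not ranked:
        return None, 0.0
    name, score = ranked[0]
    return (name if score >= threshold else None), score


# --- constructed sample traffic (assumed model, not captured data) ----------

def make_interactive_flow(rng: random.Random, packets: int = 60) -> List[float]:
    """Keystroke-like arrivals: gaps of at least 50 ms plus an exponential tail."""
    t, times = 0.0, []
    for _ in range(packets):
        t += 0.05 + rng.expovariate(1 / 0.35)
        times.append(t)
    return times


def relay(inbound: List[float], rng: random.Random,
          delay: float = 0.05, jitter: float = 0.01) -> List[float]:
    """What the stepping stone emits: each packet delayed by `delay` plus jitter.
    Jitter (+/-10 ms) stays below the 50 ms minimum gap, so ordering is preserved."""
    return [t + delay + rng.uniform(-jitter, jitter) for t in inbound]


rng = random.Random(7)
INBOUND = make_interactive_flow(rng)
CANDIDATES = {
    "out-A": make_interactive_flow(rng),   # unrelated session
    "out-B": relay(INBOUND, rng),          # the relayed attack session
    "out-C": make_interactive_flow(rng),   # unrelated session
}

if __name__ == "__main__":
    for name, score in correlate_flows(INBOUND, CANDIDATES):
        print(f"{name}: r = {score:+.3f}")
    print("match:", best_match(INBOUND, CANDIDATES))
```

The relayed flow scores close to 1.0 while unrelated sessions sit near 0, which is why content is unnecessary. The caveat a practitioner should keep in mind is the one the POISN slide calls covert channel problems: a stepping stone that buffers and re-times packets, or injects chaff, flattens the timing signal, and packet-size statistics (the page's second dimension) would then need to carry more of the decision.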
Forensics Education • Computer Forensics & Cyberspace Camouflaging
Computer Forensics & Cyberspace Camouflaging • Graduate survey of modern topics in computer forensics and cyberspace camouflaging. • Computer forensics studies cyber-attack prevention, planning, detection, and response, with the goals of counteracting cybercrime, cyberterrorism, and cyberpredators and holding them accountable. • Cyberspace camouflaging techniques (e.g., anonymity) are likely to be effective against hostile computer forensics.
Computer Forensics & Cyberspace Camouflaging • Module I: Overview of Computer Forensics and Cyberspace Camouflaging (1 week) • Module II: Basics of Computer Networks and Operating Systems (1.5 weeks) • Module III: Advanced Topics of Computer Forensics (4 weeks) • Module IV: Intrusion Detection and Response (3 weeks) • Module V: Steganography & Steganalysis (1 week) • Module VI: Anonymity/Pseudonymity/Privacy Protection (e.g., P3P) (3 weeks) • Module VII: Legal and Ethical Issues (1 week, optional)
Forensics Outreach • MFRC • DPS • Cyber Crime Lab
Midwest Forensics Resource Center • Partnership of Crime Laboratories in IA, IL, WI, MN, ND, SD, NE, KS, and MO, with ISU and the USDOE Ames Laboratory • Four-part Program • Casework • Training • Education • Research • Funded by National Institute of Justice • Director: David P. Baldwin, (515)294-2069
Midwest Forensics Resource Center Initial DOJ funding started end of August, 2002. • A second round of funding was authorized during February of 2003. Has held three Annual Meetings – also specialized regional meetings for crime labs and: • rural law enforcement, • agencies charged with countering agro-terrorism, • college/university forensic science programs
Midwest Forensics Resource Center Progress in four program areas: • Casework Assistance: performed work for crime labs or local law enforcement • helped determine the cause of 2 deaths, • employed university resources to investigate a video tape, • identified biological materials found on a burglary suspect (thought to tie him to a crime scene) • Training: • providing academic and R&D lectures and video to crime labs, • invited by the FBI to become a regional training partner • Education: • held a regional meeting of forensic science education programs and state/regional crime labs • Research: • issuing RFPs, performing an R&D project for the FBI
ISU Department of Public Safety • Guest lectures in class • Legal issues • Ethical issues • Case studies • Computer Case work • Over 10 cases • Helped serve search warrants • Educated officers in cyber crime
Case work • Backdoor software installed on a lab of computers to capture passwords • Password capture software installed on a web server • Computers used to send spam mail • New computer attacked within 15 minutes of being installed • Child porn, IP theft, software theft.
Cyber Crime Lab • Partnership between: • MFRC • IAC • ISU’s Department of Public Safety • Goals: • improve computer security education at ISU, • provide source of computer security R&D ideas, • improve campus and local computer forensic investigation, • establish a new forensics resource for rural Iowa
Cyber Crime Lab • Replaces State Cyber Crime Lab • Faculty, Students, and Law enforcement will become certified in computer forensics • Lab established in DPS facility • Training ground for students. • Work on both criminal and civil cases
Information Assurance at ISU • Multidisciplinary: seven academic departments • Synergistic: 30+ faculty, joint research • Sustained Education: 12 IA courses offered each year • Outreach: seminars and short courses to state agencies and industry; security awareness integrated in other curricula; significant inter-University projects • University and Regents support: IA Center, MS degree, Graduate Certificate, Ph.D. & undergraduate minor under consideration
Education • Graduate education • Courses since 1995 • NSF CyberCorps fellowships • Master of Science in Information Assurance • MS programs specializing in IA in: CprE, CS, Math, PolySci, MIS, and IMSE • PhD programs specializing in IA: CprE and CS • Graduate Certificate in IA • Ph.D. Program planned for next year
Courses • CprE 530: Computer Network Protocols distance education • CprE 531: Computer System Security distance education • CprE 532: Information Warfare distance education • CprE/Math 533: Cryptography distance education • CprE 534: Legal & Ethical Issues in Security • CprE 537: Security in Wireless Communications • ComS 586: Network Architectures • ComS 552: Advanced Operating Systems • CprE 592: Seminar (new topics) • IE 581X: E-Commerce Systems Engineering • MIS 533: Data Management for Decision Makers • MIS 534: Electronic Commerce • MIS 535: Telecommunications Management • MIS 538: Business Processes and Systems • PolySci 421: Constitutional Freedoms • PolySci 487/587: Electronic Democracy • PolySci 486/586: Science, Technology, and Public Policy • Note: CprE 530, 531, 532, and 533 lead to an Iowa State University Certificate in Information Assurance
Outreach • Seminars, tutorials, media “experts” • Membership on over 10 national panels, boards, and committees • NSF faculty development workshop • Summer workshops to increase the number of faculty who teach IA • 20 faculty members invited from across the Midwest
Future • NSF I/UCRC Proposal • Cyber protection lab • Increased research funding • Continued participation at state and national level.
NSF I/UCRC • Center for Information Protection • Needs at least 18 companies to commit to $600,000 a year in funding for 5 years. • NSF funded support for the operation of the center
NSF I/UCRC • NSF provided $10,000 planning grant to raise the funding to create the center • University Partners: • Mississippi State University • University of Kansas • Other schools will be added • (talking with NCSU and Duke)