Extract and Correlate Evidences in Computer Forensics
Alicia Castro
Thesis Defense, Master of Engineering in Software Engineering
Department of Computer Science, University of Colorado, Colorado Springs
Alicia Castro/NICA Computer Forensic
Computer Forensics Facts
• Computer forensics is about investigating digital evidence related to criminal or suspicious behavior, where computers and related equipment may or may not be the target.
• Internet crime increased 22.3% in 2009 over 2008.
Computer Forensic Background
• Digital evidence includes computer-generated records, such as the logs/output of computer programs, and computer-stored records, such as email messages/chats.
• It is difficult to attribute certain computer activities to an individual, especially in a shared multi-access environment; doing so requires establishing a timeline and correlating events.
Key Related Work
• Computer Forensics in Forensis (Peisert, 2008)
  • Explains the relationship between search and seizure laws, forensic investigation rules, and the use of forensic tools and/or forensic analysis.
• The Discipline of Internet Forensics (Berghel, 2003)
  • Explains the correlation of search and seizure and computer forensic tools.
  • An Internet forensic specialist needs to know more than a hacker.
Key Related Work
• Next Generation Digital Forensics (Roussev, 2006)
  • Investigators have more, and more complex, cases; forensic tools are not up to the new challenges.
• Secure Audit Logs to Support Computer Forensics (Kelsey, 1999)
  • Audit logs used as forensic tools to detect intrusions and provide audit capabilities.
My thesis objective is getting information about users by user profile.
Comparable Forensic Tools
Computer Forensics Legal Issues
• Understand fundamentals of:
  • Search and Seizure laws
  • Electronic Communications Privacy Act
  • Wiretap Statute
  • Pen/Trap Statute
  • Patriot Act
  • State laws about Search and Seizure
Forensic Investigation: Accessories to a Crime
Forensic Investigation (cont.): Suspect Accomplices of a Crime
Utilities Used by NICA Forensic Tool
Nica is the nickname of Nicaraguan citizens; since I am from Nicaragua, I decided that this was a good name for it. Nica Forensic Tool uses external tools to help parse and extract info from the cache files of the IE, Mozilla Firefox and Google Chrome browsers and from Outlook .pst files:
• IECacheView
• MozillaCacheView
• ChromeCacheView
• IEHV
• Outlook Redemption
• Microsoft Log Parser
Nica Forensic Tool Functionality
• Use the cache file parser output and determine what information is valuable.
• Get the cookies and history files of each web browser, plus Skype logs, Instant Messenger logs and Outlook logs.
• Store the information in a database.
• Display any output that provides potential evidence.
• GUI designed for easy access to forensic evidence.
Nica Forensic Tool
• Unlike similar forensic tools such as Galleta and Pasco, it finds all the users on the computer, not just the logged-on users.
• Unlike similar forensic tools such as Galleta, Pasco and RegRipper, it does not need the investigator to enter the path where the information would be found; Nica Forensic Tool finds it for the investigator.
Nica Forensic Tool Design
Case entry form fields: Case Number, Case Description, Forensic Investigator, Notes
Run the parser to find entries by activity. Note the time stamp for the date the investigation was done and also the time it takes to find all the activities.
Provide Timeline Viewer: report by user, date/time and activities.
Facilitate Finding/Gathering of Evidence
Select the Evidence
Display Selected Suspected Activities
Evidence Classification
• Inclusion Criteria
  • More than one activity
  • Time between activities is less than 15 minutes
  • Previous history of web sites visited
• Exclusion Criteria
  • One isolated activity and no previous history
  • Two or more activities with time intervals of more than 15 minutes between each activity
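The inclusion/exclusion criteria above, together with the per-user timeline report described earlier, as an added Python example that is not code from the NICA Forensic Tool: it clusters constructed activity records per user at 15-minute gaps, classifies each cluster, and emits the report lines. The sample records, the PRIOR_HISTORY table and the reading that either a correlated cluster or previous history is enough for inclusion are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
MAX_GAP = timedelta(minutes=15)  # inclusion rule from the slides
# Constructed sample records (user, timestamp, application, detail); not real case data.
SAMPLE_ACTIVITIES = [
    ("alice", "2010-03-01 09:00:00", "IE", "http://example.test/login"),
    ("alice", "2010-03-01 09:05:30", "Outlook", "sent report.doc"),
    ("alice", "2010-03-01 09:12:00", "IM", "chat with bob"),
    ("alice", "2010-03-01 13:40:00", "Firefox", "http://example.test/files"),
    ("bob", "2010-03-01 10:00:00", "Chrome", "http://example.test/"),
    ("bob", "2010-03-01 11:00:00", "Skype", "call, 12 min"),
]
PRIOR_HISTORY = {"alice": True, "bob": False}  # constructed: earlier browser history per user

def parse_activities(rows):
    """Parse timestamps and sort by user, then time, as a timeline viewer needs."""
    parsed = [(u, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), app, d) for u, ts, app, d in rows]
    return sorted(parsed, key=lambda r: (r[0], r[1]))

def group_by_session(activities, max_gap=MAX_GAP):
    """Cluster each user's activities; a gap of max_gap or more starts a new cluster."""
    sessions = defaultdict(list)
    for rec in activities:
        clusters = sessions[rec[0]]
        if clusters and rec[1] - clusters[-1][-1][1] < max_gap:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return sessions

def classify(sessions, prior_history):
    """Apply the deck's criteria (assumed reading: a correlated cluster OR previous
    history is enough to include). Returns [(user, verdict, reason, cluster)]."""
    verdicts = []
    for user, clusters in sessions.items():
        for cluster in clusters:
            if len(cluster) > 1:
                verdicts.append((user, "included", "correlated activities within 15 min", cluster))
            elif prior_history.get(user, False):
                verdicts.append((user, "included", "isolated activity with previous history", cluster))
            else:
                verdicts.append((user, "excluded", "isolated activity, no previous history", cluster))
    return verdicts

def timeline_report(verdicts):
    """Timeline lines (user, date time, application, detail) for included evidence only."""
    return [f"{u} | {when:%Y-%m-%d %H:%M:%S} | {app} | {d}"
            for _, verdict, _, cluster in verdicts if verdict == "included"
            for u, when, app, d in cluster]
```

Excluded clusters keep their reason string, so an investigator can still review why an isolated activity was left out of the report.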
Nica Forensic Tool Logic Flow Chart
Nica Forensic Tool Logic Flow Chart (2)
Nica Forensic Tool Implementation
• Number of end users = 6 (it can be unlimited)
• Effects on the tasks and responsibilities of end users:
  • The tool is portable; investigators can carry it with them.
  • It works fast enough that it can be run when a suspect just moves away from his/her computer for a few minutes.
  • It is still a forensic tool; all the legal steps should be followed before trying to run the tool.
Nica Forensic Tool Usage & Limitations
• NICA Forensic Tool was used by one investigator during the investigation of a specific case (used in a real case). The investigator was amazed that the tool provided information about other activities such as Outlook and IM; the investigator did not know that there was a tool that provided all that information.
• NICA Forensic Tool can be used only on computers running the Windows platform.
• Currently set to use the most popular browsers, instant messengers and the Outlook email client, but more can be added easily to the scalable architecture.
Performance Results
The time depends on how many activities are stored on the computer and how many applications are installed. It can be as fast as two seconds or can take several minutes.
Lessons Learned
• Difficulties encountered and overcome
  • Found little related research literature
  • Forensic tools are limited to specific activities
  • Output information was not user friendly; clean XML files
• Mistakes to avoid
  • Allow enough time for testing.
  • Test and test again, and carefully review your work.
  • Test again with a third party.
Future Directions
• Future work:
  • Add more applications and/or tools to the scalable application
  • Add more methods to look into other parts of applications and give more evidence for investigations
  • Port to Linux
Conclusion
• Only portable forensic tool that automatically looks for login paths and all user profiles
• Captures relevant evidence
• Easy to use
• Assists investigators in obtaining reliable evidence
• Automatically looks for the path to each of the applications and files where evidence can be found
• Gets all the user profiles, currently logged on and not logged on
• Produces timeline reports by user per activity
References
• B. Schneier, J. Kelsey. Secure Audit Logs to Support Computer Forensics. Communications of the ACM (2), May 1999.
• G. Richard III, V. Roussev. Next Generation Digital Forensics. Communications of the ACM (49), February 2006.
• H. Berghel. The Discipline of Internet Forensics. Communications of the ACM (46), August 2003.
• A. Reyes, J. Wiles (2007). The Best Damn Cybercrime and Digital Forensics. Burlington, MA: Syngress Publishing Inc.
• S. Peisert, M. Bishop, K. Marzullo. Computer Forensics in Forensis. Communications of the ACM (42), April 2008.
• R. Skibell (2003). Cybercrimes and Misdemeanors: A Reevaluation of the Computer Fraud and Abuse Act. Berkeley Technology Law Journal, 18/909.
• /acastro/doc/MasterThesisV6.doc