VOL. 1 NO. 1
CLOUD-BASED MOBILE: WHAT ABOUT DIGITAL FORENSICS?
Allow us to guide your CAREER
SENIOR PRACTITIONER, CISMP: Mar 18-22, Apr 22-26, May 13-17, Jun 10-14, Jul 8-12, Sep 30 - Oct 4, Oct 14-18, Nov 18-22
PRACTITIONER, PCiBCM: Mar 18-22, Apr 8-12, Apr 22-26, Jun 10-14, Jul 8-12, Aug 5-9, Sep 16-20, Oct 14-18, Nov 11-15, Dec 9-13
PCiIRM: Apr 22-26, May 6-10, May 20-24, Jun 3-7, Jun 17-21, Jul 8-12, Jul 22-26, Aug 5-9, Oct 7-11, Oct 21-25, Nov 4-8, Nov 18-22, Dec 2-6, Dec 16-20
contents

p. 22: How KPMG Uses ENCASE® Tools to Solve Client's E-Discovery Challenges in Canada
by Dominic Jaar
Clients of KPMG in Canada turn to us when e-discovery challenges loom and they're not sure they have the internal capability to meet their legal obligations in a cost-effective fashion. What we bring to those clients is our experience providing tested and reliable processes and solutions customized to their particular situations.

p. 28: Self Collection is Risky Business
by Elias Psyllos
Whenever a matter arises that requires the collection or preservation of Electronically Stored Information, most companies' first thought is to have their internal IT department create the "images" of the digital media involved in the matter. This is what is known as a "self collection". The topic of "self collection" has been one area of Computer Forensics and E-Discovery that is continuously discussed and debated.

p. 32: Cloud-Based Mobile: What About Digital Forensics?
by Lamine Aouad and Tahar Kechadi
The significant growth in mobile systems, combined with the emergence of the other influential field, cloud computing, has created another challenge for digital forensics. How to retrieve data from cloud-based mobile has become an intriguing question for every passionate forensic specialist.

p. 38: SIM Card Forensics
by Apurva Rustagi
This article introduces the file system implemented in Subscriber Identity Module (SIM) cards and the collection of data contents that might be helpful in a forensic investigation. The author also provides programming code that is designed to extract some of the important data, such as Short Message Service (SMS) traffic and contact information, from the SIM card. The data extraction application is written in ANSI C.

p. 42: Malware Analysis: Detecting and Defeating Unknown Malware
by Kevin McAleavey
It is common for malware to slip right past security solutions undetected and unmitigated, leaving more systems infected with each passing day despite these efforts. Malware can not only threaten the process of conducting investigations, it can also threaten the evidence obtained from those investigations itself. This article covers how to detect and defeat unknown and undetected malware.
www.eForensicsMag.com 5
HOW TO PREPARE ORACLE for Examination in the Forensic Lab
by Todd Markley
Traditional forensic examinations of images using tools like EnCase or FTK often allow little more than access to fragments of text in the Oracle files. Examination in the context of the original schema, using a live Oracle instance, can provide the best possible perspective of evidence. This article will explore restoring an Oracle instance from a forensic image.

The Oracle database is a complex application that will store its data in many locations, often spread over a number of directories and/or disks. The configuration files that include the locations of the data are binary, and are normally only accessed through the database. The Oracle installer can use a compiler to link object modules with the operating system that creates custom executable files. This linking with the operating system during installation can hinder directly running a copy on another system. These are a few of the obstacles that make the task of recreating an Oracle instance in the lab difficult. In the ideal setting, the original or identical hardware would be available. That would allow booting a direct copy of the subject disk in the lab. The second best option would require exporting the data from the original Oracle database, either before or after the collection imaging. If the original subject system was running Linux, which is more forgiving than Windows, it may allow booting on only similar hardware. The example in this article will present the more difficult situation where booting a copy of the original disk does not work and the examiner has only a source image without any export backup.

Figure 1. Oracle Registry entries on Windows

The subject computer in this example is an IBM ThinkPad laptop with 64bit Windows 7, and has the Oracle 11gR2 database installed. This database was also loaded with 4,009,021 records with unique hash values from the NSRL hash set from http://www.nsrl.nist.gov/.

When Oracle is installed, the location of the software and data are provided by the user. Finding the location of ORACLE_HOME and the supporting data is the first step. Searching the disk for known Oracle files is one way to find ORACLE_HOME. If the subject was a Unix or Linux system, then the text file /etc/oratab can provide the information. On Windows, the location is stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE. The name of the target database, also known as the SID, can also be found in the Unix/Linux oratab file, or in the Windows registry (see Figure 1).

The next step is to locate the SPFILE and/or PFILE that is used for startup. On the Unix/Linux system, this is located in $ORACLE_HOME/dbs, and on Windows it may be found in the $ORACLE_HOME\database directory. The file names under Unix are init*.ora or spfile*.ora. The Windows file names are the same, only in uppercase: INIT*.ORA or SPFILE*.ORA. These two forms of the startup file both contain the same information, but the default SPFILE format is binary while the PFILE/INIT format is plain text. The database SID is in place of the * in each file name. The default installation only creates the binary SPFILE. Either one can be used for startup, and sometimes both will be found. These directories can contain more than one set of startup files, one set for each SID instance. The following steps can be repeated for each SID, but in this example the source database only has one instance.

The text can be extracted from the binary SPFILE using the strings command, which will provide the needed details. This is the same information found in the text PFILE. A line from this text will include the list of control_files=, which has the path to one or more copies of the Oracle control file for this SID (see Figure 2).

These control files are also binary. Each control file should contain identical information, unless they are out of sync. If the control files are out of sync then that may indicate that the data files are also out of sync and need recovery. Using the strings command again, a list of all the data files used by this instance can be extracted. This list of data files will need to be copied to the lab system (see Figure 3).

The exact version of Oracle that was used on the subject system is important. By default, part of the version number is often used in the ORACLE_HOME path. This allows more than one version to be installed on the system. One place to find more detail about the database version is in the $ORACLE_HOME/inventory/Components21/oracle.server directory and adjacent directories in Components21 (see Figure 4).

Figure 2. Extracting configuration text from SPFILEWIN.ORA using the strings command
Figure 4. Identify Oracle version number from the "oracle.server" directory listing

In this example, the target lab system will be running Linux. If the source subject computer is using a 32 bit operating system, then it is better if the target is also 32 bit. Likewise if the subject is 64 bit, then the target should be 64 bit. In this example, the subject system was running a 64 bit version of Windows 7, so the lab system was installed with 64 bit Linux. The exact Linux distribution used is
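The following Python script is an added example, not code from the article, and it reproduces what the two strings passes above recover: it pulls the printable runs out of a binary SPFILE and control file, reads the control_files= parameter, and collects every data file and redo log path so the copy list for the lab system can be produced in one step. The SPFILE and control file contents, and every path and value in them, are constructed sample data, not taken from the article's subject system.

```python
import re
from typing import Dict, List

# Constructed stand-in for a binary SPFILE: the parameter text sits between NUL
# padding and binary structures, which is why `strings` is the tool the article
# reaches for. All paths and values are sample data for this example.
SAMPLE_SPFILE = (
    b"\x00" * 16
    + b"WIN.__db_cache_size=218103808\x00\x00"
    + b"*.control_files='C:\\APP\\ORACLE\\ORADATA\\WIN\\CONTROL01.CTL',"
    + b"'C:\\APP\\ORACLE\\FAST_RECOVERY_AREA\\WIN\\CONTROL02.CTL'\x00\x00"
    + b"*.db_name='WIN'\x00\x01\x02"
    + b"*.compatible='11.2.0.0.0'\x00"
    + b"\x00" * 8
)

# Constructed stand-in for a binary control file: data file and redo log paths
# appear as NUL-separated strings among the binary records.
SAMPLE_CONTROLFILE = (
    b"\xff" * 32
    + b"C:\\APP\\ORACLE\\ORADATA\\WIN\\SYSTEM01.DBF\x00\x00\x03\x07"
    + b"C:\\APP\\ORACLE\\ORADATA\\WIN\\SYSAUX01.DBF\x00"
    + b"C:\\APP\\ORACLE\\ORADATA\\WIN\\UNDOTBS01.DBF\x00"
    + b"C:\\APP\\ORACLE\\ORADATA\\WIN\\USERS01.DBF\x00"
    + b"C:\\APP\\ORACLE\\ORADATA\\WIN\\TEMP01.DBF\x00"
    + b"C:\\APP\\ORACLE\\ORADATA\\WIN\\REDO01.LOG\x00"
    + b"C:\\APP\\ORACLE\\ORADATA\\WIN\\REDO02.LOG\x00"
    + b"junk\x00"
)


def strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Same idea as `strings -n 4`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def spfile_parameters(blob: bytes) -> Dict[str, str]:
    """Every NAME=value pair recovered from the SPFILE text; the leading
    'SID.' or '*.' scope prefix is dropped from the name."""
    params: Dict[str, str] = {}
    for line in strings(blob):
        m = re.match(r"(?:[^.=]+\.)?(\w+)=(.*)", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def control_files_from_spfile(blob: bytes) -> List[str]:
    """Paths in the control_files= parameter: quoted, comma-separated values."""
    value = spfile_parameters(blob).get("control_files", "")
    return re.findall(r"'([^']+)'", value)


def data_files_from_controlfile(blob: bytes) -> List[str]:
    """Data file, temp file and redo log paths embedded in a binary control file.
    Other short printable runs (binary noise such as 'junk') are filtered out."""
    return [s for s in strings(blob) if re.search(r"\.(DBF|LOG)$", s, re.IGNORECASE)]


def files_to_copy(spfile: bytes, controlfile: bytes) -> List[str]:
    """De-duplicated list, in discovery order, of the files the lab system needs."""
    out: List[str] = []
    for path in control_files_from_spfile(spfile) + data_files_from_controlfile(controlfile):
        if path not in out:
            out.append(path)
    return out


if __name__ == "__main__":
    print("SID:", spfile_parameters(SAMPLE_SPFILE).get("db_name"))
    for path in files_to_copy(SAMPLE_SPFILE, SAMPLE_CONTROLFILE):
        print(path)
```

On a real image the two byte strings would be read from the SPFILE and from one of the control files named in it; the copy list is then the input to the file copy described on the next page, and a control file that yields a different path list from its siblings is the out-of-sync condition the text warns about.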
not as important as long as you are able to install the Oracle software. The Oracle web site http://www.oracle.com/ includes a list of supported systems, and also makes the Oracle Enterprise Linux distribution available for download. Instructions for installing Oracle on supported systems can also be found on the Oracle web site. Instructions for installing Oracle on other distributions can be found in many places on the internet. Oracle also makes current versions of the database installation software available on its web site. The version of Oracle installed on the lab system needs to be as close as possible to the subject Oracle version. If the exact version is not available, then a newer version may work, but the closer the version the better. The examiner should create a database during the installation which can be used for baseline startup and control templates. On the lab system, with the installed database instance running, log in as the "oracle" user. Verify and/or set the Oracle environment to match the installed database.

[oracle@cray2 ~]$ printenv|grep ORA
ORACLE_SID=tstdb
ORACLE_BASE=/u01/ora
ORACLE_HOME=/u01/ora/o11g

Use the following SQL commands to create the baseline example templates, and shut it down: see Listing 1.

Listing 1. Save Control Trace and PFILE

[oracle@cray2 ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on Sat Sep 22 17:08:44 2012
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
SQL> ALTER DATABASE BACKUP CONTROLFILE TO TRACE AS '/tmp/control.trace';
Database altered.

SQL> CREATE PFILE FROM SPFILE;
File created.

SQL> SHUTDOWN IMMEDIATE;

The PFILE will be found in $ORACLE_HOME/dbs/init*.ora, where the * matches the SID. These two template files were the only things needed from the install database, so it is shut down to free resources which may be needed later.

In this example, all the required files were copied from the subject Windows disk to the /s/oracle/win directory. In this directory, these sub directories were also created: /s/oracle/win/admin/adump and /s/oracle/win/fast_recovery_area (see Figure 5).

It is possible for Oracle to use raw partitions for tablespace data files. If raw partitions are used, then these partitions would need to be copied and accessible on the lab system. Although this is outside the scope of this article, the same steps should work using the /dev entries for the matching raw partitions instead of the paths to the data files.

Listing 2. /etc/oratab

tstdb:/u01/ora/o11g:N
WIN:/u01/ora/o11g:N

Listing 3. Set Oracle Environment

[oracle@cray2 ~]$ . oraenv
ORACLE_SID = [tstdb] ? WIN
The Oracle base for ORACLE_HOME=/u01/ora/o11g is /u01/ora
[oracle@cray2 ~]$ printenv|grep ORA
ORACLE_SID=WIN
ORACLE_BASE=/u01/ora
ORACLE_HOME=/u01/ora/o11g

Listing 4. tnsnames.ora

WIN =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.211)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = WIN)
    )
  )

In previous steps, it was found that the SID of the subject was WIN. Copy the $ORACLE_HOME/dbs/init*.ora template that was created to $ORACLE_HOME/dbs/initWIN.ora and edit this file changing
the name of the database, file paths, and directory paths to match the new WIN instance (see Figure 6).

The initWIN.ora PFILE is the one that will be used to start the new WIN instance because, unlike the SPFILE, a text file is easy to edit without using the database. The lab computer may require different configuration parameters than the original subject system. One example of a difference would be the parameters for memory usage, because the lab system may not have the same amount of memory as the original database. Assume the installed database had valid configuration parameters for the lab system hardware since it worked. Adjustments can be made later if needed, but ideal tuning should not be necessary since this will not be a production database and performance is not a priority for most examinations.

Figure 6. After edit of initWIN.ora file for startup of new instance

Copy the /tmp/control.trace file to control_win.sql and edit it changing the name of the database, file paths, and sizes to match our new instance. The file has two sections. In this example, the NORESETLOGS case will be used, because all the REDO log files from the subject system are available and they are expected to be in sync. This section begins with STARTUP NOMOUNT and ends with the ALTER TABLESPACE TEMP command. The size of the REDO files is set to 50M, which matches the actual file size of 52429312, i.e. 50*1024*1024 plus the 512-byte header block. The ALTER TABLESPACE TEMP command is also set to the new TEMP01.DBF path and the size adjusted to match the file. Comment out the RECOVER DATABASE command because it should not be needed (see Figure 7).

Figure 7. After edit of SQL used to create a new control file for the WIN instance

As the root user, the examiner should add a line to the /etc/oratab file for this new instance. In this example the /etc/oratab looks like this: see Listing 2.

Now as the oracle user, change the Oracle environment to match the new WIN instance: see Listing 3.

The control_win.sql file can now be used to create new control files (see Figure 8).

Figure 8. Creating the new control file and starting the WIN database

With this example the control SQL finished without error and the database is now available. If the control SQL had failed with any errors, then each would need to be examined and resolved.

The ${ORACLE_HOME}/network/admin/tnsnames.ora file can now be modified to include our new WIN instance. For example: see Listing 4.

This example is simpler than some because only one change is necessary to allow network access to the WIN instance, which may be required by some utilities. More complex configurations may require other changes to enable networking.

If the subject database was using a port number other than 1521, or the lab configuration is not default, then the LOCAL_LISTENER parameter may need to be changed. The following can be used to display the current value: see Listing 5.

Listing 5. Display LOCAL_LISTENER Parameter

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

If the network details are not the default, then the value of LOCAL_LISTENER must contain the matching network information used by the listener. Here is an example of changing this parameter for address 192.168.1.210 and port 1522: see Listing 6.

Although many activities will write to the database, some actions are well understood not to affect the content of the user data. The forensic examiner must weigh the advantages and disadvantages of any actions that will write to the database. Although the database is accessible using the Linux oracle account with "/ as sysdba", some tasks may require knowing database passwords. If the SYS and/or SYSTEM passwords are not known, then they can be changed at this point with these commands: see Listing 7.

Creating a backup of the database with the data pump utility "expdp" will provide a more portable snapshot of the data and it will also verify access to every part of the database. But data pump requires write access. The system and temporary tables that may be altered by data pump are also well known and considered safe for preserving user data. The following short script provides a data pump example for extracting a portable snapshot. The destination path and system password should be changed to match the target system: see Listing 8.

During an examination, it is often desirable that the subject data is accessed read-only to protect it from alteration. The content of the database can
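The control trace editing described above (rewriting paths, commenting out RECOVER DATABASE, and checking that the declared SIZE values match the copied files) is mechanical enough to script. The following Python is an added example, not code from the article: it rewrites a constructed excerpt of the NORESETLOGS section for the /s/oracle/win directory and checks each SIZE against constructed file sizes. The trace text, the paths and the sizes are sample data, not the article's Figure 7; the header-block rule it applies (Oracle keeps one header block in front of the declared size, so a 50M redo log with BLOCKSIZE 512 is 52428800 + 512 = 52429312 bytes, and a data or temp file carries one db_block_size header) is a fact about the Oracle file format, with 8192 assumed as the block size.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the NORESETLOGS section of a control file trace, in the
# shape ALTER DATABASE BACKUP CONTROLFILE TO TRACE writes it. Sample values only.
SAMPLE_TRACE = """\
STARTUP NOMOUNT
CREATE CONTROLFILE REUSE DATABASE "WIN" NORESETLOGS  NOARCHIVELOG
    MAXLOGFILES 16
    MAXDATAFILES 100
LOGFILE
  GROUP 1 'C:\\APP\\ORACLE\\ORADATA\\WIN\\REDO01.LOG'  SIZE 50M BLOCKSIZE 512,
  GROUP 2 'C:\\APP\\ORACLE\\ORADATA\\WIN\\REDO02.LOG'  SIZE 50M BLOCKSIZE 512
DATAFILE
  'C:\\APP\\ORACLE\\ORADATA\\WIN\\SYSTEM01.DBF',
  'C:\\APP\\ORACLE\\ORADATA\\WIN\\USERS01.DBF'
CHARACTER SET WE8MSWIN1252
;
RECOVER DATABASE
ALTER DATABASE OPEN;
ALTER TABLESPACE TEMP ADD TEMPFILE 'C:\\APP\\ORACLE\\ORADATA\\WIN\\TEMP01.DBF'
     SIZE 20971520  REUSE AUTOEXTEND ON NEXT 655360  MAXSIZE 32767M;
"""

# Constructed byte sizes of the copied files, standing in for os.path.getsize()
# on the lab system's /s/oracle/win directory.
SAMPLE_SIZES = {
    "/s/oracle/win/REDO01.LOG": 52429312,   # 50M + 512-byte redo header block
    "/s/oracle/win/REDO02.LOG": 52429312,
    "/s/oracle/win/TEMP01.DBF": 20979712,   # 20971520 + one 8192-byte header block
}

UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def size_to_bytes(text: str) -> int:
    """'50M' -> 52428800; a bare number is already bytes."""
    m = re.fullmatch(r"(\d+)([KMG])?", text.upper())
    if not m:
        raise ValueError("bad SIZE value: " + text)
    return int(m.group(1)) * UNITS.get(m.group(2), 1)


def rewrite_paths(trace: str, src_prefix: str, dst_dir: str) -> str:
    """Replace every quoted subject-system path under src_prefix with the lab
    directory, keeping only the file name (the copies are flat in dst_dir)."""
    def repl(m: "re.Match[str]") -> str:
        path = m.group(1)
        if path.upper().startswith(src_prefix.upper()):
            return "'" + dst_dir.rstrip("/") + "/" + path.split("\\")[-1] + "'"
        return m.group(0)
    return re.sub(r"'([^']+)'", repl, trace)


def comment_out_recover(trace: str) -> str:
    """RECOVER DATABASE is not needed when the redo logs are in sync."""
    return re.sub(r"^(RECOVER DATABASE.*)$", r"-- \1", trace, flags=re.MULTILINE)


def declared_sizes(trace: str, db_block_size: int = 8192) -> Dict[str, Tuple[int, int]]:
    """path -> (declared bytes, header block bytes) for every SIZE clause. Redo
    logs state their BLOCKSIZE; data and temp files use the database block size."""
    out: Dict[str, Tuple[int, int]] = {}
    for m in re.finditer(r"'([^']+)'\s+SIZE\s+(\w+)(?:\s+BLOCKSIZE\s+(\d+))?", trace):
        path, size, bs = m.group(1), m.group(2), m.group(3)
        out[path] = (size_to_bytes(size), int(bs) if bs else db_block_size)
    return out


def check_sizes(trace: str, actual: Dict[str, int],
                db_block_size: int = 8192) -> List[Tuple[str, int, int, bool]]:
    """(path, expected on-disk size, actual size, match) for each SIZE clause.
    A mismatch means the edited SQL does not describe the file that was copied."""
    report = []
    for path, (declared, header) in declared_sizes(trace, db_block_size).items():
        expected = declared + header
        real = actual.get(path, -1)
        report.append((path, expected, real, expected == real))
    return report


def prepare(trace: str, src_prefix: str, dst_dir: str) -> str:
    """The full edit: lab paths substituted and RECOVER DATABASE commented out."""
    return comment_out_recover(rewrite_paths(trace, src_prefix, dst_dir))


if __name__ == "__main__":
    lab_sql = prepare(SAMPLE_TRACE, "C:\\APP\\ORACLE\\ORADATA\\WIN", "/s/oracle/win")
    print(lab_sql)
    for path, expected, real, ok in check_sizes(lab_sql, SAMPLE_SIZES):
        print("%-30s expected %d actual %d %s" % (path, expected, real, "OK" if ok else "MISMATCH"))
```

The database name is left for the examiner to edit by hand, since the trace also embeds it in the CREATE CONTROLFILE line and in comments; the size check is the part worth automating, because a wrong SIZE is exactly the kind of error that makes the control SQL fail.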
Listing 10. Sample NSRL source records

"000000206738748EDD92C4E3D2E823896700F849","392126E756571EBF112CB1C1CDEDF926","EBD105A0","I05002T2.PFB",98865,3095,"WIN",""
"0000004DA6391F7F5D2F7FCCF36CEBDA60C6EA02","0E53C14A3E48D94FF596A2824307B492","AA6A7B16","00br2026.gif",2226,228,"WIN",""
"000000A9E47BD385A0A3685AA12C2DB6FD727A20","176308F27DD52890F013A3FD80F92E51","D749B562","femvo523.wav",42748,4887,"MacOSX",""
"000001EF1880189B7DE7C15E971105EB6707DE83","B47139415F735A98069ACE824A114399","33FFFCF2","LINUX_DR.066",1723,8925,"Linux",""
"0000051C1E5A5DECF28FE8B57ABFE2B82A3EDD1C","11A6E2A7EF1273F93ECCB22ACCC15267","9314EB02","EPLQL2PC.PBD",6076,2866,"Solaris",""
"0000053DD188DB497821D216D9AA50DD0F1529BD","5AEC257B5EEB4AA386C28C52AE7EEC2B","E8C1285A","CMBIZ097.ccx",19818,228,"WIN",""
"000006F5B59A85CC6133E6F8801A715E466778A5","F9A6430EAAB2A665DFED8EB2350D81E1","AA288908","IMKI003P.PNG",31306,9011,"WIN95",""
"000007A1255E11E87B40E4877E5865B0A30C3849","B7A367DEFB8802FF4FF357FED346AE6F","D3203AD4","test_frozen.pyc",840,7935,"Linux",""
Listing 11. verify.pl

#!/usr/bin/perl
# Take records to test on stdin, then verify them as a match in Oracle
#
use DBI qw(:sql_types);

# The connect and prepare steps were not part of the printed listing; the
# service name, account, password and table/column names below are
# placeholders and must be changed to match the lab instance.
my($dbh) = DBI->connect('dbi:Oracle:WIN', 'system', 'CHANGE_ME',
                        { RaiseError => 1, AutoCommit => 0 })
    or die "Couldn't connect: " . DBI->errstr;
my($sth) = $dbh->prepare('SELECT sha1, md5, crc32, filename, filesize, ' .
                         'productcode, opsystemcode FROM nsrl WHERE sha1 = ?')
    or die "Couldn't prepare SQL: " . $dbh->errstr;

my(@rec);
my($rcnt)=0;
my($total)=0;
my($found)=0;
my($notfound)=0;
my($toomany)=0;
while( ($l=<>) ) {
  my(@irec);
  # NSRL flat-file layout:
  # "SHA-1","MD5","CRC32","FileName",FileSize,ProductCode,"OpSystemCode","SpecialCode"
  if( $l =~ /"([^"]*)","([^"]*)","([^"]*)","([^"]*)",([^,]*),([^,]*),"([^"]*)","([^"]*)"/ ) {
    $irec[0]=$1; $irec[1]=$2; $irec[2]=$3; $irec[3]=$4; $irec[4]=$5;
    $irec[5]=$6; $irec[6]=$7; $irec[7]=$8;
  } else {
    @irec = ();   # line did not parse; it is counted as not found below
  }
  $total++;
  $sth->execute($irec[0]) or die "Couldn't execute SQL: " . DBI->errstr;
  $rcnt=0;
  # Count rows that match the source record in all seven compared fields
  # (numeric compare for FileSize and ProductCode, string compare for the rest);
  # print the differing field numbers for any row that does not.
  while( @rec = $sth->fetchrow_array() ) {
    if( $rec[0] eq $irec[0] && $rec[1] eq $irec[1] && $rec[2] eq $irec[2] &&
        $rec[3] eq $irec[3] && $rec[4] == $irec[4] && $rec[5] == $irec[5] &&
        $rec[6] eq $irec[6]) {
      $rcnt++;
    } else {
      print "Rec: " . $rec[0] . " " . $irec[0] . "\n";
      foreach $i ( 0..6 ) {
        if( $rec[$i] ne $irec[$i] ) { print $i . ") " . $rec[$i] . " != " . $irec[$i] . "\n"; }
      }
    }
  }
  if($rcnt<1) { $notfound++; }
  if($rcnt==1) { $found++; }
  if($rcnt>1) { $toomany++; }
  print DBI->errstr if DBI->err;
}
$sth->finish;
$dbh->disconnect;
print "total=$total found=$found notfound=$notfound toomany=$toomany\n";
be protected by the shutdown and restart of the database with these commands: see Listing 9.

The image subject included a table containing records from the NSRL hash database. Here is a sample of the NSRL source records that were used: see Listing 10.

To verify the forensic integrity of the user data in the lab instance, a perl script was used to compare each record to the original NSRL source file. The NSRL source data is provided as flat text, and in this case perl was selected because it was well suited to the task of parsing this format. The following script was used for this test: see Listing 11.

This perl script requires installation of the DBI and DBD::Oracle software. These installation details can be found in many places on the internet, but are outside the scope of this article. The test using this script was successful with 100% of the records matching with the following output:

was in use were determined. These data files were copied to the lab system and the necessary configuration was set up to create a new group of control files and start an instance. Enabling network access, changing unknown passwords, exporting with data pump, and restarting the database in read-only mode were also discussed. Although the forensic examination of an Oracle database can be a difficult challenge, this article has explored the option of inspecting the data in the lab using Oracle to retain the original schema context. Under the right circumstances, this process could be a valuable aid to the forensic examiner.
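The integrity test that verify.pl performs (look each NSRL source record up by SHA-1 in the restored instance and require exactly one row that matches in every compared field) can be exercised offline. The following Python is an added example, not code from the article: it loads the eight records of Listing 10 into an in-memory SQLite table that stands in for the restored Oracle instance (the table and column names are assumed; the article does not give the subject schema), runs the same check, and then shows what the counters look like when the lab copy has been altered, which is the condition the check exists to catch.

```python
import csv
import io
import sqlite3
from typing import Dict, Iterable, Tuple

Record = Tuple[str, str, str, str, int, int, str, str]

# The eight NSRL source records from Listing 10, in the NSRL flat-file layout:
# "SHA-1","MD5","CRC32","FileName",FileSize,ProductCode,"OpSystemCode","SpecialCode"
SAMPLE_NSRL = '''\
"000000206738748EDD92C4E3D2E823896700F849","392126E756571EBF112CB1C1CDEDF926","EBD105A0","I05002T2.PFB",98865,3095,"WIN",""
"0000004DA6391F7F5D2F7FCCF36CEBDA60C6EA02","0E53C14A3E48D94FF596A2824307B492","AA6A7B16","00br2026.gif",2226,228,"WIN",""
"000000A9E47BD385A0A3685AA12C2DB6FD727A20","176308F27DD52890F013A3FD80F92E51","D749B562","femvo523.wav",42748,4887,"MacOSX",""
"000001EF1880189B7DE7C15E971105EB6707DE83","B47139415F735A98069ACE824A114399","33FFFCF2","LINUX_DR.066",1723,8925,"Linux",""
"0000051C1E5A5DECF28FE8B57ABFE2B82A3EDD1C","11A6E2A7EF1273F93ECCB22ACCC15267","9314EB02","EPLQL2PC.PBD",6076,2866,"Solaris",""
"0000053DD188DB497821D216D9AA50DD0F1529BD","5AEC257B5EEB4AA386C28C52AE7EEC2B","E8C1285A","CMBIZ097.ccx",19818,228,"WIN",""
"000006F5B59A85CC6133E6F8801A715E466778A5","F9A6430EAAB2A665DFED8EB2350D81E1","AA288908","IMKI003P.PNG",31306,9011,"WIN95",""
"000007A1255E11E87B40E4877E5865B0A30C3849","B7A367DEFB8802FF4FF357FED346AE6F","D3203AD4","test_frozen.pyc",840,7935,"Linux",""
'''


def parse_nsrl(text: str) -> Iterable[Record]:
    """Yield one typed record per well-formed line; other lines are skipped,
    which mirrors the regex test in verify.pl."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 8:
            continue
        yield (row[0], row[1], row[2], row[3], int(row[4]), int(row[5]), row[6], row[7])


def load_lab_db(records: Iterable[Record]) -> sqlite3.Connection:
    """Stand-in for the restored Oracle instance: an in-memory SQLite table.
    Table and column names are assumed for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nsrl (sha1 TEXT, md5 TEXT, crc32 TEXT, filename TEXT, "
               "filesize INTEGER, productcode INTEGER, opsystemcode TEXT, specialcode TEXT)")
    db.executemany("INSERT INTO nsrl VALUES (?,?,?,?,?,?,?,?)", records)
    db.commit()
    return db


QUERY = ("SELECT sha1, md5, crc32, filename, filesize, productcode, opsystemcode "
         "FROM nsrl WHERE sha1 = ?")


def verify(db: sqlite3.Connection, text: str) -> Dict[str, int]:
    """Same test as verify.pl: look each source record up by SHA-1 and require
    exactly one row whose first seven fields match. 'mismatch' counts rows that
    share the SHA-1 but differ elsewhere, the signature of an altered copy."""
    counts = {"total": 0, "found": 0, "notfound": 0, "toomany": 0, "mismatch": 0}
    for src in parse_nsrl(text):
        counts["total"] += 1
        matches = 0
        for row in db.execute(QUERY, (src[0],)):
            if tuple(row) == src[:7]:
                matches += 1
            else:
                counts["mismatch"] += 1
                diffs = [i for i in range(7) if row[i] != src[i]]
                print("mismatch for", src[0], "in field(s)", diffs)
        if matches < 1:
            counts["notfound"] += 1
        elif matches == 1:
            counts["found"] += 1
        else:
            counts["toomany"] += 1
    return counts


def run_demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Verify a faithful copy, then the same copy after two constructed
    alterations: one record's size changed and one record duplicated."""
    db = load_lab_db(parse_nsrl(SAMPLE_NSRL))
    clean = verify(db, SAMPLE_NSRL)
    db.execute("UPDATE nsrl SET filesize = filesize + 1 WHERE filename = '00br2026.gif'")
    db.execute("INSERT INTO nsrl SELECT * FROM nsrl WHERE filename = 'test_frozen.pyc'")
    altered = verify(db, SAMPLE_NSRL)
    return clean, altered


if __name__ == "__main__":
    clean, altered = run_demo()
    print("clean copy:  ", clean)
    print("altered copy:", altered)
```

A faithful copy yields found equal to total with the other counters at zero, which is the "100% of the records matching" result the article reports; an altered size shows up as one notfound plus one mismatch, and a duplicated row as one toomany, so each counter points at a different kind of damage to the lab copy.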
Real-Time Intrusion Detection for Critical Infrastructure Protection: CockpitCI Approach
What you will learn: Critical Information Infrastructure Protection, machine learning techniques applied to intrusion detection, and a new European Framework-7 funded project related to Critical Infrastructure Protection.

What you should know: Very basic understanding of information technology and machine learning (references are given to support this).

However, strictly speaking, they are not effective intrusion detection methods, as they require knowing what kind of attack is expected, which deviates from the fundamental object of intrusion detection. In this article we describe an intelligent intrusion detection approach, which does not require any attack signatures, proposed for a new European Framework-7 (FP7) funded research project, CockpitCI.

INTRODUCTION
In today's growing cyber world, where a nation's vital communications and utilities infrastructure can be impacted depending upon the level and sophistication of hostile attacks, the need for Critical Infrastructure Protection (CIP) and advanced cyber security is at an all-time high. In this article we describe an intelligent intrusion detection approach proposed for a new European Framework-7 (FP7) funded research project, CockpitCI. The article provides the CockpitCI concept and the roles of intelligent machine learning methods to prevent cyber-attacks. A discussion on this concept emphasizes the need for intelligent risk detection, analysis and protection techniques for Critical Infrastructures (CI). With the intelligence of machine learning solutions, CockpitCI will contribute to a safer living environment for people, especially by providing smart detection tools, early alerting systems and a strategic security system, which allows isolating default systems and ensuring the safeguarding of the living environment. The distributed framework of the system will ensure an operational deployment of the security all over Europe and will improve
the European Critical Information Infrastructure Protection (CIIP) strategy.

CockpitCI will focus on cyber-attacks on the control systems of energy grids that are typically interconnected with public Telco networks. Power grids and Telco networks have a large impact on daily life and are typically referred to as CI since their correct operation is essential for the everyday life of our modern society. There are bi-directional dependent relationships and reciprocal influences among CIs, named interdependencies. That is especially true because CIs are more and more reliant on information and communication technology and mainly through this reliance they have become more and more interdependent. The successful delivery of any essential CI service depends upon the operating status not only of the CI which is intended to deliver such a service but also on the operating status of any interdependent CIs. Initial disturbances in (or even destruction of) parts of one CI may result in cascading effects in the infrastructure itself and/or in the other interdependent CIs.

The paradox is that Power and Telco CIs massively rely on the newest interconnected (and vulnerable) Information and Communication Technologies (ICT), while the control equipment is typically old, legacy software/hardware. Such a combination of factors may lead to very dangerous situations, exposing the systems to a wide variety of attacks. This article first discusses machine learning based intrusion detection strategies for CIP and then introduces an advanced intrusion detection technique which will be developed as a part of the CockpitCI project to protect CI from such cyber-attacks.

MACHINE LEARNING BASED INTRUSION DETECTION
Intrusion detection is the process of observing and analysing the events taking place in an information system in order to discover signs of security problems. Traditionally, the alerts of Intrusion Detection Systems (IDS) are analysed by human analysts (security analysts). They evaluate the alerts and take decisions accordingly. Nevertheless, this is an extremely difficult and time consuming task as the number of alerts generated could be quite large and the environment may also change rapidly. Machine learning has the capability to: 1) gather knowledge about the new data, 2) make predictions about the new data based on the knowledge gained from the previous data. This makes machine learning techniques more efficient for intrusion detection than human analysts.

Figure 1. Core process of threat identification by machine learning: events are analysed and patterns are detected; if patterns are known, the relationships between the data elements are identified; if the relationships are known, the context of the data elements is identified; if the context is known, then the meaning of the data is understood (i.e. whether the data corresponds to normal or abnormal behaviour of the system).

An IDS monitors the activities that occur in a computing resource to detect violations of the security policy of an organization. These violations may be caused by people external to the organization (i.e. attackers) or by employees/contractors of the organization (i.e. insiders). During the recent past, intrusion detection has received considerable motivation owing to the following reasons [1] [2]:

• If an intrusion is detected quickly enough, an intruder can be identified quickly and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to pre-empt the intruder, the sooner that the intrusion is detected, the less is the amount of potential damage done and the more quickly that recovery can be achieved.
• An effective intrusion detection system can serve as a deterrent, acting to prevent intrusion.
• Intrusion detection enables the collection of information about intrusion techniques that can be used to analyse new threats and to strengthen the intrusion prevention facility.

Along with the above motivations, the intention of intrusion detection can be summarized as follows:

• Detect as many types of attacks as possible (i.e. including internal malicious/non-malicious and external opportunistic/deliberate attacks), thereby increasing the detection rate.
• Detect as accurately as possible, thereby reducing the number of false alarms.
• Detect attacks in the shortest possible time, thereby reducing the damage of the attacks.

The above requirements have prompted researchers to develop various types of IDS that fulfil the above goals to protect Supervisory Control And Data Acquisition (SCADA) systems from cyber-attacks. SCADA systems are vulnerable to cyber-attacks due to design and implementation flaws in the cyber-security system. Malicious users attack the cyber-
security system vulnerabilities by using a sequence of events to break into the SCADA system [3, 4]. These events result in characteristics that are defined by patterns of attack. The goal of any machine learning technique, in intrusion detection, is to analyse the input event data and to detect patterns that would reflect possible threats to the cyber-infrastructure. The core process of threat identification by machine learning is illustrated in Figure 1.

According to the detection principle used for the process shown in Figure 1, intrusion detection techniques can be classified into the following main modules (but not limited to): Signature detection (misuse detection), Anomaly detection. Detection principles behind each module are discussed in the following subsections.

Signature Detection (Misuse Detection)
Signature detection, also known as misuse detection, generates alarms when a known cyber-attack occurs. In this technique the behaviour of the system is compared with unique patterns and characteristics of known attacks, called signatures. This is typically done by measuring the similarity between the input events and signatures of known attacks. If a match is found, an alarm is triggered. As a result, known cyber-attacks can be detected immediately with a low false-positive rate. However, if there is no similarity match, the event is classified as normal behaviour and the detection approach will search for further patterns. Thus, signature detection can only detect known attacks. Figure 2 illustrates the approach of signature detection.

Signature detection heavily relies on the prior knowledge of attack signatures. Thus the effectiveness of the detection mechanism relies on a frequent updating of the signature database.

Due to the availability of prior knowledge on attack signatures, hence the availability of labelled data, supervised machine learning techniques are generally used for signature based intrusion detection.

Figure 2. Signature detection approach (patterns derived from system behaviour are tested for a similarity match against the database of attack signatures; Yes: suspicious behaviour)

Anomaly Detection
Anomaly detection is an IDS triggering method that generates alarms when an event behaves differently from the normal behaviour patterns. Thus this can be defined as a problem of finding patterns in data that differ from the expected behaviour of a system. Figure 3 illustrates the anomalous data patterns in a simple 2-dimensional data set. In this example the data has two normal regions, N1 and N2. Data that sufficiently deviate from these regions, i.e. point A1, point A2 and region A3, are considered as anomalies.

Figure 3. Anomalies in a simple 2-dimensional data set (axes X and Y; normal regions N1 and N2; anomalous points A1 and A2 and anomalous region A3)

The anomaly detection approach has two main steps: training and detection. In the training step, machine learning techniques are used to generate a profile of normal behaviours that define the healthy cyber-infrastructure. In the detection step, an event is classified as an attack if the event record deviates sufficiently from the normal profiles. Unlike signature detection, anomaly detection has the potential to detect novel attacks. However, anomaly detection typically has a high false-positive rate. This is because in anomaly detection any sufficient deviation from the baseline is flagged as an intrusion. Thus it is likely that non-intrusive behaviour that falls outside the normal region generates an alarm, resulting in a false-positive.

The key challenge for anomaly detection in intrusion detection is the analysis of huge amounts of data with a high dimensional feature space. It requires computationally efficient data mining techniques to handle large amounts of input data. Furthermore, the data typically comes in a streaming fashion, thus requiring online analysis. As the data amounts to millions, even a few false alarms can be overwhelming when it comes to decision making.

In anomaly detection, labelled data corresponding to normal system behaviour are usually available, while the labelled data for intrusions are not. As a result, unsupervised machine learning techniques are preferred for anomaly detection.
The following paragraphs explain the supervised and unsupervised machine learning techniques mentioned in the above signature and anomaly detection.

that normal and intrusion data can be clustered. Thus, most of the solutions to unsupervised intrusion detection are clustering based intrusion detection techniques such as k-means clustering.

[Figure residue: "Kernel transformation", "Hyperplane"]
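The two-step anomaly detection approach (train a profile of normal behaviour, then flag events that deviate sufficiently from it) and the k-means clustering the text names as the usual unsupervised route can be shown on the Figure 3 scenario. The following Python is an added example, not code from the article or the CockpitCI project: the training data (two normal regions N1 and N2), the events (A1, A2, the region A3, and a benign "drift" point), the choice of plain k-means with a farthest-first start, and the radius margin of 1.5 are all assumptions made for the example, not parameters the article gives.

```python
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed training data: two normal regions, N1 around (2, 2) and N2 around
# (8, 8), laid out deterministically so the run is repeatable.
OFFSETS = [(-0.6, -0.4), (-0.3, 0.5), (0.0, 0.0), (0.4, -0.5),
           (0.6, 0.3), (-0.5, 0.2), (0.2, 0.6), (0.5, -0.2)]
TRAINING: List[Point] = ([(2 + dx, 2 + dy) for dx, dy in OFFSETS]
                         + [(8 + dx, 8 + dy) for dx, dy in OFFSETS])

# Constructed detection-time events: two normal points, the isolated anomalies
# A1 and A2, an anomalous region A3 between N1 and N2, and "drift", a benign
# point just outside N1 that the detector flags anyway (a false positive).
EVENTS: Dict[str, Point] = {
    "normal-1": (2.3, 1.8), "normal-2": (7.7, 8.4),
    "A1": (1.5, 8.5), "A2": (8.5, 1.0),
    "A3-a": (4.8, 5.2), "A3-b": (5.1, 4.9), "A3-c": (5.0, 5.4),
    "drift": (3.4, 2.2),
}


def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def nearest(p: Point, centroids: List[Point]) -> int:
    """Index of the centroid closest to p."""
    return min(range(len(centroids)), key=lambda i: dist(p, centroids[i]))


def kmeans(points: List[Point], k: int, iterations: int = 20) -> List[Point]:
    """Lloyd's k-means. Initial centroids are chosen farthest-first (start at
    points[0], then repeatedly take the point farthest from all chosen so far),
    which makes the result deterministic for this example."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    for _ in range(iterations):
        buckets: List[List[Point]] = [[] for _ in range(k)]
        for p in points:
            buckets[nearest(p, centroids)].append(p)
        new = [(sum(x for x, _ in b) / len(b), sum(y for _, y in b) / len(b)) if b
               else centroids[i] for i, b in enumerate(buckets)]
        if new == centroids:
            break
        centroids = new
    return centroids


def train_profile(points: List[Point], k: int = 2,
                  margin: float = 1.5) -> List[Tuple[Point, float]]:
    """Training step: cluster the normal data and keep, per region, its centroid
    and an allowed radius (largest training distance to the centroid times a
    margin). The margin of 1.5 is an assumed tuning knob: raising it lowers the
    false-positive rate at the cost of missing small deviations."""
    centroids = kmeans(points, k)
    members: List[List[Point]] = [[] for _ in centroids]
    for p in points:
        members[nearest(p, centroids)].append(p)
    return [(c, margin * max((dist(p, c) for p in m), default=0.0))
            for c, m in zip(centroids, members)]


def classify(profile: List[Tuple[Point, float]], event: Point) -> Tuple[bool, float]:
    """Detection step: the event's score is its distance to the nearest normal
    region relative to that region's radius; a score above 1 is an anomaly."""
    score = min(dist(event, c) / max(r, 1e-9) for c, r in profile)
    return score > 1.0, score


def detect(profile: List[Tuple[Point, float]], events: Dict[str, Point]) -> Dict[str, bool]:
    return {name: classify(profile, p)[0] for name, p in events.items()}


if __name__ == "__main__":
    profile = train_profile(TRAINING)
    for c, r in profile:
        print("normal region centred at (%.2f, %.2f), radius %.2f" % (c[0], c[1], r))
    for name, p in EVENTS.items():
        flagged, score = classify(profile, p)
        print("%-9s %-8s score=%.2f" % (name, "ANOMALY" if flagged else "normal", score))
```

The "drift" event is the false-positive case the text describes: it is benign but lies outside the learned region, so it is flagged along with A1, A2 and A3. Only normal training data is needed, which is why the text pairs anomaly detection with unsupervised learning; the cost is that the threshold (the margin here) decides the false-positive rate and has to be tuned per system.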
selection algorithms [9] are designed for one-class classification; however, these algorithms can potentially fail with the increasing diversity of the normal set, and they are not meant for the problem with a small number of self-samples, or for general classification problems where the probability distribution plays a crucial role. Furthermore, negative selection only works for a standard sequence, which is not suitable for online detection. Other algorithms, such as time series analysis, have also been introduced to intrusion detection, and again, they may not be suitable for most real application cases. Table 1 presents an analysis of some of the intrusion detection strategies discussed above.

Table 1. Intrusion detection strategies (technique; description; advantages; disadvantages)

Artificial neural network (ANN) [6]
Description: transforms inputs into outputs that match targets through nonlinear processing in a connected group of neurons.
Advantages: low computational time; nonlinear data analysis.
Disadvantages: prior knowledge of the anomaly type is required; training data needs to be adequate and balanced, thus a large amount of attack training data is required.

k-Nearest neighbour (KNN) [5]
Description: computes the approximate distances between different input vectors, and then assigns the unlabelled point to the class of its k nearest neighbours.
Advantages: simple to understand and easy to implement.
Disadvantages: prior knowledge of the anomaly type is required; sensitive to noise samples; difficult to classify complex data.

Hidden Markov model (HMM) [8]
Description: clusters of temporal data are specified by a mixture of dynamic models.
Advantages: suitable for coping with data dependency among temporal data; solid statistical foundation.
Disadvantages: prior knowledge of the anomaly type is required; high computational complexity; large number of unstructured parameters; needs large amounts of data.

k-Means clustering [11]
Description: assigns objects into groups (clusters) by determining the distance between the objects over multiple dimensions of the data set.
Advantages: no signatures (class labels) required; simple to understand and easy to implement.
Disadvantages: needs parameters to specify the number of segmentations, and the detection procedure has to shift from one state to another state; different initial partitions can result in different final clusters; produces less accurate classifiers for complex data.

To minimize the above mentioned drawbacks, an intelligent approach based on OCSVM (One-Class Support Vector Machine) principles is proposed for intrusion detection in CockpitCI. OCSVM is a natural extension of the support vector machine (SVM) algorithm to the case of unlabelled data, especially for the detection of outliers. Hence OCSVM is an unsupervised machine learning technique, whereas the SVM algorithm is a supervised machine learning method and is essentially construed as a two-class classification algorithm (i.e. it requires class labels of both positive and negative samples). SVM uses a kernel function to map data into a space where it is linearly separable. The space where the data is mapped may be of higher dimension than the initial space. The SVM allows finding a hyper-plane which optimally separates the classes of data: the hyper-plane is such that its distance to the nearest training data points is maximal (maximum margin). An example is shown in Figure 4. The SVM has shown superior performance in the classification problem and has been used successfully in many real-world problems. However, the weakness of SVM is that it needs prior labelled data and is very sensitive to noise. A relatively small number of mislabelled samples (noise samples) can dramatically decrease its performance. In the case of CI monitoring, which patterns in the data are normal or abnormal may not be obvious to operators. Thus, although SVM has proved to be a powerful classification tool, its implementation in CI intrusion detection is difficult without the availability of adequate labelled data. To overcome this issue and the other drawbacks mentioned in Table 1, an intelligent unsupervised machine learning approach based on OCSVM principles is proposed for intrusion detection in CockpitCI.

Unlike SVM or similar classification methods, OCSVM does not need any labelled data for training, or any information about the kind of intrusion it is expected to detect. In summary, the OCSVM possesses several advantages for processing network performance data and automating network performance monitoring, which can be highlighted as:

• no signatures (class labels) of the training data are required
• robustness to noise samples in the training process
• algorithm configuration can be controlled by the user to regulate the percentage of anomalies expected
• each anomaly detector can be trained to make decisions from a small number of data samples, which makes its implementation efficient and effective
• the detectors can operate fast enough for online operation

Most of the current commercial intrusion detection software is based on approaches with statistics-embedded feature processing, time series analysis and pattern recognition techniques. Some software has considered elements of machine learning such as clustering and neural networks. However, none of them has yet considered using OCSVM principles in commercial software, although research has shown great potential in the area of intrusion detection [12,13,14].

One Class SVM working mechanism
The OCSVM separates outliers from the majority, and the approach can be considered as a regular two-class SVM where all the data lies in the first class and the origin is the only member of the second class [4, 5], as shown in Figure 5. The basic idea of the OCSVM is to map the input data into a high-dimensional feature space and construct an optimal separating hyper-plane, which is defined as the one with the maximum margin (or separation) between the two classes. This optimal hyper-plane can be solved easily using a dual formulation. The solution is sparse and only the support vectors are used to specify the separating hyper-plane. The number of support vectors can be very small compared to the size of the training set, and only the support vectors are important for the prediction of future points. By the use of a kernel function, it is possible to compute the separating hyper-plane without explicitly carrying out the mapping operations into the feature space, and all necessary computations are performed directly in the input space. A brief description of the intrusion detection algorithm is given in the following paragraphs.

Considering a data set N = {x1, x2, …, xl}, x ∈ R^N, the task is to find a function f that takes the value "+1" for most of the vectors in the data set (i.e. for normal or attack-free data), and "-1" for the other, very small part (i.e. data corresponding to intrusions). As explained above, the strategies for the OCSVM are: first, map the input data into a feature space H (commonly known as a Hilbert space) according to a mapping function X = ɸ(x), and separate the data from the origin with maximum margin. A hyper-plane f(x) is built up to mark the boundary of this separation. The key idea for the separation is that not all the data needs to be separated to the same side of the hyper-plane f(x); on the contrary, a small number of points can lie on the other side of the hyper-plane. In order to allow this, slack variables are introduced into the objective function of the support vector machine, and the OCSVM solves the following quadratic optimization problem:
the hyper-plane. ξi are slack variables acting as penalization in the objective function. ν ∈ (0,1) is the trade-off parameter balancing the normal data and the data corresponding to intrusions in the data set, and a maximum of ν×100% of the data points are expected to return negative values according to f(x) = w·ɸ(x) − ρ. Deriving its dual representation, the OCSVM solves the following problem: select the kernel function K(x,x') in the Hilbert space H and the trade-off parameter ν, then construct and solve the following optimization problem to find the solution for the Lagrangian multipliers α:

The parameter ν directly determines the sensitivity of outlier (i.e. intrusion) detection in the algorithm. K(x,x') is called the kernel function and can take various forms. In the literature it is reported that the Radial Basis Function (RBF), as shown in equation (6), is the most widely used kernel in SVM [15], and the RBF kernel is adopted in the proposed approach. The remaining parameter is the standard deviation in equation (6).

For any x, if f(x) is negative, x is detected as a possible intrusion; otherwise x is normal. Figure 6 shows the structure of the proposed intrusion detection algorithm. In the algorithm, the OCSVM principles are used to train on the offline data and generate the detection model, and then the model function is employed for intrusion detection. A negative value returned from the decision function implies an abnormal event. Events with negative values are moved to the threat assessment module to quantify the risk(s) associated with the attack. This will allow the field equipment to perform local decisions in order to self-identify and self-react to abnormal situations introduced by cyber-attacks.

CONCLUSION
The research performed during the CockpitCI project will allow improving the cyber-security industry. In real-world applications, it is difficult to find sufficient attack data for training and testing intrusion detection techniques. Most attacks will remain unknown. Thus, the design and application of real-time intrusion detection methods which do not require any attack signatures will be important in developing future CIP and advanced cyber security solutions. CockpitCI will develop such smart detection tools for CI protection and is likely to give a real advantage in the security market. With the development of intelligent machine learning based solutions, CockpitCI will be able to:

• Deploy smart detection agents to monitor potential cyber threats and transmit alerts to the central control centre belonging to the CI owner.
• Analyse the threat, and perform simulation to predict the cyber risk level and the predicted quality of service (QoS) level for the whole CI.
• Design a reaction strategy and assess the impact on QoS.
• Broadcast alerting messages to other CIs to assess impact and enhance the cyber security of interconnected CIs.

ACKNOWLEDGMENT
The authors would like to thank the partners of the CockpitCI consortium and acknowledge the funding support from the European Framework-7 Programme for the project (Grant no. 285647).

References
[1] S.V. Sabnani, Computer Security: A Machine Learning Approach, Technical report, 2008.
[2] W. Stallings, Network Security Essentials: Applications and Standards (3rd Edition), Prentice Hall, 2006.
[3] L. O'Murchu and N. Falliere, W32.Stuxnet Dossier, Symantec White Paper, February 2011.
[4] S. Bologna and R. Setola, "The Need to Improve Local Self-Awareness in CIP/CIIP", Proc. of the First IEEE International Workshop on Critical Infrastructure Protection (IWCIP 2005), pp. 84-89, Darmstadt, Germany, 3-4 November 2005.
[5] P. Cunningham and S.J. Delany, k-Nearest Neighbour Classifiers, Technical Report UCD-CSI-2007-4, March 27, 2007.
[6] C. Gershenson, Artificial Neural Networks for Beginners, Cognitive and Computing Sciences, University of Sussex.
[7] C.J.C. Burges, A Tutorial on Support Vector Machines for Pattern Recognition, Data Mining and Knowledge Discovery, 2(2):955-974, Kluwer Academic Publishers, Boston, 1998.
[8] L.R. Rabiner, "A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition", Proceedings of the IEEE, 77(2):257-286, 1989.
[9] Z. Ji and D. Dasgupta, Revisiting Negative Selection Algorithms, Evolutionary Computation, Vol. 15, No. 2, Summer 2007.
[12] J. Ma and S. Perkins, Time-Series Novelty Detection Using One-Class Support Vector Machines, Proceedings of the International Joint Conference on Neural Networks, July 2003, pp. 1741-1745.
[13] K. Li, H. Huang, S. Tian and W. Xu, Improving One-Class SVM for Anomaly Detection, Proceedings of the Second International Conference on Machine Learning and Cybernetics, Xi'an, 2003, pp. 3077-3081.
[14] B. Schölkopf, J. Platt, J. Shawe-Taylor, A.J. Smola and R. Williamson, "Estimating the Support of a High-Dimensional Distribution", Neural Computation, Vol. 13, No. 7, pp. 1443-1472, 2001.
[15] S.S. Keerthi and C.J. Lin, Asymptotic Behaviors of Support Vector Machines with Gaussian Kernel, Neural Computation, Vol. 15, No. 7, pp. 1667-1689, 2003.

Author bio
Lasith Yasakethu received his BSc. Engineering degree (First Class Hons.) in Electrical and Electronic Engineering from the University of Peradeniya, Sri Lanka, in 2007. He was awarded the prize for best performance in Electronic Communication Engineering by the University of Peradeniya for his achievements in undergraduate studies. In Oct. 2007 he was awarded the Overseas Research Scholarships Award by the Higher Education Funding Council of England to pursue a PhD at the University of Surrey, UK. After completing his PhD he worked as a Research Engineer for Technicolor Research & Innovations (formerly known as THOMSON R&D), in Rennes, France, from Oct. 2010 to March 2012. Currently he is working as a Research Fellow in the Computing Department, University of Surrey, UK. His research interests include cyber-security, machine learning, Quality of Experience (QoE) in multimedia communications, 2D/3D video processing and transmission, and content creation for 3D cinema and 3DTV. He has worked for several EU FP6 and FP7 projects in the above fields. He is a member of IEEE.

Author bio
Jianmin Jiang received his B.Sc degree from Shandong Mining Institute, China, in 1982, M.Sc degree from China University of Mining and Technology in 1984, and PhD from the University of Nottingham, UK, in 1994. From 1985 to 1989, he was a lecturer at Jiangxi University of Technology, China. In 1989, he joined Loughborough University, UK, as a visiting scholar and later moved to the University of Nottingham as a research assistant. In 1992, he was appointed a lecturer of electronics at Bolton University, UK, and moved back to Loughborough University in 1995 as a lecturer of computer science. From 1997 to 2001, he worked as a full professor of Computing at the University of Glamorgan, Wales, UK. In 2002, he joined the University of Bradford as a Chair Professor of Digital Media, and Director of the Digital Media & Systems Research Institute. He is now a Professor of Media Computing at the University of Surrey, United Kingdom. He is also an adjunct professor at Tianjin University, China. He is a chartered engineer, fellow of IEE, fellow of RSA, member of the EPSRC College, and EU FP-6/7 evaluator. His research interests include image/video processing in the compressed domain, digital video coding, stereo image coding, medical imaging, computer graphics, machine learning and AI applications in digital media processing, retrieval and analysis. He has published around 400 refereed research papers.
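The OCSVM decision rule described in the article above, as an added example that is not code from the CockpitCI project or its authors: it solves the dual problem of Schölkopf et al. [14] with pairwise updates under the box constraint 0 ≤ αi ≤ 1/(νl) and Σαi = 1, takes ρ from the margin support vectors, and flags a point as a possible intrusion when f(x) = Σ αi K(xi, x) − ρ is negative. The training set is constructed, and the values of ν and the RBF kernel width are assumptions.

```python
# Added example (not the CockpitCI project's code): a minimal one-class SVM with an
# RBF kernel, trained on unlabelled "normal" data only, as in the text above.
import math
import random


def rbf_kernel(a, b, sigma):
    """RBF kernel K(x, x') = exp(-||x - x'||^2 / (2 sigma^2)); sigma is the kernel width."""
    d2 = sum((p - q) ** 2 for p, q in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma * sigma))


class OneClassSVM:
    """f(x) < 0 flags x as a possible intrusion; nu bounds the training outlier fraction."""

    def __init__(self, nu=0.1, sigma=1.0, passes=100, tol=1e-7):
        self.nu, self.sigma, self.passes, self.tol = nu, sigma, passes, tol
        self.sv = []        # support vectors (training points with alpha_i > 0)
        self.sv_alpha = []  # their Lagrangian multipliers
        self.rho = 0.0      # offset of the separating hyper-plane

    def fit(self, X):
        l = len(X)
        C = 1.0 / (self.nu * l)   # box bound: 0 <= alpha_i <= 1/(nu*l), with sum(alpha) = 1
        K = [[rbf_kernel(X[i], X[j], self.sigma) for j in range(l)] for i in range(l)]
        alpha = [1.0 / l] * l     # feasible start (1/l <= C because nu <= 1)
        # g_i = sum_k alpha_k K_ik is the gradient of the dual objective 1/2 alpha^T K alpha
        g = [sum(alpha[k] * K[i][k] for k in range(l)) for i in range(l)]
        for _ in range(self.passes):
            biggest = 0.0
            for i in range(l):
                for j in range(i + 1, l):
                    # Move mass t from alpha_j to alpha_i, which keeps sum(alpha) = 1.
                    eta = K[i][i] + K[j][j] - 2.0 * K[i][j]
                    if eta < 1e-12:
                        continue
                    t = (g[j] - g[i]) / eta                 # unconstrained minimiser
                    t = max(t, -alpha[i], alpha[j] - C)     # clip so both stay in [0, C]
                    t = min(t, C - alpha[i], alpha[j])
                    if abs(t) < 1e-12:
                        continue
                    alpha[i] += t
                    alpha[j] -= t
                    for k in range(l):                      # keep the gradient cache exact
                        g[k] += t * (K[i][k] - K[j][k])
                    biggest = max(biggest, abs(t))
            if biggest < self.tol:
                break
        # KKT: margin support vectors (0 < alpha_i < C) satisfy g_i = rho.
        margin = [g[i] for i in range(l) if 1e-9 < alpha[i] < C - 1e-9]
        if margin:
            self.rho = sum(margin) / len(margin)
        else:  # degenerate case: rho lies between the bounded and the inactive points
            lo = max((g[i] for i in range(l) if alpha[i] >= C - 1e-9), default=0.0)
            hi = min((g[i] for i in range(l) if alpha[i] <= 1e-9), default=lo)
            self.rho = (lo + hi) / 2.0
        self.sv = [X[i] for i in range(l) if alpha[i] > 1e-9]
        self.sv_alpha = [alpha[i] for i in range(l) if alpha[i] > 1e-9]
        return self

    def decision_function(self, x):
        """f(x) = sum_i alpha_i K(x_i, x) - rho, computed over the support vectors only."""
        return sum(a * rbf_kernel(s, x, self.sigma)
                   for a, s in zip(self.sv_alpha, self.sv)) - self.rho

    def predict(self, x):
        """+1 for normal behaviour, -1 for a possible intrusion (negative decision value)."""
        return -1 if self.decision_function(x) < 0 else 1


def constructed_training_set(n=40, seed=7):
    """Constructed sample: n 2-D 'normal' measurements clustered around the origin."""
    rng = random.Random(seed)
    return [(rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)) for _ in range(n)]


def train_demo(nu=0.1, sigma=1.5):
    """Assumed parameters: nu = 0.1 (at most 10% training outliers), RBF width 1.5."""
    X = constructed_training_set()
    return OneClassSVM(nu=nu, sigma=sigma).fit(X), X


def training_outlier_fraction(model, X):
    """Fraction of training points on the negative side; bounded by nu at the optimum."""
    return sum(1 for x in X if model.decision_function(x) < -1e-6) / len(X)


if __name__ == "__main__":
    model, X = train_demo()
    print("training outlier fraction:", training_outlier_fraction(model, X))
    print("support vectors:", len(model.sv), "(at least nu * l = 4)")
    print("far point (8, 8):", model.predict((8.0, 8.0)))      # -1: possible intrusion
    print("central point (0, 0):", model.predict((0.0, 0.0)))  # +1: normal
```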
How KPMG Uses EnCase® Tools to Solve Client's E-Discovery Challenges in Canada
by Dominic Jaar

What you will learn:
• How EnCase eDiscovery helps KPMG in Canada perform remote collection for its clients over their networks.
• How KPMG addresses data privacy issues in the European Union (EU) for international companies.
• A method of simplifying data transfer, culling, and production.
• How EnCase Portable can be used for clients with offices in remote geographic areas.

What you should know:
• The basic principles of digital investigation.
• How e-discovery relates to forensic investigations.

One of the tools that my information management, e-discovery and forensic technology teams use to meet client expectations is EnCase® eDiscovery from Guidance Software. This article describes some of the ways EnCase eDiscovery and EnCase® Portable can be used, and have been used on behalf of our clients, in ways both conventional and creative.

ENCASE® FORENSIC CAPABILITIES
First, let me summarize the technological challenges that EnCase eDiscovery makes manageable. As readers of eForensics Magazine, you're likely to be familiar with the basic EnCase® Forensic product, which allows for digital investigation and forensic collection. EnCase Forensic is a standard part of most e-discovery professionals' toolkits, used to collect electronically stored information (ESI) from laptops, workstations, servers, and portable devices like smartphones and USB thumb-drives. KPMG relies on it because it has always provided us with a complete job, but also because it has the backing of a decade of published court decisions attesting to its acceptability to courts. It is used by law enforcement as well as regulatory, military and intelligence investigators. These days you'll even hear people in the profession say "to EnCase it", meaning to prepare a digital collection from a computer.

The end result of an EnCase Forensic collection is an EnCase evidence file format consisting of a forensic image file (E01) or a logical evidence file (LEF), the second of which is the company's proprietary virtual container for holding collected ESI in a way that makes it possible to verify that the data contained therein is exactly what was collected. Created using a highly auditable process, these evidence file formats provide proven chain-of-custody information that is automatically generated at the time of acquisition and continually verified thereafter as well. Such information cannot be modified or altered within EnCase software, and includes:
eDiscovery offers the option of having the resulting LEF with the collected ESI land wherever we wish on a network. We just identify an output path, and that's where the LEF is stored.

Covering the Entire E-Discovery Cycle
EnCase eDiscovery software provides oversight of the entire e-discovery process, in that it carries the process through every phase of e-discovery. We use it on behalf of our clients to perform early case assessment (ECA) (it offers a web-based viewer that permits searching and filtering, case-specific tagging and commenting on individual e-mails or files, as well as batch coding) and processing. In fact, we at KPMG in Canada have worked and continue to work extensively with EnCase eDiscovery developers at Guidance Software on components of load files that meet our needs and those of our clients.

How We Perform Collections Faster and Better – and Save Clients Money – Using EnCase eDiscovery
The first advantage of using EnCase eDiscovery is simple math: we can conduct collections across a client's network with a single consultant from a single location. Only one operator is required to perform the collection (or pre-collection analytics). Of course, we spend a good deal of time beforehand identifying sources of potentially responsive ESI and crafting the search criteria and parameters, all in close coordination with the client's legal and IT teams, who may be coordinating legal holds, sending legal hold notices, and possibly contending with privacy considerations (I'll discuss below how EnCase eDiscovery can help with collections that encompass the US, Canada, and Europe).

Unlike collections performed by a team of consultants using one-to-one collection technology, going from machine to machine, a few per day, a single consultant using EnCase eDiscovery can collect from hundreds of custodians across a global network, including from:

• Laptops and workstations, including PSTs residing there
• Peripheral devices such as thumb-drives and external hard drives
• Share drives
• Email stores
• SharePoint
• etc.

Many clients prefer that we conduct these collections from within their corporate firewalls, although, in the appropriate case, we can do so virtually from our KPMG offices. We are able to maintain security, confidentiality, and integrity of the data over the network using EnCase eDiscovery, in large part due to the EnCase evidence file formats, which have been accepted in thousands of courts worldwide. All communications with the servlets have to be authenticated by the EnCase Secure Authentication for EnCase (SAFE) server, which provides granular, role-based access that defines which users can connect to which servlets. Integrity is maintained through the EnCase evidence verification process.

The second huge time- and money-saver for our clients comes from the global reach of EnCase eDiscovery. Even if we were to use just a single consultant operating an EnCase eDiscovery collection on a client's network, that single consultant could be conducting numerous simultaneous searches around the world. Because EnCase eDiscovery can also operate virtually, a single operator can be controlling collections launched simultaneously from various locations and jurisdictions around the globe. Each can be scheduled individually to allow for time zones when machines are likely to be turned on. We find that an important advantage of EnCase eDiscovery is that it can search regardless of open applications, which means that if an employee has Outlook® open, for instance, we can still collect email from that custodian.

To give a sense of the scale and reach, a single KPMG in Canada consultant can simultaneously be collecting from 50 or even 100 employees on five separate continents, something that would take at least five consultants using manual collection technology requiring in-person collection. This manual process requires human collection and review of each and every document, email, or other piece of ESI at each physical location. Our new method represents at least an 80% savings in consultant costs for our clients and the benefit of a standardized approach for all collections.

Data Protection Restrictions: Collecting Employees' Data from the EU and US from Canada
EnCase eDiscovery can play a significant role in easing constraints on collection and processing of the personal data of European employees. When United States (US) litigation calls for the preservation and production of data collected from European employees, parties struggle to comply with their court obligations versus EU privacy restrictions. The European Union (EU) data protection laws call for collection approaches that are the least intrusive feasible method for balancing the legitimate business or legal need to collect the data against the employees' right to privacy, which is considered a fundamental human right. The EU also restricts transfer of personal employee data outside of Europe to
countries which do not have what the EU deems to be adequate protection for privacy.

Canada represents a middle ground between the US and Europe when it comes to privacy regulation over collection and processing of employee data. Although located just north of the US, its data privacy laws are much closer to the tough protections of the European Union (EU), and EU data protection officials have declared Canada to have adequate protections for those rights, meaning that data collected from European employees can legally be transferred from Europe to Canada more easily.

On the other hand, the US's lax data protection laws have not earned the adequate protection designation from the EU, and therefore data collected from European employees is normally prohibited from transfer to the US, unless certain stringent requirements are met, including obtaining the signed written consent of the European employee.

The first of these challenges – collection and preservation of European employees' ESI – can be mitigated through the use of EnCase eDiscovery and EnCase® Enterprise, which offers remote and non-disruptive investigation of any endpoint on a company's network. EnCase technology has been approved for use by data officers and works councils at various companies as a collection tool that is less intrusive of privacy than alternative collection methods. Here are the points emphasized by organizations when seeking the approval of data privacy officers and works councils:

• Emphasize that EnCase® Enterprise can enable you to avoid collecting employee personal e-mail or documents. With EnCase Enterprise, your collections will cull the data and preserve only those emails and electronic documents that meet precise search criteria, including keywords and file types. Other documents that do not meet the search criteria – including private personal data (personal data are defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (art. 2 a), http://en.wikipedia.org/wiki/Data_Protection_Directive; see http://export.gov/safeharbor/index.asp for an introduction to Safe Harbor principles and self-certification) – will be left behind.
• Assure that collections will be done from a jurisdiction with "adequate protection" (see http://export.gov/safeharbor/index.asp for an introduction to Safe Harbor principles and self-certification) pursuant to EU data protection authorities. Some works councils are reassured when told that all collections will be done from a jurisdiction that recognizes strict employee privacy, rather than from the US.
• Emphasize that existing investigative policies already approved by the works council will remain in place. For example, HR policies relating to the investigation of potential employee wrongdoing had long ago been approved by the works council and will not be affected by the use of EnCase Enterprise technology. That data would go directly to the company's HR team and would be handled the same as before.
• Permit employees to create a "personal folder." If employees create a folder in their computer file structure with an agreed-upon folder name in which they can place all of their personal data, EnCase Enterprise's search criteria can be configured to leave that folder untouched, so that none of that data will be collected.
• Ability to restrict searches by file type. Employees can be sensitive about certain types of files that may not be of interest to the company – personal photographs, for instance. With EnCase Enterprise, these file types can be excluded.

With its federal privacy mandate, Germany has the most stringent privacy rules in the European Union. For tips on how to obtain German works council approval for use of EnCase, a white paper on the topic is available here.

Simplifying Data Transfer, Culling, and Production
Once targeted portions of European employees' data have been collected, US litigants still face the daunting challenge of transferring that data to the US for review, further culling down, and production to adversaries. This is where KPMG in Canada holds a key geographical advantage, because
Canada is deemed by the EU to have "adequate protection." This means that employees' personal data lawfully collected in Europe can be transferred more easily to Canada, with fewer EU transfer restrictions.

Using Canada as a privacy "safe zone," US litigants can leverage KPMG in Canada's geographic position and EnCase eDiscovery to collect European employees' data remotely from Canada, and then review and process the collected ESI in Canada. EnCase eDiscovery enables us to collect European data from Canada by deploying a collection computer to the client's European network and connecting to this computer using the client's VPN infrastructure.

All communications between EnCase eDiscovery and the collection computer are encrypted with the Advanced Encryption Standard (AES) with a key size of 128 bits. Furthermore, the encryption algorithms used are certified FIPS 140-2-compliant.

Once the data is transferred to Canada, legal teams can review that ESI in Canada and cull it down to the much smaller subset that needs to be produced to adversaries or regulators. Once culled down and ready for production, the organization must then obtain consent from the employees whose data are implicated, which is commonly a smaller number of employees. And at this point, the employee can be reassured that only a fraction of his or her data need be transferred to the US. In some cases none of an employee's ESI will make it through the review process. In most matters, using Canada as the discovery hub between Europe and the US will ease the privacy challenge significantly.

EnCase Portable
Canada is a country of considerable size, with most major cities and business centers in the southernmost part of the country. KPMG in Canada has a number of clients that operate their businesses in the northern part of the country. Many of these are mining or energy companies, and collecting from these remote locations can be complex and expensive.

Historically, we had to fly people out to perform a collection, which was very time-consuming for the client, particularly when all that was needed, in many cases, was a snapshot of a hard drive or server. EnCase Portable is another tool that not only adds a key capability to our skill and tool set, but enables a dramatic reduction in the time required to perform certain steps in data collection and processing.

EnCase Portable is a powerful search and collection software for field or remote personnel, delivered on a USB device. Even non-specialists can plug the EnCase Portable device with pre-configured data-collection jobs into a USB port and:

• Scan for evidence without calling in a specialist or seizing computers;
• Perform forensically sound triage and collection;
• Pre-screen evidence to reduce data volumes, allowing forensic professionals to work more efficiently;
• Return the device and the data to professionals for analysis in an encrypted format.

What this means for my team is that we no longer need to fly to remote locations for a simple task, but can use express delivery services to our client locations, or use their own internal mail, and have the appropriate person at each client site run the data-collection process with our assistance by phone. Then it's a simple matter of returning the EnCase Portable device via delivery service for analysis and processing in one of our KPMG in Canada offices.

We've found that clients prefer this methodology, because they feel actively involved in the process, rather than having a third party come in and disrupt their business processes.

Using EnCase eDiscovery to Process Clients' ESI
A final value-add for KPMG in Canada's clients is that we are able to process collected ESI using EnCase eDiscovery either at their sites or at our offices. While EnCase eDiscovery is better known for its collection capabilities, it also includes a processing engine for culling, de-duplication, other processing and creation of load files in Concordance, Summation, EDRM-XML or native file formats.

In Summary
The globalization of business for many corporations and industries has ushered in an era of complexity with regard to international law and data collections. Our decades of dedicated experience at KPMG in Canada and the use of well-established technologies and products like EnCase eDiscovery and EnCase Portable have allowed us to work creatively within the data protection laws of different countries. We now can offer our clients new options in data collection and processing in a way that enables best practices, complete compliance with the laws of every country and region involved, and the most cost-effective and non-disruptive means possible.

Any trademarks represented in this communication are the property of their respective owner(s).

Author bio
Dominic Jaar: Partner and National Leader, Information Management, eDiscovery and Forensic Technology Services, KPMG.
by Elias Psyllos

What you will learn:
• The risks involved with performing a self-collection
• The importance of having a Forensic Analyst perform the collection
• Why using an outside party for collection purposes is important
• An example of a self-collection gone wrong in a court case

What you should know:
• The purpose of performing forensic collections
• How forensic collections fit into an E-Discovery matter (EDRM cycle)
• How forensic collections pertain to the business world

However, many companies do not have an internal forensic matter expert to manage the electronic discovery process, and this article is geared toward you. Whenever a matter arises that requires the collection or preservation of Electronically Stored Information (referred to throughout the rest of the article as ESI), most companies' first thought is to have their internal IT department create the "images" of the digital media involved in the matter. This is what is known as a "self collection".

IT DEPARTMENT
The topic of "self collection" has been one area of Computer Forensics and E-Discovery that is continuously discussed and debated. Self collection can be defined as "one of the parties involved in a matter creating 'forensic images' (or copies that they think are forensically sound) of digital evidence that can possibly be involved in a matter, for preserving, collecting, and/or analyzing Electronically Stored Information regarding a Digital Investigation or E-Discovery matter."

IT departments and the individuals within them may be capable of creating "images" or copies; however, the result may not be a forensically sound image, and the process may not follow the policies and procedures designated by the courts for collecting ESI. The outcome is a copy that is not forensically sound and, in turn, may be rejected as evidence. Alternatively, because the "image" was not preserved correctly, relevant data could be missing or altered.

Another prevailing aspect of the "self collection" mentality is that companies assume that having their own IT people involved in the forensic process is a good idea. The assumption that the internal IT personnel know the systems and data the best may be correct, but it may have a negative effect on the overall process. IT staff, although experts in the IT field, may not know or understand the correct procedures for collecting or preserving ESI. As well, internal IT departments may not have the correct paperwork, such as Chain of Custody forms, to include in the preservation or collection needed in these matters.

Having a neutral third party conduct the forensic process makes it far harder to challenge the original data that was collected and the methods/procedures taken to collect the data. The neutral third party should involve forensic matter expert(s) who abide by the procedures designated by the courts and have experience in collecting and preserving ESI.

At the same time, having an IT individual conduct analysis of the digital media can lead to vital information related to the matter being lost or overlooked. An IT individual may not know exactly what to look for, as they are not trained Forensic Examiners. They may see relevant data as not so relevant, or may not consider various kinds of digital media to be relevant for collection purposes. Using a third party Forensic Examiner or E-Discovery company is beneficial because of the experience they bring to the table in conducting analysis and in assisting with managing the relevant digital media to be collected/analyzed. The concept here is the same as if you were going to court for a matter. Although a paralegal may know the laws and can essentially guide you through the process, you wouldn't hire them to represent you. You would hire a licensed attorney who has the experience and specific skill set to represent you in court and is able to follow all the correct policies/procedures mandated by the court.

A perfect example of why self collections are not a good choice can be seen in the case Green v. Blitz U.S.A. (E.D. Tex. Mar. 1, 2011). In this case involving ESI, the company had placed one of its own employees in charge of managing the ESI. This individual was not a forensic expert and did not have experience in managing ESI, which in turn caused relevant data to be lost because no legal holds were issued. Instead, employees were urged to delete email and ESI every so often from their systems.

Relevant data was also left out by the employee who conducted the search, as they had no experience in conducting searches on ESI. This resulted in the court rejecting the data and findings. It cost the company more money to remedy the situation than it would have cost to hire a third party Forensic Examiner or E-Discovery Company with a Forensics Team to conduct the matter correctly from the start.
www.eForensicsMag.com
Aside from the more noticeable reasons why you want to have a Forensic Examiner or E-Discovery company with a Forensics Team from the start, here are a few important items to consider. Forensic Examiners have the knowledge and experience of working with attorneys or companies to ensure all the relevant digital media is accounted for and collected in a matter. You don't want to under-collect or over-collect the digital media, creating a data set that is either too small or too large. Over-collecting data can end up costing a large amount of money in E-Discovery terms. Under-collecting data can result in excluding relevant information that is necessary in a matter, or excluding digital media that should have been collected regarding a matter.

Forensic Examiners are trained to work hand in hand with attorneys and companies alike, in order to provide the technical support needed for these types of matters. The examiner can assist in identifying the digital media associated with the relevant custodians (users) involved in a matter by interviewing the custodians and working together with local IT to understand the IT policies and network system.

"THE COMPANIES" IT POLICIES & PROCEDURES
Forensic Examiners or E-Discovery companies with a Forensics Team also have the experience of collecting data in any type of environment. Whether it is for a high profile matter or an "under cover" matter, forensic examiners have the knowledge and ability to adapt to any scenario.

You may be wondering what the relevance is to self collection. IT departments and individuals alike are not trained to deal with these types of scenarios, making it even more difficult to perform a collection correctly. Asking an IT individual to make an "image" of a fellow employee's hard drive creates a problem for the individual. Having the matter stay under the radar may be difficult, or it may cause the IT individual to make a choice between a "friend" at work and creating the image correctly. That is why using a third party Forensic Examiner or E-Discovery Company with a Forensics Team ensures the matter is handled correctly. Forensic Examiners have been trained to assess a situation and adjust their collection approach as necessary while still staying within the court approved procedures.

CHAIN OF CUSTODY
Attempting to perform a "self collection" could result in the original evidence being altered or destroyed if it is not handled properly. If the original evidence is altered in any way, the evidence may not be accepted into court. At the same time, if the original evidence is destroyed prior to creating a forensically sound image, vital information could be lost forever. That is why having a Forensic Examiner handle all the evidence ensures the chain of custody is maintained and that any interaction with the evidence will not alter or affect it.

Overall, the risks associated with "self collection" are heavy in weight. As we discussed throughout this article, the various situations that one performing a "self collection" could run into, as well as the legal ramifications that may follow, as we saw in Green v. Blitz U.S.A. (E.D. Tex. Mar. 1, 2011), can cause much larger problems than using a Forensic Examiner or E-Discovery company with a Forensics Team from the beginning.

Having professionals handle these matters ensures that all steps involved follow the governing policies and procedures accepted by the courts. For those that continue to perform self collections or support it, I urge you to do further research on the legal ramifications as well as the risks involved in performing these collections.

For further information or to discuss a possible Forensic Collection, E-Discovery, or Network Security (Penetration Testing) matter, please feel free to reach out to us at Forensic Security Solutions Company. Feel free to contact us through our website at www.ForensicSSC.com or via email at contact@forensicssc.com. Thank you.

Author bio
Elias Psyllos is the Founder/Managing Director of Forensic Security Solutions Company, a Computer Forensics, E-Discovery, and Network Security consulting firm. Prior to establishing F.S.S.C., he served as a Forensic Examiner, Sr. Forensic Examiner, and Team Lead on the Corporate and Federal Law Enforcement Agency sides of Computer Forensics. He has conducted digital forensic projects for Fortune 500 corporations, AmLaw 100 law firms, large and medium financial institutions and corporations, non-profits, and law enforcement agencies. He has vast experience with conducting forensic acquisitions on digital media and mobile devices, and with targeted, multi-user, and small to large scale collections and analysis. Forensic Security Solutions Company is geared toward providing its customers with extraordinary project management and client interfacing that can be utilized for any size matter. Feel free to visit us at our website, www.ForensicSSC.com.
CLOUD-BASED MOBILE

In addition to becoming a distributed computing challenge, this combination raises many challenges in terms of data security and forensic evidence acquisition. One of the very important issues is how to retrieve the data while ensuring the integrity of the methods for dealing with information contained in, and sourced from, different places. This article describes this aspect and other potential issues with forensic evidence in the space of cloud-based mobile.

Introduction
Broadly speaking, cloud-based mobile platforms can be thought of as data storage and processing happening outside of the mobile device, using cloud services. This has already enabled new types of applications on mobile devices, such as picture and video processing, data backup, context-aware mobile social networks, etc. As a result, running an application on a smartphone is no longer restricted by how powerful the device is. This opens up possibilities for a new class of applications that leverage features from both systems. Mobile devices have indeed remarkable context awareness because of all the sensors and various connectivity options they have. These can be used for advanced contexts such as fine-grained location: for instance, a combination of Bluetooth and Wi-Fi signals can be sent to the cloud and come back as a more precise position in enclosed spaces where GPS signals cannot be received.

According to Juniper Research, the market for cloud-based mobile applications is predicted to grow from $400 million back in 2009 to nearly $39 billion by 2016. In addition to all the environments specifically designed to store content in the cloud, such as Dropbox, SugarSync and iCloud, among many others, most mobile apps are using cloud services. When we consider the top apps for both iOS and Android, most of them use remote resources, including messaging, games, social media, entertainment, travel, education, multimedia, and many others.

In this context, a few questions arise: how to interact with cloud resources and services to conduct forensic investigations? How to investigate incidents or infringements that have occurred using mobile
devices that are interacting with the cloud? This is not a straightforward task, and there is a need to design a forensic procedure that takes into account the characteristics of both systems and their interactions, while preserving the data's integrity and its evidence value, and complying with jurisdictional and regulatory requirements. We believe that these are very important questions, as these devices are becoming knowledge collectors: the data is processed and potentially backed up somewhere else. Currently, data and services are consumed over the network and, therefore, forensic investigations are obviously more complex and tedious to conduct. Moreover, the lack of control over the cloud resources and services used by mobile applications makes it more difficult for the investigators. Another important aspect is the limitations on the providers' side on what can or cannot be done from a forensic point of view, whether an individual is using the service as part of an investigation or the data has been compromised on the cloud.

In this article, we first discuss general issues of conducting forensic investigations on cloud data and services. Different providers have significantly different services, which makes any digital forensics process quite unique and complicated. Then we discuss challenges for conducting a forensic analysis under specific deployment types and delivery models. We then briefly describe legal aspects, followed by a simple case study. It aims to highlight the importance of understanding the design considerations and the data flow of mobile applications using the clouds. Concluding remarks and future directions conclude this paper.

What is involved?
Digital forensics investigations follow specific steps implementing common and best practices for ensuring a chain of custody that will stand up in court. While these are well established in traditional computer forensics [1], [2], the cloud ecosystem presents some very noticeable differences because of its distributed nature, the volatility of its resources, and the technologies used to implement it: virtualisation, machine images, databases and other offerings, etc. An investigation is thus limited by the implementation of the underlying services and backend systems as well as by the way the developers are using them. For instance, dealing with an application using its own database deployment on EC2 is different from dealing with one using SimpleDB. The same applies when using different providers. Data is stored and accessible in different ways, as is the logging of the application itself.

Given the large variety of cloud architectures and systems, there is a huge range of possible use cases. The tools and skills are still relatively immature, as the area is continually evolving. A different and new mind-set is required, as a range of technology stacks and implementations need to be well understood. Consider virtualisation and shared resources, for instance; virtualisation allows the same physical resources to be shared among many service/OS instances. The hypervisor is the piece of software allowing this, and a range of them can be found in [3], [4], [5]. Note that the components that make up cloud environments (CPU, caches, GPUs, etc.) were not necessarily designed to offer strong isolation properties for multi-tenant usage. The investigator needs to be aware of the dynamic nature of hypervisors and understand how they work. Another important consideration is the level of security (are they secure enough? is it possible to access the host or other guests from a guest instance?). Experience has shown that hypervisors have exhibited flaws that have enabled guest OSs to gain inappropriate levels of control or influence over the physical platform.

With these virtual environments, where nearly everything is shared, traditional ownership boundaries are blurred. This is different in the case of a SaaS offering, because the user does not have access to the instances in which the data is stored or to the backend systems that make up the service. Developers use this type of service, such as database or storage services. The investigator needs to understand the way a service works. A storage service like Dropbox, for instance, keeps a local hidden cache folder that holds deleted files for a while, whether users access and update the data through the desktop client or the mobile app. This can help an investigation find out what was happening on that account (until the permanent deletion or the clean-up cycle has been initiated). It is also possible to see deleted data through the Web interface, as well as event logs, if the investigator has legal access to the system, to determine who has recently been looking at the files, editing, or deleting them.

The network also plays a crucial role in this, and is an integral part in identifying eventual servers, machine images, etc., that might need to be taken down or isolated to conduct a more traditional forensics investigation. These would have been nodes or edges of propagated data or events. Consequently, it is of prime importance to understand applications' data flow. Another important point is versioning and restoring earlier states, which are not always supported, although it can be essential in many cases. The next few sections identify a number of challenges of cloud-based mobile forensics.

Forensics challenges
Cloud resources provide huge opportunities to companies and developers for hosting, computing, and storing their data and services. As already mentioned, this new paradigm presents huge challenges for forensics investigations. The current lack of standards, and the need for efficient and generic monitoring and data tracking tools, are apparent. Obviously, the overall process does not need to be changed, but rather the way the investigators respond to each of the cloud types, services and service models in these environments. In other words, the forensic process faces the huge challenge of combining various logical and physical entities, rather than an isolated physical entity such as a desktop or a mobile device.

In the context of mobile systems, the client is a smartphone or a tablet accessing a remote service on the cloud provider. The mobile device itself is obviously the primary source of evidence in the case of an investigation. Many studies have been done on acquiring the data from these devices, recovering deleted data from database files, dealing with flash memories [6], [7], among others. However, we believe that remote access and services will play an increasingly important role in future investigations, as most apps will be outsourcing their data and computational needs to cloud type infrastructure. There is also the case of attacks and breaches either using or involving these devices. A recent study from Arxan, a software security company, showed that more than 90% of top paid mobile apps have been hacked [8]. The hackers reverse-engineer the code of an app, alter it and return it to the market, usually via third party markets.

The important question is how to go beyond the device itself into the cloud to provide additional forensic data to prove or disprove that an action (a communication, a breach, etc.) has occurred. Depending on the remote service, it should be possible to obtain data (actual data or logs) to recreate accesses and the sequence of events. The first technical challenge then is how to find the information source: a particular virtual instance that was running or supporting a particular service at a particular time. Time is a very important issue here: if the logging is not properly synchronised between the different components of the system, it would be difficult to present it as valid evidence in court. The main challenge boils down to the acquisition, where next generation forensic tools must be able to identify all the physical and logical components in a range of cases among different architectures and implementations of cloud delivery models. In the following, we briefly present some of the challenges with the basic delivery models.

IaaS
Infrastructure as a Service is the delivery of infrastructure in the form of virtualised instances. This is the most open of the delivery models in terms of access to the provider side, and is the only one where traditional forensic acquisition may apply, via snapshots and machine images. There are, however, many challenges in relation to the way different IaaS offerings are presented:

• The data is not always persistent: in Amazon's EC2, for instance, EBS (Elastic Block Store) has to be used to allow data to persist independently of the lifetime of an instance.
• Logs and data might be fragmented and distributed, which may affect the acquisition.
• Multi-tenancy and shared resources, and the way the storage space is allocated, may also contaminate the imaging and acquisition.

Also, even with the relative accessibility, low-level analysis is still not possible, nor is access to the hardware.

PaaS
Platform as a Service is the delivery model where computing and development platforms and solution stacks are offered as services. It is supposed to facilitate the development and deployment of applications by sparing users the complexity of administering the infrastructure, development, and deployment layers. It provides the necessary tools to support the complete life cycle of building and delivering applications and services. In this case, the client side only controls the source code and the development cycle, which makes it a lot more challenging. All the challenges described for IaaS may also apply here, in addition to the fact that these are proprietary closed systems.

In addition to access and authentication logs, which are provider-specific, some features of these systems may be of use in an investigation. Also, with the emergence of the multi-cloud trend, there is a possibility of deployments on various clouds. Many libraries and PaaS offerings support a range of provider operations, languages, frameworks, and services, including LibCloud [9], Cloud Foundry [10], and JClouds [11]. Multi-cloud deployments make it even more challenging for an investigation to trace and analyse applications and data. A platform called Feedhenry [12], staging its servers' execution to Cloud Foundry, is an example of support for multi-cloud deployments, although the current multi-cloud support in Cloud Foundry itself is still limited.

SaaS
Software as a Service is the model in which a provider licenses applications to customers. It is the most closed model in terms of forensics and acquisition. An investigation would be very dependent on the cloud side access and logging features, in addition to the service implementation and its deployment. How to isolate a particular process would also be a problem in this model. Many companies prefer to outsource their apps to SaaS providers. The model is indeed attractive, offering ready-to-use customisable apps that can be used on various devices.

Discussion
There are obviously different possible configurations in terms of what part of the application (code and data) is being hosted on the cloud or on the device itself, in addition to what technology, model, or support are being used.

An emerging trend in creating, deploying, and managing cloud-based mobile applications is powered by what are called mobile platforms, or more formally Mobile Enterprise Application Platforms (MEAP). There are many MEAP tools, including Tiggzi [13], WebMobi [14], SUP from Sybase/SAP, and Feedhenry [15]. These are not widely adopted yet; however, investigators need to build knowledge about these technologies, as the market seems to be moving towards MEAP. There are also apps accessed only through a browser, called Web apps. Mobile specific features might not be available in this case, but a native app can be wrapped around it to provide wider access to such features (location-based, for instance). These trends specifically target ease of reuse across different devices and systems.

In addition to these technologies, any of the delivery models can be used to develop mobile apps. Furthermore, mobile middleware can also help companies expose their internal assets to developers and remote apps as mobile APIs, which may be cloud-based as well. All these cases and technologies introduce high complexity for developers, administrators, managers, and obviously for investigators. In all cases, the data flows between backend and devices. Therefore, its caching, encryption, the security involved, services, etc., all need to be well understood.

Legal implications
The challenges in cloud-based forensics are not only technical. There are many legal challenges associated with data recording and privacy issues. Data privacy laws and policies are diverse; what data can be acquired, and how to deal with it for current or future investigations, changes across borders. The data logged, its type, and its storage duration can also change. In addition, many other questions need to be addressed, including the manner in which the data is provided to the investigator and what the process of acquiring it is, how long it should take for the provider to produce the required data, and whether there is any legal implication for the provider if the data was not made available on time. These questions are all hugely important, especially with the clouds being ubiquitous, multinational, and widely distributed.

Compliance with regulations is the main hurdle so far, as most lawmakers and regulators all over the world establish control mechanisms to safeguard individual businesses. The process of acquiring the data is indeed often more scrutinised than the actual evidence recovered for a criminal investigation. This has a direct impact on the forensic analysis and the necessary mind-set around the area. It needs to be adapted to different laws in different jurisdictions, with different organisations recording different levels of detail.

Case study
With the increasing success of cloud platforms and services, most companies and developers are leveraging cloud capabilities for their applications. However, as should have come across from the previous sections, there is a large number of possible scenarios and use cases. We have already mentioned the case of cloud storage (sharing, backups, etc.) supported by many apps, using services like Dropbox and SugarSync. Depending on the backend system, there are different ways of tracing data in the case of a breach or a search for information. In this simple use case, we consider a global view of a data lifecycle.

Consider the case of sharing data on social media, for instance. Most of the apps cache the data locally (for performance reasons and network considerations). However, if this data is cleared from the device itself, it would still be accessible somewhere else. For instance, in one of the most popular photo sharing apps, namely Instagram, the data is still available and accessible on the cloud after being cleared from the device. Instagram uses Amazon services including EC2, S3 and CloudFront as CDN (Content Delivery Network), and the photos go straight to Amazon S3. When a user performs a deletion, the photos are in fact removed from the CDN. The photo URLs (which we saved beforehand) return Access Denied errors, which in this case say nothing about the existence of the requested data. The data is no longer linkable, but it is still available on S3 for a certain period of time. The data flow in this case is quite straightforward, with data only moving between the device and Amazon's services and resources. This could be more complicated in other cases, which combine self-hosting with the cloud, or multi-cloud deployments.

This distribution of the data across multiple physical locations, while potentially helping investigators, creates many issues about users' data privacy. Indeed, a quick look at apps' data access shows that they overreach their permissions. Why do Instagram, for instance, or Yelp, Waze, etc., have access to call logs? Dozens of apps were actually found to be taking users' address books without their knowledge, according to VentureBeat, a technology blog. There is very little indication about how the information will be used or how the company stores it or plans to store it. These issues will
play an important role in the near future in terms of forensic investigations. Consequently, there is an increasing tendency to encrypt and even destroy messages, logs, etc. as an "anti-forensic" functionality. Enhanced privacy means more complicated forensic examinations. As an example, there is a service (due to launch in October 2012), called Silent Circle, which offers a whole private network with an encrypted suite for all calls and text communications. How to deal with this 'privacy vs. forensics' dilemma in the cloud context is an interesting aspect to look at in the near future.

implications in terms of forensics analysis. We also discussed legal implications and presented a simple case study to show the importance of understanding the flow of data and events. In future work, we will document the fundamentals of digital forensics investigations for cloud-based apps and platforms, with the purpose of proposing efficient methods and procedures for acquiring the data, preserving its integrity and its evidence value.
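The "Forensics challenges" section above makes the point that a sequence of events reconstructed from device, backend and storage logs is only evidence if the clocks behind those logs are reconciled, and the case study describes a device-to-backend-to-S3 data flow. The script below is an added example, not code from the article or from any provider, showing the minimal discipline an examiner would apply: normalise every timestamp to UTC, apply a per-source clock correction measured against a trusted clock at acquisition time, merge, and then check the merged timeline against the known data flow so that a server appearing to log a request before the device sent it is flagged rather than silently ordered. The three log formats, request ids and the 2-second skew are constructed for the example.

```python
"""Merge logs from a device, an API tier and a storage tier into one UTC timeline.

Added example (not the article's code). The log formats, request ids and the
clock skew below are constructed; the data flow device -> api -> storage is the
one the article's case study describes.
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample logs: one per component, three different timestamp styles.
DEVICE_LOG = """\
2012-09-14T10:02:11+02:00 req=a1 upload photo.jpg
2012-09-14T10:02:40+02:00 req=a2 delete photo.jpg
"""
API_LOG = """\
[14/Sep/2012:08:02:09 +0000] req=a1 PUT /photo.jpg 200
[14/Sep/2012:08:02:38 +0000] req=a2 DELETE /photo.jpg 204
"""
STORAGE_LOG = """\
2012-09-14T08:02:12Z PUT photo.jpg req=a1
2012-09-14T08:02:41Z DELETE photo.jpg req=a2
"""

# The order in which a request must be seen by the components (known data flow).
FLOW = ("device", "api", "storage")
REQ = re.compile(r"req=(\w+)")


def _utc(ts):
    """Convert an aware datetime to UTC; refuse naive ones (no zone = no evidence)."""
    if ts.tzinfo is None:
        raise ValueError("timestamp without timezone: %r" % ts)
    return ts.astimezone(timezone.utc)


def parse_device(line):
    ts, rest = line.split(" ", 1)
    return {"source": "device", "ts": _utc(datetime.fromisoformat(ts)),
            "req": REQ.search(rest).group(1), "event": rest.strip()}


def parse_api(line):
    m = re.match(r"\[(.+?)\] (.*)", line)
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return {"source": "api", "ts": _utc(ts),
            "req": REQ.search(m.group(2)).group(1), "event": m.group(2).strip()}


def parse_storage(line):
    ts, rest = line.split(" ", 1)
    # fromisoformat() accepts a trailing "Z" only from Python 3.11 on.
    ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"source": "storage", "ts": _utc(ts),
            "req": REQ.search(rest).group(1), "event": rest.strip()}


def load_events():
    events = []
    for text, parser in ((DEVICE_LOG, parse_device), (API_LOG, parse_api),
                         (STORAGE_LOG, parse_storage)):
        events += [parser(l) for l in text.splitlines() if l.strip()]
    return events


def apply_skew(events, skew):
    """skew maps source -> seconds to ADD to that source's clock to reach true UTC,
    as measured by the examiner against a reference clock when the logs were acquired."""
    return [dict(e, ts=e["ts"] + timedelta(seconds=skew.get(e["source"], 0)))
            for e in events]


def timeline(events):
    """Merge by corrected UTC time; ties broken by position in the data flow."""
    return sorted(events, key=lambda e: (e["ts"], FLOW.index(e["source"])))


def causality_violations(events):
    """Return (req, earlier_hop, later_hop) wherever a later hop logged a request
    before an earlier hop did, which synchronised logs can never show."""
    seen = {}
    for e in events:
        seen.setdefault(e["req"], {})[e["source"]] = e["ts"]
    bad = []
    for req, hops in sorted(seen.items()):
        for a, b in zip(FLOW, FLOW[1:]):
            if a in hops and b in hops and hops[b] < hops[a]:
                bad.append((req, a, b))
    return bad


if __name__ == "__main__":
    raw = load_events()
    print("uncorrected:", causality_violations(raw))
    # Constructed finding: the API host's clock was 2 s behind the reference clock.
    fixed = apply_skew(raw, {"api": 2})
    print("corrected:  ", causality_violations(fixed))
    for e in timeline(fixed):
        print(e["ts"].isoformat(), e["source"], e["event"])
```

Run as-is, the uncorrected merge reports both requests as logged by the API before the device sent them; once the measured 2-second offset is applied the violations disappear and the timeline reads device, API, storage for each request. The offset is deliberately an input rather than something estimated from the logs themselves: one-directional events cannot separate clock skew from network latency, so the correction has to come from a measurement recorded in the chain of custody.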
Sim Card Forensics
by Apurva Rustagi

The Global System for Mobile communications, popularly known as GSM, is one of the primary mobile telephony systems found around the world, competing with Code Division Multiple Access (CDMA). Europe, including the United Kingdom, uses GSM standards for mobile communications. In GSM taxonomy, a cellular phone is called a Mobile Station, comprised of two distinct components, namely the Subscriber Identity Module (SIM) and the Mobile Equipment (ME), i.e. the phone handset. GSM uses SIM card technology for implementing user authentication and accessing subscribed services.

Before going into the technical details, it would be better to first understand why forensic investigation of SIM cards is so valuable and what pieces of data might be available for extraction from a SIM card. Mobile telephony, which is essentially a means of communication, implies the exchange of voice and data between two subscribers through a common network. Such voice and data can be useful in many investigations. Secondly, every mobile telephony system traces the position of handset terminals for the transfer of data between the terminal and the fixed network. Since a subscriber needs a mobile device to receive or send data, he would generally carry it on his person. This establishes a one-to-one relationship between the user and the mobile device, which may prove to be very interesting to an investigation.

The various kinds of information that can be stored in the SIM are as follows.

SUBSCRIBER INFORMATION
Every SIM card is identified by a unique Integrated Circuit Card Identification (ICCID), which can be up to 20 digits long. It consists of an industry identifier prefix ("89" for telecommunications), followed by a country code, an issuer identifier number, and an individual account identification number. The ICCID can be read from the SIM without providing a PIN and can never be updated. The country code and issuer identifier can be used to determine the network operator providing service and to obtain call data records for the subscriber.
The SIM stores the International Mobile Subscriber Identity (IMSI), which is a unique identifier for each subscriber in the system. Like the ICCID, it is a composite value, comprised of a Mobile Country Code (MCC), a Mobile Network Code (MNC) and a Mobile Subscriber Identity Number (MSIN). Networks use the IMSI to identify which network a device owner subscribes to and, if it is not their own network, whether to allow access to the service.

The SIM card also stores the Mobile Station International Subscriber Directory Number (MSISDN), which should contain the telephone number assigned to the subscriber for receiving calls on the phone. This value, however, can be updated by the subscriber, making it a less reliable data source, since it may then be inconsistent with the actual assigned number.

Phonebook and Call Information
Abbreviated Dialing Numbers (ADN): Subscribers can maintain a list of the numbers they call, or from which they are called, more frequently, or that are of more importance to them.
Last Numbers Dialed (LND): This storage is used to retain the most recent phone numbers called by the device. The presence of a log entry does not guarantee that a call to this number took place, because there may have been an attempt to call that was unsuccessful on the network.

Messaging Information
Text messaging is a means of communication in which messages entered on one cell phone are sent to another via the mobile phone network. Each SMS contains other information besides the text itself. This includes the time an incoming message was sent, the sender’s phone number, the SMS Center address, and the status of the entry. The status of a message entry can be marked as free space or as occupied by one of the following: a received message to be read; a received message that has been read; an outgoing message to be sent; or an outgoing message that has been sent. Deletion of SMS works fundamentally like deletion of files in traditional file systems. When a user deletes messages using his phone, the messages are marked as free space and retained on the SIM until they are overwritten. When a new message is written to an available slot, the unused portion is filled with padding, overwriting any remnants of a previous message that might be there.

Location Information
GSM is a cellular network consisting of distinct radio cells used to establish communications with mobile phones. The SIM keeps track of the area under which it falls for both voice and data communications. The Location Information (LOCI) file contains the Location Area Information (LAI) for voice communications. The LAI is composed of the MCC and MNC of the location area and the Location Area Code (LAC), an identifier for a collection of cells. When the phone is turned off, the LAI is retained, making it possible to determine the general locale where the phone was last operating.

Similarly, the GPRS Location Information (LOCIGPRS) Elementary File (EF) contains the Routing Area Information (RAI) for data communications over the General Packet Radio Service (GPRS). The RAI is composed of the MCC and MNC of the routing area and the LAC, as well as a Routing Area Code (RAC), an identifier of the routing area within the LAC. Routing areas may be defined the same as location areas, or they may involve fewer cells, providing greater resolution.

File System
(Swenson, Manes, & Shenoi)
Here are some details about the SIM card file system and the commands for processing it, followed by an explanation of the prototype application and the data that can be retrieved. A SIM card is a type of smart card. A smart card’s file system is stored in an internal Electrically Erasable Programmable Read Only Memory (EEPROM) chip, protected by security features of the card. It has a hierarchical tree structure with a root called the Master File (MF), shown in Figure 1.

Figure 1. Hierarchical structure of the Electrically Erasable Programmable Read Only Memory (EEPROM) chip

As in many other file systems, there are two classes of files: directories, called Dedicated Files (DF); and files, called Elementary Files (EF). They can be viewed as the nodes and leaves of a tree, respectively. The MF is a DF. The main difference between a DF and an EF is that a DF contains only a header, whereas an EF contains a header and a body. The header contains all the meta-information that quantitatively relates the file to the structure of the file system (available space under a DF, number of direct children, length of a record, etc.) and security information, whereas the body contains information related to the application for which the smart card has been issued.

Depending on the structure of the body, four types of EF are possible in a smart card’s file system:

• Transparent EF: These files are organized as a sequence of bytes. It is possible to read all or
only a subset of their contents by specifying a numeric interval.
• Linear-fixed EF: The atomic unit for these files is the record, instead of the byte. A record is a group of bytes that have a known coding: every record of the same file represents the same kind of information. In a linear-fixed EF, all the records have the same length.
• Linear-variable EF: This is the same as a linear-fixed EF, but here the length may vary from one record to the other.
• Cyclic EF: These files implement a circular buffer where the atomic unit of manipulation is the record. Therefore, the concepts of “first and last” are substituted by those of “previous and next.”

SIM cards, which are a proper subset of smart cards, do not allow linear-variable EFs, implementing only transparent, linear-fixed and cyclic EFs. Every file is unambiguously identified by its ID, which acts as the name of the file. No two files in the whole file system can have the same ID.

The allowed file system operations are coded into a set of commands. The interface device (IFD), which is the device capable of interfacing with a smart card and setting up a communication session, issues the commands to the smart card and then waits for responses. The IFD acts as the “master” and the smart card as the “slave.”

The aforementioned commands, by means of which it is possible to interact with a SIM card’s file system, are:

• SELECT: This command selects a file for use and makes the header of that file available to the IFD;
• STATUS: This command has the meaning of a SELECT with MF as argument;
• READ BINARY: This command reads a string of bytes from the current EF;
• UPDATE BINARY: This command updates a string of bytes in the current EF;
• READ RECORD: This command reads one complete record in a record-formatted file;
• UPDATE RECORD: This command updates one complete record in a record-formatted file;
• SEEK: This command searches the records of a record-formatted file for the first record that starts with the given pattern;
• INCREASE: This command adds the value passed as a parameter by the IFD to the last increased/updated record of the current cyclic EF and stores the result in the oldest increased/updated record. It is used for incrementing time or charge information.
• GET RESPONSE: The IFD uses this command to transfer data from the smart card to the IFD. It is the IFD itself that has to request it.

What is important to note is that there is no command to eliminate or create files; nor is there a command to quickly browse the file system.

Smart cards can be compared to safes. Like safes, they implement many security systems to protect their content: data. One such security system uses “access conditions.” If any of the commands were executable by anyone at any time, all sensitive data stored in the file system would be readily available to the external world. Access conditions are constraints on the execution of commands. They allow command execution only by authorized entities and only during the corresponding authorization times. There are 16 access conditions, shown in Table 1, and every file in the file system has its own specific access conditions for each command. Access conditions are organized in levels, but this organization is not hierarchical: that is, authorization for higher levels does not imply authorization for lower levels.

Table 1. 16 access conditions
LEVEL   Access Condition
0       ALWays
1       CHV1
2       CHV2
3       Reserved for Future Use
4-14    ADM
15      NEVer

Briefly, the meaning of these access conditions is:

• ALW: The command is always executable on the file;
• CHV1: The command is executable on the file only if either the Card Holder Verification 1 (CHV1) code or the Unblock Card Holder Verification 1 (UNBLOCK CHV1) code has been successfully provided;
• CHV2: This is the same as CHV1, but using the Card Holder Verification 2 (CHV2) code or Unblock Card Holder Verification 2 (UNBLOCK CHV2);
• ADM: Allocation of these levels is the responsibility of the administrative authority – the card provider or the telephony provider that issues cards to its subscribers;
• NEV: The command is never executable on the file.

The SIM operating system typically allows three attempts to enter the correct CHV before blocking further attempts. If the user fails to enter the correct CHV value more than three times, access to the SIM is blocked, and the correct Unblock CHV value needs to be submitted. This is also known as a PIN Unblocking Key or “PUK”, and it resets the CHV and the attempt counter.
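To make the encodings described above concrete, here is an added Python example (not from the article or its references) that decodes constructed EF_ICCID, EF_IMSI and EF_LOCI contents as READ BINARY would return them. The swapped-nibble BCD layout, the file identifiers 2FE2, 6F07 and 6F7E, and the packing of the LAI follow GSM 11.11 and TS 24.008 as I read them; the sample byte strings, the two-digit country-code split of the ICCID and the default two-digit MNC are assumptions made for the example.

```python
"""Decode three SIM elementary files as returned by READ BINARY (added example).

Layouts follow GSM 11.11 (EF_ICCID 2FE2, EF_IMSI 6F07, EF_LOCI 6F7E) and
TS 24.008 for the Location Area Information; all sample bytes are constructed.
"""


def swapped_bcd(data: bytes) -> str:
    """Decode swapped-nibble BCD: low nibble first, 0xF nibbles are padding."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble != 0xF:
                digits.append(str(nibble))
    return "".join(digits)


def decode_iccid(raw: bytes) -> dict:
    """EF_ICCID: up to 20 digits; '89' prefix, country code, issuer id, account id.

    The country code is 1 to 3 digits long; two digits are assumed for this sample.
    """
    iccid = swapped_bcd(raw)
    return {
        "iccid": iccid,
        "industry": iccid[:2],        # "89" = telecommunications
        "country_code": iccid[2:4],   # assumption: 2-digit country code
        "issuer_and_account": iccid[4:],
    }


def decode_imsi(raw: bytes, mnc_len: int = 2) -> dict:
    """EF_IMSI: byte 0 = length in bytes, then a parity/type nibble and the digits.

    The MNC is 2 or 3 digits depending on the MCC; two digits are assumed by default.
    """
    length = raw[0]
    digits = swapped_bcd(raw[1:1 + length])
    imsi = digits[1:]  # drop the leading parity/type nibble, which is not a digit
    return {
        "imsi": imsi,
        "mcc": imsi[:3],
        "mnc": imsi[3:3 + mnc_len],
        "msin": imsi[3 + mnc_len:],
    }


def decode_lai(lai: bytes) -> dict:
    """LAI (5 bytes): MCC/MNC packed as in TS 24.008 10.5.1.3, then a 16-bit LAC."""
    o1, o2, o3 = lai[0], lai[1], lai[2]
    mcc = f"{o1 & 0xF}{o1 >> 4}{o2 & 0xF}"
    mnc = f"{o3 & 0xF}{o3 >> 4}"
    if (o2 >> 4) != 0xF:  # a third MNC digit is present (0xF marks a 2-digit MNC)
        mnc += str(o2 >> 4)
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(lai[3:5], "big")}


LOCATION_UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def decode_loci(raw: bytes) -> dict:
    """EF_LOCI (11 bytes): TMSI(4) | LAI(5) | TMSI TIME(1) | location update status(1)."""
    if len(raw) != 11:
        raise ValueError("EF_LOCI is 11 bytes long")
    info = decode_lai(raw[4:9])
    info["tmsi"] = raw[0:4].hex()
    info["update_status"] = LOCATION_UPDATE_STATUS.get(raw[10] & 0x07, "reserved")
    return info


# Constructed sample contents (not taken from any real card).
SAMPLE_ICCID = bytes.fromhex("98441100000021436587")                # ICCID 89441100000012345678
SAMPLE_IMSI = bytes.fromhex("080910101032547698")                  # IMSI 001 01 0123456789 (test PLMN)
SAMPLE_LOCI = bytes.fromhex("AABBCCDD" "00F110" "1234" "00" "00")  # TMSI, LAI 001/01 LAC 0x1234

if __name__ == "__main__":
    print(decode_iccid(SAMPLE_ICCID))
    print(decode_imsi(SAMPLE_IMSI))
    print(decode_loci(SAMPLE_LOCI))
```

The IMSI decoder drops the first nibble because EF_IMSI stores a parity/type nibble ahead of the digits; forgetting that is the usual cause of a 16-"digit" IMSI in home-grown parsers. The LOCI decoder gives exactly the MCC, MNC and LAC the article describes as the last known general locale, plus the update status byte that tells you whether that LAI was current when the phone was switched off.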
Bibliography
• Casadei, F. S. (2006, Fall). Forensics and SIM Cards: an Overview. International Journal of Digital Evidence.
• ETSI (n.d.). Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module – Mobile Equipment (SIM – ME) Interface (3GPP TS 11.11 version 8.12.0 Release 1999).
• ETSI (n.d.). GSM 11.11 Specification of the Subscriber Identity Module – Mobile Equipment (SIM-ME) Interface.
• Savoldi, A., et al. (n.d.). SIM and USIM Filesystem: a Forensics Perspective.
• Wikipedia (n.d.). Subscriber Identity Module. Retrieved March 23, 2010, from http://en.wikipedia.org/wiki/Subscriber_Identity_Module
• Swenson, C., Manes, G., & Shenoi, S. (n.d.). Imaging and Analysis of GSM SIM Cards. Advances in Digital Forensics.
• Jansen, W., & Ayers, R. (n.d.). Forensic Software Tools for Cell Phone Subscriber Identity Modules.
Forensic Tools
There are various tools for data management on SIM cards. Such tools give users the ability to read as well as write data onto the SIM card; data management tools that allow the writing of data should be avoided for forensic analysis.

Among the available forensic tools for SIM card data acquisition are Cellebrite UFED and Paraben SIM Card Seizure. More tools are available, and they use the same fundamental concepts for acquisition. Traditional imaging, like that of hard disk drives, is not possible for SIM cards due to the various levels of access restriction levied on the files. Instead, command directives called Application Protocol Data Units (APDUs) are sent to the SIM to extract data, without modification, from each EF of the file system. The APDU protocol is a simple command-response exchange. Each element of the file system defined in the standard has a unique numeric identifier; these identifiers can be used to reference the element and perform some operation on it, such as reading its contents, when using an acquisition tool.
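The command-response exchange just described, as an added Python example rather than any acquisition tool's own code: it builds GSM 11.11 APDUs for SELECT, GET RESPONSE and READ BINARY, refuses to build the commands that write (UPDATE BINARY, UPDATE RECORD, INCREASE), and runs the SELECT-down-the-path-then-read sequence against a constructed in-memory stand-in for a SIM that enforces the ALW and CHV1 access conditions from Table 1. The instruction bytes and status words (90 00, 9F XX, 94 00, 94 04, 98 04) follow GSM 11.11; the ToySim class, its file contents, its four-byte header and the hypothetical read_ef helper are constructed for the demonstration, and a real card returns a longer, structured header.

```python
"""Read-only SIM acquisition over GSM 11.11 APDUs against a constructed toy SIM (added example).

Instruction bytes and status words follow GSM 11.11; the toy card's file contents,
header format and access conditions are constructed for the demonstration.
"""
from typing import Dict, List, Optional, Tuple

CLA_GSM = 0xA0
INS = {
    "SELECT": 0xA4, "STATUS": 0xF2, "READ BINARY": 0xB0, "READ RECORD": 0xB2,
    "SEEK": 0xA2, "GET RESPONSE": 0xC0,
    "UPDATE BINARY": 0xD6, "UPDATE RECORD": 0xDC, "INCREASE": 0x32,
}
# Commands an acquisition tool may send: everything that never changes card contents.
READ_ONLY = {"SELECT", "STATUS", "READ BINARY", "READ RECORD", "SEEK", "GET RESPONSE"}
MF, DF_GSM, EF_ICCID, EF_IMSI = 0x3F00, 0x7F20, 0x2FE2, 0x6F07


def build_apdu(cmd: str, p1: int = 0, p2: int = 0, data: bytes = b"", le: int = 0) -> bytes:
    """Build a command APDU (CLA INS P1 P2 P3 [data]); refuse any command that writes."""
    if cmd not in READ_ONLY:
        raise PermissionError(f"{cmd} modifies the SIM and is blocked in acquisition mode")
    header = bytes([CLA_GSM, INS[cmd], p1, p2])
    if data:
        return header + bytes([len(data)]) + data   # P3 = length of outgoing data
    return header + bytes([le])                     # P3 = expected response length


class ToySim:
    """In-memory stand-in for a SIM: a small file tree with per-file read access conditions."""

    def __init__(self, chv1_verified: bool = False):
        self.chv1_verified = chv1_verified
        self.current = MF
        self.pending = b""
        # fid -> (read access condition, body); body None means the file is a DF.
        # Contents are constructed; the CHV1 read condition on EF_IMSI matches GSM 11.11.
        self.files: Dict[int, Tuple[str, Optional[bytes]]] = {
            MF: ("ALW", None),
            DF_GSM: ("ALW", None),
            EF_ICCID: ("ALW", bytes.fromhex("98441100000021436587")),
            EF_IMSI: ("CHV1", bytes.fromhex("080910101032547698")),
        }

    def transmit(self, apdu: bytes) -> Tuple[bytes, int]:
        """Return (response data, status word SW1SW2) for one command APDU."""
        ins, p1, p2, p3 = apdu[1], apdu[2], apdu[3], apdu[4]
        if ins == INS["SELECT"]:
            fid = int.from_bytes(apdu[5:7], "big")
            if fid not in self.files:
                return b"", 0x9404          # file ID not found
            self.current = fid
            cond, body = self.files[fid]
            # Constructed 4-byte header: fid, type (04 = DF, 00 = EF), body length.
            self.pending = fid.to_bytes(2, "big") + bytes([0x04 if body is None else 0x00, len(body or b"")])
            return b"", 0x9F00 | len(self.pending)  # 9F XX: XX bytes await GET RESPONSE
        if ins == INS["GET RESPONSE"]:
            out, self.pending = self.pending[:p3], b""
            return out, 0x9000
        if ins == INS["READ BINARY"]:
            cond, body = self.files[self.current]
            if body is None:
                return b"", 0x9400          # no EF selected
            if cond == "CHV1" and not self.chv1_verified:
                return b"", 0x9804          # access condition not fulfilled
            offset = (p1 << 8) | p2
            return body[offset:offset + p3], 0x9000
        return b"", 0x6D00                  # unknown instruction code


def read_ef(sim: ToySim, path: List[int], length: int) -> dict:
    """SELECT down the path, collect each header with GET RESPONSE, then READ BINARY the EF."""
    trace = []
    for fid in path:
        _, sw = sim.transmit(build_apdu("SELECT", data=fid.to_bytes(2, "big")))
        trace.append((f"SELECT {fid:04X}", sw))
        if sw >> 8 != 0x9F:
            return {"fid": fid, "data": None, "sw": sw, "trace": trace}
        _, sw = sim.transmit(build_apdu("GET RESPONSE", le=sw & 0xFF))
        trace.append(("GET RESPONSE", sw))
    data, sw = sim.transmit(build_apdu("READ BINARY", 0, 0, le=length))
    trace.append((f"READ BINARY {length}", sw))
    return {"fid": path[-1], "data": data if sw == 0x9000 else None, "sw": sw, "trace": trace}


if __name__ == "__main__":
    card = ToySim()
    print(read_ef(card, [MF, EF_ICCID], 10))          # ALW: readable without a PIN
    print(read_ef(card, [MF, DF_GSM, EF_IMSI], 9))    # CHV1 not verified: SW 98 04, no data
```

The trace each call returns is the audit record an examiner wants: which files were selected, which status word came back, and that no UPDATE or INCREASE was ever sent. A status of 98 04 on EF_IMSI without a verified CHV1 is the expected outcome, not an error to work around; it documents which files were out of reach rather than quietly returning empty data.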
Author bio
Apurva Rustagi works for one of the Big 4 consultancy firms and holds a special interest in mobile forensics. He can be contacted at apurva.rustagi@ymail.com.
MALWARE ANALYSIS:
Detecting and Defeating
Unknown Malware
by Kevin McAleavey, The KNOS Project

What you will learn:
• How to locate suspicious programs and how to determine if they’re malware or benign
• Using file hashes in order to verify the origin and authenticity of suspicious programs
• How to locate the startups for malware, all of the associated components and locations where malware can hide
• How to locate rogue services and unkillable malware processes and regain access to the system
• Useful tools to aid in the diagnosis and mitigation of malware

What you should know:
• Familiarity with use of the REGEDIT Windows Registry editor
• Familiarity with use of the Windows CMD command line
• Familiarity with the normal layout of a Windows file system

According to antivirus vendor Symantec, over 1 million new pieces of malware are created every day. In 2011, Symantec saw over 403 million new malware samples, according to Kevin Haley, Director of Security Technology and Response, at his “Symantec Security Awareness” presentation in October 2012. The samples received by Symantec and other antivirus and antimalware vendors are analyzed primarily by automated systems, and occasionally by human analysts, to become “signatures” placed in their detection databases on a daily basis.

Despite all these known samples, it is common for malware to slip right past security solutions undetected and unmitigated, leaving more systems infected with each passing day despite these efforts. Those of us who have been fighting the “war on malware” know full well that we’ve been losing the battle badly, and so do Information Technology Administrators and Managers.

When malware strikes a computer, the obligatory response by IT departments is to remove the machine, wipe and reformat the hard drive, reload a fresh copy of the operating system and then reimage the drive with the normal complement of authorized applications and configurations, whereupon it is returned to the victim in a known and “trusted” state. While this causes great inconvenience to the victim, who has now lost whatever work may have been on the machine, it is the only practical means to remove malware, given that the antivirus and antimalware industry has been losing the battle against malware for years now.
Bots
The term “bot” is derived from “robot”; bots are automated malware that control network communications or services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information, and then interact automatically with instant messaging (I​M), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites, and recent ones have featured highly customized protocols of their own.

Bots are self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or “botnet.” With a botnet, attackers can also launch broad-based, coordinated “remote-control” and flood-type DDoS attacks against their target(s).

Trojan Horses
Trojan horse malware are programs which appear harmless, and may also appear to be useful and completely functional. However, they contain other components which install malware onto the machine while keeping the victim busy with a diversion, or appearing to fail, causing the end user to think the trojan was merely defective in some way. They might arrive as an email attachment, or present themselves as a useful application on a website enticing the user to download and install them. Because they do not have the ability to self-replicate, trojans are a completely different animal from viruses or worms. Trojans require human assistance in order to spread, usually through “social engineering” means. They often deliver destructive payloads and can also install other types of malware.

communicate collectively with other bots or controllers autonomously as a distributed network. Some RATs also offer bot capabilities, thus blurring definitions among some vendors.

Spyware
Spyware, also called “adware” by some vendors, is the most commonly found malware on machines. Spyware is any program that tracks and reports your computing activity without consent. While it is not designed to inflict damage, spyware can seriously affect the performance of machines. Spyware is often bundled with free software, and automatically installs itself with the program you intended to use. Signs of spyware include sudden modifications to your web browser, unwanted additional search bars or “toolkits”, redirects of your search attempts, and the frequent displaying of pop-ups. Spyware and “adware” are often defined interchangeably, but “adware” simply displays advertisements, whereas spyware returns more detailed information than just a cookie to the site which displays the ads, such as browsing history details or other personally identifiable information about surfing habits. Spyware should not be confused with more serious malware like keyloggers, RATs or other exfiltration tools; spyware is largely a privacy issue.

Many antivirus products do not detect all spyware, given that numerous purveyors of spyware will sue in order to have the “false positives” removed from the detection databases in security products. When investigating strange, undetected programs on machines, spyware is often found and can prevent analysis from continuing further when actual malware exists. Therefore, diagnosis should not end just because some spyware was found on a victim’s machine; it is often a sign that the hunt has only begun.
are quite compact. Their only purpose is to gain entry into a system, and once installed they will download other components quietly in the background, or they will contain various files needed for a successful infection. Whereupon, they will install all of the other pieces that the malware requires to carry out its function. Droppers are usually compressed with a specially obfuscated “wrapper” that is designed to elude detection by antivirus products by means of encryption and other techniques.

Rootkits
Rootkits are the most difficult of all malware to detect, as their purpose is to completely hide malware from the user as well as from security software intended to detect malware. Rootkits operate at the system level and are designed like other system and hardware drivers, using special code in order to hide the malware installed at the user level. Some rootkits are almost impossible to detect, even with forensics, and run as system services or device drivers, or can even be written to firmware in the system’s hardware such as video cards, network cards, the BIOS, or any other device which allows updating of the hardware’s “firmware.” Their entire function is to hide malware, and the only visible symptom of their presence is unexplained reboots, or blue screen crashes, if they have any bugs in their code. Absent programming bugs, however, they are extremely difficult to detect. Rootkits run at the lowest levels of the particular operating system for which they are designed.

Bootkits
Bootkits are the latest concern, although despite the hype, their practical application is still largely theoretical and impractical. However, when the specific hardware configuration in the potential victim’s computer is fully known, it is practical to construct one. Bootkits consist of custom code designed to function within a system’s “firmware” such as the BIOS, printers, video cards, ethernet and WiFi devices, and any other hardware that is capable of having its firmware “flashed” or upgraded. Bootkits are differentiated from rootkits because a bootkit does not require the services of an operating system; they are completely self-contained, independent of the operating system, whereas rootkits are designed to work after the OS has been booted.

As a computer boots, the BIOS (or, in newer machines, EFI or UEFI data on the local hard disk) contains pointers to the various boot firmware in modern components. By placing malware in the hardware itself, a “bootkit” can be started before the operating system and maintain control throughout a session. However, any such “bootkit” has to be written specifically for that hardware, and will not work on another version of that hardware, owing to the variety of hardware designs. Bootkits are also often referred to as “boot sector infectors”, though they are still technically considered a “virus”, and because they run independently of the operating system, antivirus software is highly likely to never detect them at all.

Bootkits can function regardless of the operating system that is booted, and are therefore a very valuable tool for APT and other situations where the expense of such custom malware justifies the effort. It was one of many considerations in our own KNOS design despite the current rarity of this threat.

Bootkits can only be defeated by clearing and reflashing the firmware with tools provided by the manufacturer of the hardware itself. Even then, the hardware should no longer be considered “trustworthy”, since most “bootkits” are placed following the last byte of firmware code in the device, and many “reflash” tools fail to overwrite the infection.

Pseudo-rootkits
I coined this term back around 2000 with our BOClean product to describe perfectly legitimate software which has been installed onto a machine in order to act as malware. Pseudo-rootkits are legitimate programs which were installed without authorization and, when audited, will turn out to be completely legitimate. They include things such as FTP software, remote desktop software, keyloggers used by parents and corporations to monitor use of machines, chat software, torrent software and numerous other “name brand” products that security software will not detect because it’s a “legitimate tool.”

However, they are not installed in the normal location where they would be installed legitimately, and have been modified with other “legitimate tools” to remain hidden while they’re in use by remote actors. Pseudo-rootkits will not be listed in “Add/Remove software” since they weren’t installed by legitimate means. Our former BOClean product was the only security product which set off warnings when this was the case, warning the user that such software was operating without their knowledge and giving them the option to remove it. Most security vendors will not even attempt to detect these at all, even if they are “out of place.”

Exploits
Exploits are malware which are designed to exploit weaknesses and design errors in existing software or operating systems, and are often embedded in web sites, documents and file servers which consist of scripts such as ActiveX, Java applets, JavaScript, PDF files and multimedia files which will, thanks to poorly written code, perform unauthorized actions on the victim’s machine. Persistent exploits require that a copy be stored locally, usually in the internet browser’s cache files or in the TEMP space. There are numerous other examples of exploits as well, which are triggered each time a malware page is visited.
WARNING SIGNS THAT UNDETECTED MALWARE MIGHT BE PRESENT
The majority of malware is poorly written and will often noticeably affect the computer. When malware fails to be detected by your antivirus or other security software, the following symptoms merit further investigation:

• Degraded computer functionality.
• Antivirus, firewall or other security software has been disabled.
• Odd behavior, such as unexpected reboots or icons no longer responding.
• Popup windows appearing when not browsing the internet.
• System errors, blue screens, or reliable programs suddenly crashing.
• Strange traffic on the network, as well as slow browsing.
• Disabled functions such as Task Manager, Regedit, user switching, login, logout or shutdown.
• Files or programs on your PC that you do not recognize.
• While surfing the internet, certain sites such as www.microsoft.com, or the sites of antivirus or other security software vendors, do not work.
• There are folders in your Windows Explorer, but clicking on them doesn’t open them.
• After a reboot, Windows reports a Data Protection Violation in “Windows Explorer”, and shuts down Explorer to restart it right away.

HUNTING FOR MALWARE
Unplug your network cable and manually turn your computer off. Reboot your computer into “Safe Mode with Command Prompt”. As the computer is booting, tap the “F8 key” continuously, which should bring up the “Windows Advanced Options Menu”, as shown below. Use your arrow keys to move to “Safe Mode with Command Prompt” and press the Enter key.

Make sure you log in to an account with administrative privileges (login as admin).

Once the Command Prompt appears you have only a few seconds to type in explorer and hit Enter. If you fail to do it quickly, within 2-3 seconds, malware on the system is likely to take over and not let you type anymore. Keep trying if necessary until you succeed.

If you managed to bring up Windows Explorer, you can try to run System Restore with the following commands:

• Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
• Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

Follow the steps to restore your computer to an earlier date prior to the infection, if you have any idea as to when it first started showing symptoms. System Restore often disables recently added malware and lets you get back into the machine. However, a large amount of malware disables your ability to get at many parts of your system. If this is the case, read below where I describe how to re-enable deliberately disabled functions.

If you were successful, then you can proceed with hunting for the malware. A System Restore will only, hopefully, prevent the malware from starting. It will still be present on the machine, hopefully inactive at least temporarily, in order to allow you to find and remove it.

Now the hunt can begin. This can become quite involved, but generally you’ll want to proceed in this order:

• Clean all temp folders and internet caches from all browsers.
• Perform an antivirus scan while running in Safe Mode.
• Audit running processes.
• Audit the ‘startup’ files and registry entries.
• Audit network connections.
• Check the file system for files that have been hidden, and REALLY hidden files.
• Check for unusual services.
• Audit the HOSTS file and Windows TCP/IP settings (redirects to incorrect sites are often done by modifying these).

If the above doesn’t solve the problem, then it’s time to dive into the system manually. This is the hard stuff, and requires an absolute need to access the data on the infected machine, since it can become quite labor and time intensive now.

MALWARE HUNTING THE HARD WAY
Look for odd processes, such as normal service names which are misspelled: svchost.exe is expected, scvhost.exe is NOT. Random-character file names are almost always guaranteed to be malware, and in most cases they change each time the system is rebooted.

Another frequent indicator of malware is filenames with double extensions, such as program.pdf.exe, where the double extension serves to trick victims into believing that the file in question is something other than an executable; in this case it might appear to be a PDF file if “show file extensions” is disabled in the file explorer view.

Incorrect icons for files are also a reason for further investigation. With “show file extensions” enabled in the file explorer, executables which display a file folder icon, an archive file icon or perhaps a document icon are highly suspicious. Legitimate programs will provide an icon that shows a product logo or an icon logically associated with that program, and won’t mislead the user visually as to what the icon represents.
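Two of the checklist items above, the misspelled or random-looking process names and the HOSTS file audit, as an added Python example that is not the author's tooling. The allow-list of Windows process names, the watched domains, the sample process listing and the sample HOSTS content are all constructed; the edit-distance limit of 2 and the vowel-ratio threshold of 0.2 are assumptions to be tuned against a known-good machine of the same build before trusting the verdicts.

```python
"""Audit helpers for two checklist items: odd process names and a tampered HOSTS file
(added example). Name lists, thresholds and sample inputs are constructed."""
import re
from typing import List

# Constructed allow-list; on a real hunt, build it from a known-good machine of the same build.
KNOWN_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "wininit.exe", "spoolsv.exe",
}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".jpg", ".txt", ".zip", ".mp3"}
# Constructed list of domains malware likes to block or redirect through HOSTS.
WATCHED_DOMAINS = {"www.microsoft.com", "update.microsoft.com", "windowsupdate.com", "avvendor.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the 'scvhost.exe for svchost.exe' pattern."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(filename: str) -> List[str]:
    """Return the reasons a process or file name looks suspicious ([] means nothing odd)."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if dot:
        ext = "." + ext
    else:
        stem, ext = name, ""
    reasons = []
    # 1. Double extension: a decoy document extension sitting in front of an executable one.
    if ext in EXECUTABLE_EXT and "." in stem:
        if "." + stem.rpartition(".")[2] in DECOY_EXT:
            reasons.append("double extension")
    # 2. Near-miss of a known system process name (closest match, at most two edits away).
    if name not in KNOWN_PROCESSES:
        closest = min(sorted(KNOWN_PROCESSES), key=lambda known: edit_distance(name, known))
        if edit_distance(name, closest) <= 2:
            reasons.append(f"lookalike of {closest}")
    # 3. Random-looking stem: assumed heuristic, 8+ alphanumerics mixing letters and digits
    #    with almost no vowels. Tune the 0.2 ratio against legitimate names on your build.
    if ext in EXECUTABLE_EXT and len(stem) >= 8 and re.fullmatch(r"[a-z0-9]+", stem):
        has_digit = any(c.isdigit() for c in stem)
        has_alpha = any(c.isalpha() for c in stem)
        vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
        if has_digit and has_alpha and vowel_ratio < 0.2:
            reasons.append("random-looking name")
    return reasons


def audit_hosts(text: str) -> List[dict]:
    """Flag HOSTS lines that pin a watched domain (or a subdomain of one) to any address.

    Pointing www.microsoft.com or an antivirus vendor at 127.0.0.1 blocks the site;
    pointing it anywhere else redirects it. Neither belongs in a normal HOSTS file.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        address, *hostnames = line.split()
        for host in hostnames:
            host = host.lower()
            if host in WATCHED_DOMAINS or any(host.endswith("." + d) for d in WATCHED_DOMAINS):
                findings.append({"line": lineno, "host": host, "address": address})
    return findings


# Constructed sample inputs.
SAMPLE_PROCESSES = ["svchost.exe", "scvhost.exe", "explorer.exe", "program.pdf.exe",
                    "kx7qz2vb.exe", "isass.exe", "setup.exe"]
SAMPLE_HOSTS = """# constructed sample of %SystemRoot%\\System32\\drivers\\etc\\hosts
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
203.0.113.7     update.avvendor.example   # redirected to a constructed outside address
192.168.1.20    intranet.corp.example
"""

if __name__ == "__main__":
    for proc in SAMPLE_PROCESSES:
        print(f"{proc:18} {classify_name(proc) or 'ok'}")
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Every hit is a reason to look closer, not a verdict: a one-edit name can be a legitimate third-party service, and a HOSTS entry for a vendor domain can be an administrator's deliberate block. The value of scripting the checks is consistency across the many files and lines a hunt covers, which is exactly where eyeballing a task list fails.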
Another clue which should be followed is to check your antivirus failed you! They probably saw a dif-
for valid signatures for any executable which claims ferent copy than the one that just got installed on
to have originated from a large vendor. Most major your machine and the signature will only spot that
enterprises now sign their code and the absence other identical copy, not necessarily yours. This is
of a signature, or misspelled “properties” informa- also the reason why the “body counts” are so high
tion is also an important clue. Here, examining the for malware and so many variant versions of the
“properties” for unknown programs is quite useful. same exact malware in their definitions.
Unusual processes with high CPU utilization with Years ago, our operation made a product called
seemingly legitimate process names which are un- “BOClean.” We actually examined each and every
expected are also a sign of possible infection by piece of malware in memory and then created a
malware. The Windows Task Manager is usually memory-based definition for malware that would
circumvented by malware to prevent malware from always detect the malware no matter how it was
appearing in the task list, however you might get repacked, encrypted, polymorphed or modified
lucky and spot some this way. since all programs must shed all that once they
Searching the web using process names you are ready to run in memory on a computer.
are unsure about will give clues to the legitimacy As a result of this design, we could detect any
of individual processes. There are a few sites that variant knowing that there is a very limited number
provide databases which will give a detail listing of coders who produce malware and we made it a
of processes, including file sizes and verdict as to point to study the authors themselves rather than
whether they’re legitimate or suspicious. their code and zeroed in on specific means of de-
Installing a tool which will allow you to take an tecting the author. As a result, we detected every-
MD5 or SHA1 “hash” of any suspect files will make searches for those processes a whole lot saner and will make it easier to confirm whether the files are legitimate or suspect. Most malware search sites use MD5 and/or SHA1 hashes in order to confirm their verdicts, so being ready to determine the MD5 or SHA1 hash of suspect files is strongly recommended to save time. These tools include:

• Microsoft File Checksum Integrity Verifier (generates MD5 and SHA1 hashes), which can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=11533
• I prefer this tool myself: HASHCHECK, which installs as a shell extension right into Windows’ file explorer: http://code.kliu.org/hashcheck/

WHY DO WE NEED FILE HASHING?
As I indicated earlier, “file hashes” are the “secret sauce” of the antimalware business. By performing an MD5 or SHA1 hash on a file, a long number is generated that is unique to that specific file. It’s a means of generating a quick and dirty “signature” for a known file, whether it’s legitimate or it is malware. It permits security software vendors to feed a file to their signature database without so much as looking at a sample that’s been flagged as malware. No effort, no time, put it in the blender, out pops a new “definition.” It’s cheap, it’s fast and it’s lazy for the security vendors.
The downside with using hashes for antivirus signatures is that if one single BIT of code changes, due to encryption, a different packer, even adding blank characters to the end of a file making it one byte larger, that hash will no longer match the “known malware” signature and thus it will go undetected until the new variant gets hashed and added to that signature database. THIS is why
thing new that they wrote without the need to add individual definitions. Even in the most sophisticated of “APT” malware, the authors always manage to leave some unique “signature” in their work that can be used to detect their next move.
When I was last directly in charge of antimalware labs two years ago, the number of “unique authors” was in the vicinity of only about 1,500 coders. I’d bet that the number today is less than twice that. But my premise was that each individual author had their quirks, and you could count on those showing up in the code they released. It was the secret of our reputation with BOClean. But it took a lot of work in the face of an ever expanding number of samples. Today you only see the security companies expending that level of money and effort on the likes of Stuxnet.
Since file hashes are the industry standard though, that’s what they use for sample and definition sharing within the industry, as well as in databases of malware that are publicly available, which you can use to research whether or not unknown files are already known to malware analysts or other vendors in the industry. MD5 hashes are the older standard; SHA1 hashes are the currently popular exchange format. So you will want to obtain both MD5 and SHA1 hashes of any files which you suspect and then use those values to perform internet searches at places like virustotal, jotti, or similar to determine if a file is legitimate or suspicious depending on the results of your search. Doing those hashes will save you a _lot_ of time in your hunt!

RELEASE THE HOUNDS, ON WITH THE HUNT!
In addition to the task manager that comes with Windows, these tools give far more detailed information for you to examine and are less likely
www.eForensicsMag.com 47
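The hashing step above, as an added PowerShell example (not code from the article or from any of the tools it names): it hashes every executable-type file in a folder with both MD5 and SHA1, records the exact size in bytes next to each hash, and then shows the downside the author describes by hashing a constructed 64-byte sample and a copy that is one byte longer. The function name Get-TriageHash, the extension list and the demo file names are my own choices; Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not code from the article): compute MD5 and SHA1 for every executable-type
# file under a folder, record the exact size in bytes next to the hashes, and show why a
# single appended byte defeats a hash-based signature. Needs Get-FileHash (PowerShell 4.0+).

function Get-TriageHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Extensions the article says malware usually carries.
        [string[]]$Extensions = @('.exe', '.dll', '.ocx', '.scr', '.vbx', '.bat', '.cmd')
    )
    Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                SizeBytes = $_.Length
                LastWrite = $_.LastWriteTimeUtc
                MD5       = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
                SHA1      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
                FullName  = $_.FullName
            }
        }
}

# Hash the user's Temp folder (one of the locations the article calls suspect) and keep a CSV;
# the MD5/SHA1 columns are what you paste into VirusTotal or Jotti, SizeBytes is the extra clue.
$report = Join-Path $env:TEMP 'temp-folder-hashes.csv'
Get-TriageHash -Path $env:TEMP | Export-Csv -LiteralPath $report -NoTypeInformation
Write-Host "Hash report written to $report"

# Constructed demo of the downside: a 64-byte sample, then a copy that is one byte longer.
$original = Join-Path $env:TEMP 'hash-demo-original.bin'
$variant  = Join-Path $env:TEMP 'hash-demo-variant.bin'
[System.IO.File]::WriteAllBytes($original, [byte[]](1..64))
Copy-Item -LiteralPath $original -Destination $variant -Force
[System.IO.File]::AppendAllText($variant, ' ')          # one trailing blank, one byte larger
$before = (Get-FileHash -LiteralPath $original -Algorithm SHA1).Hash
$after  = (Get-FileHash -LiteralPath $variant  -Algorithm SHA1).Hash
Write-Host "Original SHA1: $before"
Write-Host "Variant  SHA1: $after"
Write-Host ("Signature hash still matches the variant: {0}" -f ($before -eq $after))
Remove-Item -LiteralPath $original, $variant -Force
```

The CSV is the artifact to keep: when a filename search turns up nothing, the hash and byte size are what let another analyst confirm or rule out a match, and the two-line comparison at the end is the whole reason a one-byte repack slips past a hash-only signature.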
to be fooled into hiding malware, unlike the Windows task manager:

• GUI Process Explorer from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb896653
• GUI Autoruns from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb963902

Lacking those tools, the next step is to look for odd entries in the “startup” sections of the registry using Windows’ built-in tools. Keep in mind that legitimate programs are seldom found in multiple start locations, such as Run, RunOnce, RunOnceEx and RunServices, but it’s quite common for malware to copy its startups to multiple locations in order to ensure that if one is found, others will successfully start the malware each time the machine is rebooted. If you are unable to access the registry or built-in tools, or are unable to run any programs at all, I will explain down below how to get around disabled functions and services.

To look for the normal startup locations where malware might be started

winkey + R | msconfig | Startup Tab

or

winkey + R | regedit | check the following

Audit the ‘startup’ locations. The most commonly used startup locations in the registry are:

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

Audit network connections

winkey + R | cmd | netstat –nao

Connections continually in ‘SYN sent’ state on 445 or 139, established connections on odd ports such as 6667 (IRC), or established connections on typical but unexpected ports such as FTP, TELNET, even 80 (HTTP) where inbound connections aren’t normally expected, are a sign of malware running surreptitiously. Inbound connections to websites and other services normally occur on ports higher than 1024, but outbounds on ports below 1024 are highly suspicious when a server is not being deliberately run on the machine in question.
A list of TCP and UDP ports and their expected purposes is here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.
Once again, Sysinternals to the rescue: http://technet.microsoft.com/en-us/sysinternals/bb897437.

Check for hidden files
There are files that are required for your system to run, and many of these are hidden from accidental deletion. Malware takes advantage of such file attributes to hide from standard file searches, but the Windows folder view menu will allow you to display any HIDDEN, SYSTEM and READONLY files on your system so that you can browse almost all of the files on the system being examined. There are also files known as “super-hidden files” which require the extra step of going into the View tab of the file explorer and specifically unchecking “Hide protected operating system files (recommended)” as well as ensuring that all other file types are made visible. Please be aware that malware can still hide its files from the File Explorer through the use of rootkits.
When performing this search pay particular attention to directories in the %PATH% variable such as C:\windows\system32; most malware tends to be placed in the system “path” environment setting and loaded via the registry without an absolute path. DO NOT delete any of the files listed by this command unless you are positive they are malware; you can easily hose a completely functional system by doing so. To delete files, you will need to UNSET hidden, system and read-only attributes first.
Be mindful also that there are “super-hidden” files that Microsoft will just not let you access, which begin with a $ sign as the first character of the filename. These are reserved for the system only and have been used to hide malware rootkits. One of the most infamous rootkits which I tracked down many years ago was the SONY rootkit, installed by DRM contained on their commercial music CDs. I wrote up a set of manual instructions for those who didn’t use our BOClean product here: http://www.dslreports.com/forum/remark,14817570.
Malware can also hide in Alternate Data Streams (ADS), which hide files inside other files. One clever way of hiding malware, as well as purloined files in the act of espionage, is to write the contents to an ADS, whereupon they’re almost impossible to find without knowing the name of the ADS itself. These files are usually written to important system files and sometimes buried inside folder entries themselves rather than as files so as to elude detection. They will contain a colon (:) between two filenames, for example winstart.exe:malware.exe or similar. The colon is the clue that you’re dealing with an ADS file that will not appear in a directory listing. Most antiviruses do not look for these by default.
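The registry startup audit and the netstat check described above, as one added PowerShell example (not code from the article): it walks the six Run locations the author lists and flags the patterns he describes (the same command duplicated across locations, an image without an absolute path that is resolved through %PATH%, an image that no longer exists, and an entry that fronts a DLL with rundll32), then parses the output of the same netstat -nao command for the SYN_SENT-to-445/139, IRC and FTP/Telnet cases. The function names, the flag labels and the port lists are my own; it is read-only and assumes an elevated PowerShell 3.0 or later on the machine being examined.

```powershell
# Added example (not code from the article): audit the registry Run locations the article
# lists for the patterns it describes, and parse `netstat -nao` for the connection states it
# calls suspicious. Read-only; run it from an elevated PowerShell on the machine examined.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
)
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyAudit {
    $entries = foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = ([string]$p.Value).Trim() }
        }
    }
    # The same command under several Run locations is the duplication the article warns about.
    $dupes = @($entries | Group-Object -Property Command | Where-Object { $_.Count -gt 1 } |
              ForEach-Object { $_.Name })
    foreach ($e in $entries) {
        # The image is the quoted path, or everything up to the first space.
        $cmd   = $e.Command
        $image = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
        $flags = @()
        if ($image -notmatch '^[A-Za-z]:\\') { $flags += 'no-absolute-path' }   # resolved via %PATH%
        elseif (-not (Test-Path -LiteralPath $image)) { $flags += 'image-missing' }
        if ($image -match '(?i)rundll32(\.exe)?$') { $flags += 'rundll32-loads-dll' }
        if ($dupes -contains $cmd) { $flags += 'duplicated-across-locations' }
        if ($flags.Count -gt 0) {
            $e | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join ',') -PassThru
        }
    }
}

function Get-SuspiciousConnection {
    # Parses the same `netstat -nao` output the article uses, so it works on XP through 7 as well.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }
    netstat -nao | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { return }
        $remotePort = $f[2].Substring($f[2].LastIndexOf(':') + 1)
        if ($remotePort -notmatch '^\d+$') { return }         # LISTENING rows show *:* or 0.0.0.0:0
        $remotePort = [int]$remotePort
        $state = $f[3]
        $why = $null
        if ($state -eq 'SYN_SENT' -and $remotePort -in 139, 445) { $why = 'SYN_SENT to SMB/NetBIOS (scanning other hosts)' }
        elseif ($state -eq 'ESTABLISHED' -and $remotePort -eq 6667) { $why = 'IRC (classic bot control channel)' }
        elseif ($state -eq 'ESTABLISHED' -and $remotePort -in 21, 23) { $why = 'FTP/Telnet from a workstation' }
        if ($why) {
            [pscustomobject]@{
                Local = $f[1]; Remote = $f[2]; State = $state
                ProcessId = [int]$f[4]; Process = $procs[[int]$f[4]]; Why = $why
            }
        }
    }
}

Get-RunKeyAudit | Format-Table Key, Name, Flags, Command -AutoSize -Wrap
Get-SuspiciousConnection | Format-Table -AutoSize
```

Only flagged Run entries are printed; an unflagged entry still has to be examined by hand, as the article says, but the flags put the ones matching its heuristics at the top of the pile. The netstat parser deliberately leaves port 80 and 443 out of the "below 1024" rule because a browser produces those constantly; add them to the list if the machine should not be browsing at all.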
Detecting and Defeating Unknown Malware
An excellent tutorial on how ADS works can be found here: http://windowssecrets.com/top-story/hide-sensitive-files-with-alternate-data-streams/. And an even more useful description of what would be involved in deleting them can be read here: http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/.
The following tool can locate them: Sysinternals Streams: http://technet.microsoft.com/en-us/sysinternals/bb897440.
Some malware will install as a system service. While removal of services is more difficult, you can usually at least disable them for temporary clean up:

winkey + R | msconfig | Services Tab
winkey + R | services.msc |
From the Command shell -> tasklist, taskkill, tasklist /svc

Once malware has been identified, it’s best to remove it while in safe mode. Some malware will have additional processes and DLL’s (and possibly rootkits) that can prevent you from removing them by means of “injecting” their code into legitimate system processes. Deleting startup locations and files while in safe mode can usually restore a system to working condition but remember, there’s no such thing as a “trusted machine” once it’s been owned.
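The ADS hunt from the previous page, as an added PowerShell example (not code from the article and not the Sysinternals Streams tool): it writes a constructed, harmless text stream onto a scratch file so there is something to find, then scans a folder and reports every stream other than the default ::$DATA, printing the file:stream handle the article tells you to look for. The function name Get-AlternateDataStream and the scratch file names are mine; it assumes PowerShell 3.0 or later (for the -Stream parameters) and an NTFS volume.

```powershell
# Added example (not code from the article): enumerate alternate data streams under a folder,
# reporting any stream other than the default ::$DATA. A constructed demo stream is written to
# a scratch file first so the scan has something to find; drop that part for real use.
# Requires the -Stream parameters (PowerShell 3.0+) and an NTFS volume.

function Get-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Folders can carry streams too, which is the "buried inside folder entries" case.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $item.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # The article's clue: the stream is addressed as file:streamname.
                        Handle = "$($item.FullName):$($_.Stream)"
                    }
                }
        }
}

# Constructed demo: a harmless text stream attached to a scratch file.
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$target = Join-Path $scratch 'winstart.txt'
Set-Content -LiteralPath $target -Value 'visible content'
Set-Content -LiteralPath $target -Stream 'hidden.txt' -Value 'only reachable through the stream name'

# A directory listing shows one small file; the stream scan shows the attached payload.
Get-ChildItem -Path $scratch
Get-AlternateDataStream -Path $scratch | Format-Table File, Stream, Bytes, Handle -AutoSize

Remove-Item -LiteralPath $scratch -Recurse -Force
```

On a real system the common benign hit is Zone.Identifier, the "mark of the web" that browsers attach to downloads; anything else on a system file or a folder deserves a look. A named stream is read with Get-Content -Stream and deleted with Remove-Item -Stream, which is the step the bleepingcomputer tutorial linked above walks through.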
Finally, Rootkits: Rootkits are almost impossible to find although many aren’t all that sophisticated. There are numerous tools which will attempt to detect a rootkit’s files, but they’re more prone to false positives than actually finding genuine rootkits. They include:

• Sysinternals Rootkit Revealer: http://technet.microsoft.com/en-us/sysinternals/bb897445
• Hitman Pro (I recommend this comprehensive scanner which uses multiple AV engines to scan, but it doesn’t remove them): http://www.surfright.nl/en

Bear in mind that just because a “rootkit detector” fails to find any rootkits doesn’t mean that there aren’t any. Rootkits operate at the operating system level and can easily hide themselves completely, since most security software operates at the user level, which is segregated from the operating system level. In Win7 and later, that isolation is even more profound than in earlier versions of Windows, almost guaranteeing that rootkits will never be detected unless they’re caught in the act of being installed.

Locating malware which might be located in Startup Folders
The most ordinary autostart locations in Windows are in folders actually named “Startup.” On all Windows computers, there is an individual Startup folder for every user (account) who has ever logged on, in addition to a Startup folder shared by all users of a particular system. These folders can often be managed through the paths above or Windows Start button → All Programs → Startup → Right click. In XP they are:

• C:\Documents and Settings\<USERNAME>\Start Menu\Programs\Startup
• C:\Documents and Settings\Default User\Start Menu\Programs\Startup
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup
• C:\windows\tasks

Whereas in Vista and later they’ve been changed to:

• c:\users\<USERNAME>\appdata\roaming\microsoft\windows\start menu\programs\startup
• c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Startups can also be tucked away in these locations:

• C:\autoexec.bat
• C:\Windows\Win.ini
• C:\Windows\System.ini
• C:\Documents and Settings\Administrator\Local Settings\Temp\
• C:\windows\system32\
• C:\WINDOWS\Prefetch

In these file folders, if you opt to sort by date, you can sometimes see what has recently been touched, added or changed, so long as the malware didn’t change the particular file’s time and date stamps. Malware will usually be listed with DLL, OCX, SCR, VBX, BAT, CMD or EXE file extensions, sometimes with random file names, and in most cases you should be able to search the internet for details by filename to determine if it’s a known threat or not. This is when it’s helpful to also know the exact file size in bytes as well as having an MD5 or SHA1 hash of the file in question to make matching your mystery easier.
If the filename doesn’t turn up in an internet search, it’s likely to be rogue, but again, you can’t count on that either. Sometimes malware will use filenames similar to genuine system files such as rundll32, but will be located in the wrong directory. If you see something called rundll33 then it’s a pretty safe bet that it’s malware and should be deleted. System files are usually in SYSTEM32 and below, and their presence in WINDOWS or TEMP is also suspect.
However, the vast majority of malware is started by entries in the Windows Registry, and here it gets dicey because there are just so many places that malware can be started from, such as these particular Windows registry keys (see Listing 1). The most difficult part of the registry hunt is that there are so many entries in each of them, each of which culminates in an executable, DLL file or other library file being loaded and started. Unfortunately, each and every one has to be examined to determine whether it is legitimate or not. As I indicated at the outset, there are just too many places for malware to hide in the Windows operating system. And these only account for EXE files. DLL’s and other potential malware have other locations from which they can be started. Be particularly cautious when you spot a startup entry which begins with “RunDll” or “RunDll32” in front of a DLL, OCX or other file. RunDLL is Microsoft’s “run a DLL as an executable” function which will allow malware to run as a library instead of an executable and thus loads it into the operating system itself instead of running it as a separate program. Any of those files must also be examined and verified as legitimate as well.
DLL’s can also be started using entries called “ImagePath” or “ServiceDll” in the registry, and these are even harder to find because they’re associated with “UUID” and “CLSID” entries buried in the registry. These can be searched for in the regedit utility and there are a LOT of them. These keys will directly call DLL’s, OCX’s and other library type files which can also contain malware.
To further complicate matters, Windows will not allow you to simply delete malware while it is running. Running processes and threads are protected by the operating system, and any attempt to delete it will be met with one form or another of an “access denied” message, and any attempts to remove the rogue file will fail. The only way to delete a running file is to either kill the process (and even here, many protect themselves from this possibility) or to remove the corresponding startup entry in the startup folder and/or the registry and then reboot, in hopes that there aren’t other elements of the malware that will simply put the entry right back into the startup location and then restart after a reboot.
And it gets even worse with rogue DLL’s and libraries which are used to “inject” code into other legitimate, running processes. Code injection has been the preferred method of infecting computers since DLL’s cannot be killed; they must be “unhooked” by means of “object dereferencing” instead. The only other alternative to unhooking DLL’s is to kill the process to which they’ve attached. Malware authors solved that problem as well by attaching them to numerous processes including core operating system processes themselves. Kill these processes and the machine remains infected, but spontaneously reboots or freezes in order to spank you.
Hopefully, the entire malware “system” is started by an executable which then loads its other components. If you find the main startup, you can hopefully defeat the rest of the chain upon a reboot by preventing the starter application from running. Pay particular attention, however, to any startups which include that “RunDLL” command in front of a library file; that may be the startup as well. If you can keep the rogue from starting after a reboot, that’s the major part of the battle won!

[SC] DeleteService SUCCESS

Return to the Services window and press F5 to refresh the list, and confirm the service is now gone. SC (or “Service Control”) is an often neglected but useful way to control running services, and can often stop rogue services.

UNKILLABLE PROCESSES
Antivirus and other security software require extraordinary means in order to kill rogue programs. Some methods involve the abrupt “TerminateProcess” function in code, while others require an even more extreme step in providing a kernel device driver that will literally unhook the file from the system and then delete it. Absent special utilities designed to terminate unkillable processes or unhook injected threads, if the task manager doesn’t allow you to kill a rogue program, or it keeps coming back after an apparently successful “kill”, there are a few methods which I’ve found can do the job without these specially written utilities. They include:
Use the “ntsd” command to kill any process that thinks it’s special and can’t be killed using the task manager:

ntsd -p [pid] -c

If that fails, then try this trick using the following exact command line in a command prompt window:

reg add “hklm\software\microsoft\windows nt\currentversion\image file execution options\malware.exe” /v Debugger /t REG_SZ /d “C:\Windows\System32\bogusfile.exe /F /IM malware.exe”

(the quotes are necessary)
They will also use permissions to disable access to the system, whereupon you will see a message indicating that the “Administrator” has denied access to you. One of the methods of complete denial to any resources is “Association hijacking”, which can prevent programs from running as well as being yet another automatic startup source for malware. To check for association hijacking, you’ll want to check these registry keys:

HKEY_CLASSES_ROOT\.exe\PersistentHandler
• (Default) value should equal: {098f2470-bae0-11cd-b579-08002b30bfeb}
HKEY_CLASSES_ROOT\exefile\shell\open\command
• (Default) value should equal: “%1” %*
• IsolatedCommand value should equal: “%1” %*

Hijacking can occur for OTHER file associations such as HTML, PDF and many others. You will see those association keys in the same HKEY_CLASSES_ROOT areas as “.exe” and “exefile” but their entries can often be more complex. It helps when checking to have the same registry entry open for cross-checking with a machine that is uninfected, to confirm whether or not to edit the entry.
A cute little brute-force method that also works when programs cannot be started is to copy the original utility file and then rename its file extension. For example, if you can’t start any EXE files, try renaming the copied “.exe” to “.com” or “.scr”, which are likely to work. If that gets regedit or your antivirus program running again, you’re home free.
Some additional tips to work around disabled functions can be read here:

• http://dottech.org/11980/re-enable-critical-windows-components-disabled-by-malware/
• http://malwaretips.com/Thread-Remove-malware-when-traditional-tools-fail

switch so they don’t get infected too. Having all of your tools handy on a CD, DVD, or USB stick allows you to bring your arsenal to the machine in question without risking installing from the internet on an infected machine. The “write inhibit” switch on USB devices equipped with one will prevent any malware from the machines you’re working on from spreading via that USB device. Of course, having a bootable CD or DVD is even better because there’s no possible way to write to it at all.
Most antivirus companies offer a downloadable “rescue disk” which you can download and burn to a CD, DVD or USB stick as well. Check with your security vendor to see if they have one available. The only downside is that each vendor has their own and therefore you depend on that vendor to detect and deal with any malware on the machine based on their detection database. And given that you’ll be doing this only if they’ve failed, that might not help. If you’re unable to boot the suspect machine, this will at least let you gain access to it.
In my situation, I use a custom build of our own product on a bootable USB stick, the KNOS Secure Desktop. On it I have all of the necessary tools, including antivirus, network and malware scanners as well as other tools that will allow me to investigate an infected Windows machine using KNOS itself in GUI mode. It even permits me to locate and examine super-hidden items such as the SONY Rootkit I mentioned earlier without difficulty. Some Linux live CD distributions will also suffice for accessing Windows machines, although they have limits if there’s no other means available to gain access to the infected machine.
Having the tools you need beforehand, though, cannot be emphasized strongly enough. Locating and defeating undetected malware is a formidable challenge, and I hope this lengthy dissertation has been helpful in proceeding with the task successfully. Good hunting!
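The two registry hijack points from the last two pages, as one added PowerShell example (not code from the article): the first function lists every Image File Execution Options subkey that carries a Debugger value, which is the same key the reg add trick above writes, and reports whether the program the Debugger points at actually exists (on an examined machine, a Debugger pointing at a bogus or missing file means something is preventing that program from starting, which is how malware disables security tools); the second compares the .exe association values with the defaults quoted in the text. The function names, the Status labels and the ImageExists column are my own; the expected values are the ones the article gives. It is read-only and modifies nothing.

```powershell
# Added example (not code from the article): read-only checks of the two registry hijack
# points the article describes. Part one lists IFEO Debugger values (the key its reg add
# command writes); part two compares the .exe association values with the defaults it quotes.

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Pull the quoted or bare image out of the Debugger string to test whether it exists.
            $image = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { $dbg.Split(' ')[0] }
            [pscustomobject]@{
                Program     = $_.PSChildName
                Debugger    = $dbg
                ImageExists = if ($image) { [bool](Test-Path -LiteralPath $image) } else { $false }
            }
        }
    }
}

# Expected values as quoted in the article.
$ExpectedAssociations = @(
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe\PersistentHandler';      Name = '(default)';       Expected = '{098f2470-bae0-11cd-b579-08002b30bfeb}' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)';       Expected = '"%1" %*' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = 'IsolatedCommand'; Expected = '"%1" %*' }
)

function Test-ExeAssociation {
    foreach ($check in $ExpectedAssociations) {
        $actual = $null
        if (Test-Path -Path $check.Key) {
            $props  = Get-ItemProperty -Path $check.Key -ErrorAction SilentlyContinue
            $actual = $props.($check.Name)
        }
        [pscustomobject]@{
            Key      = $check.Key -replace '^Registry::', ''
            Value    = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            Status   = if ($actual -eq $check.Expected) { 'OK' } else { 'CHECK' }
        }
    }
}

Get-IfeoDebugger    | Format-Table -AutoSize -Wrap
Test-ExeAssociation | Format-Table -AutoSize -Wrap
```

A Debugger entry is not automatically hostile: Process Explorer's "replace Task Manager" option sets one for taskmgr.exe, pointing at a file that exists. An entry whose image is missing, or that names a security tool, an updater or regedit as the program, is the pattern to chase. For the association rows, a CHECK status on IsolatedCommand with the (default) still intact is a common sign of the hijack the article describes, and the uninfected reference machine it recommends is the right place to confirm the expected string before editing anything.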
interview with Johnny Justice
the door to incidents that are being conducted by known terrorist organizations whose goal is to attempt to exploit or destroy specific infrastructures of their adversaries. I think the boundaries are how the specific attack is conducted over the Internet.

eForensics: What suggestions would you give to our readers?
Johnny Justice: For your readers who want to learn these forensic investigative methodologies, there are two things that I would encourage them to do. First, I would tell them to seek out local forensics chapters. These chapters are in most major cities world-wide. There you will find many resources for your learning. You will also be able to find other engineers who have the same interests and will be able to collaborate with you to be sure you stay on the right track. Another option is to try to find the computer forensics team within your organization. Do your best to tag along, especially when they are in the process of an investigation. Request to intern within the company and gain on the job training. This could give you great insight as to what a career of a forensics examiner is like and what you could expect in this ever growing field.

eForensics: What kind of open source/commercial tools do you use and how do they weigh up against each other?
Johnny Justice: When conducting computer forensics, I use either AccessData’s FTK or Guidance Software’s EnCase. They are both great tools and although, in my estimation, they stack up to about the same, each has their own functionality that really enables a full investigation process.

eForensics: In your experience, what are the biggest mistakes digital forensics investigators make which cause cases to fall apart?
Johnny Justice: In my experience, I have found that digital forensic investigators tend to error in specific forensic examination requests, reporting information, and in the area of creating case logs. Many times, I observed investigators invest too much time in a partial area of the requested examination. The investigator, at times, gets lost in all the data, following never ending rabbit holes and paths that were not even part of the original examination request. And at times, the information, when it is found, isn’t even admissible in court because it was not covered in the discovery process. The examination requires time consuming extensions that could have easily been avoided had a focused and sound forensics methodology been followed. Report writing is also a problem, especially when it comes to articulating specific information that is related to the findings. As it relates to case logs, I am very careful to create a minute-by-minute log of each process that I conduct and follow during the case examination. These logs are so important as they are not only discoverable but will most likely be repeated by the defense’s expert witness for the sole purpose of discrediting the case findings.

eForensics: What are the top three tips you can offer an investigator when they are expected to present evidence in a court of law?
Johnny Justice: Intimately know the information that you are going to expound upon and try to envision every angle the defense attorney can potentially bring up in respects to the information you present. Do not get flustered in court and always keep a cool head. Don’t forget, your job is to present the facts. Practice, practice, practice and be prepared. This is a court of law; the information that you present can potentially make or break the case.

eForensics: Thank you very much for the interview and good luck with your work!
About mile2 and founder of the C)DFE certification
Mile2 is a Cyber Security training and consulting company that develops and delivers information security training in line with government, military and private sector specifications. Mile2 was founded in the aftermath of 9/11 as a response to the threat of information security attacks.
Mile2 governs the Certified Digital Forensics Examiner Certification, which is taken through their online examination system called MACS.
Raymond Friedman, CEO of Mile2, is largely responsible for creating the C)DFE certification, which was originally designed for police personnel. Raymond Friedman is an author and international speaker as an expert in both cyber warfare and cybercrime. Today, mile2 works with and supports global police agencies such as ICAC (Internet Crimes Against Children) and INTERPOL (International Criminal Police Organization).

Johnny Justice
Johnny Justice has been working with computers since 2005. He has been serving in the U.S. Army as a counterintelligence agent for over 12 years, 7 years being devoted particularly to Computer Forensics. He has vast experience in training: he has been teaching UNIX/LINUX, Network Essentials, and Theories and Application / Digital Technology at the college level and has developed several high level Linux and Digital Forensics course curricula. He co-authored the 2012 update to the Certified Digital Forensics Examiner course at Mile2. He holds a variety of certifications: C)DFE, CEI, CSSA, ECSA, CHFI, Linux+, and CEH. In 2012 Johnny Justice graduated Magna Cum Laude from Nova Southeastern University with a Master’s of Science Degree in Computer Science Education.