International Symposium on Cybercrime Response (ISCR) 2012

I’m just back from the 1st INTERPOL NCRP Cybercrime Training Workshop and International Symposium on Cybercrime Response 2012, held in Seoul, South Korea. The joint INTERPOL and Korea National Police (KNP) conference was hosted by the KNP Cyber Terror Response Center (CTRC).

ISCR 2012 Agenda

The first day was a look at Law Enforcement (LE) communication networks, including INTERPOL, the G8 24/7 High Tech Crime Network¹, and even more informal communication channels. The overall consensus seems to be that the more formal networks are too slow to deal with the requirements of international cybercrime investigation requests. This appears to be partially a limitation of the efficiency of the networks themselves, as well as of the ability of receiving countries to process the requests, either because of resource issues or because the laws (or lack of them) in the requested country do not allow the investigation request to be dealt with.

It was determined that informal channels of LE communication are currently more effective since they bypass international bureaucracy. These channels appeared to be created mostly by networking (conferences, etc.), and luck.

There essentially seemed to be three camps: Formal communication networks like INTERPOL and G8 24/7, less formal networks created via bilateral agreements, and LE social networks (p2p). Each camp had success stories, and I know each has had failures.

The question is, how can the situation be improved? Criminal communication networks at an international level work much more efficiently than law enforcement networks. There are many reasons why, but what can be done?

The issue of trust in LE communication was brought up, where if you are requesting information or cooperation the person with whom you are communicating should be more than just a name on a list. This is an interesting point to me. If LE is given a list of contact points per country from a formal communication network, do they question the contact point? I think they would automatically trust the contact point via the reputation of the network referring them, even without meeting the contact personally. The issue comes when these contacts are slow or fail to respond to requests from the network. Trust, then, comes from showing you are reliable when something is requested, whether or not you physically meet the contact representative.

Another interesting point was the concept of “exercising” your team(s) in international request response. LE basically creates an incident response (IR) plan for international requests. Incident response is a huge topic in network security. If you read this article, for example, it is geared (at a high level) towards setting up an incident response plan. Each of the tips, however, could be directly transposed into international LE response. The discussed point of exercising your team would be the final testing requirement. Unfortunately, this is the phase that is often neglected, usually due to time and resources. In the case of LE, especially at an international level, it would be difficult to coordinate and perhaps even justify the time needed just for testing communication when it was not really requested.

The topic of international LE communication came down to looking at a few different questions (and I added a few): What exactly is the problem, and has a solution been identified? What type of information is needed? Who has legal authority? Have international procedures been established? Are all concerned bodies part of the procedure and willing to cooperate? How do we test the procedure? How do we measure success? Who is responsible for updates?

These questions are not exactly easy to answer, even within a single organization, and working with multiple organizations in multiple jurisdictions to find answers to these questions is even more difficult and time consuming. In my opinion, this is where providers of formal networks should be filling in the gaps. I should not expect my local investigators to create their own international networks, and unless this process is centralized then different procedures will be created, incomplete networks will be formed and there will be much duplication of effort.

The rest of the conference further discussed communication and law, examined current threats, and some gave case studies (success stories) involving international communication and collaboration between international law enforcement, private sector and sometimes academia.

Overall the conference is directed at practitioners. It did not get very technical nor theoretical, and could probably be understood by anyone regardless of their familiarity with cybercrime. Some cybercrime damage estimates were given, although how to accurately measure is a problem that was not addressed. The estimates looked impressively dramatic, but felt like the stats from different presentations did not relate to each other well.

Similarly, definitions used in each presentation were quite different for the same terminology. The group was composed of people from many different countries, all practitioners, but a lack of consistency in the use (and scope) of terms was an obvious communication problem, even for terms as general as “cybercrime”. Sometimes nonstandard term usage made it difficult for me to know exactly what the speaker really meant. This made me realize that even in the same area of cybercrime investigation, we are speaking different languages. How do we expect to be able to communicate at a practical level when it is so difficult to accurately communicate our needs in a way that can be understood by everyone in the area?

Many case studies were given by law enforcement that dealt with international communication, but other than “we need more / better communication” I really did not see any actionable solution proposed beyond ad-hoc cooperation. From these great case studies and information from the private sector, I was still left with a feeling of where do we start?

Overall, I found the conference to be interesting. Topics were mostly on communication, but, unfortunately, with few actionable items discussed. Case studies are useful for understanding problems and potential solutions. Some slightly more technical presentations outlined how technologies can potentially be used to help law enforcement's current situation when dealing with cybercrime. The (potentially) most useful benefit of the conference, however, was the contacts made. There was not enough time to talk to everyone as much as I would have liked, but there appears to be potential in the group to help drive effective law enforcement communication on a global scale.


1. The G8 24/7 High Tech Crime Network (HTCN) is an informal network that provides around-the-clock, high-tech expert contact points (source: IT Law Wiki).

Digital Crime Categorization using the AFP CCPM

When attempting to gather statistics about digital crime and investigations in different countries, and sometimes even at a national level, the inconsistent categorization of different digital crimes makes measurement and analysis difficult. Looking at various digital crime categorization schemes, like those described in Casey's Digital Evidence and Computer Crime, categorization is limited to categorizing the role of the technology in the crime. Crime categorization by law enforcement, however, is based on crime type. From what I have seen, digital investigators categorize the crimes they are interested in not by the role of technology in the crime, but by the type of crime committed. The digital component rarely seems to be a factor in categorization (the digital component is assumed); practical classification instead relies on the type of crime.

The Australian Federal Police (AFP) have made available their crime categorization and prioritization model (CCPM), and to my knowledge this is the only publicly available model of its kind. If you know of another case categorization and prioritization model that is available, either publicly or for law enforcement specifically, please leave a comment or contact us. The CCPM is a good starting point for the categorization of all types of crime.

We are currently looking at applying the AFP's model as a template for the categorization and prioritization of crime with a digital component. Prioritization is an interesting problem that will be discussed further later. But in attempting to prioritize, it is important to have crime categories clearly and meaningfully defined. We will be working on this more over the next few days.

Update: Financial fraud category reference: http://fightfraud.nv.gov/fin_fraud_types.htm

Developing an Open Source Digital Forensics Laboratory

The UCD CCI Forensic Summer School will be held here in Dublin from 20th-30th August, 2012. This year's topic is the development of Open Source digital forensic laboratories.

You can find additional information on the summer school, including the topic list and schedule. General information is available at www.cci.ucd.ie and registration for the event will remain open until Friday 29th June.

To register for this event, please complete the form at http://cci.ucd.ie/content/digital-forensics-summer-school-2012

General topic areas include:

- Hardware:
  - Computer Evidence Storage
  - Forensic Processing Hardware
- Software:
  - Triage
  - Preliminary Analysis
  - Full Forensic Analysis
- Forensic Processes:
  - Child abuse cases
  - Email retrieval
  - Chat retrieval
  - Fraud/Theft/Counterfeiting
  - Drug Case Examinations
  - Money Laundering Examinations
- Reporting on Forensic Examinations:
  - Formulating a Triage Report
  - Formulating a Preliminary Analysis Report
  - Formulating a Full Forensic Report
- Exhibit and Case Management:
  - Managing cases / updating examination results incrementally
  - Associating exhibits submitted for examination with individual cases
  - Associating forensic examination reports with cases and exhibits

Project ATOM

Project: ATOM
Purpose: Digital forensic investigation process automation framework
Status: Active
License: GNU GPLv3
Developer(s): Joshua James, Martin Koopmans

More information:

Project ATOM is a digital forensic investigation process automation framework for triage, preliminary analysis and full examination automation tasks. It is designed to be an easily extendable framework that allows expert investigators to create fully automated investigation process models that are run from a CD/USB device against a suspect system. Investigators can configure process models per case type to allow extraction, and possibly analysis, of case-type-specific data.

Project ATOM also seeks to support localization as much as possible, allowing investigators and first responders to work in their own language regardless of the process models and tools used.

Related Publications:

Links:

Automated Network Triage (ANT) / Profiler

Project: Automated Network Triage (ANT) / Profiler
Purpose: Client-server based triage of suspect systems for case relevance sorting
Status: Active
License:
Developer(s): Martin Koopmans

More information:

ANT is a tool to conduct triage (artifact sorting) on-scene in large corporate networks. ANT is also very useful in a forensic lab to help reduce backlogs.

ANT has been developed using a client-server model, where the network clients boot from a forensically sound Linux OS that is served by the ANT server using PXE. With ANT it's easy to find targeted suspect data on network clients, which can then be centrally analyzed on the ANT server.

Profiler is an extension that has been developed to get a fast overview of the information on a system before starting a full investigation. Profiler parses all Windows Registry files (sam, system, software, security) and Internet files (Chrome, Firefox, Safari and Internet Explorer). Profiler reads EWF images, DD images and physical disks.

Profiler functions have been integrated into ANT.

Related Publications:

- Koopmans, M.B., J.I. James (2013). "Automated Network Triage". Digital Investigation. Elsevier. ISSN 1742-2876. DOI 10.1016/j.diin.2013.03.002.
- James, J.I., M. Koopmans, P. Gladyshev (2011, June 14). "Rapid Evidence Acquisition Project for Event Reconstruction". The Sleuth Kit & Open Source Digital Forensics Conference, McLean, VA, Basis Technology. http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/

Links:

Goldfish

Project: Goldfish
Purpose: Mac OS X automated memory acquisition and analysis tool
Status: Not Active
License: GNU GPLv3
Developer(s): Afrah Almansoori, Pavel Gladyshev

More information:

Goldfish is a Mac OS X live forensic tool for use by law enforcement. Its main purpose is to provide an easy-to-use interface to dump the system RAM of a target OS X machine via a FireWire connection. It then automatically extracts the current user's login password and any open AIM conversation fragments that may be available.

Related Publications:

- Gladyshev, P. and A. Almansoori (2010). "Reliable Acquisition of RAM dumps from Intel-based Apple Mac computers over FireWire". Second International Conference on Digital Forensics and Cyber Crime (ICDF2C). Abu Dhabi, UAE, ICST.

Links:

- Publications
  - http://www.springerlink.com/content/l5368587354m3724/
- Websites
  - DigitalFIRE Goldfish Project Page
  - Goldfish on Forensics Wiki