Post on 14-Jun-2015
Automated Production of Predetermined Digital Evidence
Submitted by Vipin Kumar (1104331054)
EC 3rd year
Under the able guidance and support of Prof. J.P. Saini
INTRODUCTION
2.4 billion Internet users worldwide.
2/3 of online adults have been victims of cybercrime.
Estimated global loss of $110 billion annually.
TERMINOLOGY
Digital evidence: any probative information stored or transmitted digitally. Ubiquitous, immaterial, local or remote.
DIGITAL ALIBI
An excuse supplied by a person suspected of a crime, based on digital evidence.
FALSE DIGITAL ALIBI
Tampering with digital information in order to fabricate such an alibi.
CASE STUDY
Rodney Bradford: 19 years old, charged in an armed robbery case.
Alberto Stasi: suspect in a murder case.
In both cases DNA traces and digital evidence on the PCs proved them innocent.
CREATION OF PREDETERMINED DIGITAL EVIDENCE
Alibi Maker (AM): an individual interested in constructing a false digital alibi.
Target System (TS): the personal computer of the AM.
AIM
To produce remote digital evidence, or even a mix of local and remote evidence.
Different strategies to accomplish this: involvement of another person, remotization, and automation.
REMOTIZATION
Remote control of the TS from a different machine. Two methods:
Using a KVM device
Software control from another PC
SOFTWARE CONTROL
Control software to pilot the TS from another computer.
Avoid installation: use a portable application such as TeamViewer Portable.
Success depends on the ability to obfuscate the server process.
KVM METHOD
A KVM switch over IP (IP-KVM) creates a remote connection to the KVM ports of the TS.
WHAT IT DOES
Digitizes and compresses the video signal of the TS for transmission to a remote controller.
Does not require any software to be installed.
PROBLEMS
The controller machine, or the MAC or IP address of the KVM, may be recorded by other components of the network, such as DHCP.
The necessity of human intervention.
Unwanted creation of logs and caches.
AUTOMATION
Automation: to have a false alibi at the required time without human interference. It is a type of program that can simulate any common user activity:
Web navigation, authentication, posting of messages, sending of emails, videogames.
THE AUTOMATION METHODOLOGY
DIGITAL EVIDENCE OF AN AUTOMATION
The automation may access resources on the TS and modify the system state.
TYPES
Wanted evidence
Unwanted evidence
UNWANTED EVIDENCE TYPES
Filesystem traces
Execution traces
Virtual memory traces
Login traces
UNWANTED EVIDENCE HANDLING
Requires awareness of the OS modules involved. Approaches:
A-priori avoidance
A-posteriori removal and obfuscation
A-PRIORI AVOIDANCE
Disabling any logging mechanisms: virtual memory, Prefetch, Volume Shadow Copy (can be suspicious).
Executing the automation from an external device.
A-POSTERIORI REMOVAL
Removal by a secure deletion procedure.
Manual deletion: using the DEFT suite to avoid suspicion.
Automatic deletion: difficult, as the executable files are read-only; interpreted programming languages can do the job.
OBFUSCATION
Using common file names.
Storing the suspicious files in system folders.
DEVELOPMENT OF AN AUTOMATION
(1) Preparation of the development environment
(2) Implementation of the automation
(3) Testing of the automation procedure
(4) Exportation of the automation
(5) Destruction of the development environment
PREPARATION AND DESTRUCTION OF THE ENVIRONMENT
Should be totally isolated from, and similar to, the TS.
Techniques to create a proper development environment:
Virtual machine
Live OS
Physically isolated system
IMPLEMENTATION OF THE AUTOMATION
Depends on the choice of automation technique. Some techniques are:
Using frameworks such as AutoIt
Writing hundreds of lines of code in any scripting language
Synchronization of all the automated operations
TESTING OF THE AUTOMATION PROCEDURE
Verify that the automation acts correctly.
Identify all the unwanted artifacts left by the automation.
Specific tools: process monitoring tools, digital forensic tools.
EXPORTING THE AUTOMATION
Network transfer
External memory transfer
V. AUTOMATION TOOLS
A framework that allows the implementation of the program.
Any programming language supporting GUI events.
VBScript
VBScript is a scripting language that can simulate user interaction such as mouse movements, clicks and keystrokes.
Does not require any third-party resources.
Provides more advanced simulation features than AutoIt.
UNWANTED EVIDENCE IN WINDOWS 7
Prefetch
Registry
Hibernation
Restore Points
EXECUTION
Load the script onto an SD card containing other multimedia files.
Access the SD card through File Explorer.
The script HexToDec.vb is launched with a simple double-click.
Hardcode the starting time.
CASE STUDY: WINDOWS 7
An advanced automation for Windows 7. Alibi timeline:
Time  Activity
T0    Execution of a Web browser
T1    Access to Facebook
T2    Posting of a message on Facebook
T3    System shutdown
Execution of a Web Browser
Crucial steps to avoid failures:
The Internet connection must be functioning and stable.
Disable the automatic saving of login information.
Add the websites to "Trusted sites".
USE OF BROWSER AND FB
ANALYSIS
Verification of the coherence of the digital evidence with the alibi timeline.
Discovery of any unwanted evidence left by the automation.
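An added worked example of the two analysis steps above, and of the artefact review that the testing step earlier calls for; it is not code from the presentation or from the Castiglione et al. paper. The Python script takes a constructed list of artefacts recovered from a target system, checks that every step of the T0..T3 alibi timeline is supported by an artefact of the expected kind in the right order, and then flags traces that a session consisting only of manual browsing would not leave: a script host among the execution (Prefetch) traces, a script opened from removable media, and user-visible events spaced with near-zero timing jitter. The event list, the drive letters, the script-host names and the jitter threshold are all constructed or assumed for illustration.

```python
"""Alibi-timeline coherence check and automation-artefact triage.

Added example, not taken from the presentation or from the Castiglione et al.
paper. Given artefacts recovered from a target system (TS), it (1) verifies
that every claimed alibi step is backed by an artefact of the expected kind,
in order, and (2) flags execution traces that a person who merely browsed
Facebook would not leave behind. All events are constructed sample data and
the indicator rules are assumptions chosen for illustration.
"""
from datetime import datetime
from statistics import pstdev

# Constructed forensic timeline of the TS: (timestamp, source, detail).
EVENTS = [
    ("2015-06-14 20:58:40", "prefetch", "WSCRIPT.EXE"),                        # script host executed
    ("2015-06-14 20:58:41", "filesystem", "E:\\photos\\HexToDec.vb accessed"),  # script on removable media
    ("2015-06-14 21:00:00", "prefetch", "IEXPLORE.EXE"),                       # T0: browser start
    ("2015-06-14 21:02:00", "browser_history", "https://www.facebook.com/login"),
    ("2015-06-14 21:04:00", "browser_history", "https://www.facebook.com/ (post submitted)"),
    ("2015-06-14 21:06:00", "eventlog", "system shutdown initiated"),
]

# The alibi under test, in the order of the T0..T3 timeline on the slide:
# (label, claim, artefact source that should support it, substring to look for).
ALIBI = [
    ("T0", "Execution of a Web browser", "prefetch", "IEXPLORE.EXE"),
    ("T1", "Access to Facebook", "browser_history", "facebook.com"),
    ("T2", "Posting of a message on Facebook", "browser_history", "post submitted"),
    ("T3", "System shutdown", "eventlog", "shutdown"),
]

# Assumed indicator rules (not from the slides): script hosts or automation
# frameworks among execution traces, and files opened from removable volumes.
SCRIPT_HOSTS = {"WSCRIPT.EXE", "CSCRIPT.EXE", "AUTOIT3.EXE"}
REMOVABLE_DRIVES = {"E:", "F:"}   # assumed drive letters of the SD card reader
MAX_HUMAN_JITTER_S = 1.0          # assumed: people do not repeat steps to the second


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def check_alibi_coherence(events, alibi):
    """Return (ok, report): ok is True only if every alibi step has a supporting
    artefact and the supporting artefacts occur in non-decreasing time order."""
    report, ok, last = [], True, None
    for label, claim, source, needle in alibi:
        match = next((e for e in events
                      if e[1] == source and needle.lower() in e[2].lower()), None)
        if match is None:
            ok = False
            report.append(f"{label} {claim}: NO supporting artefact")
            continue
        when = _ts(match[0])
        if last is not None and when < last:
            ok = False
            report.append(f"{label} {claim}: artefact at {match[0]} is out of order")
        else:
            report.append(f"{label} {claim}: supported by {match[1]} at {match[0]}")
        last = when
    return ok, report


def find_automation_indicators(events):
    """Return descriptions of artefacts inconsistent with purely manual use."""
    findings = []
    for when, source, detail in events:
        if source == "prefetch" and detail.upper() in SCRIPT_HOSTS:
            findings.append(f"{when}: execution trace of script host {detail}")
        if source == "filesystem" and detail[:2].upper() in REMOVABLE_DRIVES:
            findings.append(f"{when}: file accessed on removable volume: {detail}")
    # Timing heuristic: the user-visible steps of a scripted session tend to be
    # separated by a hard-coded delay, so their inter-event jitter is near zero.
    user_steps = sorted(_ts(when) for when, source, detail in events
                        if source in ("browser_history", "eventlog")
                        or (source == "prefetch" and detail.upper() not in SCRIPT_HOSTS))
    gaps = [(b - a).total_seconds() for a, b in zip(user_steps, user_steps[1:])]
    if len(gaps) >= 3 and pstdev(gaps) < MAX_HUMAN_JITTER_S:
        findings.append(f"user-activity events spaced at a constant {gaps[0]:.0f}s interval")
    return findings


if __name__ == "__main__":
    ok, report = check_alibi_coherence(EVENTS, ALIBI)
    print("alibi coherent with evidence:", ok)
    print("\n".join(report))
    print("automation indicators:")
    print("\n".join(find_automation_indicators(EVENTS)))
```

With the constructed data the alibi itself is coherent (each of T0..T3 has an artefact in order), which is exactly the situation a well-built automation aims for; the second function is what separates the two cases, because the Prefetch record of the script host, the script on the SD card and the metronomic two-minute spacing are the "unwanted evidence" the slides describe. In a real examination the same structure applies with artefacts parsed from Prefetch, browser history and the event log instead of the inline list.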
CONCLUSION
The given methodology could be exploited by a party.
An automation is a program able to simulate a series of human activities.
The problem of avoiding unwanted traces is also addressed.
A case study on a target system running Windows 7 is presented.
REFERENCE
A. Castiglione (Member, IEEE), G. Cattaneo, G. De Maio, and A. De Santis (Member, IEEE), "Automated Production of Predetermined Digital Evidence," IEEE Access. Received April 17, 2013, accepted April 24, 2013, published May 10, 2013.
Department of Computer Science, University of Salerno, Via Ponte don Melillo, Fisciano I-84084, Italy.
THANK YOU