Information Assurance Center Iowa State University 1 Computer Forensics – Iowa State University...


Computer Forensics – Iowa State University Experience

ISU Information Assurance Center

www.iac.iastate.edu

April 18, 2003


Outline

Computer Forensics:
• Research
• Education
• Outreach

About the ISU program:
• Research
• Education
• Outreach


Forensics Research

Network Origin Identification (Tom Daniels)

Accountable Anonymity (Yong Guan, Tom Daniels)

Tracing Encrypted Connections (Yong Guan)


Network Origin Identification

• Finding the wily hacker!
– Many ways that an attacker can conceal his computer/location/identity

• Lying about/Laundering of Identity
– Authentication is too expensive/problematic to use for everything
– Forensic approaches are needed

• Passive Origin Id System for Networks (POISN)
– Build an architecture that can trace numerous different types of traffic
– Leverage and incorporate past work in origin id.


Origin Identification Techniques

• Allows:
– Prosecution/Civil Litigation
– Cessation/Filtering of Attacks

● Past Work Focuses on Individual Types of Origin Concealment

● POISN develops a general architecture that incorporates past work and allows tracing new types of traffic.


POISN Approach

• Distributed Multisource
– Incorporates network and host data sources
– Can trace many types of traffic
– Subject to covert channel problems
– Requires wide deployment

• Distributed Network
– Just network data sources
– Less intrusive to use
– What traffic can be traced without host access?


Accountable Anonymity

• Problem Definition

• Networked computer systems can be attacked from virtually anywhere in the world, and attackers can easily hide their identity and origin through stepping stones such as anonymity systems. Even worse, encrypted attack traffic makes tracing the source of an attack substantially more difficult.

• Our proposed approaches make it possible to trace encrypted attack traffic through a chain of stepping stones in real time, which can help to stop further attacks and to apprehend and punish those who are responsible.

• Solution will be applicable to a wide range of forensic investigations at all levels.


Accountable Anonymity

• Technical Approach:

• We address this tracing problem through a novel correlation scheme based on statistical timing, size, and other properties of the incoming traffic and outgoing traffic of a stepping stone, rather than the contents of the network messages.

• The basic approaches include statistical traffic analysis, pattern recognition, and network tomography.
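
As an added illustration (not the ISU researchers' scheme and not code from this presentation), the Python example below shows the general idea of matching a stepping stone's inbound flow to one of its outbound flows using only packet timing and size, never payload content. The binned Pearson correlation, the function names, the threshold and the sample flows are all assumptions constructed for this example.

```python
import math

def bin_series(packets, t0, width, nbins):
    """Packet-count and byte-count series per time bin for (timestamp, size) pairs."""
    counts, sizes = [0] * nbins, [0] * nbins
    for ts, size in packets:
        i = int((ts - t0) // width)
        if 0 <= i < nbins:
            counts[i] += 1
            sizes[i] += size
    return counts, sizes

def pearson(x, y):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0

def correlate(inbound, outbound, width=0.5, nbins=20, max_lag=2):
    """Best mean of timing and size correlation over small relay delays (in bins)."""
    t0 = min(ts for ts, _ in inbound)
    in_counts, in_sizes = bin_series(inbound, t0, width, nbins)
    best = -1.0
    for lag in range(max_lag + 1):
        out_counts, out_sizes = bin_series(outbound, t0 + lag * width, width, nbins)
        score = (pearson(in_counts, out_counts) + pearson(in_sizes, out_sizes)) / 2
        best = max(best, score)
    return best

def rank_outbound(inbound, candidates, threshold=0.8):
    """Score every outbound flow; return scores and names at or above threshold."""
    scores = {name: correlate(inbound, flow) for name, flow in candidates.items()}
    matches = sorted((n for n in scores if scores[n] >= threshold), key=lambda n: -scores[n])
    return scores, matches

# Constructed sample data: (seconds, bytes) seen at one stepping stone.
INBOUND = [(0.00, 80), (0.15, 96), (0.30, 80), (2.05, 400), (2.15, 1200), (2.30, 640),
           (5.05, 80), (5.30, 96), (7.55, 1400), (7.65, 1400), (7.80, 900), (9.20, 80)]
CANDIDATES = {
    # Same traffic re-encrypted and forwarded: 0.6 s later, 16 bytes of overhead each.
    "relay": [(ts + 0.6, size + 16) for ts, size in INBOUND],
    # Unrelated periodic flow leaving the same host.
    "heartbeat": [(0.2 + 0.5 * k, 200) for k in range(20)],
}

if __name__ == "__main__":
    scores, matches = rank_outbound(INBOUND, CANDIDATES)
    for name, score in scores.items():
        print(f"{name}: {score:.3f}")
    print("likely relayed flow(s):", matches)
```

The relayed flow only lines up once the relay delay is searched over; with `max_lag=0` its score is negative, which is why a practical correlator has to tolerate forwarding latency.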


Accountable Anonymity

[Figure: diagram with the labels Target System, Stepping Stones, and Attacker]


Tracing Encrypted Connections

• Anonymity is a key technique for protecting people’s privacy. However, it can be used to launch attacks. The attackers can easily hide their identity and origin through anonymity systems.

• Our proposed research aims at developing an innovative concept, “Accountable Anonymity,” by introducing accountability into anonymity, and designing approaches to implement accountable anonymity.

• Solution will be applicable to a wide range of forensic investigations at all levels.


Tracing Encrypted Connections

• Technical Approach:

• We address this by studying security implications of various anonymity mechanisms and impacts of human factors and law and policy issues, and designing a sweet spot (i.e., accountable anonymity) between accountability and anonymity.

• Our previous publications on anonymity research:
– Y. Guan, et al, “An Optimal Strategy for Anonymous Communication Protocols,” IEEE ICDCS 2002.
– Y. Guan, et al, “A Quantitative Analysis of Anonymous Communications,” in IEEE Transactions on Reliability, to appear.
– T. Daniels, et al, “Identification of host audit data to detect attacks on low-level IP vulnerabilities,” Journal of Computer Security, 1999.


Forensics Education

• Computer Forensics & Cyberspace Camouflaging


Computer Forensics & Cyberspace Camouflaging

• Graduate survey of modern topics in computer forensics and cyberspace camouflaging.

• Computer forensics studies cyber-attack prevention, planning, detection, and response with the goals of counteracting cybercrime, cyberterrorism, and cyberpredators and making them accountable.

• Cyberspace camouflaging techniques (e.g., anonymity) are likely to be effective methods against hostile computer forensics.


Computer Forensics & Cyberspace Camouflaging

• Module I: Overview of Computer Forensics and Cyberspace Camouflaging (1 week)

• Module II: Basics of Computer Networks and Operating Systems (1.5 weeks)

• Module III: Advanced Topics of Computer Forensics (4 weeks)

• Module IV: Intrusion Detection and Response (3 weeks)

• Module V: Steganography & Steganalysis (1 week)

• Module VI: Anonymity/Pseudonymity/Privacy Protection (e.g., P3P) (3 weeks)

• Module VII: Legal and ethical issues (1 week, optional)


Forensics Outreach

MFRC

DPS

Cyber Crime Lab


Midwest Forensics Resource Center

• Partnership of Crime Laboratories in IA, IL, WI, MN, ND, SD, NE, KS, and MO, with ISU and the USDOE Ames Laboratory

• Four-part Program
– Casework
– Training
– Education
– Research

• Funded by National Institute of Justice

• Director: David P. Baldwin, (515)294-2069


Midwest Forensics Resource Center

Initial DOJ funding started end of August, 2002.
• A second round of funding was authorized during February of 2003.

Has held three Annual Meetings – also specialized regional meetings for crime labs and:
• rural law enforcement,
• agencies charged with countering agro-terrorism,
• college/university forensic science programs


Midwest Forensics Resource Center

Progress in four program areas:

• Casework Assistance: performed work for crime lab or local law enforcement
– helped determine cause of 2 deaths,
– employed university resources to investigate video tape,
– identified biological materials found on a burglary suspect (thought to tie him to a crime scene)

• Training:
– Providing academic and R&D lectures and video to crime labs,
– invited by FBI to become regional training partner

• Education:
– held regional meeting of forensic science education programs and state/regional crime labs

• Research:
– Issuing RFP’s, performing R&D project for FBI


ISU Department of Public Safety

• Guest lectures in class
– Legal issues
– Ethical issues
– Case studies

• Computer Case work
– Over 10 cases
– Helped serve search warrants
– Educated officers in cyber crime


Case work

• Backdoor software installed on lab of computers to capture password

• Password capture software installed on web server

• Computers are used for spam mail

• New computer attacked within 15 minutes of being installed

• Child porn, IP theft, Software theft.


Cyber Crime Lab

• Partnership between:
– MFRC
– IAC
– ISU’s Department of Public Safety

• Goals:
– improve computer security education at ISU,
– provide source of computer security R&D ideas,
– improve campus and local computer forensic investigation,
– establish a new forensics resource for rural Iowa


Cyber Crime Lab

• Replaces State Cyber Crime Lab

• Faculty, Students, and Law enforcement will become certified in computer forensics

• Lab established in DPS facility

• Training ground for students.

• Work on both criminal and civil cases


Information Assurance at ISU

• Multidisciplinary: seven academic departments

• Synergistic: 30+ faculty, joint research

• Sustained Education: 12 IA courses offered each year

• Outreach: seminars and short courses to state agencies and industry; security awareness integrated in other curricula; significant inter-University projects

• University and Regents support: IA Center, MS degree, Graduate Certificate, Ph.D. & undergraduate minor under consideration


Research

[Figure: IAC Research Areas, with participating departments]

• Policy, leadership, ethics (Political Science, Education)

• Attack Tolerant Networks (ComS, CprE)
– Protocol survivability
– Internet survivability
– Physical survivability

• Intrusion Detection Systems (ComS, CprE, MIS, IMSE)
– MAIDS
– FIRE
– Data Mining

• Ad-Hoc Network Security (ComS, CprE, Math)
– Wireless
– Secure groups
– Secure key exchange

• Data Privacy and Security (ComS, CprE)
– Data Privacy
– Computer Forensics
– Trace back
– Anonymous computing


Education

• Graduate education
– Courses since 1995
– NSF CyberCorps fellowships
– Masters of Science in Information Assurance
– MS programs specializing in IA in: CprE, CS, Math, PolySci, MIS, and IMSE
– PhD programs specializing in IA: CprE and CS
– Graduate Certificate in IA
– Ph.D. Program planned for next year


Courses

• CprE 530: Computer Network Protocols (distance education)
• CprE 531: Computer System Security (distance education)
• CprE 532: Information Warfare (distance education)
• CprE/Math 533: Cryptography (distance education)
• CprE 534: Legal & Ethical Issues in Security
• CprE 537: Security in Wireless Communications
• ComS 586: Network Architectures
• ComS 552: Advanced Operating Systems
• CprE 592: Seminar (new topics)
• IE 581X: E-Commerce Systems Engineering
• MIS 533: Data Management for Decision Makers
• MIS 534: Electronic Commerce
• MIS 535: Telecommunications Management
• MIS 538: Business Processes and Systems
• PolySci 421: Constitutional Freedoms
• PolySci 487/587: Electronic Democracy
• PolySci 486/586: Science, Technology, and Public Policy

Note: CprE 530, 531, 532, and 533 lead to an Iowa State University Certificate in Information Assurance


Outreach

• Seminars, tutorials, media “experts”

• Membership on over 10 national panels, boards, and committees

• NSF faculty development workshop

– Summer workshops to increase the number of faculty who teach IA

– 20 faculty members invited from across the Midwest


Future

• IU/CRC Proposal

• Cyber protection lab

• Increased research funding

• Continued participation at state and national level.


NSF I/UCRC

• Center for Information Protection

• Needs at least 18 companies to commit to $600,000 a year in funding for 5 years.

• NSF funded support for the operation of the center


NSF I/UCRC

• NSF provided $10,000 planning grant to raise the funding to create the center

• University Partners:
– Mississippi State University
– University of Kansas
– Other schools will be added

• (talking with NCSU and Duke)


• QUESTIONS?