digital forensic reconstruction and the virtual security
play

Digital Forensic Reconstruction and the Virtual Security Testbed - PowerPoint PPT Presentation

Sep 14, 2023 •198 likes •433 views

1 Norwegian University of Science and Technology Digital Forensic Reconstruction and the Virtual Security Testbed ViSe DIMVA 2006 Andr rnes, Norwegian University of Science and Technology Paul Haas, University of California Santa Barbara

  1. 1 Norwegian University of Science and Technology Digital Forensic Reconstruction and the Virtual Security Testbed ViSe DIMVA 2006 André Årnes, Norwegian University of Science and Technology Paul Haas, University of California Santa Barbara Giovanni Vigna, University of California Santa Barbara Richard A. Kemmerer, University of California Santa Barbara A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  2. 2 The Problem • Test attack tools as part of a digital forensic reconstruction to support or refute a hypothesis • Analogy to testing firearms ballistics in physical forensics • We employ the ViSe virtualization environment to minimize resource usage • The goal is to perform testing in a forensically sound manner in order to present the results in court A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  3. 3 Digital Forensics • Digital crime scene – Attack hosts – Victim hosts – Third-party hosts • Digital evidence – E.g., network dump, file, log entries, IDS alerts, RAM, etc. – Evidence dynamics: ”any influence that changes, relocates, obscures, or obliterates physical evidence, regardless of intent” [Chisum 2000] • Event Reconstruction – We wish to determine the most probable sequence of events – Hypothesis – Event chain – Each event has causes and effects A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  4. 4 Methodology Configure testbed Replay attack Alternative Acquire+verify images hypothesis Perform analysis Compare to evidence A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  5. 5 Clarifications • This work does not subsitute the digital forensic investigation itself. • The event reconstruction is not a ”crime reenactment”. • The reconstruction can only be an approximation of the real case. Its purpose is only to support or refute a hypothesis. • A reconstruction with corresponding testing is still possible even if all the evidence in a digital crime scene may not be available to an investigation. A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  6. 6 Testbeds • Physical testbeds – Netbed, Deter • Virtualization platforms – Xen, MS Virtual PC, UML, VMware • Simulations and modeling – LLSIM, [Stephenson 2003], [Gladyshev et al 2004] A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  7. 7 ViSe • The Virtual Security Testbed, developed by Mike Richmond at UCSB. • Virtualization with VMware • Resource and time savings through the use of VMware snapshots. • 80GB for 70 system configurations based on 10 OSs. • Setup: Digital crime scene, analysis host A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  8. 8 Example Configuration • ViSe contains a tree of successive changes derived from base systems. • Each configuration is saved using the VMware snapshot feature. A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  9. 9 ViSe Integrity Issues • Data contamination between the host and guest operating system. • Virtual networks should be disconnected from physical networks during testing. • Shared folders should be disabled during testing. • Virtualized environment may differ from physical – this may be fingerprinted by intelligent tools and exploited. A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  10. 10 Forensic Analysis Image • The purpose is to acquire and verify images of the different snapshots. • Both hard drives and RAM can be imaged. • The tools used are dcfldd and md5sum . • The VMware files are proprietary, but we only care about the virtual file system that is contained within the VMware files. A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  11. 11 Example – Multistep Attack “An attack host running Fedora Core 3 has launched and completed a multi-step attack against the victim host running Fedora Core 3. The multi-step attack consists of an Nmap scan (e1), an exploit of the phpBB 2.0.10 viewtopic.php vulnerability (e2), an installation of bindshell on port 12497 named httpd (e3), an exploit of a vulnerable iwconfig buffer overflow vulnerability (e4), the creation of a non-root user and root backdoor (e5), and finally the removal of traces (e6).” A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  12. 12 Example – Multistep Attack 1. Network scan 2. Attacker exploits phpBB 2.0.10 viewtopic.php 3. Attacker retrieves a bindshell using wget 4. Attacker discovers vulnerable version of iwconfig 5. Attacker creates a user and retrieves a backdoor 6. Attacker becomes root A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006 André Årnes, Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  13. 13 Example -- Configuration A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  14. 14 Example – Event Chain DD DD DD DD DD DD DD image image image image image image image Effects Effects Effects Effects Effects Effects of e1 of e2 of e3 of e4 of e5 of e6 A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  15. 15 Example -- Effects of Event 1 Host Evidence Name Action Type Vulnerable File /var/log/messages M Vulnerable File /var/log/httpd/access_log M Vulnerable File /var/log/secure M Vulnerable File /var/lib/mysql/mysql/phpbb_sessions.MYI M Vulnerable File /var/lib/mysql/mysql/phpbb_sessions.MYD M Vulnerable File /etc/cups/certs/0 M Third-party File /var/log/snort/snort.log.* C Vulnerable IDS (portscan) TCP Portsweep: Attacker C Third-party IDS (portscan) TCP Portscan: Attacker to Victim C Third-party Network GET /phpBB2/ HTTP/1.1: Attacker to Victim:80 C A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  16. 16 Example -- Effects of Event 2 Host Evidence Name Action Type Vulnerable File /var/log/httpd/error_log M Vulnerable File /var/log/httpd/access_log M Vulnerable File /var/log/secure M Vulnerable File /var/lib/mysql/mysql/phpbb_sessions.MYI M Vulnerable File /var/lib/mysql/mysql/phpbb_sessions.MYD M Vulnerable File /var/lib/mysql/mysql/phpbb_topics.MYI M Vulnerable File /var/lib/mysql/mysql/phpbb_topics.MYD M Vulnerable File /etc/cups/certs/0 M Third-party IDS WEB-PHP viewtopic.php access: Attacker to C Victim:80 Third-party IDS (http inspect) DOUBLE DECODING ATTACK: C Attacker to victim:80 Third-party Network TCP Connection established: Attacker to Victim: 4321 C Third-party IDS ATTACK-RESPONSES id check returned userid: C Victim: 4321 to Attacker A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  17. 17 Example – alternative hypothesis • “An attack host running Fedora Core 3 has launched and completed a multi-step attack against the victim host running Fedora Core 3. The multi-step attack consists of an Nmap scan (e1), an exploit of the phpBB 2.0.10 viewtopic.php vulnerability (e2), an installation of bindshell on port 12497 named httpd (e3), an exploit of the cdrecord environment variable privilege escalation vulnerability (e4a), the creation of a non-root user and root backdoor (e5a), and finally the removal of traces (e6a).” A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  18. 18 Discussion • Presentation in court – Support interpretation of digital evidence Pentium 4 VMware – Explain discrepancies Boot time 1m9s 2m • Timing and complexity issues Reboot time 1m22s 2m20s – Some attacs are Take snapshot NA 8s nondeterministic Restore state NA 9s – Large number of hosts involved Clone full image (7,6GB) NA 8m6s • Performance issues Copy partition image (dcfldd) 11m21s 48m46s – Snapshots are efficiently saved Hash all files in image (sha256deep) 3m56s 26m38s and restored Extract all strings from image (strings) 6m57s 118m47s – Forensic analysis can be perfmormed outside ViSe for performance reasons A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

  19. 19 Conclusions • Efficient event reconstruction • Reusable snapshots • Focus on forensic analysis • Supports or refutes hypotheses in court A. Årnes, P. Haas, G. Vigna, R. A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Testbed ViSe, DIMVA 2006

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

6/21/09 Archeological Face Reconstruction Facial Modelling for Forensic Facial Reconstruction

6/21/09 Archeological Face Reconstruction Facial Modelling for Forensic Facial Reconstruction

6/21/09 Archeological Face Reconstruction Facial Modelling for Forensic Facial Reconstruction and Identification D. Vandermeulen 1 P. Claes 3 , S. De Greef 2 , G. Willems 2 , P. Suetens 1 1 Medical Imaging Research Center, Katholieke Universiteit

394 views • 11 slides
Digital Leave No One Behind Platform Virtual session on Digital Security civic --- 24th of

Digital Leave No One Behind Platform Virtual session on Digital Security civic --- 24th of

Gigi Pasco Ong-Alok - COC Nederland Digital Leave No One Behind Platform Virtual session on Digital Security civic --- 24th of March Space Why talk about digital civic space and digital rights? and Case Study: Digital space in the

418 views • 9 slides
A Probabilistic Model for Reconstruction of Torn Forensic Documents Ankush Roy 1 and Utpal

A Probabilistic Model for Reconstruction of Torn Forensic Documents Ankush Roy 1 and Utpal

A Probabilistic Model for Reconstruction of Torn Forensic Documents Ankush Roy 1 and Utpal Garain 2 1.Dept. of Computing Science, Univ. of Alberta, Canada. 2.CVPR Unit, Indian Statistical Institute, India. ICDAR 2013 Background Background

436 views • 17 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. History and definition of Digital Forensics 2. Context for an investigation 3. An overview of

1.04k views • 65 slides
3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video Using Kinect Raw Depth Image Infrared laser projector Monochrome CMOS sensor Demo Kinect Raw data Real-time Reconstruction Pipeline Measurement

508 views • 34 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* * Preliminary programme, subject to revision/update status 16 December 2014 4 February 2015 Day 1: Cyber Security Readiness Registration KU

306 views • 4 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute intro to Digital Forensics Some challenges scale cloud the encryption boundary anti-forensics Digital Forensics in 2 mins

415 views • 7 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
6.2 Surface Reconstruction Hao Li http://cs599.hao-li.com 1 Surface Reconstruction physical

6.2 Surface Reconstruction Hao Li http://cs599.hao-li.com 1 Surface Reconstruction physical

Spring 2015 CSCI 599: Digital Geometry Processing 6.2 Surface Reconstruction Hao Li http://cs599.hao-li.com 1 Surface Reconstruction physical captured reconstructed model point cloud model 2 Input Data Set of irregular sample points

879 views • 84 slides
6.2 Surface Reconstruction Hao Li http://cs621.hao-li.com 1 Surface Reconstruction physical

6.2 Surface Reconstruction Hao Li http://cs621.hao-li.com 1 Surface Reconstruction physical

Spring 2017 CSCI 621: Digital Geometry Processing 6.2 Surface Reconstruction Hao Li http://cs621.hao-li.com 1 Surface Reconstruction physical captured reconstructed model point cloud model 2 Input Data Set of irregular sample points

1.13k views • 84 slides
OSAC Update Mark D. Stolorow Director for OSAC Affairs Office of Special Programs National

OSAC Update Mark D. Stolorow Director for OSAC Affairs Office of Special Programs National

National Commission on Forensic Science Washington, DC May 13, 2014 OSAC Update Mark D. Stolorow Director for OSAC Affairs Office of Special Programs National Institute of Standards and Technology Current and Proposed NIST Forensic Science

632 views • 15 slides
p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

Introduction to logical reasoning for the evaluation of forensic evidence Geoffrey Stewart Morrison p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation of forensic evidence - ENFSI Guideline for

936 views • 67 slides
Lockpicking Forensics datagram datagram.layerone@gmail.com Black Hat USA Briefings, 2009

Lockpicking Forensics datagram datagram.layerone@gmail.com Black Hat USA Briefings, 2009

Lockpicking Forensics datagram datagram.layerone@gmail.com Black Hat USA Briefings, 2009 Agenda How locks/picks work Normal wear Lock Analysis Key Analysis Investigative process Destructive entry still #1! How Locks Work

1.39k views • 117 slides
Experimental Mathematics : And Its Implications Jonathan M. Borwein, FRSC Research Chair in IT

Experimental Mathematics : And Its Implications Jonathan M. Borwein, FRSC Research Chair in IT

Experimental Mathematics : And Its Implications Jonathan M. Borwein, FRSC Research Chair in IT Dalhousie University Halifax, Nova Scotia, Canada 2005 Clifford Lecture I Tulane, March 31April 2, 2005 Elsewhere Kronecker said In

685 views • 45 slides
rs ss

rs ss

trt t rss tr trtrs sss strt rs

568 views • 37 slides
Impact of Language Access and the Requirements of Title VI on Law Enforcement September 29, 2017

Impact of Language Access and the Requirements of Title VI on Law Enforcement September 29, 2017

Thank you for joining us today! Impact of Language Access and the Requirements of Title VI on Law Enforcement September 29, 2017 2-3:30pm Central Time Michael P. LaRiviere , Victim Services, Salem Police Department This project was supported

663 views • 9 slides
Linux and Law Enforcement Challenges and Opportunities Dr. Joshua I. James Digital Forensic

Linux and Law Enforcement Challenges and Opportunities Dr. Joshua I. James Digital Forensic

Linux and Law Enforcement Challenges and Opportunities Dr. Joshua I. James Digital Forensic Investigation Research Laboratory SoonChunHyang University Joshua@cybercrimetech.com http://forensics.sch.ac.kr whoami Dr. Joshua I. James

399 views • 36 slides
Promotion Test 2020 When is Promotion Test? Promotion Test would be held on the 20th of October

Promotion Test 2020 When is Promotion Test? Promotion Test would be held on the 20th of October

Promotion Test 2020 When is Promotion Test? Promotion Test would be held on the 20th of October 2020 for ALL batches. 2 16th Batch Promotions Test Ranks to be Taken All cadets in 16th Batch would be taking the test to promote to the rank of

160 views • 14 slides

More recommend