forensic feature extraction and cross drive analysis
play

Forensic Feature Extraction and Cross-Drive Analysis Simson L. - PowerPoint PPT Presentation

Oct 12, 2023 •196 likes •552 views

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1:15pm, Tuesday, August 15, 2006 1 Todays forensic tools are designed for one drive at a time.

  1. Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1:15pm, Tuesday, August 15, 2006 1

  2. Today’s forensic tools are designed for one drive at a time. Primary Goals: Search and Recovery. Interactive user interface. Usage scenarios: • Recovery of “deleted” files. • Child porn scanning. • Trial preparation. 2

  3. Today’s tools choke when confronted with hundreds or thousands of drives. Which drives were used by my target? Do any drives belong to the target’s associates? Who is talking to who? Where should I start? Police departments and intelligence agencies have thousands of drives... 3

  4. Additional problems with today’s tools • Improper prioritization Letting priority be determined by the statute of limitations. • Lost opportunities for data correlation Was a message on hard drive X sent to hard drive Y? • Emphasis on document recovery rather than in furthering the investigation. 4

  5. Correlating data between drives is an untapped opportunity. How large is my target’s reach? Who is in the organization? Captured drives are an ideal social network analysis. 5

  6. This talk introduces Cross Drive Analysis Large scale forensics problem 1. Get a lot of drives Image Collection & Library Building 2. Image to a big disk Feature Extraction 3. Extract the Features } 4. Apply statistics and correlation Architecture Single 1st order 2nd Order Drive Cross-Drive Cross-Drive Analysis Analysis Analysis Single-drive feature application: drive attribution. Drive #51: Top email addresses (sanitized) Count Address(es) 8133 ALICE@DOMAIN1.com 3504 BOB@DOMAIN1.com 2956 ALICE@mail.adhost.com 2108 JobInfo@alumni-gsb.stanford.edu 1579 CLARE@aol.com 1206 DON317@earthlink.net 1118 ERIC@DOMAIN1.com 1030 GABBY10@aol.com 989 HAROLD@HAROLD.com 960 ISHMAEL@JACK.wolfe.net 947 KIM@prodigy.net 845 ISHMAEL-list@rcia.com 802 JACK@nwlink.com 790 LEN@wolfenet.com 763 natcom-list@rcia.com Feature extraction Most common email address is (usually) drive’s primary user. 13 40 , 000 Drive #172 30 , 000 31348 CCNS Drive #202 11609 unique 1334 CCNS 498 unique 20 , 000 Drive #134 Drive #214 Drive #21 5875 CCNS 709 CCNS 5182 CCNS Drive #80 10 , 000 827 unique 223 unique 1356 unique 1247 CCNS 286 unique Drive #171 346 CCNS 81 unique 200 0 First order analysis . Second order analysis 6

  7. Forensic Feature Extraction and Cross-Drive Analysis 1. Get a lot of drives Image Collection & Library Building 2. Image to a big disk Feature Extraction 3. Extract the Features } 4. Apply statistics and correlation Single 1st order 2nd Order Drive Cross-Drive Cross-Drive Analysis Analysis Analysis 7

  8. Uses of Cross-Drive Analysis 1. Automatic identification of hot drives 2. Improvements to single-drive systems 3. Identification of social network membership 4. Unsupervised social network discovery Related Work: • Garfinkel & Shelat, 158 drives, 2002 • FTK 2.0 — indexing multiple drives • IntelliDact and Workshare Protect scan for confidential information 8

  9. Feature extractors find pseudo-unique features Pseudo-Unique characteristics: Typical Features: • Long enough so collisions by • email addresses chance are unlikely. • Message-IDs • Recognizable with regular expressions. • Subject: lines • Persistent over time. • Cookies • Correlated with specific documents, • US Social Security Numbers people or organizations. • Credit card numbers • Hash codes of drive sectors 9

  10. Example: The Credit Card Number Detector. The CCN detector scans bulk data for ASCII patterns that look like credit card numbers. • CCNs are found in certain typographical patterns. (e.g. XXXX-XXXX-XXXX-XXXX or XXXX XXXX XXXX XXXX or XXXXXXXXXXXXXXXX ) • CCNs are issued with well-known prefixes. • CCNs follow the Credit Card Validation algorithm. • Certain numeric patterns are unlikely. (e.g. 4454-4766-7667-6672) 10

  11. CCN detector: written in flex and C++ Scan of Drive #105: (642MB) Test # pass typographic pattern 3857 known prefixes 90 CCV1 43 numeric histogram 38 Sample output: ’CHASE NA|5422-4128-3008-3685| pos=13152133 ’DISCOVER|6011-0052-8056-4504| pos=13152440 .’GE CARD|4055-9000-0378-1959| pos=13152589 BANK ONE |4332-2213-0038-0832| pos=13152740 .’NORWEST|4829-0000-4102-9233| pos=13153182 ’SNB CARD|5419-7213-0101-3624| pos=13153332 11

  12. Even with the tests, there are occasional false positives. CCN scan of Drive #115: (772MB) Test # pass pattern 9196 known prefixes 898 CCV1 29 patterns 27 histogram 13 .................@:|44444486666108|:<@<74444:@@@<<44 pos=82473275 ............#"&’&&’|445447667667667|..050014&’4"1"&’. pos=86493675 ......221267241667&|454676676654450|&566746566726322. pos=86507818 3..30210212676677..|30232676630232|.1.........001.01 pos=86516059 "&#&&’&41&&’645445&|454454672676632|.3............0.. pos=86523223 ..........".#""#"&’|445467667227023|..............366 pos=87540819 D#9?.32400.,,+14%?B|499745255278101|*02)46+;<17756669 pos=118912826 .GGJJB...>.JJGG...G|3534554333511116|...............6 pos=197711868 %.....}}}}}}.......|44444322233345|.....}}}}}}...... pos=228610295 %6"!) .&*%,,%-0)07.|373484553420378|<67<038+.5(+0+.3. pos=638491849 %6"!) .&*%,,%-0)07.|373484553420378|<67<038+.5(+0+.3. pos=645913801 12

  13. CDA Prototype System 1000 drives purchased on secondary market (1998–2006) 750 images 1.5TB data compressed. Many different organizations. 13

  14. Single-drive feature application: drive attribution. Drive #51: Top email addresses (sanitized) Address(es) Count ALICE@DOMAIN1.com 8133 BOB@DOMAIN1.com 3504 ALICE@mail.adhost.com 2956 JobInfo@alumni-gsb.stanford.edu 2108 CLARE@aol.com 1579 DON317@earthlink.net 1206 ERIC@DOMAIN1.com 1118 GABBY10@aol.com 1030 HAROLD@HAROLD.com 989 ISHMAEL@JACK.wolfe.net 960 KIM@prodigy.net 947 ISHMAEL-list@rcia.com 845 JACK@nwlink.com 802 LEN@wolfenet.com 790 natcom-list@rcia.com 763 Most common email address is (usually) drive’s primary user. 14

  15. Attribution histogram works even with lightly-used drives. Count on Total drives Extracted Email Addresses Drive #80 with address premium-server@thawte.com 117 278 server-certs@thawte.com 104 278 CPS-requests@verisign.com 61 286 personal-premium@thawte.com 44 253 personal-basic@thawte.com 42 250 personal-freemail@thawte.com 40 250 info@netscape.com 36 58 ANGIE@ALPHA.com 32 1 BARRY@BETA.com 23 1 CHARLES@GAMMA.com 21 1 DAVE.HALL@DELTA.com 21 1 DAPHNE@UNIFORM.com 20 1 ELLY@LIMA.com 18 1 FRANK@ECHO.com 16 1 HUGH@LIMA.com 16 1 IGGY@LIMA.com 16 1 GRETTA@XYZZY.com 15 1 VISTA@SNARF .com 15 1 Email addresses found on ≈ > 20 drives are not pseudo-unique 15

  16. First Order Cross-Drive Analysis: O ( n ) operations on feature files Applications: • Automatically building stop lists • Hot drive identification 16

  17. Automatic “stop lists:” features on many drives are not pseudo-unique. Drives with Total count Extracted Email Address address in corpus CPS-requests@verisign.com 286 64424 server-certs@thawte.com 278 32873 premium-server@thawte.com 278 31141 Mouse.Exe@Mouse.Com 262 493 LMouse.Exe@LMouse.Com 262 493 personal-premium@thawte.com 253 14660 personal-freemail@thawte.com 250 14843 personal-basic@thawte.com 250 14290 inet@microsoft.com 244 31456 mazrob@panix.com(*) 221 3265 java-security@java.sun.com 200 1200 java-io@java.sun.com 198 413 someone@microsoft.com 195 6193 bugs@java.sun.com 192 351 ca@digsigtrust.com 173 36800 name@company.com 169 1763 * mazrob@panix.com appears in clickerx.wav (Utopia Sound Scheme) 17

  18. A graph of # email addresses on each drive automatically identified drives used by bulk e-mailers. 3 , 000 , 000 2 , 500 , 000 2 , 000 , 000 Email addresses Email addresses 1 , 500 , 000 1 , 000 , 000 500 , 000 0 18

  19. Hot drive identification: Drives with high response warrant further attention. Only 7 drives had more than 300 credit card numbers. 19

  20. Hot drive identification: Drives with high response warrant further attention. 40 , 000 Unique CCNs Drive #172 Total CCNs 31348 CCNS 30 , 000 11609 unique 20 , 000 Drive #21 5182 CCNS 10 , 000 1356 unique Drive #171 346 CCNS 81 unique 200 0 Auto ATM Dealership Supermarket Medical Software State Center Vendor Secretary's Office These drives represent significant privacy violations. . 20

  21. First order analysis of # SSNs Unique Total Drive SSNs SSNs Drive #959 260 447 Drive #974 178 674 Drive #696 33 872 Drive #969 33 33 Drive #690 8 14 Drive #680 2 4 Drive #959 contained consumer credit applications. 21

  22. Second-order analysis uses the multi-drive correlation = # of drives D = # of extracted features F = Drives in corpus d 0 . . . d D = Extracted features f 0 . . . f F � 0 f n not present on d n FP ( f n , d n ) = 1 f n present on d n Scoring Function: F � S 1 ( d 1 , d 2 ) = FP ( f n , d 1 ) × FP ( f n , d 2 ) n =0 22

  23. Graph of scoring function: 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Reducing Dimensionality Feature Selection 1 Steven J Zeil Feature Extraction 2

Outline Reducing Dimensionality Feature Selection 1 Steven J Zeil Feature Extraction 2

Feature Selection Feature Extraction Feature Selection Feature Extraction Outline Reducing Dimensionality Feature Selection 1 Steven J Zeil Feature Extraction 2 Principal Components Analysis (PCA) Old Dominion Univ. Factor Analysis (FA)

602 views • 6 slides
3. Feature Extraction 3.1 Feature Extraction from Speech or other types of audio like music

3. Feature Extraction 3.1 Feature Extraction from Speech or other types of audio like music

3. Feature Extraction 3.1 Feature Extraction from Speech or other types of audio like music See Schukat-Talamazzini Chapter 3 2 Goal of Feature Extraction Capture essential information about speech Be robust against background

741 views • 55 slides
Feature Extraction 7-1 Ronald Peikert SciVis 2007 - Feature Extraction What are features?

Feature Extraction 7-1 Ronald Peikert SciVis 2007 - Feature Extraction What are features?

Feature Extraction 7-1 Ronald Peikert SciVis 2007 - Feature Extraction What are features? Features are inherent properties of data, independent of coordinate frames etc. Dimension of a feature: 0: point feature (often defined by n

840 views • 30 slides
Feature Extraction 7-1 Ronald Peikert SciVis 2008 - Feature Extraction What are features?

Feature Extraction 7-1 Ronald Peikert SciVis 2008 - Feature Extraction What are features?

Feature Extraction 7-1 Ronald Peikert SciVis 2008 - Feature Extraction What are features? Features are inherent properties of data, independent of coordinate frames etc. Dimension of a feature: 0: point feature (often defined by n

322 views • 30 slides
Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object Recognition I.Levner and V.Bulitko http://ircl.cs.ualberta.ca Outline Outline Motivation System Overview Feature Extraction Problem

601 views • 15 slides
Reducing Dimensionality Steven J Zeil Old Dominion Univ. Fall 2010 1 Feature Selection

Reducing Dimensionality Steven J Zeil Old Dominion Univ. Fall 2010 1 Feature Selection

Feature Selection Feature Extraction Reducing Dimensionality Steven J Zeil Old Dominion Univ. Fall 2010 1 Feature Selection Feature Extraction Outline Feature Selection 1 Feature Extraction 2 Principal Components Analysis (PCA) Factor

479 views • 36 slides
AB Feature Extraction Experiments Discussion Noise Robust LVCSR Feature Extraction Based on

AB Feature Extraction Experiments Discussion Noise Robust LVCSR Feature Extraction Based on

Introduction AB Feature Extraction Experiments Discussion Noise Robust LVCSR Feature Extraction Based on the Stabilized Weighted Linear Prediction HUT-TUT Fall DSP Seminar 2008 Heikki Kallasjoki Adaptive Informatics Research Centre

316 views • 18 slides
AUDIO FEATURE EXTRACTION AND ANALYSIS FOR SCENE SEGMENTATION AND CLASSIFICATION Zhu Liu and Yao

AUDIO FEATURE EXTRACTION AND ANALYSIS FOR SCENE SEGMENTATION AND CLASSIFICATION Zhu Liu and Yao

AUDIO FEATURE EXTRACTION AND ANALYSIS FOR SCENE SEGMENTATION AND CLASSIFICATION Zhu Liu and Yao Wang Tsuhan Chen Polytechnic University Carnegie Mellon University Brooklyn, NY 11201 Pittsburgh, PA 15213 {zhul,yao}@vision.poly.edu

433 views • 39 slides
Feature extraction for sentiment analysis on twitter data with spanish language Victor Mu niz

Feature extraction for sentiment analysis on twitter data with spanish language Victor Mu niz

Feature extraction for sentiment analysis on twitter data with spanish language Victor Mu niz Research Center in Mathematics. Monterrey, Mexico. Victor Mu niz (CIMAT Mty) Sentiment Analysis Junio 2015 1 / 33 Introduction Sentiment

898 views • 40 slides
Object based feature extraction of Google based feature extraction of Google Object Earth

Object based feature extraction of Google based feature extraction of Google Object Earth

International Electronic Conference on Sensors and Applications 1 16 June 2014 Object based feature extraction of Google based feature extraction of Google Object Earth i imagery for mapping termite mounds in magery for mapping termite

279 views • 9 slides
Feature Extraction Aleix M. Martinez aleix@ece.osu.edu Continuous Feature Space Let us now

Feature Extraction Aleix M. Martinez aleix@ece.osu.edu Continuous Feature Space Let us now

Machine Learning &amp; Pattern Recognition Feature Extraction Aleix M. Martinez aleix@ece.osu.edu Continuous Feature Space Let us now look at the case where we represent the data in a feature space of p dimensions in the real

510 views • 3 slides
Variability Extraction and Analysis Toolkit (VEXA) VEXA Introduction The Variability Extraction

Variability Extraction and Analysis Toolkit (VEXA) VEXA Introduction The Variability Extraction

Variability Extraction and Analysis Toolkit (VEXA) VEXA Introduction The Variability Extraction and Analysis (VEXA) toolkit is a collection of complementary procedures to help with many different tasks of variability extraction , feature analysis

269 views • 5 slides
Principal Component Analysis (PCA) CE-717: Machine Learning Sharif University of Technology

Principal Component Analysis (PCA) CE-717: Machine Learning Sharif University of Technology

Principal Component Analysis (PCA) CE-717: Machine Learning Sharif University of Technology Spring 2016 Soleymani Dimensionality Reduction: Feature Selection vs. Feature Extraction Feature selection Select a subset of a given feature

5.23k views • 40 slides
Image Analysis System Example: Image Classification System pre feature feature segmentation

Image Analysis System Example: Image Classification System pre feature feature segmentation

Image Analysis System Example: Image Classification System pre feature feature segmentation processing description selection post feature classification classification extraction 1 IIP Image Segmentation Grey-level thresholding

422 views • 15 slides
Introduction to Mobile Robotics Basics of LSQ Estimation, Geometric Feature Extraction Wolfram

Introduction to Mobile Robotics Basics of LSQ Estimation, Geometric Feature Extraction Wolfram

Introduction to Mobile Robotics Basics of LSQ Estimation, Geometric Feature Extraction Wolfram Burgard, Cyrill Stachniss, Maren Bennewitz, Giorgio Grisetti, Kai Arras Slides by Kai Arras Last update: June 2010 1 Feature Extraction:

439 views • 20 slides
Feature Extraction and Aggregation for Predicting the Euro 2016 Maryam Tavakol Hamid

Feature Extraction and Aggregation for Predicting the Euro 2016 Maryam Tavakol Hamid

Feature Extraction and Aggregation for Predicting the Euro 2016 Maryam Tavakol Hamid Zafartavanaelmi, and Ulf Brefeld Riva del Garda, Sep 19, 2016 Agenda Introduction Feature Extraction Prediction &amp; Learning Performance

239 views • 20 slides
Artificial Intelligence Database Performance Tuning Roel Van de Paar Percona Agenda GA:

Artificial Intelligence Database Performance Tuning Roel Van de Paar Percona Agenda GA:

Artificial Intelligence Database Performance Tuning Roel Van de Paar Percona Agenda GA: How it works, terminology, variables, example Database Tuning &amp; Surrounding thoughts gaai POC Results 2 Define: GA A Genetic

791 views • 37 slides
Parallel and Hybrid Evolutionary Algorithm in Python E. Kieffer UL HPC Userssession -- UL

Parallel and Hybrid Evolutionary Algorithm in Python E. Kieffer UL HPC Userssession -- UL

Parrallel Computing &amp; University of Luxembourg Optimization Group Parallel and Hybrid Evolutionary Algorithm in Python E. Kieffer UL HPC Userssession -- UL HPC school 2017 Contents n Context and motivation n Clustering of the

228 views • 19 slides
Genetics and/of basket options Wolfgang Karl Hrdle Elena Silyakova Ladislaus von Bortkiewicz

Genetics and/of basket options Wolfgang Karl Hrdle Elena Silyakova Ladislaus von Bortkiewicz

Genetics and/of basket options Wolfgang Karl Hrdle Elena Silyakova Ladislaus von Bortkiewicz Chair of Statistics Humboldt-Universitt zu Berlin http://lvb.wiwi.hu-berlin.de Motivation 1-1 Basket derivatives Let us consider a basket of N

486 views • 26 slides
Consistent Biclustering via Fractional 01 Programming Panos Pardalos, Stanislav Busygin and

Consistent Biclustering via Fractional 01 Programming Panos Pardalos, Stanislav Busygin and

Consistent Biclustering via Fractional 01 Programming Panos Pardalos, Stanislav Busygin and Oleg Prokopyev Center for Applied Optimization Department of Industrial &amp; Systems Engineering University of Florida Consistent Biclustering via

937 views • 74 slides
Introduction to WHIDS, an Open Source Endpoint Detection System for Windows Github / Twitter:

Introduction to WHIDS, an Open Source Endpoint Detection System for Windows Github / Twitter:

Introduction to WHIDS, an Open Source Endpoint Detection System for Windows Github / Twitter: 0xrawsec Project: https://github.com/0xrawsec/whids Outline 1. Introduction to WHIDS 2. Writing rules: Gene Hands On 3. WHIDS Possible Deployments

607 views • 21 slides
REORGANIZATION STUDY Montgomery County School Study Commission Montgomery County Economic

REORGANIZATION STUDY Montgomery County School Study Commission Montgomery County Economic

REORGANIZATION STUDY Montgomery County School Study Commission Montgomery County Economic Development Corporation Midwest School Consultants Dr. William H. Phillips Dr. Scott L. Day Dr. Leonard R. Bogle Purpose of a Feasibility Study

961 views • 73 slides
www.rarecancerseurope.org Paolo G. Casali paolo.casali@istitutotumori.mi.it Rare Tumours in

www.rarecancerseurope.org Paolo G. Casali paolo.casali@istitutotumori.mi.it Rare Tumours in

www.rarecancerseurope.org Paolo G. Casali paolo.casali@istitutotumori.mi.it Rare Tumours in Europe Rare Tumours in Europe CHALLENGES AND SOLUTIONS CHALLENGES AND SOLUTIONS 6 November 2008 - Brussels Rare Tumours in Europe Rare Tumours in

1.01k views • 34 slides
Tobacco tax modelling and other cost-effectiveness studies for NZ: Latest BODE 3 Results Overview

Tobacco tax modelling and other cost-effectiveness studies for NZ: Latest BODE 3 Results Overview

Tony Blakely Nick Wilson Treasury 13 August 2014 Tobacco tax modelling and other cost-effectiveness studies for NZ: Latest BODE 3 Results Overview who we are what we do tobacco endgame game on! other examples: HPV

686 views • 64 slides

More recommend