vassil roussev candice quates the m57 case study
play

Vassil Roussev Candice Quates The M57 Case Study Introduction 2 - PowerPoint PPT Presentation

Feb 21, 2024 •155 likes •673 views

DFRWS12 /Aug 5-8 2012/Washington DC Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company & setup Employees: o President: Pat McGoo o IT: Terry o Researchers: Jo, Charlie Period o 11/16/2009

  1. DFRWS’12 /Aug 5-8 2012/Washington DC Vassil Roussev Candice Quates

  2. The M57 Case Study Introduction 2

  3. M57: The company & setup  Employees: o President: Pat McGoo o IT: Terry o Researchers: Jo, Charlie  Period o 11/16/2009 — 12/11/2009 o 11/20/2009 Jo’s computer replaced o Last day: police kick down the door  Data o Daily HDD, RAM, network captures 3

  4. M57: The data (1.5 TB)  HDD images 84 images, 10-40GB each o Total: 1,423 GB o  RAM snapshots 78 snapshots, 256-1024 MB each o Total: 107 GB o  Network: 49 traces, 4.6 GB o  USB 4.1 GB o  Kitty set 125 JPEGs, 224 MB o 4

  5. Scenario #1: Contraband  Setup: o From the detective reports in the scenario, there is reason to suspect that one of M57's computers (Jo’s) has been used in the contraband of "kitty porn".  Questions: o Were any M57 computers used in contraband? o If so, when did the accident happen? o Is there evidence of intent? o How was the content distributed? o Was any of the content sent outside the company network? 5

  6. Scenario #2: Eavesdropping  Setup: o It is suspected that somebody is spying on the CEO (Pat) electronically.  Plan? o Search for potentially rogue processes that might have been introduced on his computer. o First HDD image is clean and serves as baseline. 6

  7. Scenario #3: Corporate espionage  Setup: o There is suspicion that somebody has leaked company secrets.  Plan? o Search RAM snapshots for interesting processes 7

  8. The need for better triage 8

  9. Triage  Fast, reliable initial screen of the acquired data: o fast: all you can do in 5/10/15/ … min; o reliable: provides strong hints (low FP).  Goals: o Identify the most (ir)relevant targets/artifacts; o Build an overall understanding of the case — what are the likely answers?  Location of work: o We assume post-acquisition work in a lab, but o It could be done in the field (given enough hardware) 9

  10. Metadata- vs content-based analysis  Metadata-based analysis o Use FS metadata, registry, logs, etc. o Pro: small volume, high-level logical information o Con: not looking at the data, cannot see remnants, does not work on a data dump (e.g. RAM), metadata is fragile  Typical basis for (manual) triage  Content analysis o Works on actual data content  Flie/block hashes, indexing, carving, etc. o Pro: looking at actual data, can work with pieces o Con: large volume, lower level data  Almost never used in triage (perceived as too slow) 10

  11. Why is content analysis so slow? Forensic Target (1.5TB) Clone Process @ 150MB/s @10MB/s ~3 hrs ~42 hrs  We can start working on the case after 42 hours (!) 11

  12. Why is content analysis so slow? Forensic Target (1.5TB) Clone Process @ 150MB/s @10MB/s ~3 hrs ~42 hrs 12

  13. Why is content analysis so slow? Forensic Target (1.5TB) Clone Process @ 150MB/s @10MB/s ~3 hrs ~42 hrs 13

  14. Data Correlation with similarity digests 14

  15. Motivation for similarity approach: Traditional hash filtering is failing  Known file filtering: o Crypto-hash known files, store in library (e.g. NSRL) o Hash files on target o Filter in/out depending on interest  Challenges o Static libraries are falling behind  Dynamic software updates, trivial artifact transformations  We need version correlation o Need to find embedded objects  Block/file in file/volume/network trace o Need higher-level correlations  Disk-to-RAM  Disk-to-network 15

  16. Scenario #1: fragment identification Source artifacts (files) v Disk fragments (sectors) Network fragments (packets)  Given a fragment, identify source o Minimum fragments of interest are 1-4KB in size o Fragment alignment is arbitrary 16

  17. Scenario #2: artifact similarity Similar files Similar drives (shared content/format) (shared blocks/files)  Given two binary objects, detect similarity/versioning o Similarity here is purely syntactic; o Relies on commonality of the binary representations. 17

  18. Common solution: similarity digests sdhash sdhash sdhash sdhash sdbf 1 sdbf 2 sdbf 1 sdbf 2 sdhash sdhash Is this fragment present on the drive? Are these artifacts correlated?  0 .. 100  0 .. 100 All correlations based on bitstream commonality 18

  19. The M57 Case Study Using sdhash for triage 19

  20. sdhash-2.2 generation rates  sdhash generation is I/O-bound  it can be run in line with imaging 20

  21. sdhash generation times (M57)  Dell PowerEdge R710 server o 2 x Intel Xeon CPUs @2.93GHz six-core with H/T 12(24) threads o 72GiB of RAM @800MHz 21

  22. Scenario #1: Contraband  Setup: o From the detective reports in the scenario, there is reason to suspect that one of M57's computers (Jo’s) has been used in the contraband of "kitty porn".  Questions: o Were any M57 computers used in contraband? o If so, when did the accident happen? o Is there evidence of intent? o How was the content distributed? o Was any of the content sent outside the company network? 22

  23. Query 1: Search Jo’s HDD for kitty images 260GB  55 min  123 sec Jo’s computer: Number of instances found by date 23

  24. Query 2: What processes were running?  Search Jo’s RAM for traces of installed executables 18 min 12/03 .../Downloads/TrueCrypt Setup 6.3a.exe 092 .../TrueCrypt Format.exe 090 .../TrueCrypt Setup.exe 092 .../TrueCrypt.exe 092 12/04 .../Downloads/TrueCrypt Setup 6.3a.exe 063 .../TrueCrypt Setup.exe 063 12/09 .../Downloads/TrueCrypt Setup 6.3a.exe 084 .../TrueCrypt Format.exe 079 .../TrueCrypt Setup.exe 084 .../TrueCrypt.exe 090 12/10 .../TrueCrypt.exe 092 12/11 - pre-raid .../TrueCrypt Format.exe 086 .../TrueCrypt.exe 079 24

  25. Scenario #2: Eavesdropping  Setup: o It is suspected that somebody is spying on the CEO (Pat) electronically.  Plan? o Search for potentially rogue processes that might have been introduced on his computer. o First HDD image is clean and serves as baseline. 25

  26. Eavesdropping timeline 11/16, [71] not in baseline 20 min Present: Java, Firefox, python, mdd_1.3.exe. 11/19, [95] not in baseline Acrobat Reader 9 installed or updated, including Adobe Air. 12/03, [649] 18 other programs from 11/16 still present. AVG has been updated. 11/20, [289] XP Advanced Keylogger appears: Windows Update run: many new dlls in the XP Advanced/DLLs/ToolKeyloggerDLL.dll 087 _restore and SoftwareDistribution folders. XP Advanced/SkinMagic.dll 027 XP Advanced/ToolKeylogger.exe 024 11/23, [561] 12/07, [460] Windows Update has run More Brother printer related files. 11/30, [274] InstallShield leftovers present. Likely a Brother printer driver installed. win32dd present. Acrobat/Firefox still present. XP Advanced Keylogger is no longer here. RealVNC VNC4 has been installed and run: RealVNC/VNC4/logmessages.dll 068 RealVNC/VNC4/winvnc4.exe 046 RealVNC/VNC4/wm_hooks.dll 023 12/10, [1240] AVG updated. IE8 and Windows updated. VNC still present. 12/11, [634] VNC present. 26

  27. Scenario #3: Corporate espionage  Setup: o There is suspicion that somebody has leaked company secrets.  Plan? o Search RAM snapshots for interesting processes 27

  28. Scenario #3: Findings  RAM 31 min "Cygnus FREE EDITION" hex editor o  On 11/24, 11/30, 12/02, 12/03, and 12/10; "Invisible Secrets 2.1“ o  11/19, 11/20, 11/24, 11/30, and 12/02.  blowfish.dll, jpgcarrier.dll, bmpcarrier.dll  likely stego tool  USB insecr2.exe o /microscope.jpg o /microscope1.jpg o /astronaut.jpg o /astronaut1.jpg o /Email/Charlie_..._Sent_astronaut1.jpg o /Email/other/Charlie_..._Sent_microscope1.jpg o 28

  29. M57 Conclusions  Using sdhash , we can outline the solution of all three cases in about 120 min of extra processing. o This assumes HDD/RAM hash generation while cloning. o This could be further improved by running the queries in R/T in parallel with acquisition.  The tool enables differential analysis that is simple, fast, robust, and generic.  Most processing can run in parallel with acquisition.  In effect, it can replace carving/indexing during triage.  It does not require much expertise to apply; results are intuitive.  The analysis can be highly automated; higher-level analysis can be built on top. 29

  30. Development Status 30

  31. Architecture C++ Client: Web GUI Custom clients (python) (20+ languages) sdhash-cli Apache Thrift C/S Protocol Python Other Server: sdhash-srv CLI: sdhash SWIG-based APIs Cross-platform C++ API: libsdbf Third-party C++ libraries: boost,thrift,openssl (thrust,TBB) 31

  32. Availlability  sdhash.org o Source o Windows exe  32-/64-bit executables o Linux  rpm/deb packages o API documentation o Repository o Papers/presentations 32

  33. sdhash-2.2 comparison performance  Small file comparison (1 core, Intel X5670) 10KB vs. 10KB 0.0061 ms 100KB vs. 100KB 0.0125 ms 1MB vs. 1MB 0.4300 ms 10MB vs. 10MB 41.0000 ms  Large file/streaming comparison (12 cores) in seconds 100MB 125MB 150MB 200MB 500MB 1000MB 100MB 0.76 0.93 1.00 1.36 3.53 6.61 125MB 0.93 0.96 1.30 1.84 4.10 8.60 150MB 1.00 1.30 1.58 2.28 5.33 10.30 200MB 1.36 1.84 2.28 3.00 7.10 13.80 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s @10MB/s ~5.5 hrs ~82.5 hrs 129 * We can start working on the case after 88 hours. * http://accessdata.com/distributed-processing 2 Scalable

590 views • 30 slides
Micro Celebrities in Czech Republic: Literature Review and Case Study Xinchen (Candice) Shen

Micro Celebrities in Czech Republic: Literature Review and Case Study Xinchen (Candice) Shen

Social media Networking- Spring 18 Micro Celebrities in Czech Republic: Literature Review and Case Study Xinchen (Candice) Shen May 10 th , 2018 Theory of Micro Celebrity Forbes - the 77 most influential Czechs Research on social networks

720 views • 13 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
Presented by: Candice Skinner Candice M. Skinner Real Estate, LLC 337.353.4272 My Professional

Presented by: Candice Skinner Candice M. Skinner Real Estate, LLC 337.353.4272 My Professional

Presented by: Candice Skinner Candice M. Skinner Real Estate, LLC 337.353.4272 My Professional Experience My philosophy Customer relationships are at the heart of what I do. If you dont feel that Ive built a strong

148 views • 13 slides
Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico Marziale, Golden G. Richard III, Vassil Roussev Me: Professor of Computer Science Co-founder, Digital Forensics Solutions golden@cs.uno.edu

489 views • 28 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Page 1 of 7 2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular, symbolic problem. The solution that we develop incorporates a task scheduling algorithm. 2.7.1

259 views • 7 slides
Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the Case Study found in the Assignment section of M005 and be ready to present your findings in a formal presentation in week 11. Each team member

319 views • 6 slides
Barb Stuckey y & Candice e Lin, Mattso son Intr trodu oductions: ctions: Barb Stuckey

Barb Stuckey y & Candice e Lin, Mattso son Intr trodu oductions: ctions: Barb Stuckey

Barb Stuckey y & Candice e Lin, Mattso son Intr trodu oductions: ctions: Barb Stuckey Candice Lin Mattson Par art t I: Bas asics ics of HPP P Produ oduct ct Develop elopme ment Par art t II: : Th The e Logisti istics

922 views • 56 slides
ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction

ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction

INTER AGENCY SHELTER CLUSTER ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction Most clusters (including shelter) used to inform sectoral planning without a capacity to effectively collect, analyze and

520 views • 15 slides
Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman

Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman

Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman who has a primary complaint of back pain with secondary complaints of migraines, anxiety, difficulty with sleep. Yoga Therapy has decreased her

576 views • 19 slides
DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008,

DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008,

DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008, DCK is the largest construction/ general contractor company in the Pittsburgh, PA region Industries served by DCK include hospitality, timeshare,

98 views • 7 slides
1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE

1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE

1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE METHODOLOGY Results analysis. Element definition Environmental impact Budget Unit Description (t CO2eq/Unit) (m3/Unit) MJ/Unit EUR/Unit The

639 views • 24 slides
A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE

A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE

A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE Fellow: Hannah Bacon CASE Mentor: Dr. Connie Mixon, PhD, MPA Elmhurst University Research focus: This study examines the correlation between

167 views • 15 slides
Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study

Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study

Cypress Creek Greenway Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study Case Study: What and Why? Part of Houston- Galveston Area Councils Regional Plan for Sustainable Development One

595 views • 31 slides
CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8

CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8

CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8 partners (coordinated by the organisation KIWI) proposes to provide: initial training of 36 months to 11 ESRs (total 396 person months) and

345 views • 10 slides
De-Anonymizing Live CDs through Physical Memory Analysis Andrew Case Senior Security Analyst

De-Anonymizing Live CDs through Physical Memory Analysis Andrew Case Senior Security Analyst

De-Anonymizing Live CDs through Physical Memory Analysis Andrew Case Senior Security Analyst Speaker Background Computer Science degree from the University of New Orleans Former Security Consultant for Neohapsis Worked for Digital

911 views • 61 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with Brian Levine & Patrick Stahlberg) University of Massachusetts, Amherst History a record of past data and operations performed on a system.

777 views • 29 slides
Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin

Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin

A A Conceptual Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin Bahi , Olaf Manuel Maennel Centre For Digital Forensics and Cyber Security Tallinn University of Technology Evolvement of Cyber

470 views • 13 slides
Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136, Spring 2014 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.18k views • 72 slides
Einfhrung in Visual Computing Unit 5: Image Encoding and Compression http://

Einfhrung in Visual Computing Unit 5: Image Encoding and Compression http://

12.03.2013 Einfhrung in Visual Computing Unit 5: Image Encoding and Compression http:// www.caa.tuwien.ac.at/cvl/teaching/sommersemester/evc Content: Introduction to Encoding Image File Formats Information vs. Data Introduction

414 views • 40 slides
WWW Davide Rossi Aprile 2002 Table of contents Table of contents Part I Colors and Color

WWW Davide Rossi Aprile 2002 Table of contents Table of contents Part I Colors and Color

Formati grafici e Multimediali WWW Davide Rossi Aprile 2002 Table of contents Table of contents Part I Colors and Color Systems WWW Still Images: Bitmaps, Vectors & Metafiles Part II Data Compression Pixel Packing, RLE, LZ, Huffman,

937 views • 58 slides
What does the title mean? 1. part: R on Different Platforms on Different Platforms What is R ?

What does the title mean? 1. part: R on Different Platforms on Different Platforms What is R ?

Introduction Editors and GUIs Packages Platform specifics References 3 What does the title mean? 1. part: R on Different Platforms on Different Platforms What is R ? The useRs Point of View What is a platform ? Platform the

300 views • 10 slides

More recommend