91.460.201 & 91.530.202 SELECTED TOPICS: DIGITAL FORENSICS
Xinwen Fu, UMass Lowell, USA
Center for Cyber Forensics, UMass Lowell
Outline
Introduction
Related Laws in Network Forensics
  Traditional Crime vs. Cyber Crime
  Terminology
  Constitutional Laws
  Statutory Laws
Conclusion
Introduction
Based on the Symantec Internet Security Threat Report, 2011 Trends:
Symantec blocked more than 5.5 billion attacks in 2011
Over 154 attacks took place per day in Dec. 2011
Attacks skyrocketed by more than 81% compared with 2010
More than 232.4 million identities were exposed
Digital Forensics: recovery and investigation of material found in digital devices, often in relation to computer crime
Encompasses the seizure, forensic imaging (acquisition) and analysis of digital media, and the production of a report on the collected evidence for the benefit of courts or employers (incrimination or exoneration)
Digital Forensics comprises two branches:
  Computer Forensics
  Network Forensics
Figure: Example Computer Forensic Toolkit® (FTK®)
Network Forensics
Monitor and analyze computer network traffic for the purposes of information and legal evidence gathering, or intrusion detection
Deals with dynamic information: traffic in transit must be captured while it happens, unlike the static media that computer forensics images after the fact
Demo – HAWK: mini-Helicopter-based Aerial Localization Wireless Kit
youtu.be/watch?v=ju86xnHbEq0
Related Laws in Network Forensics
Traditional Crime
Figure: a traditional crime investigation combines proactive investigation, real-time investigation and retroactive investigation, plus other witnesses and clues
Cyber Crime
Figure: a cyber crime investigation (e.g., a P2P network; search who owns the child pornography material) uses the same three strategies: proactive investigation, real-time investigation and retroactive investigation
Classification of Strategies for Network Investigation
Proactive Investigation (before the cyber crime incident)
  Prepare for and detect the incident
  E.g., search an anonymous P2P network and identify the source of illegal materials
Real Time Investigation (during the cyber crime incident)
  Monitor and preserve incoming/outgoing traffic during the cyber crime and conduct the traceback if possible
  E.g., trace who is downloading illegal child pornography videos
Retroactive Investigation (after the cyber crime incident)
  Collect and reassemble leftover data on the victim's computer and network
  E.g., a UML server was attacked; police read the logs from the IDS, firewall and local ISPs and try to reconstruct the past session
Where are the laws and due process?
Terminology of Related Laws
Reasonable Expectation of Privacy: a person has a reasonable expectation of privacy if he/she actually expects privacy and that subjective expectation is “one that society is prepared to recognize as ‘reasonable.’”
Probable Cause: “a reasonable belief that a person has committed a crime”; the standard by which law enforcement officers have the grounds to make an arrest, to conduct a personal or property search, or to obtain a warrant for arrest, etc., when criminal charges are being considered
Terminology (Cont’)
Subpoena: a specific type of court order to compel a witness to give a statement or to appear in court to testify
  Law enforcement with a subpoena can require an ISP to produce logs to determine a particular subscriber’s identity
Court Order: an official judge’s statement compelling someone, or a party, to do something or to refrain from doing something
  With a court order, law enforcement officers can install a packet sniffer on an ISP’s router to collect the non-content information (addressing data, not payload) of all packets coming from a particular IP address, in order to reconstruct a session
Search Warrant: a written court order authorizing law enforcement officers to search a certain area and/or seize property specifically described in the warrant
  Law enforcement officers can intercept an online conversation and collect its content with a search warrant (for real-time interception of content, the Wiretap Act / Title III governs)
Constitutional Law
The Fourth Amendment is the main constitutional restriction on network forensics investigation:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”
Statutory Laws
The Wiretap Act (Title III)
  Prohibits unauthorized government access to private electronic communications in real time
The Stored Communications Act
  Protects the privacy rights of customers and subscribers of Internet service providers (ISPs) and regulates government access to stored content and non-content records held by ISPs
The Pen Register Act
  Also known as the Pen Registers and Trap and Trace Devices statute
  A pen register device records outgoing addressing information (such as a phone number dialed or a receiver’s email address)
  A trap and trace device records incoming addressing information (such as an incoming phone number or a sender’s email address)
Network Forensics with Laws
Proactive Investigation (before the cyber crime incident)
  Law: people’s reasonable expectation of privacy (The Fourth Amendment)
  Process: subpoena / court order
Real Time Investigation (during the cyber crime incident)
  Law: Title III and Pen Register Act, or constitutional laws
  Process: court order / search warrant
Retroactive Investigation (after the cyber crime incident)
  Law: Stored Communications Act, or constitutional laws
  Process: subpoena / court order / search warrant
Conclusion
We studied the laws related to Network Forensics
We refined the framework of Network Forensics with three categories of investigation
Suggestion: while studying network forensics research, we should always consider the impact of laws
Thank you!
Network Forensics with Laws (Cont’)
A cyber crime raises two kinds of legal issue:
Constitutional Issue: The 4th Amendment
Statutory Issue:
  Pen/Trap Statute: non-content (packets’ size and number; IP address; flags)
  Title III: content (email’s subject and content; packet’s payload)
  SCA: information stored in digital media (emails, logs, subscriber’s info.)
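As an added example, not part of the lecture, the non-content vs. content split above applied to IPv4 packets: a parser that keeps what a Pen/Trap order covers (addresses, ports, size, TCP flags, which is also what the court-order packet-sniffer scenario in the Terminology slide collects) separate from the transport payload, which only a Title III authority reaches. The packets, the addresses and the SMTP-style payload are constructed inline; no real capture is read and checksums are left at zero.

```python
"""Split IPv4/TCP packets into non-content (Pen/Trap) and content (Title III).

Added example, not from the lecture. The packets are constructed inline;
there is no real capture and no checksum handling."""
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5


def ip_to_str(raw4):
    return ".".join(str(b) for b in raw4)


def str_to_ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Construct an IPv4+TCP packet (constructed test data; checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     str_to_ip(src), str_to_ip(dst))
    return ip + tcp + payload


def split_packet(raw):
    """Return (non_content, content) for one IPv4 packet.

    non_content: addressing/size/flag data that a Pen/Trap order covers.
    content: the transport payload, which needs Title III authority."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length including IP options
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("bad IP length fields")
    non_content = {"src_ip": ip_to_str(src), "dst_ip": ip_to_str(dst),
                   "proto": proto, "size": total_len}
    l4 = raw[ihl:total_len]
    if proto == 6:                      # TCP
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", l4[:14])
        doff = (off_res >> 4) * 4       # TCP header length including options
        non_content.update({"src_port": sport, "dst_port": dport,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]})
        content = l4[doff:]
    elif proto == 17:                   # UDP
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        non_content.update({"src_port": sport, "dst_port": dport})
        content = l4[8:ulen]
    else:                               # other protocols: no ports; rest is payload
        content = l4
    return non_content, content


def pen_trap_capture(packets):
    """What a pen register / trap and trace collection keeps: headers only."""
    return [split_packet(p)[0] for p in packets]


def title3_capture(packets, target_ip):
    """Full-content interception of one target's outgoing traffic."""
    out = []
    for p in packets:
        meta, payload = split_packet(p)
        if meta["src_ip"] == target_ip:
            out.append((meta, payload))
    return out


# Constructed sample traffic: a client sending a short SMTP message.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "192.0.2.10", 40000, 25, 0x02),                  # SYN
    build_packet("192.0.2.10", "10.0.0.5", 25, 40000, 0x12),                  # SYN+ACK
    build_packet("10.0.0.5", "192.0.2.10", 40000, 25, 0x18, b"Subject: meeting\r\n"),
    build_packet("10.0.0.5", "192.0.2.10", 40000, 25, 0x18, b"Call me at noon.\r\n"),
]

if __name__ == "__main__":
    for rec in pen_trap_capture(SAMPLE_PACKETS):
        print("pen/trap:", rec)
    for meta, payload in title3_capture(SAMPLE_PACKETS, "10.0.0.5"):
        print("content :", payload)
```

The pen/trap records never contain the email subject, only that a 58-byte packet went from 10.0.0.5:40000 to 192.0.2.10:25 with PSH and ACK set; the subject line appears only in the Title III capture. A header-only capture in practice is the same idea with a snap length that stops at the transport header.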
Traditional crime and policing
A passenger is walking down the street. The passenger is attacked by a robber.
The passenger or another witness calls “911” during/after the robbery.
The police center sends units to the site.
Police may catch the criminal at the scene if the robbery hasn’t finished yet.
Police conduct the investigation if the robber flees. Police may or may not catch the robber.
Law enforcement summarizes the characteristics of the crimes in that area and sends more police to patrol that area to deter potential criminals.
Network crime and policing
A hacker intrudes into a company server.
An alert system (firewall, IDS) detects the intrusion or not; or the system administrator finds abnormal activities.
Report to police.
Police can watch the criminal’s activities on the server if the intrusion hasn’t finished yet.
Police conduct the investigation, with proper authorization, whether or not the intrusion has finished. Police may or may not find the hacker.
The system administrator patches the server and sets stricter rules on the firewall and IDS.
Network Forensics with Laws
Proactive Investigation
  Summarize the characteristics of cyber crimes and set up firewalls and IDSs to prevent and detect cyber crimes
  Law: people’s reasonable expectation of privacy (The Fourth Amendment)
Real Time Investigation
  Preserve incoming/outgoing traffic during the cyber crime and try to trace back the intruder
  Law: Title III and Pen Register Act, or constitutional laws
Retroactive Investigation
  Collect and reassemble the leftover data on the victim’s computer and network
  Law: Stored Communications Act, or constitutional laws
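The retroactive case (a UML server is attacked; police read the IDS, firewall and ISP logs and reconstruct the past session), as an added example that is not part of the lecture: constructed firewall and IDS log lines in a made-up format are merged into one timeline of traffic between victim and attacker, and the attacker’s IP is then mapped to a subscriber through a constructed ISP lease table, the kind of stored record a subpoena obtains. The log formats, addresses, signatures and subscriber IDs are all assumptions; the lease table deliberately hands the same IP to two subscribers on the same day so that the timestamp, not the IP alone, decides the identification.

```python
"""Retroactive investigation: rebuild a past intrusion session from stored
firewall and IDS logs and map the source IP to an ISP subscriber.

Added example, not from the lecture. The log lines, their formats and the
lease table are constructed for illustration (no real product's format)."""
import re
from datetime import datetime, timezone

# Constructed firewall log (victim's perimeter device).
FIREWALL_LOG = """\
2024-03-01T10:00:01Z DROP src=203.0.113.7 dst=198.51.100.20 proto=TCP dport=23
2024-03-01T10:00:04Z ACCEPT src=203.0.113.7 dst=198.51.100.20 proto=TCP dport=22
2024-03-01T10:00:09Z ACCEPT src=192.0.2.44 dst=198.51.100.20 proto=TCP dport=443
2024-03-01T10:03:30Z ACCEPT src=198.51.100.20 dst=203.0.113.7 proto=TCP dport=4444
"""

# Constructed IDS alert log (victim's sensor).
IDS_LOG = """\
2024-03-01T10:00:06Z alert sig="SSH brute force" src=203.0.113.7 dst=198.51.100.20
2024-03-01T10:03:31Z alert sig="Reverse shell callback" src=198.51.100.20 dst=203.0.113.7
"""

# Constructed ISP lease records: (ip, lease_start, lease_end, subscriber_id).
# The same address goes to two subscribers on the same day, so the time of
# the event, not just the IP, decides who is identified.
ISP_LEASES = [
    ("203.0.113.7", "2024-03-01T06:00:00Z", "2024-03-01T12:00:00Z", "subscriber-A"),
    ("203.0.113.7", "2024-03-01T12:00:00Z", "2024-03-02T06:00:00Z", "subscriber-B"),
]

FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) alert sig="([^"]+)" src=(\S+) dst=(\S+)$')


def parse_ts(text):
    """Parse the constructed ISO-8601 'Z' timestamps as aware UTC datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue            # skip malformed lines rather than abort the parse
        ts, action, src, dst, proto, dport = m.groups()
        events.append({"ts": parse_ts(ts), "source": "firewall", "src": src,
                       "dst": dst, "desc": f"{action} {proto}/{dport}"})
    return events


def parse_ids(text):
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts, sig, src, dst = m.groups()
        events.append({"ts": parse_ts(ts), "source": "ids", "src": src,
                       "dst": dst, "desc": sig})
    return events


def reconstruct_session(victim_ip, attacker_ip, *event_lists):
    """Merge all log sources into one time-ordered timeline of traffic
    between victim and attacker, in either direction."""
    pair = {victim_ip, attacker_ip}
    merged = [e for events in event_lists for e in events
              if {e["src"], e["dst"]} == pair]
    return sorted(merged, key=lambda e: e["ts"])


def identify_subscriber(ip, at, leases):
    """Answer 'who held this IP at this instant' from ISP records (what a
    subpoena for subscriber records yields). None if no lease covers it."""
    for lease_ip, start, end, subscriber in leases:
        if lease_ip == ip and parse_ts(start) <= at < parse_ts(end):
            return subscriber
    return None


def investigate(victim_ip, attacker_ip):
    timeline = reconstruct_session(victim_ip, attacker_ip,
                                   parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG))
    who = identify_subscriber(attacker_ip, timeline[0]["ts"], ISP_LEASES) if timeline else None
    return timeline, who


if __name__ == "__main__":
    timeline, who = investigate("198.51.100.20", "203.0.113.7")
    for e in timeline:
        print(e["ts"].isoformat(), e["source"], e["src"], "->", e["dst"], e["desc"])
    print("subscriber at first contact:", who)
```

The unrelated 192.0.2.44 connection is dropped from the timeline, the outbound 4444 connection and the reverse-shell alert land in order after the SSH brute-force alert, and the lease lookup returns subscriber-A only because the first contact fell inside that lease; the same query an hour after the lease changed would name subscriber-B, which is why a subpoena to an ISP has to state the time (and time zone) of the event as well as the IP.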