Computer Forensics In Forensis
Sean Peisert, UC Davis
Matt Bishop, UC Davis
Keith Marzullo, UC San Diego
SADFE ~ Thursday, May 22, 2008, Oakland, CA
![Page 2: Computer Forensics In Forensispeisert/research/2008-5-SADFE... · •Symantec AntiVirus Remote Stack Buffer Overflow Vulnerability (CVE-2006-2630) •F-PROT Antivirus CHM File Heap](https://reader034.vdocuments.net/reader034/viewer/2022052004/6017ed0a40745b4f141eb10d/html5/thumbnails/2.jpg)
What happened??
Tradeoffs & Forensics
• Security vs. Usability
• Forensic Logging vs. Privacy
• Any Forensic Data vs. Accurate Forensic Data
Physical Forensics
• DNA evidence
• Physical mechanics
• Chemical analysis
Claims in court
• “50% of the FBI’s cases involve a computer” (FBI, 2002)
• Computer objects
• Virtual world
• Computer events
State of Connecticut v. Julie Amero
• Classroom computer displayed pornographic pop-ups.
• Investigators found child pornography on her (spyware-infected) computer and in logs.
• Convicted of “contributing to the delinquency of minors”
• QED.
State of Connecticut v. Julie Amero
• What if the email was part of browser popups or email spam?
• What if someone else used the computer?
• What if malware hijacked the computer?
Firewall Vulnerabilities
• Symantec Raptor / Enterprise Firewall FTP Bounce Vulnerability (2002, Bugtraq 4522)
• Symantec Enterprise Firewall SMTP Proxy Information Leak Vulnerability (2002, Bugtraq 4141)
• Multiple Firewall Vendor FTP Server Vulnerability (2000, Bugtraq 979)
• Microsoft Windows Internet Connection Firewall Filter Bypass Vulnerability (2004, Bugtraq 10930)
• SCO OpenServer reject Buffer Overflow Vulnerability (2001, Bugtraq 2592)
Virus Scanner Vulnerabilities
• Symantec AntiVirus Remote Stack Buffer Overflow Vulnerability (CVE-2006-2630)
• F-PROT Antivirus CHM File Heap Buffer Overflow Vulnerability (CVE-2006-6294, CVE-2006-6293)
NIST’s Role
• National Institute of Standards and Technology (NIST):
• “Computer Forensic Tool Testing Program”
• How well tools conform to specific requirements
• E.g., NIST Deleted File Recovery spec.
The Players
• Forensic practitioners
• Judges
• Lawyers (prosecution & defense)
• Computer scientists
Open Questions
• Language
• Goals/needs
• Tools
Definitions
• forensis ~ “in public”
• forum ~ “a public square or marketplace used for judicial and other business”
• forensics
• computer/digital forensics
Forensic Language and Terminology
• “The tools and techniques to recover, preserve, and examine data stored or transmitted in binary form.”
• “Valid tools and techniques applied against computer networks, systems, peripherals, software, data, and/or users—to identify actors, actions, and/or states of interest.”
• software forensics: “tracing code to its authors”
Uses of Forensic Techniques
• Inside the courtroom:
• 80% of “computer crime” cases involve child pornography
• Outside of the courtroom:
• Compliance (HIPAA, SOx)
• Debugging
• Performance
• Accounting/Billing
E-Voting Example
• Electronic voting machines were used in Goshen, New York
• After 999 votes, the counter reset and all votes were lost
Forensic Questions
• Who attacked this computer system?
• What actions did they take?
• What damage did they do?
• With what degree of certainty can we assert the result?
• Will those assertions be acceptable in court?
Forensic Systems
• Two parts of forensics:
• Logging
• Analysis
• Two types of logging:
• State-based
• Transition-based
• Two more types of data collection:
• logging (syslog, BSM, IDS, firewall)
• post mortem examination (Coroner’s Toolkit, EnCase, FTK)
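Added example, not from the slides: a short Python model of the two logging styles run over a constructed intrusion timeline (the ticks and file names are made up). A state-based logger that snapshots the file system every few ticks never sees a payload that is created, executed and deleted between two snapshots, and it cannot record an exec at all because an exec changes no file-system state; the transition-based log keeps every event in order.

```python
# Added example (not from the slides): one constructed event stream seen through
# a state-based logger and a transition-based logger.
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed intrusion timeline: (tick, operation, path). Hypothetical, for illustration.
EVENTS: List[Tuple[int, str, str]] = [
    (1, "create", "/tmp/payload"),
    (2, "exec",   "/tmp/payload"),
    (3, "delete", "/tmp/payload"),
    (4, "create", "/etc/cron.d/job"),
]


def state_based_log(events, interval: int) -> Dict[int, FrozenSet[str]]:
    """State-based logging: snapshot the set of files that exist every `interval`
    ticks, the way a periodic integrity checker does. Nothing between snapshots is kept."""
    by_tick: Dict[int, list] = {}
    for tick, op, path in events:
        by_tick.setdefault(tick, []).append((op, path))
    files: Set[str] = set()
    snapshots: Dict[int, FrozenSet[str]] = {}
    for tick in range(0, max(by_tick) + 1):
        for op, path in by_tick.get(tick, []):
            if op == "create":
                files.add(path)
            elif op == "delete":
                files.discard(path)
            # "exec" changes no file-system state, so no snapshot can ever record it
        if tick % interval == 0:
            snapshots[tick] = frozenset(files)
    return snapshots


def transition_based_log(events) -> List[str]:
    """Transition-based logging: one record per event as it happens (syslog/BSM style)."""
    return [f"{tick} {op} {path}" for tick, op, path in events]


def diff_snapshots(snapshots):
    """All a state-based log can yield: what appeared or vanished between two snapshots,
    with no ordering, no counts and no trace of objects that lived between them."""
    ticks = sorted(snapshots)
    return [(a, b, sorted(snapshots[b] - snapshots[a]), sorted(snapshots[a] - snapshots[b]))
            for a, b in zip(ticks, ticks[1:])]


def files_ever_seen(snapshots) -> Set[str]:
    return set().union(*snapshots.values())


def files_created(translog) -> Set[str]:
    return {line.split()[2] for line in translog if line.split()[1] == "create"}


def operations(translog) -> Set[str]:
    return {line.split()[1] for line in translog}
```

With a four-tick snapshot interval the state-based log contains only the cron job; shortening the interval to one tick recovers the payload's existence but still not its execution, which is the "any forensic data vs. accurate forensic data" trade-off from the opening slides in miniature.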
Scientific Method
1. Define question
2. Form hypothesis
3. Perform experiment and collect data
4. Analyze data
5. Interpret data and draw conclusions
6. Publish results, return to #3 and iterate
Forensic Models
• Practitioners
• A series of steps for examining evidence.
• Computer scientists
• An abstraction useful as a predictive formula.
Carrier’s Model
Brian Carrier’s Model
Our Forensic Model (Laocoön)
• Attack graphs of intruder goals.
• Pre-conditions & post-conditions of those goals.
• Method of translating those conditions into logging requirements.
[Figure: attack graph running from the start of attack, through intermediate steps (too many!), to the intruder's end goals a, b, c, d]
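Added example, written for this page and not the authors' Laocoön code: a toy attack graph of intruder goals (the goal and condition names are constructed) with pre- and post-conditions, an enumeration of the paths from the start of the attack to each end goal, and the translation of those conditions into logging requirements. The last function shows the cost of a missing log source: an end goal whose path needs a condition nobody recorded can no longer be established from the logs, whatever else was captured.

```python
# Added example (not the Laocoön implementation): an attack graph of intruder goals
# with pre- and post-conditions, and the logging requirements derived from it.
from typing import Dict, List, Set

# Constructed attack graph. Each goal lists the conditions it needs (pre) and the
# conditions that hold once it is reached (post). All names are hypothetical.
GOALS: Dict[str, Dict[str, Set[str]]] = {
    "start":       {"pre": set(),               "post": {"net_access"}},
    "recon":       {"pre": {"net_access"},      "post": {"knows_service"}},
    "exploit_ftp": {"pre": {"knows_service"},   "post": {"shell_as_daemon"}},
    "guess_pw":    {"pre": {"knows_service"},   "post": {"shell_as_user"}},
    "local_priv":  {"pre": {"shell_as_daemon"}, "post": {"root"}},            # end goal
    "add_cron":    {"pre": {"shell_as_user"},   "post": {"persistence"}},     # end goal
    "exfil":       {"pre": {"shell_as_user"},   "post": {"data_left_host"}},  # end goal
}
END_GOALS = {"local_priv", "add_cron", "exfil"}


def successors(goals, name: str) -> List[str]:
    """Goals whose pre-conditions are all established by `name`'s post-conditions.
    Simplification: a fuller model lets any earlier step satisfy a pre-condition."""
    post = goals[name]["post"]
    return [g for g, spec in goals.items() if spec["pre"] and spec["pre"] <= post]


def attack_paths(goals, end_goals, start: str = "start") -> Dict[str, List[List[str]]]:
    """Enumerate every path from the start of the attack to each end goal (DFS)."""
    paths: Dict[str, List[List[str]]] = {g: [] for g in end_goals}
    stack = [[start]]
    while stack:
        path = stack.pop()
        cur = path[-1]
        if cur in end_goals:
            paths[cur].append(path)
            continue
        for nxt in successors(goals, cur):
            if nxt not in path:  # no cycles
                stack.append(path + [nxt])
    return paths


def path_conditions(goals, path) -> Set[str]:
    """Every condition that must have held somewhere along one path."""
    return set().union(*(goals[g]["pre"] | goals[g]["post"] for g in path))


def logging_requirements(goals, end_goals):
    """Translate the graph into logging requirements: per end goal, the conditions
    whose occurrence must be recorded to establish it; overall, the conditions that
    are not common to every end goal and therefore tell the end goals apart."""
    paths = attack_paths(goals, end_goals)
    per_goal = {g: set().union(*(path_conditions(goals, p) for p in ps))
                for g, ps in paths.items() if ps}
    common = set.intersection(*per_goal.values())
    discriminating = set().union(*per_goal.values()) - common
    return per_goal, discriminating


def consistent_end_goals(goals, end_goals, observed: Set[str]) -> Set[str]:
    """End goals that the logged conditions fully support via at least one path."""
    return {g for g, ps in attack_paths(goals, end_goals).items()
            if any(path_conditions(goals, p) <= observed for p in ps)}
```

Here the shared prefix (network access, knowledge of the service) need not be logged to decide which end goal was reached; the shell-level and post-compromise conditions must be. Dropping one of them from the log leaves an intruder who planted a cron job indistinguishable from one who did not.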
Unified Forensic Model
One that answers...
• how accurate is the method used to produce the data?
• how accurate is the method used to analyze the data?
• what claims can be made about the data?
• what assumptions must be made to make those claims?
• what can we do to reduce the number of assumptions without reducing the utility of the data?
Case Study #1: Gates v. Bando
• Facts
• Former employee accused of stealing a proprietary computer program.
• Gates subpoenaed the hard drive.
• Gates alleged that evidence on the drive had been destroyed.
• Norton Unerase was run by Gates's (the plaintiff's) expert witness on the target drive itself rather than on a forensic image, altering the very evidence under examination.
Case Study #2: Electronic Voting
• Florida CD13 showed an anomaly: an order of magnitude more undervotes than expected.
• Only occurred in one race.
• No VVPATs
• State audit concluded that the software did not contribute to the problem.
• A VVPAT would not have helped.
Evaluating Forensic Systems Example: Sleuth Kit
• What does it do?
• What doesn’t it do?
• How accurate is it?
• What can we say with the data?
• What assumptions must be made?
• What can we do to reduce the assumptions?
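Added example serving both the Gates v. Bando case study and the Sleuth Kit questions above; it is illustrative code written for this page, not The Sleuth Kit, Norton Unerase or a NIST CFTT test image. The "drive" is a constructed toy file system in which deleting a file only flips a directory flag. Recovery is run on a hashed image of the drive; the tool reports which of a recovered file's blocks an allocated file has since reclaimed, so the assumption that a recovered file is intact is checked rather than made; and a careless run of the same tool from the original drive is shown to overwrite the deleted data and break the evidence hash.

```python
# Added example (not TSK, Norton Unerase or NIST code): deleted-file recovery on a
# constructed toy file-system image, with the integrity checks a practitioner wants.
import hashlib
import struct

BLOCK = 16
DIR_BLOCKS = 4                        # blocks 0-3 hold the directory
ENTRY = struct.Struct("<8sBBB5x")     # name, start block, block count, flag, padding
ALLOC, DELETED = b"A"[0], b"D"[0]     # flag 0 means an unused directory slot


def pack_entry(name: str, start: int, count: int, flag: int) -> bytes:
    return ENTRY.pack(name.encode().ljust(8, b"\0"), start, count, flag)


def make_device() -> bytearray:
    """Constructed evidence drive (hypothetical contents): 'secret' was deleted, and
    its second block has since been reused by the allocated file 'log'."""
    dev = bytearray(BLOCK * 12)
    entries = [pack_entry("secret", 4, 2, DELETED),
               pack_entry("notes", 6, 1, ALLOC),
               pack_entry("log", 5, 1, ALLOC)]
    dev[0:len(entries) * ENTRY.size] = b"".join(entries)
    dev[4 * BLOCK:6 * BLOCK] = b"PROPRIETARY SRC " * 2   # written before deletion
    dev[6 * BLOCK:7 * BLOCK] = b"meeting notes   "
    dev[5 * BLOCK:6 * BLOCK] = b"LOG ENTRY 2006  "       # reuse of secret's 2nd block
    return dev


def read_dir(image):
    out = []
    for off in range(0, DIR_BLOCKS * BLOCK, ENTRY.size):
        name, start, count, flag = ENTRY.unpack_from(image, off)
        if flag:
            out.append((name.rstrip(b"\0").decode(), start, count, flag))
    return out


def sha256(data) -> str:
    return hashlib.sha256(bytes(data)).hexdigest()


def acquire(device):
    """Bit-for-bit image plus a hash of the original; all analysis is done on the image."""
    return bytearray(device), sha256(device)


def recover_deleted(image):
    """Return the blocks the directory still points to for each deleted entry, and
    flag every block that an allocated file has claimed since (recovered bytes there
    are not the deleted file's contents, whatever the tool's output looks like)."""
    entries = read_dir(image)
    allocated = {b for _, s, c, f in entries if f == ALLOC for b in range(s, s + c)}
    results = []
    for name, start, count, flag in entries:
        if flag != DELETED:
            continue
        blocks = range(start, start + count)
        overwritten = [b for b in blocks if b in allocated]
        data = bytes(image[start * BLOCK:(start + count) * BLOCK])
        results.append({"name": name, "data": data,
                        "overwritten_blocks": overwritten, "reliable": not overwritten})
    return results


def careless_unerase(device):
    """Models running a recovery tool from the evidence drive itself: the tool writes
    its own file into the first 'free' block, which is exactly where deleted data lives."""
    allocated = {b for _, s, c, f in read_dir(device) if f == ALLOC for b in range(s, s + c)}
    free = next(b for b in range(DIR_BLOCKS, len(device) // BLOCK) if b not in allocated)
    device[free * BLOCK:(free + 1) * BLOCK] = b"UNERASE.EXE     "
    return recover_deleted(device)
```

The honest answer the tool gives for "secret" is one intact block plus one block that now belongs to "log", marked unreliable; a tool that returned the same 32 bytes without the overlap check would present the log entry as part of the stolen program. Running the tool on the original clobbers the one intact block and changes the drive's hash, which is the Gates v. Bando failure in miniature.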
Open Research Questions
• What does a unified model look like?
• How do we characterize the limits and assumptions of forensic tools?
• How can we compare the model of the process to the evaluations of the tools to find the gaps and overlaps?
Forensics = Science
“The principle of science, the definition, almost, is the following: The test of all knowledge is experiment. Experiment is the sole judge of scientific ‘truth.’”
—Nobel Laureate Richard P. Feynman, California Institute of Technology, September 26, 1961
Final Thoughts
• Data accuracy
• Claims
• Assumptions