FINAL YEAR PROJECT Trevor Brosnan BSc(Hons) Computer Forensics 20039663@mail.wit.ie

Upload: winfred-lang

Post on 29-Dec-2015


TRANSCRIPT

Page 1: FINAL YEAR PROJECT Trevor Brosnan BSc(Hons) Computer Forensics 20039663@mail.wit.ie

Page 2: Overview

• Origins of Project
• How It Works
• Technologies
• Project Timeline
• Functionality
• COFEE Comparison
• Demonstration
• Compatibility & Testing
• Future / Conclusion
• Questions / Issues

Page 3: Origins of Project

Computer fraud has many branches, and none is emerging faster than fraud committed by employees. This type of fraud is commonplace within the workforce, as it does not require an employee to have extensive I.T. knowledge, just the opportunity.

Cost is the biggest concern when considering an investigation (Ernst & Young report, 2011).

Fraud can be defined as intentional deception made for personal gain and to damage another.

Make it as simple as possible…

Page 4: Current Applications

• EnCase Forensic, the industry-standard computer investigation solution, is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process. [Encase]

Strengths: The market leader for any professional forensic investigation.
Weaknesses: Extremely expensive ($4000-$4500).

• BackTrack 5 was designed to be an all-in-one live CD used on security audits and was specifically crafted not to leave any remnants of itself on the laptop. It has since expanded to become the most widely adopted penetration testing framework in existence and is used by the security community all over the world. [BackTrack2011]

Strengths: Extremely powerful; has a massive repository of tools.
Weaknesses: Extremely complex to use; a separate operating system.

• Microsoft COFEE is a forensics tool, approximately 15MB in size, that fits on a USB drive for law enforcement officials to use on PCs. An officer with even minimal computer experience can be tutored, in less than 10 minutes, to use a pre-configured COFEE device. [Coffe2011]

Strengths: Created by Microsoft for Microsoft systems.
Weaknesses: Available only to law enforcement; outdated tools. DECAF was created by hackers to thwart all investigations done with this tool.

Page 5: How It Works

Page 6: Python

For the development of fraudIT, one main tool encompassed the entire project: the programming language Python.

PyQt4: PyQt is a set of Python bindings for Nokia's Qt application framework and runs on all platforms supported by Qt, including Windows, Mac OS X and Linux. There are two sets of bindings: PyQt v4 supports Qt v4, and the older PyQt v3 supports Qt v3 and earlier. The bindings are implemented as a set of Python modules and contain over 300 classes and over 6,000 functions and methods. [Qt2011]

Python: Python is a programming language that lets you work more quickly and integrate your systems more effectively. You can learn to use Python and see almost immediate gains in productivity and lower maintenance costs. Python runs on Windows, Linux/Unix, Mac OS X, and has been ported to the Java and .NET virtual machines. [Python2011]

Page 7: Project Timeline

Iteration 0 (Start 8/9/11, End 31/10/11)
The main goals of this stage are to produce the first prototype and to look into the methods and technologies that will be used throughout the project. Creation of the project concept. Ensure that the project is viable. Assignment of a project supervisor. Creation of overall goals. Investigation of similar applications. Research into new tools to incorporate into the application. Development of the first report.

Iteration 1 (Start 1/11/12, End 12/12/11)
The main goal of this stage is to develop the first working prototype, known as "Prototype version 1". Obtain relevant skills in Python programming and techniques in Perl scripting, and understand how these work together with a Qt-based GUI. Research into fraudulent activity within the workplace. Research the ethical foundation of the application. Create Report 2.

Iteration 2 (Start 13/12/11, End 2/2/12)
The main goal of this iteration is to improve the GUI of the application and include additional functionality. Creation of Prototype v2. Increase the functionality with additional tools and create a more visually appealing application. Test for bugs that could occur. Assess the way the application will be delivered along with the dependencies needed.

Iteration 3 (Start 3/2/12, End 1/5/12)
The final iteration of the project will see the creation of a fully functioning program. Creation of Prototype v3. Creation of the final application. The main focus will be to test for any faults within the application. Removal of any redundant code or features. Creation of the final reports and documentation. Final report created and submitted.

Page 8: Tools Used #1

• System Audit
Information – Logins, System Uptime, System Information, Update History, Recycle Bin History, Windows File System, Power On History, Scheduled Events, Running Services.
Unusual Activity – Blue Screen Tracker, Open Files, Event Logs, Application Crashes, Windows Crash Reports, What's in Startup.
Devices – Battery Information, Bluetooth, USB History.

• Network Audit
Connections – IP Information, Port Information, Check Firewall, Firewall Rules, Nearby Wifi, Networked PCs, Show Groups, Wireless Info.
Browser – Chrome/IE/Firefox History, Chrome/IE/Firefox Cache, Chrome/IE/Firefox Cookies.
Email – Gathering and analysis.
Additional – Skype History Logs, Live Contacts, Internet Passwords, Opera History, Safari History, Get Bookmarks, Search History.

Page 9: Tools Used #2

• Registry Audit
Initial – Gather Hives.
User Hive – Shellbags, Printers, Recent Files, Recent Applications, Typed URLs, Proxy Settings, IE Registry Entries, Recent Documents, Windows Searches, File Associations.
Software Hive – Application Paths, Network Cards, Wireless Associations, SQL Last Connected, Profile List, Internet Applications, Uninstalled Apps, Yahoo Message, App Associations, Port Devices.
System Hive – Network Information, Mounted Devices, Removed Devices, Shutdown History, Event Logs, Safe Boot History, USB Information, Running Services.
Security/SAM – Parsing of hive.

• File Audit
General – Alternate Data Streams, Clipboard History, MS Office Add-ons, Video Cache History.
Text, Image, Video and Audio Audits – Pop-up drag-and-drop audits using Alternate Data Streams, Metadata, File Duplication and Integrity checks.

Page 10: Additional Functionality

• Live Audit – runs the most important tools with a single click.
• All in One Audits – runs all-in-1 audits using the most important system, network and registry tools.
• Report Generation – reports are generated for each of the Live Audits and All in 1 tools run, so that a user can review the information at a later stage.
• Evidence Uploads – all data gathered is uploaded to an Amazon S3 bucket with the click of a button.
• Tutorials – these, along with a few other features, help guide the user in their use of the application.

Page 11: Background Functions

• Logging System
• Evidence Duplication
• Integrity Checking
• Timestamps
• Portability
• Sub-processing
• Application Centre
• Icon Association
• Re-encoding Outputs
• Global Variables
• Folder Creation
• Text Browser
• Use of Windows Functions
• Progress Bars
• Error Messages
• Status Bar
• OS Commands
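The evidence duplication, integrity checking, timestamp and logging functions listed above are what make a collection defensible, and the File Audit's duplication and integrity checks rely on the same idea. The following Python example is added here and is not fraudIT's own code: it copies a file into an evidence folder, hashes the source and the copy, appends a UTC-timestamped JSON log line, and later re-verifies the stored copies from that log; all file names and the sample content are constructed.

```python
import hashlib, json, os, pathlib, shutil, tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream so large files need not fit in memory
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def duplicate_evidence(src, evidence_dir, log_path):
    """Copy src, hash source and copy, log a timestamped JSON record; raise on mismatch."""
    os.makedirs(evidence_dir, exist_ok=True)
    dst = os.path.join(evidence_dir, os.path.basename(src))
    before = sha256_of(src)
    shutil.copy2(src, dst)  # copy2 also preserves the source file's timestamps
    after = sha256_of(dst)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(src),
        "copy": os.path.abspath(dst),
        "sha256_source": before,
        "sha256_copy": after,
        "verified": before == after,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise ValueError("integrity check failed for %s" % src)
    return record

def verify_log(log_path):  # re-hash every logged copy -> [(copy_path, intact)]
    results = []
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            intact = os.path.exists(rec["copy"]) and sha256_of(rec["copy"]) == rec["sha256_copy"]
            results.append((rec["copy"], intact))
    return results

def demo(tamper=False):
    """Constructed sample: a temp file stands in for a document under audit."""
    work = pathlib.Path(tempfile.mkdtemp())
    src = work / "sample.txt"
    src.write_bytes(b"constructed sample evidence\n")
    log = work / "evidence.log"
    rec = duplicate_evidence(str(src), str(work / "evidence"), str(log))
    if tamper:  # simulate the stored copy being altered after acquisition
        pathlib.Path(rec["copy"]).write_bytes(b"tampered")
    return rec, verify_log(str(log))
```

Running `demo(tamper=True)` shows the value of the log: the acquisition record still says verified, but re-hashing the stored copy no longer matches, so the alteration is caught.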

Page 12: COFEE Comparison

• Design
• Features/Tools
• Ease of Use
• Display

VS

• Integrity
• Evidence
• Connectivity
• All in 1

COFEE is Microsoft's incident response GUI, which was made available to law enforcement officers to aid them in their investigations. COFEE uses around 30 unique tools, while fraudIT uses over 80.

Page 13: Demo

The demonstration of the project will include:

• Accessing the application using a USB drive
• Loading the application
• Running various tools
• Using the File Audit
• Uploading evidence
• Reviewing reports

Because of the length of time it takes to run a Live Audit, this will be demonstrated using a video clip to speed up the time it would normally take.

Page 14: Code Overview

Using ActiveState Komodo we will take a look at the Python code used to build the application.

Page 15: Compatibility & Testing

Compatibility was a major concern when creating fraudIT.

Testing carried out:

• Use case testing: whether the application can be used by a novice.
• Code review / debugging: asking coders what I can do to increase the performance.
• Tool comparison: different tools used for the same function.

Windows systems tested for compatibility: XP, 7 and 8 (different architectures).

Page 16: Issues

• Time Management – additional projects
• Display Issues – icons, centring, sizing
• Compatibility Issues – XP -> 7 -> 8
• Tool Acquisition – command line only
• Programming Issues – Perl and Python knowledge increase
• Project Concept – idea has changed over time
• Presentation Issues – time management and weighting of marks

Page 17: Future

• Alert Data – allow unusual results to be flashed to the user
• Apple Compatible – acquire tools for Mac PCs
• Timelines – incorporate timelines for the all-in-one audits
• Central Application – run the application from a central server
• Python Power – instead of using open source tools, include Python code to perform the functions

Page 18: Conclusion

The skills which I have gained from this project have been immense. They have helped me gain confidence in my ability to learn new programming languages, improved my time management and were one of the main reasons I have been offered a job with Version 1 as a Graduate IT Consultant.

The time spent on the creation of the application has also proven quite useful for other modules, as my understanding of Python has been incorporated into other projects (development of an Android APK analysis application for a research project in Network Security). It has highlighted weaknesses and strengths which I never knew I had.

Page 19: Questions

Page 20: References

• [BackTrack2011] BackTrack Linux - Penetration Testing Distribution. Available at: http://www.backtrack-linux.org/ [Accessed October 26, 2011].
• [Coffe2011] Computer Online Forensic Evidence Extractor (COFEE). Available at: http://www.microsoft.com/industry/government/solutions/cofee/default.aspx [Accessed October 22, 2011].
• [Encase] Leading E-Discovery, Forensic Software. Available at: http://www.guidancesoftware.com [Accessed November 1, 2011].
• [Qt2011] Riverbank | Software | PyQt | What is PyQt? Available at: http://www.riverbankcomputing.co.uk/software/pyqt/intro [Accessed October 17, 2011].
• [Python2011] Python Programming Language – Official Website. Available at: http://www.python.org/ [Accessed October 22, 2011].