Wednesday 26 November 2014

Investigation and Intelligence Framework - About Evidence

Cybercrime advances every day and investigators face more and more challenges, but they are often too narrowly focused on the technical details and so fail to draw the whole picture of an incident by correlating the seized or acquired evidence for intelligence purposes.

The idea of the Investigation and Intelligence Framework (iif) is to correlate evidence and intelligence so that investigations can proceed more effectively. To begin with, let's look at the evidence.
All network-related evidence, including memory, the registry, web applications (e.g. browsers or Skype) and network traffic (e.g. pcap), should be investigated.

Memory
When we have a memory dump we are not going to do malware analysis; instead we look for suspicious processes and interesting artifacts.


Registry
For the registry, we look at the hive keys that control which processes start, to see if there are any suspicious findings. Besides that, we can sometimes also check the Internet history.



Web-applications
Web applications include browser history as well as the history of instant messengers such as Skype; we should look for possible downloads from suspicious sources.


Network traffic
For network traffic we have to do packet analysis, searching for suspicious IP addresses and protocols. In the example here (which is of course intended), malware could be using the FTP protocol to transfer something like a keylogger log to the evil server.


So you may ask how we know whether a piece of evidence is worth further investigation, and even once we have sorted out the evidence we want, what do we do next? We will discuss this in the next post, so please stay tuned. :)


Tuesday 25 November 2014

Investigation and Intelligence Framework

Digital forensics investigators face various daily challenges because a large variety of high-tech cybercrimes are reported, for instance APT, hacking, ransomware and DDoS. During an investigation, investigators focus on reverse engineering the malware, illustrating its behaviour and conducting packet analysis to deal with credential leakage and the pattern of the network attack. They often concentrate only on the evidence itself, and seldom (or only with difficulty) draw out the whole picture of the incident by correlating the seized or acquired evidence for intelligence purposes. All relevant data from seized media should be utilized and analyzed, then transformed into intelligence so as to build a profile of the potential suspect with his corresponding attributes.



Based on the principles of the Zachman Framework, we propose and design an Investigation and Intelligence Framework: an automated mechanism to identify the potential suspect at an early stage, easing further investigation and correlating evidence to oversee the entire picture of the cybercrime. Our framework adopts four of the intersections, i.e. When, Where, Who and How. These 4W of the incident should be the factors of concern no matter what type of cybercrime has happened. To fulfil the 4W concept, related artifacts including timeline, location, identity and attack path are recognized at an earlier phase, so investigators can tackle the cybercrime more successfully.

The table summarizes the relationship between the 4W concepts and the evidence, and how the IIFramework Tool and Maltego can help.


Below is the basic flow of the IIFramework Tool: evidence data is imported into the engine, which extracts IP addresses, domains and email addresses; using the intelligence, it then ranks which evidence data deserves more attention for further investigation. Maltego helps correlate the important evidence to give a bigger picture of the incident.


A tool has been developed to demonstrate the framework, correlating evidence and intelligence in order to provide a big picture of the cybercrime story and make investigation more effective. Maltego also contributes the functionality of correlating the evidence found by the tool; with the integration of MalProfile (developed by ran2), it provides a clearer picture of the potential incident or cybercrime story.



The video is a demo of the Investigation and Intelligence Framework.


HITCON 2014 - Investigation and Intelligence Framework Abstract

Hacks in Taiwan (HITCON) is a highly technical security conference in Taiwan. We know there are many information security researchers with very professional expertise and experience in Taiwan. It was held on 19-22 Aug 2014 (ref: http://hitcon.org/2014/).

The research topic Investigation and Intelligence Framework was selected for the Playground Session of HITCON 2014 (ref: http://hitcon.org/2014/agenda/).



DFRWS EU 2014 - Introduction of Investigation and Intelligence Framework

As described in the previous post, we gave a workshop on Real Network Security Kungfu at DFRWS EU 2014, in which we also introduced the concept of the Investigation and Intelligence Framework.


The Investigation and Intelligence Framework aims at facilitating the following functions:

  • Import evidence data into our engine, for example memory dumps, registry and URLs
  • Our system grabs data including, but not limited to, IP addresses, domains and email addresses.
  • The grabbed data is fed to our intelligence engine, which produces the following information and works out threat forecasting:
    • Timelining
    • Relevance/Confidence Level
    • Activities Correlation


  • The demo is the prototype of the Investigation and Intelligence Framework
  • A memory dump is imported; the tool further digs out the detected URLs for the IP addresses
  • The VirusTotal API finds that one of the IP addresses is suspicious
The Investigation and Intelligence Framework is an on-going research project in our team.
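A toy version of the extract-and-rank flow sketched in this post and in the IIFramework Tool flow of the 25 November post, written as an added example and not the project's own code: the evidence strings and the intelligence table are constructed, the offline INTEL table stands in for the VirusTotal lookup the prototype performs, and the regexes and the small TLD allowlist are simplifications of what a real extractor would use.

```python
"""Import evidence text, extract IP addresses / domains / e-mail addresses,
then rank each indicator against an intelligence source (toy version)."""
import re
from collections import Counter

# Constructed strings, as they might be carved from a memory dump or a pcap.
EVIDENCE = """
ftp://203.0.113.45/upload/keys.log user=kl
GET http://cdn.example.net/update.js HTTP/1.1
Host: cdn.example.net
From: admin@example.org
connect 198.51.100.7:21 (ftp)
connect 203.0.113.45:21 (ftp)
"""

# Constructed intelligence: indicator -> number of engines flagging it.
# An indicator absent from the table is unrated, which is not the same as clean.
INTEL = {"203.0.113.45": 12, "198.51.100.7": 0, "cdn.example.net": 0}
KNOWN_TLDS = {"com", "net", "org", "info"}  # tiny allowlist; real tools use the public suffix list

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract(text):
    """Return {kind: Counter(indicator -> occurrences)} for the three indicator kinds."""
    emails = [e.lower() for e in EMAIL_RE.findall(text)]
    rest = EMAIL_RE.sub(" ", text)  # keep e-mail domains out of the domain list
    domains = [m.group(0).lower() for m in HOST_RE.finditer(rest)
               if m.group(1).lower() in KNOWN_TLDS]  # drops file names such as keys.log
    return {"ip": Counter(IP_RE.findall(text)),
            "domain": Counter(domains),
            "email": Counter(emails)}


def rank(indicators, intel):
    """Order indicators by the attention they deserve: intel detections dominate,
    repeat occurrences in the evidence break ties. Rows are (score, kind, value, status)."""
    rows = []
    for kind, counts in indicators.items():
        for value, hits in counts.items():
            detections = intel.get(value)
            status = "unrated" if detections is None else f"{detections} detections"
            rows.append(((detections or 0) * 10 + hits, kind, value, status))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for score, kind, value, status in rank(extract(EVIDENCE), INTEL):
        print(f"{score:4d}  {kind:6s} {value:22s} {status}")
```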

DFRWS EU 2014 Workshop - Real Network Forensics KungFu

The annual DFRWS conference allows leading digital forensics researchers from government, industry and academia to present their work and results to fellow researchers and practitioners. DFRWS EU 2014 was held in Amsterdam from 7-9 May 2014.

Our research fellows Kelvin Wong and Anthony Lai and I held a workshop on Real Network Security Kungfu:

Abstract:
Most 'Network Forensics' work focuses only on packet (pcap) and net-flow analysis, but that is just a part of the investigation. The investigator is not a 'Prophet'; it is impossible to capture the traffic before the incident occurred in order to trace the intruder/attacker. Network forensics should cover not only the captured traffic but also all of the network-related evidence (located in memory, the registry, web applications and, of course, network traffic) acquired from the compromised machine. The workshop will concentrate on practical skills and recommend a best solution to forensics professionals through a case study. We will also demonstrate a new project (proposed by Ran2) which could identify the attacker at an early stage for the ease of further investigation.

(ref: http://www.dfrws.org/2014eu/tutorials.shtml#kungfu)