
Information Security Consultants, Inc.

Automating Computer Forensics


Presented by:

Thomas Ianuzzi, CPP, CISSP, CFE, CCE


President, Information Security Consultants, Inc.

Scope of Discussion
1. The potential of automating computer forensics
2. A glimpse at the current state of the art
3. Future possibilities
4. Building a community to move forward

Why Automate?
Don't you know we get paid by the hour?

Increased productivity
The size of information systems is increasing (Moore's Law), so there is more information to process
A recent article claims corporate data has increased 50 times in the last three years
The legal system is responding to the necessity of using forensic evidence

Standardization of Forensic Protocols
If our protocols are not consistent and demonstrable, vital evidence may be excluded.
Automation removes some of the human element from these activities, reducing the possibility of error.

Reduce Repetitive Tasks

Humans are not well suited to repetitive tasks such as inspection of large quantities of evidence.
Safety in performing tasks which could prejudice the case if accidents occurred (writing to disks, etc.).

Trickle Down To Less Skilled Users

As the volume of material which must be examined increases, some of the work must trickle down to less experienced workers.


Automation is Inevitable


Two Types of Investigations

Discovery
Incident Response

Discovery
Non-volatile media (generally)
No change to media permitted
Studied approach possible

Incident Response
Volatile and non-volatile media
Change to media may be unavoidable
Decisions must be made quickly which could affect business operations and evidence

Differences
The two are similar, differing mainly in the scope of the investigation and the time frame.
E-Discovery tools are less complex and safer with regard to changing evidence.
Incident response automation could be more valuable because of real-time response.

What's Available
Some of the tools we will look at already have the means to handle some of these tasks.

State of the Art
Batch Files
Designed-in Automation
Macros in Scripting Languages
Totally automated tools (research)

Batch Files
Batch files are the most basic form of automation. This is an excerpt from a popular incident response file.

Designed-in Automation
Adding evidence in FTK

Scripted
EnCase EnScripts
ProDiscover and Perl

Automated Incident Response

EnCase Enterprise Incident Response Suite
Integrates an IDS with EnCase Enterprise
People don't use IDS data too much
Manual response is not fast enough

The Future: What's Next

Longer and More Complex Scripts

Intelligent Agents, also known as bots
Bots are usually longer scripts which may contain many conditional operations.
They look for and respond to events.
Example: EnCase Enterprise Incident Response Suite

A Radical Departure
Let's stop using these machines as little more than electronic file cabinets.

New Automation
Let's produce tools that take their general direction from us and proceed somewhat autonomously.

Possible Problems
They could dumb down the profession
They could be easily challenged in court
They could fail to find evidence and let the guilty go free
Any other problems?

The Process

Forensics is both an art and a science


Automate Science?
The scientific or procedural part of computer forensics is easy to automate. Most of what has been done so far is this type of automation.

Automate Art?
The HOAP2 humanoid robot from Fujitsu, recently acquired by the Autonomous Systems Laboratory 3 (ASL3) at the University of Lausanne

The Hunch?
The classical view of a detective is someone following a hunch. It appears to be an art form, but is it? A hunch is a determination about possible human behavior based on the extensive study of human behavior.

Human Behavior is Unpredictable

Psychologists struggle with this problem
In spite of this, there are recurrent themes
We can codify these themes into lists

Intellectual Property Has Been Stolen (example)

The thief:
Dislikes the company or someone in it
Has been paid to steal it
Will use it to his personal benefit in business
Is helping someone else

Which One?
Our human investigator will spend a minimum amount of time on several possibilities. The automated tool, without intrinsic time constraints, can examine more of them at a low cost. The chess match between Deep Blue and Kasparov is a good example.

Techniques
Checklists
Scripts
Expert Systems
Intelligent Agents
Genetic Algorithms
Neural Networks

Poor Man's Automation

Policies
Procedures
Checklists

A Quick Introduction to AI
Artificial Intelligence is "the science of making machines do things which would require intelligence if done by man" (Marvin Minsky).

Expert Systems
Expert systems are very useful where a highly specialized very narrow field of knowledge needs to be applied by less knowledgeable people. Does that sound familiar?


Rule Based
Expert systems operate using rules. The following is an example of a system which could be used to locate child pornography. The program would search the suspect drives for any matches to a set of hash libraries.

Rules (example)
If no matching images are found on the subject drive, the possibility that the drive contains child porn is low
If one matching hash is found, the possibility is moderate
If three matches are found, the possibility is high
If images are found outside of mail systems, the possibility is very high

Rules
If images are attached to outgoing email, the probability is near certain
A production program would probably assign numerical values, and might consider many other factors

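As an added example (not part of the presentation), the rule set from the two Rules slides expressed as a small rule-based classifier in Python: it hashes constructed sample file records against a constructed stand-in for a hash library and applies the rules most specific first, which is an assumption since the slides give no rule order. FileRecord, find_matches and assess are names chosen here.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class FileRecord:
    path: str
    data: bytes
    in_mail_store: bool                 # found inside a mail system's storage
    outgoing_attachment: bool = False   # attached to an outgoing message


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a reference hash library of known images.
KNOWN_IMAGE_LIBRARY = {
    sha256_hex(b"constructed-known-image-1"),
    sha256_hex(b"constructed-known-image-2"),
    sha256_hex(b"constructed-known-image-3"),
}


def find_matches(files, library=KNOWN_IMAGE_LIBRARY):
    """Return the records whose content hash appears in the library."""
    return [f for f in files if sha256_hex(f.data) in library]


# Rules from the slides, ordered most specific first so the strongest
# applicable rule wins (assumed order; the slides do not state one).
RULES = [
    (lambda m: any(f.outgoing_attachment for f in m), "near certain"),
    (lambda m: any(not f.in_mail_store for f in m), "very high"),
    (lambda m: len(m) >= 3, "high"),
    (lambda m: len(m) >= 1, "moderate"),
    (lambda m: True, "low"),
]


def assess(files, library=KNOWN_IMAGE_LIBRARY):
    """Apply the rule set and return (likelihood, matched paths)."""
    matches = find_matches(files, library)
    for condition, level in RULES:
        if condition(matches):
            return level, [f.path for f in matches]
    return "low", []  # unreachable: the catch-all rule always fires


if __name__ == "__main__":
    evidence = [  # constructed sample records
        FileRecord("/home/u/photo.jpg", b"unrelated", in_mail_store=False),
        FileRecord("/mail/inbox/a.jpg", b"constructed-known-image-1", True),
    ]
    print(assess(evidence))  # ('moderate', ['/mail/inbox/a.jpg'])
```

A production version would replace the string levels with the numerical scores the slide mentions and add further factors as rules.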

Intelligent Agents (Bots)

Discussed previously
IDS/IPS and antivirus programs are good examples of this type of program

Genetic Algorithms
In Jurassic Park, "Life will find a way" became a tagline used several times throughout the movie. It refers to the fact that genetics is not limited by conceptual thinking; it tries a large number of random solutions to a problem. Programs can be written to mimic this process.

Neural Networks
Composed of a large number of highly interconnected processing elements
Mimic the operation of the brain
Have the potential to automate artistic functions

Schematic of an E-Discovery Tool

We are going to build a block model of one approach to an automated e-discovery tool.

A Tool Must Address One of Two Situations

The nature of the information sought in the investigation is known
The information is not known and this is a fishing expedition
We will assume that the investigation has a defined purpose

Single Purpose Tools

Locate pornography
Find evidence of a financial transaction
Locate references to a romantic partner
Locate evidence of a changed contract
Find financial statements

General Purpose Tools

A much more ambitious project
Would require a thorough understanding of how a good investigator thinks (expert system?)
Would need strong language processing capability

General Schematic of a Discovery Tool
Acquire Evidence
Analyze
Report

Schematic of an Incident Response Tool
Detect a possible incident
Determine if an intrusion has taken place
Quarantine, replace or repair the affected system
Report

Digital Forensics Automation Forum
http://www.forensicautomation.org/

References
A Mechanism for Automatic Digital Evidence Collection on High-Interaction Honeypots (June 2004): http://www.dcc.unicamp.br/~ra002193/index-en.html
Standardization of Forensic Protocols: http://web.archive.org/web/20030318033317/http://www.first.org/events/progconf/2002/d3-03-dosreis-slides.pdf
Automating Case Reports: http://cisr.nps.navy.mil/downloads/theses/05thesis_cassidy.pdf
Automated Diagnosis: http://www.mitre.org/work/tech_papers/tech_papers_01/elsaesser_forensics/esaesser_forensics.pdf
Incident Reporting: http://www.giac.org/certified_professionals/practicals/gsec/0547.php
State Machine Theory: http://www.gladyshev.info/smforensics/
Pre-Forensic Setup Automation: http://www.las.ic.unicamp.br/paulo/papers/2002-CCN-IASTEDflavio.oliveira-PFSAF.pdf
Automated Reassembly of Fragmented Images: http://isis.poly.edu/kulesh/research/pubs/icassp-2003.pdf
A Primer on Artificial Intelligence: http://users.erols.com/jsaunders/papers/aitechniques.htm
Robot Painting at the University of Lausanne: http://humanoids.epfl.ch/research/upper_body/paint/paint.html

Contact Information
Thomas Ianuzzi, CISSP, CCE
President, Information Security Consultants, Inc.
2243 NE 15th Drive, Jensen Beach, FL 34957
(772) 781-7300

tianuzzi@forensicautomation.org
Forum: http://www.forensicautomation.org/
Email Group: http://tech.groups.yahoo.com/group/forensicautomation/