CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Similar documents
A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

Unification of Digital Evidence from Disparate Sources

Developing a New Digital Forensics Curriculum

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

Rapid Forensic Imaging of Large Disks with Sifting Collectors

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

Extracting Hidden Messages in Steganographic Images

File Classification Using Sub-Sequence Kernels

An Evaluation Platform for Forensic Memory Acquisition Software

Hypervisor Event Logs as a Source of Consistent Virtual Machine Evidence for Forensic Cloud Investigations

Monitoring Access to Shared Memory-Mapped Files

The Normalized Compression Distance as a File Fragment Classifier

A Functional Reference Model of Passive Network Origin Identification

Ranking Algorithms For Digital Forensic String Search Hits

Fast Indexing Strategies for Robust Image Hashes

On Criteria for Evaluating Similarity Digest Schemes

Can Digital Evidence Endure the Test of Time?

Hash Based Disk Imaging Using AFF4

Automated Identification of Installed Malicious Android Applications

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

Honeynets and Digital Forensics

Breaking the Performance Wall: The Case for Distributed Digital Forensics

Multidimensional Investigation of Source Port 0 Probing

File Fragment Encoding Classification: An Empirical Approach

Design Tradeoffs for Developing Fragmented Video Carving Tools

A Strategy for Testing Hardware Write Block Devices

Privacy-Preserving Forensics

Designing Robustness and Resilience in Digital Investigation Laboratories

A Study of User Data Integrity During Acquisition of Android Devices

Archival Science, Digital Forensics and New Media Art

A Framework for Attack Patterns Discovery in Honeynet Data

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

Volatile Data Acquisition & Analysis

TZWorks Windows Event Log Viewer (evtx_view) Users Guide

An Automated Timeline Reconstruction Approach for Digital Forensic Investigations

Using the JSON Parser

Surveying The User Space Through User Allocations

Availability of Datasets for Digital Forensics & what is missing

CSE 124: LAMPORT AND VECTOR CLOCKS. George Porter October 30, 2017

Help Document Series: Connecting to your Exchange mailbox via Outlook from off-campus

BinComp: A Stratified Approach to Compiler Provenance Attribution

How to make provisional booking..

Information Assurance In A Distributed Forensic Cluster

Introduction to EVOLVE for Staff

Webomania Solutions Pvt. Ltd. 2017

A Study of Forensic & Analysis Tools

Teleporter: An Analytically and Forensically Sound Duplicate Transfer System

Binary Markup Toolkit Quick Start Guide Release v November 2016

Faculty and Staff Instructions for connecting to the Hood College VPN to access your files on Blazer and/or your on-campus computer

Case Study. Log Analysis. Automated Windows event log forensics. Engagement Preliminary Results Final Report. Extract Repair. Correlate.

Testing the Date Maintenance of the File Allocation Table File System

Multi-version Data recovery for Cluster Identifier Forensics Filesystem with Identifier Integrity

A Road Map for Digital Forensic Research

CREATING SUPER TIMELINES IN WINDOWS INVESTIGATIONS

External Data Connector for SharePoint

BIC Innovation R & D Logger Mobile App

TZWorks Timeline ActivitiesCache Parser (tac) Users Guide

Can Digital Evidence Endure the Test of Time?

MAGIP Best Practice: Persistent Identifier. Michael Fashoway 2010 MAGIP Technical Session October 28, 2010

Automated Timeline Anomaly Detection

Deploying and Using SLIM Suite in a Global Environment

Lessons Learned from the Construction of a Korean Software Reference Data Set for Digital Forensics

GFI EventsManager 8 ReportPack. Manual. By GFI Software Ltd.

INSPIRE and SPIRES Log File Analysis

Digital Evidence Composition in Fraud Detection

LiXuid Manuscript. Sean MacRae, Business Systems Analyst

WINDOWS EVENT FORENSIC PROCESS

Forensic and Log Analysis GUI

USER GUIDE. Lync Standard. Contents. This guide will take you through the step by step features of Lync Standard. 1. Starting Lync

TESTING General & Automated Control

17 In big Data Centers it may be practical to collect event and error messages to a central syslog server.

Digital Evidence Composition in Fraud Detection

INSTRUCTIONS FOR CONNECTING TO THE UNION COLLEGE WIRELESS NETWORK WITH AN ACCOUNT USING A WINDOWS COMPUTER.

Resellers Guide Managing your Reseller Account

Desktop User Guide May 2014

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

User s Guide. Biomedical Research Alliance of New York

ABSTRACT. different digital devices to obtain evidence. In order to describe the circumstances of the

Network Forensics Analysis with Evidence Graphs

Time skew analysis using web cookies

Aims. How it started. Unique features. Collaboration. Innovation. Cursery at a glance. Contact. Independent Tests of Anti-Virus Software

TZWorks Prefetch Parser (pf) Users Guide

Getting Started With the Cisco PAM Desktop Software

Introduction to EVOLVE for Staff

SOS Development Bulletin Making Tax Digital Summary and User Guide 19th December 2018

Data Replication in Offline Web Applications:

Remote Access for End User Reference Guide for EpicConnect Access

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Amcache and Shimcache Forensics

Coding Categorical Variables in Regression: Indicator or Dummy Variables. Professor George S. Easton

The CECAM Electronic Structure Library: An Overview

Detecting Data Theft Using Stochastic Forensics

GFI WebMonitor 2009 ReportPack. Manual. By GFI Software Ltd.

App Orchestration 2.5. Upgrading Session Machine Catalogs in App Orchestration 2.5. Prepared by: Mohit Menghnani Last Updated: July 25, 2014

Adam Harrison Principal Consultant - Verizon VTRAC

Time. COS 418: Distributed Systems Lecture 3. Wyatt Lloyd

every Website Packages

HyundaiCX.com The new Customer Experience Platform replacing HyundaiCustomerInsights.com Quick Reference Guide

Implementing Web Content

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines By Andrew Marrington, Ibrahim Baggili, George Mohay and Andrew Clark Presented At The Digital Forensic Research Conference DFRWS 2011 USA New Orleans, LA (Aug 1 st - 3 rd ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Andrew Marrington, Ibrahim Baggili College of Information Technology, Zayed University George Mohay, Andrew Clark Information Security Institute, Queensland University of Technology

! Construction of timelines of computer activity is important to many investigations. From system logs, file MAC times, file metadata! Whether through deliberate tampering, software misconfiguration/bug, hardware clock skew/drift or other natural cause, these timestamps may be inconsistent or contradictory.

! A computer activity timeline is a sequence of events ordered by time.! Events have two sources: System logs (e.g. the Windows Event Logs) we call these recorded events Timestamps from the file system and metadata (e.g. MAC times, Exif creation times) we call these inferred events! A complete-as-possible timeline of computer activity combines recorded and inferred events, ordered by time.

! Out-of-sequence events Events whose timestamp is inaccurate These events appear to have taken place after other events, even though logically they should have taken place beforehand! Missing events Events which logically must have taken place but are absent from our timeline!

! Out-of-sequence events and missing events can be caused through normal operation or deliberate tampering or obfuscation.! Natural causes include: System logging configuration by default many events may go unrecorded, making them missing Clock skew and drift, and the variations in clock skew over time Laptops moving between timezones etc

Approach

Events Normalised Database CAT Detect System log parsers Event inferrer RecordedEvents table InferredEvents table Rules base

! Events are extracted from system logs (e.g. Windows Event Logs) using a log parsing tool. We have been using our own parser, but other tools are now available with a great deal more maturity, e.g. GrokEVT! Events are inferred from timestamps extracted from the file system and file metadata. These could extracted from other tools. We have been using our own event inferrer, which we hope to make available soon.

! Events are normalised into the following format: Time, Subject, Object, Result, Action.! With the addition of an Event ID field, these are stored in two database tables: RecordedEvents and InferredEvents.

! The rules base includes some template events e.g. template login and logoff events! The rules base also includes rules which define the relations which should exist between certain events in order for them to be consistent! CAT Detect checks the events in a given timeline against the rules base.! At the moment, these rules are statically defined in-code but this should be improved upon soon.

! Some types of events must logically happen before other events.! For example, the user must login before the user can create a file.! This sort of relation is described by Leslie Lamport (1978) as the happened-before relation. Expanded by Fidge (1991) and used in a DF context by Gladyshev and Patel (2005) and Willassen (2008).! This relation is used as the basis of our rules.

! A user x must login to the computer system before creating file y on the computer system s drive. Each of these is an event: evta = (t a, x, system, login, success) evtb = (t b, x, y, created, success)! The rule will specify that evta must happenbefore evtb (evta evtb).! If t a < t b, then evta and evtb are inconsistent.! If t a > t b, then the events break this rule and are inconsistent.

! In some relations, the presence of the second event necessarily implies the presence of the first event.! Extending our last example, we can say that evta is a precondition of evtb.! If evta does not exist in our database, therefore, it is a missing event whose presence has been inferred.

! Let us define a third event, whereby a user x logs off the computer system: evtc = (t c, x, system, logoff, success)! It is clear that evtb evtc, and that evta is a precondition of evtc.! It is also clear that evtb (a file creation event) is not necessary for evtc to take place.

Usage Experiment

! We extracted our data from a Windows XP test PC with several dummy user accounts created on it: baddie crook nefarious! We normalised the event logs and loaded them into the RecordedEvents table.! We ran our event inferrer over the disk image and loaded its output into the InferredEvents table.

! Timeline A consistent timeline, no tampering! Timeline B inconsistent timeline, crook logged in but files apparently created by baddie! Timeline C inconsistent timeline, missing logon event! Timeline D inconsistent timeline, timestamp of logoff event altered.

! This release of CAT Detect has several limitations! Most notably, as you will see, the user must provide a query to specify the timeline corresponding to the user login session in which they are interested.

! Query: SELECT * FROM ((SELECT * FROM RecordedEvents) UNION (SELECT * FROM InferredEvents)) AS AllEvents WHERE Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 188) AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 146) ORDER BY Time;

! Query: SELECT * FROM ((SELECT * FROM RecordedEvents) UNION (SELECT * FROM InferredEvents)) AS AllEvents WHERE Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 132) AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 76) ORDER BY Time;

! Query: SELECT * FROM ((SELECT * FROM RecordedEvents) UNION (SELECT * FROM InferredEvents)) AS AllEvents WHERE Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 180) AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 146) ORDER BY Time;

! Query: SELECT * FROM ((SELECT * FROM RecordedEvents) UNION (SELECT * FROM InferredEvents)) AS AllEvents WHERE Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 188) AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 149) ORDER BY Time;

DFRWS Release

! The CAT Detect DFRWS release is available to download from SourceForge now: http://sourceforge.net/projects/catdetect/files/! You will need Java 6 and MySQL 5.5 or later to run CAT Detect.! CAT Detect s source code is available under the Academic Free License.

! This is not final, production-quality software.! We have not released CAT Detect because it is perfect but rather, because it is far from perfect. A to do list will be posted on the SourceForge list soon!! If you are interested in contributing your ideas and effort to developing tools to detect inconsistencies in timelines, any input would be welcome.

! Dynamic rules specification.! Better parser integration (e.g. built-in Windows Event Log parser or close integration/front-end for GrokEVT or output).! Automatic detection of user sessions.! Obtain data sources and parsers to apply CAT Detect to non-windows operating systems and newer versions of Windows.! Fix some unfortunate user interface issues!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback