Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

Similar documents
Cyberattack Analysis and Information Sharing in the U.S.

Pull It Together. Enabling Interoperability of Digital Forensic Systems Using a Standard Representation and Supporting API

Enabling Distributed Event Management: Interoperability for Automated Response and Prevention. Sean Barnum George Saylor Aug 2011

Cyber Threat Intelligence Sharing Standards

Cyber Threat Intelligence Standards - A high-level overview

Unification of Digital Evidence from Disparate Sources

Designing Robustness and Resilience in Digital Investigation Laboratories

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

A Functional Reference Model of Passive Network Origin Identification

Automated Identification of Installed Malicious Android Applications

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

Multidimensional Investigation of Source Port 0 Probing

Rapid Forensic Imaging of Large Disks with Sifting Collectors

Supply Chain Information Exchange: Non-conforming & Authentic Components

On Criteria for Evaluating Similarity Digest Schemes

Cyber Observables and Integration with EMAP EMAP 2011 Developer Days

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Fast Indexing Strategies for Robust Image Hashes

A Framework for Attack Patterns Discovery in Honeynet Data

Windows Forensics Advanced

Extracting Hidden Messages in Steganographic Images

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

Privacy-Preserving Forensics

Developing a New Digital Forensics Curriculum

Modern Cyber Defense with Automated Real-Time Response: A Standards Update

Monitoring Access to Shared Memory-Mapped Files

Course Outline. CCNA Cyber Ops SECOPS Official Cert Guide (Course & Labs)

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Certified Digital Forensics Examiner

A Study of User Data Integrity During Acquisition of Android Devices

Cybersecurity Auditing in an Unsecure World

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

SentinelOne Technical Brief

CNIT 121: Computer Forensics. 9 Network Evidence

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

The CASE standard can be used to represent all three of these categories throughout the electronic evidence lifecycle.

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

Training for the cyber professionals of tomorrow

Design Tradeoffs for Developing Fragmented Video Carving Tools

2018 Cyber Mission Training Course Catalog

COMPUTER FORENSICS (CFRS)

McAfee Network Security Platform Administration Course

Enabling Distributed Threat Analysis: Common Attack Patterns and Malware Characterization

Incident Response & Forensic Best Practice. Cyber Attack!

Certified Digital Forensics Examiner

DESIGN AND IMPLEMENTATION OF A NETWORK FORENSICS SYSTEM FOR LINUX

Hash Based Disk Imaging Using AFF4

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

Security+ SY0-501 Study Guide Table of Contents

SentinelOne Technical Brief

A Common Cyber Threat Framework: A Foundation for Communication

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

RSA INCIDENT RESPONSE SERVICES

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

BIG DATA ANALYTICS IN FORENSIC AUDIT. Presented in Mombasa. Uphold public interest

Can Digital Evidence Endure the Test of Time?

RSA INCIDENT RESPONSE SERVICES

An Evaluation Platform for Forensic Memory Acquisition Software

File Classification Using Sub-Sequence Kernels

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Indicators of Compromise

Symantec Ransomware Protection

Forensic and Log Analysis GUI

ADVANCED FORENSICS COURSE

Honeynets and Digital Forensics

BinComp: A Stratified Approach to Compiler Provenance Attribution

INCIDENT HANDLING & RESPONSE PROFESSIONAL VERSION 1

STIX Profile Development Tutorial

Assessing Your Incident Response Capabilities Do You Have What it Takes?

SOLUTION BRIEF REMOTE ACCESS: WEBSHELLS SEE EVERYTHING, FEAR NOTHING

What are we going to talk about today?

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

Digital Forensics Practicum CAINE 8.0. Review and User s Guide

Blue Team Handbook: Incident Response Edition

Implementing Cisco Cybersecurity Operations

Ethical Hacking. Content Outline: Session 1

Reducing the Cost of Incident Response

THE DESIGN AND IMPLEMENTATION OF AN EXTENSIBLE FORMAT FORMEMORY DUMPS

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Introduction to Computer Forensics

Syllabus: The syllabus is broadly structured as follows:

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

New Model for Cyber Crime Investigation Procedure

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9

Building Resilience in a Digital Enterprise

RSA NetWitness Suite Respond in Minutes, Not Months

Digital Evidence Cabinets: A Proposed Framework for Handling Digital Chain of Custody

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Cisco Networking Academy CCNA Cybersecurity Operations 1.1 Curriculum Overview Updated July 2018

Visualization is pre-installed using open industry-standard data file formats: PCAP & IPFIX records open in WireShark. Log searches open as CSV files

Understanding Cisco Cybersecurity Fundamentals

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Qualys Indication of Compromise

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Digital Forensics Lecture 01- Disk Forensics

Designing and Building a Cybersecurity Program

Source:

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information By Eoghan Casey, Greg Back, and Sean Barnum Presented At The Digital Forensic Research Conference DFRWS 2015 EU Dublin, Ireland (Mar 23 rd - 26 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

DFAX: Digital Forensic Analysis expression Leveraging CybOX TM to Standardize Representation and Exchange of Digital Forensic Information Eoghan Casey, Greg Back, Sean Barnum

Outline Motivation Related work DFAX ontology Introduce a Unified Cyber Ontology (UCO) Using CybOX to represent digital evidence Provenance Actions, Action Patterns, Action Lifecycle Next steps

Motivation Share digital forensic information Investigations involving 2+ jurisdictions/agencies Share digital forensic knowledge Distinctive behavioral patterns to search for Combine results from multiple forensic tools Compare results from multiple forensic tools Automate tool validation & verification Structured data enables more advanced analysis high timelines, graph queries, behavioral analysis

What is a Cyber Observable? a measurable event or stateful property in the cyber domain measurable events: registry key is created, file is deleted stateful properties: MD5 hash of a file, value of a registry key How these observables relate (patterns) Actions (context and tool provenance) Already used in digital forensics (intrusions, malware, IoC) Autopsy, Volatility

Various Defined Object Schemas Account Address API Code Device Disk Disk Partition DNS Cache DNS_Record Email Message File GUI GUI Dialog Box GUI Window Library Linux Package Memory Mutex Network Flow Network Packet Network Route Entry Network Route Network Subnet Pipe Port Process Product Semaphore Socket System Unix File Unix Network Route Entry Unix Pipe Unix Process Unix User Account Unix Volume URI User Account User Session Volume Win Computer Account Win Critical Section Win Driver Win Event Win Event Log Win Executable File Win File Win Kernel Win Kernel Hook Win Handle Win Mailslot Win Mutex Win Pipe Win Network Route Entry Win Network Share Win Pipe Win Prefetch Win Process Win Registry Key Win Semaphore Win Service Win System Win System Restore Win Task Win Thread Win User Account Win Volume Win Waitable Timer X509 Certificate (more on the way) Page 5

Disk (Contains) Email Open Attach.DOC file Execute Flash content Download.MP4 downloader Execute Create Create.EXE trojan Registry Connect C&C URLs/IPs

Use Case: Detect Malicious Activity Snort Rules Diverse Sensors Common Patterns of Attack (CAPEC) Attack Flow Description Cyber Observable Characterization (CybOX) Events Stateful Measures Yara Rules CERE Rules Cyber Observable Characterization (CybOX) Events Stateful Measures Einstein SIEM Rules

STIX: Structured Threat Information expressions

Android Example Page 9

Related Work Digital Evidence Bags (DEB) XIRAF RDF Digital Evidence Exchange (DEX) Digital Forensic XML (DFXML) AFF4 DFAX Turner, 2005 Alink et al, 2006 Schatz, 2007 Levine & Liberatore, 2009 Garfinkel, 2009 Cohen, et al 2009 Open Source (DHS/MITRE) Open source Y N N/A Y Y Y Y Case Information Y Y N N N Y Y Integrity assurance Y Y Y Y Y Y Y Chain of custody Y N P N N Y Y Evidence details Y Y Y N N Y Y Tool details Y Y Y Y Y Y Y Storage media contents Y Y Y N Y Y Y Mobile device contents Y Y N N N N Y Assign object multiple types Y Y Y N N Y Y Parent-child relationships Y Y Y Y Y N Y Non-hierarchical relationships N N Y N N Y Y Actions N N Y N N N Y Action Lifecycles N N N N N N Y

DFAX Ontology

DFAX Ontology

DFAX Ontology

Digital Evidence in CybOX Traces of wiping (Observable or Pattern) <ProductObj:Product>Secure Delete</ProductObj:Product> <FileObj:File_Name>sdelete.exe</FileObj:File_Name> <cybox:relationship>characterizes</cybox:relationship> <WinRegistryKeyObj:Key>Software\Sysinternal\SDelete</WinRegist <cybox:relationship>created</cybox:relationship> <FileObj:File_Name condition="fitspattern">z+.z+</fileobj:file_name> <cybox:relationship">renamed_by</cybox:relationship>

Provenance Evidence source and handling Continuity of possession / Chain of custody Evidence processing Tools and transformations Evidence analysis Evaluation of source Need to expand CybOX (e.g., PRNU and ENF)

Provenance in DFAX/CybOX Evidence source and handling dfax:evidence Record dfax:forensic Action Evidence processing cyboxcommon:tool Evidence analysis Defined relationships

Action Lifecycle: Forensic Process Different groups define process differently Forensic Process 1 Forensic Process 2 Forensic Process 3 Forensic Process 4 Authorization Planning Planning Preparation Identification Identification Notification Preservation Reconnaissance Search Incident Response Collection Transport & Storage Collection Data Collection Examination Transport Analysis Analysis Storage Data Analysis Presentation Proof and Defense Examination Presentation of Findings Archive Storage Presentation Proof/defense Dissemination Incident Closure

Action Lifecycle: Subject Grooming (Sexual Assault) Victim selection Establish trust Desensitization to sexual activity/abuse Kill Chain (Intrusion) Reconnaissance Development Delivery Maintain secrecy (persuasion/threats) Exploitation Arrange meeting Conceal evidence Configuration Beaconing and C2

Actions {Subject, Victim, System} Action = USB Device Connected Represent & search structured characteristics FileObj:File_Name = setupapi.log IN FileObj:File_Path = C:\Windows\setupapi.log CONTAINS cyboxcommon:string_value = \DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\8606E6D418ABE6077179 FAE&0] OR WinRegistryKeyObj:Name = HardwareID IN WinRegistryKeyObj:Hive = HKEY_LOCAL_MACHINE WinRegistryKeyObj:Key = \SYSTEM\CurrentControlSet\Enum\USBSTOR\ Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\08606E6D418ABE6077179F AE&0 CONTAINS WinRegistryKeyObj:Data = USBSTOR\DiskKingstonDataTraveler_3.0PMAP

Note: Plaso Categorizes related events using tags Plaso events map to cybox:observables Plaso tags map to dfax:actions Plaso Application Execution tag includes: windows:prefetch:execution windows:lnk AND path contains.exe winreg AND userassist or mru winevt source = Security AND eventid = 592

Action Patterns Higher level, human understandable terms Reflect behaviors and objectives Assist in establishing modus operandi (a.k.a. TTP)

Representing Changes NIST Diskprint (before and after comparison) http://www.nsrl.nist.gov/dskprt/dpexample.html CybOX Actions Install program Execute program Use program Uninstall program

Next steps Community involvement https://github.com/dfax/dfax DFAX/CybOX Python library Periodic Mobile Forensics Plaso Abstract concepts common across cyber domains Tools Actions & Action Lifecycle

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback