The role of computers and portable media devices (e.g. cell phones, GPS devices) in criminal and terrorist activity has increased significantly in recent years. Criminals are utilizing digital media in all forms of criminal activity. As such, devices frequently contain vital evidence, including user information, call logs, location, text messages, email, images and audio and video recordings.
In the area of cyber forensics, a significant barrier for law enforcement is keeping abreast of technology changes. New technology, both hardware and software, is released into the market at a very rapid pace and used in criminal and terrorist activity almost immediately. The large volume of information contained on digital devices can make the difference in an investigation and law enforcement investigators require updated tools to address the changing technology.
Since its inception in November 2008, project requirements have come directly from the Cyber Forensics Working Group (CFWG). Run by the S&T Directorate's Cyber Security Division, CFWG is composed of representatives from Federal, State and local law enforcement agencies. Members meet bi-annually to provide requirements, discuss capability gaps and prioritize the areas of most immediate concern to focus technology development, and participate as test and evaluation partners of resultant solutions.
Current Cyber Forensics Efforts
GPS Logical Analysis: The effort is developing a unified tool specifically designed to examine GPS devices in a manner consistent with the best practices of handling digital evidence. The developed tool will be a single platform that is manufacturer agnostic and capable of supporting the needs of Federal, State, and local law enforcement agencies as well as other partners within the Homeland Security Enterprise.
Cell Phone Forensics: The small size and versatility of portable media devices make them useful tools in the conduct of criminal and terrorist activity. The CSD Forensics project focuses on several areas of mobile device forensics, including disposable phones and the investigation of flash memory resident on mobile devices.
- Disposable Phone Forensics - Mobile phones with pre-pay service are frequently utilized in criminal and terrorist activities, largely due to their ease of procurement, lower upfront cost, ability to purchase with cash, and lack of personal identification required. These “burner” or “throw-away” phones are typically used for relatively short periods of time before being tossed aside. When acquired by law enforcement, however, these phones can contain valuable information regarding criminal activities. Acquiring this data is challenging because burner phones largely run on proprietary embedded operating systems and frequently have limited connection options or disabled universal serial bus (USB) ports. To address this issue, the effort is researching model-specific procedures for data acquisition and analysis.
- NAND Flash Memory Analysis - As powerful mobile computers, smart phones are evolving at an unprecedented pace and level of sophistication, and they store an enormous amount of data. Significant portions of the data on mobile devices cannot be accessed, or the devices have simply not been tested for data extraction. When law enforcement agencies come across these unsupported or under-supported mobile devices, they are not able to fully extract and analyze the evidence due to the lack of forensic technology. This effort is researching the techniques needed to address the challenges presented by NAND flash memory.
Solid State Drive Forensics: The increasing popularity and presence of solid state drives (SSD) in consumer computer products such as laptops, netbooks, and other portable devices presents challenging problems for law enforcement forensic investigators. Traditional forensic approaches that use write-blocking tools to image a magnetic hard drive do not effectively translate to investigations involving NAND flash memory-based SSDs. This effort is researching novel approaches for forensic analysis of SSDs.
Cyber Forensics Tool Testing: By funding the Cyber Forensics Tool Testing Program at the National Institute for Standards and Technology (NIST), the project offers a measure of assurance that the tools used by law enforcement in the investigation of computer-related crimes produce valid results. Testing based on rigorous procedures gives vendors an incentive to improve their tools, and gives law enforcement consistent and objective test results that will stand up in court. NIST test reports are published on the CyberFETCH website (www.cyberfetch.org).
Insider Threat: Cybersecurity measures are often focused on threats from outside an organization rather than threats posed by untrustworthy individuals inside it. However, insider threats are the source of many losses across critical infrastructure industries. These efforts focus on insider threats to our cyber systems in order to curtail some aspects of this problem.
- A study of malicious cyber activity in the banking and finance sector building on previous work accomplished in this area. This study updates the initial study in the banking and finance sector (Insider Threat Study: Illicit Activity in the Banking and Finance Sector, dated August 2004) to provide analysis of more recent cases. It also extends the coverage to include a comparison of internal and external attackers from a technical security controls perspective. In addition, results from this analysis will support law enforcement in cybercrime investigations by enabling them to more easily differentiate methods used by internal and external attackers.
- Experience has shown that insiders will frequently collect secret and sensitive information on their personal-use workstations prior to exfiltration. As such, the collection of information on these workstations diverges significantly from historical norms and from norms within the organization. This effort is researching how to use that divergence as a way of detecting potentially hostile insiders, by developing a lightweight forensics agent that runs on each workstation within an organization and using data mining approaches to find outliers.
- Another effort considers how actual insider behavior can be used to ensure that defensive technologies are meeting their intended purpose. Research is exploring three novel directions: 1) designing a model that can intelligently integrate multiple types of user behavior to improve the accuracy of identifying malicious insiders, 2) designing an active learning approach to probe suspicious users to improve the efficiency of identifying malicious insiders, and 3) developing privacy-preserving learning methods to protect users' private information in real-world applications.
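The following is an added example of the outlier approach described in the lightweight-forensics-agent effort above; it is not code from the CSD Forensics project or the Naval Postgraduate School work. It assumes a hypothetical agent that reports three daily counters per workstation (files read, bytes staged locally, files written to removable media), and the records it scores are constructed. Each host's current day is compared on two axes, its own history (drift from historical norms) and every other host on the same day (divergence from the organization's norm), using a median/MAD modified z-score so that one earlier spike cannot inflate the baseline.

```python
"""Outlier detection over per-workstation file-collection metrics.

Added example, not code from the CSD Forensics project. It assumes a
hypothetical lightweight agent that reports, per workstation and per day,
three counters; the records below are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

METRICS = ("files_read", "bytes_staged", "removable_writes")
# Modified z-score cutoff commonly used with median/MAD outlier tests.
DEFAULT_THRESHOLD = 3.5


def _rec(host, day, files_read, bytes_staged, removable_writes):
    return {"host": host, "day": day, "files_read": files_read,
            "bytes_staged": bytes_staged, "removable_writes": removable_writes}


# Constructed agent reports: three hosts, six days. ws-03 behaves like its
# peers until day 6, when it opens ~2,400 files, stages 6 GB locally and
# writes 14 files to removable media.
SAMPLE_RECORDS = [
    _rec("ws-01", 1, 120, 40_000_000, 0), _rec("ws-01", 2, 135, 42_000_000, 0),
    _rec("ws-01", 3, 110, 38_000_000, 1), _rec("ws-01", 4, 128, 41_000_000, 0),
    _rec("ws-01", 5, 122, 39_500_000, 0), _rec("ws-01", 6, 131, 40_500_000, 0),
    _rec("ws-02", 1, 95, 30_000_000, 0), _rec("ws-02", 2, 102, 33_000_000, 0),
    _rec("ws-02", 3, 88, 29_000_000, 0), _rec("ws-02", 4, 99, 31_000_000, 0),
    _rec("ws-02", 5, 105, 34_000_000, 0), _rec("ws-02", 6, 97, 32_000_000, 0),
    _rec("ws-03", 1, 140, 50_000_000, 0), _rec("ws-03", 2, 150, 52_000_000, 0),
    _rec("ws-03", 3, 138, 48_000_000, 0), _rec("ws-03", 4, 145, 51_000_000, 0),
    _rec("ws-03", 5, 142, 49_000_000, 0), _rec("ws-03", 6, 2400, 6_000_000_000, 14),
]


def robust_z(value, history):
    """Modified z-score of `value` against `history` using median and MAD,
    which a single earlier spike cannot drag the way mean/stddev would."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:
        # Degenerate baseline (e.g. removable writes are almost always 0):
        # fall back to mean absolute deviation, floored at one unit so that
        # a single extra event is not scored as infinitely anomalous.
        mad = max(sum(abs(h - med) for h in history) / len(history), 1.0)
    return 0.6745 * (value - med) / mad


def score_host_day(records, host, day, threshold=DEFAULT_THRESHOLD):
    """Score one host's counters on `day` along two axes:
    self_z - against the host's own earlier days (drift from its history)
    peer_z - against every other host on the same day (divergence from the
             organization's norm)
    Returns {metric: {"value", "self_z", "peer_z", "flagged"}}."""
    own_hist = defaultdict(list)
    peers = defaultdict(list)
    today = None
    for r in records:
        if r["host"] == host and r["day"] < day:
            for m in METRICS:
                own_hist[m].append(r[m])
        elif r["host"] == host and r["day"] == day:
            today = r
        elif r["day"] == day:
            for m in METRICS:
                peers[m].append(r[m])
    if today is None or not own_hist[METRICS[0]] or not peers[METRICS[0]]:
        raise ValueError(f"insufficient data for {host} on day {day}")
    out = {}
    for m in METRICS:
        sz = robust_z(today[m], own_hist[m])
        pz = robust_z(today[m], peers[m])
        # Only increases in collection are of interest here; a host that
        # reads fewer files than usual is not a staging indicator.
        out[m] = {"value": today[m], "self_z": sz, "peer_z": pz,
                  "flagged": sz > threshold or pz > threshold}
    return out


def detect_outliers(records, day, threshold=DEFAULT_THRESHOLD):
    """Return {host: {metric: scores}} for hosts with at least one flagged
    metric on `day`. In a real deployment the peer group would be hundreds
    of workstations rather than the two used in this constructed sample."""
    findings = {}
    for host in sorted({r["host"] for r in records}):
        scores = score_host_day(records, host, day, threshold)
        flagged = {m: s for m, s in scores.items() if s["flagged"]}
        if flagged:
            findings[host] = flagged
    return findings


if __name__ == "__main__":
    for host, metrics in detect_outliers(SAMPLE_RECORDS, day=6).items():
        for m, s in metrics.items():
            print(f"{host} {m}={s['value']} self_z={s['self_z']:.1f} "
                  f"peer_z={s['peer_z']:.1f}")
```

Scoring on both axes matters: a host whose workload is legitimately heavier than its peers will not be flagged as long as it is consistent with its own history, while a host whose counters jump on one day is caught even if the peer group happens to be noisy. The removable-media counter also shows the degenerate-baseline case, where a history of all zeros would otherwise turn any single event into an infinite score.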
TTA 4 – Insider Threat
Prime: Naval Postgraduate School | Sub: University of Texas, San Antonio
| Month Year | Document Title | Download |
| --- | --- | --- |
| October 2012 | Insider Threat Detection: Using Lightweight Media Forensics | PDF (2.1MB) |