Digital forensics : an integrated approach for the investigation of cyber/computer related crimes

Hewling, Moniphia Orlease

January 2013

Digital forensics has become a predominant field in recent times and courts have had to deal with an influx of related cases over the past decade. As computer/cyber related criminal attacks become more predominant in today’s technologically driven society the need for and use of, digital evidence in courts has increased. There is the urgent need to hold perpetrators of such crimes accountable and successfully prosecuting them. The process used to acquire this digital evidence (to be used in cases in courts) is digital forensics. The procedures currently used in the digital forensic process were developed focusing on particular areas of the digital evidence acquisition process. This has resulted in very little regard being made for the core components of the digital forensics field, for example the legal and ethical along with other integral aspects of investigations as a whole. These core facets are important for a number of reasons including the fact that other forensic sciences have included them, and to survive as a true forensics discipline digital forensics must ensure that they are accounted for. This is because, digital forensics like other forensics disciplines must ensure that the evidence (digital evidence) produced from the process is able to withstand the rigors of a courtroom. Digital forensics is a new and developing field still in its infancy when compared to traditional forensics fields such as botany or anthropology. Over the years development in the field has been tool centered, being driven by commercial developers of the tools used in the digital investigative process. This, along with having no set standards to guide digital forensics practitioners operating in the field has led to issues regarding the reliability, verifiability and consistency of digital evidence when presented in court cases. Additionally some developers have neglected the fact that the mere mention of the word forensics suggests courts of law, and thus legal practitioners will be intimately involved. Such omissions have resulted in the digital evidence being acquired for use in various investigations facing major challenges when presented in a number of cases. Mitigation of such issues is possible with the development of a standard set of methodologies flexible enough to accommodate the intricacies of all fields to be considered when dealing with digital evidence. This thesis addresses issues regarding digital forensics frameworks, methods, methodologies and standards for acquiring digital evidence using the grounded theory approach. Data was gathered using literature surveys, questionnaires and interviews electronically. Collecting data using electronic means proved useful when there is need to collect data from different jurisdictions worldwide. Initial surveys indicated that there were no existing standards in place and that the terms models/frameworks and methodologies were used interchangeably to refer to methodologies. A framework and methodology have been developed to address the identified issues and represent the major contribution of this research. The dissertation outlines solutions to the identified issues and presents the 2IR Framework of standards which governs the 2IR Methodology supported by a mobile application and a curriculum of studies. These designs were developed using an integrated approach incorporating all four core facets of the digital forensics field. This research lays the foundation for a single integrated approach to digital forensics and can be further developed to ensure the robustness of process and procedures used by digital forensics practitioners worldwide.

005.8

FORENSE COMPUTACIONAL EM AMBIENTE DE REDE BASEADO NA GERAÇÃO DE ALERTAS DE SISTEMAS DE DETECÇÃO DE INTRUSOS AUXILIADO PELA ENGENHARIA DIRIGIDA POR MODELOS / COMPUTATIONAL FORENSIC IN ENVIRONMENT OF NETWORK BASED ON GENERATING OF ALERTS OF INTRUDERS DETECTION SYSTEMS ASSISTED BY ENGINEERING DIRECTED BY MODELS

DUARTE, Lianna Mara Castro

19 October 2012

Made available in DSpace on 2016-08-17T14:53:23Z (GMT). No. of bitstreams: 1 Dissertacao Liana Mara.pdf: 7779999 bytes, checksum: eff54ba035aa6dab1569b8f121f7ee0a (MD5) Previous issue date: 2012-10-19 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior / Even the great progress of techniques used by protection systems as firewalls, intrusion detection systems and antivirus to detect and prevent attacks are not enough to eliminate the cyber-attacks threat. Known attacks for decades still achieve success, and well-known vulnerabilities continue to exist and reappear on the Internet and corporate networks [1]. The intrusion detection technologies we have today provide rich information about attacks. However, the main focus of intrusion detection focuses on the fact that security has been compromised. The computer forensics, on the other hand, attempts to understand and explain what happened to the security environment and how a security violation can happen [2]. However, there is a lack of investigative mechanisms to work synergistically with these sensors and identify not only the attackers, but the malicious actions that were performed. The lack of standardization in the process of computer and network forensics [3], as well as the heterogeneity of tools and the fact that the log/alert files depend on developers, causes a large variety in the formats of these security alerts. Moreover, the knowledge used in the incidents investigation still restricted to security analysts in each case. This work proposes, the development of a model based on computer forensics that can be applied in a network environment to work with IDS NIDIA [4] and heterogeneous IDSs associating information to alerts about procedures that can be performed to investigate the incident using existing tools. The methodology used to develop this was initially use literature to achieve the proposed objectives, derived from books, theses, dissertations, research papers and hypermedia documents, followed by the gathering of information for the development of the solution and analysis tools that could assist in the implementation and modeling the prototype, that was assisted by Model Driven Architecture. / Mesmo o grande progresso das técnicas utilizadas pelos sistemas de proteção como firewalls, sistemas de detecção de invasão e antivírus para detecção e prevenção de ataques, não são suficientes para eliminar a ameaça dos ciberataques. Mesmo ataques que existem há décadas ainda alcançam sucesso, e as vulnerabilidades bem conhecidas continuam a existir e reaparecer na Internet e redes corporativas [1]. As tecnologias de detecção de intrusão atuais fornecem informações ricas sobre um ataque. No entanto, o principal foco de detecção de intrusão centra-se no fato da segurança ter sido comprometida. A computação forense, por outro lado, tenta entender e explicar o que aconteceu com o ambiente de segurança e como uma violação de segurança pode acontecer [2]. No entanto, existe uma carência de mecanismos investigativos que possam trabalhar em sinergia com estes sensores e identificar não só os atacantes, mas as ações maliciosas que foram executadas. A falta de padronização no processo de realização da forense computacional e de rede [3], assim como a heterogeneidade das ferramentas e o fato de que os tipos de arquivos de logs dependem dos desenvolvedores, faz com que haja uma grande variedade nos formatos destes alertas de segurança. Além disto, o conhecimento empregado na investigação dos incidentes fica restrito aos analistas de segurança de cada caso. Esta dissertação propõe, de forma geral, o desenvolvimento de um modelo baseado na forense computacional que possa ser aplicado em ambiente de rede para trabalhar em conjunto com o IDS NIDIA [4] e IDSs heterogêneos associando aos alertas informações sobre procedimentos que podem ser executados para a investigação dos incidentes utilizando ferramentas existentes. A metodologia empregada para o desenvolvimento deste trabalho utilizou inicialmente de pesquisa bibliográfica para atingir os objetivos propostos, oriundas de livros, teses, dissertações, artigos científicos e documentos hipermídia, seguida de levantamento das informações para a elaboração da solução e uma análise de ferramentas que pudessem auxiliar no processo de modelagem e implementação do protótipo que foi auxiliado pela Arquitetura Dirigida por Modelos.

Computação Forense

MDA

IDS

Forensics Computer

MDA

IDS

A eficiência da descentralização na computação forense do Departamento de Polícia Técnica do Estado da Bahia

Peixoto, Saulo Correa

20 April 2012

Submitted by Saulo Correa Peixoto (saulopeixoto@hotmail.com) on 2012-04-27T19:07:35Z No. of bitstreams: 1 DISSERTAÇÃO COMPLETA - SAULO 26-04-2012.pdf: 2276284 bytes, checksum: abb3608c7b05f31370d98593f219dcd0 (MD5) / Approved for entry into archive by ÁURA CORRÊA DA FONSECA CORRÊA DA FONSECA (aurea.fonseca@fgv.br) on 2012-05-11T19:55:06Z (GMT) No. of bitstreams: 1 DISSERTAÇÃO COMPLETA - SAULO 26-04-2012.pdf: 2276284 bytes, checksum: abb3608c7b05f31370d98593f219dcd0 (MD5) / Approved for entry into archive by Marcia Bacha (marcia.bacha@fgv.br) on 2012-05-16T20:08:27Z (GMT) No. of bitstreams: 1 DISSERTAÇÃO COMPLETA - SAULO 26-04-2012.pdf: 2276284 bytes, checksum: abb3608c7b05f31370d98593f219dcd0 (MD5) / Made available in DSpace on 2012-05-16T20:08:52Z (GMT). No. of bitstreams: 1 DISSERTAÇÃO COMPLETA - SAULO 26-04-2012.pdf: 2276284 bytes, checksum: abb3608c7b05f31370d98593f219dcd0 (MD5) Previous issue date: 2012-04-20 / This study aimed to determine to what extent the process of decentralization adopted by the Department of Technical Police of Bahia (BA-DPT) was effective in meeting the Computing Forensic Expertise demands generated by Regional Coordination of Technical Police (CRPTs) in the state countryside. DPT-BA was restructured following the principles of administrative decentralization, following the progressive trend. It assumed with the decentralization the commitment to coordinate actions to empower units in the state, with the creation of minimal structures in all involved spheres, with ample capacity to articulate with each other and provide services aiming at a model of high performance public organization. Seeking to address the relationship between decentralization and efficiency in meeting the demand of expertise coming from the state of Bahia, the study, because of instrumental limitations, remained attached to the field of experts in Forensics Computer Science, which reflects and illustrates, in a significant way, the scenario occurred in other areas of expertise. Initially we identified the theoretical approaches on decentralization, showing the different dimensions of the concept, and then on the Forensics Computer Science. We carried out documentary research at the Institute of Criminology Afrânio Peixoto (Icap) and field research using semi-structured interviews with judges at the districts related to the research landscape, and with criminal experts of the Regional Coordination, of the CRPTs and from Icap Forensics Computer Science Coordination. Comparing the periods of service that include the concept of efficiency - defined by the law judges interviewed, criminal experts’ clients - and real terms - obtained through document research - data revealed a high degree of inefficiency, delays and defaults, and conflicting realities between capital and countryside. The analysis of interviews with criminal experts revealed a widespread dissatisfaction and demotivation, with almost absolute centralization of decision-making, demonstrating that the decentralization process served, paradoxically, as a tool enabling the centralization and its camouflage. / Este estudo teve como objetivo verificar até que ponto o processo de descentralização adotado pelo Departamento de Polícia Técnica da Bahia (DPT-BA) foi eficiente no atendimento às demandas de perícias de Computação Forense geradas pelas Coordenadorias Regionais de Polícia Técnica (CRPTs) do interior do Estado. O DPT-BA foi reestruturado obedecendo aos princípios da descentralização administrativa, seguindo a corrente progressista. Assumiu, com a descentralização, o compromisso de coordenar ações para dar autonomia às unidades do interior do Estado, com a criação de estruturas mínimas em todas as esferas envolvidas, com ampla capacidade de articulação entre si e com prestação de serviços voltados para um modelo de organização pública de alto desempenho. Ao abordar a relação existente entre a descentralização e a eficiência no atendimento à demanda de perícias oriundas do interior do estado da Bahia, o estudo, por limitações instrumentais, se manteve adstrito ao campo das perícias de Computação Forense, que reflete e ilustra, de forma expressiva, o cenário ocorrido nas demais áreas periciais. Inicialmente foram identificadas as abordagens teóricas sobre descentralização, evidenciando as distintas dimensões do conceito, e, em seguida, sobre a Computação Forense. Foram realizadas pesquisa documental no Instituto de Criminalística Afrânio Peixoto (Icap) e pesquisa de campo por meio de entrevistas semiestruturadas com juízes de direito lotados nas varas criminais de comarcas relacionadas ao cenário de pesquisa e com peritos criminais das Coordenações Regionais, das CRPTs e da Coordenação de Computação Forense do Icap. Correlacionando os prazos de atendimento que contemplam o conceito de eficiência  definido pelos juízes de direito entrevistados, clientes finais do trabalho pericial  e os prazos reais  obtidos mediante a pesquisa documental  os dados revelaram alto grau de ineficiência, morosidade e inadimplência, além de realidades discrepantes entre capital e interior. A análise das entrevistas realizadas com os peritos criminais revelou um cenário de insatisfação e desmotivação generalizadas, com a centralização quase absoluta do poder decisório, demonstrando que o processo de descentralização praticado serviu, paradoxalmente, como uma ferramenta de viabilização e camuflagem da centralização.

Administração pública

Computação Forense

Criminalística

Descentralização

Eficiência

Public administration

Forensics computer science

Criminalistics

Decentralization

Efficiency

Administração de empresas

Descentralização na administração

Prática forense

Tecnologia e direito