Apr 08 2013

In many police investigations today, computer systems are somehow involved. The number and capacity of computer systems needing to be seized and examined is increasing, and in some cases it may be necessary to quickly find a single computer system within a large number of computers in a network. To investigate potential evidence from a large quantity of seized computer systems, or from a computer network with multiple clients, triage analysis may be used.

The current challenges to conducting on-scene investigations are that each system must be booted and examined in turn, many investigation processes are not automated, multiple boot media may be needed, and there is no centralized point where results can be stored. All of these challenges can make the on-scene investigation process very time consuming if the network consists of hundreds of computers divided over several floors. Prior works had a number of foundational benefits, but still had a number of limitations that did not fit our needs. The approach taken in this work was to redesign an open source, forensically sound PXE environment that meets the following conditions:

  • Clients are able to boot a “forensic” file-system using DHCP, PXE and TFTP
  • Client–server based model: the client and server can communicate with each other
  • Network storage between clients and server, to serve files and store search results
  • Keyword searching in ASCII and UNICODE
  • File hashing and comparing with a centralized hash database
  • Clients are accessible through the server via SSH
  • Client’s local hard disk drives are accessible as a local disk on the server through ATA Over Ethernet (AoE)

This approach is adopted, not to conduct a full digital forensic investigation on-scene, but to conduct digital forensic triage. Triage is a medical term defined as:

A process for sorting injured people into groups based on their need for or likely benefit from immediate medical treatment. Triage is used in hospital emergency rooms, on battlefields, and at disaster sites when limited medical resources must be allocated (Triage, n.d.).

To derive the definition of digital forensic triage, we apply the medical definition specifically to computer forensics, resulting in:

A process of sorting computer systems into groups, based on the amount of relevant information or evidence found on these computer systems (Koopmans, 2010).

Based on this definition, the goal of the solution is not explicitly for exhibit exclusion purposes, but to sort analyzed systems by likely relevance.

The result is a client-server based solution for automation of basic digital forensic investigation processes on many clients over a network (Figure 1).

Automated Network Triage

A Triage server is placed on a network (preferably a network physically separate from the suspect’s network), and clients (suspect computers) are booted into a live environment via PXE or boot disk. They connect to the Triage server, load data and analysis scripts, and begin to conduct analysis on the suspect machine’s connected hard drives automatically. All results are reported back to the Triage server, and any suspicious hits can be investigated remotely using a variety of standard digital forensic investigation tools.
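As an added illustration (not code from the paper or the DigitalFIRE tool), the following Python implements two of the client functions listed above over a mounted suspect volume: hashing files against a known-hash set, and keyword search in ASCII and UTF-16LE (the Windows “UNICODE” form), reading in chunks so a match straddling a chunk boundary is still found. It returns a record with a constructed relevance score of the kind a server could sort systems by; the `build_sample_volume` helper and the score weighting are assumptions for the demo.

```python
import hashlib
import os
import tempfile

def file_sha256(path, chunk=1 << 20):
    h = hashlib.sha256()                       # chunked so large disks fit in RAM
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def keyword_patterns(keywords):
    # each keyword as two byte patterns: ASCII and UTF-16LE (Windows "UNICODE")
    return {kw: (kw.encode("ascii"), kw.encode("utf-16-le")) for kw in keywords}

def scan_file(path, pats, chunk=1 << 20):
    # carry a tail of the previous chunk so boundary-straddling matches are found; subtract the tail's own matches to avoid double counting
    hits = {kw: 0 for kw in pats}
    overlap = max(len(p) for pair in pats.values() for p in pair) - 1
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            data = tail + block
            for kw, (a, u) in pats.items():
                hits[kw] += data.count(a) + data.count(u) - tail.count(a) - tail.count(u)
            tail = data[-overlap:] if overlap else b""
    return hits

def triage_volume(root, known_hashes, keywords):
    # constructed weighting: 10 per known-hash match, 1 per keyword hit
    pats, report = keyword_patterns(keywords), {"hash_matches": [], "keyword_hits": {}}
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            digest = file_sha256(path)
            if digest in known_hashes:
                report["hash_matches"].append((path, digest))
            hits = scan_file(path, pats)
            if any(hits.values()):
                report["keyword_hits"][path] = hits
    kw_total = sum(sum(h.values()) for h in report["keyword_hits"].values())
    report["score"] = 10 * len(report["hash_matches"]) + kw_total
    return report

def build_sample_volume():
    # constructed sample files standing in for a suspect disk
    root = tempfile.mkdtemp(prefix="triage_")
    files = {"notes.txt": b"evidence locker 4; more evidence here",
             "doc.bin": b"\x00\x01" + "evidence".encode("utf-16-le") + b"\xff"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Running `scan_file` with a tiny `chunk` (for example 5) gives the same counts as the default, which is the boundary handling the text's keyword search needs on large disks.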

Works cited:

  1. Triage. In: Dorland’s medical dictionary for health consumers; n.d.
  2. Koopmans M. The art of triage with (g)PXE. Dublin: University College Dublin; 2010. p.51

For more information, please see:

Koopmans, M. B., & James, J. I. (2013). Automated network triage. Digital Investigation, 1–9. doi:10.1016/j.diin.2013.03.002

Apr 08 2013

The Digital Forensic Investigation Research Laboratory conducts a lot of research on Cloud environments. However, Cloud environments can sometimes be cumbersome to create and configure, taking time away from testing and research. In order to streamline this process, DigitalFIRE has created a virtualised Cloud environment for Cloud security and investigation researchers. Virtualising the Cloud components allows researchers to delete, change, prod and generally abuse the Cloud as much as they like, while allowing the system to be easily reset. A description of the system, as well as information about downloading and using the environment, can be found below.

“OpenStack is an Infrastructure as a Service (IaaS) cloud computing project that is free open source software released under the terms of the Apache License” – Wikipedia

The Openstack project provides us with a cloud computing system. It’s an open source project, which is perfect for the more under-the-hood inclined user. If you are looking to work with Openstack, ready your hardware (you’ll need a few spare machines), head over to openstack.org, download and install it.

139 pages of install documentation later, if you managed to follow the instructions precisely, you’ll have an Openstack system.

This is where our research might help you. We’ve created a minimal Openstack system as an OVA (VirtualBox) virtual appliance. Currently, our appliance has two virtual machines “node1” and “node2”, a very minimal Openstack system, but it provides the required Openstack functionality for testing and research purposes.

What is provided in this Openstack installation?

nova http://100.10.10.110:8774/v2/949c06f05b9347928c22b7f87c5f6c90
glance http://100.10.10.110:9292/v1
volume http://100.10.10.110:8776/v1/949c06f05b9347928c22b7f87c5f6c90
ec2 http://100.10.10.110:8773/services/Cloud
swift http://100.10.10.111:8888/v1/AUTH_949c06f05b9347928c22b7f87c5f6c90
keystone http://100.10.10.110:5000/v2.0


Swift runs on node2 (100.10.10.111) and the rest of the Openstack services are running on node1 (100.10.10.110). To get you up and running quicker, we’ve added a CirrOS tiny cloud guest image so you can spin up VMs immediately after you install our appliance.

How do I use it?

  1. Download the DigitalFIRE Openstack OVA appliance. (1GB OVA file)
  2. Install Virtualbox on your OS. http://www.virtualbox.org/manual/ch01.html#intro-installing
  3. Make sure a host-only network (IP: 100.10.10.1, DHCP off) exists. More info at http://www.virtualbox.org/manual/ch06.html#network_hostonly
  4. Import the appliance into your hypervisor. (Using Virtualbox, File->Import Appliance). Visit http://www.virtualbox.org/manual/ch01.html for more detailed instructions.
  5. Start the VMs node1 and node2.
  6. Wait about 30 seconds for the nodes to come up.

You now have a working Openstack system. Access the dashboard via your browser at http://100.10.10.110/horizon to begin using your cloud.

Installing Openstack from scratch is quite informative and gives you a good overview of the inner workings, however our appliance will allow you to get started with Openstack very quickly.

Installing a new image for use in Openstack

We’ve added a CirrOS image (a very small Linux) to our virtual Openstack system. However, if you want to add a new VM image to your Openstack system, you can. Just follow the steps below:

1. Download an image (quantal-server-cloudimg-i386-disk1.img from http://uec-images.ubuntu.com/ for example).

2. SSH into node1:

Set up our credentials for keystone, on a terminal in root’s home directory:

$ source openrc

Add our new image to Glance, using the Glance CLI:

$ glance image-create --name=ubuntu --disk-format=qcow2 --container-format=bare < /home/root/quantal-server-cloudimg-i386-disk1.img

3. On the Dashboard:

Create a keypair (Project tab -> Access & Security -> Keypairs -> Create Keypair) and download the .pem file.

Your new instance, launched from the new image with that keypair, is ready for use.

On Windows you might want to convert the key: puttygen -> load .pem -> save private key -> .ppk file.

SSH to the new instance (using the .pem or .ppk file for authentication).

Notes:

Make sure you have a Host-Only VNIC installed on your host system with the following configuration:

IPv4 address: 100.10.10.1 (the last octet is changeable, but leave last-octet values 100 to 200 free for the Openstack system, which uses them for floating IP addresses, node addresses, etc.)

The virtual machines have a NAT connection to the host system, allowing for a guest VM internet connection. You can remove these from the virtual machines if you wish. They are adapter 2 on each virtual machine.

This Openstack installation is configured for openness and ease of use: many network ports are open, security groups are quite relaxed, and all the passwords are very weak. Bottom line: the installation is geared for testing/research purposes and should stay on the isolated host-only network.

You’ll need at least 4GB of RAM (more would be a lot better) and a CPU supporting VT-x in your host system.

Credentials (username/password):

  • Dashboard Admin (admin/password)
  • Dashboard Demo user (lee/lee)
  • Node1 login (100.10.10.110) (root/lee)
  • Mysql server on Node1 (root/root)
  • Node2 login (100.10.10.111) (root/lee)
  • Cirros image (cirros/cubswin:))
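Given the weak defaults and open configuration described above, a check worth running before the appliance is ever exposed beyond the host-only network is that the documented default credentials no longer authenticate. The following Python is an added example, not part of the DigitalFIRE appliance: it posts a Keystone v2.0 password authentication to the node1 endpoint listed in this post, reports which documented dashboard defaults still work, and lists the service catalog each token grants. The transport function is injectable so the logic can be exercised offline; `DOCUMENTED_DEFAULTS` holds the two dashboard accounts from the credentials list above.

```python
import json
import urllib.error
import urllib.request

KEYSTONE = "http://100.10.10.110:5000/v2.0"            # node1 endpoint from this post
DOCUMENTED_DEFAULTS = [("admin", "password"), ("lee", "lee")]

def token_request(username, password, tenant=None):
    # Keystone v2.0 password authentication body (POST <base>/tokens)
    creds = {"passwordCredentials": {"username": username, "password": password}}
    if tenant:
        creds["tenantName"] = tenant
    return {"auth": creds}

def post_json(url, body, timeout=5):
    # real transport: returns (HTTP status, parsed JSON or None)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None
    except urllib.error.URLError:
        return 0, None                                    # node unreachable

def catalog_endpoints(token_response):
    # service name -> publicURL from the serviceCatalog in a v2.0 token response
    return {svc["name"]: ep["publicURL"]
            for svc in token_response.get("access", {}).get("serviceCatalog", [])
            for ep in svc.get("endpoints", [])}

def audit_defaults(post=post_json, base=KEYSTONE, defaults=DOCUMENTED_DEFAULTS):
    # Returns (user, password, endpoints) for each documented default that still
    # authenticates; an empty list means the defaults have been changed.
    still_valid = []
    for user, pw in defaults:
        status, body = post(base + "/tokens", token_request(user, pw))
        if status == 200 and body and "access" in body:
            still_valid.append((user, pw, catalog_endpoints(body)))
    return still_valid

if __name__ == "__main__":
    for user, _, endpoints in audit_defaults():
        print(f"default credential for '{user}' still works; endpoints: {sorted(endpoints)}")
```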

UPDATE: The latest version of Virtualbox has broken OVA importing. A (horrible) workaround is to import the OVA in an older version of Virtualbox and then upgrade!

Apr 04 2013

Last week, a number of Korean organizations fell victim to cyber attacks. This has prompted discussions about cybersecurity in Korea, and while following this issue I’ve realized that Korea’s main challenge appears to be understanding what cybersecurity actually is.


From many of the discussions, representatives from various organizations appear to believe that security is a force, much like the police or military. Cybersecurity, however, is not an organization. It is not something that can be prevented by a single group. Cybersecurity is a responsibility, a mindset, that each technology user must adopt. Everyone plays a part in the cybersecurity of Korea (and the world), and anyone not considering the security of their devices is putting not only themselves, but also their friends/family/workplace/bank/government/etc. in danger.

Indeed, organizations can play a part in helping to improve cybersecurity. Police investigations, for example, can lead to catching cyber criminals, and thus potentially reduce on-line crime. But police cannot be everywhere, and are inherently reactive. And unless citizens want the government protecting the people from themselves (via pre-incident monitoring to make sure you don’t click on the ‘wrong’ link), then security of the country should be achieved through education of everyone.

The thing that every citizen, company and government entity needs to realize is that their device probably will be compromised. So think of security as a function of time. With enough time, even the strongest security can be broken. So just give hackers less time. Change your passwords often, factory reset your phone and reformat your computers every 6 to 12 months, make sure your software is always up to date, use anti-virus software and firewalls on all your devices, and be very selective about the software and websites you use. There is a lot of information available about on-line security, so there is really no reason not to understand and implement the basics. It doesn’t take a lot of time, and it could end up saving you, or someone you love, a lot of inconvenience later.

Remember, cybercrime is not static. Security that worked yesterday may not work today. So securing devices should become a way of life, not a once-off effort.

Security resources: www.google.com/intl/ko/goodtoknow, www.kisa.or.kr and www.ctrc.go.kr

What is cybersecurity: [PDF ENG] [PDF KOR]

For a related piece on “Cybersecurity and Challenges to Democracy” please see: [PDF]