Publication catalogue - books
Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National Centre for Forensic Science, Orlando, Florida, January 28-January 31, 2007
Philip Craiger ; Sujeet Shenoi (eds.)
In conference: 3rd IFIP International Conference on Digital Forensics (DigitalForensics). Orlando, FL, USA. January 28, 2007 - January 31, 2007
Abstract/Description (provided by the publisher)
Not available.
Keywords (provided by the publisher)
Not available.
Availability
| Detected institution | Year of publication | Browse | Download | Request |
|---|---|---|---|---|
| Not detected | 2007 | SpringerLink | | |
Information
Resource type:
books
Print ISBN
978-0-387-73741-6
Electronic ISBN
978-0-387-73742-3
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2007
Publication rights information
© International Federation for Information Processing 2007
Subject coverage
Table of contents
Calibration Testing Of Network Tap Devices
Barbara Endicott-Popovsky; Brian Chee; Deborah Frincke
Understanding the behavior of network forensic devices is important to support prosecutions of malicious conduct on computer networks as well as legal remedies for false accusations of network management negligence. Individuals who seek to establish the credibility of network forensic data must speak competently about how the data was gathered and the potential for data loss. Unfortunately, manufacturers rarely provide information about the performance of low-layer network devices at a level that will survive legal challenges. This paper proposes a first step toward an independent calibration standard by establishing a validation testing methodology for evaluating forensic taps against manufacturer specifications. The methodology and the theoretical analysis that led to its development are offered as a conceptual framework for developing a standard and to “operationalize” network forensic readiness. This paper also provides details of an exemplar test, testing environment, procedures and results.
I - Legal Issues | Pp. 3-19
On the Legality of Analyzing Telephone Call Records
C. Swenson; C. Adams; A. Whitledge; S. Shenoi
This paper examines the legal issues related to the access and use of call detail records (CDRs) of telephone subscribers that are maintained by service providers. The scenarios considered involve a federal law enforcement agency obtaining CDRs to identify suspects in a terrorism investigation; a federal, state or local law enforcement agency analyzing CDRs to gain insight into drug trafficking activities by an organized crime family; and a state or local law enforcement agency using CDRs to identify parole violators or motorists who exceed the posted speed limit. In addition, the legality of a service provider analyzing CDRs to support its direct marketing efforts is discussed.
I - Legal Issues | Pp. 21-39
Survey of Law Enforcement Perceptions Regarding Digital Evidence
M. Rogers; K. Scarborough; K. Frakes; C. San Martin
This paper analyzes state and local law enforcement agents’ perceptions about prosecutors’ knowledge of digital evidence and their willingness to prosecute cases involving digital evidence, and agents’ perceptions about judges’ knowledge of digital evidence and their willingness to admit digital evidence in legal proceedings. Statistical analysis indicates that a significant negative correlation exists between the size of the population served by law enforcement agents and their perceptions about judges’ knowledge of digital evidence and willingness to admit digital evidence. Also, positive relationships exist between the size of the population served and law enforcement perceptions of prosecutors’ knowledge of digital evidence and willingness to prosecute digital evidence cases, and perceptions about judges’ willingness to admit digital evidence. The implications of these findings are discussed along with suggestions for future research.
I - Legal Issues | Pp. 41-52
Insider Threat Analysis Using Information-Centric Modeling
D. Ha; S. Upadhyaya; H. Ngo; S. Pramanik; R. Chinchani; S. Mathew
Capability acquisition graphs (CAGs) provide a powerful framework for modeling insider threats, network attacks and system vulnerabilities. However, CAG-based security modeling systems have yet to be deployed in practice. This paper demonstrates the feasibility of applying CAGs to insider threat analysis. In particular, it describes the design and operation of an information-centric, graphics-oriented tool called ICMAP. ICMAP enables an analyst without any theoretical background to apply CAGs to answer security questions about vulnerabilities and likely attack scenarios, as well as to monitor network nodes. This functionality makes the tool very useful for attack attribution and forensics.
II - Insider Threat Detection | Pp. 55-73
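The abstract above describes capability acquisition graphs but not their mechanics. The following is an added example, not code from the paper or from ICMAP: it models a CAG as a weighted directed graph in which an edge (src, dst, cost) is assumed to mean "an insider holding capability src can acquire dst at effort cost", answers the question "what is the cheapest route from an insider's starting capabilities to a target asset", and then removes each intermediate capability in turn to find the choke points whose loss most raises the attacker's effort. The graph, capability names and costs are constructed for illustration.

```python
import heapq

# Constructed capability-acquisition graph (example data, not from the paper).
# Assumption: an edge (src, dst, cost) reads "an insider who already holds
# capability src can acquire capability dst at effort cost".
EDGES = [
    ("employee_badge", "office_network", 1),
    ("office_network", "file_share_read", 2),
    ("office_network", "db_service_port", 3),
    ("file_share_read", "backup_credentials", 4),
    ("backup_credentials", "db_admin", 2),
    ("db_service_port", "db_admin", 8),
    ("dba_account", "db_admin", 1),
    ("db_admin", "customer_records", 1),
]


def build_graph(edges):
    graph = {}
    for src, dst, cost in edges:
        graph.setdefault(src, []).append((dst, cost))
        graph.setdefault(dst, [])
    return graph


def cheapest_acquisition(edges, initial, target):
    """Multi-source Dijkstra over the CAG.

    Returns (effort, path) for the cheapest way an insider holding the
    capabilities in `initial` can acquire `target`, or (None, []) when the
    target is unreachable from that starting set.
    """
    graph = build_graph(edges)
    dist = {node: float("inf") for node in graph}
    prev = {}
    heap = []
    for cap in initial:
        if cap in graph:
            dist[cap] = 0
            heapq.heappush(heap, (0, cap))
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, cost in graph[node]:
            nd = d + cost
            if nd < dist[nxt]:
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dist.get(target, float("inf")) == float("inf"):
        return None, []
    path = [target]
    while path[-1] in prev:
        path.append(prev[path[-1]])
    return dist[target], path[::-1]


def choke_points(edges, initial, target):
    """For each intermediate capability, the attacker's effort if that
    capability were removed (e.g. the share is locked down). None means the
    target becomes unreachable. Large increases mark the controls worth
    monitoring or hardening first."""
    nodes = set(build_graph(edges)) - set(initial) - {target}
    result = {}
    for cap in sorted(nodes):
        pruned = [e for e in edges if cap not in (e[0], e[1])]
        cost, _ = cheapest_acquisition(pruned, initial, target)
        result[cap] = cost
    return result


if __name__ == "__main__":
    roles = {"clerk": {"employee_badge"}, "dba": {"employee_badge", "dba_account"}}
    for role, caps in roles.items():
        cost, path = cheapest_acquisition(EDGES, caps, "customer_records")
        print(f"{role}: effort {cost} via {' -> '.join(path)}")
    print(choke_points(EDGES, {"employee_badge"}, "customer_records"))
```

For the constructed graph a clerk needs effort 10 through the file share and backup credentials, while a DBA needs 2; removing `office_network` or `db_admin` cuts the clerk off entirely, and removing the file share raises the clerk's effort to 13 via the database service port.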
An Integrated System for Insider Threat Detection
Daniel Ray; Phillip Bradford
This paper describes a proof-of-concept system for detecting insider threats. The system measures insider behavior by observing a user’s processes and threads, information about user mode and kernel mode time, network interface statistics, etc. The system is built using Microsoft’s Windows Management Instrumentation (WMI) implementation of the Web Based Enterprise Management (WBEM) standards. It facilitates the selection and storage of potential digital evidence based on anomalous user behavior with minimal administrative input.
II - Insider Threat Detection | Pp. 75-86
Analysis of Tools for Detecting Rootkits and Hidden Processes
A. Todd; J. Benson; G. Peterson; T. Franz; M. Stevens; R. Raines
Rootkits pose a dilemma in forensic investigations because hackers use them surreptitiously to mislead investigators. This paper analyzes the effectiveness of online and offline information analysis techniques in detecting rootkits and determining the processes and/or files hidden by rootkits. Five common rootkits were investigated using a live analysis tool, five rootkit detection tools (RDTs) and four offline analysis tools. The experimental results indicate that, while live analysis techniques provide a surprising amount of information and offline analysis provides accurate information, RDTs are the best approach for detecting rootkits and hidden processes.
III - Rootkit Detection | Pp. 89-105
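As an added illustration of how a rootkit detection tool determines what a rootkit is hiding (this code is not from the paper and does not reproduce any of the tools it evaluated), the following compares two independent enumerations of the same objects: the list a user-mode tool reported through the API a rootkit can hook, against a second view obtained another way. Anything present in the second view but absent from the first is a candidate hidden object. The `ps` output, `/proc` listing and directory entries are constructed sample data; the cross-view comparison itself is the generic technique and is an assumption about how such tools work rather than a claim about the paper's results.

```python
# Constructed sample data (not from the paper): the process list as reported
# by a user-mode tool, and an independent enumeration of /proc. Assumption: a
# rootkit that filters the API behind the first view, but not the second,
# leaves a discrepancy between them.
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  812 ?        00:00:00 sshd
  934 ?        00:00:12 rsyslogd
 1407 pts/0    00:00:00 bash
"""

PROC_LISTING = ["1", "812", "934", "1407", "2210", "self", "cpuinfo", "meminfo", "net", "sys"]

# A second pair of views, this time for files: what `ls` returned versus the
# entries a raw directory read found (also constructed).
LS_OUTPUT = "bash_history\nnotes.txt\nreport.pdf\n"
RAW_DIRENTS = ["bash_history", "notes.txt", "report.pdf", ".hidden_rk", "..", "."]


def parse_ps(text):
    """Map PID -> command name from `ps -e` style output; the header is skipped
    because its first field is not numeric."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[0].isdigit():
            procs[int(fields[0])] = fields[3]
    return procs


def proc_pids(entries):
    """PIDs are the purely numeric entries of /proc."""
    return {int(e) for e in entries if e.isdigit()}


def cross_view(api_view, raw_view):
    """Compare two enumerations of the same objects.

    hidden:  in the raw view but missing from the API view, the signature of
             a hook that filters results.
    phantom: reported by the API view but absent from the raw view, usually an
             object that exited between the two snapshots; reported separately
             so it is not mistaken for evidence of hiding.
    """
    api_view, raw_view = set(api_view), set(raw_view)
    return {
        "hidden": sorted(raw_view - api_view),
        "phantom": sorted(api_view - raw_view),
    }


def hidden_processes(ps_text, proc_entries):
    return cross_view(parse_ps(ps_text), proc_pids(proc_entries))


def hidden_files(ls_text, dirents):
    names = {n for n in dirents if n not in (".", "..")}
    return cross_view(ls_text.split(), names)


if __name__ == "__main__":
    print(hidden_processes(PS_OUTPUT, PROC_LISTING))   # {'hidden': [2210], 'phantom': []}
    print(hidden_files(LS_OUTPUT, RAW_DIRENTS))        # {'hidden': ['.hidden_rk'], 'phantom': []}
```

On a live system the two views must be taken as close together in time as possible; the `phantom` set exists precisely because processes and files legitimately come and go between snapshots, and a detector that treats every difference as hiding will produce false positives.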
A Method for Detecting Linux Kernel Module Rootkits
Doug Wampler; James Graham
Several methods exist for detecting Linux kernel module (LKM) rootkits, most of which rely on system-specific knowledge. We propose an alternative detection technique that only requires knowledge of the distribution of system call addresses in an uninfected system. Our technique relies on outlier analysis, a statistical technique that compares the distribution of system call addresses in a suspect system to that in a known uninfected system. Experimental results indicate that it is possible to detect LKM rootkits with a high degree of confidence.
III - Rootkit Detection | Pp. 107-116
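To make the outlier idea concrete, the following added example (not the authors' code) applies a robust outlier test to a constructed system-call table. The assumptions are stated in the comments: on an uninfected kernel every handler address lies inside the kernel's own text segment, so the clean addresses form one tight cluster, whereas a loadable-module rootkit that hooks an entry replaces it with an address in module memory, far from that cluster. The baseline is the median and median absolute deviation of the clean addresses, and a suspect entry is flagged when its modified z-score exceeds the conventional 3.5 cutoff. All addresses and syscall names are illustrative.

```python
# Constructed data (not the paper's): where each system-call handler lives.
KERNEL_TEXT = 0xFFFFFFFF81000000   # start of the clean kernel's text (assumed)
MODULE_AREA = 0xFFFFFFFFA0000000   # where loadable modules are mapped (assumed)

SYSCALLS = ["sys_read", "sys_write", "sys_open", "sys_close", "sys_stat",
            "sys_fstat", "sys_lstat", "sys_poll", "sys_lseek", "sys_mmap",
            "sys_getdents64", "sys_kill"]

# Clean baseline: twelve handlers spaced through the kernel text.
CLEAN_TABLE = {name: KERNEL_TEXT + i * 0x1000 for i, name in enumerate(SYSCALLS)}

# Suspect system: same table, but read and getdents64 now point into module
# memory, the classic hooks for hiding files and processes.
SUSPECT_TABLE = dict(CLEAN_TABLE)
SUSPECT_TABLE["sys_read"] = MODULE_AREA + 0x123450
SUSPECT_TABLE["sys_getdents64"] = MODULE_AREA + 0x1237A0


def int_median(values):
    """Median computed in integer arithmetic so 64-bit addresses keep full precision."""
    s = sorted(values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) // 2


def robust_baseline(addresses):
    """Median and median absolute deviation (MAD) of the clean distribution."""
    med = int_median(addresses)
    mad = int_median([abs(a - med) for a in addresses])
    return med, mad


def modified_z(value, med, mad):
    # Iglewicz-Hoaglin modified z-score; 0.6745 scales MAD to be comparable to sigma.
    return 0.6745 * (value - med) / mad


def find_hooked_syscalls(clean_table, suspect_table, threshold=3.5):
    """Flag suspect entries whose address is an outlier relative to the clean
    distribution. Returns [(name, address, score)] in table order."""
    med, mad = robust_baseline(list(clean_table.values()))
    if mad == 0:
        raise ValueError("degenerate baseline: all clean addresses identical")
    flagged = []
    for name, addr in suspect_table.items():
        score = modified_z(addr, med, mad)
        if abs(score) > threshold:
            flagged.append((name, addr, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for name, addr, score in find_hooked_syscalls(CLEAN_TABLE, SUSPECT_TABLE):
        print(f"{name:16s} 0x{addr:016x}  modified z = {score}")
```

The baseline only needs to be collected once per kernel build, which is what makes the approach portable across systems: nothing about individual handler addresses has to be known in advance, only the shape of their distribution. A hook that redirects into an address inside the kernel text (an inline patch rather than a table rewrite) would sit inside the cluster and escape this test, so it complements rather than replaces integrity checks on the handler code itself.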
Future Trends in Authorship Attribution
Patrick Juola
Authorship attribution, the science of inferring characteristics of an author from the characteristics of documents written by that author, is a problem with a long history and a wide range of application. This paper surveys the history and present state of the discipline — essentially a collection of methods with little formal data available to select among them. It also makes some predictions about the needs of the discipline and discusses how these needs might be met.
IV - Authorship Attribution | Pp. 119-132
The Keyboard Dilemma and Authorship Identification
Carole Chaski
The keyboard dilemma is the problem of identifying the authorship of a document that was produced by a computer to which multiple users had access. This paper describes a systematic methodology for authorship identification. Validation testing of the methodology demonstrated 95% cross validated accuracy in identifying documents from ten authors and 85% cross validated accuracy in identifying five-sentence chunks from ten authors.
IV - Authorship Attribution | Pp. 133-146
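Both authorship papers above report or call for cross-validated accuracy figures without space to show what such a validation looks like. The following added example (not the method of either paper) runs a deliberately simple stylometric pipeline, function-word relative frequencies with a nearest-centroid classifier, and measures leave-one-out cross-validated accuracy over a constructed six-document corpus from two fictitious writers who differ only in a few habitual words. The corpus, feature list and classifier are all illustrative choices.

```python
import re
from collections import Counter

# Constructed corpus (not the papers' data): three short texts per author.
# Assumption: the method is a generic stylometric one, function-word
# frequencies plus a nearest-centroid classifier, chosen for clarity.
CORPUS = {
    "A": [
        "whilst the system ran, the analyst looked amongst the logs and acted upon the findings",
        "the report was written whilst the disk was imaged; amongst the artifacts, one stood upon the rest",
        "whilst waiting, we searched amongst the files and relied upon the hash values",
    ],
    "B": [
        "while the system ran, the analyst looked among the logs and acted on the findings",
        "the report was written while the disk was imaged; among the artifacts, one stood on the rest",
        "while waiting, we searched among the files and relied on the hash values",
    ],
}

# Function words carry style rather than topic, which is why they are the usual
# feature set; "the" is included to show a feature both writers share.
FUNCTION_WORDS = ["whilst", "while", "amongst", "among", "upon", "on", "the"]


def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())


def features(text):
    """Relative frequency of each function word in the text."""
    tokens = tokenize(text)
    counts = Counter(tokens)
    n = max(len(tokens), 1)
    return [counts[w] / n for w in FUNCTION_WORDS]


def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def sq_distance(u, v):
    return sum((a - b) ** 2 for a, b in zip(u, v))


def classify(vector, centroids):
    return min(centroids, key=lambda author: sq_distance(vector, centroids[author]))


def leave_one_out_accuracy(corpus):
    """Hold out each document in turn, build centroids from the rest, score it.
    The held-out document never contributes to its own author's centroid,
    which is what keeps the estimate honest."""
    docs = [(author, features(text)) for author, texts in corpus.items() for text in texts]
    correct = 0
    for i, (truth, vec) in enumerate(docs):
        rest = {}
        for j, (author, other) in enumerate(docs):
            if j != i:
                rest.setdefault(author, []).append(other)
        centroids = {author: centroid(vs) for author, vs in rest.items()}
        correct += classify(vec, centroids) == truth
    return correct / len(docs)


def attribute(text, corpus):
    """Attribute a new document using centroids built from the whole corpus."""
    centroids = {a: centroid([features(t) for t in ts]) for a, ts in corpus.items()}
    return classify(features(text), centroids)


if __name__ == "__main__":
    print("leave-one-out accuracy:", leave_one_out_accuracy(CORPUS))
    print(attribute("whilst reading, he found the note amongst the papers", CORPUS))
```

With a corpus this small and this cleanly separated the cross-validated accuracy is 1.0, which is exactly the kind of number that should not be trusted: the real difficulty the papers discuss is that candidate authors on a shared machine rarely differ on a handful of obvious tokens, and the validation only means something when the held-out documents resemble the disputed one in genre and length.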
Factors Affecting One-Way Hashing of CD-R Media
Christopher Marberry; Philip Craiger
While conducting a validation study of proficiency test media we found that applying the same hash algorithm against a single CD using different forensic applications resulted in different hash values. We formulated a series of experiments to determine the cause of the anomalous hash values. Our results suggest that certain write options cause forensic applications to report different hash values. We examine the possible consequences of these anomalies in legal proceedings and provide best practices for the use of hashing procedures.
V - Forensic Techniques | Pp. 149-161
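The abstract attributes the differing hash values to write options but does not reproduce the mechanism. The following is an added example, not the authors' experiment and not a claim about which tools behaved which way: it assumes, for illustration, that two tools read the same disc but disagree on how many sectors after the last data sector belong to the image (run-out, post-gap or padding written by the burning software), builds both images from a constructed payload, and shows that the whole-buffer hashes differ while hashing an explicitly recorded sector extent agrees. The `hash_report` function is one way to record the parameters a second examiner needs to reproduce the digest.

```python
import hashlib

SECTOR = 2048  # bytes per data sector on a CD-ROM Mode 1 track (assumed throughout)

# Constructed disc content (not the paper's test media): a payload that fills
# three sectors, the last one only partly.
PAYLOAD = b"forensic proficiency test image " * 160   # 5120 bytes


def data_sectors(payload):
    """Number of sectors needed to hold the payload (ceiling division)."""
    return -(-len(payload) // SECTOR)


def build_image(payload, trailing_sectors):
    """Pad the payload to a sector boundary and append `trailing_sectors` zero
    sectors. Assumption: this models two tools that read the same disc but
    stop at different points after the last data sector."""
    body = payload + b"\x00" * (data_sectors(payload) * SECTOR - len(payload))
    return body + b"\x00" * (trailing_sectors * SECTOR)


def hash_image(image, sector_count=None, algorithm="sha256"):
    """Hash the first `sector_count` sectors, or the whole buffer when None."""
    extent = len(image) if sector_count is None else sector_count * SECTOR
    if extent > len(image):
        raise ValueError(f"image has {len(image) // SECTOR} sectors, asked for {sector_count}")
    return hashlib.new(algorithm, image[:extent]).hexdigest()


def hash_report(image, sector_count, algorithm="sha256"):
    """What to record beside the digest so another examiner can reproduce it:
    without the extent and sector size the digest alone is not verifiable."""
    return {
        "algorithm": algorithm,
        "sector_size": SECTOR,
        "sectors_hashed": sector_count,
        "bytes_hashed": sector_count * SECTOR,
        "digest": hash_image(image, sector_count, algorithm),
    }


if __name__ == "__main__":
    tool_a = build_image(PAYLOAD, trailing_sectors=0)   # stops at the last data sector
    tool_b = build_image(PAYLOAD, trailing_sectors=2)   # reads through two padding sectors
    print("whole-buffer hashes differ:", hash_image(tool_a) != hash_image(tool_b))
    n = data_sectors(PAYLOAD)
    print("same recorded extent, same hash:", hash_image(tool_a, n) == hash_image(tool_b, n))
    print(hash_report(tool_b, n))
```

The practical point is that "the hash of the CD" is underspecified until the tool, the algorithm, the sector size and the number of sectors read are all recorded; two correct tools can then be reconciled, and a genuine mismatch becomes distinguishable from an artifact of the read extent.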