Keeping Pace With Cybercrime

December 2011
By George I. Seffers, SIGNAL Magazine


To demonstrate information-hiding techniques, officials with Backbone Security embedded a 122-page extract from a terrorist training manual in a photograph. The alteration cannot be detected by the human eye or by most network security tools.

The digital forensics field faces challenges with evolving technologies.

Evolving technologies such as mobile devices, cloud computing and steganography present challenges for those tasked with finding digital evidence of a crime. But the cyber forensics field also is evolving, and experts in industry and government are finding innovative tools for overcoming the obstacles.

Cyber forensics—finding digital evidence of wrongdoing—comes into play whether the crime is an unauthorized breach of a network or mobile device or a more traditional crime such as theft, rape or murder. Regardless of the specific focus, digital forensics now is more difficult with the evolution of mobile devices and cloud computing, as well as the proliferation of information-hiding techniques such as steganography, experts say.

“Traditionally, computer forensics has involved a hard drive in a lab after a suspected crime has been committed,” says Josiah Dykstra, a doctoral student studying digital forensics for cloud computing at the University of Maryland Baltimore County, Catonsville, Maryland. “Over time, this evolved to include analyzing the computer while it was still running to see running processes, memory and network connections.”

Because cyber forensics professionals now are expected to analyze the evidence while keeping the network up and the mission going, the entire digital forensics field is evolving, explains Rohan Amin, a senior program manager with Lockheed Martin Information Systems and Global Solutions-Defense, Sterling, Virginia. “We’re seeing a merger between traditional forensics and the broader computer network defense activities. Defending the network and performing the investigation are becoming blended because of the pace at which bad guys are taking action. The need to be synchronized on those two fronts is critically important,” Amin says.

Tim McKnight, vice president and chief information security officer for the Cyber Security division within Northrop Grumman’s Information Systems sector, McLean, Virginia, cites cloud computing as one of the more interesting challenges for cyber forensics. Organizations entering into cloud computing agreements need to consider cyber forensics before signing a contract, he warns. “Some of the challenges are really on the front end of due diligence with the cloud provider. Incident response and forensics should be really well-articulated in the contractual language and the service-level agreement with the cloud provider—that’s a big deal,” McKnight says.

The proliferation of mobile devices is the most prominent challenge, according to Jesse Kornblum, whose official title is computer forensics research guru at Kyrus Tech Incorporated, a small business in Sterling, Virginia. “Everything is going mobile. That’s where the money is, and that’s where the bad guys go. As goes the money, so go the forensics,” Kornblum says.

He explains that mobile devices present a challenge simply because the operating systems are so varied and constantly changing. “Android, Symbian and Windows Mobile are all relatively new operating systems, and things are more likely to change on them. There’s a learning curve. We in the community don’t have as much experience,” Kornblum adds. On the flip side, however, mobile devices can provide information that desktops cannot, such as the user’s location before, during or after a crime.

Kornblum predicts that over time, mobile devices will become more similar—just as desktops have done over the years. “As the number of vendors shrinks, we’re going to see some standardization. From the vendors’ perspective, it’s easier to maintain one code base than seven,” he says. “For their own sanity, for their own ease of development, they will try to make things more homogenous, and that will be a boon to forensics.”

Kornblum also foresees forensics experts adopting techniques or technologies already used in other areas of computing. He cites artificial intelligence as an example and reveals that he is working on a product, likely to be available in 2012, that will enable computers to better compare documents to discover similarities. Such comparisons are easy for humans, but computers have a very difficult time with them. “Over the past 15 to 20 years, there has been a whole bunch of work to teach computers to recognize when things are similar. If we had a case where somebody is accused of stealing Company X’s secret sauce, we could have the computer look through terabytes of data for all documents, all emails related to the secret sauce while I go and do something else,” Kornblum says.

Kornblum’s company also has developed a program known as Carbonblack, which has been through free beta testing and is ready for sale. Carbonblack embeds a sensor in the kernel on each system in the network. The sensors send data back to a central server, which can be hosted either by the customer or by Kyrus, allowing searches by an array of criteria, including by host or by process. “You can see what process ran, when it ran, what other hosts it ran on, what modules it loaded and what files it modified,” he explains.

The U.S. Army Research Laboratory (ARL), Adelphi, Maryland, also relies on data being sent to a central location for its cyber forensics operations. The lab has implemented an innovative, government off-the-shelf solution known as the Interrogator Framework, reveals Curtis Arnold, chief of the Sustaining Base Network Assurance branch and director, Computer Network Defense Service Provider program, ARL.

The ARL began monitoring its own networks in the 1990s mostly to generate data needed for forensics research. Laboratory officials soon became dissatisfied with traditional monitoring and data collection methods, which rely on network intrusion detection devices on the border of the network to alert analysts to a threat. With the ARL’s Interrogator Framework, more than 300 sensors around the world send data to the team of analysts, which uses a variety of tools to determine that a problem exists and quickly generate a response.

“Whatever the threat is, we can write a tool for it. Once we have the data, we can do whatever we want with it. If we find there’s something out there, we can write a tool to look for that problem,” Arnold says. “We can do that on an hourly basis.”

Because the Interrogator Framework is centralized, ARL officials upgrade systems at only one location, saving time and money. In addition, the data the cyber analyst uses is made available to all of the monitored sites so that everyone has the same cyber situational awareness as the analyst team.

Arnold concedes that one reason the ARL can be so responsive is that it has employees with relevant doctorate degrees, which is not common within other organizations. Still, advanced degrees are not a requirement to operate the Interrogator Framework, and Arnold says the ARL can arrange a memorandum of understanding or a technology transfer agreement if other agencies are interested in the system.

The ARL upgrades Interrogator on a quarterly basis. The most recent upgrade allows the system to handle larger amounts of data. Several factors are driving the increase in data, including a growing threat and greater use of social media sites for professional purposes by U.S. Defense Department employees. The upgrade also automated many processes, such as incident reporting, so that analysts have more time to focus on detecting threats and other more important matters.

The ARL monitors a wide range of systems, from individual laptops to supercomputers. The lab also monitors networks and devices that belong to others, including an Air Force supercomputer that was created by linking together more than 1,700 PlayStation 3s. The lab recently passed a series of inspections by the Defense Information Systems Agency and has been re-accredited for three additional years. “We’re Army, but we are a Defense Department function. I monitor all services, all components and federal government systems that connect to the Defense Department. We monitor everybody,” Arnold reveals.

Some experts also cite steganography as a particular challenge for the digital forensics field. Steganography is the art of hiding data within an innocuous-looking file, such as a photograph or musical file. It can be used for legal purposes, such as watermarking a photograph to protect against copyright infringement. But it also can be used to steal classified or proprietary information, to share materials such as child pornography or terrorist manuals, or to hide malicious code to infect a network.

Officials at Backbone Security, Fairmont, West Virginia, have identified more than 1,000 freeware or shareware programs on the Internet that can be used for hiding information with steganography. Backbone now has a device, Steganography Analyzer Real-Time Scanner (StegAlyzerRTS), which will detect the download of known steganography programs.

“This is a real-time scanner that would go onto an organization’s enterprise network, and it will scan up to a megabit per second—all network traffic in and out—looking for anybody downloading or uploading a stego application,” says Jim Wingate, Backbone Security vice president and director of the company’s Steganography Analysis and Research Center. “Information today is worth a fortune. And it can be resold and resold and resold. The threat is real.”
