|< Day Day Up >|| |
The U.S. Department of Defense (DoD) cyber forensics includes evaluation and in-depth examination of data related to both the trans- and post-cyberattack periods. Key objectives of cyber forensics include rapid discovery of evidence, estimate of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator. Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally or maliciously hidden, destroyed, or modified in order to elude discovery. The Information Directorate’s cyber forensic concepts are new and untested. The directorate entered into a partnership with the National Institute of Justice via the auspices of the National Law Enforcement and Corrections Technology Center (NLECTC) located in Rome, New York, to test these new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership. This first-of-a-kind event represents a new paradigm for transitioning cyber forensic technology from military research and development (R&D) laboratories into the hands of law enforcement. The experiment used a realistic cyber crime scenario specifically designed to exercise and show the value added of the directorate-developed cyber forensic technology.
The central hypothesis of CFX-2000 examined the possibility of accurately determining the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework. The execution of CFX-2000 required the development and simulation of a realistic, complex cyber crime scenario exercising conventional, as well as R&D prototype, cyber forensic tools.
The NLECTC assembled a diverse group of computer crime investigators from DoD and federal, state, and local law enforcement to participate in the CFX-2000 exercise hosted by the New York State Police’s Forensic Investigative Center in Albany, New York. Officials divided the participants into three teams. Each team received an identical set of software tools and was presented with identical initial evidence of suspicious activity. The objective of each team was to uncover several linked criminal activities from a maze of about 30 milestones that culminated in an information warfare crime (Figure 2.1).[i]
Figure 2.1: CFX-2000 schematic. (©Copyright 2002, Associated Business Publications. All rights reserved).
The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. The SI-FI integration environment, developed under contract by WetStone Technologies, Inc.,[ii] was the cornerstone of the technology demonstrated. SI-FI supports the collection, examination, and analysis processes employed during a cyber forensic investigation. The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence. Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations. Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of its contents. The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection. The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals. As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks.
[i]John Feldman and Joseph V. Giordano, “Cyber Forensics,” Air Force Research Laboratory’s Information Directorate, Associated Business Publications, 317 Madison Avenue, New York, NY 10017-5391, 2001.
[ii]WetStone Technologies, Inc., 273 Ringwood Road, Freeville, NY 13068, 2001.
|< Day Day Up >|| |