Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Law enforcement tools and technologies for investigating cyber attacks
A National Research and Development Agenda - Foreword Posted: Jul 06 2004 Supplied by Dartmouth College
In 2003, the cascading effects of a computer worm dubbed "Slammer" highlighted weaknesses in several interrelated computer networks that were not predicted beforehand. Exploiting a vulnerability in Microsoft's SQL database software, Slammer degraded performance in airline booking systems, bank Automated Teller Machines (ATMs) and the computer systems that control monitoring at the Davis-Besse nuclear power plant in Ohio. Further, analysis of the Slammer worm revealed that it contained no malicious payload. The damage Slammer caused was from its rapid infection of vulnerable computers, measurably hindering legitimate Internet traffic. Future cyber attacks promise to match Slammer's ability to compromise computer systems with strategically engineered payloads that could significantly impact both American national security and the economy.
In the United States, law enforcement is responsible for investigating and prosecuting the perpetrators of cyber attacks. This is no easy task. Attackers are free to mask their actions using computers in foreign countries. Readily available encryption and anonymizer technologies facilitate secure communications and privacy for law-abiding citizens and cyber attackers alike. The data considered necessary to track cyber attackers is often kept for short periods of time, if at all. Further, limited resources and inadequate statutes often hamper federal, state, and local agency efforts alike. The men and women who uphold our laws must have access to cutting-edge technologies to facilitate their investigations and prosecutions.
This report, Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Research and Development Agenda, is a starting point for addressing United States law enforcement needs. Based on a study conducted over two years by the Institute for Security Technology Studies, it presents the top band of technological problems facing the federal, state, and local cyber attack investigative community. To be certain, there are no easy answers.
The effort that will be required to build solutions for law enforcement is far too large for any one institution to address. Solving these problems will require a collaborative national effort of the leading research and development centers in academia, the private sector, and government. The authors of this report have undertaken the challenge of identifying the priorities by working with law enforcement and with the research community. It is up to decision makers and researchers across government, industry, and academia to initiate and deliver innovative solutions. With no end to cyber attacks in sight, the application of science to investigative problems facing law enforcement is our only option.
Executive Summary
This paper, Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Research and Development Agenda, is the culmination of a multi-year research effort by the Technical Analysis Group at the Institute for Security Technology Studies (ISTS). Building on previous authoritative reports that call for further study of law enforcement needs, ISTS conducted a series of three focused national studies to identify, analyze and prioritize the technology needs of cyber attack investigators and prosecutors. ISTS researchers worked in cooperation with federal, state, and local law enforcement organizations, private sector groups, academic institutions, and government sponsored research and development entities in the United States to produce the Research and Development Agenda. The data in this report, third in the series, was collected and analyzed from September 2001 to December 2003.
In this document we present the top band of critical problem areas encountered during cyber attack investigations that may be addressed through research and development. Solving the needs outlined in this work would significantly increase law enforcement's capabilities to investigate and prosecute cyber attack cases. We offer this agenda to serve as a resource for decision makers, developers, and researchers, in government, industry, and academic institutions across the country.
The National Research and Development Agenda addresses the following question:
What are the highest priority technological impediments facing law enforcement when investigating and responding to cyber attacks, for which research and development might provide solutions?
This document presents study data and analysis from all three reports in the series in five topic areas. Summaries of each topic area are presented in the following passages.
The Investigative Process: Preliminary Investigation and Data Collection
Several problems faced by law enforcement during the initial stages of a cyber attack investigation may be addressed by research and development.
- Data from multiple computers is often required to proceed with a cyber attack investigation. Although a significant number of tools were identified that purported to address data collection needs, practitioners cited high product costs and lack of law enforcement-specific functionality as current product deficiencies. Solutions that can automate the collection of data from multiple operating systems may contribute significantly to an investigator's ability to spend investigative time focused on analysis rather than collection.
- Investigators outlined the need to quickly and accurately map a victim's network during the beginning of a cyber attack investigation. The process of manually mapping the physical and logical networks often requires the involvement of systems administrators and other staff who are familiar with the compromised network. Law enforcement investigators continually stressed that insiders may either be a suspect in the case or unskilled in their help with network mapping. Insiders pose a particularly difficult problem for law enforcement. Study participants articulated a desire for automated tools that map network topology and graphically represent results to speed up the investigative process and alleviate dependence on insiders during data collection tasks.
- Determining the presence and location of log files on multiple computers running any number of software programs is no easy task. There are numerous differences in the way operating systems and software programs log events. Discussions with study participants suggested that locating log files is becoming more complicated as data is written across network storage and filed remotely in organizations with geographically separated offices. Additionally, investigators have found that other applications, not directly related to the operating system, often include some form of event logging that may provide investigative leads. Cyber attack investigators need technology solutions to search, recognize, and collect logs regardless of platform or format.
- In some situations, hard drives or entire computers are seized by law enforcement as evidence. The seizure of computers and their magnetic media usually entails the computer being turned off. The removal of power does not usually affect hard drives, but volatile resident memory data may only be captured from a computer that is turned on. Although investigators know evidence is present, once the computer is properly seized it can be exceptionally difficult, if not impossible, for them to reliably extract the relevant data for analysis and prosecution. Cyber attack investigators are facing new challenges from software that is designed to run primarily in memory. Solutions to capture resident memory data may produce an entirely new source of digital evidence for law enforcement.
- Law enforcement officials involved in this study conveyed that working with very large data sets presents problems during cyber attack investigations. The cost of large-capacity data storage devices continues to drop with no corresponding advances in technology to facilitate law enforcement's collection, analysis, or storage of large data sets. Feedback from the law enforcement community indicated that current software is not meeting their needs. For example, many of the tools in the current market are designed for forensic work on single machines in traditional crimes, not cyber attacks across networks. Study participants were clear that the amount of data in a typical cyber attack investigation is orders of magnitude larger than that found in more traditional types of computer crime. In addition, the rapidly increasing size of digital storage devices is outstripping current software's ability to process the data in a timely manner. Research is needed into innovative methods to analyze very large data sets in cyber attack cases.
The Investigative Process: Log Analysis
The log analysis process begins after preliminary investigation and data collection tasks are completed. Logs are critical components in cyber attack cases since they often provide technical and temporal information that may further the investigation. Log analysis is a time-consuming process often done manually or with the use of simple sorting and editing programs. Although finding log files manually can be difficult, correlating and examining thousands or hundreds of thousands of disparate log entries from multiple networks manually often proves impossible. Overall, solutions to assist law enforcement in processing and compiling logs into relevant case data are few. Law enforcement needs better solutions to search, collect, and compile logs regardless of platform or format. Automating log analysis tasks would produce an immediate impact on law enforcement's ability to quickly develop investigative leads. Solutions that package logs into a common portable format would allow investigators to broadly share information, a difficult proposition in the current environment.
- Law enforcement also needs solutions that help present detailed technical information in a graphical format. For example, a timeline presentation of the events that occurred during a cyber attack is a critical element in the iterative investigative process. Solutions to correct time and date stamps from logs retrieved from machines in different time zones would be useful, as this task is often done manually. Study participants noted that some tools were very good at presenting data in a graphical format, but their cost was too great for most law enforcement agencies. Other graphical data presentation tools in use by law enforcement were designed for criminal activity analysis, and although they do have import features, it is unclear whether they are useful for analyzing cyber attack data. Cyber attack data may be presented in a trial situation to a judge, jury, and defense attorney. Study participants considered solutions that would facilitate a prosecutor leading a jury, step-by-step, through technical evidence to be essential to successful prosecution.
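The two log-analysis needs above (normalizing timestamps from machines in different time zones, and packaging disparate logs into one common portable format for a timeline) are illustrated by the following added example. It is not code from the ISTS report or from any tool the report surveyed. The three log lines, the hostnames, the per-host UTC offsets, and the case year supplied for the year-less syslog entries are all constructed for illustration.

```python
"""Normalize log entries from heterogeneous sources into a single UTC timeline.

Added example, not part of the ISTS report. Each constructed line carries its
timestamp in a different native format: Apache (zone offset embedded), BSD
syslog (no year, no zone), and ISO 8601 with an explicit UTC designator.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Constructed sample records: (host, log format, raw line). Hosts and times are invented.
SAMPLE_LOGS = [
    ("www-east", "apache",
     '10.0.0.7 - - [10/Feb/2003:08:15:02 -0500] "GET /status HTTP/1.0" 503 312'),
    ("fw-west", "syslog",
     "Feb 10 05:14:59 fw-west kernel: DROP IN=eth0 PROTO=UDP SRC=10.0.0.7 DST=192.0.2.10 DPT=1434"),
    ("ids-1", "iso",
     '2003-02-10T13:14:58Z alert udp 10.0.0.7 -> 192.0.2.10:1434 "MS-SQL worm propagation"'),
]

# Assumed local UTC offsets for hosts whose logs carry no zone information (constructed).
# Fixed offsets keep the example self-contained; real tooling should use zoneinfo so
# daylight-saving transitions are handled correctly.
HOST_OFFSETS = {"fw-west": timezone(timedelta(hours=-8))}
# BSD syslog omits the year; the investigator supplies it from case context.
CASE_YEAR = 2003

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
ISO_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})) (.*)$")


@dataclass(order=True)
class Event:
    """Common portable record; ordering is by utc_time first, so sorted() yields a timeline."""
    utc_time: datetime
    host: str
    source: str
    message: str


def parse_line(host: str, source: str, line: str) -> Event:
    """Parse one raw line in the given format and return an Event with an aware UTC time."""
    if source == "apache":
        m = APACHE_TS.search(line)
        if not m:
            raise ValueError(f"no Apache timestamp in: {line!r}")
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")  # offset is in the line
        return Event(ts.astimezone(timezone.utc), host, source, line)
    if source == "syslog":
        m = SYSLOG_TS.match(line)
        if not m:
            raise ValueError(f"no syslog timestamp in: {line!r}")
        if host not in HOST_OFFSETS:
            raise ValueError(f"no known UTC offset for host {host!r}; cannot normalize")
        naive = datetime.strptime(f"{CASE_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = naive.replace(tzinfo=HOST_OFFSETS[host])  # attach the host's assumed zone
        return Event(ts.astimezone(timezone.utc), host, source, m.group(2))
    if source == "iso":
        m = ISO_TS.match(line)
        if not m:
            raise ValueError(f"no ISO 8601 timestamp in: {line!r}")
        # fromisoformat() accepts 'Z' only from Python 3.11; normalize it for older versions.
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        return Event(ts.astimezone(timezone.utc), host, source, m.group(2))
    raise ValueError(f"unknown log format {source!r}")


def build_timeline(records) -> list[Event]:
    """Parse every (host, source, line) record and return events sorted into a UTC timeline."""
    return sorted(parse_line(h, s, l) for h, s, l in records)


def to_portable(event: Event) -> dict:
    """Flatten an Event into a plain dict with an ISO 8601 UTC string, ready for JSON export."""
    d = asdict(event)
    d["utc_time"] = event.utc_time.strftime("%Y-%m-%dT%H:%M:%SZ")
    return d


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    start = timeline[0].utc_time
    for ev in timeline:
        offset = (ev.utc_time - start).total_seconds()
        print(f"{to_portable(ev)['utc_time']}  +{offset:4.0f}s  {ev.host:9}  {ev.message}")
```

Once every entry carries an aware UTC timestamp, the three sources interleave correctly even though their local clocks read 13:14, 05:14 and 08:15; the portable dict form is what a shared timeline or a later graphical presentation would consume.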
The Investigative Process: IP Tracing and Real-time Interception
- To trace the origins of cyber attacks, law enforcement looks for Internet Protocol (IP) addresses during an investigation. Unfortunately, due to the limitations of the current Internet protocol, attackers are able to spoof the IP address from which their attack is launched. Investigators see the development of technology solutions to provide the capability to detect, trace, and counter IP spoofing as a priority. For the foreseeable future, it will be difficult to use technical methods to reliably detect, counter, or trace spoofed traffic over the Internet. Investigators desire solutions to minimize the time spent tracing spoofed traffic so that more effort may be focused on examining legitimate investigative leads. However, the limitations of the current IP make authentication and attribution difficult. New scientific approaches are required to address this difficult, yet essential, research challenge.
- Legally authorized electronic surveillance may also be used by cyber attack investigators to acquire information on cyber attackers. Investigators require technology solutions to facilitate real-time interception and analysis of digital data including parsing, isolation, and analysis of relevant material from the large volumes of information that may be collected during surveillance. Study participants expressed a need for both speed and clarity to reduce the collected traffic to only that which is essential for the investigation, without losing any relevant data, while also protecting the rights of others whose traffic may simply be sharing the network infrastructure. Ensuring the privacy of law abiding citizens was articulated as a key issue by law enforcement during our research.
Emerging Technologies Requiring Research and Development
- Encryption was the most critical concern of the participants that prioritized the top band of law enforcement needs presented in this study. Encryption technology is easy to use, available for all major computer operating systems, and may be applied to a variety of applications and file types. Currently law enforcement employs "work arounds" or technical means to circumvent encryption. Investigators discussed several past cases where a password was discovered either through witness cooperation or through discovery of the password text within another file. In another case, a keystroke logger was used to capture a password for an encrypted file. However, law enforcement needs additional solutions since the access, opportunity, technical skills, and resources to install a keystroke logger will not be available in many situations. Whether focusing on decryption, password recovery, or discovering other clues on a computer or networked system that ultimately lead to a password or pass phrase, it is clear there is an urgent need for significant research and new solutions in this area. Solutions to circumvent encryption could significantly benefit law enforcement and may require new scientific approaches.
- Digital steganography is a term used to describe techniques for hiding data within a digital file in such a way that it is difficult to discern the presence or content of the hidden data. Commercial steganographic software programs and home-grown tools use any number of approaches and algorithms to hide messages or data. Study participants were aware of the use of steganography as a method of hiding evidence. They were also aware of the difficulties in detecting its presence. Study participants displayed an awareness of ongoing research concerning the discovery of steganography in digital files. Developing solutions to this challenge will likely involve innovative research and the application of new scientific approaches. The research and software development community faces a challenging task to develop solutions to assist investigators in discovering the use of steganography.
National Information Sharing
- Investigators analyzing cyber attack case data look for patterns or profiles in cyber attack data to try to identify attackers. In many cases law enforcement indicated that multiple agencies may be working independently on cyber attack cases that all originate from a single attacker. Law enforcement would welcome technological solutions such as a database for collecting attack profiles in concert with a solution for technical exploit matching to identify attack patterns. Such information sharing technologies may automate pattern analysis and technical exploit identification across geographic locations. Law enforcement would welcome technologies to act as a database for cyber attack signatures that allows law enforcement to assess if their case is a component of larger criminal activity. Interagency communications are especially important in cyber attack cases due to the relatively narrow window of opportunity available to collect information to further the investigative process. Study participants noted that a number of organizational systems are currently available to facilitate cross-jurisdictional communications, but coordination is an ongoing problem. Although the organizations and technical solutions noted in this study are helping, study participants commented that they often rely on personal contacts to meet their needs.
We anticipated development of new solutions during the research period; however, many of the needs promise to be ongoing issues. Several cross-cutting themes emerged during our research. First, there exists an immediate and growing need to automate tasks in the investigative processes. As speed is often essential to the success of cyber attack investigations, solutions that allow investigators to spend more time analyzing data rather than collecting and organizing it would be extremely useful. Second, many current tools do not produce evidence-quality data. Many of the tools law enforcement is using are not specifically designed for criminal investigative use. For example, we found that hacking, cracking, and system administration tools were employed by cyber attack investigators. Although evidence-quality data may not be critical in all tasks or applications, developers of new solutions should be aware of legal requirements. Third, law enforcement noted that many existing tools cost too much for some organizations to acquire. Fourth, solutions that will help alleviate law enforcement reliance on insiders and individuals who may be suspects in cyber attack cases are in short supply. Solutions that are able to collect data without insiders' help would be of great benefit to law enforcement.
During this research the resourcefulness displayed by law enforcement when performing complex tasks with limited resources was extraordinary. Creativity and workarounds are often used in an asymmetric fashion to successfully investigate and prosecute cyber attacks. Although progress has been made, study participants noted that improvements are needed in all of the areas noted in this study. For example, public/private research partnerships are continuing to be developed nationwide to combat cyber attacks. These collaborative relationships are reported to partially meet law enforcement, academic, and private sector needs for research, development, and information sharing. However, law enforcement would like to see new scientific approaches and technologies brought to bear on their requirements so they needn't rely on creative, but often temporary, solutions. Solving any of the needs we outline on behalf of the law enforcement community would have a significant impact on our ability to successfully investigate and prosecute cyber attackers and contribute to national security.
©Copyright June 2004, Trustees of Dartmouth College. All rights reserved.
This project was supported under Award No. 2000-DT-CX-K001 from the Office for Domestic Preparedness, U.S. Department of Homeland Security.
Points of view in this document are those of the author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security.