Improving Cyber Forensics & Cybersecurity through Block Chain Technology with Truth Based Systems

Similar documents
The Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities

Digital Evidence Search Kit

Fight fire with fire when protecting sensitive data

Security Policy JUNE 1, SalesNOW. Security Policy v v

Incident Response. Six Best Practices for Managing Cyber Breaches. Nick Pollard, Senior Director Professional Services EMEA / APAC, Guidance Software

Endpoint Threat Detection without the Pain

Incident Response and Computer Forensics

Central Agency for Information Technology

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Cyber Security Response to Physical Security Breaches

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Getting Physical with the Digital Investigation Process

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Persistence Mechanisms as Indicators of Compromise

Practical Performance Understanding the Performance of Your Application

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

plantemoran.com What School Personnel Administrators Need to know

Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES

Merkle Hash Trees for Distributed Audit Logs

Design and Implementation of a Storage Repository Using Commonality Factoring. IEEE/NASA MSST2003 April 7-10, 2003 Eric W. Olsen

Incident Response. Six Best Practices for Managing Cyber Breaches.

Fault Tolerant Servers: The Choice for Continuous Availability

NEXT GENERATION ARCHIVE MIGRATION TOOLS

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

2.0. Quick Start Guide

CALIFORNIA SOFTWARE LABS

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Raytheon Oakley Systems

Unified Security, ATP and more

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Designing a Cloud Storage System

Standard: Event Monitoring

Bellevue University Cybersecurity Programs & Courses

Big data management with IBM General Parallel File System

1/26/15. Chapter 2 Crime Scene

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Cloud security architecture

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

How To Solve A Violent Home Invasion With A United Force

Performing Advanced Incident Response Interactive Exercise

Enterprise Cybersecurity: Building an Effective Defense

Security Controls for the Autodesk 360 Managed Services

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Building Reliable, Scalable AR System Solutions. High-Availability. White Paper

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Automation Suite for. GPG 13 Compliance

Overview. Timeline Cloud Features and Technology

Computer Forensic Capabilities

Usher Mobile Identity for Higher Education Institutions. Rebecca Parks Associate Product Manager, MicroStrategy

Industrial Ethernet How to Keep Your Network Up and Running A Beginner s Guide to Redundancy Standards

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

Things To Do After You ve Been Hacked

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Cloud Computing. Chapter 1 Introducing Cloud Computing

High Availability Essentials

How To Understand and Configure Your Network for IntraVUE

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Hyper-V Server Agent Version Fix Pack 2.

Digital Forensics for IaaS Cloud Computing

AccelOps NOC and SOC Analytics in a Single Pane of Glass Date: March 2016 Author: Tony Palmer, Senior ESG Lab Analyst

Digital Evidence and Threat Intelligence

SAM Server Utility User s Guide

CYBER FORENSICS (W/LAB) Course Syllabus

Clustering and Queue Replication:

Product Review: James F. Koopmann Pine Horse, Inc. Quest Software s Foglight Performance Analysis for Oracle

MASTER OF PROFESSIONAL STUDIES IN FORENSIC SCIENCE INVESTIGATE THE POSSIBILITIES.

Sensitive Incident Investigations. Digital Risk Management. Forensics Testing.

Brainloop Cloud Security

Synchronization in. Distributed Systems. Cooperation and Coordination in. Distributed Systems. Kinds of Synchronization.

Computer Forensics as an Integral Component of the Information Security Enterprise

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Analyzing HTTP/HTTPS Traffic Logs

Top Ten Questions. to Ask Your Primary Storage Provider About Their Data Efficiency. May Copyright 2014 Permabit Technology Corporation

Certified Digital Forensics Examiner

How To Be A Computer Forensics Examiner

Security + Certification (ITSY 1076) Syllabus

Deploying System Center 2012 R2 Configuration Manager

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

Advanced Threats: The New World Order

Dr Markus Hagenbuchner CSCI319. Distributed Systems

white paper GoodSync Enterprise The Ideal Solution For Corporate File Synchronization and Backup

Transcription:

Improving Cyber Forensics & Cybersecurity through Block Chain Technology with Truth Based Systems Interna(onal Symposium on Forensic Science Error Management Ken Zatyko July 23, 2015

Introductions Experience: National federal labs and cyber center design expertise 28 Years experience in cyber crime, fraud investigations, counterterrorism and consulting Fortune 100 companies and US Government (former USAF Lt Colonel and Special Agent) Led world s largest accredited digital forensics lab (DCFL), co-chair FBI Regional Computer Forensics Lab, US Secret Service national lab consultant Education and certifications Master of Science in Crime In Commerce George Washington University (AF scholarship) Master of Arts Military Operational Art and Science Air Command & Staff College (AF scholarship) Dual Bachelor of Science degrees Computer Information Science & Business Administration Certified Cyber Forensics Professional and Distinguished Panelist Certified Information Systems Security Professional and Exam Developer 2

Data Breaches on the rise and many evidence systems are connected to the Internet. How do we ensure integrity? 3

Recent trusted insider threats to evidence in the news January 13, 2015: Missing police evidence includes thousands in cash, Providence, RI. A search warrant affidavit from a missing evidence investigation reveals that a shade under $12,000 in cash and two diamond rings are unaccounted for, and a now-suspended police officer was the one who logged the evidence into a storage locker. March 13, 2015: Cash missing from Springfield police evidence room Investigation launched last month when cash could not be located February 11, 2015: District Attorney launches investigation into evidence missing from Upper Darby police station. One of two people responsible for the evidence room discovered that an envelope, which contained drugs and cash, was missing May 15, 2015: Evidence Missing from Sheriff s Office. To get inside the evidence room, those with authorization to enter are equipped with a key fob to activate the door. Then they must submit a fingerprint with their right index finger to open the door. "It's all electronic and magnetic," Fisher said. Cameras, operating on a 90-day loop, continuously record inside and outside of the evidence room. Augusta County. Explanation given, $4000 fell in trash can.

Digital Forensics This scientific process contains the following eight steps: 1. Search authority 2. Chain of custody 3. Imaging/hashing function 4. Validated tools 5. Analysis 6. Repeatability 7. Reporting 8. Possible expert presentation Why data centric security? It is unique and ideal for forensics readiness! It performs hash validation with a block chain and timestamp. It also ensures a forensics workstation s clean state integrity and repeatability preventing contamination and inaccurate results with unique information on location, who had access, and when. (Source: Zatyko, Forensic Magazine) 5

Seven Rings of Threat Good Opera(ng Prac(ces and an Adequate Budget Physical Security Personnel Opera(ng Systems input/output Communica(ons Data

The digital forensics imaging process. Work with the duplicate and not the original, validate with a hash. 7

KSI is Based on Cryptographic Hash Functions A hash function takes arbitrarily-sized data as input and generates a unique fixed-size bit INPUT DATA HASH FUNCTION HASH VALUE ONE-WAY ONLY. REVERSING IMPOSSIBLE sequence as output. The output is known as the hash value, message digest, or digital 1.6 MB PDF CONTRACT SHA256 HASH FUNCTION 256-BIT HASH VALUE 41ADE674F7AF728AF83 fingerprint of the input. A hash value is often used as 2 GB VM IMAGE SHA256 HASH FUNCTION 256-BIT HASH VALUE FDA774719491984DFA/F representative of the input data. # 168 BYTES LOG FILE ENTRY SHA256 HASH FUNCTION 256-BIT HASH VALUE 19491984DFA/FDA77476

Chain of Custody: Where is the continuous integrity check for this file? 9

Value proposition Harnessing industrial data centric security block chain to support forensics activities bringing clear chain of custody on an examiner s interaction with the victim and/or any data or images/objects 10

Forensics services Traditionally, after the fact investigations upon alert of an incident Moving toward proactive approach or cyber crime diagnostics others call it hunting. New issue is the cloud as the crime scene New need: Cloud computing as a platform for forensics 11

Key discriminators for Data Centric Security: security, contamination prevention, and integrity safeguards Keyless Security Infrastructure (KSI) used to ensure validation of virtual machine gold copy operating system and forensics toolkit KSI used to ensure forensic workstation calibration KSI used to ensure no change to client data during exam process KSI used for chain of custody integrity KSI used to ensure lab workstation reset for next case 12

Turning Individual Hash Values into Hash Trees A hash tree takes hash Xroot = h(x14 X58) values as inputs and, via repeated hash function application, aggregates them into a single root hash value. The construct can be viewed as a special kind of hash function, and it has some very useful properties. X14 = h(x12 X34) X58 = h(x56 X78) X34 = h(x3 X4) X12 = h(x1 X2) X78 = h(x7 X8) INPUT VALUES X1 X2 X3 X4 X5 X6 X7 X8

Geographically Distributed Hash Trees A distributed hash tree is AGGREGATORS built by a hierarchy of geographically separate computational units called aggregators. Each aggregator operates asynchronously. It receives hash values from its children, generates its own hash tree, then sends its root hash value to multiple parents. This root hash value becomes a leaf at each connected parent.

KSI Scalability AT: Core sites Each parent aggregator can support up to 1000 children. This gives capacity of 10 3n signatures per round where n is the number of aggregation layers. KSI currently contains four aggregation layers. Up to 10 12 signatures per second can be generated when the system is fully built out. AN: Na(onal AS: Regional The top-level cluster beats once per second i.e. there is one top level root hash value generated each second. CLIENT 1 CLIENT 2 CLIENT N AL: Local

High Availability & Resiliency CORE Aggregators run in redundant clusters. Each logical aggregator is implemented as a cluster of fully redundant servers, hosted at independent locations. Each request is sent to each member of the upstream aggregation cluster. First correct response is accepted. This ensures there is no single point of failure. Re-routing around network and server failures is transparent, since there are multiple paths from each leaf to the root. CUSTOMER CUSTOMER

Introducing the Calendar Block Chain This Second The global aggregation Hash... Calendar infrastructure operates asynchronously. Hash values are submitted to the tree and unique hash Federated Hash Tree Subnet Subnet Subnet chains are returned. The same tree is never rebuilt. Only the root hashes are kept in a public calendar Hash Values Keyless Signatures Hash Values Keyless Signatures Hash Values Keyless Signatures database.

The Core Cluster Keeps the Hash Calendar DATABASE CORE SYSTEM Ag VERIFIER 1 2 n 1 2 n Ag Ag Ag VERIFIER VERIFIER VERIFIER 1 2 n 1 2 n Ag Ag Ag VERIFIER VERIFIER VERIFIER

Distributed Consensus The top of the hash tree would be a single point of failure; therefore we use a cluster of N servers. Selecting a single hash value from multiple nodes is a variation of the Byzantine Fault Tolerance problem. We use majority voting to ensure uniqueness of the top. Therefore, N / 2 sites can fail. Sites run as a synchronized state machine. Each core node is synchronized to UTC and contains an atomic clock.

Going further makes forensics native - eliminates costly ediscovery imaging and hashing Provide a ready environment for the remote incident response by the forensics technicians and examiners through hash enabled time stamped files, ease of timeline analysis, and secure forensics artifact storage with flawless chain of custody procedures. Moreover it provides for remote cyber forensics through cloud forensics increasing the speed of results and overcoming current cloud challenges. In a KSI enabled environment with signature tokens on each file, one could simply conduct hash set comparisons to find known good, known bad, and unknown or questionable files for further investigation speeding up incident response and investigations. This forensics ready environment is well suited for prompt investigative response and pre-defined data reduction techniques. 20

Today versus tomorrow: Slow Incident Response versus KSI Forensics Readiness A KSI enabled Cloud environment provides a forensics ready environment in which the time consuming task of Forensic hashes exists and forensics imaging is not required. This saves critical time during incident response for eradication and remediation. 21

Summary: Improving Cyber Forensics and Cybersecurity through Block Chain Technology with Truth Based Systems Cyber threats are dramatically on the rise. Its not just data ex-filtration, but data integrity is a growing concern Cyber forensics is maturing Hashing is improving with time stamps and block chaining Forensics workstations and systems integrity could be improved with block chain technologies Evidence control systems could be made forensics ready for improved security and validation 22

Questions? Ken.Zatyko@verizon.net

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information