
SECAU Current Active Projects

Projects
Chat log file analysis - After Conversation
Competency and Evaluation Framework for Forensic Examiners
Framework for first responders to 2nd generation and 3rd generation mobile phones
Honeypots (Various)
Image Preview System (SiMPLE)
Laptop Inspector And Recovery System (LIARS)
Medical Information and Network Security (Various)
Mobile Device Forensics (Various)
Radio Frequency Identification (RFID) Tag Forensics
Second-hand Hard Disk remnant data study
Snort Intrusion Detection System (IDS) Logfile Visualisation
Wireless Security (Various)

Chat log file analysis - After Conversation

Duration

July 2005 - December 2007

Internal Participants

Kim Morfitt, Craig Valli

External Participants

WA Police Computer Crime - Tim Thomas

This was an undergraduate project that resulted in the production of a tool for the forensic analysis of ICQ (an online chat tool) log files. The tool allows reconstruction of conversations held between two parties by analysing the binary log files. Chat tools are used by criminals, e.g. paedophiles or rapists, to groom victims. These chat tools are also used extensively by criminal gangs and terrorists to organise. The ability to forensically analyse these log files is of critical importance in many investigations.

This project is now continuing as an honours project, with the student expanding the range of chat systems whose log files can be analysed.

Outcomes

Release of After Conversation 0.2 to law enforcement

Publications

Morfitt, K. and Valli, C. (2005). After Conversation - A Forensic ICQ Logfile Extraction Tool, In Proceedings of the 3rd Australian Computer, Network & Information Forensics Conference, School of Computer and Information Science, Edith Cowan University, Perth, Western Australia, pp. 54-61.

Competency and Evaluation Framework for Forensic Examiners

Duration

January 2006 - December 2008

Internal Participants

Craig Valli, Andrew Woodward, Chris Bolan (Staff)

External Participants

WA police computer crime - Tim Thomas, Duncan Armstrong

WA Australian Federal Police Computer Crime - Mike Wheeler

Electronic Evidence Special Advisory Group (EESAG)

This project involves the creation of an evaluative framework to assess a digital forensic examiner's competency in relation to electronic evidence presentation, examination and analysis. The project started in January 2006 as a tool for the Western Australian police computer crime squad to certify and evaluate competencies within the squad. It has now expanded as a result of gaining acceptance from the EESAG. EESAG is comprised of the persons in charge of the computer crime squads of the Victorian, New South Wales, Queensland, Tasmanian, South Australian, Western Australian, Northern Territory and Australian Federal Police, as well as the Australian High Tech Crime Centre (AHTCC), which provides advice directly back to government on matters relating to electronic evidence in computer crime. We are now working with members of the EESAG on the development of a comprehensive competency and evaluation framework for forensic examiners to be used by the members of the group.

The framework is broken down into three distinct phases: acquisition, analysis and presentation. It borrows heavily from Bloom's taxonomy of learning and other relevant educational and learning theory. The framework has six levels of expertise, ranging from a rudimentary understanding based on definitions to highly complex cognitive tasks requiring synthesis and application of knowledge to electronic evidence scenarios.

Outcomes

Construction of the primary framework, presented to EESAG on 28th August 2006, Parramatta, NSW. Primary overarching framework accepted.

Completion of the acquisition stage pilot, December 2006

Framework for first responders to 2nd generation and 3rd generation mobile phones

Duration

June 2005 – June 2008

Internal Participants

Craig Valli, Marwan Al-Zarouni (Dubai Police – Doctoral Candidate)

This is a research project being undertaken by a doctoral candidate. The aim of the framework is to develop a tool that will allow law-enforcement first responders to better secure electronic evidence that may be contained on mobile phones or devices such as PDA/phones. Mobile phone technology and computer technology are increasingly merging as phone vendors scramble for a strategic selling advantage via product differentiation strategies. Vendors are gaining advantage by adding features such as cameras, calendaring and synchronisation with Microsoft Office or e-mail applications, with many of the newer phones having greater compute power, bigger storage capacity and expanded multimedia features. Mobile phones have been shown to be a primary communication tool of criminals, and in particular of criminal gangs or terrorists, for the purposes of communication and organisation.

Honeypots (Various)

Duration

June 2002 – Now

Internal Participants

The research group has conducted experiments and research using honeypots since 2002 and has internationally recognised expertise in honeypot deployment and research. The group has an extensive publication record in the area as well as several higher degree research completions focused on honeypot technologies and their deployment. Honeypots are a potentially invaluable tool for network reconnaissance and intelligence gathering. In addition, these technologies can be used to slow down and affect an attacker's ability to conduct denial of service attacks or to disrupt a critical infrastructure's proper functioning, for instance through deception. Deception plays a vital role in honeypot design, and a thorough understanding of deception is needed to realise the full potential of this technology.

Current Projects

A framework for deception in wireless honeypots - PhD

This project is applying a framework of deception to honeypot architecture. The framework is attempting to control/predict intruder activity by integrating deception theory into the construction of the honeypot artifice.

Honeypots as a viable internal countermeasure - PhD

This research is aimed at examining the deployment of honeypots as a viable internal countermeasure to reduce or stop insider malfeasance.

mwcollect - Botnet detection

This project involves the use of the mwcollect daemon to collect information on several ADSL-based accounts, to provide direct evidence of the level of attempted or potentially successful compromise of computers. Currently 2 collectors are conducting trial research, which is about to conclude; 8-12 collectors will then be deployed across the Australian IP landscape.

SCADA honeypots

This project is aimed primarily at getting extensions to honeyd functional and testing the deployment for "realism". This is being done with the aim of extending the depth of deception and increasing the viability of such honeypots.

Publications

Valli, C. (2006) A Preliminary Investigation into Malware Propagation on Australian ISP networks using the mwcollect Malware Collector daemon, Journal of Information Warfare, Vol 5 Issue 1, pp. 1 - 9

Valli, C. (2006) A Tale of Two Daemons – mwcollect, 1st Conference on Digital Forensics, Imperial Palace, Las Vegas, Nevada.

Yek, S. (2006) Investigating the accuracy of wired and wireless TCP/IP fingerprinting on honeyd. Journal of Information Warfare, 5(1), 19-32.

Yek, S. (2006) Articulating the deception of an attacker under the guise of a honeynet. Paper presented at the 6th International Network Conference, University of Plymouth, Plymouth, England, U.K.

Yek, S. (2006) The development of a framework for applied deception in a honeynet. Paper presented at the 2006 International Conference on i-Warfare and Security, University of Maryland Eastern Shore, Maryland, U.S.A.

Valli, C. (2005) Honeypot technologies and their applicability as an internal countermeasure, In 3rd Australian Computer, Information and Network Forensics Conference, School of Computer and Information Science, Edith Cowan University, Mount Lawley, Western Australia.

Yek, S. (2005) Honeypots, honeynets and honeywalls - Finding the right honey for luring the attacker, In 6th Australian Information Warfare & Security Conference, Deakin University, Geelong, Victoria. 24 - 25th November 2005

Yek, S. (2005) Blackhat Fingerprinting Of The Wired And Wireless Honeynet, In Proceedings of the 3rd Australian Computer, Network & Information Forensics Conference, School of Computer and Information Science, Edith Cowan University, Perth, Western Australia, pp. 115-125

Yek, S. (2004) Implementing network defence using deception in a wireless honeypot, 2nd Australian Computer, Information and Network Forensics Conference, Fremantle, Western Australia

Gupta, N. & Valli, C. (2003) An initial investigation into the performance of the honeyd virtual honeypot system, Proceedings of the 4th Australian Information warfare and IT Security Conference, University of South Australia, Adelaide.

Valli, C. (2003) Honeyd - A Fingerprinting Artifice, In 1st Australian Computer, Information and Network Forensics Conference (Eds, Valli, C. and Warren, M.) We-BCentre.COM, Scarborough, Western Australia.

Yek, S. (2003). Measuring the effectiveness of deception in a wireless honeypot. 1st Australian Computer, Information and Network Forensics Conference, Scarborough, Western Australia

Image Preview System (SiMPLE)

Duration

July 2006 - December 2007

Internal Participants

Craig Valli, Andrew Woodward (Staff)

3rd Project Students

External Participants

WA police computer crime - Tim Thomas, Duncan Armstrong

WA Australian Federal Police Computer Crime - Mike Wheeler

This project is about the creation of a bootable Linux distribution that any police officer can use to preview images stored on a computer in a forensically sterile manner. Unlike other projects of similar ilk, this project aims to produce an icon-driven system that allows systems to be previewed with minimal expertise.

The base development system once tested will allow replication of purpose across several other areas of need for policing. This includes the creation of a similar bootable disk for searching and indexing of storage media for keyword or contextual searching for use in investigations or on-site triage.

The system is not merely built on top of another bootable Linux distribution such as Helix or Knoppix STD, as similar projects from other Australian agencies have done. The system is being developed from first principles and is undergoing rigorous testing and validation using industry-based testing regimes or standards such as ISO 17025 and NIST, to produce a product of high forensic validity.

In addition to allowing preview of topical images contained on the suspect's secondary storage, the system allows for the extraction and output of these images in a forensically sound manner. This then allows those images to be used by law enforcement in interrogation or at committal hearings. The ability to use such images will allow investigating officers to gain potentially faster outcomes as a result of having these images available to them almost immediately.

Outcomes

Release of Development 0.1 (August 31)

Laptop Inspector And Recovery System (LIARS)

Duration

July 2006 - July 2007 (Phase 1)

Internal Participants

Andrew Woodward, Craig Valli (Staff)

External Participants

WA police computer crime - Tim Thomas, Duncan Armstrong

Laptop theft is a major concern for individuals, corporations and government. The WA Police have indicated that they recover a large number of laptops as a result of their inquiries. However, most of these laptops are erased and sent to auction, as there are not sufficient resources to enable identification of the legitimate owner. In addition, in the course of their duties, the Police have occasion to search individuals, some of whom are in possession of laptops of which they may not be the legitimate owner. In these instances, it is useful for the Police to be able to identify on the spot whether the person in possession of the laptop is indeed the legal owner. Unless the laptop boots up and presents this information to the officer, this is not currently possible. There are two major aims of this project. The first is to allow on-the-spot identification of a laptop's rightful owner; the second is to increase the clear-up rate of recovered laptops that are currently erased and disposed of.

The primary goal of this project is to produce a tool that would enable someone with minimal knowledge of computers or forensic methods to identify the registered owner of a Windows XP based laptop. This will be done at a topical level, meaning that if the operating system has been formatted, then no information is likely to be found. Subsequent phases will see the drive examined at a level that allows owner registration data to be recovered from a formatted drive. The system will use the base live CD system being developed for the Purview system, with customised applications incorporated into it. The system is being developed from first principles and is undergoing rigorous testing and validation using industry-based testing regimes or standards such as ISO 17025 and NIST, to produce a product of high forensic validity.

Outcomes

Release of Development 0.1 (October 31)

Publications

Woodward, A. (2006). LIARS – Laptop Inspector and Recovery System. 4th Australian Digital Forensics Conference, Edith Cowan University, Perth, Western Australia. Accepted for Publication

Funding Opportunities

State Insurance Commission, various commercial insurance companies

Medical Information and Network Security (Various)

Duration

June 2004 - Ongoing

Internal Participants

Trish Williams, Craig Valli, Andrew Woodward, Chris Bolan

This project is examining the security of medical systems and networks. It is conducted at a systemic level, examining infrastructure and system issues, as well as at a localised level, examining local infrastructures such as general practice networks. As medical systems become more digitised, interconnected and dependent on the Internet as a communications backbone, this has significant implications for local, regional and national security.

This research is targeted at improving outcomes for general practice and the medical system infrastructure as a whole. There are various ongoing projects in the area.

Review of General Practice Security Posture and Awareness

This is an ongoing action research project for a PhD. It aims to conduct a gap analysis of the security stance of general practice. Once the gap analysis is complete, an action plan will be executed via a developed framework to increase the overall security posture and hardness of medical practices. This should result in a generic framework that can assist medical practices to secure their assets, which is critical in protecting the national health infrastructure.

Review of the security of medical practice software against SQL injection attacks

This project is testing various medical practice management software and hospital management systems that use SQL engines against injection attacks. This is pertinent in that it will show whether medical systems are vulnerable to automated attack and denial of service via this vulnerability. Its relation to security is that if these systems could be rendered ineffective or useless during a terrorist attack, for instance, the effects could be devastating.

Mobile Device Forensics (Various)

Duration

June 2004 – To Be Determined

Internal Participants

Craig Valli, Andrew Woodward

External Participants

Andy Jones (British Telecom) - UK

Wayne Jansen (NIST) - USA

This project is part of an ongoing study into the security aspects of mobile technology, including PDA and phone technology. It focuses on the retrieval of evidence from mobile devices in a forensically sound manner. It is envisaged that, with the increasing adoption of mobile technology, this will be in increasing demand. Currently the investigation is concentrated on analysis methods for various phones and PDAs.

Current Projects

Mobile Phones

Symbian Phones

This project is involved with the analysis of the Symbian family of phones. Symbian is an operating system developed for mobile phones that is seeing wide use across a range of phone vendors.

Nokia Phones

This is specifically targeted at the Nokia family of mobile phones, which is extensive. The other reason this family is examined is that it has one of the highest rates of adoption in Australia.

Problem Phones

This is specifically aimed at phones that law enforcement find problematic or are unable to readily examine. One of the current phones in this area is the Motorola RAZR, for example.

Palm OS PDAs

This project is aimed at Palm OS enabled PDAs and has been conducted by the group since 2004. Current research is aimed at developing a framework for the correct forensic acquisition of these devices and the preservation of electronic evidence.

Linux enabled PDAs

This project is aimed at acquiring Linux-enabled iPAQ devices and has been conducted by the group since 2004.

Radio Frequency Identification (RFID) Tag Forensics

Duration

June 2006 – To Be Determined

Internal Participants

Christopher Bolan (Staff)

3rd Project Students

This project is part of an ongoing study into the security aspects of RFID technology. This section focuses on the retrieval of data from RFID Tags in a forensically sound manner. It is envisaged that with the increasing implementation of RFID technology the data on RFID Tags will eventually be needed as part of electronic forensic investigations.

Currently the investigation is concentrated on Tag data formats and modes of operation. Later stages of the project will include the development of forensically sound analysis tools that will allow forensic imaging and data retrieval.

Publications

Publications (Awaiting Acceptance):

Kogan, V., & Bolan, C. (2006). A Security Based Comparison of EPC Tags: Generation One versus Generation Two. Proceedings of the 4th Australian Information Security Management Conference. Perth, WA

Urosevic, U., & Bolan, C. (2006). A Security Based Analysis of the United States Department of Defence RFID Standard. Proceedings of the 7th Australian Information Warfare and Security Conference. Perth, WA

Second-hand Hard Disk remnant data study

Duration

June 2004 - ?

Internal Participants

Craig Valli, Andy Jones (British Telecom, ECU Adjunct)

External Participants

Iain Sutherland (Glamorgan University), British Telecom (UK), Life-Cycle Services (UK)

This is an ongoing study conducted by the group in collaboration with Glamorgan University, British Telecom and Life-Cycle Services (UK). It involves the purchase of hard disks from physical and online auction sites on a random basis. Forensically valid images of the hard disks are then acquired and analysed. The analysis involves attempting to profile previous users from any remnant data that may be left on the drives.

The study has uncovered serious breaches and issues with the secure disposal of personal and corporate information. In all the studies, data from national critical infrastructure providers was uncovered which could be used by terrorist organisations to create significant disruption or destruction of services. Furthermore, the types of data uncovered in the investigation would also be a rich repository of information for identity thieves.

The study has received significant press coverage, with over 90 news services running stories about the 2005 report. British Telecom public relations management estimated the net value of the exposure from the report at 370,000 UK pounds.

Publications

Jones, A., Valli, C., Sutherland, I. and Thomas, P. (2006) The 2006 Analysis of Information Remaining on Disks offered for sale on the second hand market, Journal of Digital Forensics, Science and Law, Vol 1. Issue 3

Valli, C. (2006) Your corporate information...going, going, gone to the highest bidder, Information Age, August, 2006

Valli, C. and Jones, A. (2005). A UK And Australian Study Of Hard Disk Disposal, In Proceedings of the 3rd Australian Computer, Network & Information Forensics Conference, School of Computer and Information Science, Edith Cowan University, Perth, Western Australia, pp. 74-78.

Valli, C. (2004). Throwing out the Enterprise with the Hard Disk, In 2nd Australian Computer, Information and Network Forensics Conference, We-BCentre.COM, Fremantle Western Australia.

Snort Intrusion Detection System (IDS) Logfile Visualisation

Duration

June 2006 – Mar 2008

Internal Participants

Craig Valli, Andrew Woodward, Trish Williams, Chris Bolan

External Participants

British Telecom (5000 UK Pounds)

This project involves near real-time to real-time visualisation of Snort IDS logfile data. It will use the ParaView modelling software running in real time on the CRITS Beowulf compute cluster to process outputs from a live IDS system. The intention of the project is to provide a mechanism to interpret and monitor threats from network intruders by visualising intrusion alerts or outputs from the IDS. One of the main problems with conventional IDS on large network pipes is processing the IDS data into a meaningful, accurate and timely framework that enables a timely, informed response to inbound or outbound threats on a network infrastructure.

Wireless Security (Various)

Duration

January 2003 – Now

Internal Participants

Craig Valli, Andrew Woodward

The group has extensive experience in wireless security, covering all aspects of wireless communication in the 802.11 protocols, and has a high level of publication in this area. Wireless usage in the 802.11 protocol band is constantly increasing, with most new laptop computers being equipped with 802.11 B/G capable cards as standard. In addition, newer mobile phones and personal digital assistants likewise have wireless LAN capabilities installed by default. The emergence of new protocols such as WiMAX, which offers wireless broadband communication at distances of 70km from a base station, will see increasing use of WiMAX in a range of devices and appliances.

The increasing use of wireless is also seeing a corresponding rise in crimes committed using these technologies. Furthermore, with this new technology it is possible for criminals and terrorists to rapidly establish their own secured private networks. Capacity is needed to monitor, intercede in, intercept and interrupt such communications.

Current Research Projects

Development of a risk assessment framework for SOHO and Small business

A framework/checklist is being developed for use with SOHO and small business companies that utilise wireless technology, to measure risk and provide mitigation or reduction strategies. This has local, regional and national infrastructure implications, by making the total network stronger against attack.

WIDS

This has been an ongoing project attempting to develop a network-based solution to intrusion detection and response. Current investigation is around placing honeypot and wireless intrusion detection systems onto ASUS WD-200 access points, which are capable of supporting 2.5" drives for storage of the operating system and utilities. This involves cross-compilation of existing network security programs for deployment on the access point and subsequent validation.