Towards Proactive Computer-System Forensics - Semantic Scholar

Towards Proactive Computer-System Forensics

Phillip G. Bradford, Marcus Brown, Bonnie Self, Josh Perdue

Department of Computer Science, The University of Alabama, Box 870290, Tuscaloosa, AL 35487-0290
{ pgb, mbrown, joshua, bself } @cs.ua.edu

Abstract

This paper examines principles and approaches for proactive computer-system forensics. Proactive computer-system forensics is the design, construction and configuring of systems to make them most amenable to digital forensics analyses in the future. The primary goals of proactive computer-system forensics are system structuring and augmentation for automated data discovery, lead formation, and efficient data preservation. This paper proposes: (1) using the Neyman-Pearson Lemma to proactively build online forensics tests with the best possible critical regions for hypothesis testing, and (2) using classical stopping rules for sequential hypothesis testing to determine which users are deviating from standard usage behavior and should be the focus of more investigative resources. Here the focus is on security breaches by the employees or stakeholders of an organization. The main measurements are event-driven logs of program executions.

1. Introduction

Changing technology is one constant that consistently impacts computer forensics. What fixed points can a technologist leverage to proactively prepare for forensics investigations? Using good science and engineering, classical forensics is a sophisticated endeavor. Classical forensics is generally reactive and is applied after a transgression has taken place or after a suspected transgression has occurred. Alternatively, proactive computer-system forensics targets adjustments that allow greater data discovery and better lead formation. This may include preemptive system restructuring. That is, adjustments of security resources can be done on-line based on partial or circumstantial evidence.

This paper takes ‘proactive forensics’ to mean proactive computer-system forensics. Security violations are most likely from a firm’s current or former employees [7]: ‘‘Perpetrators generally were computer specialists: programmers, computer operators, data entry personnel, systems analysts, and computer managers--insiders. After all, they were the only ones who knew how to operate and use the technology and the only ones able to gain physical access to them.’’ Computer crimes are mostly perpetrated by people with a rudimentary knowledge of Computer Science. Alternatively, most often, computer forensics is applied to computer-assisted crimes [3]. Of course, proactive forensics must eventually deal with both computer-assisted crime as well as computer-focused crime. This paper is about proactive system forensics for an organization’s employees or stakeholders. Proactive forensics is not as much about predicting behavior as it is about adaptively focusing resources on potential transgressors. The focus in this paper is on event-driven system functions and not on illicit data. That is, suppose an employee moves stolen data to an organization’s network. This paper doesn’t propose searching for such data; rather, our system looks for changes in behavior (as seen by system logs) of the individual user. This paper assumes instantaneous access to system logs of processes, programs, and network events. It is natural to assume proactive forensics will eventually include user-generated data as part of its process.

There are differences between computer security and proactive system forensics: computer security focuses on preventative measures, whereas proactive system forensics tries to generate appropriate data to provide good investigation leads and to focus search appropriately. Investigative leads can be used to enhance data mining to more efficiently search for user events that may be coincident with security breaches. Such data mining can be initiated automatically by systems applying proactive forensics. Intrusion detection is closely related to proactive forensics. For example, honey pots can play roles in both proactive forensics and intrusion detection. However, intrusion detection generally targets quick detection and understanding of intruders. In contrast, proactive forensics works over the long term, setting alerts and adjusting system parameters as appropriate.

1.1 Is it all about Audit Trails and Internal Logs?

The physical demonstration and exhibition of digital evidence is central to computer forensics [3]. A chain-of-custody [8] documents the details of when different people (investigators, prosecutors, defense, etc.) have access to potential evidence. It is imperative to keep a chain-of-custody easy to understand and well documented. Of course, digital media can be built to track its own chain-of-custody. These automated chain-of-custody mechanisms are useful for proactive forensics. Ideally, in a system we would be able to perform time-travel to discern what happened and when it occurred. The storage space required by time-travel is very expensive. Furthermore, the admissibility and chain-of-custody issues must be addressed for time-travel. This requires a good deal of security and authentication.

Logs and audit trails are necessary to most notions of digital evidence. Event-driven data can indicate suspected deviant behavior of certain users. These users can be the focus of data mining to find coincident security events. These samples can be data-mined during a machine’s idle time, for example. Finding coincident events and determining their significance is a proactive method of searching out potential problems. Most operating systems allow the collection of application logs. For example, Windows XP and variations of Unix [2] can collect log data. Windows XP can log events into one of three logs: application, security, and system. The application log contains program-generated events. The system log contains events relating to Windows XP components, like the failure of a driver. The security log records events relating to permission violations.

Audit trails are expensive to run in databases. In many cases, each transaction in a database system inserts or updates another entry in an audit database [9]. Generating full audit trails increases the space cost by a factor of at least two. This may force heavily used systems to be doubled in size and power to accommodate extensive audit trails.

1.2 Previous Work

Digital forensics is a substantial field. Perhaps this is because criminals can easily leverage the effectiveness of computer technology. Carrier and Spafford [3] give a model for digital investigations. In terms of their model, perhaps our work best fits into their “Infrastructure Readiness Phase,” although our approach focuses on proactive measures. The sequential hypothesis testing methods used here have long been used to detect deviant behavior. This aspect is not new to this paper. However, this paper proposes using sequential hypothesis tests to automatically initiate more investigation and data gathering. Honey pots and other intrusion traps give proactive forensics evidence trails. These are critical tools and can be integrated into the proactive forensics models this paper presents. A good deal of work on intrusion detection works with Bayesian statistics for detecting potential intrusions. This is different from proactive forensics, in that proactive forensics is about changes in user behavior over time and gathering evidence to document potential transgressions.

1.3 The Structure of this Paper

Section 2 gives several principles that are subsequently assumed in this paper. These principles are not necessary for the thesis of this paper, but they do strengthen the approach. Section 3 gives the main ideas and observations of this paper. First, Subsection 3.1 presents and interprets the well-known Neyman-Pearson Lemma. The important point here is to design hypothesis tests to maximize their significance and power. This is essential for proactive forensics. Next, Subsection 3.2 presents classical work on sequential hypothesis testing. This is applied to proactive forensics. Subsection 3.3 discusses possible implementation issues. Finally, Section 4 concludes this paper and gives some new directions.

2 Principles for Proactive Forensics

This section gives some elementary principles and observations that form the foundations of the framework of our models for proactive computer forensics. Keep in mind that the focus is on an organization’s stakeholders and not on security infractions from outside an organization.

The small-security-breach principle: A single breach of a system can be catastrophic. Small and dangerous computer viruses can be under 1000 bytes long [10]. The small-security-breach principle validates event-driven logging and event-initiated audit trails. This deals with the common issue of miscreants dissociating their physical presence from illicit data transfers using systems like cron (Unix) or the scheduler (Microsoft XP).

The small-user-world principle: most users only use a very few systems or programs. They often use these in very similar ways to other employees or stakeholders in the same position. Using this principle, automatically observing the events of a user creating a RAM drive in primary memory can alert the systems security staff to something awry. Of course, if many similarly situated users initiate the same event (creating a RAM drive), then perhaps new requirements have been initiated. That is, users’ opportunity for mischief is often in narrowly defined areas. Thus sampling daily hard disk changes on an event-driven basis may suffice in tracking potential problems.

The incremental violation principle: when an internal user does attempt security breaches, they must ‘learn’ their way around security. This often leaves a trail of system logs and events. It is this learning curve that proactive system forensics attempts to leverage as early as possible.

3 Proactive Computer-System Forensics

Proactive forensics is essentially setting up systems so that evidence will be maximized if an unfortunate transgression occurs. Consider the small-security-breach principle together with the small-user-world principle. The small-user-world principle encourages meticulous sampling of users’ behavior. This behavior should not deviate all that much from that of other users in similar positions or job titles. The small-security-breach principle indicates that differentiating unusual behavior is extremely important. Finally, the incremental violation principle says the learning curve for committing computer crimes is an opportunity for more sophisticated observation, apprehension, or even interruption of potential transgressions. Users with similar responsibilities should have statistically similar empirical distributions of computer events. The main goal of a proactive forensics system is to be able to adaptively increase the amount and breadth of sampling given statistical justification. Ideally, the sampling can be as thorough and sophisticated as building resources for time-travel for highly suspect users. Furthermore, it is only advantageous to have the highest possible confidence to start investigations. This can be expressed in statistics as having the best possible confidence interval for hypothesis testing, even though on many systems this best-confidence interval leading to suspicion is apparently not legally necessary. Monitoring employees and stakeholders is expensive, let alone the human effort for monitoring. Just consider the memory and CPU use. Individual users can generate very large amounts of data in their day-to-day functions. Furthermore, data points on potential transgressions may appear only occasionally.

3.1 Fixed Sample Size Hypothesis Testing

Given distributions of events initiated and run by users, the first natural tests are hypothesis tests. Over time, distribution profiles of similar stakeholders can be developed. For example, it may be known that first-year analysts run the programs outlined in Figure 1. Clearly, many other interesting sample statistics can be gathered as well.

Program                Sample Mean    Sample Variance
Spreadsheet                  190.3               22.9
Editor                        75.2               91.4
Mail                         505.9              120.5
Web browser                  128.2               34.1
Database                     231.1               34.2
Proprietary System1           10.1                2.3
Proprietary System2            5.1                1.1

Figure 1. Sample Statistics for an Analyst. All Values in Minutes.

Given sample statistics such as those in Figure 1, suppose every month new statistics are aggregated from all users for comparison. Consider a fixed sample of n independent and identically distributed random values denoted by their probability density functions $f(X_1, \theta), f(X_2, \theta), \cdots, f(X_n, \theta)$ to emphasize they are from the common (unknown) distribution $\theta$. This paper only considers two simple hypotheses:

$$H_0 : \theta = \theta_0, \qquad H_1 : \theta = \theta_1,$$

where $H_0$ is the null hypothesis. The null hypothesis is generally the ‘most important’ hypothesis. Given these variables as input, hypothesis testing tries to determine whether $\theta$ is $\theta_0$ or $\theta_1$. Fixed sample size hypothesis testing then determines if $\theta = \theta_0$ or $\theta = \theta_1$ within a confidence limit. This confidence limit is computed using:

$$\alpha = \mathbb{P}[\text{accept } H_1 \mid \theta = \theta_0] \quad \text{(size of type I error)},$$

$$\beta = \mathbb{P}[\text{accept } H_0 \mid \theta = \theta_1] \quad \text{(size of type II error)}.$$

The value $\alpha$ is the probability of type I errors and it is sometimes called the critical value. The critical region $C$ is the part of the sample space corresponding to $\alpha$. That is, $C$ is in both sample spaces for $\theta_0$ and $\theta_1$, but if a sample point occurs in $C$, then it is taken as evidence to reject $\theta = \theta_0$ and accept $\theta = \theta_1$. It is well known that reducing the probability of type I errors often increases the probability of type II errors; see for example [4, 5]. The critical region $C$ is the best critical region of fixed size $\alpha$ iff $\mathbb{P}[X \in C \mid \theta = \theta_0] = \alpha$ and, for any critical region $C'$,

$$\mathbb{P}[X \in C' \mid \theta = \theta_0] \le \alpha \implies \mathbb{P}[X \in C' \mid \theta = \theta_1] \le \mathbb{P}[X \in C \mid \theta = \theta_1].$$

Therefore, a critical region $C$ is best if, fixing $\alpha$, the critical region $C$ maximizes the probability that the sample point $X$ correctly indicates accepting $\theta = \theta_1$. Getting a best critical region often requires modification of the test statistic. Thus, if an organization decides to (statistically, pragmatically or ethically) fix a particular $\alpha$ threshold, then they would clearly want to maximize the probability of correctly accepting the alternate hypothesis. In some sense, this method gives the optimal test statistic for known distributions while fixing $\alpha$. This is particularly relevant for forensics analyses. To isolate the type I error / type II error trade-off, the next famous lemma uses ratios of probabilities (likelihood ratios) to determine the best critical region of a given size.

Lemma 1 (Neyman-Pearson Lemma). Say $\theta \in \{\theta_0, \theta_1\}$ and $f(X_i, \theta) \neq 0$ for all $i \in \{1, 2, \cdots, n\}$. If there is a critical region $C$ of size $\alpha$ so that there exists a constant $k \ge 0$ such that

$$\frac{\prod_{i=1}^{n} f(X_i, \theta_1)}{\prod_{i=1}^{n} f(X_i, \theta_0)} \ge k \ \text{ for points in } C, \qquad \frac{\prod_{i=1}^{n} f(X_i, \theta_1)}{\prod_{i=1}^{n} f(X_i, \theta_0)} \le k \ \text{ for points not in } C,$$

then $C$ is the best critical region of size $\alpha$.

Variations on Lemma 1 can be applied to searching for hypotheses with cost constraints [6]. Cost constraints model performing sophisticated analyses on users’ computers.
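As an added illustration (this is not code from the paper), the following Python applies Lemma 1 to the Spreadsheet row of Figure 1 under a constructed normal model with the group's sample variance taken as known: the likelihood ratio is then monotone in the sample mean, so the best critical region of size α is a threshold on the mean, and the Lemma 1 ratio form and the mean-threshold form give the same decision. The alternative mean MU1, the choice mu1 > mu0, and the two five-day samples are assumptions.

```python
from math import sqrt
from statistics import NormalDist

# Constructed profile from the "Spreadsheet" row of Figure 1: daily minutes are
# modelled as N(mu, sigma^2) with the group's sample variance treated as known.
MU0, SIGMA = 190.3, sqrt(22.9)   # H0: the user matches the analyst profile
MU1 = 200.0                      # H1: an assumed shift of roughly 10 min/day


def critical_value(mu0, sigma, n, alpha):
    """Threshold c on the sample mean so that C = { xbar >= c } has size alpha,
    i.e. P[xbar >= c | theta = theta0] = alpha (assumes mu1 > mu0)."""
    se = sigma / sqrt(n)
    return NormalDist(mu0, se).inv_cdf(1 - alpha)


def power(mu0, mu1, sigma, n, alpha):
    """P[X in C | theta = theta1] = 1 - beta for the best region of size alpha."""
    c = critical_value(mu0, sigma, n, alpha)
    return 1 - NormalDist(mu1, sigma / sqrt(n)).cdf(c)


def log_likelihood_ratio(xs, mu0, mu1, sigma):
    """ln( prod f(x_i, theta1) / prod f(x_i, theta0) ) for a common-variance normal."""
    return sum(((x - mu0) ** 2 - (x - mu1) ** 2) / (2 * sigma ** 2) for x in xs)


def log_k(mu0, mu1, sigma, n, alpha):
    """The Neyman-Pearson constant ln k that corresponds to the threshold c.
    For this model ln LR = n (mu1 - mu0) / sigma^2 * (xbar - (mu0 + mu1) / 2),
    which is increasing in xbar, so { ln LR >= ln k } is exactly { xbar >= c }."""
    c = critical_value(mu0, sigma, n, alpha)
    return n * (mu1 - mu0) / sigma ** 2 * (c - (mu0 + mu1) / 2)


def decide_by_mean(xs, mu0, mu1, sigma, alpha):
    """Mean-threshold form of the size-alpha test."""
    xbar = sum(xs) / len(xs)
    return "H1" if xbar >= critical_value(mu0, sigma, len(xs), alpha) else "H0"


def decide_by_ratio(xs, mu0, mu1, sigma, alpha):
    """Lemma 1 form of the same test: accept H1 when the likelihood ratio reaches k."""
    lr = log_likelihood_ratio(xs, mu0, mu1, sigma)
    return "H1" if lr >= log_k(mu0, mu1, sigma, len(xs), alpha) else "H0"


# Constructed five-day samples (minutes of spreadsheet use per day) for two users.
BASELINE_USER = [191.0, 189.5, 193.2, 190.8, 188.9]
SHIFTED_USER = [201.3, 198.7, 203.1, 199.4, 202.0]

if __name__ == "__main__":
    for name, xs in (("baseline", BASELINE_USER), ("shifted", SHIFTED_USER)):
        print(name, decide_by_mean(xs, MU0, MU1, SIGMA, 0.01),
              decide_by_ratio(xs, MU0, MU1, SIGMA, 0.01))
    print("power at alpha=0.01, n=5:", round(power(MU0, MU1, SIGMA, 5, 0.01), 3))
```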

3.2 Sequential Hypothesis Testing

SPRT (Sequential Probability Ratio Test) was developed independently by A. Wald and G. A. Barnard [11].

Let $\alpha$ and $\beta$ be the probabilities of type I and type II errors, respectively. Let $f(X_1, \theta), f(X_2, \theta), \cdots, f(X_n, \theta)$ be sequential observations of events, each independently and identically distributed according to $\theta$. That is, $f(X_i, \theta)$ occurs at time step $i$. For example, $f(X_i, \theta)$ is the $i$th day’s average use of a spreadsheet for a particular user. Computing a SPRT ratio allows dynamic hypothesis testing, where each hypothesis test runs until it determines that the data points gathered show $H_0$ holds with error probability $\alpha$ or that the data points so far indicate $H_1$ holds with error probability $\beta$. It is important to notice that this algorithm runs (and monitors) users until enough ‘evidence’ comes about to justify whether $H_0$ or $H_1$ holds within the pre-prescribed error level. Given $\alpha$ and $\beta$, compute the bounds for the next stopping rule [11, 5]:

$$A \leftarrow \frac{1 - \beta}{\alpha} \quad \text{and} \quad B \leftarrow \frac{\beta}{1 - \alpha}.$$

The values $A$ and $B$ are bounds and they are not exact. But they are sufficient for SPRT calculations [11, 5]. SPRT computes the likelihood ratio

$$R_n = \sum_{i=1}^{n} \ln\left( \frac{f(X_i, \theta_1)}{f(X_i, \theta_0)} \right),$$

where the logarithms are historically taken to simplify the computation of the sequential tests. The SPRT stopping rule

$$N = \inf\{\, n : \ln B \ge R_n \ \vee\ R_n \ge \ln A \,\}$$

indicates when to stop sampling the data and evaluate the decision rule. The SPRT decision rule:

$$\chi_N = \begin{cases} H_0 & \text{if } R_n \le \ln B \\ H_1 & \text{if } R_n \ge \ln A. \end{cases}$$

Assuming one of the two hypotheses does hold, the next theorem is significant.

Theorem 1 (Wald [11]). The stopping rule will eventually terminate the data-selection process with probability 1.

Theorem 1 is important in that for any $\alpha$ and $\beta$ chosen, eventually there is a large enough $n$ so one can determine which group a user falls into. Wald and Wolfowitz [11] showed that sequential hypothesis testing using likelihood ratios is optimal in some sense. That is, they show the expected number of steps to stopping for the SPRT with the correct conclusion is at least as good as for any other sequential ratio test.

A Classic Example. The next example follows Wald [11, Chapter 3] closely. Let the probability $p$ be unknown and

$$f(X, \theta) = \begin{cases} p & \text{if } X = 1 \\ 1 - p & \text{if } X = 0. \end{cases}$$

Given the fixed and known variables $p_0$ and $p_1$, consider:

$H_0$: the hypothesis that $\theta = \theta_0$, giving $p = p_0$;
$H_1$: the hypothesis that $\theta = \theta_1$, giving $p = p_1$.

Now, the observations $f(X_1, \theta), f(X_2, \theta), \cdots, f(X_n, \theta)$ have the log-likelihood ratios

$$z_i = \ln\left( \frac{f(X_i, \theta_1)}{f(X_i, \theta_0)} \right) = \begin{cases} \ln\left( \frac{p_1}{p_0} \right) & \text{if } X_i = 1 \\ \ln\left( \frac{1 - p_1}{1 - p_0} \right) & \text{if } X_i = 0. \end{cases}$$

Therefore, start by choosing the desired $\alpha$ and $\beta$, then compute $A$ and $B$. Next, for each succeeding data point ($n \leftarrow n + 1$) compute $R_n = z_1 + \cdots + z_n$ and check the stopping rule $N = \inf\{\, n : \ln B \ge R_n \ \vee\ R_n \ge \ln A \,\}$. The stopping rule determines when to stop sampling and accept either $H_0$ or $H_1$.

3.3 Implementation Issues

SPRTs can start running once other critical events occur, not just from the start of a person’s employment. There are some tools appearing, such as fupids by Wendzel [12], that implement data collection in a way that is suitable to our view of proactive forensics. fupids is for OpenBSD. For example, fupids assigns an attack level to all users. If a user runs a program which they have never run before, or suddenly starts running lots of programs, then their attack level is raised. Although this system is designed for intrusion detection, it may serve as a good foundation for proactive forensics.

4 Conclusions and Further Directions

Should such proactive system forensics be kept secret from the users? We believe so, though it may not build trust in management if a user discovers such monitoring. However, giving fixed (and small) confidence intervals to alert security to heighten analysis seems reasonable in many ways. This seems to be akin to probable-cause searches by law enforcement. In fact, using both the Neyman-Pearson Lemma and sequential hypothesis testing with fixed thresholds for $\alpha$ and $\beta$ seems correct in this light. Using the best possible critical regions to discern potential transgressions seems consonant with what the world outside Computer Science strives towards. We feel this way even though, on an organization’s own computers, it is legal to search any machine for any data [3].

Acknowledgements

Thanks to David Cordes for his many insightful comments. Thanks to Gary McGraw for pointing out honey pots as proactive forensics tools.

References

[1] E. Casey (editor): Handbook of Computer Crime Investigation: Forensic Tools and Technology, Academic Press, 2002.
[2] M. Bishop: Computer Security: Art and Science, Addison-Wesley, 2003.
[3] B. Carrier, E. H. Spafford: “Getting Physical with the Digital Investigation Process,” International Journal of Digital Evidence, Volume 2(2), Fall 2003.
[4] J. E. Freund, R. E. Walpole: Mathematical Statistics, Third Edition, Prentice Hall, 1980.
[5] P. G. Hoel, S. C. Port, C. J. Stone: Introduction to Statistical Theory, Houghton Mifflin, 1971.
[6] J. B. Kadane: “Discrete Search and the Neyman-Pearson Lemma,” Journal of Mathematical Analysis and Applications, Vol. 22(1), 156-170, 1969.
[7] G. L. Kovacich, W. C. Boni: High-Technology-Crime Investigator’s Handbook: Working in the Global Information Environment, Butterworth-Heinemann, 2000.
[8] W. G. Kruse II, J. G. Heiser: Computer Forensics: Incident Response Essentials, Addison-Wesley, 2002.
[9] R. Ramakrishnan, J. Gehrke: Database Management Systems, McGraw Hill, 2003.
[10] P. Stephenson: “Modeling of Post-Incident Root Cause Analysis,” International Journal of Digital Evidence, Volume 2(2), Fall 2003.
[11] A. Wald: Sequential Analysis, J. Wiley & Sons, 1950.
[12] S. Wendzel: “fupids: fuzzy userprofile intrusion detection system,” http://cdp.doomed-reality.org/fupids/
