Publication


Featured research published by Gavin W. Manes.


Midwest Symposium on Circuits and Systems | 2002

Network vulnerability analysis

B. Skaggs; B. Blackburn; Gavin W. Manes; Sujeet Shenoi

The increasing volume of attacks on the Internet has increased the demand for sophisticated tools for vulnerability analysis, intrusion detection, forensic investigations, and possible responses. Current hacker tools and technologies warrant reengineering to address cyber crime and homeland security. The creation of network scanners is necessary to secure the information infrastructure by gathering network topology, intelligence, internal/external vulnerability analysis, and penetration testing. Scanners must be able to function on a variety of networks: Internet (IP), SS7, wireless, and converged networks. Scanners should be extendable and upgradable to facilitate use by a broad spectrum of users and platforms; such flexibility allows users to keep up with current hacker technology. This paper describes one such scanner, referred to as NetGlean.


Midwest Symposium on Circuits and Systems | 2002

Signaling system 7 (SS7) network security

Tyler Moore; T. Kosloff; J. Keller; Gavin W. Manes; Sujeet Shenoi

This paper examines vulnerabilities present within SS7 networks, vulnerabilities whose threat has been magnified by deregulation and emerging trends in network technology. First, it provides an overview of the SS7 network and protocol. Then it explains how modern deregulated telephone networks combine with next-generation technologies in a manner that poses a threat to the security of the telecommunications signaling network. This paper details several attack scenarios made possible by accepting the assumption that an SS7 signaling point may be compromised to allow insertion of message traffic.


International Conference on Digital Forensics | 2005

Detecting Hidden Data in Ext2/Ext3 File Systems

Scott Piper; Mark Davis; Gavin W. Manes; Sujeet Shenoi

The use of digital forensic tools by law enforcement agencies has made it difficult for malicious individuals to hide potentially incriminating evidence. To combat this situation, the hacker community has developed anti-forensic tools that remove or hide electronic evidence for the specific purpose of undermining forensic investigations. This paper examines the latest techniques for hiding data in the popular Ext2 and Ext3 file systems. It also describes techniques for detecting hidden data in the reserved portions of these file systems.


International Conference on Digital Forensics | 2005

A Network-Based Architecture for Storing Digital Evidence

Mark Davis; Gavin W. Manes; Sujeet Shenoi

The storage and handling of digital evidence are creating significant challenges for federal, state and local law enforcement agencies. The problems include acquiring and processing massive amounts of digital evidence, maintaining the integrity of the evidence, and storing digital evidence for extended periods of time. This paper describes a network-based storage architecture that helps address these issues. The architecture also supports collaborative efforts by examiners and investigators located at geographically dispersed sites.


Journal of Network and Systems Management | 2005

A Framework for Unified Network Security Management: Identifying and Tracking Security Threats on Converged Networks

Jerald Dawkins; K. Clark; Gavin W. Manes; Mauricio Papa

A comprehensive network security management system must coordinate detection and scanning tools for converged networks; derive fully-integrated attack and network models; perform vulnerability and multi-stage attack analysis; support large-scale attack visualization; and possibly orchestrate strategic responses to unwarranted actions that cross network boundaries. We present an architecture that embodies these principles. The unified network security management system described in this paper gleans data from a suite of detection tools for various networking domains. Aggregate real-time network data supplies a comprehensive modeling framework used for further analysis, correlation, and visualization. The resulting system not only provides network administrators with a heads-up cockpit display of their entire network, it also supports guided response and predictive capabilities for multi-stage attacks in converged networks.


International Conference on Digital Forensics | 2005

Imaging and Analysis of GSM SIM Cards

Christopher Swenson; Gavin W. Manes; Sujeet Shenoi

Cellular phones are becoming ubiquitous. As of March 2005, there were more than 180 million cellular subscribers in the United States, over 60% of the population. Cellular devices invariably contain information that can aid criminal investigations. Nevertheless, extracting evidence from cellular phones is quite uncommon in the United States. The principal reasons are the lack of awareness and training on the part of law enforcement agents and the limited availability of inexpensive tools for extracting and analyzing evidence. This paper describes a toolkit for extracting and analyzing data from SIM cards, which are used for cryptographic authentication, key generation and data storage in GSM cellular phones.


Information Assurance and Security | 2007

A Framework for Redacting Digital Information from Electronic Devices

Gavin W. Manes; Lance Watson; Elizabeth Downing; Alex Barclay; David Greer; John Hale

A reliable method for the removal of selected information from digital devices remains an open problem. A solution is particularly necessary for the legal profession, where it is required to produce information to opposing counsel during the discovery portion of court proceedings. The method outlined in this paper provides an efficient and effective system for redacting digital information beyond recovery by conventional forensic techniques. This paper also describes the major obstacles to achieving practical and comprehensive redaction of digital information from electronic devices. Of particular issue is the lack of a rational process for systematically handling encoded, encrypted, or otherwise complex data objects. Applications for this method extend well beyond the courtroom: it can be used in government and business to remove classified and proprietary information from documents and records.


Journal of Network and Systems Management | 2005

NetGlean: A Methodology for Distributed Network Security Scanning

Gavin W. Manes; Dominic Schulte; Seth Guenther; Sujeet Shenoi

Network vulnerability analysis tools today do not provide a complete security awareness solution. Currently, network administrators utilize multiple analysis tools in succession or randomly in a patchwork fashion that provides only temporary assurance. This paper introduces NetGlean as a methodology for distributed network security scanning with a holistic approach to network analysis. NetGlean uses new and existing techniques in a continual, autonomous, evolutionary manner to provide powerful real-time and historical views of large and complex networks. This paper introduces the methodology and describes one implementation NetGleanIP, a scanner for IP and converged networks.


IEEE Symposium on Security and Privacy | 2009

Overview of Licensing and Legal Issues for Digital Forensic Investigators

Gavin W. Manes; Elizabeth Downing

Digital forensic examiners face challenges outside the technical aspects of collecting, investigating, and storing digital information. Rules about admissibility and the licensing requirements for forensic professionals must also be taken into account. The use of digital data in an expanding number of US court cases and business investigations has precipitated changes in evidence handling and admissibility requirements, most notably in the 2006 changes to the Federal Rules of Civil Procedure. Knowledge of these rules and the ensuing case law is an essential component of any examiner's toolkit because improper evidence handling can lead to inadmissible evidence. The courts' acceptance of such evidence is also greatly affected by the examiner's proper licensure. Unfortunately, these requirements vary by state (sometimes even by city) and are constantly changing. Therefore, digital forensic investigators must heed both the courts' rules regarding evidence handling and the states' rules for licensing in order to be most effective.


Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Defense and Law Enforcement | 2002

Evidence acquisition tools for cyber sex crimes investigations

Jon Novotny; A. Meehan; Dominic Schulte; Gavin W. Manes; Sujeet Shenoi

Sexually explicit Internet chat rooms are increasingly used by pedophiles to reach potential victims. Logging and linking suspects to chat room conversations and e-mails exchanged with undercover detectives are crucial to prosecuting travelers, i.e., pedophiles who travel across state lines to engage in sexual acts with minors. This paper describes two tools, a chat room monitor and a remote fingerprinter, for acquiring and preserving evidence. The chat room monitor logs online communications as well as screen images and keystrokes of the undercover detective. stored to allow the chronological reconstruction and replay of the investigation. The remote fingerprinter uses sophisticated scanning techniques to capture and preserve a unique fingerprint of the suspect's computer over the Internet. Once the suspect's computer is seized, it is scanned again; matching this new fingerprint with the remotely acquired fingerprint establishes that the suspect's computer was used to communicate with the detective.
