160 likes | 271 Vues
Overview of Live Computer System Capture and Triage Tool (CCTT). Enabling Initial Computer Investigations by Non-Expert Law Enforcement Personnel. NCSA led project with collaboration from the FBI & local law enforcement Guide LE through initial investigation of computer related crimes
Overview of Live Computer System Capture and Triage Tool (CCTT)
Enabling Initial Computer Investigations by Non-Expert Law Enforcement Personnel • NCSA led project with collaboration from the FBI & local law enforcement • Guide LE through initial investigation of computer related crimes • Consent based complaints • Work on live systems • Gather evidence/information from SOHO Windows systems • Support on-site investigation • USB memory stick form factor (keep it in your glove box) National Institute Of Justice Funded Project National Center for Supercomputing Applications
Motivations • How critical are the actions of the law enforcement first responder to any crime? • How well prepared is the typical LEFR to answer computer related complaints such as; • I received an e-mail based threat. • I responded to an e-mail about my inheritance but ended up loosing my life savings. • My young son is getting indecent proposals from someone over IM. • My daughter did not come home last night and I think it might be related to something she is doing on-line. • How many LEFR resort to taking notes and referring the case on to the department’s computer investigation expert? • How overloaded is that expert? Live Computer System Capture and Triage Tool
Is your force ready to tackle computer crimes • How many LEFR understand the differences between different browsers and know how to capture evidence from them? Say IE versus Firefox versus Safari? • How many LEFR know their way around more than one email client? • How many LEFR know how to capture the logs off any of the handful of popular IM clients? • How many LEFR know their way around MySpace and Facebook? Live Computer System Capture and Triage Tool
Project Goals Enable non-experts LEFR to gather evidence/information from a Windows™ system and perform a preliminary examination. • Preserve evidence for subsequent investigation. • Lessen the number of computer based investigative situations in which an expert is required. • Increase the actions a LEFR can take by providing them with on-site triage of the information. • Provide configuration guidance, i.e. enable history and log caching for on-going investigations. Live Computer System Capture and Triage Tool
Driving Scenarios • Threats • Fraud • Missing persons • Suicide pacts • Theft • Additional evidence and or information for non-computer cases Live Computer System Capture and Triage Tool
Technology Challenges & Opportunities • New forms of communication present new challenges • Electronic Mail, Instant Messaging, Social Networking, Virtual Worlds, not to mention multiple client and service options. • Technology can be intimidating yet it also may provide opportunities that previously did not exist. • Before email and social networks people still communicated only those conversations were often times not recorded. • There is a potential treasure trove of information available on-line that may provide valuable time sensitive information Live Computer System Capture and Triage Tool
Live Computer Capture and Triage Tool (CCTT) Provides law enforcement personnel a simple, easy-to-use mechanism for capturing live data via step-by-step assistance. Provides a triage tool to aid the first responder in the initial examination and next step determination. Ensures that the evidence is collected from the initial contact and provides the investigator with something to analyze. Live Computer System Capture and Triage Tool
What Makes CCTT Unique? • The last thing we need is another forensics tool. • Wizard that guides LEFR through a collection of “typical” complaints. • On-site triage of the available information for immediate action. • Capture of web-based information/evidence. Live Computer System Capture and Triage Tool
What is Microsoft COFEE? From Microsoft’s website: • Announced in April of this year. • Focused on the extraction of “live” data from a Windows™ system before turning off the machine. • Preconfigured, automated, fast tool. • Up to 150 commands; previously would have taken a forensics expert hours to execute. • Over 2,000 LE officers have registered COFEE in over 15 countries. Live Computer System Capture and Triage Tool
How does CCTT work with COFEE? Immediate Action Live Computer System Capture and Triage Tool
Software Distribution and Upgrades • Exploring options for software distribution via the FBI • PD downloads software over the Internet • Software upgrades • Added support features • New capabilities Live Computer System Capture and Triage Tool
Prototype Feedback “I definitely see the need for this tool in my line of work. The live capture alone is helpful, but the CCTT wizard really helps my guys to target the specific kind of information I need, like email headers or instant messaging conversation logs. It’s simple to use, and that’s a good thing. We were excited to try it out, and you guys didn’t disappoint!” --Investigator Shaun Cook, Urbana, Illinois Police Department Live Computer System Capture and Triage Tool
Future Work • Social Networking support • This is our focus area right now • Capture, present and utilize browser cookies, passwords and history information to discover and collect web-based information • Automate as much as possible • Automatically find the social network service and login. • Collect the most relevant information and present in a straight-forward way – recent communications, to whom, content, friends, social network, blogs, pictures, and more • Support for Virtual Worlds Live Computer System Capture and Triage Tool
Contact Information Randy Butler rbutler@ncsa.uiuc.edu Live Computer System Capture and Triage Tool