terrifically as there are growing numbers of internet users and social networking sites. The victims are not limited to adults but also include children, and the attacks not only target individuals but also organizations or countries. The need for finding evidence is crucial, as cybercrimes also need to be treated as physical crimes. In this paper we discuss a mechanism to find cyber evidence that integrates an Intrusion Detection System (IDS) and a firewall system, called Evidence Cyborg (E-Cyborg). E-Cyborg provides a solution that can assist network forensics in cybercrime cases. Based on several tests on the system simulation, the system is able to produce high-quality evidence. Hence, the investigation task becomes more efficient and effective.

Keywords: cybercrime; network forensic; digital evidence.

I. INTRODUCTION

As internet usage has grown massively, cybercrime has also increased rapidly. Various tools such as desktop computers, mobile devices and other digital devices are used in cybercrime. Furthermore, various media can be used in committing such crimes, for example email, web browsers, social networking sites, instant messaging, peer-to-peer and file exchange software, and the list goes on. Finding high-quality evidence is a crucial process, and it is not an easy task to find evidence that can be used in court, as the evidence might be tampered with or modified. In fact, there are many tools to find evidence; however, appropriate tools are needed to ensure the evidence meets the legal criteria, which will be discussed further in the next section. Research by Erin et al. [4] mentioned that evidence collection methodology needs to be improved so that the effort in terms of time and cost is balanced with the requirements and demands of the legal community. From another perspective, there is a legal issue regarding collected evidence. Legal consideration and cyber law are a must to ensure the evidence found is valid for further action and investigation.
Considering this issue, we believe that there is a need for finding admissible evidence so that the evidence collection process is not in vain and the evidence is valid for hearsay.
In this paper we consider integrating IDS and firewall mechanisms into the framework. The structure will be examined and enhanced so that we are able to find and classify possible evidence for the further investigation process. Based on our observation, by utilizing IDS and firewall mechanisms we could solve the problem of obtaining high-quality evidence that is admissible in court for further investigation. For this reason, this research proposes a new mechanism called E-Cyborg to find useful evidence.
In general, there are three main processes: evidence collection, evidence identification and classification, and result documentation. Details of this framework are described in Section III.

II. BACKGROUND

A. Cybercrime

In general, every cybercriminal activity has its own objective and mission. Thus, there are many consequences associated with cybercrime. According to Schell and Martin (2004), cybercrime can harm human beings and property [17]. Cybercrimes committed against human beings include cyber stalking and cyber pornography, whereas cyber attacks such as phreaking and infringing intellectual property rights can harm property. Besides, there are additional classifications of cybercrimes: against organizations and against society [18]. Cybercrimes against organizations include unauthorized access to computer systems, Denial of Service (DoS) attacks, virus attacks and data diddling. Finally, cybercrimes against society include forgery and web jacking. Fig.1.1 illustrates the cybercrime categories.
In addition, cybercrime causes loss to consumers. As reported by Norton in 2012, the average loss from cybercrime is USD 197 per victim, and every second 18 adults become victims [18]. The value of the loss due to cybercrime is definitely terrifying. In Malaysia specifically, as reported in The New Straits Times by Abu Hassan Alshari Yahaya, assistant governor of Bank Negara Malaysia, the loss in internet banking due to fraud was 3.4 million in 2011 and 3.2 million last year [16]. Even though the amount is decreasing, the number is still high and worrying.

Eviyanti Saari, School of Computer Science, Universiti Sains Malaysia, USM Penang, Malaysia, eviyanti@fskik.upsi.edu.my
Aman Jantan (Assoc. Prof., PhD), School of Computer Science, Universiti Sains Malaysia, USM Penang, Malaysia, aman@cs.usm.edu.my
2013 8th International Conference on Information Technology in Asia (CITA) 978-1-4799-1092-2/13/$31.00 2013 IEEE
Besides the loss to consumers, there are also other measures of cybercrime. The costs of cybercrime include criminal revenue, direct losses, indirect losses and defense costs [18]. Criminal revenue refers to the gross receipts from a crime, direct losses include damage or harm caused by a cybercrime, indirect losses are losses that affect society, and defense costs refer to cybercrime prevention costs. Figures 1.2 and 1.3 depict the cost of cybercrime and of cyber defense. It is clear that the increasing number of cybercrimes leads to worldwide financial loss.
Furthermore, cybercrime can leave digital evidence behind for forensic professionals to investigate. In fact, digital evidence has several roles: according to the Federal Bureau of Investigation (FBI) of the Department of Justice in the United States, digital evidence can function as the target of a crime, an instrument of a crime, or a repository of evidence that documents the crime itself. Figure 1.4 depicts the three roles of digital evidence.
In the first role, as the target of a crime, a device such as a computer, mobile phone or storage medium is vulnerable and fragile. Thus, it can allow a person with malicious intent to attack the system. A DoS attack is one example that makes a particular computer the subject or target. Hacking another person's computer is another example of a computer being used as a target. The second role of digital evidence is as an instrument of a crime. Digital evidence can be a tool for committing a crime or for assisting an attacker in their crime agenda. An attacker can use a computer in credit card fraud, to distribute child pornography, to intrude into other systems or to steal information. The third role of digital evidence is as a repository of evidence. System log files can provide valuable information, as every activity in the system is logged. Drug trade is one example of the third role: possibly all the transactions stored in the repository can be used for investigation. It is clear that something has to be done to collect high-quality evidence, since there are three different types of digital evidence that may create different scenarios and problems during the investigation process.

Fig.1.1 Cybercrimes Categories
Fig.1.2 Cost of Cybercrime
Fig.1.3 Cost of Cyber Defense
Fig.1.4 Roles of Digital Evidence
B. Digital Evidence

Collecting digital evidence requires extra effort, as forensic professionals need to carry out an investigation as thorough as for physical evidence; for example, they have to perform crime scene investigation and photograph the crime scene. Besides, forensic professionals also need to perform investigation and analysis of digital data and network traffic. Both physical and digital evidence need to be handled accordingly to ensure the integrity of the evidence for legal procedure. Basically, evidence is the proof that can be used in legal proceedings. In other words, anything related to the crime, to someone who committed the crime, or to the victim of the crime can become or give evidence. However, the evidence needs to meet certain criteria in order to be used as evidence.
In general, evidence must comprise five unique features in order to be useful [2]. If it fails to possess one of these features, the evidence will not qualify for further procedure in court. Evidence must be admissible, authentic, complete, reliable and believable. Figure 1.5 depicts the features of useful evidence mentioned previously.
C. Law and Legal Issues

In general, there is a legal issue regarding collected evidence. Legal consideration and cyber law are a must to ensure the evidence collected is valid for further action and investigation. Considering this issue, we believe that there is a need for collecting admissible evidence so that the evidence collection process is not in vain and the evidence is valid for hearsay. Another reason that motivates us to carry out this research is the need to use valid and authentic evidence that abides by legal authority, besides protecting digital evidence during investigation.
D. Evidence Collection Tools and Techniques

Every single second, a computer network is overwhelmed with a continuous and immense volume of traffic, which makes collecting digital evidence a difficult task. Appropriate tools for investigation are vitally needed to assist forensic professionals in their work and to ensure the reliability and admissibility of the evidence in court. Research by Erin et al. [4] mentioned that evidence collection methodology needs to be improved so that the effort in terms of time and cost is balanced with the requirements and demands of the legal community. The main reason for this is the need to use valid and authentic evidence that abides by legal authority.
In order to deal with evidence collected from the Internet, we have to examine the packets of incoming and outgoing traffic. Network packets can be captured using network monitoring tools like firewalls and IDS, as well as other network devices. Thus these can be sources of evidence.
E. Intrusion Detection System

In general, an IDS is one of the tools that can be used to collect evidence. This technique could make digital forensic evidence collection more efficient and effective. IDS can be divided into two categories, host-based IDS (HIDS) and network-based IDS (NIDS). NIDS can be classified into two general types, known as signature based and heuristic based [6]. A signature-based system detects threats by matching attack patterns. Heuristic-based systems are similar to anomaly-based systems, detecting attacks through deviations from a model of normal behavior [7]. Basically, an IDS is an application that monitors a network for the purpose of detecting network attacks. The IDS sends an alert to the network administrator if an attack is detected in the network. Any attacks, events or activities such as port sniffing and packet scanning that occur in the network are stored in the log files.
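The following is an added illustration, written for this page and not code from the paper or from any IDS product, of the two NIDS detection styles just described. The packet records, the signature strings and the port-count baseline are all constructed for the example; a real system would load its signatures from a rule database and learn its baseline from observed traffic.

```python
"""Signature-based versus anomaly-based detection over constructed traffic.
Shows why signature matching misses anything not already in the pattern
database, while a behavioural baseline catches a scan with no known payload."""
from collections import defaultdict

# Constructed sample traffic: (timestamp, src_ip, dst_port, payload)
SAMPLE_PACKETS = [
    (1, "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    (2, "10.0.0.5", 80, "GET /about.html HTTP/1.1"),
    (3, "10.0.0.9", 80, "GET /login.php?user=' OR '1'='1 HTTP/1.1"),
    (4, "10.0.0.7", 21, ""),     # a host probing many ports with empty payloads
    (4, "10.0.0.7", 22, ""),
    (4, "10.0.0.7", 23, ""),
    (4, "10.0.0.7", 25, ""),
    (4, "10.0.0.7", 80, ""),
    (4, "10.0.0.7", 443, ""),
    (5, "10.0.0.5", 443, "GET / HTTP/1.1"),
]

# Constructed signature database: name -> substring that must appear in the payload.
SIGNATURES = {
    "sqli-tautology": "' OR '1'='1",
    "path-traversal": "../",
}


def signature_detect(packets, signatures=SIGNATURES):
    """Return (src_ip, signature_name) for every payload that matches a known pattern.

    Only attacks whose pattern is already in the database can be found; a new
    pattern, or a slightly rewritten old one, is a false negative. The scan by
    10.0.0.7 above has no payload at all and so is invisible to this detector."""
    hits = []
    for _, src, _, payload in packets:
        for name, pattern in signatures.items():
            if pattern in payload:
                hits.append((src, name))
    return hits


def anomaly_detect(packets, max_ports=4):
    """Flag sources that contact more distinct destination ports than the baseline allows.

    max_ports is an assumed model of normal behaviour (constructed here); a
    legitimate host that talks to many services will be a false positive, which
    is the trade-off the text describes for heuristic/anomaly systems."""
    ports_by_src = defaultdict(set)
    for _, src, dport, _ in packets:
        ports_by_src[src].add(dport)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) > max_ports)


if __name__ == "__main__":
    print("signature hits:", signature_detect(SAMPLE_PACKETS))
    print("anomalous sources:", anomaly_detect(SAMPLE_PACKETS))
```

Running both detectors over the same constructed traffic shows the complementary blind spots: the signature engine reports only the request that contains a known pattern, and the anomaly engine reports only the host whose port usage departs from the baseline. Neither alone sees everything, which is the motivation for the hybrid approach the paper adopts later.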
However, the evidence collected by the Snort system is not accurate, since the system faces a high rate of false positives and false negatives. These problems are caused by the limitation of the signature-based technique, which is unable to detect new malicious code or viruses, as supported by Garuba et al. [7]. Therefore, the really important evidence might be overlooked and non-related evidence captured; hence, invalid evidence will be presented in court.

Fig.1.5 Features of Useful Evidence
Another open source intrusion detection system is the Open Source Host-based Intrusion Detection System (OSSEC). OSSEC performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response [9]. OSSEC [9] can also be categorized as a Log-based Intrusion Detection System (LIDS), as it detects attacks by analyzing logs from various sources, for example firewalls and routers. However, the integrity of the log files becomes an issue if intruders who successfully infringe the system edit the log files.
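One standard mitigation for the log-integrity problem raised above is to seal each log entry with a keyed hash that also covers the previous entry's tag, so that an intruder who edits, deletes or reorders entries on the monitored host cannot produce a log that still verifies. The block below is an added example written for this page, not OSSEC code or any part of the paper's system; the key, the log lines and the tampering it demonstrates are all constructed.

```python
"""Keyed hash chain over log lines: seal on the collector, verify later."""
import hashlib
import hmac

# Constructed secret. It must be held by the collector/forensic host, not the
# monitored system, otherwise an intruder who owns the box can re-sign the log.
KEY = b"example-collector-key"

# Constructed log lines as a firewall and an IDS might emit them.
RAW_LINES = [
    "2013-04-22T10:00:01 fw DROP src=10.0.0.7 dst=10.0.0.1 dport=22",
    "2013-04-22T10:00:02 fw DROP src=10.0.0.7 dst=10.0.0.1 dport=23",
    "2013-04-22T10:00:05 ids ALERT sig=port-scan src=10.0.0.7",
]

GENESIS = b"\x00" * 32  # fixed starting tag for the first entry


def seal(lines, key=KEY):
    """Return [(line, tag_hex)] with tag_i = HMAC(key, tag_{i-1} || line_i).

    Every tag commits to all earlier lines, so changing, removing or reordering
    any entry invalidates that entry's tag and every tag after it."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def first_bad_index(sealed, key=KEY):
    """Recompute the chain. Return the index of the first entry whose tag does
    not verify, or None when every entry is intact."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return None


def demo():
    """Seal the constructed log, then simulate an intruder rewriting one line."""
    good = seal(RAW_LINES)
    assert first_bad_index(good) is None
    tampered = list(good)
    line, tag = tampered[1]
    tampered[1] = (line.replace("src=10.0.0.7", "src=10.0.0.99"), tag)  # constructed edit
    return first_bad_index(tampered)


if __name__ == "__main__":
    print("first entry that fails verification after tampering:", demo())
```

The chain detects in-place edits, deletions and reordering, but not truncation of the tail: a log cut after entry k still verifies up to k. To close that gap the collector must keep an out-of-band record of the latest tag (or a running count), which is also why the key and the tags should be forwarded off the monitored host rather than stored beside the log.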
Since packets come continuously into the network system, it is impossible for us to investigate every packet to find the most probable evidence using IDS, firewalls, sniffers and other tools. The large number of network packets coming into and going out of the network system forces us to devise a proper strategy to filter or classify packets as possible evidence or not. For this reason, we need an appropriate rule set to classify them as well as to increase the accuracy of the collected evidence. Various tools and techniques for collecting evidence are described in the following section.
In general, various evidence collection tools and techniques have been developed and implemented. Research by Wang et al. [10] introduced a dynamical network forensics model based on artificial immune theory and multi-agent theory. This technique collects real-time evidence automatically and provides a quick response to network criminals. Moreover, the technique overcomes the infeasibility of analyzing evidence caused by manual execution of forensic tools, by executing the tools automatically. However, this technique is intended to collect evidence for further analysis rather than to classify the evidence according to the level of evidence possibility. Thus, an evidence classification technique is also needed to produce evidence of high possibility.
Other researchers use an integration technique in which multiple different approaches are used to generate possible evidence. For example, the research by Keppens et al. [11] integrated symbolic crime scenario abduction and Bayesian forensic evidence evaluation to build decision support systems (DSS) for crime investigation. This integration is useful for differentiating competing crime scenarios, whereby the resulting DSS is capable of formulating effective evidence collection strategies. However, the weakness of this approach is the inability to determine the time and space of the event in the built scenario, since it is important for the forensic agent to prepare analysis based on time and space as well.
There is also research on collecting evidence by adopting a forensic profiling system. Research conducted by Yim et al. [12], for example, proposed the evidence collection of Denial of Service (DoS) attacks in a wireless environment by applying the WLAN Forensic Profiling System. However, the rate of collected packets that contain a DoS attack using this approach is lower compared to a general IDS. There is a need to improve the efficiency of collecting evidence so that the rate of packets collected is higher than with a general IDS; thus the accuracy of possible evidence will also improve.
From the above discussion, we observe several problems faced by current tools and techniques: inefficiency [12], inability to classify evidence based on level of accuracy [6, 8, 10], and delay [13]. Arguably, there is a need for a better and more effective technique that can facilitate the evidence collection process in the network to produce accurate evidence. Since an IDS is a tool, we believe that by manipulating the IDS we can solve the problems discussed previously. Moreover, the general mechanism of an IDS can be utilized in order to provide the best technique.
III. PROPOSED FRAMEWORK

In general, the proposed architecture, as shown in Fig.1.6, implements an inference engine to ensure the accuracy of evidence collected from the network system. The inference engine implements a rule-based expert system using the forward chaining method. The set of rules defined in the inference engine is used to classify possible evidence into different categories, i.e. attack, malware, etc. First, packets from the network system are collected and classified by the inference engine. Then the appropriate packets are channeled to the appropriate class for further analysis. Finally, the result is stored in the evidence repository for future use.
Fig.1.6 Proposed Architecture (figure labels: Internet; Evidence Repository)

The framework consists of three main phases: evidence collection, evidence identification and classification, and result documentation, as shown in Fig.1.7.

Fig.1.7 The Framework
a) Phase 1: Evidence Collection

The first phase involves collecting packets from the network system, including real-time and offline information. We utilize FADS to capture all ingress and egress packets of the network system. FADS is implemented using a hybrid approach, combining anomaly-based and signature-based IDS with a distributed multi-agent approach and a data mining engine. The rationale for using this approach is to solve problems faced by previous researchers, such as false positive and false negative alarms, to improve the accuracy and detection rate, and to cluster the captured evidence for further forensic tasks. Different rule sets are needed by different network users; thus the rule set needs to be configured thoroughly to achieve maximally satisfactory results and highly accurate evidence. The outcome of this stage is a log file that contains compressed, persistent, filtered packet information from FADS.

b) Phase 2: Evidence Identification and Classification

In this phase, log analysis is performed on the logs gathered in the first phase. The log analysis identifies intrusions, that is, whether the information can be classified as an intrusion or not. After that, the intrusions are classified according to the level of evidence accuracy so that forensic professionals have a smaller scope of evidence to investigate and analyze. In this phase, all processing is done using the inference engine for clustering purposes. The outcome of this phase is possible evidence with a high level of accuracy, which is stored in the evidence data storage.
c) Phase 3: Result and Documentation

Finally, a report of the possible evidence is generated and documented for further action in court. This process takes into account the custody form, which is the basic form for evidence description for analysis.

IV. SIMULATION & DISCUSSION

Simulation of the proposed model was conducted using a system developed in our SRG lab. Fig. 1.8 depicts a screenshot of the simulation result for the testing of the framework. Further experiment and analysis are needed in order to obtain precise results. However, the results obtained show that the classification technique can contribute to obtaining more accurate possible evidence for network forensics.
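To make the three phases and the forward-chaining inference engine concrete, the block below is an added worked example written for this page; it is not the E-Cyborg or FADS implementation and it does not reproduce the paper's rule set. The log format, the rules, the category names (attack, malware) and the accuracy levels are all constructed. Phase 1 is represented by already-collected log lines, Phase 2 by a small forward-chaining engine that derives a class and level for each source, and Phase 3 by a custody-style record that carries a SHA-256 digest of the exact raw lines it rests on, so the evidence can later be shown to be unaltered.

```python
"""Three-phase pipeline: parse filtered log -> forward-chain classify -> custody record."""
import hashlib
import re

# Phase 1 output, constructed: a filtered log as the collector might emit it.
LOG_LINES = [
    "t=1 src=10.0.0.7 dst=10.0.0.1 dport=22 proto=tcp flags=S",
    "t=1 src=10.0.0.7 dst=10.0.0.1 dport=23 proto=tcp flags=S",
    "t=1 src=10.0.0.7 dst=10.0.0.1 dport=80 proto=tcp flags=S",
    "t=2 src=10.0.0.5 dst=10.0.0.1 dport=80 proto=tcp flags=PA sig=known-bot-c2",
    "t=3 src=10.0.0.9 dst=10.0.0.1 dport=443 proto=tcp flags=PA",
]

# Rules (constructed): when every premise fact is present, the conclusion fact is
# added. Facts are (key, value) pairs; conclusions are ("class", x) or ("level", x).
RULES = [
    ({("syn_only", True), ("distinct_ports_ge3", True)}, ("class", "attack")),
    ({("class", "attack"), ("sig_present", False)}, ("level", "medium")),
    ({("sig_present", True)}, ("class", "malware")),
    ({("class", "malware")}, ("level", "high")),
]


def parse(line):
    """Turn 'k=v k=v ...' into a dict (constructed log format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def initial_facts(rec, ports_by_src):
    """Base facts for one record: the engine's starting working memory."""
    return {
        ("syn_only", rec.get("flags") == "S"),
        ("distinct_ports_ge3", len(ports_by_src[rec["src"]]) >= 3),
        ("sig_present", "sig" in rec),
    }


def forward_chain(facts, rules=RULES):
    """Data-driven inference: fire every rule whose premises hold, repeat until
    no rule adds a new fact. Conclusions of one rule may satisfy another."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            if premises <= facts and conclusion not in facts:
                facts.add(conclusion)
                changed = True
    return facts


def classify(lines):
    """Phase 2: return {src: (class, level)} for every source that reaches a class."""
    recs = [parse(line) for line in lines]
    ports_by_src = {}
    for r in recs:
        ports_by_src.setdefault(r["src"], set()).add(r["dport"])
    result = {}
    for r in recs:
        facts = forward_chain(initial_facts(r, ports_by_src))
        cls = next((v for k, v in facts if k == "class"), None)
        lvl = next((v for k, v in facts if k == "level"), None)
        if cls and r["src"] not in result:
            result[r["src"]] = (cls, lvl)
    return result


def custody_records(lines):
    """Phase 3: one record per classified source with the digest of its raw lines."""
    out = []
    for src, (cls, lvl) in sorted(classify(lines).items()):
        raw = [line for line in lines if f"src={src} " in line]
        digest = hashlib.sha256("\n".join(raw).encode()).hexdigest()
        out.append({"source": src, "class": cls, "level": lvl,
                    "line_count": len(raw), "sha256": digest})
    return out


if __name__ == "__main__":
    for rec in custody_records(LOG_LINES):
        print(rec)
```

Only sources that derive a class fact appear in the output, which is how the engine narrows the forensic professional's scope; the unclassified 10.0.0.9 traffic is kept in the raw log but not promoted to evidence. The digest in each record is what a custody form would carry forward so that the lines presented later can be matched to what was classified.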
Fig.1.8 The Screenshot

V. CONCLUSION & FUTURE WORKS

The main contribution of this paper is a framework for collecting evidence that can classify the most accurate possible evidence. This framework is also designed to limit the collection of evidence-related information so that storage consumption is reduced. Besides, the forensic professional's task becomes more efficient and effective, since the evidence is already filtered and classified according to level of possibility. This research can also contribute to a wise economy by reducing storage space, which can reduce hardware costs.
ACKNOWLEDGMENT

This work was supported by MOSTI Science Fund Grant No. 305/PKOMP/613144 and USM RUi Grant No. 1001/PKOMP/817048, School of Computer Science, Universiti Sains Malaysia, Penang, Malaysia.
REFERENCES

[1] Ashcroft, Daniels and Hart, Forensic Examination of Digital Evidence: A Guide for Law Enforcement, National Institute of Justice, USA, April 2004. http://www.ncjrs.gov/pdffiles1/nij/199408.pdf
[2] Brezinski and Killalea, Guidelines for Evidence Collection and Archiving, RFC 3227 (Best Current Practice), Feb. 2002.
[3] J. H. Wang, Cyber Forensics Issues and Approaches, book chapter in Managing Cyber Threats: Issues, Approaches and Challenges, edited by Kumar et al., Kluwer Academic Publishers, 2005.
[4] Erin E. Kenneally and Christopher L. T. Brown, Risk sensitive digital evidence collection, Digital Investigation, Volume 2, Issue 2, June 2005, pp. 101-119, ISSN 1742-2876, DOI: 10.1016/j.diin.2005.02.001, http://www.sciencedirect.com/science/article/B7CW4-4G7X9TV-2/2/9ccac2eb911d64d2570dbcf9837c1d21
[5] N. Liao, S. Tian, and T. Wang, Network forensics based on fuzzy logic and expert system, Comput. Commun. 32, 17 (November 2009), 1881-1892. DOI: 10.1016/j.comcom.2009.07.013, http://dx.doi.org/10.1016/j.comcom.2009.07.013
[6] M. Garuba, L. Chunmei, and D. Fraites, Intrusion Techniques: Comparative Study of Network Intrusion Detection Systems, Fifth International Conference on Information Technology: New Generations (ITNG 2008), pp. 592-598, 7-9 April 2008.
[7] C. F. Pfleeger and S. L. Pfleeger, Security in Computing (3rd ed.), Upper Saddle River, NJ: Pearson Education, 2003.
[8] Y. H. Choi, J. H. Park, S. K. Kim, S. W. Seo, Yu Kang, J. G. Choe, H. K. Moon and M. S. Rhee, An Efficient Forensic Evidence Collection Scheme of Host Infringement at the Occurrence Time, International Conference on Information Security and Cryptology, pp. 0-0, Dec. 2006.
[9] Daniel B. Cid, Log Analysis using OSSEC, http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
[10] Diangang Wang, Tao Li, Sunjun Liu, Jianhua Zhang and Caiming Liu, "Dynamical Network Forensics Based on Immune Agent," Third International Conference on Natural Computation (ICNC 2007), vol. 3, pp. 651-656, 24-27 Aug. 2007. DOI: 10.1109/ICNC.2007.345, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4344592&isnumber=4344458
[11] Keppens, Shen and Schafer, "Probabilistic abductive computation of evidence collection strategies in crime investigation," Proceedings of the 10th International Conference on Artificial Intelligence and Law, pp. 215-225, 2005.
[12] Yim, Lim, Yun, Lim, Yi and Lim, "The Evidence Collection of DoS Attack in WLAN by Using WLAN Forensic Profiling System," 2008 International Conference on Information Science and Security, 2008.
[13] Luo Guangchun, Lu Xianliang, Li Jiong and Zhang Jun, MADIDS: a novel distributed IDS based on mobile agent, SIGOPS Oper. Syst. Rev. 37, 1 (January 2003), 46-53. DOI: 10.1145/881775.881780, http://doi.acm.org/10.1145/881775.881780
[14] Richard A. Wasniowski, "Multi-sensor agent-based intrusion detection system," Proceedings of the 2nd Annual Conference on Information Security Curriculum Development (InfoSecCD '05), ACM, New York, NY, USA, pp. 100-103, 2005. DOI: 10.1145/1107622.1107645, http://doi.acm.org/10.1145/1107622.1107645
[15] FADS: Forensic Analysis and Discovery System, Security & Forensic Research Group, Universiti Sains Malaysia, Feb. 2012.
[16] Abu Hassan Alshari Yahaya (2013, Jan 16), Internet Banking Losses Decline, The New Straits Times. Retrieved April 22, 2013 from http://www.cybersecurity.my/en/knowledge_bank/news/2013/main/detail/2261/index.html
[17] Schell, B. H. and Martin, C., Cyber Crime: A Reference Handbook, Santa Barbara, California: ABC-CLIO, 2004.
[18] Norton (2012, September 19), 2012 Norton Cybercrime Report, Security Asia Portal. Retrieved April 22, 2013 from http://security.networksasia.net/content/2012-norton-cybercrime-report