Wednesday, March 14, 2007

NSA Talk on Digital Forensics

I recently attended a talk given by Ken Shotting, Technical Director of the NSA’s Digital Forensics Branch, at Santa Clara University.

I expected more heavy duty info-sec people to attend, such as Peter Neumann who had publicized the event, but virtually no one else showed, and it was largely a recruiting pitch to 15 or so computer science students. Nevertheless Ken had some interesting things to say.

NSA handles DoD network security, but also assists the FBI when asked. Contrary to what you see on TV, everyone is very cooperative. Field commanders would like advance warning of attacks.

The USA PATRIOT Act imposed stiffer criminal penalties, making hacking a 3-year felony. This has deterred the pranksters seeking notoriety, and there is a marked shift towards professional criminals bent on financial gain.

SQL Slammer was only 376 bytes, but most exploits now seek to install an entire toolkit including keylogger, backdoor, and remote processes such as an e-mail or bit-torrent server, etc.

Hacker technology has definitely improved and new ideas are rapidly adopted. Now they like to encrypt their software and data, obfuscate their code, indirect their bot-net traffic, and so on. A while back it was rare but now “real hackers obfuscate.”

When investigating a modern hard drive for infections, one is confronted with vast amounts of data. His unit keeps a database of checksums of all “good” files so they can rapidly determine which ones to ignore. It’s harder to tell if picture files are benign.
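One way to implement that kind of known-good hash filter, as an added example that is not from the talk or from the NSA's own tooling; the hash set and the sample file tree are constructed here, and unknown files (the picture included) are left for review:

```python
import hashlib
import os
import tempfile

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for a database of checksums of trusted files.
KNOWN_GOOD = {
    sha256_of(b"MZ\x90\x00 constructed clean binary"),
    sha256_of(b"[config]\nverbose=0\n"),
}

def triage(root: str, known_good: set) -> dict:
    """Hash every regular file under root and split the paths into
    'ignore' (hash found in the known-good set) and 'review' (unknown).
    Files are hashed in 1 MiB chunks so large media or images are not
    loaded into memory whole."""
    result = {"ignore": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            bucket = "ignore" if h.hexdigest() in known_good else "review"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[bucket].append(rel)
    for bucket in result:
        result[bucket].sort()
    return result

def demo() -> dict:
    # Constructed sample tree: two files whose hashes are known good,
    # an unknown executable, and an image whose bytes match nothing.
    samples = {
        "bin/app.exe": b"MZ\x90\x00 constructed clean binary",
        "etc/app.ini": b"[config]\nverbose=0\n",
        "tmp/dropper.exe": b"MZ\x90\x00 constructed unknown binary",
        "pics/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return triage(root, KNOWN_GOOD)

if __name__ == "__main__":
    print(demo())
```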

Originally he figured he would do this for a few years, develop the procedures, and move on. But X years later he’s still there, and there are still no “standard procedures” for network security – the attacks keep evolving.

If you want to sell the NSA a tool, it must process large amounts of traffic and data with a low false positive rate. Data reduction must be at least 10 to the -9.

DoD is moving to IPv6 with a target date of 2008. The DoD network is so complex you could make money just developing tools to help them solve problems.

It is difficult to impute motives to attacks. Few DoD systems contain money, and DoD filters outbound bot-net traffic. Hence, many exploits are programmed to ignore dot mil addresses. Hackers prefer banks, commercial businesses, and universities.

Now that RIAA is actively suing people for downloading, some prefer to hack into machines, look for MP3 files, and steal them.

For examining compromised machines he prefers FTK (Forensic Tool Kit) from Access Data Corp, which requires a dongle, although there is a trial version with a limit of 500 files. He also recommends Autopsy, which runs on Unix and is free, and can examine most file systems.

Even if you think you've deleted your browsing history, it's all still there in the infamous Windows Registry. Hence you might be advised to master these tools.

In many cases it is not possible to take down a critical server that is having a problem, so they must perform "live" forensic analysis on it while it's running.

If you have a compromised laptop and it doesn’t contain super critical data, it may be quicker and cheaper to just buy a new one.

In terms of countries, the #1 origin of attacks is the US, while China (.cn) is #2.

The NSA does not get involved in criminal investigations, so they don’t need to worry about reasonable doubt. Matters pertaining to critical infrastructure are handled by DHS.

Posted 3-14-07.