
NTNU Cyber Security Research &

Testimon Digital Forensics Group


2017 Interpol Cyber Research Seminar

Carl Stuart Leichter, PhD


Carl.leichter@ntnu.no
11.09.2017
Overview

● Motivation for Research


● NTNU Cyber Science
● Testimon Digital Forensics Group Research
● Topic Modelling Research for DFI and CTIS
Cyber-Related Productivity vs Cybercrime Losses

Productivity gain from a 10 % increase in digitisation: 6,000,000,000 S$/year (0.75% GDP)

Losses due to cybercrime: 5,000,000,000 S$/year (0.64% GDP)

Sources: 2014 World Economic Forum; The Norwegian Security Council's Darkness Survey
NTNU Department of Information Security &
Communication Technology
• 80 Full Time Employees (Gjøvik & Trondheim)
• Testimon Digital Forensics Group
• Norwegian Biometrics Laboratory (NBL)
• Norwegian Information Security Laboratory (NISlab)
• NTNU Applied Cryptography Laboratory (NaCl)
• NTNU Quantitative Modelling of Dependability and Performance (QAUM) Laboratory
• NTNU Intelligent Transportation Systems (ITS) Laboratory
• Centre for Cyber and Information Security (CCIS)
Critical Infrastructure Security & Resilience
Risk Assessment

● Cyber security in
○ the oil and gas domain
○ the maritime industry, including autonomous ships
○ the Internet of Things

● Modelling of critical infrastructures, interdependencies, attacks, and vulnerabilities
○ CyFor
○ Cyber-Range

Critical Infrastructure Security and Resilience Projects at NTNU

○ Safeguarding Home IoT Environments
○ Internet of Energy
○ Secure Micro-Grids
○ Intrusion Detection in Process Control Networks
○ Training on cyber security in energy process control
○ ISO Security and Attack Models

10 New NTNU Cyber Science PhD Positions
(Summer 2017)
● Navigation System Security in Unmanned Autonomous
Marine Vessels
● Security of the Cyber Enabled Ship
● Understanding Resilience of Software-Defined Industrial
Control Networks
● Cybersecurity, Safety and Resilience of Smart Cities
● Post Quantum Cryptography
● Blockchain Analytics and Transactions Tracking
● Chatroom Security
● Gamification of Information Security Education and
Training
● Modelling and Analyzing Attack-Defence Scenarios for
Cyber Ranges
● Information Security Economics
CCIS: Bridges Built Between.....

[Diagram: CCIS (Centre for Cyber and Information Security) at the centre, bridging InfoSEC Management, Cyber Defence, Cyber Security of Critical Infrastructure, e-Health and Wellbeing, the COINS Research School of Information Security, the Norwegian Biometrics Laboratory and the NTNU Digital Forensics Group]
NTNU Testimon Digital Forensics Group

Forensic Reliability in Machine Learning, Pattern Recognition & Artificial Intelligence

○ High-performance, fault-tolerant search through terabytes of data
○ Context-aware outlier and abnormality detection
○ Data-driven feature selection and algorithm design
○ Large-scale multinomial statistical analysis and classification
○ Behavioural malware analysis
○ Generation of human-understandable / verbatim processing / decision results, e.g. for judges
NTNU Digital Forensics Group
Joint Research Projects
○ ARS Forensica - Computational Forensics for Large-Scale Fraud Detection, Crime Investigation and Prevention
○ Hansken (NFI) - Digital Forensics as a Service for Norway POD
○ Essential - Evolving Security Science through Networked Technologies, Information Policy and Law
ArsForensica Research Project:

'Gather and analyse massive amounts of data in a forensically sound manner'

Digital Evidence Analysis and Linkages
 Digital Forensics, Network Analysis, etc.

Cyber Threat Intelligence and Security Operations
 Malware, IDS, etc.

Public Sector partners
 ØKOKRIM, KRIPOS, CYFOR, etc.

Private Sector partners
 Telenor, NorSIS, mnemonic, KPMG, PWC, etc.
Testimon ArsForensica Team
Some Topics of Interest

 Big Data Forensics
 Cyberthreat Intelligence
 Dark Web Analytics
 Adversary Social Network Discovery and Analysis
 Advanced Intrusion Detection

Big Data Topics
 Machine Learning for Digital Forensics
 Expedited DF Examination and Analysis
 Semantic analysis of MASSIVE document corpora
 Topic Modelling
 Realtime Analysis of V2 Data Streams
 Cybervision
 Advanced Statistical Analysis Methods
 Data Sketching
Explosion of Digital Evidence in Conventional Law Enforcement

[Figure: many conventional cases (murder, robbery, etc.)]

Big Data Scenarios in Law Enforcement
• Many conventional cases (murder, robbery, etc.)
– Oslo Police District
• Many small data seizures can add up to many TB of data stored as evidence
• Analysis for each case is not complex
– Prefer an analysis interface that works directly with front line investigators

• A few unconventional cases
– ØKOKRIM
– A single case can result in large data seizures equal to many TB
• Millions of documents
– Analysis for each case can take years

Both Scenarios = Many TBs of Data
Need More Advanced Tools for ØKOKRIM
ØKOKRIM Type of Big Data Problem in DF: Panama Papers
• Enron e-mail corpus (from 2002): 160 GB with 1.7 million messages
• Documents from 40 years of business at the law firm Mossack Fonseca
• 11.5 million documents (2.6 TB)
• Head office in Panama City with 35 branch offices all around the world
• 376 journalists from 100 media partners in 80 countries speaking 25 different languages spent one year identifying 214,000 offshore companies in 21 offshore jurisdictions
Panama Papers in Size Perspective
International statistics - numbers

Across the "Relativity universe", separate percentages are tracked for each grouping. Assessing the percentages over the past five years reveals that approximately two thirds of cases fall in the Normal group, approximately a quarter of cases in the Large group, and around 8% in the Very Large group. These percentages have held fairly constant over the past five years with the exception of the Ridiculous cases, which first appeared in 2013 and now, while increasing, account for less than 1% of the overall case size make-up.

Source: © kCura - manufacturer of Relativity, one of the leading e-discovery tools


ØKOKRIM's Largest Ongoing Investigation = 20 x Panama Papers (2.6 TB)!
DFaaS Platform for Conventional Policing

• Numerous separate criminal investigations
• Remote access for police all over the country
• Provides a suite of useful digital investigation tools
• Preservation of digital evidence integrity
• Preservation of digital evidence confidentiality
• Compliance with all requisite laws

DFaaS For Complex Cases?
Testimon Digital Forensics Group Staff (Gjøvik)

Prof Katrin Franke (Testimon Digital Forensics Group Leader) - katrin.franke@ntnu.no
Assoc Prof Marius Nowostawski (Blockchain Technology) - mariusz.nowostawski@ntnu.no
Assoc Prof Geir Olav Dyrkolbotn (Malware) - geir.dyrkolbotn@ntnu.no
Dr Carl Stuart Leichter (Data Analysis) - carl.leichter@ntnu.no
Dr Edgar Alonso Lopez Rojas (Forensic Data Simulations) - edgar.lopez@ntnu.no
Advisor Maria Henningsson (Organizational Excellence) - maria.henningsson@ntnu.no
Testimon Adjunct Staff

Assoc Prof Thomas Walmann (ØKOKRIM)

Assoc Prof André Årnes (Telenor)

Lecturer Jeff Hamm (Mandiant)


Testimon DFG PhD Candidates
• Andrii Shalaginov: Adv. Neuro-Fuzzy Algorithm for Digital Forensics
• Dmytro Piatkivskyi: Blockchain (Lightning)
• Ambika Chitrakar: Approximate Search in IDS
• Kyle Porter: Approximate Search in DF
• Jan William Johnsen: Criminal Network Analysis and Financial Fraud
• Sergii Banin: Machine Level Analysis of Malware
• Gunnar Allendale (KRIPOS): Security Vulnerabilities for DF
• Jens-Petter Sandvik (KRIPOS): IoT Forensics
• Stig Anderson (OPD): DF Investigation Processes
• Jul Fredrik Kaltenborn (PHS): DF and the Rule of Law


Simulating Fraudulent Transactions
Adversarial Network Analysis

Feasibility Study of Social Network Analysis on Loosely Structured Communication Networks, Jan William Johnsen and
Katrin Franke, Procedia Computer Science
Improve Approximate Search for Digital Investigation and Intrusion Detection
• Improve precision
– Find more of what we want, without losing significant accuracy
– Good for the beginning of an investigation

NFA With Greater Flexibility in Types of Errors
Malware Classification Based on
Analysis of Low-Level H/W Activity
• Signature-based malware detection is not robust
against simple obfuscation techniques.
• Malware developers try to conceal malware’s
functionality.
• It is impossible to avoid execution on the hardware.
• Can low-level features alone provide better detection rates?
• Can we use low-level features for malware classification?
• Can low-level features provide stealthy malware detection?
Topic Modelling Research
• Latent Dirichlet Allocation (LDA)
• Topic Modelling in Digital Forensics Investigations (DFI)
• Topic Modelling for Cyber-Threat Intelligence (CTI)
Latent Dirichlet Allocation: A Generative Model

For each document d in D:
    Choose θ ∼ Dirichlet(α)
    For each word w_n in document d:
        Choose a topic z_n ∼ Multinomial(θ)
        Choose φ ∼ Dirichlet(β)
        Choose a word w_n from p(w_n | z_n, β)

Steyvers, Mark, and Tom Griffiths. "Probabilistic topic models." Handbook of Latent Semantic Analysis 427.7 (2007): 424-440.
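The generative process above, run forward as simulation code, together with the term-document count matrix that the matrix-based corpus analysis on the following slides starts from. This is an added example and not code from the talk: it uses only the Python standard library (Dirichlet draws built from Gamma variates), follows the standard LDA formulation in which each topic's word distribution φ_k is drawn once rather than inside the word loop, and the vocabulary and hyperparameters are constructed toy values.

```python
import random

def sample_dirichlet(concentration, rng):
    """Draw one probability vector from Dirichlet(concentration) by
    normalising independent Gamma(a_i, 1) variates (no numpy needed)."""
    gammas = [rng.gammavariate(a, 1.0) for a in concentration]
    total = sum(gammas)
    return [g / total for g in gammas]

def sample_index(probs, rng):
    """Draw one index from a categorical (single-trial multinomial)."""
    return rng.choices(range(len(probs)), weights=probs, k=1)[0]

def generate_corpus(vocab, num_topics, doc_lengths, alpha, beta, seed=0):
    """Run the LDA generative process; returns (docs, theta, phi).
    phi[k] is topic k's word distribution (drawn once per topic, as in
    standard LDA); theta[d] is document d's topic mixture."""
    rng = random.Random(seed)
    phi = [sample_dirichlet([beta] * len(vocab), rng) for _ in range(num_topics)]
    docs, thetas = [], []
    for length in doc_lengths:
        theta = sample_dirichlet([alpha] * num_topics, rng)  # theta ~ Dirichlet(alpha)
        words = []
        for _ in range(length):
            z = sample_index(theta, rng)    # z_n ~ Multinomial(theta)
            w = sample_index(phi[z], rng)   # w_n ~ p(w | z_n, phi)
            words.append(vocab[w])
        docs.append(words)
        thetas.append(theta)
    return docs, thetas, phi

def term_document_counts(docs, vocab):
    """Term x document count matrix: rows are vocabulary terms, columns
    are documents. Each column sums to that document's length."""
    index = {term: i for i, term in enumerate(vocab)}
    matrix = [[0] * len(docs) for _ in vocab]
    for d, words in enumerate(docs):
        for word in words:
            matrix[index[word]][d] += 1
    return matrix

# Constructed toy vocabulary; not taken from the Enron or forum corpora.
VOCAB = ["invoice", "payment", "account", "exploit", "password", "server"]

if __name__ == "__main__":
    docs, theta, phi = generate_corpus(VOCAB, num_topics=2,
                                       doc_lengths=[8, 5, 12],
                                       alpha=0.5, beta=0.1, seed=7)
    for d, words in enumerate(docs):
        print(d, " ".join(words))
```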
Graphic Representation of Document Generation

Co-Occurrence Matrix Representation of Document Corpus
Matrix Analysis of
Document Corpus
Topic Modelling for DFI (Enron Corpus)

– Enron Accounting Scandal
– California Energy Crisis

Ten Topics Extracted From Enron Corpus
Topic 4: Author Participation Over Time
Topic Modelling for CTI
Hacker Forum Data

– Nulled.IO
– http://leakforums.net/thread-719337
– 3,495,596 posts

Nulled.IO Hacker Forum Data (16,000 Posts)
Nulled.IO Hacker Forum Posts
Estimated Topics (16K Posts)
1000K Posts [Security Relevant Only]
Future Work: DarkWeb Jihadi Forums

Raw forum record:
100002 11290 WALLAHI-laylatul Qadr is the 27th Night- Helping Everyone Out- 1283 Mu7aaribah Why do we tend to act the worst in this blessed month of ramadhaan? In the last 10 days of ramadhaan?Wallaahi we are so being tested here by Allaah and some of you are just falling right into the trap. Subhan'AIIaah. Please think, think, think and then act. 2006 10 17 2006-10-17 14:48:00.000 99629

Pre-processed record:
1 00002 1283 2006-10-17 14:48:00.000 Why do we tend to act the worst in this blessed month of ramadhaan In the last days of ramadhaan Wallaahi we are so being tested here by Allaah and some of you are just falling right into the trap SubhanAIIaah Please think think think and then act
Thank You!

Questions?

Carl Stuart Leichter, PhD


Carl.leichter@ntnu.no
11.09.2017