| NSF Org: |
CNS Division Of Computer and Network Systems |
| Recipient: |
|
| Initial Amendment Date: | May 2, 2014 |
| Latest Amendment Date: | May 2, 2014 |
| Award Number: | 1442069 |
| Award Instrument: | Standard Grant |
| Program Manager: |
Deborah Shands
CNS Division Of Computer and Network Systems CSE Direct For Computer & Info Scie & Enginr |
| Start Date: | June 1, 2014 |
| End Date: | May 31, 2016 (Estimated) |
| Total Intended Award Amount: | $99,894.00 |
| Total Awarded Amount to Date: | $99,894.00 |
| Funds Obligated to Date: |
|
| History of Investigator: |
|
| Recipient Sponsored Research Office: |
101 COMMONWEALTH AVE AMHERST MA US 01003-9252 (413)545-0698 |
| Sponsor Congressional District: |
|
| Primary Place of Performance: |
70 Butterfield Terr AMherst MA US 01003-9242 |
| Primary Place of Performance Congressional District: |
|
| Unique Entity Identifier (UEI): |
|
| Parent UEI: |
|
| NSF Program(s): | Secure &Trustworthy Cyberspace |
| Primary Program Source: |
|
| Program Reference Code(s): |
|
| Program Element Code(s): |
|
| Award Agency Code: | 4900 |
| Fund Agency Code: | 4900 |
| Assistance Listing Number(s): | 47.070 |
ABSTRACT
Insider attacks are a critical issue for companies and governments in scenarios involving trade secrets, sensitive information, intellectual property, personally identifiable information, classified documents, and more. Too many existing approaches for responding to these attacks rely on mechanisms that assume the recovery of locally stored, unencrypted data. These techniques fail on the growing number of devices that employ file system encryption and cloud storage. This project advances novel methods of offering to an attacker's system covert evidence of their attack that may remain after primary data and documents are encrypted or securely wiped. The data has precise meaning to investigators that is demonstrable in court and to other third parties. The data is obfuscated from interpretation by third parties without investigator assistance, and thus is privacy preserving. The long-range outcome of this project will be the enabling of research including: generalized methods of attack response when the computers involved are outside or partially outside the administrator's control, automated methods of discovering channels for offering evidence, and defenses against these techniques. Our research is an important stepping stone towards the broader topic of privacy-preserving, proactive investigation of attacks committed using networked computer systems.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Many existing approaches to digital forensics rely on the recover of locally stored, unencrypted data that has been passively left behind. Built for a passing golden age of forensics, these "Locardian" techniques unfortunately fail on the growing number of devices that employ file system encryption and cloud storage. Advanced techniques are increasingly required of forensic investigators if they are to address these trends. A class of newer techniques for forensic investigation attempt to proactively acquire or store evidence ahead of or during an incident, to ensure it is available despite encryption, deletion, or obfuscation by the perpetrator. Previous approaches to this problem include tagging and beacons. These methods are able to create evidence despite a user obscured by an anonymous connection or using a machine outside the control of an administrator. We developed a software tool that embeds in a document (as a helper macro) and proactively and covertly leaves evidence behind on a system when the document is opened or altered. We assumed a model where the investigator does not have access to the target's machine, but can gain authorization later. The tool is the result of a manual search for opportunities for proactive creation of evidence. In future work, we will seek to develop methods for the automated discovery of opportunities to proactively create evidence.
Last Modified: 10/07/2016
Modified by: Brian N Levine
Please report errors in award information by writing to: awardsearch@nsf.gov.
