Matt Trout, Penn State University, matt@matt-trout.com [PRIMARY CONTACT]
Dr. Isaac Brewer, Penn State University, isaacbrewer@psu.edu [Faculty Advisor]
Student Team: YES
Analyst’s Notebook v7
by i2 Inc.
http://www.i2inc.com/
Analyst’s Notebook is powerful visual analysis software developed by i2 Inc. This program allowed our team to easily import the datasets and visualize the data as an “out of the box” solution. We were able to perform crucial functions such as counting the number of Flitter connections a user has, and to visualize patterns and relationships quickly and easily. This tool was used heavily throughout the investigative process in the grand challenge.
VideoAnalyst v 2.1
by intuVision, Inc.
http://www.intuvisiontech.com/
VideoAnalyst, developed by intuVision, Inc., is another powerful tool we used during the investigative process, in this case for the video data. Our team ran the software over the provided VAST video footage and used its content extraction tasks to find patterns and pull out potentially useful information and still images for review by the team. This software was useful in identifying potential vehicles and suspects for further investigation, and in drawing conclusions about potential meeting spots and the suspects involved.
Microsoft Office
by Microsoft
http://office.microsoft.com/en-us/excel/FX100487621033.aspx
Microsoft Excel was used in a small way to initially analyze and sort the data. VBScripts and a plug-in were run in an attempt to discard any data that we felt was not pertinent to the solution.
Easy Filter Excel Plug-In
by Ron de Bruin and Norman Harker
http://www.rondebruin.nl/easyfilter.htm
This plug-in was used to quickly and easily filter out all Flitter users who were not international (that is, located outside of Flovania) through a GUI within Excel. This aided us in narrowing down potential international contacts.
Two Page Summary: NO
Video: Click here to view our video submission
ANSWERS:
GC.1: Please describe the scenario supported by your analysis of the three mini-challenges in a Debrief.
The network security team at the United States Embassy in the country of Flovania identified irregularities in the network traffic logs. They notified the Embassy Counterintelligence Officer of these network “red flags” because they suspected someone was sending classified information out of the Embassy to an unidentified source. Sixty employees at the embassy have access to the classified information twenty-four hours a day, seven days a week. One of these employees is the guilty party who is giving this classified information to an outside source or organization. This person is not working alone: they are in contact with handlers working for the leader of this organization, and may also have help on the inside.
All the employees at the embassy have an account on a social network called Flitter, to which all of these suspects belong. There is evidence that suggests the employees with IDs 11 and 37 are working together. Employee 37, Flitter username @Ouhyoung, is from the city of
The evidence suggests that @Ouhyoung is collaborating with employee 11 (Flitter username @Cornell, also from Ryzkland). @Cornell is highly interconnected on the Flitter site, and the evidence suggests that he/she is the middleman between the suspected handlers and @Ouhyoung. The handlers, we believe, are the Flitter connections Persons 66, 101 and 126, usernames @Lyonns, @Lonning and @Encarnacion respectively.
Figure 1.1 – Network traffic log shows Person 37 (@Ouhyoung) in the embassy network emailing on Saturday January 14th, outside of the normal Monday to Friday schedule the rest of the embassy staff follows.
Figure 1.2 – Network traffic log shows Person 37 (@Ouhyoung) transmitting a significantly larger amount of data than receiving.
These three Handlers, one of whom we believe is a woman, do not have contact with each other, but each is connected with the middleman, @Cornell. One of the handlers, @Lyonns, is the only one to have contact with the leader of the operation, Person 3, who is @Dykema from Koul. @Dykema has well over one hundred Flitter connections (three hundred eighty-six Flitter connections), which include many international contacts from the bordering nations Transak, Posana and Trium. His main international contact, as we identified it, is Person 1040, Flitter name @Cunliffe from the city of Otello in Posana. “Fearless Leader” and International Contact @Cunliffe share a mutual contact in Person 66, @Lyonns, who is one of the handlers we identified. These seven individuals stand out to us as a possible conspiracy network, which served as the basis for our investigation.
Figure 1.3 – Three handlers as displayed in Analyst’s Notebook chart.
Analysis of the video footage using intuVision’s VideoAnalyst identified two possible meetings and exchanges of items or information, either during the hour of 8 a.m. or at the end of the workday around 6 p.m. A suspicious-looking couple was walking along the sidewalk. The couple leaves the surveillance camera’s view for a couple of minutes; then the woman reappears and walks across the street with her bag in the opposite hand, possibly indicating that she put something such as a disk or documents into her purse. Also using VideoAnalyst, we identified a possible vehicle driven by the male suspect who was seen walking with, and possibly meeting, the woman. It is believed to be an older (between 1991 and 1995) red Nissan XE Hardbody pick-up truck. The truck was seen parked on the street before the work day began, and sitting at a red light shortly after the woman walked across the street. We believe that these two knew which way the cameras were facing: as they parted ways, the woman crossed the street while the male, who is either the suspected employee @Ouhyoung or the middleman @Cornell, walked to his vehicle unseen.
Figure 1.4 – Shows the type of truck the suspect could be driving, as gathered from video surveillance footage and found using VideoAnalyst.
Figure 1.5 – Shows that around the time the meeting between the man and the woman finished, the suspect’s red truck is no longer in the same spot it was earlier in the day.
Figure 1.5 – Shows that before the meeting occurred, the woman had her bag on the opposite side of her body. Following the meeting, she is carrying it on the other side, meaning she could have inserted something such as a disk or other type of media into it, with information on it she received from the man.
The pair walking on the sidewalk caught our eye because of their meeting area. The man and the woman are seen walking at the beginning of the Part 1 video footage and go out of the camera’s view. Nearly two and a half minutes later, the same woman crosses the street from the corner where the couple appears to have left the camera’s sight. We think the male, who is believed to be one of the employees, exchanged some kind of removable media with the woman at the conclusion of the meeting, as she is carrying her purse in the opposite hand. This indicated to us that she may have put something into her purse before crossing the street, as she took it off the opposite side of her body. The employee would possibly have known where the cameras’ “blind spot” was and chose to meet there in an attempt to stay out of sight.
Our hypothesis is that @Ouhyoung and @Cornell are smuggling data out of the embassy via email and/or by meeting in person with one of the handlers. The handlers then work amongst themselves, and the main handler, Person 66 (Flitter username @Lyonns), is in contact with Fearless Leader @Dykema and his International Contact @Cunliffe in plotting some kind of event in the city of
Figure 1.7 – Summary of suspects broken down by ID, username and role in the plot.
If the suspicion and evidence against them fit, make a move on the employee and get them to set up a meeting with the handler. Climb the ladder of the organization, eventually apprehending the mastermind of the operation, Fearless Leader @Dykema. It seems that this organization has a unique agenda, though its purpose remains a mystery.
We hypothesize that it could be a plot by the bordering nations to move in on territory in the nation of Flovania; these nations of Posana, Trium and Transak may want to expand. Another potential scenario could be a terrorist plot against the city of
GC.2: Who are the major players in the scenario and what are their relationships?
Out of all the employees at the United States Embassy, we have narrowed the suspected network down to seven individuals, using a variety of methods and logging many hours. First, the two suspected employees, @Ouhyoung and @Cornell, are responsible for managing the data transfer out of the Embassy and coordinating with the Handlers. Initially, the VAST data on @Ouhyoung and @Cornell was imported into Excel. The Handlers, @Lyonns, @Lonning and @Encarnacion, coordinate with Fearless Leader, @Dykema; however, they do not communicate directly with each other. This coordination could include transfer of data either over the Internet or on some type of removable media. Fearless Leader keeps in contact with his international contact, @Cunliffe, discussing the data pertinent to their plans for the possible scenarios.
Arriving at this conclusion involved many steps and many hours using a variety of tools. First, the network data was analyzed using Microsoft Excel and Analyst’s Notebook. The data was initially imported into Excel and sorted by IP address and also by port number. The data was then carefully examined by hand by Matt Trout. After looking at the amount of data sent versus received through both the HTTP and email ports (80 or 8080, and 25), we determined that @Ouhyoung and @Cornell had the most suspicious network activity, as large amounts of data (in bytes) were transferred to a few IP addresses multiple times over a span of a couple of weeks. We determined that email was the way in which information was being transferred out of the embassy. After two hours of importing, the data was finally fully loaded and visualized in Analyst’s Notebook. Using the different layout features of Analyst’s Notebook, such as the Hierarchical and Peacock views, we were able to see which IPs had the strongest links to our suspects and how much data was being transferred on a nearly regular basis. This formed our initial opinion of which employees were involved, and we decided to focus our efforts on @Ouhyoung and @Cornell. However, we still needed to examine the data gathered regarding the social network, Flitter, which all the suspects in this scenario are using.
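The traffic triage described above (bytes sent versus received on ports 25, 80 and 8080, repeated transfers to a few destinations, and the weekend activity of Figure 1.1), written out as detection logic. This is an added example, not the team's code or the VAST data: the session records, IP addresses, byte counts and the ratio/volume thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sessions (not the VAST network log):
# (timestamp, source IP, destination IP, destination port, bytes sent, bytes received).
# 2006-01-14 is a Saturday; 10.0.1.37 stands in for Person 37's workstation.
SAMPLE_LOG = [
    ("2006-01-09 09:12:00", "10.0.1.37", "203.0.113.5", 25, 4_800_000, 3_200),
    ("2006-01-10 10:05:00", "10.0.1.37", "203.0.113.5", 25, 5_100_000, 2_900),
    ("2006-01-14 11:40:00", "10.0.1.37", "203.0.113.5", 25, 4_950_000, 3_100),
    ("2006-01-09 08:30:00", "10.0.1.12", "198.51.100.9", 80, 2_400, 58_000),
    ("2006-01-12 13:15:00", "10.0.1.12", "198.51.100.22", 8080, 3_100, 72_000),
    ("2006-01-13 15:02:00", "10.0.1.12", "198.51.100.9", 80, 1_900, 44_000),
]
WATCHED_PORTS = {25, 80, 8080}  # the email and HTTP ports examined on the page

def profile_hosts(records):
    """Per source host: bytes out/in on the watched ports, distinct destinations,
    session count and number of weekend (off-schedule) sessions."""
    prof = defaultdict(lambda: {"out": 0, "in": 0, "dsts": set(), "sessions": 0, "weekend": 0})
    for ts, src, dst, port, sent, recv in records:
        if port not in WATCHED_PORTS:
            continue
        p = prof[src]
        p["out"] += sent
        p["in"] += recv
        p["dsts"].add(dst)
        p["sessions"] += 1
        if datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").weekday() >= 5:  # Sat=5, Sun=6
            p["weekend"] += 1
    return prof

def flag_exfil_candidates(records, ratio=10.0, min_out=1_000_000):
    """Flag hosts that send far more than they receive (assumed thresholds), and
    attach corroborating signals (few repeat destinations, weekend activity)."""
    flagged = {}
    for src, p in profile_hosts(records).items():
        if p["out"] < min_out or p["out"] <= ratio * max(p["in"], 1):
            continue
        reasons = [f"out/in byte ratio {p['out'] / max(p['in'], 1):.0f}:1"]
        if p["sessions"] >= 3 and len(p["dsts"]) <= 2:
            reasons.append(f"{p['sessions']} sessions to {len(p['dsts'])} destination(s)")
        if p["weekend"]:
            reasons.append(f"{p['weekend']} weekend session(s)")
        flagged[src] = reasons
    return flagged
```

A host that merely browses (10.0.1.12 in the sample) never trips the ratio gate, so the weaker signals are only reported as corroboration for hosts that already look like they are pushing data out.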
According to the VAST scenario, the suspected employee has between thirty and forty Flitter contacts. After sorting through the data using Microsoft Excel and deleting all unnecessary data, we imported it into Analyst’s Notebook for visualization. Using the Visual Search function within the program, which displays how many connections there are for a certain entity, we searched for both @Ouhyoung and @Cornell. @Ouhyoung had thirty-seven Flitter connections, fitting the VAST scenario description. @Cornell had one hundred and sixty-eight connections, but had the strongest links to potential Handlers. We hypothesized that @Ouhyoung was the employee responsible for the data transfer and that @Cornell was the middleman between @Ouhyoung and the Handlers. Using intuVision’s VideoAnalyst, we uncovered video surveillance footage outside the Embassy of a couple walking along the sidewalk. They go out of the camera’s view and into a blind spot for around two minutes before the woman walks across the street, carrying her bag in the opposite hand from when she was walking on the sidewalk. This indicated to us that she potentially put something into her bag, such as a disk or documents. We concluded that she could possibly be a Handler for Fearless Leader and should be investigated as such.
Figure 2.1 – Shows overall Analyst’s Notebook chart with identified entities highlighted.
Once we determined @Cornell was the point of contact, we focused on his connections, examining them manually using Microsoft Word and Analyst’s Notebook’s Visual Search function to see how many connections each of @Cornell’s contacts had, and jotting down notable users that fit the Handlers’ description of between thirty and forty connections. Once we had a list of potential handlers, we manually examined each of their contacts, jotted them down in an MS Word document, highlighted contacts that were connected with multiple suspected handlers, and analyzed further to form a conclusion. It was determined that there were three Handlers instead of just one. These suspected Handlers are @Lyonns, @Lonning, and @Encarnacion. None of the Handlers are connected with one another, but all are contacts of the same user, @Cornell, the middleman of the operation. Only one of the contacts of any of the Handlers had well over one hundred connections, and that was a connection of @Lyonns: @Dykema, whom we believe to be the Fearless Leader of the operation, has three hundred and eighty-six connections.
International contacts are also involved in this scenario, and we needed to pinpoint @Dykema’s international contact(s). Using a plug-in called EasyFilter, which was downloaded from the Internet, we took the base Flitter user location list and deleted the rows where the city was not equal to Transplasko, Tulamuk, or Otello. This narrowed the process down greatly. Finally, using the Visual Search feature of Analyst’s Notebook, we searched the connections of @Dykema and listed them in a table. The table was sorted through manually, searching for users who we found to be international users. We determined that @Cunliffe, a Flitter connection of @Dykema’s from Otello, Posana, was his international contact. We noticed @Cunliffe was also a connection of @Lyonns, one of the Handlers for Fearless Leader @Dykema, which raised a red flag for us.
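The manual Flitter search in the three paragraphs above (an employee with a bounded number of connections, a middleman, handlers who all know the middleman but not each other, a single handler touching a very well-connected leader, and the leader's contacts filtered to the foreign cities) can be run as one graph query. This is an added example, not the team's code or the VAST Flitter data: the toy friendship graph, the city table and the degree thresholds are constructed, and the degree bounds are parameters because the page's 30-40 and 386 do not fit a toy graph.

```python
from collections import defaultdict
from itertools import combinations

# Constructed toy Flitter friendship graph (not the VAST data set); suspect names echo
# the page, every other node is filler. Edges are undirected.
EDGES = [
    ("ouhyoung", "cornell"), ("ouhyoung", "a1"), ("ouhyoung", "a2"), ("ouhyoung", "a3"),
    ("cornell", "lyonns"), ("cornell", "lonning"), ("cornell", "encarnacion"),
    ("cornell", "c1"), ("cornell", "c2"), ("cornell", "c3"),
    ("lyonns", "dykema"), ("lyonns", "cunliffe"), ("lyonns", "h1"), ("lyonns", "h2"),
    ("lonning", "h3"), ("lonning", "h4"), ("lonning", "h5"),
    ("encarnacion", "h6"), ("encarnacion", "h7"), ("encarnacion", "h8"),
    ("dykema", "cunliffe"), ("dykema", "d1"), ("dykema", "d2"), ("dykema", "d3"),
    ("dykema", "d4"), ("dykema", "d5"), ("dykema", "d6"),
]
CITIES = {"cunliffe": "Otello", "d1": "Koul", "d2": "Koul", "lyonns": "Ryzkland"}  # constructed
FOREIGN = {"Transplasko", "Tulamuk", "Otello"}  # the cities the page's EasyFilter step keeps
EMPLOYEES = {"ouhyoung", "cornell", "a1"}       # embassy staff with Flitter accounts (constructed)

def build_adj(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

ADJ = build_adj(EDGES)

def find_pattern(adj, employees, member_range, leader_min):
    """Employee -> middleman -> two or more mutually unconnected handlers -> exactly one
    leader. member_range bounds the degree of employee and handlers (30-40 on the page);
    leader_min is the leader's minimum degree (hundreds on the page)."""
    lo, hi = member_range
    def in_range(u):
        return lo <= len(adj[u]) <= hi
    matches = []
    for emp in sorted(employees):
        if not in_range(emp):
            continue
        for mid in sorted(adj[emp]):
            handlers = sorted(h for h in adj[mid] if h != emp and in_range(h))
            if len(handlers) < 2 or any(b in adj[a] for a, b in combinations(handlers, 2)):
                continue  # handlers must not know each other
            links = [(h, l) for h in handlers for l in adj[h] if l != mid and len(adj[l]) >= leader_min]
            if len(links) == 1:  # only one handler reaches the leader
                matches.append({"employee": emp, "middleman": mid, "handlers": handlers,
                                "leader_via": links[0][0], "leader": links[0][1]})
    return matches

def international_contacts(adj, user, cities, foreign):
    """The EasyFilter step: keep only contacts whose city is one of the foreign cities."""
    return sorted(c for c in adj[user] if cities.get(c) in foreign)
```

The mutual contact the page flags between the leader and the international contact is just the intersection of their neighbour sets, which the caller can take from the returned match.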
Figure 2.2 – By using the EasyFilter plug-in for Microsoft Excel, we were able to narrow down the international contacts and examine them manually.
Figure 2.3 – Analyst’s Notebook chart that shows Persons 3, 66 and 1040 are connected.
This is our suspected network of individuals involved. What they are planning we can only speculate, but we considered terrorism events such as bombing the Embassy, the assassination of an important individual arriving at the Embassy, or simply a takeover by the surrounding countries who are looking to expand. However, using this suspect list, we can take the necessary precautions and investigate these individuals further before it is too late.
Figure 2.4 – Summary connections chart put together using Analyst’s Notebook and VideoAnalyst.