Internet Forensic platform for tracking the money flow of financially-motivated malware

Periodic Reporting for period 2 - RAMSES (Internet Forensic platform for tracking the money flow of financially-motivated malware)

Reporting period: 2018-03-01 to 2019-11-30

The Internet has become a key part of any business activity, and criminal activity is no exception. Some crimes that predate the Internet, such as thefts and scams, have found in it the perfect tool for carrying out their activities. The Internet allows criminals to hide their real identity and to purchase specific tools for stealing sensitive data with a very low investment.

For this reason, the overall objective of the EU project RAMSES is to design and develop a holistic, intelligent, scalable and modular platform for Law Enforcement Agencies to facilitate digital forensic investigations. The system will extract, analyse, link and interpret information from the Internet related to financially-motivated malware. Customers, developers and malware victims will be included in order to obtain a better understanding of how and where malware is spread and to get to the source of the threat. To achieve these ambitious objectives, the project will rely on disruptive Big Data technologies, first to extract and store enormous amounts of unstructured and structured data, and then to look for patterns of fraudulent behaviour in it.
During the project the consortium achieved the following results.

Identification and analysis of the privacy, ethical, and social issues of the RAMSES research project. We carried out an impact assessment, as well as monitored and evaluated the ethical and privacy aspects of the RAMSES platform and the tools. In the course of the project, we monitored the ethical and privacy compliant development of the RAMSES platform and its tools, provided an ethics, privacy, and data protection evaluation of RAMSES based on the answers provided by end-users during the RAMSES pilots and created a report that focused on the ethical and legal aspects of digital forensics and surveillance in Europe.

Design, analysis and deployment of a Big Data platform to serve as the basis for the analytical software components. This scalable software system provides capabilities for data acquisition, data storage, data processing, and data exploitation, taking into account the massive and unstructured nature of the information managed in the project. In particular, the main objectives achieved are:
- To provide a ready-to-use system with improved capabilities for the LEAs to conduct investigations by using information traveling and stored on the Internet obtained under a lawful warrant.
- To provide a secure platform in order to avoid attacks on the application and to keep the confidentiality, integrity, and availability of the data.
- To create an innovative solution following the Open Source concepts.

Deployment and integration into the RAMSES platform of:
- The Banking Trojan analyzer and the Bitcoin tracker, whose prototypes were designed and implemented during RP1. The Banking Trojan analyzer is based on a memory forensics framework for banking Trojan and ransomware analysis and detection. The Bitcoin tracker is based on a modular framework for extracting intelligence from the Bitcoin network to analyze the malicious use of this cryptocurrency.
- An integrated tool for:
  - Image source acquisition identification of mobile devices.
  - Video source acquisition identification of mobile devices.
  - Detecting image and video manipulation.
  - Steganalysis.

Continuous maintenance and improvement of all tools and systems, taking into account the needs of the Law Enforcement Agencies (LEAs). We further improved the tools by making them more user-friendly, improving the memory forensics analysis, improving the synchronization process with the RAMSES platform, and fixing reported bugs.

Analysis of inherent characteristics of Ransomware.

Analysis of Banking Trojan behavior.

Methodology and testing of the guidelines and platform in terms of impact, usability, functionality, and efficacy. We validated and evaluated the results achieved through a number of pilot cases that took place in different EU countries, implemented according to a set of common guidelines developed by the consortium. During this reporting period, LEAs tested the platform through realistic exercises and use-case scenarios. Each testing phase was followed by an evaluation of the degree of satisfaction of the end-users, which was then assessed to provide partners with feedback and input to further improve the RAMSES tools. The implementation of pilots throughout the project was, therefore, a functional activity, necessary to concretely test the platform and prove its efficacy. It included the development of six use cases, based on the two areas of interest of the project, i.e. ransomware and banking Trojans. Pilot 1 was run through use cases 1, 2, 3 and 4, while Pilot 2 was run through use cases 5 and 6. Both activities involved internal LEAs. Within the validation context, external LEAs (such as Interpol) were also engaged in testing and evaluating the platform.

The consortium disseminated the project results, developments, and outcomes through different means, so that they were known to and exploited by the relevant parties and interested members of the public. In particular, it promoted the project processes and outcomes.
The impact of RAMSES was analysed from two different perspectives:

• External: The proposal has a clear focus on delivering tangible assets that improve the tools for Internet forensics in Europe. Additionally, RAMSES aims to use open-source and free software.

• Internal: The RAMSES impact is particularly relevant as a result of the research and innovation capacities of the consortium. For technological partners, RAMSES enables them to leverage and improve existing technology, demonstrating its value on a very specific problem. For LEAs, it materializes the exploitation of existing knowledge and enhances their care cycle, improving data collection for practitioners and constituting new communication channels with citizens.