Digital Forensics as a Big Data Challenge

Transcription

1 Digital Forensics as a Big Data Challenge Bruxelles, October 23rd 2013 Alessandro Guarino CEO, StudioAG Slide 1 of 20

2 Digital Forensics 1 DFRWS definition 2001 Digital Forensics is the use of scientifically derived [ ] methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence [ ] for the purpose [of reconstructing events] found to be criminal [ ] or disruptive to planned operations Slide 2 of 20

3 Digital Forensics 2 Points: Scientific nature and methods Corporate vs criminal environments Deals with DIGITAL EVIDENCE Academic vs practice The transition from craft to science Slide 3 of 20

4 Digital Forensics 3 So, digital evidence (& the ISO debate)... Potential digital evidence Digital evidence Legal (digital) evidence Slide 4 of 20

5 Digital Forensics 4 Principles Validation Reliability Repeatability Documentation Preservation Slide 5 of 20

6 Digital Forensics 5 (Typical) Workrflow Identification Collection Acquisition Preservation Analysis Presentation / Reporting Slide 6 of 20

7 Data Science 1 Statistics & and Machine Learning (as of now...) Domain knowledge needed: add to forensics panoplia (tech, legal...) DS tools Even more interdisciplinary A.k.a. big data analytics Slide 7 of 20

8 Data Science 2 Powered by big datasets Big data? Trend & figures Installed storage capacity 2.5 Zettabytes in 2012 (1ZB = 1 billion TB) Slide 8 of 20 Source: Latitude magazine #29

9 Challenges Variety of data sources Complexity of investigation Need to correlate these disparate data sources in an investigation Slide 9 of 20

10 Data Science 3 Big datasets? Not only that... Volume, Variety, Velocity Variety mix of structured & unstructured data Lots of different sources Velocity online activities always refreshed Slide 10 of 20

11 Data Science 3 Visualization Necessary to interpret results Slide 11 of 20

12 Challenges The golden age has ended Now investigation has to contend with big data Cost fall Diffusion of solid state media in a variety of devices Mobile revolution Cloud Virtualization Internet of things & ubiquitous connectivity Slide 12 of 20

13 Challenges Velocity Pre-forensics activities needed (for instance in corporate environments) Rapid response times Sometimes encumbered by legal issues Non-consistency See Facebook, Twitter use of nosql Slide 13 of 20

14 Rethinking digital forensics The principles: remodeling the postulates? The challenges of validation Accuracy Repeatability: leaving the holy Graal? Documentation Accurate logs and descriptions Slide 14 of 20

15 Rethinking digital forensics A new workflow? Identification and collection Complete collection could be impossible Prioritization (triage) right at the start Acquisition From copy-all, analyse later To acquire what is necessary, evaluate on the scene Slide 15 of 20

16 Rethinking digital forensics Rethinking the workflow Preservation Big data storage Reporting Log details of examinations, precise algorithms applied Explain validity of machine learning techniques Slide 16 of 20

17 Rethinking digital forensics Tools (to cope) Hadoop Sleuth Kit Hadoop Framework... Slide 17 of 20

18 Conclusions Forensics models challenges Forensic analysts need to Adapt methods to the new scenery Relax some requirements Add some new tools to the arsenal Slide 18 of 20

19 Thank you! Any questions? StudioAG ICT Consulting & Engineering Blog Information Security & ICT law Slide 19 of 20

20 References Barreno, M. et al.: Open Problems in the Security of Learning. In: D. Balfanz and J. Staddon, eds., AISec, ACM, 2008, p FBI: RCFL Program Annual Report fir Fiscal Year 2008, FBI FBI: RCFL Program Annual Report fir Fiscal Year 2010, FBI ISACA: What Is Big Data and What Does It Have to Do with IT Audit? ISO/IEC International Standard Khan, M. and Chatwin, C. and Young, R.: A framework for post-event timeline reconstruction using neural networks Digital Investigation 4, 2007 Yiu, C: The Big Data Opportunity: Making Government Faster, Smarter and More Personal - London: Policy Exchange 2012 Slide 20 of 20