A Road Map for Digital Forensic Research

Transcription

1 1 Outline of Today s Lecture! A Road Map for Digital Forensic Research o Report from the 1 st Digital Forensic Research Workshop (DFRWS) 2001! Defining Digital Forensic Examination and Analysis Tools o (DFRWS 2002)! Preservation of Fragile Digital Evidence by First Response o (DFRWS 2002) A Road Map for Digital Forensic Research - Report for DFRWS 2001 Yong Guan 3216 Coover Tel: (515) guan@ee.iastate.edu Oct. 17,

2 3 Background! On Aug. 7-8, 2001, the 1 st Digital Forensic Research workshop was held in Utica, NY.! The objectives:! Spark discussion among academic and practitioners with experience and interest in the field of Digital Forensics.! Five keynote speakers:! Eugene Spafford, Charles Boeckman, Chet Hosmer, David baker, and John Hoyt 4 Introduction! Providing accurate information derived through the use of proven and well-understood methodologies! Forensic science applied in courts of law has sought to use commonly applied techniques and tools only after rigorous, repetitive testing and thorough scientific analysis.! E.g., DNA as evidence! First time in 1987, presented in U.S. court! 32 years after DNA was described.! Factual discovery takes time and an insatiable desire for accuracy of results as well as precision in the methodologies employed in its production.! Without rigorous process that leads to proven scientific discovery, decision-makers in the courts and elsewhere are left to reply on supposition or worse yet intuition in the pursuit of justice. 2

3 5 Introduction (cont.) Courts Law Enforcement Homeland Security Information Warfare Military Operations Digital Forensic Research Critical Infrastructure Protection Business & Industry 6 Workshop Discussions! Foundations! Framework for Digital Forensic Science! Trustworthy of Digital Evidence! Network Forensics! Challenges! Detection and Recovery of Hidden Data 3

4 7 A Framework for Digital Forensic Science! Build a taxonomy to guide and direct research.! Identify the areas or categories that define the universe of digital forensic science! Digital forensics should be characterized by:! Theory: a body of statements and principles that explain how things work! Abstractions and models: considerations beyond the obvious, factual, or observed! Elements of practice: related techniques, tools, and methods! Corpus of literature and professional practice! Confidence and trust in results: usefulness, purpose 8 A Framework for Digital Forensic Science! Current Status! DFS only exhibits some of these characteristics and are not tied to specific discipline practices considered by any group as scientifically rigorous! There is a level of trust and precedence established for some of these tools and techniques in common use. However, the fidelity of the trusted placed on these tools and techniques is yet to be tested.! More formal research needs to be performed. 4

5 9 A Framework for Digital Forensic Science! The definition: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operatons 10 A Framework for Digital Forensic Science! The process See the next page. 5

6 11 12 The Trustworthyness of Digital Evidence! Questions:! Is the abstract, transformed nature of digital data troublesome?! If so, can it be overcome?! The fact that many tools and methodologies exist that allow to modify almost any attribute associated with digital data cast doubt on or at least occasionally suspect the integrity of digital evidence.! Integrity! Fidelity: How closely does the data accurately or truthfully represent fact or factual events? 6

7 13 The Trustworthyness of Digital Evidence! Issues:! Tranform process of information: Correctness! Trained and certified forensic serologists can comment on the correctness of DNA evidence via explanations that incorporate findings from molecular biology.! However, most analysts in DFS can not make similar claims.! What can be done to reduce the analytical subjectivity in DFS? It seems that human interaction with digital evidence was determined to be a fact of life in DFS into foreseeable future. Do you agree? 14 The Trustworthyness of Digital Evidence Research Solutions:! Methods to detect digital tampering! Securing or assuring protection of repositories from tampering! Correctness in digital transform methodology! Studies of hardware imperfection or electronic signature may produce data that links data to a source platform with higher confidence! Time synchronization and assessing measurable temporal drift per platform. 7

8 15 Detection and Recovery of Hidden Data Identify hiding methods and hiding places likely to be employed in digital realms.! Steganography! Anonymity! And many others! Categories of Data Hiding See the next page. 16 8

9 17 Detection and Recovery of Hidden Data Research in Detection and Recovery! Blind detection! Watermarking! Image Quality Standards! Hashing and encryption! Signature analysis 18 Network Forensics The defition: The use of scientifically proven techniques to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities. 9

10 19 Network Forensics Issues:! Time! Performance! Complexity! Tools! Correlation! Collection: Who, When, What! Emerging Technologies! Wireless technology! Merging or absorbing wired services into wireless architectures, PDA, etc.! Legal hurdles Defining Digital Forensic Examination & Analysis Tools Brian Carrier 10

11 21 Definition of Digital Forensic Science "As defined at DFRWS 2001: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. 22 Identification and Analysis " We are restricting ourselves to the digital forensic phases of identification and analysis " Using the previous definition, the goal of these phases can be expressed as: To identify digital evidence using scientifically derived and proven methods that can be used to facilitate or further the reconstruction of events in an investigation. " All evidence is needed: Inculpatory Evidence: verifies existing data and theory Exculpatory Evidence: contradicts existing data and theory Traces of tampering: shows signs of tampering to hide data 11

12 23 Digital Forensics Complexity Problem " Data is typically acquired in its most raw format " This is generally difficult for investigators to understand " This problem has been solved by using tools to translate data through one or more layers of abstraction until it can be understood. " Abstraction Layer Examples: File System Directories ASCII HTML Network Packets Intrusion Detection Systems (IDS) 24 Digital Forensic Analysis Tools "It is proposed that the purpose of digital forensic analysis tools is to accurately present all data at a layer of abstraction and format that can be effectively used by an investigator to identify evidence. "The needed layer of abstraction is dependent on the case and investigator 12

13 25 Abstraction Layers " Used by all digital systems to customize generic interfaces " Function with two inputs and two outputs " The input rule set is typically the design specification 26 Tool Implementation Error " Errors introduced by bugs in the tools " Examples: General programming bugs Tool used an incorrect specification Tool used the correct specification, but the original source did not " One can assume that the bugs are fixed when identified " To factor in the potential for unknown bugs, a value could be calculated based on the history of a tool Likely be difficult to maintain for closed source tools that hide bugs that are not made public 13

14 27 Abstraction Error "Errors introduced by the abstraction theory "Exists in layers that were not part of the original design "Examples: Log processing IDS alerts "This error can improve with research and better abstraction theories 28 Analysis Tool Error Problem "Data from digital forensic analysis tools will have some margin of error associated with them. This does not include the errors associated with previous tampering, acquisition, or interpretation. It only includes Tool Implementation Error and Abstraction Error. "Evidence must have a margin of error associated with it and the output must be verified. 14

15 29 Layer Characteristics " Abstraction Error: Lossy Layers have an Abstraction Error and Lossless Layers have none " Mapping: A One-to-One Layer can identify the input data given the output data and a Multiple-to-One Layer cannot " Levels: Multiple levels of abstraction can occur, each having several layers of abstraction. A Boundary Layer is the last layer in a level (i.e. file contents). " Tool Types: Translation Tools translate data from one layer to another. Presentation Tools present the layer data in a format that is useful for an investigator: Directory Entries sorted by directory Directory Entries sorted by MAC times 30 Tool Requirements " Usability: Present data a layer of abstraction that is useful to an investigator (Complexity Problem) " Comprehensive: Present all data to investigator so that both Inculpatory and Exculpatory Evidence can be identified " Accuracy: Tool output must be able to be verified and a margin of error must be given (Error Problem) " Deterministic: A tool must produce the same output when given the same rule set and input data. " Verifiable: To ensure accuracy, one must be able to verify the output by having access to the layer inputs and outputs. Verification can be done by hand or a second tool set. 15

16 31 Tool Recommendations "Read-Only: Because digital data can be easily duplicated, this is not a requirement. Although, to verify the results a copy of the input will be required at a later date. 32 Conclusion "Layers of abstraction are everywhere and have always been used "Formal discussion of them has not occurred with Digital Forensics "Lossy layers will be more common as new approaches are developed to decrease analysis time and log processing times "A Tool Implementation Error value could help quantify the accuracy of a tool 16

17 Preservation of Fragile Digital Evidence by First Response Jesse Kornblum 34 Fragility of Digital Evidence " Traditional investigations Dead Body Theorem Once a crime scene has been secured, the evidence of a traditional crime such as fingerprints/firearms are not going anywhere. Preserving evidence can be done quickly and with a minimum of expertise on the investigator s behalf. E.g., if rain starts to fall on footprints in the dirt, the area can be covered with a tarp. " When a computer is involved, the very existence of evidence may not be obvious upon initial examination. No bullet holes, nor blood stains " The nature of computer-based evidence makes it inherently fragile. Data can be erased or changed without a trace 17

18 35 Types of Fragile Evidence "We are concerning with three major types of fragile evidence Transient data: Information that will be lost at shutdown, such as open network connections, memory resident programs, etc. Fragile data: Data that is stored on the hard disk, but can easily be altered, such as last accessed time stamps. Temporarily accessible data: Data that is stored on the disk, but that can only be accessed at certain times. 36 Methods of Preserving Fragile Evidence "Transport them to a non-volatile medium as quickly as possible without disrupting any other part of the system. Victim s hard drive is not safe Floppy disk for small amount of data Network connection 18