Unification of Digital Evidence from Disparate Sources

Similar documents
Unification of Digital Evidence from Disparate Sources (Digital Evidence Bags)

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

Rapid Forensic Imaging of Large Disks with Sifting Collectors

Monitoring Access to Shared Memory-Mapped Files

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

Extracting Hidden Messages in Steganographic Images

Developing a New Digital Forensics Curriculum

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

An Evaluation Platform for Forensic Memory Acquisition Software

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Fast Indexing Strategies for Robust Image Hashes

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

Information Assurance In A Distributed Forensic Cluster

A Functional Reference Model of Passive Network Origin Identification

Honeynets and Digital Forensics

SECURE, AUDITED PROCESSING OF DIGITAL EVIDENCE: FILESYSTEM SUPPORT FOR DIGITAL EVIDENCE BAGS

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

Can Digital Evidence Endure the Test of Time?

Automated Identification of Installed Malicious Android Applications

Hash Based Disk Imaging Using AFF4

File Classification Using Sub-Sequence Kernels

A Study of User Data Integrity During Acquisition of Android Devices

Breaking the Performance Wall: The Case for Distributed Digital Forensics

Multidimensional Investigation of Source Port 0 Probing

Design Tradeoffs for Developing Fragmented Video Carving Tools

On Criteria for Evaluating Similarity Digest Schemes

The Normalized Compression Distance as a File Fragment Classifier

Designing Robustness and Resilience in Digital Investigation Laboratories

File Fragment Encoding Classification: An Empirical Approach

Privacy-Preserving Forensics

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

Ranking Algorithms For Digital Forensic String Search Hits

A Strategy for Testing Hardware Write Block Devices

Archival Science, Digital Forensics and New Media Art

BinComp: A Stratified Approach to Compiler Provenance Attribution

A Framework for Attack Patterns Discovery in Honeynet Data

Digital Evidence Cabinets: A Proposed Framework for Handling Digital Chain of Custody

Computer forensics Aiman Al-Refaei

Cian Kinsella CEO, Digiprove

Incident Response Data Acquisition Guidelines for Investigation Purposes 1

ANALYSIS AND VALIDATION

CIS Business Computer Forensics and Incident Response. Lab Protocol 03: Acquisition

THE DESIGN AND IMPLEMENTATION OF AN EXTENSIBLE FORMAT FORMEMORY DUMPS

An open architecture for digital evidence integration

Document Security. Security Course Exercises for PIM powered by Union Square

Michigan Department of Education

MOBILE DEVICE FORENSICS

EnPROVE Workflow and Tooling for Professional Lighting Retrofits

Resource Management Surplus Property Program Surplus Property Program Database User s Manual. Online Database. Property Adoption Process User s Manual

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

Deloitte Discovery Caribbean & Bermuda Countries Guide

COMP116 Final Project. Shuyan Guo Advisor: Ming Chow

Multi-version Data recovery for Cluster Identifier Forensics Filesystem with Identifier Integrity

Getting the best digital evidence is what matters XRY extracts more data faster, with full integrity

UCD Centre for Cybersecurity & Cybercrime Investigation

Electronic Records Management the role of TNA. Richard Blake Head of the Records Management Advisory Service

Financial Forensic Accounting

Getting the best digital evidence is what matters XRY extracts more data faster, with full integrity

Digital Forensics as a Big Data Challenge

Welcome to a world where technology flows through the heart of your business environment. Welcome to CDC

RECRUITMENT VACANCY STRATEGIC ACCOUNT MANAGER 2016 BULLETPROOF. ALL RIGHTS RESERVED.

Incident Response & Forensic Best Practice. Cyber Attack!

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

Cloud Security Standards Supplier Survey. Version 1

A Comparative Study of Teaching Forensics at a University Degree Level

Forensic and Log Analysis GUI

Working with investment professionals

Chapter 4 After Incident Detection

A Road Map for Digital Forensic Research

Sage Data Security Services Directory

Building Automation & Control System Vulnerabilities

Digital Forensics UiO

Digital Forensics UiO. Digital Forensics in Incident Management. About Me. Outline. Incident Management. Finding Evidence.

MFP: The Mobile Forensic Platform

DATA RECOVERY FROM PROPRIETARY- FORMATTED CCTV HARD DISKS

Digital Forensics UiO

Can Digital Evidence Endure the Test of Time?

Digital Forensics UiO

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

DuncanPowell RESTRUCTURING TURNAROUND FORENSIC

Lessons Learned from the Construction of a Korean Software Reference Data Set for Digital Forensics

The Integrated Research on Disaster Risk Programme (IRDR)

Initial CITP and CSci (partial fulfilment). *Confirmation of full accreditation will be sought in 2020.

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

PROGRAMME SPECIFICATION

BENEFITS OF EXCIPACT CERTIFICATION TO SUPPLIERS, USERS AND PATIENTS The role in Supplier Qualification. March 2011

Full-Time: 4 Years, Sandwich Thick: 5 Years All LJMU programmes are delivered and assessed in English

Security Program Design:

Recruitment Pack Marketing Officer Battersea Dogs & Cats Home

Established Leaders in Actuation Technology. In-Vision PC based supervisory control. Publication S210E issue 04/03

ISO/IEC ISO/IEC White Paper

Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

AUSIM: Auburn University SIMulator - Version L2.2

Analysis of the Db Windows Registry Data Structure

Resource Management Surplus Property Program Surplus Property Program Database PCT User s Manual. Online Database. Property Custodian User s Manual

Enabling efficiency through Data Governance: a phased approach

Digital Forensics Validation, Performance Verification And Quality Control Checks. Crime Scene/Digital and Multimedia Division

BIG DATA ANALYTICS IN FORENSIC AUDIT. Presented in Mombasa. Uphold public interest

MX Control Console. Administrative User Manual

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE Unification of Digital Evidence from Disparate Sources By Philip Turner Presented At The Digital Forensic Research Conference DFRWS 2005 USA New Orleans, LA (Aug 17 th - 19 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Unification of Digital Evidence from Disparate Sources Philip Turner Digital Investigation Services QinetiQ, Malvern, UK. pbturner@qinetiq.com

Digital Forensics The Problems! Quantity of data Increasing range of digital devices Proprietary capture formats/tools for different devices Entire image has to be available to analysis tool No real-time support for evidence capture No multi-processor / distributed system support

Traditional Evidence Capture Bags Store items that are considered relevant at time of capture Not everything is captured Tags Exhibit Reference / Description / Date & Time seized / Name of investigator Continuity evidence custody transfer Provenance Seals Tamper detection / prevention

Digital Evidence Capture Capture Everything. Regardless Plain dd image No integrity checking No provenance / continuity information Proprietary formats Limited integrity checking No interoperability between tools Limited provenance information No in-built continuity tracking

Digital Evidence Bags (DEBs) - Aims To provide a simple to use and understandable structure To provide a flexible structure that is capable of storing information from a disparate range of digital devices Scaleable and able to hold an ever increasing amount of information Provide in-built continuity / provenential information Capable of storing information from static and realtime environments

DEB Structure (1).tag Digital Information Source.index0 1.index0 2.indexn n.bag0 1.bag0 2.bagn n Digital Evidence Bag

DEB Structure (2) Tag file plain text DEB reference identifier Details of information contained in the DEB Name and organisation of person capturing information Date and Time Evidence Unit (EU) Tag Continuity Block (TCB) Index file format definition meta tags

DEB Structure (3) Index file text based tab delimited Details the contents of the corresponding bag Exact format varies depending upon content type of EU May contain details such as filenames, file sizes, timestamp information, make model and S/N of devices Bag file the information that may be used as evidence

DEBs How they work (1) DEB access Update tag file New TCB appended to tag file includes application identifier, application description / function, application version information, application hash, EU accessed, processing host identifier New tag seal number calculated

DEBs How they work (2) Evidence Unit contents Full bit image data capture everything regardless Imaging Options Partial / Selective / Intelligent Real-Time evidence acquisition Time constrained evidence acquisition Particular type of information Customer driven Investigation focussed Forensic triage Covert

DEBs How they work (3) Evidence Unit processing Multi-processor / distributed capable Audit trail of DEB access Audit trail of DEB/EU processing tasks

DEBs Enhancing Best Practice Replicating what is done in the Traditional evidence capture environment in the Digital environment Audit trail Learning the successful AND unsuccessful way of performing investigations / finding case relevant information Education

DEB Implementations DEB Viewer View contents of a DEB Update tag - TCB DEB Application Wrapper Command line application wrapper Selective imager / data capture Full media imager

DEB Benefits Scaleable approach to evidence acquisition Scaleable approach to forensic processing, allowing for the first time the digital evidence to be processed across multi-processor and distributed systems Increased evidential material throughput, directing the most applicable techniques at the appropriate types of evidence Incorporate some of the current evidence capture and analysis methods thus not negating the financial investment in current tools and methods The ability to process evidence from a diverse range of digital devices Allow the integration of real-time data acquisition into a sound forensic framework Permit a selective and/or intelligent data acquisition approach to be implemented as opposed to the current collect everything approach The ability to automatically create an audit trail of processes carried out on an item of evidence. The metric from which could allow analysis of the most effective way to process digital evidence and be used to educate new practitioners in the best way to undertake a forensic investigation

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback