Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

Similar documents
Developing a New Digital Forensics Curriculum

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

Extracting Hidden Messages in Steganographic Images

A Functional Reference Model of Passive Network Origin Identification

The Normalized Compression Distance as a File Fragment Classifier

Honeynets and Digital Forensics

Monitoring Access to Shared Memory-Mapped Files

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Rapid Forensic Imaging of Large Disks with Sifting Collectors

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

An Evaluation Platform for Forensic Memory Acquisition Software

File Classification Using Sub-Sequence Kernels

Unification of Digital Evidence from Disparate Sources

Fast Indexing Strategies for Robust Image Hashes

File Fragment Encoding Classification: An Empirical Approach

Ranking Algorithms For Digital Forensic String Search Hits

Hash Based Disk Imaging Using AFF4

Design Tradeoffs for Developing Fragmented Video Carving Tools

Privacy-Preserving Forensics

On Criteria for Evaluating Similarity Digest Schemes

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

Multidimensional Investigation of Source Port 0 Probing

Automated Identification of Installed Malicious Android Applications

Breaking the Performance Wall: The Case for Distributed Digital Forensics

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

A Study of User Data Integrity During Acquisition of Android Devices

A Strategy for Testing Hardware Write Block Devices

Can Digital Evidence Endure the Test of Time?

Archival Science, Digital Forensics and New Media Art

Designing Robustness and Resilience in Digital Investigation Laboratories

A Framework for Attack Patterns Discovery in Honeynet Data

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

A Road Map for Digital Forensic Research

BinComp: A Stratified Approach to Compiler Provenance Attribution

Information Assurance In A Distributed Forensic Cluster

New Model for Cyber Crime Investigation Procedure

PROOF OF THE COLLATZ CONJECTURE KURMET SULTAN. Almaty, Kazakhstan. ORCID ACKNOWLEDGMENTS

An Automated Timeline Reconstruction Approach for Digital Forensic Investigations

CERIAS Tech Report ON THE ROLE OF FILE SYSTEM METADATA IN DIGITAL FORENSICS. by Florian Buchholz and Eugene Spafford

Network Forensics Analysis with Evidence Graphs

Massive Data Analysis

Introduction. Advanced Econometrics - HEC Lausanne. Christophe Hurlin. University of Orléans. October 2013

Teleporter: An Analytically and Forensically Sound Duplicate Transfer System

In the recent past, the World Wide Web has been witnessing an. explosive growth. All the leading web search engines, namely, Google,

Communication Protocols Testability Improvement by Narrow Input/Output (NIO) Sequences

Surveying The User Space Through User Allocations

Implementing Cryptography: Good Theory vs. Bad Practice

2- Computer Essentials

Digital Forensics Lecture 01- Disk Forensics

Detecting Data Theft Using Stochastic Forensics

Computer Science Curriculum Content, KS5

Introduction to EVOLVE for Staff

Department of Computer Science Faculty of Engineering, Built Environment & IT University of Pretoria. COS122: Operating Systems

Getting Started with Blackboard

Introduction to Volume Analysis, Part I: Foundations, The Sleuth Kit and Autopsy. Digital Forensics Course* Leonardo A. Martucci *based on the book:

Foundations of Cryptography CS Shweta Agrawal

Forging a New Era in Lab Benchmarking

Time attributes. User behaviors. Crime Scene

EEE 435 Principles of Operating Systems

SDP Memo 048: Two Dimensional Sparse Fourier Transform Algorithms

TRB Annual Meeting Event Planner (Volunteer) User Guide

Computational Statistics and Mathematics for Cyber Security

Lessons Learned from the Construction of a Korean Software Reference Data Set for Digital Forensics

Can Digital Evidence Endure the Test of Time?

BUILDING A DIGITAL EVIDENCE CLASSIFICATION MODEL

UNIT 2 TOPICS IN COMPUTER SCIENCE. Exploring Computer Science 2

Automated Digital Evidence Target Definition Using Outlier Analysis and Existing Evidence

Multi-version Data recovery for Cluster Identifier Forensics Filesystem with Identifier Integrity

Walchand College of Engineering, Sangli

Combining Induction, Deduction and Structure for Synthesis

Student & Exchange Visitor Information System (SEVIS) SEVIS II Briefing

Android Forensics: Investigation, Analysis And Mobile Security For Google Android PDF

Applications of inductive types in artificial intelligence and inductive reasoning

FRAME BASED RECOVERY OF CORRUPTED VIDEO FILES

Data Engineering Fuzzy Mathematics in System Theory and Data Analysis

CSE 4392/5369. Dr. Gian Luca Mariottini, Ph.D.

WAVELET USE FOR IMAGE RESTORATION

Data Mining and. in Dynamic Networks

UCD Centre for Cybersecurity & Cybercrime Investigation

Genetic Programming: A study on Computer Language

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

CS415 Compilers Overview of the Course. These slides are based on slides copyrighted by Keith Cooper, Ken Kennedy & Linda Torczon at Rice University

Cybercrime Capacity Building a cooperative process

Comparing the Expressive Power of Access Control Models

Ieee Journal Template

Introducing Network Delays in a Distributed Real- Time Transaction Processing System

Using Hashing to Improve Volatile Memory Forensic Analysis

First Experiences with Intel Cluster OpenMP

Unit 29. Installing and Upgrading Software Level 3

Forensic and Log Analysis GUI

Improving Quality of Products in Hard Drive Manufacturing by Decision Tree Technique

PROGRAMME SPECIFICATION

Adversarial Policy Switching with Application to RTS Games

School of Engineering & Built Environment

Part B Finite-state Machines

Initial CITP and CSci (partial fulfilment). *Confirmation of full accreditation will be sought in 2020.

A Study of Forensic & Analysis Tools

A Short History of Markov Chain Monte Carlo

Digital Forensics as a Big Data Challenge

Full-Time: 4 Years, Sandwich Thick: 5 Years All LJMU programmes are delivered and assessed in English

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE Categories of Digital Investigation Analysis Techniques Based On The Computer History Model By Brian Carrier, Eugene Spafford Presented At The Digital Forensic Research Conference DFRWS 2006 USA Lafayette, IN (Aug 14 th - 16 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Categories of Digital Investigation Analysis Techniques Based on the Computer History Model Brian D. Carrier and Eugene H. Spafford

DFRWS 2004 Frameworks More like process models But, there is no unique process for an investigation Number of phases were subjective (including ours ) Completeness cannot be shown Useful for teaching, but not as useful for research and development

The New Approach 1. Define an investigation model based on a standard computation model. i.e. mathematical model 2. Define analysis technique categories based on the investigation model.

Finite State Machine Finite State Machine (FSM) Set of possible states: Q Set of possible event symbols:! State change function:! Q x! " Q We assume that a computer CAN be represented by a FSM Reduction is not performed during an investigation FSM used for hardware / software independence

Basic Event Visualization

Computer History A computer s history contains the sequence of its previous states and events A digital investigation is a process to answer questions about previous and current states and events. Starts with one or more known states Makes inferences about the others Searches the known and inferred states and events If you know the history, you can answer any question.

Computer History Model Goal is to mathematically represent the computer s history. Define a set T with the times that the history exists. Map times in set T to the states in Q and events in! that occurred. h ps : T " Q h pe : T "!

Dynamic FSM Problem: The set of possible states and events at 2 times can be different in real systems. Why?

Dynamic FSM Problem: The set of possible states and events at 2 times can be different in real systems. Why? Sets Q and! can change based on: The devices that were connected. The possible states for each device Number of addresses Domain of each address The possible events for each device

Summary (thus far) We assume a computer CAN be represented as a FSM. FSM must be dynamic and account for removable devices. We can represent the primitive history of the computer as a mapping from times to the FSM.

Complex Systems Modern computers operate at complex levels Complex states: Defined by virtual storage locations that map and transform to primitive and lower-level storage locations. Files, process memory, data structures Complex events: A single event that causes multiple lower-level events to occur. User-level events, buttons, system calls.. A history exists for complex states and events

Dynamic Complex Systems Number of possible complex events and states is based on: The primitive devices connected The programs on each device The capabilities of each program A file exists only if programs on the computer supports the file system. We can map between the different layers (file type rules, event decomposition )

Summary (thus far) The computer history model can represent complex states and events. Complex capabilities are based on the devices and programs that exist. There is (at least) one mapping between the primitive and complex histories.

Analysis Technique Categories If the computer history is known, we can answer any question. Our Hypothesis: The techniques required to define the computer history model are the same as required for a digital investigation.

Category Overview Eight categories and each defines specific variables (27 variables total) Organizing into eight is intuitive, but not required There is still subjectivity Each category has at least one class of techniques defined based on model and practice Classes may increase over time

History Duration Category (#1) Defines the set T of times when the computer has a history. When did the computer first exist? Did the computer exist during the timeframe being investigated? Examples: Manufactured date OS Install date Earliest MAC time

Primitive Storage Capabilities Category (#2) Defines the possible states of the system at each time. Which storage devices existed. The possible states of each device. When each device was connected. Examples: Hard disk spec or query commands Logs that record connected devices

Primitive Event Capabilities Category (#3) Defines the possible events that could have occurred at each time. The event devices that existed. The possible events and state change functions for each event device. When each device was connected. Examples: Processor spec or query commands Logs that record connected devices

Primitive State and Event Definition Category (#4) Defines the states and events that are believed to have occurred Observed states Event and state reconstruction Event and state construction Sampling Capabilities Can use one technique for defining a state or event and others for testing.

Layers of Abstraction Definition Category (#5) Defines the layers of event abstractions Nearly impossible to determine Requires knowledge about development process over lifetime of programs on system Multiple equivalent layers exist In practice, make assumptions: User-level events File systems

Complex Storage Capabilities Category (#6) Defines the possible complex storage states Identify the programs that exist at each time (in theory) Identify the complex storage types for each time. Examples: Reverse engineer stored data Static / dynamic analysis of programs Program specifications

Complex Event Capabilities Category (#7) Defines the possible complex events at each time. Identify the programs that exist at each time (in theory) Identify the complex events defined by each program Examples: Static / dynamic analysis of programs Program specifications

Complex State and Event Definition Category (#8) Defines complex states and events that are believed to have occurred. Make inferences about previous events and states. Examples: Event and state abstraction Event and state materialization Event and state reconstruction Event and state construction

Summary Previous frameworks / classifications not based on mathematical models. This work defined an investigation model based on a standard computation model. Categories of techniques can be shown to be complete, but structure is still subjective. The difference between previous frameworks is how they organize these categories.

Questions? Brian Carrier carrier@digital-evidence.org Eugene Spafford spaf@cerias.purdue.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback