Digital Forensics - PowerPoint PPT Presentation

1
Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Lecture 25
  • Frameworks for Digital Forensics
  • October 29, 2007

2
Papers to discuss
  • FORZA: Digital forensics investigation framework
    that incorporate legal issues
  • http://dfrws.org/2006/proceedings/4-Ieong.pdf
  • A cyber forensics ontology: Creating a new
    approach to studying cyber forensics
  • http://dfrws.org/2006/proceedings/5-Brinson.pdf
  • Arriving at an anti-forensics consensus:
    Examining how to define and control the
    anti-forensics problem
  • http://dfrws.org/2006/proceedings/6-Harris.pdf

3
Outline
  • Review of Lectures 23-24
  • Discussion of the papers on Frameworks for
    Digital Forensics

4
Review of Lectures 23-24
  • Papers on Intelligent Digital Analysis
  • Image annotation
  • Guest lectures by Profs. Latifur Khan and Ravi
    Sandhu

5
Abstract of Paper 1
  • Mark Pollitt has stated that digital forensics is
    not an elephant, it is a process, and not just one
    process, but a group of tasks and processes in
    investigation. In fact, many digital forensics
    investigation processes and tasks were defined on
    technical implementation details. Investigation
    procedures developed by traditional forensics
    scientists focused on the procedures in handling
    the evidence, while those developed by the
    technologists focused on the technical details in
    capturing evidence. As a result, many digital
    forensics practitioners simply followed technical
    procedures and forgot about the actual purpose
    and core concept of digital forensics
    investigation. With all these technical details
    and complicated procedures, legal practitioners
    may have difficulties in applying or even
    understanding their processes and tasks in
    digital forensics investigations. In order to
    break the technical barrier between information
    technologists, legal practitioners and
    investigators, and bind their corresponding tasks
    together, a technology-independent framework would
    be required.

6
Abstract of Paper 1 (Concluded)
  • In this paper, the authors first highlight the
    fundamental principles of digital forensics
    investigations (Reconnaissance, Reliability and
    Relevancy). Based on these principles, they
    re-visit the investigation tasks and outline
    eight different roles and their responsibilities
    in a digital forensics investigation. For each
    role, they define a set of six key questions:
    the What (the data attributes), Why (the
    motivation), How (the procedures), Who (the
    people), Where (the location) and When (the time)
    questions. In fact, among all the investigation
    processes, there are six main questions that each
    practitioner would always ask. By incorporating
    these sets of six questions into the Zachman
    framework, a digital forensics investigation
    framework, FORZA, is composed. We will further
    explain how this new framework can incorporate
    legal advisors and prosecutors into a bigger
    picture of a digital forensics investigation
    framework. Usability of this framework will be
    illustrated with a web hacking example. Finally,
    the road map that interconnects the framework to
    automatic zero-knowledge data acquisition
    tools will be briefly described.

7
Outline
  • Introduction
  • Principles of Digital Forensics Investigative
    Procedures
  • FORZA Framework
  • Legal Aspects
  • Applying FORZA Framework
  • Directions

8
Introduction
  • Many digital forensics procedures were developed
    for tackling the different technologies used in
    the inspected device; when the underlying
    technology of the target device changes, new
    procedures have to be developed.
  • Among those procedures, the Lee, Casey, DFRWS and
    Reith, Carr and Gunsch procedures are the most
    frequently quoted. They are known to be the
    standard procedures in digital forensics
    investigations.
  • However, discrepancies still lie between them: the
    four procedures are not aligned. Rather than
    differing in definition, the processes they
    recommend and their coverage are different.
  • Although digital forensics procedures have been
    extended to cover a wider perspective and area,
    one core issue has not been solved.
  • That is the gap between the technical aspects of
    digital forensics and the judicial process.

9
Principles of Digital Forensics Investigative
Procedures: 3Rs
  • Reconnaissance: Similar to what needs to be
    performed before ethical hacking, a digital
    forensics investigator needs to exhaust the
    different methods, practices and tools that were
    developed for a particular operating environment
    to collect, recover, decode, discover, extract,
    analyze and convert data kept on different
    storage media into readable evidence. No matter
    where data are stored, digital forensics
    investigators should be revealing, and focusing
    on, the truth behind the data.
  • Reliability: Extraction of data is not simply
    copying of data using Windows Explorer or saving
    files to a disk. The chain of evidence should be
    preserved during extracting, analyzing, storing
    and transporting of data. In general, the chain
    of evidence, time, integrity of the evidence and
    the person's relationship with the evidence could
    be collectively considered as the non-repudiation
    feature of digital forensics. If the evidence
    cannot be repudiated or rebutted, then the
    digital evidence would be reliable and admissible
    for judicial review.
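As an added illustration of the non-repudiation point above (this is not code from the FORZA paper or these slides), a small hash-chained chain-of-custody ledger: each entry binds who handled the evidence, when, what they did, the SHA-256 of the evidence at that step and the digest of the previous entry, so later alteration of either the evidence or the log itself is detectable. The `CustodyLedger` class and the sample image bytes are constructed for this example.

```python
# Added example: hash-chained chain-of-custody ledger (constructed for
# illustration; not the FORZA paper's own tooling).
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the digest does not depend on key order.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


class CustodyLedger:
    def __init__(self):
        self.entries = []

    def record(self, action, custodian, evidence: bytes, when=None) -> str:
        """Append one handling step to the chain; returns the entry digest."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "who": custodian,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, evidence: bytes):
        """Return (ok, problems). Checks each entry's own digest, its link
        to the previous entry, and that the evidence presented now still
        matches the hash recorded at every step."""
        problems = []
        now_hash = sha256_hex(evidence)
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if entry_digest(body) != e["entry_hash"]:
                problems.append(f"entry {e['seq']} was altered")
            if e["prev_hash"] != prev:
                problems.append(f"entry {e['seq']} breaks the chain")
            if e["evidence_sha256"] != now_hash:
                problems.append(f"evidence differs from entry {e['seq']}")
            prev = e["entry_hash"]
        return (not problems, problems)
```

A real deployment would sign each entry with the custodian's key and keep the ledger on write-once storage; the digest chain alone only shows that something changed, not who changed it.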

10
Principles of Digital Forensics Investigative
Procedures: 3Rs
  • Relevancy: Even though evidence may be
    admissible, the relevancy of the evidence to the
    case affects the weight and usefulness of the
    evidence. If the legal practitioner can advise on
    what should be collected during the process, the
    time and cost spent in investigation could be
    controlled better.

11
FORZA Framework
  • A framework depends on the participants in the
    organization. In a typical digital forensics
    investigation process, system owners, digital
    forensics investigators and legal practitioners
    are expected to be involved. However, if we
    further separate the roles and responsibilities
    of these participants, they could be further
    categorized into eight individual roles of
    participants in investigation. These roles are
    different in nature but could be handled by the
    same person if required.
  • More Rs: Roles and Responsibilities
  • Case leader, system/business owner, legal
    advisor, security/system architect/auditor,
    digital forensics specialist, digital forensics
    investigator/system administrator/operator,
    digital forensics analyst, legal prosecutor

12
FORZA Framework
  • In order to bind roles, responsibilities and
    procedures together, a technology-independent
    digital forensics investigation framework would
    be required. Through a Zachman framework
    derivative, the FORensics ZAchman (FORZA)
    framework, these eight roles and their
    responsibilities are linked together.
  • Similar to the nature and concept of the Systems
    and Business Security Architecture (SABSA)
    framework, layers are interconnected to each
    other through sets of six categories of
    questions, namely
  • Questions: The Ws and H
  • What (data attributes), Why (motivation), How
    (procedures), Who (people), Where (location),
    When (time)

13
Legal Aspects
  • Legal objectives (Why)
  • What is the purpose of the dispute? What is the
    law of the dispute? Is the case a criminal or
    civil case?
  • Legal background and preliminary issues (What)
  • What is/are the relevant law/ordinance? Which
    sections of the ordinance should be referred to?
    What are the key elements in the ordinance? What
    is the required and related information? What
    data should be collected? What are the issues of
    law and issues of fact?
  • Legal procedures for further investigation (How)
  • Is any injunction action (e.g. an Anton Piller
    order) required? Is any warrant or search
    warrant required? Are any actions required to
    protect the evidence?

14
Legal Aspects
  • Legal geography (Where)
  • Is it within the jurisdiction of the country?
  • Legal entities and participants (Who)
  • Who is/are the claimant/respondent? Who are the
    legal counsel, prosecutor, legal staff and
    other legal staff?
  • Legal timeframe (When)
  • What is the time limit of the case? Is it
    within the time bar limit? What is the time span
    of the case? What is the usual time and cost of
    similar cases?

15
Legal Aspects
  • Legal presentation objectives (Why)
  • Should the case proceed or close? Is sufficient
    evidence collected? Which litigation mechanism
    should be used?
  • Legal presentation attributes (What)
  • What charge should be issued? What information
    should be included/excluded? What evidence
    should be presented? Which piece of evidence is
    relevant and admissible?
  • Legal presentation procedures (How)
  • What litigation scheme should be used?
    (International Arbitration, local litigation?)
    What tactic should be applied in the litigation
    procedure?
  • Legal jurisdiction location (Where)
  • Where should the litigation take place? Where
    should enforcement take place? Where should the
    hearing take place?

16
Legal Aspects
  • Entities in litigation procedures (Who)
  • Which witnesses should be called? Should any
    expert witnesses be called? Which judge, counsel
    and arbitrator are involved?
  • Timeline of the entire event for presentation (When)
  • Is the entire storyboard reconstructed? Is any
    timeline missing in the evidence? When should the
    case be presented?

17
Applying FORZA Framework: Web Hacking
  • Contextual investigation layer (why)
  • Contextual layer (understand)
  • Legal advisory layer (ask for legal advice)
  • Conceptual security layer (design of the
    information system)
  • Technical presentation layer (plan before on-site
    investigation)
  • Data acquisition layer (acquire data)
  • Data analysis layer (analyze data)
  • Legal presentation layer (how to present the
    information)

18
Directions
  • Build the framework
  • Modeling and analysis
  • Implementation and tools
  • Test the framework with example cases
  • Enhance the framework

19
Abstract of Paper 2
  • The field of cyber forensics, still in its
    infancy, possesses a strong need for direction
    and definition. Areas of specialty within a
    professional environment, certifications, and/or
    curriculum development are still questioned. With
    the continued need to standardize parts of the
    field, methodologies need to be created that will
    allow for uniformity and direction. This paper
    focuses on creating an ontology for the
    purpose of finding the correct layers for
    specialization, certification, and education
    within the cyber forensics domain. There is very
    little information available on this topic and
    what is present seems to be somewhat varied.
    This underscores the importance of creating a
    method for defining the correct levels of
    education, certification and specialization. This
    ontology can also be used to develop curriculum
    and educational materials. This paper is meant to
    spark discussion and further research into the
    topic.

20
Outline
  • Introduction
  • Ontological Model
  • Certification Areas
  • Curriculum Development
  • Directions

21
Introduction
  • Ontology creates a common definition among a
    domain of information within a certain area. By
    doing this, common information structures can be
    formed, knowledge can be reused, assumptions
    within a domain can be made, and every piece can
    be analyzed.
  • There are two types of ontologies. One ontology
    starts with a capital "O" and the other starts
    with a lower-case "o". The latter describes
    situations where classification schemes are being
    built. The former is a term borrowed from
    philosophy, where Ontology is a systematic account
    of existence. For the purposes of outlining cyber
    forensics tracks, a small-"o" ontology was
    created by the authors for classifying data
    tracks.

22
Ontological model
  • A five-layer hierarchy was created.
  • The first main subtopics consist of technology
    and profession. When examining the topics at
    hand, specialization, certification, and
    education, all the relevant topics can fall into
    these subheadings.
  • For the most part, the technology portion will
    examine areas of study within a topic as well as
    areas where certifications could be obtained. The
    profession side focuses on what professional
    specialty areas should be considered as well as
    areas of study for curriculum development.
  • Technology is then broken down into hardware and
    software. This breakdown is logical because it
    keeps the technology that is being examined
    separate from the examining tools.
  • The corresponding level on the profession side is
    broken down into the areas of law, academia,
    military, and private sector. These four areas
    are already recognized as the distinct areas of
    cyber forensics and therefore follow standard
    thinking.

23
Certification and Curriculum Development
  • While it has been noted that particular
    certifications at the fifth layer, such as
    EnCase, FTK, Microsoft XP, or on the other side,
    first responder, would be good ideas, it should
    also be noted that one would not want to be
    certified in only one of these particular areas.
    It depends on the need.
  • This ontological model can also be utilized for
    the purpose of curriculum development. This is
    done by following areas of the model to find
    topics to study within a potential course. For
    example, the third layer topics could become the
    potential courses. Underneath the hardware layer
    are the subtopics of large-scale digital devices,
    small-scale digital devices, computers, storage
    devices, and other miscellaneous devices. (See
    ontology in paper)

24
Directions
  • There is much research being done to create best
    practices, processes, and procedures by entities
    including the government, scientists, and
    educators.
  • This is extremely important as proper
    field/discipline definition right from the
    beginning can help decrease problems later.
  • However, the one area that seems to be lacking in
    this research is what exactly the people involved
    in cyber forensics are supposed to do to prepare
    themselves, not the discipline. How do they
    specialize or certify themselves?
  • The paper has focused on creating an ontological
    model that addresses those issues, and
    additionally created a tool for curriculum
    development.
  • Future: Enhance ontologies

25
Abstract of Paper 3
  • There are no general frameworks with which we may
    analyze the anti-forensics situation. Solving
    anti-forensic issues requires that we create a
    consensus view of the problem itself. This paper
    attempts to arrive at a standardized method of
    addressing anti-forensics by defining the term,
    categorizing the anti-forensics techniques and
    outlining general guidelines to protect forensic
    integrity.

26
Outline
  • Introduction
  • Anti Forensics
  • Types of Anti Forensics
  • Reducing the effectiveness of Anti Forensics
    Methods
  • Directions

27
Introduction
  • Criminals may use anti-forensic methods to work
    against the process or interfere with the
    evidence itself.
  • Solving anti-forensic issues will require that we
    understand the actual problem itself.
  • There are no general frameworks in existence
    which allow us to analyze the anti-forensics
    situation as a whole.
  • We do not even have a consensus on the proper
    definition of anti-forensics.
  • Likewise, there are no general groupings of
    anti-forensic methods to aid our analysis.
  • The paper attempts to create a framework.

28
Anti Forensics
  • The authors define anti-forensics as:
  • any attempts to compromise the availability or
    usefulness of evidence to the forensics process.
    Compromising evidence availability includes any
    attempts to prevent evidence from existing,
    hiding existing evidence or otherwise
    manipulating evidence to ensure that it is no
    longer within reach of the investigator.
    Usefulness may be compromised by obliterating the
    evidence itself or by destroying its integrity.

29
Types of Anti Forensics
  • Destroying evidence
  • Evidence destruction involves dismantling
    evidence or otherwise making it unusable to the
    investigative process.
  • Hiding evidence
  • Hiding evidence is the act of removing evidence
    from view so that it is less likely to be
    incorporated into the forensic process.
  • Eliminating evidence sources
  • Evidence source elimination involves neutralizing
    evidentiary sources.
  • Counterfeiting evidence
  • Evidence counterfeiting is the act of creating a
    faked version of the evidence which is
    designed to appear to be something else.

30
Reducing the Effectiveness of Anti Forensics
Methods
  • The human element
  • Many aspects influence how effective an
    investigator will be when encountering
    anti-forensic measures. The alertness of the
    investigator, educational level, real world
    experience and willingness to think in new
    directions could all affect the detection of
    anti-forensics.
  • Dependence on tools
  • The problem with depending on tools is that the
    tools are not immune to attack. One method of
    mitigating this problem is to use a variety of
    tools. Another approach would be to encourage the
    vendors of the tools to improve the accuracy and
    efficacy of the tools as applied to
    anti-forensics.
  • Physical/logical limitations
  • Physical limitations include things such as
    hardware connectors and protocols as well as
    media storage formats. Storage space limitations
    and time and money factors are some examples of
    logical limitations.

31
Directions
  • The number of scholarly papers on protecting
    against anti-forensic methods is greatly
    outnumbered by the number of websites about how
    to exploit the forensic process.
  • Perpetrators are working harder to subvert the
    system than academia is working to strengthen
    forensics.
  • Part of the reason for the lack of papers could
    be that we have not decided exactly what we are
    looking for. The current definitions all seem to
    concentrate on specific aspects of the problem.
  • We need to agree on a definition and ways of
    evaluating anti-forensic methods before we can
    determine how to respond.
  • Perhaps we are placing too much emphasis on
    forensic technology and ignoring the necessary
    training of people and development of processes.
  • Maybe we need to take time to reprioritize our
    look at forensics and create novel ways of
    fixing the root issues that anti-forensic
    methods exploit.