Title: Digital Forensics and Data Recovery
Improving Computer Forensics Media Analysis with Modeling Languages

Chris Bogen (bogen_at_cse.msstate.edu)
Advisor: Dr. David A. Dampier
Center for Computer Security Research, Department of Computer Science and Engineering, Mississippi State University
Abstract

While computer crime increases, computer forensics technicians are scarce. This shortage of certified personnel is an obvious cause of computer forensics case backlog. However, there are also secondary contributing factors that are important to consider: the increasing popularity of digital devices, the constant growth of digital storage media capacity, and the lack of standard technical methodologies for computer forensics. When searching for evidence on a 100 GB (or bigger) hard drive, it is insufficient to rely on ad hoc, best-guess keyword search techniques for finding evidence. In software engineering, modeling languages such as UML have proven useful for managing complexity, improving quality, and improving the productivity of software projects. It is possible that such modeling language tools may also be useful for managing and improving computer forensics media analysis. In order to evaluate this assumption, prototype computer forensic modeling languages must be defined, computer forensics quality and productivity metrics must be defined, and experiments must be conducted. Further applications of modeling languages in computer forensics include establishing a knowledge repository, data mining applications, training, and forensic software tool design.
[Figure: A Generic Data Recovery Computer Forensics Process]

Who Uses Computer Forensics?

- Law Enforcement
  - Police, FBI, Secret Service, State Police
- Military and Homeland Security
  - Intelligence Gathering, Terrorist Identification
- Systems Administrators and IT Staff
  - Insider Threat Investigations
  - Internal Investigations
  - Network Attack Trace Back

[Figure: A Simple Computer Forensics Case Ontology Model]
Computer Forensics: Collecting, analyzing, and preserving evidence from digital storage media.

Network Forensics: Collecting, analyzing, and preserving evidence in a network of computers.

Software Forensics: Determining the identity of the original author of a piece of software, malware, virus, malicious code, etc.

Evidence Preservation: Required in all phases when practicing computer forensics.