Dr. Bhavani Thuraisingham The University of Texas at Dallas


Digital Forensics
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #25: Frameworks for Digital Forensics
November 10, 2008

Papers to discuss
- FORZA – Digital forensics investigation framework that incorporate legal issues: http://dfrws.org/2006/proceedings/4-Ieong.pdf
- A cyber forensics ontology: Creating a new approach to studying cyber forensics: http://dfrws.org/2006/proceedings/5-Brinson.pdf
- Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem: http://dfrws.org/2006/proceedings/6-Harris.pdf

Abstract of Paper 1
Mark Pollitt has stated that digital forensics is not an elephant; it is a process, and not just one process but a group of tasks and processes in an investigation. In fact, many digital forensics investigation processes and tasks were defined on technical implementation details. Investigation procedures developed by traditional forensic scientists focused on the procedures for handling the evidence, while those developed by technologists focused on the technical details of capturing evidence. As a result, many digital forensics practitioners simply followed technical procedures and forgot about the actual purpose and core concept of a digital forensics investigation. With all these technical details and complicated procedures, legal practitioners may have difficulties in applying or even understanding their processes and tasks in digital forensics investigations. In order to break the technical barrier between information technologists, legal practitioners and investigators, and to bring their corresponding tasks together, a technology-independent framework is required.

Abstract of Paper 1 (Concluded)
In this paper, the authors first highlight the fundamental principles of digital forensics investigations (Reconnaissance, Reliability and Relevancy). Based on these principles, they re-visit the investigation tasks and outline eight different roles and their responsibilities in a digital forensics investigation. For each role, they define a set of six key questions: the What (the data attributes), Why (the motivation), How (the procedures), Who (the people), Where (the location) and When (the time) questions. In fact, across all the investigation processes, these are the six main questions that each practitioner would always ask. By incorporating these sets of six questions into the Zachman framework, a digital forensic investigation framework, FORZA, is composed. The authors further explain how this new framework can incorporate legal advisors and prosecutors into a bigger picture of the digital forensics investigation framework. Usability of the framework is illustrated with a web hacking example. Finally, the road map that connects the framework to automated zero-knowledge data acquisition tools is briefly described.

Outline
- Introduction
- Principles of Digital Forensics Investigative Procedures
- FORZA Framework
- Legal Aspects
- Applying FORZA Framework
- Directions

Introduction
Many digital forensics procedures were developed to tackle the particular technology used in the inspected device; when the underlying technology of the target device changes, new procedures have to be developed. Among those procedures, the ones by Lee; Casey; DFRWS; and Reith, Carr and Gunsch are the most frequently quoted and are regarded as the standard procedures in digital forensics investigations. However, discrepancies remain between them: the four procedures are not aligned. Rather than differing in definition, they differ in the processes they recommend and in their coverage. Although digital forensics procedures have been extended to cover a wider perspective and area, one core issue has not been solved: the gap between the technical aspects of digital forensics and the judicial process.

Principles of Digital Forensics Investigative Procedures: 3Rs
Reconnaissance: Similar to what needs to be performed before ethical hacking, a digital forensics investigator needs to exhaust the different methods, practices and tools developed for the particular operating environment to collect, recover, decode, discover, extract, analyze and convert data kept on different storage media into readable evidence. No matter where the data are stored, digital forensics investigators should be revealing, and focusing on retrieving, the truth behind the data.
Reliability: Extraction of data is not simply copying data with Windows Explorer or saving files to a disk. The chain of evidence must be preserved while extracting, analyzing, storing and transporting data. In general, the chain of evidence, the time, the integrity of the evidence and the person's relationship with the evidence can be collectively considered the non-repudiation feature of digital forensics. If the evidence cannot be repudiated or rebutted, then the digital evidence is reliable and admissible for judicial review.

Principles of Digital Forensics Investigative Procedures: 3Rs
Relevancy: Even though evidence may be admissible, the relevancy of the evidence to the case affects its weight and usefulness. If the legal practitioner can advise on what should be collected during the process, the time and cost spent on the investigation can be controlled better.
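The Reliability principle above bundles evidence integrity, time and the handling person into one non-repudiation property. As an added illustration that is not part of the lecture or of the FORZA paper, the following Python models a hash-chained chain-of-custody log in which altering the evidence, or rewriting any custody record, is detected on verification; the record fields, names, dates and "evidence" bytes are all constructed for the example.

```python
# Added illustration of the Reliability principle (not from the lecture):
# a chain-of-custody log whose records are hash-chained. Each record binds
# the evidence hash (integrity), a timestamp (time) and a custodian (person)
# to the previous record. Names, dates and evidence bytes are constructed.
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    evidence_sha256: str   # hash of the evidence item when it was handled
    timestamp: str         # when the action took place (ISO 8601, constructed)
    custodian: str         # who handled the evidence
    action: str            # acquired / analyzed / stored / transported
    prev_hash: str         # hash of the previous record ("" for the first)
    record_hash: str = ""  # hash over all fields above

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "record_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


def append_record(log: List[CustodyRecord], evidence: bytes,
                  timestamp: str, custodian: str, action: str) -> CustodyRecord:
    """Append a record linked to the last one in the log."""
    prev = log[-1].record_hash if log else ""
    rec = CustodyRecord(sha256_hex(evidence), timestamp, custodian, action, prev)
    rec.record_hash = rec.compute_hash()
    log.append(rec)
    return rec


def verify_chain(log: List[CustodyRecord], evidence: bytes) -> List[str]:
    """Return findings; an empty list means chain and evidence are consistent."""
    findings = []
    current = sha256_hex(evidence)
    expected_prev = ""
    for i, rec in enumerate(log):
        if rec.record_hash != rec.compute_hash():
            findings.append(f"record {i}: contents do not match stored hash")
        if rec.prev_hash != expected_prev:
            findings.append(f"record {i}: link to previous record broken")
        if rec.evidence_sha256 != current:
            findings.append(f"record {i}: evidence hash differs from current evidence")
        expected_prev = rec.record_hash
    return findings


def demo() -> dict:
    """Build a small log, then show two tamper cases being detected."""
    evidence = b"constructed disk image bytes"
    log: List[CustodyRecord] = []
    append_record(log, evidence, "2008-11-10T09:00:00Z", "Investigator A", "acquired")
    append_record(log, evidence, "2008-11-10T11:30:00Z", "Analyst B", "analyzed")
    intact = verify_chain(log, evidence)
    # Case 1: record 0 is rewritten and its hash recomputed to look valid;
    # record 1's prev_hash no longer matches, which exposes the change.
    log[0].custodian = "Someone Else"
    log[0].record_hash = log[0].compute_hash()
    rewritten = verify_chain(log, evidence)
    # Case 2: the evidence itself is altered after acquisition.
    altered = verify_chain(log, evidence + b"x")
    return {"intact": intact, "rewritten": rewritten, "altered": altered}
```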

FORZA Framework
A framework depends on the participants in the organization. In a typical digital forensics investigation process, system owners, digital forensics investigators and legal practitioners are expected to be involved. However, if we further separate the roles and responsibilities of these participants, they can be categorized into eight individual roles in the investigation. These roles are different in nature but can be handled by the same person if required.
More Rs: Roles and Responsibilities
- Case leader
- System/business owner
- Legal advisor
- Security/system architect/auditor
- Digital forensics specialist
- Digital forensics investigator/system administrator/operator
- Digital forensics analyst
- Legal prosecutor

FORZA Framework
In order to bind roles, responsibilities and procedures together, a technology-independent digital forensics investigation framework is required. Through a Zachman framework derivative, the FORensics ZAchman (FORZA) framework, these eight roles and their responsibilities are linked together. Similar in nature and concept to the Systems and Business Security Architecture (SABSA) framework, the layers are interconnected through six categories of questions.
Questions: the Ws and H
- What (data attributes)
- Why (motivation)
- How (procedures)
- Who (people)
- Where (location)
- When (time)

Legal Aspects
Legal objectives (Why)
- What is the purpose of the dispute?
- What is the law of the dispute? Is the case a criminal or a civil case?
Legal background and preliminary issues (What)
- What is/are the relevant law/ordinance?
- Which sections of the ordinance should be referred to?
- What are the key elements in the ordinance?
- What is the required and related information?
- What data should be collected?
- What are the issues of law and issues of fact?
Legal procedures for further investigation (How)
- Is any injunction (e.g. an Anton Piller injunction) required?
- Is any warrant or search warrant required?
- Are any actions required to protect the evidence?

Legal Aspects
Legal geography (Where)
- Is the case within the jurisdiction of the country?
Legal entities and participants (Who)
- Who is/are the claimant/respondent?
- Who are the legal counsel, prosecutor and other legal staff?
Legal timeframe (When)
- What is the time limit of the case? Is it within the time bar limit?
- What is the time span of the case?
- What are the usual time and cost of similar cases?

Legal Aspects
Legal presentation objectives (Why)
- Should the case proceed or close?
- Has sufficient evidence been collected?
- Which litigation mechanism should be used?
Legal presentation attributes (What)
- What charge should be issued?
- What information should be included/excluded?
- What evidence should be presented? Which piece of evidence is relevant and admissible?
Legal presentation procedures (How)
- What litigation scheme should be used (international arbitration, local litigation)?
- What tactic should be applied in the litigation procedure?
Legal jurisdiction location (Where)
- Where should the place of litigation be?
- Where should the place of enforcement be?
- Where should the place of hearing be?

Legal Aspects
Entities in litigation procedures (Who)
- Which witnesses should be called? Should any expert witnesses be called?
- Which judge, counsel and arbitrator are involved?
Timeline of the entire event for presentation (When)
- Has the entire story board been reconstructed?
- Is any timeline missing in the evidence?
- When should the case be presented?

Applying FORZA Framework: Web Hacking
- Contextual investigation layer (why)
- Contextual layer (understand)
- Legal advisory layer (ask for legal advice)
- Conceptual security layer (design of the information system)
- Technical presentation layer (plan before on-site investigation)
- Data acquisition layer (acquire data)
- Data analysis layer (analyze data)
- Legal presentation layer (how to present the information)

Directions
- Build the framework
- Modeling and analysis
- Implementation and tools
- Test the framework with example cases
- Enhance the framework

Abstract of Paper 2
The field of cyber forensics, still in its infancy, possesses a strong need for direction and definition. Areas of specialty within a professional environment, certifications, and/or curriculum development are still questioned. With the continued need to standardize parts of the field, methodologies need to be created that will allow for uniformity and direction. This paper focuses on creating an ontology for the purpose of finding the correct layers for specialization, certification, and education within the cyber forensics domain. There is very little information available on this topic, and what is present seems to be somewhat varied. This underscores the importance of creating a method for defining the correct levels of education, certification and specialization. The ontology can also be used to develop curriculum and educational materials. The paper is meant to spark discussion and further research into the topic.

Outline
- Introduction
- Ontological Model
- Certification Areas
- Curriculum Development
- Directions

Introduction
An ontology creates a common definition for a domain of information within a certain area. By doing this, common information structures can be formed, knowledge can be reused, assumptions within the domain can be made, and every piece can be analyzed. There are two types of ontologies: one starts with a capital "O" and the other with a lower-case "o". The latter describes situations where classification schemes are being built. The former is a term borrowed from philosophy, where Ontology is a systematic account of existence. For the purposes of outlining cyber forensics tracks, a small-"o" ontology was created by the authors for classifying data tracks.

Ontological model
A five-layer hierarchy was created. The first main subtopics are technology and profession. When examining the topics at hand (specialization, certification and education), all the relevant topics fall under these two subheadings. For the most part, the technology side examines areas of study within a topic as well as areas where certifications could be obtained. The profession side focuses on which professional specialty areas should be considered as well as areas of study for curriculum development. Technology is then broken down into hardware and software. This breakdown is logical because it keeps the technology being examined separate from the examining tools. The corresponding level on the profession side is broken down into the areas of law, academia, military and private sector. These four areas are already recognized as the distinct areas of cyber forensics and therefore follow standard thinking.

Certification and Curriculum Development
While it has been noted that particular certifications at the fifth layer, such as EnCase, FTK or Microsoft XP, or on the other side first responder, would be good ideas, it should also be noted that one would not want to be certified in only one of these particular areas; the choice depends on the need. The ontological model can also be used for curriculum development, by following areas of the model to find topics to study within a potential course. For example, the third-layer topics could become the potential courses. Underneath the hardware layer are the subtopics of large-scale digital devices, small-scale digital devices, computers, storage devices, and other miscellaneous devices. (See the ontology in the paper.)

Directions
Much research is being done to create best practices, processes and procedures by entities including the government, scientists and educators. This is extremely important, as proper field/discipline definition right from the beginning can help decrease problems later. However, the one area that seems to be lacking in this research is what exactly the people involved in cyber forensics are supposed to do to prepare themselves, as opposed to the discipline. How do they specialize or certify themselves? The paper has focused on creating an ontological model that addresses those issues, and additionally created a tool for curriculum development.
Future work: enhance the ontologies.

Abstract of Paper 3
There are no general frameworks with which we may analyze the anti-forensics situation. Solving anti-forensic issues requires that we create a consensus view of the problem itself. This paper attempts to arrive at a standardized method of addressing anti-forensics by defining the term, categorizing the anti-forensics techniques and outlining general guidelines to protect forensic integrity.

Outline
- Introduction
- Anti-Forensics
- Types of Anti-Forensics
- Reducing the Effectiveness of Anti-Forensics Methods
- Directions

Introduction
Criminals may use anti-forensic methods to work against the forensic process or to interfere with the evidence itself. Solving anti-forensic issues requires that we understand the actual problem. There are no general frameworks in existence that allow us to analyze the anti-forensics situation as a whole; we do not even have a consensus on the proper definition of anti-forensics. Likewise, there are no general groupings of anti-forensic methods to aid our analysis. The paper attempts to create such a framework.

Anti-Forensics
The authors define anti-forensics as any attempt to compromise the availability or usefulness of evidence to the forensics process. Compromising evidence availability includes any attempt to prevent evidence from existing, to hide existing evidence, or otherwise to manipulate evidence so that it is no longer within reach of the investigator. Usefulness may be compromised by obliterating the evidence itself or by destroying its integrity.

Types of Anti-Forensics
- Destroying evidence: evidence destruction involves dismantling evidence or otherwise making it unusable to the investigative process.
- Hiding evidence: hiding evidence is the act of removing evidence from view so that it is less likely to be incorporated into the forensic process.
- Eliminating evidence sources: evidence source elimination involves neutralizing evidentiary sources.
- Counterfeiting evidence: evidence counterfeiting is the act of creating a "faked" version of the evidence that is designed to appear to be something else.

Reducing the Effectiveness of Anti-Forensics Methods
The human element: Many factors influence how effective an investigator will be when encountering anti-forensic measures. The alertness of the investigator, educational level, real-world experience and willingness to think in new directions can all affect the detection of anti-forensics.
Dependence on tools: The problem with depending on tools is that the tools are not immune to attack. One way of mitigating this problem is to use a variety of tools, so that no single tool's blind spot goes unnoticed. Another approach is to encourage tool vendors to improve the accuracy and efficacy of their tools against anti-forensics.
Physical/logical limitations: Physical limitations include things such as hardware connectors and protocols as well as media storage formats. Storage space limitations and time and money constraints are examples of logical limitations.

Directions
The number of scholarly papers on protecting against anti-forensic methods is greatly outnumbered by the number of websites about how to exploit the forensic process. Perpetrators are working harder to subvert the system than academia is working to strengthen forensics. Part of the reason for the lack of papers could be that we have not decided exactly what we are looking for; the current definitions all seem to concentrate on specific aspects of the problem. We need to agree on a definition and on ways of evaluating anti-forensic methods before we can determine how to respond. Perhaps we are placing too much emphasis on forensic technology and ignoring the necessary training of people and development of processes. Maybe we need to take time to reprioritize our view of forensics and create novel ways of fixing the root issues that anti-forensic methods exploit.