Defining Digital Forensic Examination & Analysis Tools Brian Carrier.

Slides:

Advertisements

Similar presentations

Chapter 2 The Process of Experimentation

Advertisements

Animal, Plant & Soil Science

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

System Integration Verification and Validation

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Auditing Computer-Based Information Systems

MSc in Business Information Technology

Software Quality Assurance Inspection by Ross Simmerman Software developers follow a method of software quality assurance and try to eliminate bugs prior.

Guide to Computer Forensics and Investigations, Second Edition

Requirements and Design

BACS 371 Computer Forensics

Forensic and Investigative Accounting

Lecture 7 Model Development and Model Verification.

Outline Chapter 1 Hardware, Software, Programming, Web surfing, … Chapter Goals –Describe the layers of a computer system –Describe the concept.

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

Lineage February 13, 2006 Geog 458: Map Sources and Errors.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 2 Slide 1 Systems engineering 1.

COEN 252 Computer Forensics Forensic Duplication of Hard Drives.

COEN 252 Computer Forensics

T OWARDS S TANDARDS IN D IGITAL F ORENSICS E DUCATION.

An Event-based Digital Forensic Investigation Framework Brian D. Carrier Eugene H. Spafford DFRWS 2004.

Introduction to Systems Analysis and Design Trisha Cummings.

Topics Covered: Data preparation Data preparation Data capturing Data capturing Data verification and validation Data verification and validation Data.

Testing. Definition From the dictionary- the means by which the presence, quality, or genuineness of anything is determined; a means of trial. For software.

1 BTEC HNC Systems Support Castle College 2007/8 Systems Analysis Lecture 9 Introduction to Design.

SoITSSpecifications of IT systems? 1 Specifications of IT systems checking and validating Jens Bennedsen and Peter Gorm Larsen

Dan Parish Program Manager Microsoft Session Code: OFC 304.

Topics Covered: Software requirement specification(SRS) Software requirement specification(SRS) Authors of SRS Authors of SRS Need of SRS Need of SRS.

© Yanbu University College YANBU UNIVERSITY COLLEGE Women’s Campus © Yanbu University College Introduction to Quantitative Analysis Chapter 1 Ms.Atiya.

Study of Comparison of Digital Forensic Investigation Models.

Computer Maintenance and Troubleshooting

The Nature of Evidence Chapter 3 ©2010 Elsevier, Inc.

System Development Lifecycle Verification and Validation.

Verification and Validation in the Context of Domain-Specific Modelling Janne Merilinna.

Scientific Processes Mrs. Parnell. What is Science? The goal of science is to investigate and understand the natural world, to explain events in the natural.

ES Model development Dr. Ahmed Elfaig The ES attempts to predict results from available information, data and knowledge The model should be able to infer.

Introduction to Software Engineering. Why SE? Software crisis manifested itself in several ways [1]: ◦ Project running over-time. ◦ Project running over-budget.

AUDIT IN COMPUTERIZED ENVIRONMENT

Week 1 Theory 2 B usiness I nformation S ystems Batch Processing Assignment 6 - Batch Processing 1 Batch Processing Method.

Software Development Problem Analysis and Specification Design Implementation (Coding) Testing, Execution and Debugging Maintenance.

Using automation to enhance the process of Digital Forensic analysis Daniel Walton School of Computer and Information Science

 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.

Data Collection. Data Capture This is the first stage involved in getting data into a computer Various input devices are used when getting data to the.

A Hierarchical, Objectives-Based Framework for the Digital Investigations Process Nicole Beebe & Jan Guynes Clark University of Texas at San Antonio DFRWS.

CSI 1340 Introduction to Computer Science II Chapter 1 Software Engineering Principles.

Chapter 3 Data Control Ensure the Accurate and Complete data is entering into the data processing system.

Software Quality Assurance and Testing Fazal Rehman Shamil.

 CMMI  REQUIREMENT DEVELOPMENT  SPECIFIC AND GENERIC GOALS  SG1: Develop CUSTOMER Requirement  SG2: Develop Product Requirement  SG3: Analyze.

24 Nov 2007Data Management and Exploratory Data Analysis 1 Yongyuth Chaiyapong Ph.D. (Mathematical Statistics) Department of Statistics Faculty of Science.

SCOPE DEFINITION,VERIFICATION AND CONTROL Ashima Wadhwa.

1 CEN 4020 Software Engineering PPT4: Requirement analysis.

COEN 252 Computer Forensics Forensic Duplication of Hard Drives.

Requirement Elicitation Review – Class 8 Functional Requirements Nonfunctional Requirements Software Requirements document Requirements Validation and.

Design Evaluation Overview Introduction Model for Interface Design Evaluation Types of Evaluation –Conceptual Design –Usability –Learning Outcome.

Crime Scene Investigation. “There is not only the effect of the criminal on the scene to be considered, but also the manner in which the scene may have.

 System Requirement Specification and System Planning.

The Scientific Method 7M Science.

Oracle Subledger Accounting

The Project Management Framework

Look for a PAIR… Ask a classmate about himself/herself and tell the class about what have you learned about the person.

Test Planning Mike O’Dell (some edits by Vassilis Athitsos)

Introduction to Systems Analysis and Design

Chapter 8: Monitoring the Network

Verification and Validation

Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.

Introduction to Digital Forensics

Exam Information CSI5107 Network Security.

1 Advanced Cyber Security Forensics Training for Law Enforcement Building Advanced Forensics & Digital Evidence Human Resource in the Law Enforcement sector.

Scientific Method Vocabulary

Biological Science Applications in Agriculture

Presentation transcript:

Defining Digital Forensic Examination & Analysis Tools Brian Carrier

@stake  Definition of Digital Forensic Science  As defined at DFRWS 2001: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

@stake  Identification and Analysis  We are restricting ourselves to the digital forensic phases of identification and analysis  Using the previous definition, the goal of these phases can be expressed as: To identify digital evidence using scientifically derived and proven methods that can be used to facilitate or further the reconstruction of events in an investigation.  All evidence is needed: –Inculpatory Evidence –Exculpatory Evidence –Traces of tampering

@stake  Digital Forensics Complexity Problem  Data is typically acquired in its most raw format  This is generally difficult for investigators to understand  This problem has been solved by using tools to translate data through one or more layers of abstraction until it can be understood.  Abstraction Layer Examples: –File System Directories –ASCII –HTML –Network Packets –Intrusion Detection Systems (IDS)

@stake  Digital Forensic Analysis Tools  It is proposed that the purpose of digital forensic analysis tools is to accurately present all data at a layer of abstraction and format that can be effectively used by an investigator to identify evidence.  The needed layer of abstraction is dependent on the case and investigator

@stake  Abstraction Layers  Used by all digital systems to customize generic interfaces  Function with two inputs and two outputs  The input rule set is typically the design specification

@stake  Tool Implementation Error  Errors introduced by bugs in the tools  Examples: –General programming bugs –Tool used an incorrect specification –Tool used the correct specification, but the original source did not  One can assume that the bugs are fixed when identified  To factor in the potential for unknown bugs, a value could be calculated based on the history of a tool –Likely be difficult to maintain for closed source tools that hide bugs that are not made public

@stake  Abstraction Error  Errors introduced by the abstraction theory  Exists in layers that were not part of the original design  Examples: –Log processing –IDS alerts  This error can improve with research and better abstraction theories

@stake  Analysis Tool Error Problem  Data from digital forensic analysis tools will have some margin of error associated with them. This does not include the errors associated with previous tampering, acquisition, or interpretation. It only includes Tool Implementation Error and Abstraction Error.  Evidence must have a margin of error associated with it and the output must be verified.

@stake  Layer Characteristics  Abstraction Error: Lossy Layers have an Abstraction Error and Lossless Layers have none  Mapping: A One-to-One Layer can identify the input data given the output data and a Multiple-to-One Layer cannot  Levels: Multiple levels of abstraction can occur, each having several layers of abstraction. A Boundary Layer is the last layer in a level (i.e. file contents).  Tool Types: Translation Tools translate data from one layer to another. Presentation Tools present the layer data in a format that is useful for an investigator: –Directory Entries sorted by directory –Directory Entries sorted by MAC times

@stake  Tool Requirements  Usability: Present data a layer of abstraction that is useful to an investigator (Complexity Problem)  Comprehensive: Present all data to investigator so that both Inculpatory and Exculpatory Evidence can be identified  Accuracy: Tool output must be able to be verified and a margin of error must be given (Error Problem)  Deterministic: A tool must produce the same output when given the same rule set and input data.  Verifiable: To ensure accuracy, one must be able to verify the output by having access to the layer inputs and outputs. Verification can be done by hand or a second tool set.

@stake  Tool Recommendations  Read-Only: Because digital data can be easily duplicated, this is not a requirement. Although, to verify the results a copy of the input will be required at a later date.

@stake  Conclusion  Layers of abstraction are everywhere and have always been used  Formal discussion of them has not occurred with Digital Forensics  Lossy layers will be more common as new approaches are developed to decrease analysis time and log processing times  A Tool Implementation Error value could help quantify the accuracy of a tool