Using automation to enhance the process of Digital Forensic analysis Daniel Walton School of Computer and Information Science
Supervisor: Dr Elena Sitnikova
Research fields: Computer Forensics & Network Security

Outline
- Introduction
- Motivation
- Research Question
- Methodology
- Research Activities
- References

Introduction to Digital Forensics
- Digital forensics is a branch of forensic science dealing with the acquisition and analysis of data found on digital devices, usually combined with the presentation of the analysis results in court.
- Digital forensics has three major phases (Carrier, 2002):
  - Acquisition
  - Analysis
  - Presentation

Motivation
- Digital forensics has three major phases (Carrier, 2002):
  - Acquisition (manual process)
  - Analysis (time consuming, with room for improvement)
  - Presentation (manual process)
- Storage sizes
  - Storage is constantly increasing in size
  - More places to store evidence (cloud, mobile devices, etc.)
  - Overall more evidence to analyse
- Complexity increasing
  - New operating systems and mobile devices, as well as more types of metadata to extract and analyse (e.g. Windows jump lists)
  - Additional complexity increases analysis and reporting time
- Time
  - Digital forensic analysis is time consuming

Research Question
How can automation be used to improve the digital forensic analysis of computer evidence?
The analysis process includes:
- Metadata collection/extraction: currently many different tools with many different output formats
- Analysis (linking the dots): comparing the extracted information across sources
- Statistics
- Blacklists/whitelists: hash-based de-NISTing (removing files whose hashes appear in a known-file set such as the NIST NSRL) and filename lists
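The blacklist/whitelist step above, written out as an added example (this is not the author's tool, nor any existing NSRL software): the hash sets and filename patterns are hypothetical stand-ins for an NSRL known-good lookup and a malware list, and the sample files are constructed in memory rather than read from an image. The last sample entry shows the caveat a practitioner cares about: a known-good binary renamed to a suspicious name is still sent to the analyst rather than culled.

```python
import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass
class FileEntry:
    path: str
    data: bytes  # in a real case this is read from the disk image, not held in memory


def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest, the key used by NSRL RDS hash sets (MD5 is also published)."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample evidence for the example; not data from a real case.
SAMPLE_FILES = [
    FileEntry("C:/Windows/System32/notepad.exe", b"pretend notepad binary"),
    FileEntry("C:/Users/bob/Documents/report.docx", b"quarterly report text"),
    FileEntry("C:/Users/bob/AppData/Roaming/svch0st.exe", b"pretend malware body"),
    FileEntry("C:/Users/bob/Downloads/mimikatz.exe", b"unknown payload bytes"),
    # Known-good binary renamed to a suspicious name: the hash says notepad,
    # the name says otherwise, so it must still reach the analyst.
    FileEntry("C:/Users/bob/Desktop/mimikatz.exe", b"pretend notepad binary"),
]

# Hypothetical hash sets standing in for an NSRL (known-good) lookup and a
# malware (known-bad) list. Both are keyed by SHA-1 hex digest.
KNOWN_GOOD = {sha1_hex(b"pretend notepad binary")}
KNOWN_BAD = {sha1_hex(b"pretend malware body")}

# Filename blacklist as case-insensitive glob patterns (constructed for the example).
NAME_BLACKLIST = ["mimikatz*", "svch0st.exe", "*.ps1"]


def classify(entry: FileEntry) -> tuple:
    """Return (hash_verdict, name_flagged).

    hash_verdict is 'known-bad', 'known-good' or 'unknown'. The known-bad set is
    checked first so a hash present on both lists is never silently dropped.
    """
    digest = sha1_hex(entry.data)
    name = entry.path.rsplit("/", 1)[-1].lower()
    if digest in KNOWN_BAD:
        verdict = "known-bad"
    elif digest in KNOWN_GOOD:
        verdict = "known-good"
    else:
        verdict = "unknown"
    flagged = any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in NAME_BLACKLIST)
    return verdict, flagged


def triage(entries) -> dict:
    """Split entries into 'review' (needs an analyst) and 'dropped' (known-good hash, benign name)."""
    result = {"review": [], "dropped": []}
    for entry in entries:
        verdict, flagged = classify(entry)
        if verdict == "known-good" and not flagged:
            result["dropped"].append(entry.path)
        else:
            result["review"].append((entry.path, verdict, flagged))
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FILES).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

Only files that are both hash-known-good and name-clean are culled; everything else, including the "unknown" bulk that NSRL cannot vouch for, stays in the review set, which is why de-NISTing reduces volume but does not replace analysis.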

Research sub-questions
Q: How can automation be used to improve the digital forensic analysis of computer evidence?
Sub-questions:
1. What existing tools extract relevant information from evidence, and what is the quality of the information they extract?
2. What solutions exist for parsing the many file and metadata formats that are not yet documented but could contain information of interest?
3. How can a low false-positive and false-negative rate be maintained, i.e. a high detection rate for relevant information without flooding the analyst with irrelevant hits?
4. How would a tool be implemented to validate the proposed automatic analysis method?

Methodology
- Metadata extraction
  - Research into current tools and formats
- Undocumented potential sources of information
  - Examine the industry's current solutions
- Mining for gold (keep the relevant, remove the irrelevant)
  - Methods for culling irrelevant information as well as amplifying relevant information
- Automated analysis
  - Research papers discussing proposals and current solutions
  - Research into potential SIEM-like correlation of events from multiple sources
  - Examine any currently existing tools

Research Activities
- Plaso
  - Compare to log2timeline (Guðjónsson, 2010)
  - Test Python object integration
  - Feasibility study on extending it for automated analysis
- Rule analysis system
  - Simple but flexible rule system (compare the rule languages of Snort and Prelude IDS)
- Statistics
  - Research and test potentially useful techniques (e.g. Bayesian spam-style classification, Markov chains, principal component analysis (PCA))
  - Evaluate the risk of producing too much information; storage and processing optimisation
- Performance
  - Potential bottlenecks in analysis; optimal use of resources
- Reporting
  - What information is needed to generate a computer and user profile report
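The "simple but flexible rule system" over a super-timeline and the SIEM-like multi-source correlation from the Methodology slide, as one added example (this is not the author's tool and not plaso or log2timeline code): the timeline rows are constructed and deliberately simplified to (timestamp, source, message), the source tags WEBHIST/PREFETCH/EVT and the message texts are invented for the illustration, and the two rule kinds are a Snort-style single-event signature and a two-source sequence rule (download of a file followed by its execution within a time window).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified timeline rows for the example: (timestamp, source, message).
# Real log2timeline/plaso CSV output carries many more columns; the source tags
# and message texts here are invented to illustrate the rule logic only.
TIMELINE = [
    ("2013-11-07T09:58:10", "WEBHIST",
     "Firefox download: http://example.invalid/setup.exe -> C:/Users/bob/Downloads/setup.exe"),
    ("2013-11-07T10:01:32", "PREFETCH",
     "Prefetch [SETUP.EXE] executed from C:/Users/bob/Downloads/setup.exe"),
    ("2013-11-07T10:02:05", "EVT",
     "Event 4688 new process C:/Windows/System32/cmd.exe"),
    ("2013-11-07T11:30:00", "WEBHIST",
     "Firefox download: http://example.invalid/report.pdf -> C:/Users/bob/Downloads/report.pdf"),
    ("2013-11-07T15:10:00", "PREFETCH",
     "Prefetch [NOTEPAD.EXE] executed from C:/Windows/System32/notepad.exe"),
]


@dataclass
class Event:
    ts: datetime
    source: str
    message: str


def parse_rows(rows):
    """Build Event objects and sort them chronologically (super-timeline order)."""
    events = [Event(datetime.fromisoformat(ts), src, msg) for ts, src, msg in rows]
    return sorted(events, key=lambda e: e.ts)


# Single-event rules in the spirit of an IDS signature: (rule name, source, regex).
SINGLE_RULES = [
    ("exe-download", "WEBHIST", re.compile(r"download: \S+\.exe\b", re.IGNORECASE)),
    ("shell-spawn", "EVT", re.compile(r"\b4688\b.*cmd\.exe", re.IGNORECASE)),
]

DOWNLOAD_TARGET = re.compile(r"-> (\S+)$")


def single_event_hits(events):
    """Return [(rule name, event)] for every event matching a single-event rule."""
    hits = []
    for event in events:
        for name, source, pattern in SINGLE_RULES:
            if event.source == source and pattern.search(event.message):
                hits.append((name, event))
    return hits


def download_then_exec(events, window=timedelta(minutes=10)):
    """Correlation rule across two sources: a downloaded file that is executed
    (seen in Prefetch) within `window` after the download."""
    alerts = []
    downloads = [e for e in events if e.source == "WEBHIST" and "download:" in e.message]
    executions = [e for e in events if e.source == "PREFETCH"]
    for dl in downloads:
        match = DOWNLOAD_TARGET.search(dl.message)
        if not match:
            continue
        basename = match.group(1).rsplit("/", 1)[-1]
        for ex in executions:
            if dl.ts <= ex.ts <= dl.ts + window and f"[{basename.upper()}]" in ex.message:
                alerts.append({
                    "rule": "download-then-exec",
                    "file": basename,
                    "delta_s": (ex.ts - dl.ts).total_seconds(),
                    "download": dl.ts.isoformat(),
                    "executed": ex.ts.isoformat(),
                })
    return alerts


def run_rules(rows):
    """Run both rule kinds over raw rows; returns (single-event hits, correlation alerts)."""
    events = parse_rows(rows)
    return single_event_hits(events), download_then_exec(events)


if __name__ == "__main__":
    hits, alerts = run_rules(TIMELINE)
    for name, event in hits:
        print(f"{event.ts.isoformat()} {name:15} {event.message}")
    for alert in alerts:
        print(alert)
```

The sequence rule is where the multi-source correlation pays off: neither the browser history nor the Prefetch entry is alarming on its own, but the pair within a short window is, and the window parameter is the knob that trades false positives against false negatives (sub-question 3).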

References
Carrier, B. (2002). Open source digital forensics tools: The legal argument. @stake Research Report.
Guðjónsson, K. (2010). Mastering the super timeline with log2timeline. SANS Institute.