Published by Sharleen Hawkins. Modified over 8 years ago.
Slide 1: Triage and Analysing Large Numbers of Files
Michael Jones
Slide 2: The Challenges of Digital Forensics
Main issues:
– Limitations of current forensic software tools
– Proliferation of hardware
– The cloud
– Proliferation of software
– People
Slide 3: Limitations of Forensics Tools
Current forensics tools:
– Are ‘evidence oriented’ (Garfinkel 2010, available at: http://www.dtic.mil/dtic/tr/fulltext/u2/a549288.pdf)
– Designed for paedophile cases, not for hacking incidents
– Objective: completeness rather than speed
– Cross-case analysis not possible due to risk of contamination
Slide 4: Advances in Hardware
More devices
– Phones, tablets, SD cards, printers, wearable computers?
More storage
– Including network devices
More networking
Hardware encryption
– Or through software
Slide 5: Software Developments
Apps
– Large number and growing
– Potential for proprietary file formats
– Most common apps already handled: Facebook, Twitter, etc.
Slide 6: People
Limited number of certified people
Cost of certification, training
Cost of investigations and prosecutions
– Forensic personnel
– Equipment
– Others: CPS, police, judge, etc.
Slide 7: Additional Issue: Feinting
Feint
– Noun: A deceptive or pretended blow, thrust, or other movement, especially in boxing or fencing.
– Verb: Make a deceptive or distracting movement, typically during a fight.
Example:
– A paedophile might place some ‘low-level’ images in an easy-to-reach location
Slide 8: Responses
Many of these issues are difficult to address
Pre-emptive action: lowering the bar
– More draconian usage agreements
Constant monitoring
– E.g., ‘listening to the network’
Triage
Slide 9: Triage
Definitions:
– Noun: The action of sorting according to quality.
– Verb: Assign degrees of urgency to (wounded or ill patients).
In digital forensics
– Used to prioritise activities, e.g., in a live capture or where large storage is included
Slide 10: Scenario
There is a suspicion of fraud being conducted in a small office within a larger building.
– Many computers may be involved
– Other devices?
What will the priorities be?
– ‘Pull the plug’?
– What to look at first?
Slide 11: Triage Process
E.g., Rogers et al. Available at: http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=document_general_info&cPath=11&products_id=228
Question: how to identify the priorities?
– Answers linked to: time available, staff skills and software available, crime being investigated
Slide 12: General Triage Priorities
If crime involves mobility (e.g., drug dealer):
– Priorities: small devices, phones
– ISP – for call information
If crime linked to fixed locations (e.g., fraud):
– Consider live forensics
– And look for confessions
– Or: software to scan and process large numbers of files
Slide 13: Analysing a Large Number of Files
Multiple processes need to be applied
– Identify file type
– Extract metadata
– Custom processing
Tools:
– Scripting
– Bespoke software
Slide 14: Example: iterating through a directory
To apply the same process to each file in a directory:

    #!/bin/bash
    # Apply the same process (here: print the name) to each file in a directory
    for file in /etc/*
    do
        echo "${file}"    # quoted so names containing spaces are handled
    done
Slide 15: Example: Using PHP

    <?php
    // exif.php: run exiftool over every file in one directory and save
    // each report as <name>.txt in a second directory
    if ($argc < 3) {
        fwrite(STDERR, "Usage: php exif.php <fromDir> <toDir>\n");
        exit(1);
    }
    $fromDir = rtrim($argv[1], '/');
    $toDir   = rtrim($argv[2], '/');
    $entries = glob("$fromDir/*");
    foreach ($entries as $entry) {
        if (!is_file($entry)) {
            continue;   // skip sub-directories
        }
        // Build the output name from the file name alone
        $toFile = $toDir . '/' . basename($entry) . '.txt';
        // Quote both paths so file names containing spaces, quotes or other
        // shell metacharacters reach exiftool verbatim
        exec('exiftool ' . escapeshellarg($entry) . ' > ' . escapeshellarg($toFile));
    }
    ?>

Usage: php exif.php physical/jpg analysis/jpg
Slide 16: Verification
When writing (or using) scripts (or software) it is important to verify them
Axiomatic verification
– Assume that the script/software is forensically sound
Inductive verification
– Set up one or more experiments (to which the answers are known) and run the script/software
– Compare the answer with the expected answer
Formal verification
– Using (formal) mathematics
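The three processes listed on the ‘Analysing a Large Number of Files’ slide (identify file type, extract metadata, custom processing) together with the inductive verification described on this slide, as one added Python example that is not part of the original presentation: it walks a directory, identifies each file from its leading bytes rather than its name, records size, modification time and SHA-256, flags files whose extension disagrees with their signature, and then runs itself over a constructed set of fixture files whose answers are known. The MAGIC signature table is a small constructed subset, the fixture names and contents are made up for the test, and the size/SHA-256 comparison after the run is the check that the script did not alter the files it read.

```python
"""Added example (not from the slides): identify type, extract metadata and
apply a custom check to every file in a directory, then inductively verify
the script against constructed fixtures with known answers. The signature
table, fixture names and fixture contents are assumptions."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Leading-byte signatures -> type. Deliberately a small, constructed subset.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]
# Extensions expected for each identified type.
EXT_FOR_TYPE = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"},
                "pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx"}}


def identify_bytes(head):
    """Classify a file from its leading bytes alone, ignoring the name."""
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "unknown"


def extract_metadata(path):
    """Size, modification time and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
    return {"size": st.st_size, "mtime": mtime, "sha256": digest.hexdigest()}


def triage_file(path):
    """Identify type, extract metadata and apply one custom check:
    flag files whose extension disagrees with their signature."""
    with open(path, "rb") as fh:
        kind = identify_bytes(fh.read(16))
    ext = os.path.splitext(path)[1].lower()
    record = {"path": path, "type": kind, **extract_metadata(path)}
    record["ext_mismatch"] = (kind != "unknown"
                              and ext not in EXT_FOR_TYPE.get(kind, set()))
    return record


def triage_directory(root):
    """Apply the same process to every regular file under root."""
    return [triage_file(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in sorted(names)]


# Inductive verification: constructed fixtures whose answers are known.
# name -> (content, expected type, expected ext_mismatch)
FIXTURES = {
    "photo.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 20, "jpeg", False),
    "report.pdf": (b"%PDF-1.4\n%constructed", "pdf", False),
    "notes.txt": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "png", True),
    "plain.txt": (b"just text\n", "unknown", False),
}


def verify():
    """Run the triage over the fixtures and compare with the expected answers.
    Returns a list of (file, field, expected, actual); empty means pass."""
    failures = []
    with tempfile.TemporaryDirectory() as root:
        for name, (content, _, _) in FIXTURES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        results = {os.path.basename(r["path"]): r for r in triage_directory(root)}
        for name, (content, kind, mismatch) in FIXTURES.items():
            r = results.get(name)
            if r is None:
                failures.append((name, "present", True, False))
                continue
            checks = [("type", kind, r["type"]),
                      ("ext_mismatch", mismatch, r["ext_mismatch"]),
                      # the script must not alter the evidence it reads
                      ("sha256", hashlib.sha256(content).hexdigest(), r["sha256"]),
                      ("size", len(content), r["size"])]
            failures.extend((name, f, e, a) for f, e, a in checks if e != a)
        # no files created or lost while processing
        if len(results) != len(FIXTURES):
            failures.append(("<dir>", "file count", len(FIXTURES), len(results)))
    return failures


if __name__ == "__main__":
    fails = verify()
    print("PASS" if not fails else "\n".join(map(str, fails)))
```

Running the script with no arguments executes only the verification step; `triage_directory(path)` is what you would point at a real evidence directory once `verify()` returns an empty list. The post-run hash and size comparison addresses the contamination risk the summary slide raises: a processing script that rewrote or dropped a file would fail this check before it ever touched case data.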
Slide 17: Summary
Processing a large number of files generally involves scripts or bespoke software
These must be inductively verified using some test data
There are risks:
– That the software does not (always) perform as required
– That the software performs additional actions that contaminate the results