1 Models of Models: Digital Forensics and Domain-Specific Languages
Daniel A. Ray and Phillip G. Bradford
The University of Alabama, Tuscaloosa, AL

2 Outline
Summary
Motivation
Models for Digital Forensics
  Proactive Forensics
  Sequential Statistics
Models for Digital Forensics
  Different from Classical Forensics
  Some Digital Forensics Models
Leverage Computer Science
  Domain-Specific Languages
Conclusions

3 Summary
Modeling the investigative process
Different investigation processes for different incidents
  Classical forensics: different tools and procedures for different incidents
  Digital forensics: different tools and procedures for different incidents
Final objective: make the criminal case obvious to a lay-person
  Depends on the method and procedure of the model
  A failure in evidence gathering may damage or destroy the case

4 Motivation: Classical & Digital Forensics
Computer security is mostly preventative
  Focus on preventative measures
  IDS: anomaly detection may be proactive
Classical forensics is reactive
  Post-mortem
Digital forensics is reactive
  A lot of focus on file recovery from disks
  Generally reactive
Digital forensics has an opportunity to be proactive
  Proactive forensics!
  Online monitoring
  Stakeholders…

5 Motivation: Proactive Computer-System Forensics
System structuring and augmentation for
  Automated data discovery
  Lead formation
  Efficient data preservation
Make these issues proactive: how?
Challenges
  System resources: monitoring and preservation cost CPU, storage and bandwidth on the production system
  Exposure: what is collected for forensics is itself sensitive data, a double-edged sword…

6 Proactive Computer-System Forensics
What data should we capture?
  Different crimes may require different investigative procedures
  Static: when and where illicit data was placed on a disk
  Dynamic: what system states do we document when there is an intrusion?
    What is being written to logs or disks?
    Which programs are being run?
    Where is the smoking gun?
Depending on the nature of our online investigation, we may need to secure evidence under several different models

7 Crime Types
Computer-assisted crimes
  Computers provide basic help in criminal activity
Computer-enabled crimes
  Computers are the primary focus of the criminal activity
Focus:
  Dynamic: computer-enabled crimes
    Range from viruses to spam to sophisticated attacks
  Static: computer-assisted crimes
    Stolen data, spreadsheets used to compute illicit gains, etc.

8 Variations on Digital Equipment and Software
Mobility & wireless
  Cell phones, PDAs, laptops, etc.
Enterprise-level systems
  Database systems, dynamic Internet sites, large proprietary systems
Distributed systems
  Virtual private networks, network file systems, user mobility, distributed computation, etc.

9 Gathering Statistics for Proactive Forensics
Running sequential statistical procedures
  What data to save?
  The data we need may change as things progress
  Proactive, not reactive
  How much data do we save?
  How costly?
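The slide names sequential statistical procedures without showing one. The following is an added example, not code from the slides or from Ray and Bradford, of how such a procedure can answer the "what do we save, and how much" questions: Page's CUSUM over a stream of event counts decides, one observation at a time, whether the system has shifted from its normal behaviour; until it does, the monitor keeps only a small ring buffer, and when it alarms, that buffer is frozen as the pre-incident context to preserve. The Poisson model, the rates LAM0/LAM1, the threshold H, the window size and the two sample streams are all assumptions constructed for the illustration.

```python
"""Added example (not from the slides): a sequential statistical trigger for
proactive evidence preservation.

Assumptions: the monitored quantity is a per-minute count of some event (say,
failed logins) that is Poisson with rate LAM0 in normal operation and LAM1
during an attack. Page's CUSUM accumulates the Poisson log-likelihood ratio of
each count and alarms once the running sum exceeds a threshold H. Until then
only a ring buffer of recent counts is kept, so the cost of being proactive is
bounded; on alarm the buffer (the pre-alarm context) is returned as the data
worth preserving. Rates, threshold and sample streams are constructed.
"""
import math
from collections import deque


class PoissonCusum:
    """One-sided CUSUM for a rate shift from lam0 up to lam1 (lam1 > lam0)."""

    def __init__(self, lam0: float, lam1: float, h: float):
        if not 0 < lam0 < lam1:
            raise ValueError("need 0 < lam0 < lam1")
        self.lam0, self.lam1, self.h = lam0, lam1, h
        self.stat = 0.0  # S_0 = 0

    def llr(self, k: int) -> float:
        """log P(k | lam1) - log P(k | lam0) for a Poisson count k.
        The k! terms cancel, leaving k*ln(lam1/lam0) - (lam1 - lam0)."""
        return k * math.log(self.lam1 / self.lam0) - (self.lam1 - self.lam0)

    def update(self, k: int) -> bool:
        """S_n = max(0, S_{n-1} + llr(k)); True once S_n reaches the threshold."""
        self.stat = max(0.0, self.stat + self.llr(k))
        return self.stat >= self.h


def monitor(stream, lam0: float, lam1: float, h: float, window: int = 4):
    """Scan `stream` with CUSUM. Returns (alarm_index, preserved_context):
    alarm_index is the 0-based position of the count that raised the alarm and
    preserved_context the last `window` counts up to and including it.
    Returns (None, []) if no alarm fires."""
    detector = PoissonCusum(lam0, lam1, h)
    recent = deque(maxlen=window)   # bounded memory while nothing is happening
    for i, k in enumerate(stream):
        recent.append(k)
        if detector.update(k):
            return i, list(recent)
    return None, []


# Constructed samples: a quiet stream, and five quiet minutes then a burst.
QUIET = [1, 3, 2, 2, 1, 2, 0, 3]
BURST = [1, 3, 2, 2, 1, 12, 15, 11, 14]
LAM0, LAM1, H = 2.0, 10.0, 15.0


def demo() -> dict:
    return {
        "quiet": monitor(QUIET, LAM0, LAM1, H),
        "burst": monitor(BURST, LAM0, LAM1, H),
    }


if __name__ == "__main__":
    print(demo())
```

With these parameters the quiet stream never alarms, and the burst stream alarms on its seventh count (index 6), returning the four counts `[2, 1, 12, 15]` that straddle the onset. The threshold H trades detection delay against false alarms; lowering it alarms sooner but preserves more data that later proves irrelevant, which is exactly the resource question the slide raises.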

10 The DFRWS Model
The DFRWS 2001 investigative framework (identification, preservation, collection, examination, analysis, presentation, decision)
http://www.dfrws.org/2001/dfrws-rm-final.pdf

11 Ciardhuain Model by S. O. Ciardhuain
Extends the DFRWS model by working on information flows
Class-based model
  Authorization activity
  Planning activity
  Notification activity
  Hypothesis activity
  etc.
An augmented "waterfall model"
  Supports iterative backtracking between consecutive activities
  Models information flows
  Feedback and critique

12 Mobile Forensics Platform (MFP) by F. Adelstein
A portable platform for remotely performing early investigation of an incident
Analyzes a live, running machine
Preserves the original evidence, which is verifiable by a cryptographic hash
Connects to the same LAN as the suspect machine

13 DSLs
DSLs are "…languages tailored to a specific application domain" (Mernik, Heering, and Sloane)
Most digital forensics models have a good deal in common
  Evidence verification and storage
  Flow of investigation
  Pulling together data storage, data modeling and authentication/verification
  Combining other DSLs: XML, UML, DB blobs, etc.

14 DSLs
May be fairly complex to build a single DSL
  However, worth investigating
Must be a very trusted language
  Numerous cases may depend on the trust level of the language
Move from "best practices" to more formal "programming patterns for digital forensics"
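Slides 12 through 14 describe, but do not show, the two features a forensics DSL would have to cover: hash-verifiable evidence (the MFP point) and a controlled flow of investigation (the Ciardhuain activities with one-step backtracking). The following is an added illustration, not code from the slides or from Ray and Bradford, of a tiny embedded DSL in Python that does both. The activity names and the backtracking rule follow slide 11; the SHA-256 hash chain over the custody log, the class and method names, and the sample evidence bytes are this example's own assumptions.

```python
"""Added illustration (not from the slides): an embedded DSL for a hash-verified
investigation. An Investigation moves forward through the ordered ACTIVITIES
or falls back one step with a critique; every information flow (advance,
backtrack, acquire) is appended to a custody log in which each entry commits
to the hash of the previous one, so editing, reordering or dropping an entry
is detectable. Evidence items are stored as SHA-256 digests fixed at
acquisition time. Names and the chain layout are assumptions of this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

ACTIVITIES = ("authorization", "planning", "notification", "hypothesis")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GENESIS = sha256_hex(b"")  # chain anchor for an empty custody log


@dataclass(frozen=True)
class EvidenceRecord:
    label: str
    digest: str    # SHA-256 of the bytes as acquired
    activity: str  # activity during which the item was acquired


@dataclass
class Investigation:
    case_id: str
    step: int = 0
    evidence: list = field(default_factory=list)
    log: list = field(default_factory=list)  # hash-chained custody log
    head: str = GENESIS

    @property
    def activity(self) -> str:
        return ACTIVITIES[self.step]

    def _record(self, event: dict) -> str:
        """Append an information-flow event to the chain; return the new head."""
        entry = dict(event, case=self.case_id, prev=self.head)
        self.head = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)
        return self.head

    def advance(self) -> str:
        if self.step + 1 >= len(ACTIVITIES):
            raise ValueError("already in the final activity")
        nxt = ACTIVITIES[self.step + 1]
        self._record({"flow": "advance", "from": self.activity, "to": nxt})
        self.step += 1
        return nxt

    def backtrack(self, critique: str) -> str:
        """Feedback may only return to the preceding activity (augmented waterfall)."""
        if self.step == 0:
            raise ValueError("nothing to backtrack to")
        prev = ACTIVITIES[self.step - 1]
        self._record({"flow": "backtrack", "from": self.activity, "to": prev,
                      "critique": critique})
        self.step -= 1
        return prev

    def acquire(self, label: str, data: bytes) -> EvidenceRecord:
        """Fix the digest of an evidence item and log the acquisition."""
        rec = EvidenceRecord(label, sha256_hex(data), self.activity)
        self._record({"flow": "acquire", "label": label, "digest": rec.digest,
                      "activity": self.activity})
        self.evidence.append(rec)
        return rec

    @staticmethod
    def verify_evidence(rec: EvidenceRecord, data: bytes) -> bool:
        """True iff `data` is byte-for-byte what was acquired."""
        return hmac.compare_digest(rec.digest, sha256_hex(data))

    def verify_log(self) -> bool:
        """Recompute the chain from GENESIS; any edited, reordered or dropped
        entry makes a prev pointer (or the final head) disagree."""
        head = GENESIS
        for entry in self.log:
            if entry["prev"] != head:
                return False
            head = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        return head == self.head


def demo() -> dict:
    """Walk one constructed case through the DSL, then tamper with its log."""
    inv = Investigation("case-0001")
    sample = b"constructed memory image bytes"     # stand-in for acquired evidence
    rec = inv.acquire("memdump", sample)
    inv.advance()                                   # authorization -> planning
    inv.advance()                                   # planning -> notification
    inv.backtrack("plan omitted the mail server")   # notification -> planning
    result = {"activity": inv.activity,
              "evidence_intact": inv.verify_evidence(rec, sample),
              "modified_evidence_detected": not inv.verify_evidence(rec, sample + b"!"),
              "log_ok": inv.verify_log()}
    inv.log[0]["label"] = "swapped"                 # simulate after-the-fact editing
    result["log_tamper_detected"] = not inv.verify_log()
    return result


if __name__ == "__main__":
    print(demo())
```

The DSL encodes the model's rules as the only operations available: an investigator cannot jump from authorization to hypothesis, and cannot alter what was acquired or when without breaking the chain. That is the practical content of the slide's "very trusted language": the trust an investigator places in the record reduces to trust in SHA-256 and in the small interpreter above, which is far easier to review than an ad hoc collection of scripts.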

15 Conclusions
Digital forensics is complex
Digital forensics models are complex
  Static and dynamic
There may be a need to automatically choose from a diversity of digital forensics models
  A programming language
