Presentation is loading. Please wait.

Presentation is loading. Please wait.

Six Blind Men from Indostan Mark M. Pollitt Digital Evidence Professional Services, Inc.

Published byColten Spence Modified over 9 years ago

Similar presentations

Presentation on theme: "Six Blind Men from Indostan Mark M. Pollitt Digital Evidence Professional Services, Inc."— Presentation transcript:

1 Six Blind Men from Indostan Mark M. Pollitt Digital Evidence Professional Services, Inc.

2 Once upon a time, there were six blind men from Indostan…

3 One thought that the elephant looked like a snake Another a leaf Another a spear Another a wall Another a rope Another a tree trunk

4 So what does that have to do with digital forensics? We approach DF from different perspectives and with different goals Is DF: –An investigative task? –A forensic science? –Sensors for computer security? –Part of incident response?

5 The answer to these questions is

6 But…

7 Forensics is not an elephant, it is a process! But, we just can’t seem to agree on what the process is…

8 NIST Incident Response Model NIST SP 800-61

9 End to End Digital Investigation Collecting Evidence Analysis of individual events Preliminary correlation Event normalizing Event deconfliction Second level correlation (normalized and non-normalized events) Timeline analysis Chain of evidence construction Corroboration (non-normalized events) Digital Investigation Peter Stephenson, APPLICATION OF FORMAL METHODS TO ROOT CAUSE ANALYSIS OF DIGITAL INCIDENTS, 2003

10 Forensic Science Process Acquisition & Preservation ExaminationAnalysisPresentation Forensic Process

11

12 The DFRWS 2001 “Process” Chart courtesy of Peter Stephenson

13 Zachman EA Framework http://www.feacinstitute.org/enterprise_architecture/federal_enterprise_architecture/index.htm#

14 Zachman EA Framework Views Artifacts Functions http://www.feacinstitute.org/enterprise_architecture/federal_enterprise_architecture/index.htm#

15 Viewing the DFRWS as a Framework Chart courtesy of Peter Stephenson

16 IDENTIFICATIONPRESERVATIONCOLLECTIONEXAMINATIONANALYSISPRESENTATION Functions

17 IDENTIFICATIONPRESERVATIONCOLLECTIONEXAMINATIONANALYSISPRESENTATION Hidden data extraction Pattern Matching Filtering Tasks

18 IDENTIFICATIONPRESERVATIONCOLLECTIONEXAMINATIONANALYSISPRESENTATION Hidden data extraction Pattern Matching Filtering Legal Authority Legal Authority Traceability Tasks Constraints

19 IDENTIFICATIONPRESERVATIONCOLLECTIONEXAMINATIONANALYSISPRESENTATION Roles, aka Views? Roles

20 Might look something like this: Role IDENTIFICATIONPRESERVATIONCOLLECTIONEXAMINATIONANALYSISPRESENTATION Incident Response Security Management Criminal Investigations LE Forensic Examination Civil Discovery Intelligence

21 IDENTIFICATIONPRESERVATIONCOLLECTIONEXAMINATIONANALYSISPRESENTATION Time?

22 This is where it gets difficult, we don’t seem to agree on the same temporal order. In fact, we don’t seem to use the same functions for each case/view/role.

23 Maybe we don’t have to… The temporal order is not defined by “forensics”, as a process, but rather constrained by the role’s purpose for using forensics.

24 Another way to describe this: Forensics is not a single process, but is A set of tasks that can be grouped into Functions that are selected based upon The purpose for which the process is being applied (role) and are Bound by constraints that are Defined by either internal or external requirements

25 Another way to describe this: Forensics is not a single process, but is A set of tasks that can be grouped into Functions that are selected based upon The purpose for which the process is being applied (role) and are Bound by constraints that are Defined by either internal or external requirements

26 Is this THE answer? Of course not! Frameworks are always “works in progress” That should not stop us from taking new steps each day Frameworks get better with application

27 Applying this to Research Issues Research can be focused on: –Functions –Tasks –Constraints –Process –Roles –Or the interrelationships between these

28 Conclusion The core DFRWS framework is sound It can be developed, extended and refined It can be used as both a framework and a vocabulary for research and practice The next steps are in your hands!

29 I Sincerely Thank You for Your Time Your Attention Your Contributions to the field Your participation in the remainder of this conference Mark M. Pollitt President Digital Evidence Professional Services, Inc.

Download ppt "Six Blind Men from Indostan Mark M. Pollitt Digital Evidence Professional Services, Inc."

Similar presentations

Five Blind Men and an Elephant. Five blind men were taken to see an elephant. Each examined it as best he could, and described it in terms of his experience.

Five Blind Men and an Elephant. Five blind men were taken to see an elephant. Each examined it as best he could, and described it in terms of his experience.
A Paradigm - a perspective of way of looking at the world.

A Paradigm - a perspective of way of looking at the world.
The Blind Men and the Elephant

The Blind Men and the Elephant
Database Principles Conceptual Modeling. Database Principles What is a Conceptual Model? A mental model of the world around us Models necessarily mean.

Database Principles Conceptual Modeling. Database Principles What is a Conceptual Model? A mental model of the world around us Models necessarily mean.
Observation, Perception & Theory Theoretical Framework.

Observation, Perception & Theory Theoretical Framework.
Evaluating Training. Aims 1. To share and explore purposes and processes for evaluation 2. To examine attitudes and beliefs about evaluation.

Evaluating Training. Aims 1. To share and explore purposes and processes for evaluation 2. To examine attitudes and beliefs about evaluation.
December 13, 2011 ICSD facilitated by Dr. Heather Sheridan-Thomas & Cheryl Covell TST BOCES Network Team Lead Evaluator of Teachers Training: Session 4.

December 13, 2011 ICSD facilitated by Dr. Heather Sheridan-Thomas & Cheryl Covell TST BOCES Network Team Lead Evaluator of Teachers Training: Session 4.
We’ve got what it takes to take what you got! NETWORK FORENSICS.

We’ve got what it takes to take what you got! NETWORK FORENSICS.
INTRODUCTION TO INVESTIGATION Mr. Cappello Sir Robert Borden High School 9-1-1 Specialist High Skills Major Program.

INTRODUCTION TO INVESTIGATION Mr. Cappello Sir Robert Borden High School Specialist High Skills Major Program.
Fundamentals of Computer Forensics Fundamentals of Computer Forensics by Jim Bates,published Feb 1997, International Journal of Forensic Computing “…This.

Fundamentals of Computer Forensics Fundamentals of Computer Forensics by Jim Bates,published Feb 1997, International Journal of Forensic Computing “…This.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Forensic and Investigative Accounting

Forensic and Investigative Accounting
Pilot test Group 6. Pilot test We conducted 2 tests with the same person. Test 1: Blindfolded Test 2: User A (one of 4 users in our protocol) Data collecting:

Pilot test Group 6. Pilot test We conducted 2 tests with the same person. Test 1: Blindfolded Test 2: User A (one of 4 users in our protocol) Data collecting:
University of Wisconsin - Extension, Cooperative Extension, Program Development and Evaluation Unit 6: Analyzing and interpreting data “There’s a world.

University of Wisconsin - Extension, Cooperative Extension, Program Development and Evaluation Unit 6: Analyzing and interpreting data “There’s a world.
Chapter 1 The Nature of Science

Chapter 1 The Nature of Science
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Reliability & Validity Qualitative Research Methods.

Reliability & Validity Qualitative Research Methods.
Introduction to Investigation

Introduction to Investigation
An Event-based Digital Forensic Investigation Framework Brian D. Carrier Eugene H. Spafford DFRWS 2004.

An Event-based Digital Forensic Investigation Framework Brian D. Carrier Eugene H. Spafford DFRWS 2004.
Preparing for Data Collection Need to recognize that data collection is a high level activity that cannot be just passed off to graduate assistant Need.

Preparing for Data Collection Need to recognize that data collection is a high level activity that cannot be just passed off to graduate assistant Need.

Similar presentations

Ads by Google