Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Event-based Digital Forensic Investigation Framework Brian D. Carrier Eugene H. Spafford DFRWS 2004.

Published byCharles Beasley Modified over 9 years ago

Similar presentations

Presentation on theme: "An Event-based Digital Forensic Investigation Framework Brian D. Carrier Eugene H. Spafford DFRWS 2004."— Presentation transcript:

1 An Event-based Digital Forensic Investigation Framework Brian D. Carrier Eugene H. Spafford DFRWS 2004

2 Outline Basic concepts The big picture of investigations Digital crime scene investigation Summary

3 Digital Data & Objects Digital data: Data represented in a numerical form Digital object: A discrete collection of digital data All digital data has a physical form –Magnetic Fields –Voltage Levels

4 States & Events State: The value of an object’s characteristics Event: An occurrence that changes the state of one or more objects –Cause: An object whose state was used by the event –Effect: An object whose state was changed by an event

5 Basic Event: Appending a File

6 Incidents & Investigations Incident/Crime: An event that violates a policy or law Investigation: A process that develops and tests hypotheses to answer questions about events that occurred

7 Evidence There is evidence of an event if the effect objects still exist Digital Evidence: A digital object that contains reliable information that supports or refutes a hypothesis about the incident –A hard disk is physical evidence

8 What about “Forensics”? “Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law” –American Heritage Dictionary Digital Investigation vs. Digital Forensic Investigation: The legal requirements

9 Digital Forensic Investigation A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.

10 The Big Picture

11

12 Digital Crime Scene Investigation

13 Digital Crime Scene Investigation Goal: To determine what digital events occurred by recognizing digital evidence Three Phases: –Crime Scene Preservation & Documentation –Evidence Search & Documentation –Event Reconstruction & Documentation

14 Phase 1: Digital Crime Scene Preservation & Documentation

15 Scene Preservation & Documentation Goal: Preserve the state of as many digital objects as possible and document the crime scene. Methods: –Shut system down and copy it –Unplug from network & kill processes –Do nothing

16 Is it Necessary? An investigation does not need preservation A forensic investigation may need preservation Are bitwise-images needed? –Do we take buildings as evidence? Legal requirements dictate the technical requirements of this phase

17 Phase 2: Digital Evidence Searching and Documentation

18 Evidence Searching & Doc Need to find evidence of events Goal: To recognize the digital objects that may contain information about the incident and document them.

19

20 Existing Research (1) Target definition –Stallard & Levitt - Automated Analysis for Digital Forensic Science: Semantic Integrity Checking –Carrier & Spafford - Defining Searches of Digital Crime Scenes –Manually - experience and training –Stego & malware signatures –Many others….

21 Existing Research (2) Extraction –All current “forensic” tools –Carrier - Defining Digital Forensic Examination and Analysis Tools Comparison –Visual (most tools) –Equality (keyword searching)

22 Phase 3: Digital Event Reconstruction and Documentation

23 Event Reconstruction Need to translate evidence into events Goal: To determine and document the events for which evidence exists and has been collected Not currently supported by many tools

24

25 Evidence Examination Role Classification

26 Event ConstructionEvent Sequencing

27 Existing Research Carney & Rogers - The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction - IJDE Carrier & Spafford - Defining Digital Crime Scene Event Reconstruction - JFS Gladyshev & Patel - Finite State Machine Approach to Digital Event Reconstruction - JDI Stephenson - Modeling of Post-Incident Root Cause Analysis - IJDE

28 Conclusion High-level phases based on investigation goals: –Digital Crime Scene Preservation –Digital Evidence Search –Digital Event Reconstruction Similar to physical crime scene investigation

Download ppt "An Event-based Digital Forensic Investigation Framework Brian D. Carrier Eugene H. Spafford DFRWS 2004."

Similar presentations

Complex Recovery/ Data Reduction DFRWS 2002. Technical Issues Lots of info to be recovered in in deleted file space Partial data recovery: does this give.

Complex Recovery/ Data Reduction DFRWS Technical Issues Lots of info to be recovered in in deleted file space Partial data recovery: does this give.
Six Blind Men from Indostan Mark M. Pollitt Digital Evidence Professional Services, Inc.

Six Blind Men from Indostan Mark M. Pollitt Digital Evidence Professional Services, Inc.
Crime Scene Investigation Roles 1.0 Describe responsibilities of various personnel involved in crime scene investigations. Examples: police, detectives,

Crime Scene Investigation Roles 1.0 Describe responsibilities of various personnel involved in crime scene investigations. Examples: police, detectives,
MSc in Business Information Technology

MSc in Business Information Technology
We’ve got what it takes to take what you got! NETWORK FORENSICS.

We’ve got what it takes to take what you got! NETWORK FORENSICS.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Computer Forensics and Digital Investigation – a brief introduction Ulf Larson/Erland Jonsson.

Computer Forensics and Digital Investigation – a brief introduction Ulf Larson/Erland Jonsson.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Forensic and Investigative Accounting

Forensic and Investigative Accounting
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J. 2009 w/ T. Scocca.

COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J w/ T. Scocca.
T OWARDS S TANDARDS IN D IGITAL F ORENSICS E DUCATION.

T OWARDS S TANDARDS IN D IGITAL F ORENSICS E DUCATION.
COEN 152 Computer Forensics Introduction to Computer Forensics.

COEN 152 Computer Forensics Introduction to Computer Forensics.
Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.

Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Defining Digital Forensic Examination & Analysis Tools Brian Carrier.

Defining Digital Forensic Examination & Analysis Tools Brian Carrier.
Investigating Cybercrime DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.

Investigating Cybercrime DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.
Digital Crime Scene Investigative Process

Digital Crime Scene Investigative Process
Introduction to ForensicsSection 1 Section 1: Introduction to Forensic Science Preview Bellringer Key Ideas What Is Forensic Science? Tools of Forensic.

Introduction to ForensicsSection 1 Section 1: Introduction to Forensic Science Preview Bellringer Key Ideas What Is Forensic Science? Tools of Forensic.

Similar presentations

Ads by Google