Presentation is loading. Please wait.

Presentation is loading. Please wait.

Models of Models: Digital Forensics and Domain-Specific Languages Daniel A. Ray and Phillip G. Bradford The University of Alabama Tuscaloosa, AL

Published byErik King Modified over 9 years ago

Similar presentations

Presentation on theme: "Models of Models: Digital Forensics and Domain-Specific Languages Daniel A. Ray and Phillip G. Bradford The University of Alabama Tuscaloosa, AL"— Presentation transcript:

1 Models of Models: Digital Forensics and Domain-Specific Languages Daniel A. Ray and Phillip G. Bradford The University of Alabama Tuscaloosa, AL DanielRay@cs.ua.eduDanielRay@cs.ua.edu, pgb@cs.ua.edu pgb@cs.ua.edu DanielRay@cs.ua.edupgb@cs.ua.edu

2 Outline  Summary  Motivation –Proactive Forensics –Sequential Statistics  Models for Digital Forensics –Different from Classical Forensics –Some Digital Forensics Models –Leverage Computer Science  Domain Specific Languages  Conclusions

3 Summary  Modeling the investigative process –Different investigation processes for different incidents  Classical forensics: different tools and procedures for different incidents  Digital forensics: different tools and procedures for different incidents  Final objective: make the criminal case obvious to a lay-person –Depends on the method and procedure of the model  A failure on evidence gathering may damage or destroy the case

4 Motivation: Classical & Digital Forensics  Computer Security is often preventative –Focus on preventative measures  IDS--anomaly detection may be proactive  Classical Forensics is reactive –Post-mortem  Digital forensics is reactive –A lot of focus on file recovery from disks –Generally reactive –Digital Forensics has opportunity to be proactive  Proactive Forensics! –Online Monitoring stakeholders…

5 Motivation: Proactive Computer-System Forensics  System structuring and augmentation for –Automated data discovery –Lead formation –Efficient data preservation  Make these issues proactive –How?  Challenges –System resources –Exposure  Double edged sword…

6 Proactive Computer-System Forensics  What data should we capture? –Different crimes may require different investigative procedures  Static: when and where illicit data was placed on a disk  Dynamic: what system states do we document when there is an intrusion? –What is being written to logs or disks? Which programs are being run? Where is the smoking-gun? –Depending on the nature of our online investigation, we may need to secure evidence in several different models

7 Crime Types  Computer Assisted Crimes –Computers provide basic help in criminal activity  Computer Enabled crimes –Computers are a Primary focus on criminal activity  Focus: –Dynamic: computer enabled crimes  Range from viruses to spam to sophisticated attacks –Static: Computer Assisted Crimes  Stolen data, spreadsheets to compute illicit gains, etc.

8 Variations on Digital Equipment and Software  Mobility & wireless –Cell phones, PDAs, Laptops, etc.  Enterprise Level Systems –Database systems, dynamic Internet sites, large proprietary systems,  Distributed systems –Virtual private networks, network file systems, user mobility, distributed computation, etc.

9 Gathering Statistics for Proactive Forensics  Running sequential statistical procedures –What data to save?  The data we need may change as things progress –Proactive not reactive –How much data do we save? –How costly?

10 The DFRWS Model http://www.dfrws.org/2001/dfrws-rm-final.pdf

11 Ciardhuain Model by S. O. Ciardhuain  Extends DRFWS Model by working on  Extends DRFWS Model by working on information flows   Class-based model – –Authorization activity – –Planning activity – –Notification activity – –Hypothesis activity – –etc.   An augmented “waterfall model” – –supports iterative backtracking between consecutive activities – –models information flows – –Feedback critique

12 Mobile Forensics Platform (MFP) by F. Adelstein   To remotely perform early investigations into mobile incidents   Analyze a live running (mobile) machine   Maintains original evidence which is verifiable by a cryptographic hash   Connect to same LAN as the suspect machine

13 DSLs   DSLs are, “... languages tailored to a specific application domain” Mernik, Heering, and Sloane  Most Digital Forensics Models – Have a good deal in common  Evidence verification and storage  Flow of investigation  Pulling together data storage, data modeling and authentication-verification –Combining other DSLs: XML, UML, DB Blobs, etc.

14 DSLs  May be fairly complex to build a single DSL –However, worth investigating  Must be a very trusted language –Numerous cases may depend on the trust-level of the language  Move from “best practices” to more formal “programming patterns for digital forensics”

15 Conclusions  Digital forensics is complex –Digital Forensics Models are complex  Static and Dynamic  There may be a need to automatically choose from a diversity of digital forensics models –A programming language

Download ppt "Models of Models: Digital Forensics and Domain-Specific Languages Daniel A. Ray and Phillip G. Bradford The University of Alabama Tuscaloosa, AL"

Similar presentations

Network Systems Sales LLC

Network Systems Sales LLC
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
Windows Vista Serious Challenges for Digital Investigators Authors: Darren Hayes Shareq Qureshi Presented By: Prerna Gupta.

Windows Vista Serious Challenges for Digital Investigators Authors: Darren Hayes Shareq Qureshi Presented By: Prerna Gupta.
2 Language of Computer Crime Investigation

2 Language of Computer Crime Investigation
4.1.5 System Management Background What is in System Management Resource control and scheduling Booting, reconfiguration, defining limits for resource.

4.1.5 System Management Background What is in System Management Resource control and scheduling Booting, reconfiguration, defining limits for resource.
Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Requirements Specification

Requirements Specification
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.

Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S09761197.

Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
Nadine Malone. Blogs A Blog is a website where entries are written in chronological order and commonly displayed in reverse chronological order. Blog

Nadine Malone. Blogs A Blog is a website where entries are written in chronological order and commonly displayed in reverse chronological order. "Blog"
Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.

Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
Students: Nadia Goshmir, Yulia Koretsky Supervisor: Shai Rozenrauch Industrial Project 234313 Advanced Tool for Automatic Testing Final Presentation.

Students: Nadia Goshmir, Yulia Koretsky Supervisor: Shai Rozenrauch Industrial Project Advanced Tool for Automatic Testing Final Presentation.
COEN 152 Computer Forensics Introduction to Computer Forensics.

COEN 152 Computer Forensics Introduction to Computer Forensics.
1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB

1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB
A summary of the report written by W. Alink, R.A.F. Bhoedjang, P.A. Boncz, and A.P. de Vries.

A summary of the report written by W. Alink, R.A.F. Bhoedjang, P.A. Boncz, and A.P. de Vries.
MANAGEMENT INFORMATION SYSTEMS Data Raw facts and figures. Information Knowledge gained from processing data. Management information system (MIS) Organized.

MANAGEMENT INFORMATION SYSTEMS Data Raw facts and figures. Information Knowledge gained from processing data. Management information system (MIS) Organized.

Similar presentations

Ads by Google