Digital Forensics

What is forensics? Forensic science is any aspect of science as it relates to the law.

What is digital forensics? Digital forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

‡ Forensic science is the application of natural science to matters of law
‡ Forensic science seeks to find the root cause of an event
‡ To be considered a discipline, Digital Forensic Science must be characterized by the following associated entities:
± Theory: a body of statements and principles that attempts to explain how things work
± Abstractions and models: considerations beyond the obvious, factual, or observed
± Elements of practice: related technologies, tools, and methods
± Corpus of literature and professional practice
± Confidence and trust in results: usefulness and purpose
‡ The current state of Digital Forensic Science exhibits only some of these characteristics, and they are not tied to specific disciplinary practices considered by any group as scientifically rigorous.

Formally, digital forensics is: the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or

helping to anticipate unauthorized actions shown to be disruptive to planned operations.

Framework for an Investigative Process for Digital Forensics:

‡ Identification
± Event/crime detection
± Resolve signature
± Profile detection
± Anomalous detection
± Complaints
± System monitoring
± Audit analysis
‡ Preservation
± Case management
± Imaging technologies
± Chain of custody
± Time synchronization
‡ Collection
± Preservation
± Approved methods
± Approved software
± Approved hardware
± Legal authority

± Lossless compression
± Sampling
± Data reduction
± Recovery techniques
‡ Examination
± Preservation
± Traceability
± Validation techniques
± Filtering techniques
± Pattern matching
± Hidden data discovery
± Hidden data extraction
‡ Analysis
± Preservation
± Traceability
± Statistical
± Protocols
± Data mining
± Timeline
± Link
± Special

‡ Presentation
± Documentation
± Expert testimony
± Clarification
± Mission impact statement
± Recommended countermeasure
± Statistical interpretation

Structuring and Formalizing the Digital Forensic Process:

‡ Reliable methods*
± Help distinguish evidence from coincidence without ambiguity
± Allow alternative results to be ranked by some principle basic to the sciences applied
± Allow for certainty considerations wherever appropriate through this ranking of available alternatives
± Disallow hypotheses more extraordinary than the facts themselves
± Pursue general impressions to the level of specific details
± Pursue testing by breaking hypotheses (alternative explanations) into their smallest logical components, risking one part at a time
± Allow tests either to prove or disprove alternative explanations (hypotheses)
‡ A formalized approach
± Has specific rules, structure and vocabulary
± Allows repeatability

± May be used to verify a process
‡ End-to-end digital investigation (EEDI)
± Complex attacks begin with the attacker and end with the victim
± Requires a corroborated or linked chain of evidence
‡ Using the Digital Investigation Process Language (DIPL) to describe the investigative process
± Allows us to describe the process
± Allows us to describe the attack as perceived by the investigator
± Permits verification of a complex investigation during the investigation, to identify holes in the evidence chain and suggest how to plug those gaps
± Permits verification that the investigative process was complete and correct and followed a reliable method of inquiry*
‡ Integrity
‡ Competence
‡ Defensible technique
‡ Relevant experience

Problems We Want to Solve:

‡ Inconsistency in forensic analysis of digital events
‡ Inconsistencies in interpreting digital evidence in complex attacks

‡ Inconsistencies in representing results of digital investigations
‡ Incomplete or unsupported evidence chains in complex digital investigations, possibly leading to erroneous conclusions
‡ Current tendency to focus upon specific platforms or environments instead of a generalized process

The End-to-End Digital Investigative Process (EEDI):

‡ EEDI takes the view that the incident begins at the attacker, ends at the victim, and includes everything in between
‡ First rule of end-to-end forensic digital analysis
± Primary evidence must always be corroborated by at least one other piece of relevant primary evidence to be considered a valid part of the evidence chain. Evidence that does not fit this description, but does serve to corroborate some other piece of evidence without itself being corroborated, is considered to be secondary evidence.
± Exception: the first piece of evidence in the chain from the Identification layer
‡ Must be well corroborated with secondary evidence

An Example of an End-to-End Investigation:

‡ Identification
± Call received
‡ Preservation
± Case file opened
± Server imaged

± Image in chain of custody
± Server logs preserved
± Entry in case file
‡ Collection
± SafeBack used
± Policies reviewed for authority to proceed
± Began interviews
± Event described
‡ Unavailable mortgage database
‡ Server checked: db gone
‡ Observed action by admin, including remote login
‡ Restore from backup unsuccessful, data bad
± Entry in case file
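The first rule of end-to-end analysis, applied to the evidence items of the mortgage-database example above, as an added example that is not part of the lecture: the item ids, layers and corroboration links are constructed assumptions. It shrinks the set of primary items until each one is backed by another primary item, applies the Identification-layer exception, and reports the holes in the chain that DIPL verification is meant to surface.

```python
from dataclasses import dataclass

# Process layers from the framework above; a layer with no primary evidence is a hole.
LAYERS = ("identification", "preservation", "collection", "examination", "analysis")

@dataclass
class Evidence:
    id: str
    layer: str
    note: str
    corroborates: frozenset = frozenset()  # ids of the items this item supports

def classify(chain):
    """Label each item primary / secondary / unsupported under the first rule."""
    supporters = {e.id: set() for e in chain}
    for e in chain:
        for target in e.corroborates:
            supporters.setdefault(target, set()).add(e.id)
    # Exception: the first Identification-layer item may rest on secondary evidence.
    root = next((e.id for e in chain if e.layer == "identification"), None)
    primary = {e.id for e in chain}
    changed = True
    while changed:  # shrink until every primary item has a primary supporter
        changed = False
        for e in chain:
            if e.id not in primary:
                continue
            backing = supporters[e.id] if e.id == root else supporters[e.id] & primary
            if not backing:
                primary.discard(e.id)
                changed = True
    return {e.id: "primary" if e.id in primary
            else "secondary" if e.corroborates else "unsupported" for e in chain}

def holes(chain, status):
    """Gaps to plug: uncorroborated items, and layers with no primary evidence."""
    covered = {e.layer for e in chain if status[e.id] == "primary"}
    unsupported = sorted(i for i, s in status.items() if s == "unsupported")
    return unsupported, [layer for layer in LAYERS if layer not in covered]

# Constructed evidence items for the mortgage-database example; links are assumed.
CHAIN = [
    Evidence("E1", "identification", "Call received: mortgage database unavailable"),
    Evidence("E2", "preservation", "Server imaged", frozenset({"E3", "E4"})),
    Evidence("E3", "preservation", "Server logs preserved", frozenset({"E2", "E5"})),
    Evidence("E4", "collection", "Server checked: database gone", frozenset({"E1"})),
    Evidence("E5", "collection", "Admin remote login observed", frozenset({"E4"})),
    Evidence("E6", "collection", "Restore from backup failed, data bad"),
    Evidence("E7", "collection", "Interview: admin describes the event", frozenset({"E5"})),
]
```

Running `classify(CHAIN)` marks E1 to E5 primary, E7 secondary (it corroborates E5 but nothing corroborates it) and E6 unsupported; `holes` then lists E6 and the Examination and Analysis layers as gaps still to be plugged.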
