Lessons Learned in digital forensics
Abstract
Writing digital forensics (DF) tools is difficult because of the diversity of
Introduction
As the field of digital forensics (DF) continues to grow
Few of today’s forensic tool developers have formal t
Meaning of digital forensics software

ry dumps, network packet captures, program executable
The use of DF tools

1-criminal investigations
2-internal investigations.
3-audits.

of which have different standards for chain-of-custody, admissibility, and scientific validit
Hackers hide data in several ways

and steganography techniques but can be caught by artifacts, copy forge techniqu
bad sectors or using alternate data stream (ADS) like C:notepade file.txt:hide (he
e files securely for good you need to use Gutmann algorithm for writing 35 times ra
Distinct Sector Hashes for Target file detection

Hashing files to check for file changes
Hashing sectors to discover changes in file segment
Hashing algorithm depends on probability so it won't hash the whole drive bec
Looking for distinct hashes and repeated file patterns using Government data,
Algorithm using urn statistic problem for finding sectors that need to be inspec
Finding distinct and repeated hashes in hard disk sectors
Using different data structures and testing the speed for the file system
Network forensics

Network forensics challenges:
Cloud computing challenges needed new tools
New frontiers in network intrusion starting from the firewall
Emerging Network forensic areas:
Social networks
Data mining
Digital imaging and data visualization
Applying network forensics in critical infrastructures

Botnets
Wireless networks still lacking good forensic tools
Sink holes: accept, analyze and forensically store attack traffic
SCADA (Supervisory control and data acquisition) Challenges

Installs forensic tools at layers 0-2
Smart phone security challenges

Smart phone threat model showing malware spreading from the application layer to th
Lessons in digital forensics

The challenge of data diversity
1-processing incomplete or corrupt data.
2-Why data will not validate?
3-Windows inconsistencies.
4-Eliminate data that are consistent.

Data Scale challenges
1-The amount of data.
2-Applying big data solutions to DF.
ub-linear algorithms for reading secto


hms that operate by sampling data. Sampling is a powerful technique and can frequently fi
he absence of data: the only way to establish that there are no written sectors on a hard d
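The sector-hashing slides above (distinct sector hashes for target file detection) and the sub-linear sampling slide (the urn-statistics argument for how many sectors need inspecting) describe one technique between them without showing it. The following Python is an added example written for this page, not code from the slides or from the work they summarize; the 512-byte sector size, the constructed drive image and target file, the all-zero "common" sector and every function name are assumptions made here.

```python
import hashlib
import random

SECTOR = 512  # assumption: 512-byte sectors, as on older ATA drives


def sector_hashes(data: bytes) -> list:
    """SHA-256 of every sector of `data`; a trailing partial sector is zero-padded,
    as a file system pads the last block of a file on disk."""
    return [hashlib.sha256(data[off:off + SECTOR].ljust(SECTOR, b"\x00")).hexdigest()
            for off in range(0, len(data), SECTOR)]


def distinct_sector_hashes(target: bytes, common: set) -> set:
    """Drop hashes that occur in many unrelated files (all-zero sectors, shared
    headers, ...); only the remaining distinct sectors identify this target."""
    return {h for h in sector_hashes(target) if h not in common}


def build_image(total_sectors: int, target: bytes, at_sector: int, rng: random.Random) -> bytes:
    """Constructed drive image: random filler, 16 all-zero sectors at the front
    (as unused space would look) and `target` written at sector `at_sector`."""
    img = bytearray(rng.randbytes(total_sectors * SECTOR))
    img[0:16 * SECTOR] = bytes(16 * SECTOR)
    img[at_sector * SECTOR:at_sector * SECTOR + len(target)] = target
    return bytes(img)


def scan_all(image: bytes, wanted: set) -> list:
    """Linear baseline: hash every sector of the image."""
    return [i for i, h in enumerate(sector_hashes(image)) if h in wanted]


def scan_sampled(image: bytes, wanted: set, n: int, rng: random.Random) -> list:
    """Sub-linear scan: hash only `n` sectors drawn without replacement."""
    total = len(image) // SECTOR
    hits = []
    for i in rng.sample(range(total), n):
        h = hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
        if h in wanted:
            hits.append(i)
    return sorted(hits)


def miss_probability(total_sectors: int, target_sectors: int, samples: int) -> float:
    """Urn model: probability that `samples` draws without replacement from an
    urn of `total_sectors` contain none of the `target_sectors` we look for,
    i.e. the product over k < samples of (N - m - k) / (N - k)."""
    if samples > total_sectors:
        raise ValueError("cannot sample more sectors than the drive has")
    p = 1.0
    for k in range(samples):
        p *= (total_sectors - target_sectors - k) / (total_sectors - k)
        if p == 0.0:
            break
    return p


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    zero_hash = hashlib.sha256(bytes(SECTOR)).hexdigest()
    common = {zero_hash}                      # constructed "common hash" list
    # constructed target file: 63 random sectors followed by one all-zero sector
    target = rng.randbytes(63 * SECTOR) + bytes(SECTOR)
    wanted = distinct_sector_hashes(target, common)
    image = build_image(4096, target, at_sector=1000, rng=rng)
    return {
        "distinct": len(wanted),                            # 63: the zero sector is dropped
        "full": scan_all(image, wanted),                    # sectors 1000..1062
        "common_hits": scan_all(image, {zero_hash}),        # the 16 filler sectors plus 1063
        "sampled": scan_sampled(image, wanted, 400, rng),   # a subset of 1000..1062
        "p_miss": miss_probability(4096, len(wanted), 400),
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['distinct']} distinct target sectors; full scan hit {len(r['full'])},"
          f" 400-sector sample hit {len(r['sampled'])}; P(miss) = {r['p_miss']:.4f}")
```

scan_all is the O(n) baseline that reads the whole drive; scan_sampled reads only n sectors, and miss_probability gives the chance that such a sample contains none of the target's sectors, which is what lets an examiner pick a sample size for a required confidence instead of reading every sector. Hashes that appear in many files (the all-zero sector here) are removed from the wanted set first, because a hit on a common sector says nothing about whether the target is present.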
Temporal diversity: the never-ending upgrade cycle
Many computer users have learned that upgrades are
1-Upgrading forensics tools
2-Software Versions to be upgraded
3-Encase forensics tool
4-Intelligent forensics tools
Human capital demands and limitations
1-It was found that users of DF software come overwhelming
2-Examiners that have substantial knowledge in one area (e.g
3-developers also with skills like opcodes, multi-threading,
Organization of processes and operating system data structu
The CSI Effect

Hard to recover data in reality
Hard to recover data from Hard disk
Recovering data from hard drives typically involves decoding
Funding problems
The differences between Windows Explorer and EnCase Fore
Lessons learned managing a research corpus

This project started in 1998 and has expanded to incl
downloaded from US Government web servers, disk i
Corpus management -- technical issues
1-Imaging ATA drives
Lesson: read the documentation for the computer that you are using.
Lesson: make the most of the tools that you have and follow the technical innovation
(Because you are dealing with hard disks with different technologies whether
2-Automation as the key to corpus management

Needed a process for capturing the hard disk make, model, serial numb
Lesson: automation is key; any process that involves manual record ke
Lesson: useful data will outlive the system in which it is stored, so mak
3-Evidence file formats (custom container file)

Trying to use his own container files did not work well and he had to use standard co

Lesson: avoid developing new file formats has never been possible.
Lesson: kill your darlings.
4-Crashes from bad drives
Causes of crash are many as it could be kernel memory overwritten or faulty drive or
Lesson: many technical options remain unexplored.
5- Drive failures produce better data

Algorithm1: Developed an algorithm that reads from
Algorithm2: developed a disk imaging program called

Lessons learned

Lesson: Drives with some bad sectors invariably have more sensitive in
Lesson: do research, and only to maintain software that implements a p
6- Numbering and naming

Algorithm1: developed an algorithm that was generating files
Lesson: Names must be short enough to be usable but long e
When I started acquiring data outside the US I discovered that the country of origin w
a batch number allows different individuals in the same country to assign their own n

Lesson: although it is advantageous to have names that contain no semantic content, it is significantly easier to work with names that have some semantic meaning.
7- Path names

Lesson: place access-control information as near to the root of a path name as possible.
8- Anti-virus and indexing

Lesson: Configure anti-virus scanners and other indexing tools to ignore directo

9- Distribution and updates
Lesson: solutions developed by other disciplines for distributing large files rarely wor
Corpus management -- policy issues

1- Privacy issues
Lesson: just because something is legal, you may wish to think twice before you do it.
2- Illegal content: financial, passwords, and copyright
Lesson: never sell access to DF data, even if you have personal ownership.
Lesson: understand Copyright Law before copying other people’s data.
Lesson: make sure your intent is scientific research, not fraud, so that any collection of access
3- Illegal content: pornography
Lesson: do not give minors access to real DF data; do not intentionally extract pornography fro
4- Institutional Review Boards
Lesson: While IRBs exist to protect human subjects, many have expanded their role to protect institutions and experimenters.
Unfortunately this expanded role occasionally decreases the protection afforded human subje
the IRB watching over you, it’s important to watch your back.
Lessons learned developing DF tools

1- Platform and language
2- Parallelism and high performance computing
3- All-in-one tools vs. single-use tools
4- Evidence container file formats
1- Platform and language

1- The easiest way to write multi-platform tools is to write command-li
2-Although C has historically been the DF developer’s language of choic
3-Java has a reputation for being slow especially for high computationa
4-While it is easy to write programs in Python, experience to date has s
2-Parallelism and high performance computing

ications bottlenecks and a lot of times host computer processor is better th
3- All-in-one tools vs. single-use tools

My experience argues that it is better to have a single tool than many:
If there are many tools, most investigators will want to have them all. Splitting functi
Much of what a DF tool does --- data ingest, decoding and enumerating data structu
There is a finite cost to packaging, distributing, and promoting a tool. When a tool ha
4- Evidence container file formats

should be allowed to process inputs in any format and transparently handle disk images in

 2-With network packets the situation is better, with pcap being the universal format.
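As an added example of reading the pcap container that the slide above calls the universal format for network packets (this is code written for this page, not code from the slides or from any named forensic tool), here is a small classic-pcap parser in Python. It handles both byte orders and both timestamp resolutions, rejects a file whose magic or record headers are inconsistent, and reports a capture whose final record was cut off rather than silently dropping it. The frames it writes and reads back are constructed filler with Ethernet-style headers, not captured traffic, and the names Packet, Capture, parse_pcap and write_pcap are this example's own.

```python
import struct
from dataclasses import dataclass, field

# classic pcap magic, keyed by the bytes as they appear on disk:
# value -> (struct byte-order prefix, divisor for the timestamp fraction)
PCAP_MAGIC = {
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # big-endian, microseconds
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # little-endian, microseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # little-endian, nanoseconds
}
GLOBAL_HDR = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, incl_len, orig_len


@dataclass
class Packet:
    ts: float        # seconds since the epoch
    data: bytes      # captured bytes (may be shorter than orig_len)
    orig_len: int    # length on the wire


@dataclass
class Capture:
    linktype: int
    snaplen: int
    packets: list = field(default_factory=list)
    truncated: bool = False   # file ended inside a record


def parse_pcap(blob: bytes) -> Capture:
    """Parse a classic pcap blob; raises on a wrong magic or a corrupt record
    header, but returns what it could read when the file is merely cut short."""
    if len(blob) < GLOBAL_HDR:
        raise ValueError("truncated global header")
    try:
        endian, divisor = PCAP_MAGIC[blob[:4]]
    except KeyError:
        raise ValueError("unknown magic: not a classic pcap file") from None
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", blob[4:GLOBAL_HDR])
    cap = Capture(linktype, snaplen)
    off = GLOBAL_HDR
    while off < len(blob):
        if off + RECORD_HDR > len(blob):
            cap.truncated = True
            break
        sec, frac, incl, orig = struct.unpack(endian + "IIII", blob[off:off + RECORD_HDR])
        if incl > snaplen or incl > orig:
            raise ValueError(f"corrupt record header at offset {off}")
        off += RECORD_HDR
        if off + incl > len(blob):
            cap.truncated = True
            break
        cap.packets.append(Packet(sec + frac / divisor, blob[off:off + incl], orig))
        off += incl
    return cap


def write_pcap(frames, endian: str = "<", nanos: bool = False,
               snaplen: int = 65535, linktype: int = 1) -> bytes:
    """Serialise (timestamp, data, orig_len) tuples; linktype 1 is Ethernet."""
    divisor = 1_000_000_000 if nanos else 1_000_000
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for ts, data, orig in frames:
        sec = int(ts)
        out += struct.pack(endian + "IIII", sec, round((ts - sec) * divisor), len(data), orig)
        out += data
    return out


def demo() -> dict:
    # constructed frames: a 14-byte Ethernet-style header followed by filler bytes
    frames = [
        (1700000000.5, bytes(12) + b"\x08\x00" + b"A" * 40, 54),   # IPv4 ethertype
        (1700000001.25, bytes(12) + b"\x86\xdd" + b"B" * 20, 34),  # IPv6 ethertype
    ]
    blob_le = write_pcap(frames, "<")
    blob_be = write_pcap(frames, ">", nanos=True)
    return {
        "le": parse_pcap(blob_le),
        "be": parse_pcap(blob_be),
        "cut": parse_pcap(blob_le[:-3]),   # last record cut short
    }


if __name__ == "__main__":
    r = demo()
    for name, cap in r.items():
        print(f"{name}: {len(cap.packets)} packets, truncated={cap.truncated}")
```

The truncated flag is the forensically interesting part: a capture that stopped mid-record (a crashed sniffer, a full disk) still yields every complete packet before the cut, and the reader records that the evidence is incomplete instead of either failing outright or pretending the file is whole.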
Famous digital forensics tools

Encase
FTK
PTK Forensics
Nuix
Intella
Microsoft COFEE
Conclusion

1-Digital Forensics is an exciting area in which to work, but it is exceedingly difficult b

2-These problems are likely to get worse over time, and our only way to survive the c

3-in building and maintaining this corpus he encountered many problems that are in
