Bringing Science to Digital Forensics with Standardized Forensic Corpora.


Digital Evaluation and Exploitation (DEEP) Group, http://domex.nps.edu/, February 2010

NPS is the Navy's Research University.
Location: Monterey, CA
Campus size: 627 acres
Students: 1500
  US Military (all 5 services)
  US Civilian (Scholarship for Service & SMART)
  Foreign Military (30 countries)
  All students are fully funded
Schools:
  Business & Public Policy
  Engineering & Applied Sciences
  Operational & Information Sciences
  International Graduate Studies

Digital Forensics is at a turning point.
Yesterday's work was primarily reverse engineering. Key technical challenges:
  Evidence preservation
  File recovery (file system support); undeleting files
  Encryption cracking
  Keyword search

Digital Forensics is at a turning point.
Today's work is increasingly scientific:
  Evidence reconstruction
    Files (fragment recovery carving)
    Timelines (visualization)
  Clustering and data mining
  Social network analysis
  Sense-making
(Slide figure: a graph of drives linked by the credit card numbers (CCNs) they share. Labelled edges: Drives #74 & #77, 25 CCNs in common; Drives #171 & #172, 13 CCNs in common; Drives #179 & #206, 13 CCNs in common. Clusters are labelled "Same Community College", "Same Medical Center" and "Same Car Dealership".)
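The slide figure above links drive pairs by the number of credit card numbers they have in common. The following is an added example of that cross-drive correlation, written for this page and not code from the NPS DEEP group: it scans constructed drive text for 16-digit candidates, keeps only Luhn-valid ones (dropping single-repeated-digit runs such as 0000...0000, which pass Luhn), and reports every pair of drives sharing at least a threshold number of CCNs. The drive names, the regular expression, the threshold and the sample text are assumptions; the card numbers are publicly documented payment test numbers, not real accounts.

```python
"""Cross-drive correlation on shared credit card numbers (CCNs).

Added example for this page, not code from the NPS DEEP group. The
slide links drive pairs by the number of CCNs they have in common;
this script scans constructed drive text for 16-digit candidates,
keeps only Luhn-valid ones, and counts the CCNs each pair of drives
shares. Drive names, the regex and the threshold are assumptions.
"""
import re
from itertools import combinations

# 16 digits, optionally grouped by spaces or dashes, not embedded in a longer digit run.
CCN_RE = re.compile(r"(?<!\d)(\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_ccns(data: str) -> set:
    """Return the set of Luhn-valid CCNs found in a drive's text."""
    found = set()
    for m in CCN_RE.finditer(data):
        digits = re.sub(r"[ -]", "", m.group(1))
        # Drop runs of one repeated digit (e.g. 0000...0000 passes Luhn).
        if luhn_ok(digits) and len(set(digits)) > 1:
            found.add(digits)
    return found


def shared_ccn_pairs(drives: dict, min_common: int = 2) -> list:
    """Return (drive_a, drive_b, count) for pairs sharing >= min_common CCNs."""
    features = {name: extract_ccns(text) for name, text in drives.items()}
    pairs = []
    for a, b in combinations(sorted(features), 2):
        common = features[a] & features[b]
        if len(common) >= min_common:
            pairs.append((a, b, len(common)))
    return sorted(pairs, key=lambda p: (-p[2], p[0], p[1]))


# Constructed sample drives. The numbers are publicly documented payment
# test numbers, not real accounts; 4111111111111112 fails Luhn on purpose.
SAMPLE_DRIVES = {
    "drive74": "invoice 4111 1111 1111 1111 paid; backup card 5555555555554444; "
               "old 4012-8888-8888-1881; typo 4111111111111112",
    "drive77": "register dump 4111111111111111 5555555555554444 6011111111111117",
    "drive171": "patient billing 3530111333300000 5105105105105100 4012888888881881",
    "drive172": "archived billing 3530 1113 3330 0000 and 5105 1051 0510 5100",
    "drive206": "dealer receipt 6011111111111117 serial 1234567812345678",
}

if __name__ == "__main__":
    for a, b, n in shared_ccn_pairs(SAMPLE_DRIVES):
        print(f"{a} & {b}: {n} CCNs in common")
```

On real media the feature extraction would run over raw sectors and unallocated space rather than a text string, and the threshold matters: a single shared number is weak evidence (test numbers, widely circulated dumps), while dozens in common is what turns two drives into the same organisation.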

Science requires the scientific process.
Hallmarks of science:
  Controlled and repeatable experiments
  No privileged observers
  Publication of data and results
  Sharing of scientific materials
Today's digital forensics is not scientific!
  Researchers work on their own data
  Data can't be shared with other researchers (privacy)
  Data can't be published (copyright)
  Results can't be meaningfully compared

Our solution: Standardized Corpora for Digital Forensics Research.
"Standardized"
  Known contents
  Documented provenance
"Corpora"
  Many data sets
  Realistic: lifelike, but no Personally Identifiable Information (PII)
  Real: public and private
"Digital Forensics Research"
  Created to enable research
  Legally obtained (cf. wiretap law)
  Publishable results
  Specific attention to privacy and copyright issues

UNCLASSIFIED
Many different kinds of forensic corpora are needed.
Test data: constructed for the purpose of testing a specific feature.
  e.g., the CFReDS "Russian Tea Room" floppy disk image, used to validate Unicode search & display.
Sampled data: a subset of a large data source, e.g., sampled web pages or packets. Hard to sample randomly.
Realistic data: not real; made in a lab, not in the field.
Real and restricted data: created by actual human beings during activities that were not performed for the purpose of creating forensic data. Controlled for privacy reasons.
Real but unrestricted data: released for some reason, e.g., the Enron email dataset; photos on Flickr; user profiles on Facebook.

http://domex.nps.edu/corp/files/govdocs1: 1 million files available now
1 million(*) documents from US Government web servers, specifically for file identification and data & metadata extraction.
  Found by random word searches on Google & Yahoo
  DOC, DOCX, HTML, ASCII, SWF, etc.
Free to use; free to redistribute
  No copyright issues: US Government work is not copyrightable. Other files have simply been moved from one USG web server to another.
  No PII issues: these files were already released.
Distribution format: ZIP files
  1000 ZIP files with 1000 files each
  10 threads of 1000 randomly chosen files for student projects
  Full provenance for every file (how found; when downloaded; SHA1; etc.)
(Slide image: sample file 034164.jpg from the corpus)
(*Approximately 3000 files redacted after release.)

http://domex.nps.edu/corp/images/nps/ : "Test" and "Realistic" disk images
Test images: designed to demonstrate a particular aspect
  nps-2009-hfstest1 (HFS+)
  nps-2009-ntfs1 (NTFS)
Realistic images: like real life, but no personally identifiable info
  nps-2009-canon2 (FAT32)
  nps-2009-ubnist1 (FAT32)
  nps-2009-casper-rw (embedded EXT3)
  nps-2009-domexusers (NTFS)
Each image has:
  Narrative of how the image was created and expected uses
  Image file in RAW/SPLITRAW, AFF and E01 formats
  SHA1 of raw image
  Ground truth report
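The published SHA1 for each image is the hash of the raw image, so for the SPLITRAW form it covers the parts concatenated in order, and a verifier must hash them as one stream, in numeric (not string) order, and refuse to proceed if a part is missing rather than silently hashing the remainder. The following is an added example of such a check, written for this page and not the DEEP group's tooling; the part naming (<base>.000, <base>.001, ...) and the constructed demo image are assumptions.

```python
"""Check a split-raw disk image against its published SHA1.

Added example for this page, not the DEEP group's tooling. The slide
says every NPS image ships as RAW/SPLITRAW, AFF and E01 with the SHA1
of the raw image; for a split raw image that digest covers the parts
concatenated in order, so they must be hashed as one stream and a
missing part must be noticed rather than silently skipped. The part
naming (<base>.000, <base>.001, ...) and the demo data are assumptions.
"""
import hashlib
import os
import re
import tempfile

PART_RE = re.compile(r"\.(\d+)$")


def split_parts(directory: str, base: str) -> list:
    """Return part files for `base`, sorted numerically, refusing gaps."""
    parts = []
    for name in os.listdir(directory):
        m = PART_RE.search(name)
        if name.startswith(base + ".") and m:
            parts.append((int(m.group(1)), os.path.join(directory, name)))
    if not parts:
        raise FileNotFoundError(f"no parts for {base} in {directory}")
    parts.sort()  # numeric, so .9 and .10 are not mis-ordered as a string sort would
    first = parts[0][0]
    for expect, (n, _) in enumerate(parts, start=first):
        if n != expect:
            raise ValueError(f"missing part {expect} of {base}")
    return [path for _, path in parts]


def sha1_of_parts(paths: list, chunk: int = 1 << 20) -> str:
    """SHA1 over the concatenation of the parts, streamed in fixed chunks."""
    h = hashlib.sha1()
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def verify_split_raw(directory: str, base: str, expected_sha1: str) -> bool:
    """True if the ordered parts hash to the published (ground truth) SHA1."""
    return sha1_of_parts(split_parts(directory, base)) == expected_sha1.strip().lower()


# --- constructed demo: a 12 KiB "image" written as three 4 KiB parts ---
DEMO_BASE = "demo.raw"


def build_demo_image(directory: str, nparts: int = 3, part_size: int = 4096) -> str:
    """Write the demo parts and return the SHA1 of the whole raw image."""
    data = bytes(range(256)) * (nparts * part_size // 256)
    for i in range(nparts):
        with open(os.path.join(directory, f"{DEMO_BASE}.{i:03d}"), "wb") as f:
            f.write(data[i * part_size:(i + 1) * part_size])
    return hashlib.sha1(data).hexdigest()  # stands in for the published SHA1


def demo_intact() -> bool:
    with tempfile.TemporaryDirectory() as d:
        return verify_split_raw(d, DEMO_BASE, build_demo_image(d))


def demo_tampered() -> bool:
    """One byte flipped in the middle part: verification must fail."""
    with tempfile.TemporaryDirectory() as d:
        expected = build_demo_image(d)
        with open(os.path.join(d, f"{DEMO_BASE}.001"), "r+b") as f:
            f.write(b"\xff")  # original first byte of this part is 0x00
        return verify_split_raw(d, DEMO_BASE, expected)


def demo_missing_part() -> bool:
    """Middle part removed: the check must refuse, not hash the remainder."""
    with tempfile.TemporaryDirectory() as d:
        expected = build_demo_image(d)
        os.remove(os.path.join(d, f"{DEMO_BASE}.001"))
        try:
            verify_split_raw(d, DEMO_BASE, expected)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print("intact:", demo_intact(), "tampered:", demo_tampered(),
          "missing part detected:", demo_missing_part())
```

The same digest can be checked against the AFF and E01 copies with their own tools (AFF and E01 carry hashes of the contained image rather than of the container file), which is what makes the single published SHA1 usable across all three formats.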

http://domex.nps.edu/corp/scenarios/ : Complete scenarios
Typical scenarios include:
  Distribution of simulated pornography ("kitty porn")
  Theft of corporate data
Nitroba University: university harassment case
m57 theft: theft of corporate data
m57 patents: 3-week simulation of a small business
  Four computers
  Daily disk and memory images
  Complete network packet capture

The Real Data Corpus: "Real Data from Real People."
Most forensic work is based on realistic data created in a lab. We get real data from CN, IN, IL, MX, and other countries.
Real data provides:
  Real-world experience with data management problems
  Unpredictable OS, software, & content
  Unanticipated faults
We have multiple corpora:
  Non-US Persons Corpus
  US Persons Corpus (@Harvard)
  Releasable Real Corpus
  Realistic Corpus
IRB approval required for federally funded research.

Real Data Corpus: Current Status

Country   HDs   Flash   Optical   GB (uncompressed)
BA          7                                  38
CA         73       1                       1,064
CE          1                                  82
CH          2                                   5
CN        143     568        98             3,627
DE         36       1                         755
GR         13                                  27
IL        229       4                       2,226
IN        317      66                      19,540
MX        175                               1,110
NZ          1                                   4
PS         98                                 957
TH          1                                  13
UA         22                                  55
Total   1,118     643        98            30,008

(Totals are as printed on the slide; the per-country Flash and GB figures recovered from the transcription sum to slightly less than those totals, so the transcription may be incomplete.)

RDC has been provided to a range of researchers.
Received and satisfied data sharing requests for real data:
  CMU Software Engineering Institute
  AccessData
  I.D.E.A.L. Technology
Pending agreements:
  University of Texas San Antonio
  University of California, Santa Cruz
  Georgetown University
Data sharing for use in training:
  West Point
  DC3/DCCI
  CMU Computer Science Department

Conclusion: Digital forensics needs digital corpora!
The National Research Council's 2009 report found a lack of science in forensics:
"Substantive information and testimony based on faulty forensic science analysis may have contributed to wrongful convictions of innocent people... Moreover, imprecise or exaggerated expert testimony has sometimes contributed to the admission of erroneous or misleading evidence."
National Research Council, 2009, Strengthening Forensic Science in the United States: A Path Forward (prepublication copy; Committee on Identifying the Needs of the Forensic Science Community; Committee on Science, Technology, and Law; Policy and Global Affairs; Committee on Applied and Theoretical Statistics; Division on Engineering and Physical Sciences)
Contact information:
  http://domex.nps.edu/deep
  Joshua B. Gross <jbgross@nps.edu>
  Simson L. Garfinkel <slgarfin@nps.edu>
Questions?