Computer Forensics Standards:



Similar documents
Digital Forensics at the National Institute of Standards and Technology

HAVE YOUR COMPUTER FORENSICS TOOLS BEEN TESTED?

Digital Forensics Tutorials Acquiring an Image with FTK Imager

NIST CFTT: Testing Disk Imaging Tools

Open Source Digital Forensics Tools

Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test. Reports; The Computer Forensics Tool Catalog Website: Connecting

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

Useful Computer Forensics Tools Updated: Jun 10, 2003

Course Title: Computer Forensic Specialist: Data and Image Files

Guide to Computer Forensics and Investigations, Second Edition

efolder White Paper: The Truth about Data Integrity: 5 Questions to ask your Online Backup Provider

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. March 19, 2015

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Digital Evidence Search Kit

Edinburg Napier University. Cloud-based Digital Forensics Evaluation Test (D-FET) Platform

BlackLight v Test Results for Mobile Device Acquisition Tool

Computer Forensic Tools. Stefan Hager

Battling Current Technological Trends

Is the Open Way a Better Way? Digital Forensics using Open Source Tools

Case 9:14-cr KAM Document 135 Entered on FLSD Docket 07/27/2015 Page 1 of 2 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA

Tableau TD3 Forensic Imager Test Results for Digital Data Acquisition Tool

John Mathieson US Air Force (WR ALC) Systems & Software Technology Conference Salt Lake City, Utah 19 May 2011

Digital Forensic Techniques

A STUDY OF FORENSIC IMAGING IN THE ABSENCE OF WRITE-BLOCKERS

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Fixity Checks: Checksums, Message Digests and Digital Signatures Audrey Novak, ILTS Digital Preservation Committee November 2006

GUIDELINES FOR FORENSIC LABORATORY MANAGEMENT PRACTICES INTRODUCTION

Hands-On How-To Computer Forensics Training

SIMPLIFYING THE PATCH MANAGEMENT PROCESS

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Design and Implementation of a Live-analysis Digital Forensic System

Computer Forensic Functions Testing: Media Preparation, Write Protection and Verification

information security and its Describe what drives the need for information security.

Test Results for Hardware Write Block Device: Tableau T5 Forensic IDE Bridge (FireWire Interface)

Survey of Disk Image Storage Formats

Forensic Readiness. Presented by: Jack J. Murphy, Ph.D.

EC-Council Ethical Hacking and Countermeasures

Requirements Management

Quantifying Hardware Selection in an EnCase v7 Environment

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

Recover My Files v Test Results for Video File Carving Tool

Mac Marshal: A Tool for Mac OS X Operating System and Application Forensics

Where is computer forensics used?

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Guide to Computer Forensics and Investigations, Second Edition

Taxonomy of Anti-Computer Forensics Threats

Getting Physical with the Digital Investigation Process

COMPUTER FORENSICS (EFFECTIVE ) ACTIVITY/COURSE CODE: 5374 (COURSE WILL BE LISTED IN THE CATE STUDENT REPORTING PROCEDURES MANUAL)

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

Term Report. Forensics for IT

70250 Graduate Certificate in Digital Forensics

Strengthening Forensic Science in the United States: A Path Forward

Executable Integrity Verification

EWF specification. Expert Witness Compression Format specification. By Joachim Metz

Information Technologies and Fraud

If you are working with the H4D-60 or multi-shot cameras we recommend 8GB of RAM on a 64 bit Windows and 1GB of video RAM.

UNCLASSIFIED Version 1.0 May 2012

MARK J. ESKRIDGE, OWNER / INVESTIGATOR DIGITAL FORENSIC INVESTIGATIONS, INC. California Private Investigator license #26633

What is Digital Forensics?

Certified Digital Forensics Examiner

Network Security: Policies and Guidelines for Effective Network Management

NETS for Teachers: Achievement Rubric

Fuzzy Hashing for Digital Forensic Investigators Dustin Hurlbut - AccessData January 9, 2009

Digital Forensics: The aftermath of hacking attacks. AHK Committee Meeting April 19 th, 2015 Eng. Jamal Abdulhaq Logos Networking FZ LLC

POSTGRADUATE PROGRAMME SPECIFICATION

Incident Response and Computer Forensics

Ethical Hacking and Penetration Testing Presented by: Adam Baneth Managing director

CDFE Certified Digital Forensics Examiner (CFED Replacement)

InfoSec Academy Forensics Track

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

Evaluation of Software Write Blocking In SAFE Block XP V1.1

Evaluating Digital Forensic Tools (DFTs)

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

Hash Functions. Integrity checks

Constructing a Stable and Verifiable Computer Forensic System

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

ACE STUDY GUIDE. 3. Which Imager pane shows information specific to file systems such as HFS+, NTFS, and Ext2? - Properties Pane

Mobile Device Forensics. Rick Ayers

The Role of Digital Forensics within a Corporate Organization

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Things To Do After You ve Been Hacked

Transcription:

Computer Forensics Standards: National Software Reference Library Computer Forensics Tool Testing Computer Forensics Reference Data Sets PDA Forensics Research Barbara Guttman bguttman@nist.gov September 21, 2007

Computer Forensics in NIST Goals of Computer Forensics Projects Support use of automated processes into the computer forensics investigations Provide stable foundation built on scientific rigor to support the introduction of evidence and expert testimony in court

Goals of CF at NIST Provide international standard reference data that tool makers and investigators can use in investigations (NSRL) Establish computer forensic tool testing methodology (CFTT) Provide test material for proficiency testing and lab-based tool testing (CFReDs) Research emerging PDA forensics

NSRL Project

What is the NSRL? The National Software Reference Library is: A physical collection of over 8,000 software packages A database of 34 million file fingerprints and additional information to uniquely identify each file A Reference Data Set (RDS) extracted from the database onto CD, used by law enforcement, investigators and researchers

Use of the RDS Eliminate known files from the examination process using automated means Discover expected file name with unknown contents Identify origins of files Look for malicious files, e.g., hacker tools Provide rigorously verified data for forensic investigations Used by many forensics tools (ILook, EnCase, FTK)

RDS Field Use Example You are looking for images on a computer which is running Windows 2000. Windows 2000 operating system software contains 5933 images which are known gifs, icons, jpeg files e.g., By using the RDS and an analysis program the investigator would not have to look at these files to complete his investigation.

Are Hashes broken? Both MD-5 and SHA-1 have been shown to have weaknesses The weaknesses do not affect the use of hashes for forensic analysis Hash attacks are not pre-image attacks

Computer Forensics Tool Testing (CFTT)

A Problem for Investigators Do forensic tools work as they should? Software tools must be Tested: accurate, reliable & repeatable Peer reviewed Generally accepted by whom? Results of a forensic analysis must be admissible in court

Project Tasks Identify forensics functions Develop specification for each category Peer review of specification Test methodology for each function Report results

Specifications "What should it do?" Hardware Write Blocker (HWB) Tool Specification Test Methodology "How do we test it?" HWB Assertions and Test Plan Tool Testing "Does it meet specifications?" Execute HWB Test Cases Forensic Community Feedback NIJ: Test Results for HWB Device: FastBloc IDE (Firmware Version 16) Test Reports "How well did a Tool do?" Publish HWB Reports Through National Institute of Justice NIJ NIJ Test Results for HWB Device: Digital Intelligence Firefly 800 IDE NIJ Test Results for HWB Device: WiebeTech FireWire DriveDoc Combo NIJ Test Results for HWB Device: Digital Intelligence UltraBlock SATA NIJ Test Results for HWB Device: MyKey NoWrite NIJ Test Results for HWB Device: ICS ImageMasster DriveLock IDE

Benefits of CFTT Benefits of a forensic tool testing program Users can make informed choices Odd sector problem Reduce challenges to admissibility of digital evidence Moussaoui case Tool creators make better tools Safeback 2.18 EnCase documentation

NIST Standard Reference Computer Forensic Test Sets CFReDS

Uses of CFReDS The CFReDS project provides documented sets of simulated digital evidence. Uses for Data Sets Calibration of Forensic Tools Proficiency Testing Tool Testing Training

Graphics Multimedia Application Data and Documents Baseline File-System Images Prototype Data Sets Russian Team Room (Big-endian, UTF-8) Hacking Case Mac Image (Multiple File-Systems) Rhino Hunt

PDA Forensics NIST also performs research on PDA forensics including mobile phones Provide overview information and guidelines

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information