Digital Forensics Research: The Next 10 Years


Digital Forensics Research: The Next 10 Years
Simson L. Garfinkel
Naval Postgraduate School
May 10, 2010

Digital Forensics: The Sky is Falling

DF is widely used within Government & Private Sector:
- Law Enforcement, Defense, E-Discovery, Document Recovery, etc.
- Hacker Investigations, Audit, etc.

I argue that we have been in a "Golden Age of Digital Forensics."

This Golden Age is quickly coming to an end.
- Organizations increasingly encounter cases with data that cannot be analyzed.
- Even when data can be analyzed, customers can wait weeks, months or longer.

Needed: dramatic improvements in research and operational efficiency.
- Shorten the introduction-to-exploitation gap (from years to months).
- Dramatically increased reliability and accuracy.
- 10x – 100x improvement in processing speed.

Approach: improved data representation & composability.

Prior Work 1/1

DFRWS Common Digital Evidence Storage Format Working Group.
- Created in August 2006 to standardize disk image formats.
- Goal: standardize a range of evidence formats.
- Disbanded in August 2007 "because DFRWS did not have resources required to achieve the goals of the group."

Various "next-generation digital forensics systems."
- Richard and Roussev; Corey et al.; Cohen (PyFlag); Ayers.
- Many combine High Performance Computing (HPC) concepts with automated workflow.
- FTK3 uses an Oracle back end for processing.

Conceptual Frameworks.
- Mocas, to "define a set of properties and terms."
- Pollitt; CISSE 2008 brainstorming session (Nance, Hay & Bishop); Beebe.

Prior Work 1/2: Data Collection

"The anatomy of electronic evidence: quantitative analysis of police e-crime data." Turnbull, Taylor and Blundell.
- Reports specific digital media formats collected.

FBI Regional Computer Forensic Laboratory Program.
- Annual report with the amount of media and cases processed.

Digital Forensics: A Brief History

Digital Forensics: A Brief History

Digital Forensics is roughly 40 years old.
- Originally data recovery.
- Late 1980s: Norton & Mace Utilities provided "Unformat, Undelete."

Early days were marked by:
- Diversity: hardware, software & applications.
- Proliferation of file formats.
- Heavy reliance on time-sharing and centralized computing.
- Absence of formal process, tools & training.

Forensics of end-user systems was hard, but it didn't matter much.
- Most of the data was stored on centralized computers.
- Experts were available to assist with investigations.
- There wasn't much demand!

The Golden Age of Digital Forensics: 1999–2007

Widespread use of Microsoft Windows, especially Windows XP.

Relatively few file formats:
- Microsoft Office (.doc, .xls & .ppt)
- JPEG for images
- AVI and WMV for video

Most examinations confined to a single computer belonging to a single subject.

Most storage devices used a standard interface:
- IDE/ATA
- USB

This Golden Age gave us good tools and rapid growth.

Commercial tools: (items not captured in the transcription)
Open Source Tools: (items not captured in the transcription)
Content Extraction Toolkits: (items not captured in the transcription)

The Golden Age was aided by target conditions.

Widespread market failure of Data At Rest (DAR) Encryption:
- TrueCrypt: not widely deployed.
- Microsoft's EFS: hard to use.
- Apple's FileVault: buggy until MacOS 10.4 / 10.5.

Anti-Forensics Tools: largely academic curiosities.

Rapid Growth of Research & Professionalization:
- DFRWS, IFIP WG 11.9
- Consulting firms
- 14 certificate programs
- 5 associates programs
- 16 bachelor programs
- 2 doctoral programs

Get ready for the coming digital forensics crisis.
1 - Dramatically increased costs of extraction & analysis.

Much of the last decade's progress is quickly becoming irrelevant.

Increased size of storage systems.
[Screenshot: Google shopping results for "2tb drive" (about 3,500,000 results) listing 2 TB Western Digital, Seagate, Samsung and LaCie drives]

Non-Removable Flash.

Proliferation of operating systems, file formats and connectors.
- JFFS2, YAFFS2, Symbian, Pre, iOS, ...
- Most evident in mobile computing.

Cases now require analyzing multiple devices.
- Typical: 2 desktops, 6 phones, 4 iPods, 2 digital cameras.
- How many storage devices did you bring to this conference?

The Coming Digital Forensics Crisis: Part 2 — Encryption and Cloud Computing

Pervasive Encryption: encryption is increasingly present.
- TrueCrypt
- BitLocker
- DRM Technology
- Encryption can be hardware-accelerated on modern processors.
[Screenshot: the TrueCrypt home page ("Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux"), listing its main features: a virtual encrypted disk within a file mounted as a real disk, encryption of an entire partition or storage device, encryption of the Windows system partition with pre-boot authentication, automatic on-the-fly transparent encryption, parallelization and pipelining, 256-bit AES, hidden volumes and a hidden operating system for plausible deniability; with the 2010-07-19 TrueCrypt 7.0 release notice]

Cloud Computing: end-user systems won't have the data.
- Google Apps
- Microsoft Office 2010
- Apple MobileMe

[Slides 12 through 17 are not present in the transcription.]

...e evidence.
- "Tell me everything that's on this hard drive."
Increasingly, tools are used in time-constrained environments.
- "Show me the best stuff you can find in the next five minutes."

Today's tools were developed to find documents.
- We know how to show documents to juries.
- We don't know how to make arguments about "distinct sectors."
- As a result, research into incomplete documents has been slow.
- It was only in 2009 that Sencar and Memon showed the second half of a JPEG could be displayed.
[Screenshot: page S94 of Sencar and Memon's paper in Digital Investigation 6 (2009) S88–S98, showing Table 2 (averaged occurrence frequencies of 16-bit patterns generated from three sets of Huffman tables, HA, HB and HC, in images A, B and C), Fig. 4 (original and reconstructed JPEG) and text on recovering fragmented JPEG files with missing data using restart markers and DC coefficients]

Today's tools follow a "Visibility, Filter and Report" model.

Extract files -> Extract metadata -> Store in DB -> Search -> Apply Filters -> Show Results

Problems:
- Analyst must prioritize data that is recovered.
- Tools do not correlate within this case and between this case and others.
- Does not readily lend itself to parallelized processing.

Many tools are monolithic applications:
- Difficult to integrate with other tools.
- Difficult to automate.
- Difficult to combine tools from multiple vendors.
- Difficult to integrate with the results of academic research.

Much of today's "research" is hacks, not science.

Most of today's "research" is really reverse-engineering.
- New formats are reverse-engineered by smart people with primitive tools.
- No interoperability between tools.
- Little effort spent on performance.
- Many tools do not generalize.
  - There are thousands of different Windows versions.
  - Little attention to disks/memory/network commonalities & data fusion.

Most of today's "research" is not scientific:
- No validation over large data sets.
- Little attention to repeatability or completeness.

Increasing diversity is increasingly a problem.
- Some devices are never supported by tools.

A New Research Direction

We need more standardized forensic data abstractions.

Today we have limited data formats and abstractions:
- Disk images: raw & EnCase E01 files.
- Packet capture files: BPF format.
- Files: distributed as files or as ZIP for collections of files.
- File signatures: list of MD5 (or SHA1) hashes in hex.
- Extracted named entities: stop lists (typically in ASCII, rarely in Unicode).

We need new structured formats for distributing:
- Signatures
- Metrics (parts of files; n-grams; piecewise hashes; similarity metrics)
- File metadata (e.g. Microsoft Office document properties)
- File system metadata (MAC times, etc.)
- Application profiles (e.g. collections of files that make up an application)
- Internet and social network information

Creating, testing, and adopting schema and formats is hard work.

Digital Forensics XML: One approach for standardizing metadata.

Per-image tags (fiwalk is the outer tag), per-volume tags and per-fileobject tags:

  <fiwalk>
    <fiwalk_version>0.4</fiwalk_version>
    <Start_time>Mon Oct 13 19:12:09 2008</Start_time>
    <Imagefile>dosfs.dmg</Imagefile>
    <volume startsector="512">
      <Partition_Offset>512</Partition_Offset>
      <block_size>512</block_size>
      <ftype>4</ftype>
      <ftype_str>fat16</ftype_str>
      <block_count>81982</block_count>
      <fileobject>
        <filesize>4096</filesize>
        <partition>1</partition>
        <filename>linedash.gif</filename>
        <libmagic>GIF image data, version 89a, 410 x 143</libmagic>
      </fileobject>
    </volume>
  </fiwalk>

DFXML can be used by file extractors, carvers, report generators.
Other approaches: standardized SQL schema.
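To show how a structured format like DFXML lets a file extractor hand results to an unrelated filtering step (the composability the slides argue for), here is an added example, not code from the talk or from fiwalk: it parses a constructed DFXML document with Python's standard library and drops every file whose MD5 appears in a known-file hash list of the kind described on the previous slide. The `<hashdigest type="md5">` element, the sample files and the hash values are assumptions constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample DFXML (element names follow the slide; hashdigest is assumed).
SAMPLE_DFXML = """<fiwalk>
  <fiwalk_version>0.4</fiwalk_version>
  <Imagefile>dosfs.dmg</Imagefile>
  <volume startsector="512">
    <ftype_str>fat16</ftype_str>
    <fileobject>
      <filename>linedash.gif</filename>
      <filesize>4096</filesize>
      <hashdigest type="md5">0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f</hashdigest>
    </fileobject>
    <fileobject>
      <filename>notes.txt</filename>
      <filesize>120</filesize>
      <hashdigest type="md5">a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1</hashdigest>
    </fileobject>
  </volume>
</fiwalk>
"""

# Constructed known-file list: one hex MD5 per line, the format the slides describe.
KNOWN_MD5_LIST = """# constructed known-good hashes
0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F
"""

def load_hash_list(text):
    """Parse a one-hash-per-line list; normalise case and skip comment lines."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hashes.add(line.lower())
    return hashes

def parse_fileobjects(dfxml_text):
    """Return one dict per <fileobject>, tagged with its volume's file system type."""
    root = ET.fromstring(dfxml_text)
    records = []
    for vol in root.iter("volume"):
        ftype = vol.findtext("ftype_str")
        for fo in vol.iter("fileobject"):
            md5 = None
            for h in fo.findall("hashdigest"):
                if h.get("type") == "md5":
                    md5 = (h.text or "").strip().lower()
            records.append({"filename": fo.findtext("filename"),
                            "filesize": int(fo.findtext("filesize") or 0),
                            "ftype": ftype, "md5": md5})
    return records

def unknown_files(dfxml_text, hash_list_text):
    """Files whose MD5 is not in the known list: the ones worth an analyst's time."""
    known = load_hash_list(hash_list_text)
    return [r for r in parse_fileobjects(dfxml_text) if r["md5"] not in known]

if __name__ == "__main__":
    for r in unknown_files(SAMPLE_DFXML, KNOWN_MD5_LIST):
        print(r["filename"], r["filesize"], r["ftype"])
```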

API standards are needed to support tool composability.

Forensic software is marked by diversity.
- C, C++, Java, Perl, Python, EnScript; Windows, Macintosh, Linux.

Other communities faced with such diversity developed APIs. We can too!
- Language-independent.
- Disk, sector, IP packet, bytestream object processing.
- File extraction.
- File recognition & identification.
- Data & metadata extraction.
- Standardized representations for timestamps, email addresses, names, etc.

A plug-in system would allow scale:
- Handheld devices
- Desktop
- Multi-core system
- Blade centers
- HPC
A callback model allows the same code to be used in different deployments.

PyFlag [17], OCFA [6] and DFF [9] all have significant usability barriers.
Beware of using SQL as an integration framework (performance issues).

We must explore alternative analysis models to "Visibility, Filter and Report."

Stream-Based Forensics
- Process the contents of the hard drive without reconstructing files.
- Designed to overcome head seek latency; is this needed or useful with SSDs?
- c.f. Cohen's AFF4 file-based disk imaging.

Stochastic Analysis
- Random sampling (files & sectors) to speed partial analysis.

Triage and Prioritized Analysis
- Analysis without (or during) acquisition.
- "5 minute analysis"
- Examples: I.D.E.A.L. Technology Corp.'s STRIKE; ADF Triage.
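The stochastic analysis bullet is the one most easily made concrete. The following added example (not code from the talk) samples random sectors of a constructed disk image to estimate how much of it holds non-blank data, and works out the arithmetic that sets the sample size: if data of interest occupies a fraction p of the sectors, n random sectors all miss it with probability (1 - p)^n. The image contents, the blank-sector test and the seeds are assumptions made for the demo.

```python
import math
import random

SECTOR = 512  # bytes per sector, assumed

def make_test_image(n_sectors, filled_fraction, seed=1):
    """Constructed image: a chosen fraction of sectors hold pseudo-random bytes,
    the rest are all zeros (the 'never written' case on a fresh drive)."""
    rng = random.Random(seed)
    image = bytearray(n_sectors * SECTOR)
    for i in rng.sample(range(n_sectors), int(n_sectors * filled_fraction)):
        image[i * SECTOR:(i + 1) * SECTOR] = rng.getrandbits(SECTOR * 8).to_bytes(SECTOR, "little")
    return bytes(image)

def sector_is_blank(sector):
    """Simplest classifier: every byte zero. A real triage tool would also
    look at entropy, file-system structures or known-content hashes."""
    return not any(sector)

def sample_nonblank_fraction(image, n_samples, seed=0):
    """Read n_samples distinct random sectors (no full pass over the disk) and
    return (estimated non-blank fraction, 95% half-width under the normal approximation)."""
    n_sectors = len(image) // SECTOR
    rng = random.Random(seed)
    hits = 0
    for i in rng.sample(range(n_sectors), n_samples):
        if not sector_is_blank(image[i * SECTOR:(i + 1) * SECTOR]):
            hits += 1
    p = hits / n_samples
    return p, 1.96 * math.sqrt(p * (1 - p) / n_samples)

def miss_probability(feature_fraction, n_samples):
    """Probability that n random sectors all miss data that fills feature_fraction of the disk."""
    return (1 - feature_fraction) ** n_samples

def samples_for_confidence(feature_fraction, confidence=0.99):
    """Smallest n for which at least one sampled sector hits the feature with the given confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - feature_fraction))

if __name__ == "__main__":
    img = make_test_image(10_000, 0.30)              # 5 MB constructed image, 30% filled
    est, half = sample_nonblank_fraction(img, 1000)  # 1,000 of 10,000 sectors read
    print(f"non-blank fraction ~ {est:.3f} +/- {half:.3f}")
    print("sectors needed to hit a 1% feature w.p. 0.99:", samples_for_confidence(0.01))
```

Reading 1,000 sectors gives an estimate within a few percent of the true 30%; the same formula says a feature covering 1% of a drive needs roughly 460 random reads to be hit with 99% confidence, however large the drive.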

Scale and Validation

Researchers need to work with large datasets.
- Algorithms developed for (n = 100) frequently fail when applied to (n = 10,000).
- True for n measured in # JPEGs; TB; # hard drives; or # cell phones.

Validation with standardized corpora.

Validation with standardized reporting metrics.
- Other researchers must be able to replicate your work!
- Many algorithms have tunable parameters: show ROC curves!
- "Accuracy" is okay, but also report:
  - True Positive Rate & False Positive Rate
  - f-score
[Figure: ROC plot of True Positive Rate (TPR) against False Positive Rate (FPR) for several parameter settings labelled FS, SD and MCO]
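The metrics the slide asks for, worked through on a constructed result set as an added example (not from the talk): a detector that emits a score per item is evaluated at one threshold for TPR, FPR, f-score and accuracy, and swept over every threshold to produce the ROC points and the area under them. The scores and labels are invented for the demo; they stand in for, say, a file-fragment classifier run over a labelled corpus.

```python
# Constructed: (detector score, item is truly positive) for ten test items.
SAMPLE = [(0.95, True), (0.90, True), (0.80, False), (0.70, True), (0.60, True),
          (0.55, False), (0.40, False), (0.35, True), (0.20, False), (0.10, False)]

def confusion(scored, threshold):
    """Counts (tp, fp, fn, tn) when every item scoring >= threshold is called positive."""
    tp = sum(1 for s, y in scored if s >= threshold and y)
    fp = sum(1 for s, y in scored if s >= threshold and not y)
    fn = sum(1 for s, y in scored if s < threshold and y)
    tn = sum(1 for s, y in scored if s < threshold and not y)
    return tp, fp, fn, tn

def rates(scored, threshold):
    """TPR, FPR, f-score and accuracy at one threshold; zero where a rate is undefined."""
    tp, fp, fn, tn = confusion(scored, threshold)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f1 = 2 * precision * tpr / (precision + tpr) if precision + tpr else 0.0
    return {"tpr": tpr, "fpr": fpr, "f1": f1, "accuracy": (tp + tn) / len(scored)}

def roc_points(scored):
    """(FPR, TPR) at every distinct score used as threshold, from (0,0) up to (1,1).
    Plotting these is what 'show ROC curves' means; one curve per parameter setting."""
    points = [(0.0, 0.0)]
    for t in sorted({s for s, _ in scored}, reverse=True):
        r = rates(scored, t)
        points.append((r["fpr"], r["tpr"]))
    return points

def auc(points):
    """Trapezoidal area under the ROC curve; 0.5 is chance, 1.0 is perfect ranking."""
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(points, points[1:]))

if __name__ == "__main__":
    print("at threshold 0.5:", rates(SAMPLE, 0.5))
    pts = roc_points(SAMPLE)
    print("ROC points:", pts)
    print("AUC:", auc(pts))
```

Accuracy alone (0.7 at threshold 0.5 here) hides that the same detector reaches TPR 0.8 only by accepting FPR 0.4; the ROC sweep exposes that trade-off at every operating point.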

Today's DF metrics are few and poorly articulated.

NIST Computer Forensic Tool Testing Program
- Limited testing of imaging tools & file recovery tools.
- Primarily to satisfy law enforcement requirements (Daubert).
- http://www.cftt.nist.gov/

Academic Publishing
- DFRWS, IFIP 11.9, etc.
- "Publish or perish" evaluation.

Forensic Challenges (DC3 & DFRWS)
- Stuff that's hard to do.
- Not scientifically evaluated.
- The "winner" is the group that finds the most stuff? writes the most informative report?

Moving up the Abstraction Ladder

Identity Management: approaches for modeling individuals.
- Simple data elements: names; email addresses; identification numbers.
- More advanced: represent a person's knowledge, capabilities & social networks.
- Goals: identity resolution & disambiguation.

Data Visualization and Visual Analytics
- Is visualization good for discovery, or just for presentation?

Collaboration
- How can multiple investigators be used more effectively on a single case?
- How can the system automatically recognize when multiple cases are connected?
  - Stealth Software's private search for secret identities.

Autonomous Operation
- GET EVIDENCE

Conclusion: Digital Forensics faces an impending crisis!

Technological progress is making our job harder, not easier.
- Increasing storage densities
- Cloud Computing
- Pervasive Encryption

Given these trends, research must be smarter and more applicable:
- Standardized abstractions & formats.
- Standardized APIs for analysis.
- Forensic data sharing.
- Composable tools.

Funding agencies need to:
- Adopt open standards and procedures.
- Insist on interoperability & validation.

