UTD CS 4398 - Lecture #25 Frameworks for Digital Forensics

This preview shows page 1-2-3-27-28-29 out of 29 pages.


Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #25 Frameworks for Digital Forensics
November 10, 2008

Papers to discuss

- FORZA – Digital forensics investigation framework that incorporate legal issues
  http://dfrws.org/2006/proceedings/4-Ieong.pdf
- A cyber forensics ontology: Creating a new approach to studying cyber forensics
  http://dfrws.org/2006/proceedings/5-Brinson.pdf
- Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem
  http://dfrws.org/2006/proceedings/6-Harris.pdf

Abstract of Paper 1

Mark Pollitt has stated that digital forensics is not an elephant; it is a process, and not just one process, but a group of tasks and processes in investigation. In fact, many digital forensics investigation processes and tasks were defined on technical implementation details. Investigation procedures developed by traditional forensics scientists focused on the procedures for handling the evidence, while those developed by technologists focused on the technical details of capturing evidence. As a result, many digital forensics practitioners simply followed technical procedures and forgot about the actual purpose and core concept of digital forensics investigation. With all these technical details and complicated procedures, legal practitioners may have difficulties in applying or even understanding their processes and tasks in digital forensics investigations.

In order to break the technical barrier between information technologists, legal practitioners and investigators, and their corresponding tasks together, a technical-independent framework would be required.

Abstract of Paper 1 (Concluded)

In this paper, the authors first highlight the fundamental principle of digital forensics investigations (Reconnaissance, Reliability and Relevancy). Based on this principle, they revisit the investigation tasks and outline eight different roles and their responsibilities in a digital forensics investigation. For each role, they define a set of six key questions: the What (the data attributes), Why (the motivation), How (the procedures), Who (the people), Where (the location) and When (the time) questions. In fact, among all the investigation processes, there are six main questions that each practitioner would always ask. By incorporating these sets of six questions into Zachman's framework, a digital forensic investigation framework – FORZA is composed. We will further explain how this new framework can incorporate legal advisors and prosecutors into a bigger picture of digital forensics investigation framework. Usability of this framework will be illustrated in a web hacking example. Finally, the road map that interconnects the framework to automatically zero-knowledge data acquisition tools will be briefly described.

Outline

- Introduction
- Principles of Digital Forensics Investigative Procedures
- FORZA Framework
- Legal Aspects
- Applying FORZA Framework
- Directions

Introduction

Many digital forensics procedures were developed to tackle the different technologies used in the inspected device; when the underlying technology of the target device changes, new procedures have to be developed.

Among those procedures, the Lee; Casey; DFRWS; and Reith, Carr and Gunsch procedures are the most frequently quoted. They are known to be the standard procedures in digital forensics investigations.

However, discrepancy still lies between them; the four procedures are not aligned. Instead of difference in definition, the processes they recommend and their coverage are different.

Although digital forensics procedures have been extended to cover a wider perspective and area, one core issue has not been solved: the gap between the technical aspects of digital forensics and the judicial process.

Principles of Digital Forensics Investigative Procedures: 3Rs

Reconnaissance: Similar to what needs to be performed before ethical hacking, a digital forensics investigator needs to exhaust the different methods, practices and tools that were developed for a particular operating environment to collect, recover, decode, discover, extract, analyze and convert data that is kept on different storage media into readable evidence. No matter where data are stored, digital forensics investigators should focus on revealing and retrieving the truth behind the data.

Reliability: Extracting data is not simply copying data using Windows Explorer or saving files to a disk. Chain of evidence should be preserved during extracting, analyzing, storing and transporting of data. In general, chain of evidence, time, integrity of the evidence and the person's relationship with the evidence could be collectively considered as the non-repudiation feature of digital forensics. If the evidence cannot be repudiated and rebutted, then the digital evidence would be reliable and admissible for judicial review.

Principles of Digital Forensics Investigative Procedures: 3Rs

Relevancy: Even though evidence could be admissible, the relevancy of the evidence to the case affects the weight and usefulness of the evidence. If the legal practitioner can advise on what should be collected during the process, the time and cost spent in investigation could be controlled better.

FORZA Framework

A framework depends on the participants in the organization. In a typical digital forensics investigation process, system owners, digital forensics investigators and legal practitioners are expected to be involved. However, if we further separate the roles and responsibilities of these participants, they could be further categorized into eight individual roles of participants in investigation. These roles are different in nature but could be handled by the same person if required.

More Rs: Roles and Responsibilities:
- Case Leader, System Business Owner, Legal Advisor, Security/system architect/auditor, digital forensics specialist, digital forensics

