Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #30: Network Forensics (Revisited)
November 7, 2007

Outline
- Review of Lecture 29
- Discussion of the papers on network forensics

Review of Lecture 29
- Data Hiding in Journaling File Systems - http://dfrws.org/2005/proceedings/eckstein_journal.pdf
- Evaluating Commercial Counter-Forensic Tools - http://dfrws.org/2005/proceedings/geiger_couterforensics.pdf
- Automatically Creating Realistic Targets for Digital Forensics Investigation - http://dfrws.org/2005/proceedings/adelstein_falcon.pdf

Papers to discuss
- File Hound: A Forensics Tool for First Responders - http://dfrws.org/2005/proceedings/gillam_filehound.pdf
- Monitoring Access to Shared Memory-Mapped File - http://dfrws.org/2005/proceedings/sarmoria_memorymap.pdf
- Network Forensics Analysis with Evidence Graphs - http://dfrws.org/2005/proceedings/wang_evidencegraphs.pdf

Abstract of Paper 1
Since the National Institute of Justice (NIJ) released the results of its Electronic Crime Needs Assessment for State and Local Law Enforcement study in 2001, several critical strides have been made in improving the tools and training that state and local law enforcement organizations have access to. One area that has not received much attention is the computer crime first responder. This paper focuses on the development and current results of File Hound, a "field analysis" software program for law enforcement first responders that is currently used by over 14 law enforcement agencies around the State of Indiana.
It has been successfully used in several cases ranging from child pornography to fraud.

Outline (Paper 1)
- Introduction
- File Hound
- Example investigation
- Directions

Introduction
- Current tools are excellent for case management and for investigations in a laboratory.
- Time-sensitive investigations can occur out in the field. This has led to a new classification of investigators: the first responders. These officers are the first on the scene and have basic training in searching for and handling digital evidence.
- File Hound was developed at Purdue to assist first responders in conducting a quick field analysis that satisfies 4th Amendment (protection against unreasonable search and seizure) and issued-warrant requirements.

File Hound
- Search for images. The software had to be able to search a hard drive for image files. Since a filename search may not be thorough enough for a forensics investigation (a suspect can simply rename a file), the search must examine file headers to determine a file's true identity.
- Identify relevant images. Since several hundred or thousand files may be found during a search, the software had to present an interface through which an examiner can browse the images found and select those relevant to an investigation. This interface should be simple but present the results in an intuitive form.
- Generate a report of the results. At a bare minimum, the report must include the full logical path of each file.
- Require minimal user training. A user should be able to fully utilize the software with minimal training. A powerful but intuitive user interface was determined to be the best means to accomplish this goal.

Example Investigation
The investigation begins when the suspect's hard drive is connected to the investigator's laptop through a hardware write blocker and mounted. File Hound is started and the suspect's hard drive is selected from a drop-down list. Clicking Search without changing any options initiates an image search.
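The header-based search step that File Hound's first requirement calls for, shown here as an added example and not as File Hound's own code: it walks a mounted volume without writing to it, recognizes images by their leading bytes (so a renamed file is still found and a file with a misleading image extension is not), hashes each hit, and writes a CSV report keyed by full logical path. The signature table, the helper names (identify, scan, write_report, run_demo) and the constructed sample tree are this example's own assumptions, not anything taken from the paper.

```python
"""Added example (not File Hound's code): header-based image discovery for a
field triage tool.  Signature table, helper names and the sample evidence tree
are this example's own constructions."""
from __future__ import annotations

import csv
import hashlib
import os
import tempfile
from pathlib import Path

# (type, offset, magic).  WebP's "WEBP" tag sits at offset 8 inside a RIFF container.
# "BM" is a weak two-byte signature; a production tool would also validate the
# BMP header size field before trusting it.
SIGNATURES = [
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("bmp", 0, b"BM"),
    ("tiff", 0, b"II*\x00"),
    ("tiff", 0, b"MM\x00*"),
    ("webp", 8, b"WEBP"),
]
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
               ".bmp": "bmp", ".tif": "tiff", ".tiff": "tiff", ".webp": "webp"}
HEADER_LEN = 16  # enough bytes to test every signature above
REPORT_FIELDS = ["path", "type", "size", "sha256", "extension_mismatch"]


def identify(header: bytes) -> str | None:
    """Return the image type implied by the file's first bytes, or None."""
    for kind, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] != magic:
            continue
        if kind == "webp" and header[:4] != b"RIFF":
            continue
        return kind
    return None


def sha256_of(path: Path) -> str:
    """Hash the whole file so the lab can later verify the field result."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> list[dict]:
    """Find every file under root whose header says 'image', whatever its name."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink():  # never follow links off the evidence volume
                continue
            try:
                with p.open("rb") as f:
                    header = f.read(HEADER_LEN)
            except OSError:
                continue
            kind = identify(header)
            if kind is None:
                continue
            hits.append({
                "path": os.path.abspath(p),  # full logical path, as the report requires
                "type": kind,
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
                "extension_mismatch": EXT_TO_TYPE.get(p.suffix.lower()) != kind,
            })
    hits.sort(key=lambda h: h["path"])  # os.walk order is not stable across file systems
    return hits


def write_report(hits: list[dict], out_path: Path) -> int:
    """Write the CSV report (to the investigator's disk, never the evidence volume)."""
    with out_path.open("w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=REPORT_FIELDS)
        w.writeheader()
        w.writerows(hits)
    return len(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample evidence tree for offline runs (not real case data)."""
    (root / "photos").mkdir(parents=True, exist_ok=True)
    (root / "docs").mkdir(exist_ok=True)
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    # Renamed to defeat a filename search: PNG bytes behind a .txt name.
    (root / "docs" / "notes.txt").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40)
    (root / "docs" / "readme.txt").write_bytes(b"plain text, not an image\n")
    # Image extension but not an image: a filename search would wrongly flag it.
    (root / "photos" / "fake.gif").write_bytes(b"this is not a gif")
    (root / "docs" / "empty.jpg").write_bytes(b"")


def run_demo() -> list[dict]:
    """Build the sample tree in a temp dir, scan it, write a report, return the hits."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        hits = scan(root)
        write_report(hits, root / "report.csv")
        return hits


if __name__ == "__main__":
    for h in run_demo():
        print(f'{h["type"]:5} {h["size"]:4} mismatch={h["extension_mismatch"]} {h["path"]}')
```

On the sample tree the scan reports exactly two files, the renamed PNG and the real JPEG, and flags the first as an extension mismatch; fake.gif and the empty .jpg are not reported. Against a real drive, root would be the write-blocked, read-only mount point. Note what this does not do: it reads only the live file system, so deleted files, unallocated space and images embedded in containers need carving in the lab, which is consistent with the paper's positioning of File Hound as a field triage tool rather than a replacement for laboratory analysis.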
Once the search has completed, the results are displayed in tabular form. The total time needed for the initial search depends on the amount of data being searched; File Hound typically searches through a gigabyte of data in 15 minutes. Next, image identification can occur using the Identify tab. The investigator can select any of the images for inclusion in the final report.

Directions
- What is not clear is what makes File Hound unique. The authors claim that it is suitable for use in the field. How do they accomplish this?

Abstract of Paper 2
The post-mortem state of a compromised system may not contain enough evidence regarding what transpired during an attack to explain the attacker's modus operandi. Current systems that reconstruct sequences of events gather potential evidence at runtime by monitoring events and objects at the system call level. The reconstruction process starts with a detection point, such as a file with suspicious contents, and establishes a dependency chain with all the processes and files that could be related to the compromise, building a path back to the origin of the attack. However, system call support is lost after a file is memory-mapped, because all read and write operations on the file in memory thereafter are through memory pointers. The authors present a runtime monitor to log read and write operations in memory-mapped files. The basic concept of the approach is to insert a page fault monitor in the kernel's memory management subsystem. This monitor guarantees the correct ordering of the logs that represent memory access events when two or more processes operate on a file in memory.
The monitor increases the accuracy of current reconstruction systems by reducing search time, search space, and false dependencies.

Outline (Paper 2)
- Introduction
- Fine-grained monitoring
- Monitoring techniques
- Directions

Introduction
- The authors note that logging to detect intrusions is commonly carried out at the application level.
- They argue that it is better to log at the operating system level, since an intruder will find it harder to hide his or her tracks there.
- They describe a run-time monitor that logs read and write operations on memory-mapped files.
- Key to their approach is the VMA (virtual memory area): a contiguous region of a process's virtual address space, which for a mapped file covers the pages backed by that file. Monitoring is carried out at a finer granularity than the VMA as a whole.

Fine Grained Mapping
- The authors consider memory-mapped files as objects with constituent parts such as pages. The goal is not only to trace read and write operations to memory, but also to