Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #9
Preserving Digital Evidence; Image Verification and Authentication
September 17, 2007

Outline
- Review of Lecture #8
- Duplication and Preservation of Digital Evidence
- Image Verification
- Honey pots Overview: Mehdy Masud

Review of Lecture #8
- Data Recovery
- Digital Evidence Collection
- Links and Discussions
- Chapters 7 and 8 of Text Book

Duplication and Preservation of Evidence
Preserving the Digital Crime Scene
- First task is to make a complete bit stream backup of all computer data before review or processing
- "Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jazz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups." (http://www.forensics-intl.com/def2.html)
- Make sure that the legal requirements are met and proper procedures are followed
- Details in Chapter 7 of text book

Digital Evidence Process Model
The U.S. Department of Justice published a process model in Electronic Crime Scene Investigation: A Guide to First Responders that consists of four phases:
1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation.
2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation.
3. Analysis; this looks at the product of the examination for its significance and probative value to the case.
4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf

Standards for Digital Evidence
The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices.
The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm

Verifying Digital Evidence
- Encryption techniques
  - Public/Private key encryption
  - Certification Authorities
  - Digital ID/Credentials
- Standards for Encryption
  - Export/Import laws
- Course in Cryptography
  - Details in Chapter 8

Verification/Validation/Certification: Standards
"Digital forensic teams and laboratories are now commonplace within Australia, particularly associated with law enforcement and intelligence agencies. The digital forensics discipline is rapidly evolving to become a scientific practice with domain-specific guidelines. These guidelines are still under discussion in an attempt to progress the discipline so as to become as solid and robust in its scientific underpinnings as other forensic disciplines. Influential players, practitioners and observers all agree that rigorous standards need to be adopted to align this science with other forensic sciences. How does one assess the scientific nature of digital forensics with so many independent computing and IT elements combined, and what are the outcomes of each assessment method? Solutions are proposed regularly justifying their use but to date no one international or national standard exists. This paper does not propose a solution but rather explores the concept of Validation and Verification (V&V) with particular respect to digital forensic tools. The paper also explores ISO 17025 'General requirements for the competence of testing and calibration laboratories' and develops the testing process to satisfy this standard to allow for Australian digital forensic laboratories to be eligible for certification."
http://esm.cis.unisa.edu.au/new_esml/resources/publications/digital%20forensics%20-%20exploring%20validation,%20verification%20and%20certification.pdf

Conclusion
- Standards and processes have to be set in place for representing, preserving, duplicating, verifying, validating, certifying and accrediting digital evidence
- Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand
- Need to make it a scientific discipline

Links: Preserving Digital Evidence
Preserving Digital Evidence
- http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm (standards)
- https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf (process)
- http://www.logicube.com/logicube/articles/cybersleuth_collecting_digital_evidence.asp (hard drive duplication)
- http://www.crime-scene-investigator.net/admissibilityofdigital.html (digital photographs)
- http://faculty.ncwc.edu/toconnor/426/426lect06.htm
- http://www.freepatentsonline.com/7181560.html (US Patent)
- http://www.mediasec.com/downloads/veroeffentlichungen/thorwirth2004.pdf (survey)
- http://www.forensics-intl.com/def2.html (bit stream backup)

Links: Verifying Digital Evidence
Verifying Digital Evidence
- http://esm.cis.unisa.edu.au/new_esml/resources/publications/digital%20forensics%20-%20exploring%20validation,%20verification%20and%20certification.pdf (verification and validation)
- http://www.forensicmag.com/articles.asp?pid=21
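The bit stream backup from the Duplication and Preservation slide, together with the acquisition/verification hashing that makes an image defensible as evidence, as an added example (not part of the lecture and not any tool's code). It copies a source sector by sector, so slack, unallocated and deleted-file areas are captured uninterpreted, records a SHA-256 acquisition hash, and shows a later verification hash failing once a single byte of the image changes. The sector size, file names and the constructed "device" contents are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size; a real device reports its own

def bitstream_image(source_path, image_path, sector_size=SECTOR_SIZE):
    """Copy every sector of source_path to image_path, uninterpreted: slack
    space, unallocated sectors and deleted-file remnants included.
    Returns the acquisition hash (SHA-256 of all bytes read) and sector count."""
    digest = hashlib.sha256()
    sectors = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(sector_size), b""):
            digest.update(chunk)
            dst.write(chunk)
            sectors += 1
    return {"sha256": digest.hexdigest(), "sectors": sectors}

def hash_file(path, sector_size=SECTOR_SIZE):
    """Independent re-read of a file; used for the verification hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(sector_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(image_path, acquisition_sha256):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_file(image_path) == acquisition_sha256

def demo():
    """Constructed 'device': two live files plus an orphaned deleted-file fragment."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        with open(device, "wb") as fh:
            fh.write(b"FILE-A".ljust(SECTOR_SIZE, b"\0"))
            fh.write(b"FILE-B".ljust(SECTOR_SIZE, b"\0"))
            fh.write(b"deleted but still on disk".ljust(SECTOR_SIZE, b"\xff"))
        record = bitstream_image(device, image)
        ok_before = verify_image(image, record["sha256"])  # image matches source
        with open(image, "r+b") as fh:  # simulate post-acquisition alteration
            fh.seek(SECTOR_SIZE + 1)
            fh.write(b"X")
        ok_after = verify_image(image, record["sha256"])  # alteration detected
        return record["sectors"], ok_before, ok_after

if __name__ == "__main__":
    print(demo())
```

In practice the acquisition hash is written into the chain-of-custody record at imaging time and recomputed before every examination; a mismatch means the image can no longer be relied on.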