UTD CS 4398 - Lecture #6 Digital Forensics Analysis

Slide titles: Digital Forensics; Outline; Review; Digital Evidence Examination and Analysis Techniques; Search Techniques; Event Reconstruction; What is Lazarus?; Time Analysis; Conclusion; Links; Topic for Lecture #7

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #6: Digital Forensics Analysis
September 15, 2008

Outline
- Review
- Digital Forensics Analysis Techniques
- Reconstructing past events
- Conclusion and Links

References
- http://www.gladyshev.info/publications/thesis/ Formalizing Event Reconstruction in Digital Investigations, Pavel Gladyshev, Ph.D. dissertation, 2004, University College Dublin, Ireland (Main Reference)
- http://www.porcupine.org/forensics/forensic-discovery/chapter3.html (Background on file systems)

Review
- Lecture 1: Overview of Digital Forensics (Chapter 1 of textbook)
- Lecture 2: Information Security Review
- Lecture 3: Data Recovery, Verification, Lab Tour (Chapter 3 of textbook: constructing a forensics lab)
- Lecture 4: Data Acquisition (Chapter 4 of textbook)
- Lecture 5: Malicious Code Detection (e.g., the computer is the victim of the crime; applying data mining techniques)

Digital Evidence Examination and Analysis Techniques
- Search techniques
- Reconstruction of events
- Time analysis

Search Techniques
Search techniques
- This group of techniques searches the collected information to answer the question of whether objects of a given type, such as hacking tools or pictures of a certain kind, are present in it.
- According to the level of search automation, techniques can be grouped into manual browsing and automated searches. Automated searches include keyword search, regular expression search, approximate matching search, custom searches, and search of modifications.
Manual browsing
- Manual browsing means that the forensic analyst browses the collected information and singles out objects of the desired type. The only tool used in manual browsing is a viewer of some sort. It takes a data object, such as a file or a network packet, decodes the object and presents the result in a human-comprehensible form.
- Manual browsing is slow. Most investigations collect large quantities of digital information, which makes manual browsing of the entire collection unacceptably time consuming.

Search Techniques
Keyword search
- This is an automatic search of digital information for data objects containing specified keywords. It is the earliest and the most widespread technique for speeding up manual browsing. The output of a keyword search is the list of data objects found.
- Keywords are rarely sufficient to specify the desired type of data objects precisely. As a result, the output of a keyword search can contain false positives: objects that do not belong to the desired type even though they contain the specified keywords. To remove false positives, the forensic scientist has to manually browse the data objects found by the keyword search.
- Another problem of keyword search is false negatives: objects of the desired type that are missed by the search. False negatives occur if the search utility cannot properly interpret the data objects being searched. This may be caused by encryption, compression, or the inability of the search utility to interpret novel data
- It prescribes (1) to choose words and phrases highly specific to the objects of the desired type, such as specific names, addresses, bank account numbers, etc.; and (2) to specify all possible variations of these words.
Regular expression search
- Regular expression search is an extension of keyword search. Regular expressions provide a more expressive language for describing objects of interest than keywords. Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses and for files of a specific type. The forensic utility EnCase performs regular expression searches.
- Regular expression searches suffer from false positives and false negatives just like keyword searches, because not all types of data can be adequately defined using regular expressions.

Search Techniques
Approximate matching search
- Approximate matching search is a development of regular expression search. It uses a matching algorithm that permits character mismatches when searching for a keyword or pattern. The user must specify the degree of mismatch allowed.
- Approximate matching can detect misspelled words, but the permitted mismatches also increase the number of false positives. One of the utilities used for approximate search is agrep.

Search Techniques
Custom searches
- The expressiveness of regular expressions is limited. Searches for objects satisfying more complex criteria are programmed using a general-purpose programming language. For example, the FILTER_1 tool from New Technologies Inc. uses a heuristic procedure to find full names of persons in the collected information. Most custom searches, including the FILTER_1 tool, suffer from false positives and false negatives.

Search Techniques
Search of modifications
- Search of modifications is an automated search for data objects that have been modified since a specified moment in the past. Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash. A library of expected hashes must be built prior to the search. Several tools for building libraries of expected hashes are described in the "file hashes"
- Modification of a file can also be inferred from modification of its timestamp. Although plausible in many cases, this inference is circumstantial. The investigator assumes that a file is always modified simultaneously with its timestamp, and since the timestamp is modified, infers that the file was modified too. This is a form of event reconstruction.

Search Techniques
Event Reconstruction
- Search techniques are commonly used for finding incriminating information, because "currently, mere possession of a digital computer links a suspect to all the data it contains". However, the mere fact of the presence of objects does not prove that the owner of the computer is responsible for putting the objects there. Apart from the owner, the objects can be generated automatically by the system, planted by an intruder or a virus program, or left by the previous owner of the computer. To determine who is
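The search-of-modifications slides above contrast two indicators: a hash mismatch against a pre-built library of expected hashes, and a changed timestamp, which the lecture calls circumstantial. The following added example (not code from the lecture or its references) builds a small hash library over constructed sample files in a scratch directory and runs both checks side by side, so the reader can see one case where only the hash catches a changed file and one where the timestamp alone would be a false positive.

```python
import hashlib
import os
import tempfile
import time

def sha256_file(path):
    """Hash in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_hash_library(root):
    """Library of expected hashes (name -> SHA-256), built before the search."""
    return {n: sha256_file(os.path.join(root, n)) for n in sorted(os.listdir(root))}

def search_modifications(root, library, since):
    """Report both indicators: hash mismatch (direct evidence the content changed)
    and mtime later than `since` (circumstantial: the timestamp moved, the content may not have)."""
    report = {}
    for name, expected in library.items():
        path = os.path.join(root, name)
        report[name] = {
            "hash_mismatch": sha256_file(path) != expected,
            "mtime_after_since": os.stat(path).st_mtime > since,
        }
    return report

def demo():
    # Constructed sample "system utilities" in a scratch directory, not real evidence.
    root = tempfile.mkdtemp()
    old = time.time() - 86400  # baseline: every file last written a day ago
    for name in ("ls", "ps", "netstat"):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"original " + name.encode())
        os.utime(path, (old, old))
    library = build_hash_library(root)
    since = time.time() - 3600  # search window: modified within the last hour
    # ls: content replaced but timestamp preserved -> only the hash comparison notices
    with open(os.path.join(root, "ls"), "wb") as f:
        f.write(b"replaced ls")
    os.utime(os.path.join(root, "ls"), (old, old))
    # ps: rewritten with identical bytes -> mtime moves, hash does not (timestamp false positive)
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"original ps")
    # netstat: untouched -> neither indicator fires
    return search_modifications(root, library, since)
```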