Automating Disk Forensic Processing with SleuthKit, XML and Python
S. Garfinkel. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.12

Abstract: We have developed a program called fiwalk which produces detailed XML describing all of the partitions and files on a hard drive or disk image, as well as any extractable metadata from the document files themselves. We show how it is relatively simple to create automated disk forensic applications using a Python module we have written that reads fiwalk's XML files. Finally, we present three applications using this system: a program to generate maps of disk images; an image redaction program; and a data transfer kiosk which uses forensic tools to allow the migration of data from portable storage devices without risk of infection from hostile software that the portable device may contain.

Analysing Access Control Specifications
Christian W. Probst, René Rydhof Hansen. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.13

Abstract: When prosecuting crimes, the main question to answer is often who had a motive and the possibility to commit the crime. When investigating cyber crimes, the question of possibility is often hard to answer, as in a networked system almost any location can be accessed from almost anywhere. The most common tool to answer this question, analysis of log files, faces the problem that the amount of logged data may be overwhelming. This problem gets even worse in the case of insider attacks, where the attacker's actions usually will be logged as permissible, standard actions, if they are logged at all. Recent events have revealed intimate knowledge of surveillance and control systems on the side of the attacker, making it often impossible to deduce the identity of an inside attacker from logged data. In this work we present an approach that analyses the access control configuration to identify the set of credentials needed to reach a certain location in a system. This knowledge allows one to identify a set of (inside) actors who have the possibility to commit an insider attack at that location. This has immediate applications in analysing log files, but also non-technical applications such as identifying possible suspects, or, beyond cyber crimes, picking the "best" actor for a certain task. We also sketch an online analysis that identifies where an actor can be located based on observed actions.

File Fragment Classification: The Case for Specialized Approaches
Vassil Roussev, S. Garfinkel. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.21

Abstract: Increasingly, advances in file carving, memory analysis and network forensics require the ability to identify the underlying type of a file given only a file fragment. Work to date on this problem has relied on identification of specific byte sequences in file headers and footers, and on the use of statistical analysis and machine learning algorithms applied to fragments taken from the middle of the file. We argue that these approaches are fundamentally flawed because they fail to consider the inherent internal structure in widely used file types such as PDF, DOC, and ZIP. We support our argument with a bottom-up examination of some popular formats and an analysis of TK PDF files. Based on our analysis, we argue that specialized methods targeted to each specific file type will be necessary to make progress in this area.

Snapshot Filtering Based on Resource-Usage Profiles
F. Adelstein, C. Marceau. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.15

Abstract: Live forensic tools provide investigators with new sources of information. Unfortunately, the amount of data gathered by such tools can be overwhelming, with a low signal-to-noise ratio. The authors use an innovative method of monitoring the resource use of running processes to build a profile of the application's normal resource use, which they then exploit to filter out extraneous, forensically uninteresting data from a list of open file handles and dynamically loaded libraries attached to a process. Preliminary results show a dramatic reduction in the number of file and registry handles and DLLs, greatly reducing the forensic haystack, allowing the investigator to more easily spot the needles.

A Distributed Triage Model for Digital Forensic Services to State and Local Law Enforcement
M. Losavio, D. Keeling, Adel Said Elmaghraby. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.10

Abstract: We propose a distributed triage model for digital forensic services to state and local law enforcement. This would permit efficient use of forensic resources by using local law enforcement for basic digital forensic analysis and assigning more complex matters to intermediate and advanced examiners.

Two Models of Digital Forensic Examination
F. Cohen. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.8

Abstract: This paper examines an existing cost model of digital forensic examination and describes a new model of examination. Alternative approaches to the previous techniques are identified, including optimization approaches for determining examination order and alternative evaluation methods for optimization criteria.

Digital Device and Forensics Concerns in Jails, Prisons and Supervisory Environments
Natalie Armstrong, M. Losavio, D. Keeling. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.9

Abstract: We examine concerns relating to digital devices and forensics in jails, prisons and supervised-release environments. Despite being among the most controlled physical environments in government, these settings continue to see digital devices breach institutional security and increase risks to correctional staff and the community.

A Formal Rule-Based Scheme for Digital Investigation in Wireless Ad-hoc Networks
S. Rekhis, N. Boudriga. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.16

Abstract: Existing investigation schemes are not suitable to cope with attacks in wireless networks, especially in MANETs. We propose in this paper a formal approach for digital investigation of security attacks in wireless networks. We provide a model for describing attack scenarios in wireless environments, and the system and network evidence generated as a consequence. We develop an inference system that integrates the two types of evidence, handles incompleteness and duplication of information in them, and allows one to generate potential and provable actions and attack scenarios. To exemplify the proposal, we consider a case study dealing with a Denial of Service attack on a web server, where the attacker and the target are mobile nodes.

Panel: Technical, Social and Legal Frameworks for Digital Forensics and CyberInfrastructure Security
Jean West, U. Lindqvist, P. Vasquez, M. Losavio, S. Peisert. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.11

Abstract: A systematic approach to digital forensic engineering acknowledges the close, intertwined relationship between digital forensics and information security. Just as their technical structures are interrelated, so, too, are issues relating to the legal and social frameworks within which they are used. We examine this critical relationship as it applies to critical cyber infrastructure and the threats to it from domestic and transnational criminals and state actors.

High Assurance Digital Forensics: A Panelist's Perspective
S. Greenwald. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, 2009-05-21. DOI: https://doi.org/10.1109/SADFE.2009.17

Abstract: In these times of trendy LPU papers, you may consider this as two papers in one. If you like controversial positions and observations, then I suggest you focus on the second part of this paper (sections V and VI). If you like history, institutional knowledge, definitions, and the wisdom of senior scientist-practitioners, then I suggest you focus on the first part of this paper (sections II through IV). I wrote both as parts of an integrated whole in the hope that you will like that as well. In the first part of this paper (sections II through IV), I attempt to give an adequate working definition of the term "high assurance" for use in the context of "high assurance digital forensics," with assistance from many luminaries in the field. In the second part of this paper (sections V and VI), I give my observations and reactions to my panelist experience for the "High Assurance Digital Forensics" panel at the Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE). I also examine my overall workshop experiences. In particular, I examine how the computer science paradigm does not compose very well with the legal paradigm and the truly massive problems and dangers that this causes. I sum up with a list of questions that we must answer if we truly wish high assurance digital forensics to be used properly.