Welcome to “Kernel”
Presentation on Digital forensics research: The next 10 years
MISS-2016A (Master of Information systems Security)
Bangladesh University of Professionals
Team Members
Mehedi Hasan, Sorfaraz Uddin, Al Imran, Rezaul Islam (Team Leader), Rajiv Kumar
Contents
• Objectives
• Key Observations
• Potential Constraints
• Research Directions
• Challenges
• Questions and Comments
1.0 Objectives
• Propose a plan for achieving a dramatic improvement in Digital Forensic (DF) research.
• Achieve operational efficiency in representing forensic data and performing forensic computation.
• Describe today's challenges in the DF field.
• Propose a new DF research methodology.
2.1 Key Observations
Forensics and digital forensics:
• Forensics is the application of science to solve a legal problem.
• Digital forensics is the investigation of crime using digital/computer methods.
• In a word, it is a recovery science.
Major classifications of digital forensics: computer forensics, network forensics, database forensics, chip-off forensics.
Previous forensic history:
• Diversity, in the bad way
• Bad documentation for lots of file types
• Centralized computing facilities and time-sharing
• No formal tools, training, education
Source: MISS1103: Digital Forensics @ Prof. Syed Akhter Hossain (SAH), 2016, pages 5, 6
Source: Garfinkel, Simson L., "Digital Forensics Research: The Next 10 Years", 2010
Lifecycle of Digital Forensics
Early years (1970s-1990s)
• Hardware, software, and application diversity
• A proliferation of data file formats
• Heavy reliance on time-sharing and centralized computing facilities
• Absence of formal process, tools, and training
"Golden years" (1990s-2000s)
• The widespread use of Microsoft Windows, and specifically Windows XP
• Relatively few file formats of forensic interest
• Examinations largely confined to a single computer system belonging to the subject of the investigation
• Storage devices equipped with standard interfaces (IDE/ATA)
Era of crisis (2010s-...)
• Growing size of storage devices
• Increasing prevalence of embedded flash storage
• Proliferation of hardware interfaces
• Proliferation of operating systems and file formats
• Pervasive encryption
• Use of the "cloud" for remote processing and storage, splitting a single data structure into elements
2.2 Key Observations
2.3 Key Observations: 2014 Overall Statistics & Current Record
Source: www.fbi.gov
2.4 Key Observations
• Academic ravel: cyber-criminals are becoming the masters of international cooperation.
• Fundamental problem: today's tools were created for solving child pornography cases, not computer hacking cases.
• Difficulty of reverse engineering: software tools are sold without restrictions, there is no standard set of tools, and file formats are random.
• Cyber criminals' weapon: mobile phones are becoming a primary tool of cyber criminals and terrorists, and there is no standard way to extract information from cell phones.
Major barriers according to the researcher
Source: Garfinkel, Simson L., "Digital Forensics Research: The Next 10 Years", 2010
2.5 Key Observations
• Better technology: ability to handle volume; ability to handle complexity
• Better research: formal methods of analysis; intelligent data mining; structured processes
• Better communication: between computer scientists and legal experts
Obligations for the future
3.1. Potential Constraints
Slower analysis: The growing size of storage devices means that there is frequently insufficient time to create a forensic image of a subject device, or to process all of the data once it is found.
Great diversity: The increasing prevalence of embedded flash storage and the proliferation of hardware interfaces means that storage devices can no longer be readily removed or imaged.
Multiple analyses: The proliferation of operating systems and file formats is dramatically increasing the requirements and complexity of data exploitation tools and the cost of tool development. Whereas cases were previously limited to the analysis of a single device, increasingly cases require the analysis of multiple devices followed by the correlation of the found evidence.
3.2. Potential Constraints
Encryption: Pervasive encryption means that even when data can be recovered, it frequently cannot be processed.
Cloud computing: Use of the "cloud" for remote processing and storage, and to split a single data structure into elements, means that frequently data or code cannot even be found.
Hidden malware: Malware that is not written to persistent storage necessitates expensive RAM forensics.
Legal trouble: Legal challenges increasingly limit the scope of forensic investigations.
4.1. Research Directions
• Develop a new digital forensic methodology by creating a wide range of standardized abstractions for thinking about, representing and computing with information.
• Create alternative analysis models:
  a) Stream-based disk forensics
  b) Stochastic analysis
  c) Prioritized analysis
  d) Scale and validation
• Help with the coming digital forensic crisis by creating new techniques, tools and procedures.
5.1 Upcoming Crisis/Challenges
• Today's examiners frequently cannot obtain data in a forensically sound manner or process data to completion. Evidence may be routinely missed.
• Most common are cell phone data and other mobile computing platforms. There are 1000s of cell phone models around us, and there is no standard way to extract information from a cell phone, yet it is a primary tool for criminals or terrorists.
• Similar problems with diversity and data extraction exist with telecommunication equipment, video game consoles and even eBook readers.
• The inability to extract information from devices in a clean and repeatable manner means that we are unable to analyze these devices for malware/Trojan attacks.
• Encryption and cloud computing both threaten forensic visibility.
• RAM-based forensics can capture the current state of a machine, but RAM DF tools are more difficult to create.
• DF tools face extraordinarily high research and development costs; otherwise they rapidly become obsolete.
• DF professionals often rely on open source tools, but there is no recognized or funded clearing house for open source forensic software.
• Training is a serious problem facing organizations that deliver forensic services.
• A variety of legal challenges are combining to make the very process of computer forensics more complicated, time consuming, and expensive.
5.2 Research Challenges
Evidence-oriented design: Today's tools were designed to help examiners find specific pieces of evidence, not to assist in investigation. Today's tools were created for solving crimes committed against people where evidence resides in a computer; they were not created to assist in solving typical crimes committed with computers or against computers.
The visibility, filter and report model: This model does not readily lend itself to parallel processing. As a result, ingest delays are increasing with each passing year.
The difficulty of reverse engineering: There is no standard set of tools or procedures for a systematic approach to reverse engineering.
Monolithic applications: Binding all capabilities (data format, cryptographic scheme) into a single application makes it impossible for end users to mix and match these capabilities.
Lost academic research: Academic researchers can distribute open source tools that can be directly used, but most end users lack the skills to download and use the tools. Academic researchers can license technology to a vendor, which then sells the technology directly or incorporates it into an existing tool. Vendors can read and learn from academic papers, but they are relatively uninformed regarding the current state of academic forensic research.
6. Advancement
The paper titled "Fast contraband detection in large capacity disk drives" proposes a triage solution for improving the efficiency of the DF tools used for forensic analysis.
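Neither the presentation nor the papers it cites include code. The following Python example is added here to make concrete two items from the slides: the stream-based and stochastic analysis models listed under Research Directions, and the triage idea of the contraband-detection paper just mentioned. It is the editor's own illustration, not code from the presentation or from Garfinkel's work, and it assumes a 512-byte sector, SHA-256 sector hashes and a constructed disk image. The image is read as a stream of sectors, a random subset of sectors is hashed and matched against hashes of a known file, and a hypergeometric miss probability tells the examiner how many random sectors must be read to bound the chance of missing known content, which is what lets an analysis be prioritized before a full pass is affordable.

```python
# Added example (not from the presentation or from Garfinkel's paper): a
# minimal "stochastic" disk triage that treats a disk image as a stream of
# fixed-size sectors, samples sectors at random, and matches sector hashes
# against a set of hashes from known content. Sector size, SHA-256 hashing
# and the sample data are all assumptions made for this illustration.
import hashlib
import random
from math import comb

SECTOR = 512  # assumed sector size in bytes


def sector_hash(chunk: bytes) -> str:
    """Hash one sector; SHA-256 is an assumption, any strong hash would do."""
    return hashlib.sha256(chunk).hexdigest()


def build_sector_hash_set(known_content: bytes, sector: int = SECTOR) -> set:
    """Hash every full, non-zero sector of a known file into a lookup set."""
    hashes = set()
    for off in range(0, len(known_content), sector):
        chunk = known_content[off:off + sector]
        # skip a trailing partial sector and all-zero sectors (too common to be evidence)
        if len(chunk) == sector and any(chunk):
            hashes.add(sector_hash(chunk))
    return hashes


def sample_image(image: bytes, known_hashes: set, n_samples: int,
                 sector: int = SECTOR, seed: int = 0) -> list:
    """Randomly sample n_samples sectors (without replacement) and return the
    indices of sampled sectors whose hash is in known_hashes. Sampled indices
    are visited in ascending order so the pass over the image stays sequential."""
    n_sectors = len(image) // sector
    rng = random.Random(seed)
    picks = rng.sample(range(n_sectors), min(n_samples, n_sectors))
    hits = []
    for idx in sorted(picks):
        chunk = image[idx * sector:(idx + 1) * sector]
        if sector_hash(chunk) in known_hashes:
            hits.append(idx)
    return hits


def miss_probability(n_total: int, k_target: int, n_samples: int) -> float:
    """Probability that n_samples draws without replacement from n_total
    sectors contain none of the k_target sectors of interest (hypergeometric)."""
    if n_samples > n_total - k_target:
        return 0.0
    return comb(n_total - k_target, n_samples) / comb(n_total, n_samples)


def samples_needed(n_total: int, k_target: int, max_miss: float) -> int:
    """Smallest sample size whose miss probability is at most max_miss."""
    n = 0
    while miss_probability(n_total, k_target, n) > max_miss:
        n += 1
    return n


def make_demo_image(seed: int = 1, total_sectors: int = 512,
                    known_sectors: int = 64, target_sector: int = 100):
    """Constructed test data: a pseudo-random 'known file' embedded, sector
    aligned, at target_sector inside a pseudo-random filler image."""
    rng = random.Random(seed)
    known = bytes(rng.getrandbits(8) for _ in range(known_sectors * SECTOR))
    image = bytearray(rng.getrandbits(8) for _ in range(total_sectors * SECTOR))
    start = target_sector * SECTOR
    image[start:start + len(known)] = known
    return known, bytes(image)


if __name__ == "__main__":
    known, image = make_demo_image()
    hashes = build_sector_hash_set(known)
    n_total = len(image) // SECTOR
    n = samples_needed(n_total, len(hashes), max_miss=0.001)
    hits = sample_image(image, hashes, n)
    print(f"{n} of {n_total} sectors sampled, {len(hits)} matched known content")
```

The design choice worth noting is that the sample is drawn without replacement and then read in sorted order: the statistics stay exact while the read pattern remains a single forward pass over the device, which is the stream-based property the slides call for. On a real drive the constructed image would be replaced by a raw device or image file read sector by sector, and the known-content hash set would come from a curated corpus rather than a single file.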
THANK YOU