
Transcript
Page 1: Real Time Event Recording System the Tool for Digital Forensics Investigation by Madhav Limaye

Real Time Event Recording System, the tool for Digital Forensics Investigation

Madhav [email protected]

Page 2

Practice today

• Investigator finds that a device has been used
• Attempts to dig out all events in the past, e.g.
  – an object (file/registry key) deleted from the disk/device
  – execution of an EXE
  – cookies
  – contents sent out, e.g. for printing
  – access to a network resource
  – calls made through IP phones
  – etc.

Page 3

Success factors

• The success rate depends on multiple factors
• Multiple tools are needed
• Expertise is needed
• Total failure if
  – the device has been reset
  – the device is physically damaged
  – etc.

Page 4

Things available native…

• Native tools/repositories are present
  – Cookies
  – Windows
    • Event Log
    • Registry
  – Cell phone
    • call history

• These are local: they can be cleaned, or they can overflow (once the store is full, the oldest entries are overwritten)

Page 5

The proposed tool

• Records an event when it happens/occurs
• Should support all devices
• Can be agent based or agentless
• Records to a central server
• Can work on-line or off-line

Page 6

Challenges for implementation

• Biggest: data storage
• Switching off the agent
• Taking the device off the network, in the agentless case

Page 7

Other Utilization

• At nation level, for national security
  – Monitor activities at public places, e.g. Net cafes

• At an enterprise, to enforce policies on device usage

• At home, to monitor usage by minors

Page 8

Approaches for implementation

• Agent based
  – So that the performance of the monitored device does not degrade
  – Have an "off-line" monitor (keep recording locally when the server is unreachable)
  – Conserve network bandwidth

• Protecting the agent
  – Heartbeat: the server polls to check that the agent is alive
  – Tie it to the device kernel, somehow, so that if someone tries to "kill" it, it takes the device down

• Configurable events/devices
  – The events/devices, depth/detail etc. should be configurable
  – There should be a "white-list" of devices and events/applications, e.g.
    • the "Exchange" server is "trusted"
    • events from source code control tools are not monitored

• Pushing the logs to the server
  – on a "configurable" interval
  – on "shut-down" of the device
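The following is an added example, not the author's tool, sketching the agent-based approach above in Python: a configurable white-list (trusted host, excluded application), a local spool that acts as the off-line monitor when the device is away from the network, a push on a configurable interval or at shutdown, and a heartbeat so the central server can tell when an agent has gone silent (killed, or device off the network). One addition that is not on the slides: each record carries a SHA-256 hash chained to the previous one, so records held locally during an outage cannot be edited or dropped without the server noticing. The CentralServer stand-in, the Agent class, the event field names and the sample events are assumptions constructed for the walk-through.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash-chain tail before the first record


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Policy:
    """Configurable events and white-list (trusted hosts, excluded applications)."""
    def __init__(self, monitored_events, trusted_hosts=(), excluded_apps=(), push_interval_s=60.0):
        self.monitored_events = set(monitored_events)
        self.trusted_hosts = set(trusted_hosts)
        self.excluded_apps = set(excluded_apps)
        self.push_interval_s = push_interval_s

    def accepts(self, event: dict) -> bool:
        return (event.get("type") in self.monitored_events
                and event.get("host") not in self.trusted_hosts
                and event.get("app") not in self.excluded_apps)


class CentralServer:
    """Stand-in for the central log server; set .online = False to take the device off the network."""
    def __init__(self):
        self.online, self.records, self.last_heartbeat = True, [], {}

    def ingest(self, agent_id, batch):
        if not self.online:
            raise ConnectionError("server unreachable")
        self.records.extend(batch)

    def heartbeat(self, agent_id, now):
        if not self.online:
            raise ConnectionError("server unreachable")
        self.last_heartbeat[agent_id] = now

    def silent_agents(self, now, timeout_s):
        """Agents whose heartbeat is overdue: candidates for 'agent killed' or 'device off the network'."""
        return sorted(a for a, t in self.last_heartbeat.items() if now - t > timeout_s)


class Agent:
    def __init__(self, agent_id, policy, server, clock):
        self.agent_id, self.policy, self.server, self.clock = agent_id, policy, server, clock
        self.spool = []            # off-line monitor: records not yet accepted by the server
        self.prev_hash = GENESIS   # tail of the hash chain over everything recorded so far
        self.last_push = clock()
        self.dropped = 0

    def record(self, event: dict):
        """Record the event when it happens; returns the record, or None if the white-list drops it."""
        if not self.policy.accepts(event):
            self.dropped += 1
            return None
        body = {"agent": self.agent_id, "ts": self.clock(), "event": event, "prev": self.prev_hash}
        rec = dict(body, hash=_digest(body))
        self.prev_hash = rec["hash"]
        self.spool.append(rec)
        if self.clock() - self.last_push >= self.policy.push_interval_s:
            self.push()                # configurable interval elapsed
        return rec

    def push(self) -> bool:
        """Push the spool; on failure keep the records locally and retry at the next interval."""
        try:
            self.server.ingest(self.agent_id, list(self.spool))
        except ConnectionError:
            return False
        self.spool.clear()
        self.last_push = self.clock()
        return True

    def heartbeat(self) -> bool:
        try:
            self.server.heartbeat(self.agent_id, self.clock())
            return True
        except ConnectionError:
            return False

    def shutdown(self) -> bool:
        """Push on shut-down of the device."""
        return self.push()


def verify_chain(records) -> bool:
    """Server-side check: every record hashes correctly and links to its predecessor."""
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or rec.get("hash") != _digest(body):
            return False
        prev = rec["hash"]
    return True


def demo():
    clock = [1000.0]                              # controllable clock for the walk-through
    server = CentralServer()
    policy = Policy({"file_delete", "exec", "print", "net_access"},
                    trusted_hosts={"exchange.corp.example"}, excluded_apps={"git.exe"})
    agent = Agent("LAPTOP-01", policy, server, lambda: clock[0])
    agent.heartbeat()
    # constructed sample events (not real telemetry)
    recs = [agent.record({"type": "file_delete", "app": "explorer.exe", "path": "C:\\Users\\a\\report.docx"}),
            agent.record({"type": "net_access", "app": "outlook.exe", "host": "exchange.corp.example"}),
            agent.record({"type": "exec", "app": "git.exe", "path": "C:\\Program Files\\Git\\git.exe"})]
    clock[0] += 61                                # interval elapsed: the next accepted event triggers a push
    recs.append(agent.record({"type": "print", "app": "winword.exe", "doc": "budget.xlsx"}))
    pushed_on_interval = len(server.records)
    server.online = False                         # device taken off the network
    recs.append(agent.record({"type": "net_access", "app": "chrome.exe", "host": "10.0.0.5"}))
    spooled_offline = len(agent.spool)
    clock[0] += 300
    agent.heartbeat()                             # fails; server notices the silence
    silent = server.silent_agents(clock[0], timeout_s=120)
    server.online = True
    shutdown_pushed = agent.shutdown()
    tampered = json.loads(json.dumps(server.records))
    tampered[0]["event"]["path"] = "C:\\Users\\a\\nothing.txt"   # someone edits a record after the fact
    return {"recorded": sum(r is not None for r in recs), "dropped": agent.dropped,
            "pushed_on_interval": pushed_on_interval, "spooled_offline": spooled_offline,
            "silent_agents": silent, "shutdown_pushed": shutdown_pushed,
            "server_records": len(server.records), "chain_ok": verify_chain(server.records),
            "tamper_detected": not verify_chain(tampered)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain is anchored only at the agent, so an attacker who controls the device could rebuild it from scratch; it makes tampering with an existing spool detectable, not impossible. Protecting the agent itself, as the slide notes, still has to come from the platform (kernel tie-in, tamper-protected service).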

Page 9

Q & A

Page 10

Thank you

Madhav [email protected]