study of comparison of digital forensic investigation models
TRANSCRIPT
Study of Comparison of Digital Study of Comparison of Digital Forensic Investigation ModelsForensic Investigation Models
What is Digital Forensics?
ForensicsForensics - The use of science and technology to - The use of science and technology to investigate and establish facts in criminal or civil investigate and establish facts in criminal or civil courts of law. courts of law.
Computer forensicsComputer forensics is a branch of forensic is a branch of forensic science pertaining to legal evidence found in science pertaining to legal evidence found in computers and digital storage mediums. Computer computers and digital storage mediums. Computer forensics is also known as forensics is also known as Digital Forensics.Digital Forensics.
Ref: http://en.wikipedia.org/wiki/Computer_forensics
►Inculpatory EvidenceInculpatory Evidence – Supports a – Supports a given theorygiven theory
►Exculpatory EvidenceExculpatory Evidence – Contradicts – Contradicts a given theorya given theory
►Evidence of TamperingEvidence of Tampering – Shows that – Shows that the system was tampered with to the system was tampered with to avoid identificationavoid identification
Types of EvidenceTypes of Evidence
Ref: T. Lillard Consulting, Inc. Copyright @ 2002
Computer Forensics Methodologies Computer Forensics Methodologies consist of Three Basic Componentsconsist of Three Basic Components
►Acquiring the evidence Acquiring the evidence while while ensuring that the integrity is ensuring that the integrity is preserved; preserved;
►Authenticating the validity Authenticating the validity of the of the extracted data, which involves making extracted data, which involves making sure that it is as valid as the original sure that it is as valid as the original
►Analyzing the data Analyzing the data while keeping its while keeping its integrity. integrity.
Ref: Kruse II, Warren and Jay, G. Heiser (2002) Computer Forensics: Incident Response Essentials. Addison-Wesley
The Forensics Process The Forensics Process ModelModel
►CollectionCollection
►ExaminationExamination
►AnalysisAnalysis
►ReportingReportingRef: National Institute of Justice. (July 2001) Electronic Crime Scene Investigation. A Guide for First Responders. http://www.ncjrs.org/pdffiles1/nij/187736.pdf.
The Abstract Digital Forensics The Abstract Digital Forensics ModelModel
► IdentificationIdentification► PreparationPreparation► Approach strategyApproach strategy► PreservationPreservation► CollectionCollection► ExaminationExamination► AnalysisAnalysis► PresentationPresentation► Returning evidenceReturning evidence
Ref: Mark Reith, Clint Carr and Gregg Gunsch.(2002)An Examination of Digital Forensic Models International Journal of Digital Evidence, Fall 2002,Volume 1, Issue 3
Pollitt 1995 Pollitt 1995
Ref: Pollitt, M. “Computer Forensics: an Approach to Evidence in Cyberspace”, Proceedings (Vol. II, pp 487-491) of the National Information Systems Security Conference, Baltimore, MD. 1995
Noblett, et al 2000Noblett, et al 2000
Ref: Noblett, M., Pollitt, M., Presley, L. “Recovering and Examining Computer Forensic Evidence”, Forensic Science Communications, Volume 2 Number 4 2000
Digital Forensic Research Workshop 2001Digital Forensic Research Workshop 2001
Ref: Digital Forensic Research Workshop (DFRWS) Research Road Map, Utica, NY. (2001)
Reith, Carr and Gunsch 2002 Reith, Carr and Gunsch 2002
They offer a model comprised of nine steps:They offer a model comprised of nine steps:► IdentificationIdentification► PreparationPreparation► Approach StrategyApproach Strategy► PreservationPreservation► CollectionCollection► ExaminationExamination► AnalysisAnalysis► PresentationPresentation► Returning Evidence.Returning Evidence.
Ref: Reith, M., Carr C. and Gunsch, G. “An Examination of Digital Forensic Models”, IJDE Fall 2002 Volume 1, Issue 3.
Carrier and Spafford 2003 Carrier and Spafford 2003
►ReadinessReadiness►DeploymentDeployment►Physical Crime Scene InvestigationPhysical Crime Scene Investigation►Digital Crime Scene Investigation Digital Crime Scene Investigation ►Review PhasesReview Phases
Ref: Carrier, B. and Spafford, E. “Getting Physical with the Digital Investigation Process”, International Journal of Digital Evidence Fall 2003, Volume 2, Issue 2.
Carrier 2003 Carrier 2003
► In Carrier’s outlines the layers of abstraction In Carrier’s outlines the layers of abstraction that constitute Forensic Examinationthat constitute Forensic Examination
Ref: Carrier, B. “Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers”, International Journal of Digital Evidence Winter 2003, Volume 1, Issue 4.
Mocas 2003 Mocas 2003
She identified multiple contexts for She identified multiple contexts for digital forensics:digital forensics:
►Law Enforcement ContextLaw Enforcement Context►A Military Context A Military Context ►Business System Security Context. Business System Security Context.
Ref: Mocas, S. (2003) “Building Theoretical Underpinnings for Digital Forensics”,
Baryamueeba and Tushabe Baryamueeba and Tushabe 2004 2004
They suggested a modification to Carrier and Spafford’s They suggested a modification to Carrier and Spafford’s Integrated Digital Investigation Model Integrated Digital Investigation Model of 2003.of 2003.
► They describes two additional phasesThey describes two additional phases Trace backTrace back DynamiteDynamite They seek to separate the investigation into primary They seek to separate the investigation into primary
crime scene (the computer) and the secondary crime crime scene (the computer) and the secondary crime scene (the physical crime scene). The goal is to scene (the physical crime scene). The goal is to reconstruct the two crime scenes concurrently to reconstruct the two crime scenes concurrently to avoid inconsistenciesavoid inconsistencies
Ref: Baryamureeba V. and Tushabe, F. “The Enhanced Digital Investigation Process Model”, DFRWS 2004, Baltimore, MD.
Beebe and Clark 2004Beebe and Clark 2004
He proposes previous models were single tier, in fact He proposes previous models were single tier, in fact the process tends to be multi-tiered.the process tends to be multi-tiered.
He proposes SEE approach:He proposes SEE approach:► SurveySurvey► Extract Extract ► ExamineExamine
They introduce the concept of objectives-based tasks.They introduce the concept of objectives-based tasks.
Ref: Beebe, N. and Clark, J. “A Hierarchical, Objectives-Based Framework for the Digital Investigations Process”, DFRWS 2004 Baltimore, MD.
Carrier and Spafford 2004Carrier and Spafford 2004
►Carrier and Spafford add new Carrier and Spafford add new elements to the digital forensic elements to the digital forensic frameworkframework Events and Events and Event ReconstructionEvent Reconstruction
Ref: Carrier, B. and Spafford, E. “An Event-based Digital Forensic Investigation Framework”, DFRWS 2004, Baltimore, MD
Ruibin, Yun and Gaertner Ruibin, Yun and Gaertner 20052005
Ref: Pollitt, M. “Six Blind Men from Indostan”, DFRWS, 2004, Baltimore, MD.
Erbacher, Christensen and Erbacher, Christensen and SundbergSundberg
Ref: Robert F. Erbacher, Kim Christensen, and Amanda Sundberg, "Visual Forensic Techniques and Processes," Proceedings of the 9th Annual NYS Cyber Security Conference Symposium on Information Assurance, Albany, NY, June 2006, pp. 72-80.
Kent, Chevalier, Grance and Kent, Chevalier, Grance and Dang 2006Dang 2006
►CollectionCollection►ExaminationExamination►AnalysisAnalysis►ReportingReporting
Ref: Kent, K., Chevalier, S., Grance, T. and Dang, H. “ Guide to Integrating Forensics into Incident Response”, Special Publication 800-86, Computer Security Division Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD August 2006
Project GoalsProject Goals
► Study all existing digital forensic investigation models.Study all existing digital forensic investigation models.► Capture their timeline and basis for development.Capture their timeline and basis for development.► Compare them for their use in various situations and Compare them for their use in various situations and
their pro and cons for those situations.their pro and cons for those situations.► Suggest drawbacks and need for further development.Suggest drawbacks and need for further development.► Evaluate their scalability and growth and technology Evaluate their scalability and growth and technology
adaptation.adaptation.► Find various important parameters to rate compare Find various important parameters to rate compare
the existing and upcoming models.the existing and upcoming models.► Tell their usage in Indian and Global context.Tell their usage in Indian and Global context.