
Digital forensics research: The next 10 years

Mar 22, 2017



Mehedi Hasan
Transcript
Page 1: Digital forensics research: The next 10 years

Welcome to “Kernel”

Presentation on Digital forensics research: The next 10 years

MISS-2016A (Master of Information systems Security)

Bangladesh University of Professionals

Page 2

Team Members

• Mehedi Hasan
• Sorfaraz Uddin
• Al Imran
• Rezaul Islam (Team Leader)
• Rajiv Kumar

Page 3

Contents

• Objectives
• Key Observations
• Potential Constraints
• Research Directions
• Challenges
• Questions and Comments

Page 4

1.0 Objectives

• Proposes a plan for achieving a dramatic improvement in Digital Forensic (DF) research.
• Achieving operational efficiency for representing forensic data and performing forensic computation.
• Describing today's challenges in the DF field.
• Proposes a new DF research methodology.

Page 5

2.1 Key Observations

Forensic and digital forensic:

• Forensics is the application of science to solve a legal problem.
• Digital forensics is about the investigation of crime, including using digital/computer methods.
• In a word, it is a recovery science.

Major classification of digital forensics:

• Computer forensics
• Network forensics
• Database forensics
• Chip-off forensics

Previous forensic history:

• Diversity, in the bad way
• Bad documentation for lots of file types
• Centralized computing facilities, and time-sharing
• No formal tools, training, education

Source: MISS1103: Digital Forensics @ Prof. Syed Akhter Hossain (SAH), 2016, Page no 5,6

Page 6

2.2 Key Observations

Lifecycle of Digital Forensics

Early years (1970s-1990s)

• Hardware, software, and application diversity
• A proliferation of data file formats
• Heavy reliance on time-sharing and centralized computing facilities
• Absence of formal process, tools, and training

“Golden years” (1990s-2000s)

• The widespread use of Microsoft Windows, and specifically Windows XP
• Relatively few file formats of forensic interest
• Examinations largely confined to a single computer system belonging to the subject of the investigation
• Storage devices equipped with standard interfaces (IDE/ATA)

Era of crisis (2010s-...)

• Growing size of storage devices
• Increasing prevalence of embedded flash storage
• Proliferation of hardware interfaces
• Proliferation of operating systems and file formats
• Pervasive encryption
• Use of the “cloud” for remote processing and storage, splitting a single data structure into elements

Source: Garfinkel, Simson L., “Digital Forensics Research: The Next 10 years”, 2010

Page 7

2.3 Key Observations: 2014 Overall Statistics & Current Record

Source: www.fbi.gov

Page 8

2.4 Key Observations: Major Barriers According to the Researcher

• Academic ravel: cyber-criminals are becoming the masters of international cooperation.
• Fundamental problem: today's tools were created for solving child pornography cases, not computer hacking cases.
• Difficulty of reverse engineering: software tools are being sold without restrictions; there is no standard set of tools. Random file formats.
• Cyber criminals' weapon: mobile phones are becoming a primary tool of cyber criminals and terrorists. There is no standard way to extract information from cell phones.

Source: Garfinkel, Simson L., “Digital Forensics Research: The Next 10 years”, 2010

Page 9

2.5 Key Observations: Obligations for the Future

• Better technology
  – Ability to handle volume
  – Ability to handle complexity
• Better research
  – Formal methods of analysis
  – Intelligent data mining
  – Structured processes
• Better communication
  – Computer scientists
  – Legal experts

Page 10

3.1 Potential Constraints

Slower analysis: The growing size of storage devices means that there is frequently insufficient time to create a forensic image of a subject device, or to process all of the data once it is found.

Great diversity: The increasing prevalence of embedded flash storage and the proliferation of hardware interfaces means that storage devices can no longer be readily removed or imaged.

Multiple analyses: The proliferation of operating systems and file formats is dramatically increasing the requirements and complexity of data exploitation tools and the cost of tool development. Whereas cases were previously limited to the analysis of a single device, increasingly cases require the analysis of multiple devices followed by the correlation of the found evidence.

Page 11

3.2 Potential Constraints

Encryption: Pervasive encryption means that even when data can be recovered, it frequently cannot be processed.

Cloud computing: Use of the “cloud” for remote processing and storage, and to split a single data structure into elements, means that frequently data or code cannot even be found.

Hidden malware: Malware that is not written to persistent storage necessitates expensive RAM forensics.

Legal trouble: Legal challenges increasingly limit the scope of forensic investigations.

Page 12

4.1 Research Directions

• To develop a new digital forensic methodology by creating a wide range of standardized abstractions for thinking about, representing and computing with information.
• To create alternative analysis models:
  a) Stream-based disk forensics
  b) Stochastic analysis
  c) Prioritized analysis
  d) Scale and validation
• To help with the coming digital forensic crisis by creating new techniques, tools and procedures.
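As an added example (not code from the presentation or from Garfinkel's paper), the following Python sketch shows what two of the listed analysis models look like in practice: a stream-based scan that reads a disk image once, front to back, hashing every sector and matching it against a hash set of known content, and a stochastic estimate that samples a few hundred sectors to judge how much of the image holds data before committing to full processing. The disk image, the "known file" and all sizes are constructed inside the block so it runs offline; the block size, the hash-set layout and the sampling approach are assumptions of this example, not a specification from the slides.

```python
import hashlib
import io
import random

BLOCK_SIZE = 512                      # assumed sector size for the constructed image
ZERO_BLOCK = bytes(BLOCK_SIZE)


def build_known_file(n_blocks=256, seed=42):
    """Constructed stand-in for a file whose sector hashes the examiner already holds."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_blocks * BLOCK_SIZE))


def build_image(known_file, zero_blocks=1024, filler_blocks=768, seed=7):
    """Constructed disk image: unallocated (zero) space, the known file, then random filler."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(filler_blocks * BLOCK_SIZE))
    return ZERO_BLOCK * zero_blocks + known_file + filler


def block_hashes(data):
    """SHA-256 of every full block of data: the 'known content' hash set."""
    full = len(data) - len(data) % BLOCK_SIZE
    return {hashlib.sha256(data[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, full, BLOCK_SIZE)}


def stream_scan(stream, known_hashes, chunk_blocks=64):
    """Stream-based scan: read the image once, front to back, never seeking.
    Each block is hashed and classified (zero / known / other) as it passes,
    and a running hash of the whole image is kept for the evidence record.
    Memory use is bounded by chunk_blocks * BLOCK_SIZE plus one partial block."""
    stats = {"total_blocks": 0, "zero_blocks": 0, "known_blocks": 0,
             "other_blocks": 0, "partial_tail_bytes": 0}
    image_hash = hashlib.sha256()
    pending = b""                          # bytes left over from a short read
    while True:
        chunk = stream.read(chunk_blocks * BLOCK_SIZE)
        if not chunk:
            break
        image_hash.update(chunk)
        data = pending + chunk
        full = len(data) - len(data) % BLOCK_SIZE
        for i in range(0, full, BLOCK_SIZE):
            block = data[i:i + BLOCK_SIZE]
            stats["total_blocks"] += 1
            if block == ZERO_BLOCK:
                stats["zero_blocks"] += 1
            elif hashlib.sha256(block).hexdigest() in known_hashes:
                stats["known_blocks"] += 1
            else:
                stats["other_blocks"] += 1
        pending = data[full:]
    stats["partial_tail_bytes"] = len(pending)   # image not a whole number of blocks
    stats["image_sha256"] = image_hash.hexdigest()
    return stats


def scan_image_bytes(image, known_hashes):
    """Convenience wrapper: run stream_scan over an in-memory image."""
    return stream_scan(io.BytesIO(image), known_hashes)


def sampled_data_fraction(image, sample_blocks=200, seed=3):
    """Stochastic analysis: estimate the share of non-zero blocks from a random
    sample of sectors instead of reading the whole image, to decide quickly
    whether a large device deserves full processing."""
    n_blocks = len(image) // BLOCK_SIZE
    rng = random.Random(seed)
    picked = rng.sample(range(n_blocks), sample_blocks)
    non_zero = sum(1 for b in picked
                   if image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] != ZERO_BLOCK)
    return non_zero / sample_blocks


if __name__ == "__main__":
    known = build_known_file()
    image = build_image(known)
    print(scan_image_bytes(image, block_hashes(known)))
    print("sampled data fraction:", sampled_data_fraction(image))   # true value is 0.5
```

The single pass is what makes the stream model attractive for the "slower analysis" constraint: the cost is one sequential read regardless of how much is later carved or correlated, and the running image hash comes for free. The sampled estimate is a triage signal, not evidence; it tells the examiner which of many devices to image first, which is the prioritized-analysis idea.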

Page 13

5.1 Upcoming Crisis/Challenges

• Today's examiners frequently cannot obtain data in a forensically sound manner or process data to completion. Evidence may be routinely missed.
• Most common are cell phone data and other mobile computing platforms. There are thousands of cell phone models around us, and there is no standard way to extract information from a cell phone, yet it is a primary tool for criminals or terrorists.
• Similar problems of diversity and data extraction exist with telecommunication equipment, video game consoles, even eBook readers.
• The inability to extract information from devices in a clean and repeatable manner means that we are unable to analyze these devices for malware/Trojan attacks.
• Encryption and cloud computing both threaten forensic visibility.
• RAM-based forensics can capture the current state of a machine, but RAM DF tools are more difficult to create.
• DF tools face extraordinarily high research and development costs; otherwise they rapidly become obsolete.
• DF professionals often rely on open source tools, but there is no recognized or funded clearing house for open source forensic software.
• Training is a serious problem facing organizations that deliver forensic services.
• A variety of legal challenges are combining to make the very process of computer forensics more complicated, time consuming, and expensive.

Page 14

5.2 Research Challenges

Evidence-oriented design: Today's tools were designed to help examiners find specific pieces of evidence, not to assist in investigation. Today's tools were created for solving crimes committed against people where evidence resides in a computer; they were not created to assist in solving typical crimes committed with computers or against computers.

The visibility, filter and report model: This model does not readily lend itself to parallel processing. As a result, ingest delays are increasing with each passing year.

The difficulty of reverse engineering: There is no standard set of tools or procedures for a systematic approach to reverse engineering.

Monolithic applications: Binding all capabilities (data formats, cryptographic schemes) into a single application makes it impossible for end users to mix and match these capabilities.

Lost academic research: Academic researchers can distribute open source tools that can be directly used, but most end users lack the skills to download and use the tools. Academic researchers (AR) can license technology to a vendor, which then sells the technology directly or incorporates it into an existing tool. Vendors can read and learn from academic papers, but they are relatively uninformed regarding the current state of academic forensic research.

Page 15

6. Advancement

The paper titled "Fast contraband detection in large capacity disk drives" proposes a triage solution for achieving efficiency in the DF tools used for forensic analysis.

Page 16

THANK YOU