2007. 2. 8.
Kyo-il Chung, Ph. D., Convergence Security Group
Digital Forensics Technologies…
Source: old.hsn.or.kr/hsn2007/document/8_SS/S-3.pdf
2 ::: ETRI, The Future Wave :::
Contents
I. Introduction of Digital Forensics
II. Chain of Custody & Technologies
III. Case Studies
IV. Conclusions
ETRI
Established in 1976
Korea’s largest government funded research facility in the fields of IT & Comm.
R&D Fields: Semiconductors, Mobile Communications, Networks, Security, etc.
Organization of ISRD
Information Security Research Division
Applied Security Group Convergence Security Group
Project Supporting Department
• Network Security Architecture Team
• Secure OS Research Team
• Active Security Research Team
• Privacy Protection Research Team
• P2P Security Research Team
• Wireless Security Application Research Team
• Cryptography Research Team
• Digital ID Security Research Team
• RFID/USN Security Research Team
• Biometrics Technology Research Team
• Biometrics Chipset Research Team
• Bio-medical Information Security Research Team
• Home Network Security Research Team
Next Generation Security System Tech.
Security Gateway System
Secure Router System
Security Management System
Network Security Tech. for P2P Overlay Networks over Wired/Wireless IPV6 Infrastructures
Development of Secure Platform for Wireless Network
Digital ID Security
• Internet ID Management Technology
• Autonomous Identity Federation Bridging Technology
RFID/USN Security
• Light-weight Crypto Algorithm for RFID & Sensor Network
• Low Power & High Speed Processor
• Security Mechanism for RFID/USN Environments
Convergence Security Group
User Identification Technology Using Biometrics
• Multi-modal Biometric & Searching Technology
• Biometric Chipset
• Biometric Data Protection
Security in Healthcare
• Bio Sensor Technology
• Security Tech. for EHR, u-Hospital
Authentication and Authorization Tech. for Home Networks
• Lightweight authentication and access control mechanism for home networks
Done
Design and development of information security algorithm for IMT-2000 system
Electronic certificate based PKI system
USB token containing biometric functions
Wireless LAN information security technology
Next generation IC card
USIM chipset for 3rd generation mobile communications
Where to apply?
I. Introduction of Digital Forensics
What is Digital Forensics?
Why Digital Forensics?
Forensics?
We are all familiar with CSI (crime scene investigation) …
Computer crime?
Your company has recently hired a new salesman.
6 months after his hire, he leaves your company and forms a competing interest, sending letters to all of your clients.
You may think this a bit odd and contact an attorney to consider filing a suit.
What has occurred is a virtual theft -- the salesman stole a copy of your client database.
Note that this is a VIRTUAL theft -- since you were not deprived of any property (he didn't delete it, just copied it) you will likely not be able to prosecute him criminally.
by Jkizza, UT Chattanooga
How much information?
“How much Information?” (Berkeley, USA)
Before 1999 (over about 300 thousand years), humans had produced 12 Exabytes of information.
In only 4 years after 1999, we produced 9 Exabytes of information.
The quantity of information doubles every year, accelerating the digitalization of information.
Only 0.03% of the information produced in 2002 was recorded on paper.
* 1 Exabyte: 10^18 bytes (1 Gigabyte x 1 billion)

Original information stored per medium (values in terabytes, per the Berkeley study):
Storage Medium | 1999-2000 | 2002      | Change (%)
Paper          | 1,200     | 1,634     | 36%
Film           | 431,690   | 420,254   | -3%
Magnetic       | 2,779,760 | 5,187,130 | 87%
Optical        | 81        | 103       | 28%
TOTAL          | 3,212,731 | 5,609,121 | 74.5%
Increase of digital evidence in criminal investigations
[Chart: yearly count of computer & cyber crime, 2000-2003, scale 0 to 12,000 cases; categories: Hacking, Viruses, Extraction of private information; Cyber game, Cyber terror, etc. Sources: CERT, Prosecutor’s office; CERT, Police Agency]
Increasing trend of computer & cyber crime:
Year | # Crime
2001 | 33,325
2004 | 77,099
Digital Evidence: cases in which the important evidence is located in a computer are increasing, both for computer-related crimes and for general crimes.
Features of Digital Evidence: digital evidence is easy to copy, it is difficult to tell the original from a copy, and it is easy to manipulate and delete.
Definition
A logical procedure to acquire, store, analyze and report digital evidence so that it can serve as legal evidence
To clarify and prove the relations among the events that occurred on a computer, using the digital data stored in the computer
A sequential procedure: acquiring the digital evidence without damaging the digital data, proving that the data existed at a specific time, and producing legal evidence after analyzing the digital evidence
Civil Trial – Defamation of character, Negligence, Audit
Prevention and Response against Intrusion – Constructing the database of data, Rapid processing of vast data, Analyzing the accidents, Response (Trace, Acquisition of evidence, Information Sharing)
Purpose of Digital Forensics
• Computer crime investigation
• Evidence analysis for civil trial
• Data analysis of digital devices
Technologies of Digital Forensics
• Device
• Data C&A
• System & Network
• Application Analysis
Procedures of Digital Forensics
• Acquisition of evidence
• Chain of custody
• Management of digital evidence
• Analysis report
[Diagram combining the purpose, technologies and procedures of digital forensics]
Market forecast
Digital forensics is mainly used in computer-crime-related trials such as hacking cases, and the forensic market has grown rapidly.
[Chart: market size by year, unit: 100 million dollars; two series: forensic product, accident response service; growth rate 29% per year. Values shown: 2001: 1.0 and 1.33; 2004: 1.9 and 2.64; 2008: 6.0 and 7.86]
Source: IDC (2004)
II. Chain of Custody & Technologies
Procedure of Digital Forensics
Technologies for Digital Forensics
Classification of technologies
Products
Procedure of Digital Forensics - Chain of Custody
Preliminary
• Forensic tool testing
• Preparing tools
• Cooperative system
Acquisition
• Scene investigation
• Disk imaging
• Authentication of evidence
Chain of custody
• Making copy of image
• Transfer of evidence
Analysis
• Search hidden data
• Time-line analysis
• Signature analysis
• Data recovery and search
• Log analysis
• Evidence analysis
Report
• Investigator list
• Opinion of expert
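The Acquisition and Chain-of-custody steps above (disk imaging, authentication of evidence, making a copy of the image, transfer of evidence) in miniature, as an added Python example that is not part of the ETRI slides: a SHA-256 digest authenticates the image, every working copy is verified against that digest before analysis, and each custody entry is hash-linked to the previous one so that a later edit of the log is detectable. File names, investigator names and the sample image bytes are constructed for the demo.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def digest(path: Path, chunk: int = 1 << 20) -> str:
    # Authentication of evidence: SHA-256 over the whole image, read in chunks
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_verified_copy(src: Path, dst: Path, expected: str) -> bool:
    # Making copy of image: copy, re-hash, and accept only a digest-matching copy
    shutil.copyfile(src, dst)
    return digest(dst) == expected

def _link(rec: dict) -> str:
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

def append_record(log: list, **fields) -> dict:
    # Transfer of evidence: each custody entry carries the hash of the previous
    # entry, so rewriting or dropping an earlier record breaks the chain
    rec = dict(fields, prev=_link(log[-1]) if log else "0" * 64)
    log.append(rec)
    return rec

def verify_log(log: list) -> bool:
    # Recompute every link against its predecessor
    prev = "0" * 64
    for rec in log:
        if rec["prev"] != prev:
            return False
        prev = _link(rec)
    return True

def demo() -> dict:
    # Run the chain on a constructed sample image and report each check
    work = Path(tempfile.mkdtemp())
    image = work / "evidence.dd"
    image.write_bytes(b"MBR" + bytes(range(256)) * 64)  # constructed, not real data
    log: list = []
    ref = digest(image)
    append_record(log, step="acquisition", item="evidence.dd", sha256=ref, by="investigator A")
    copy_ok = make_verified_copy(image, work / "working.dd", ref)
    append_record(log, step="copy", item="working.dd", sha256=ref, by="investigator A")
    append_record(log, step="transfer", item="evidence.dd", to="lab B", sha256=ref)
    intact = verify_log(log)
    log[1]["by"] = "someone else"  # simulate a later edit of a custody record
    return {"copy_ok": copy_ok, "log_intact": intact, "tamper_detected": not verify_log(log)}
```

Calling demo() returns all three checks as True: the copy matches the original, the untouched log verifies, and the edited record is caught.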
Classification of technologies
Device
• Storage Media Duplication
• Storage Media Repair
Data
• File Identification (Find)
• File systems Repair
• Browsing
• TimeLine
• Search
System & Network
• Live Data Collection & Analysis
• System Monitoring
• Network Trace
• Network Data Collection & Analysis
• Software (Program files) Analysis
Application
• Internet
• Email
• File Decryption, Crack
• Information Hiding
• File Repair
Technologies for Digital Forensics (Device)
Device
Storage Media Duplication
• Imaging: making an image of the storage by copying it bit by bit
• Write Block: protecting a storage device so that the information on it stays intact
• Mounting: attaching an image to the forensic system as a sub-directory
Storage Media Repair
• Physical or electronic recovery of a storage: recovering a storage device from a physically or electronically damaged state
Technologies for Digital Forensics (System)
System
Live Data Collection & Analysis
• Acquisition and analysis of the volatile data of the live system