Using automation to enhance the process of Digital Forensic analysis
Daniel Walton
School of Computer and Information Science
Supervisor: Dr Elena Sitnikova
Research Fields: Computer Forensics & Network Security
Outline
– Introduction
– Motivation
– Research Question
– Methodology
– Research Activities
– References
Introduction to Digital Forensics
Digital forensics is a branch of forensic science dealing with the acquisition and analysis of data found in digital devices; it is often combined with the presentation of the results of the analysis in court.
Digital forensics has three major phases (Carrier, 2002):
– Acquisition
– Analysis
– Presentation
Motivation
Digital forensics has three major phases (Carrier, 2002):
– Acquisition (manual process)
– Analysis (time consuming, with room for improvement)
– Presentation (manual process)
Storage sizes
– Storage constantly increasing in size
– More places to store evidence (cloud, mobile devices, etc.)
– Overall more evidence for analysis
Complexity increasing
– New operating systems and mobile devices, as well as more types of metadata to extract and analyse (e.g. jump lists)
– Additional complexity increases analysis and reporting time
Time
– Digital forensic analysis is time consuming
Research Question
How can automation be used to improve the digital forensic analysis of computer evidence?
The analysis process includes:
– Metadata collection/extraction (currently many different tools and output formats)
– Analysis (linking the dots): comparing the extracted information
– Statistics
– Blacklists/whitelists (hash-based de-NISTing against known-good hash sets, and filename lists)
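The blacklist/whitelist step above, as an added example that is not part of the presentation: files from an evidence set are hashed and culled against a known-good set (the idea behind de-NISTing with the NSRL) and a known-bad set, with a filename-pattern list as a second, weaker indicator. The hash sets, the sample files and the filename patterns are constructed for the example; real NSRL data is distributed as large MD5/SHA-1 sets, not these values.

```python
"""Added example: hash and filename based culling of evidence files.

Known-good hashes remove files that ship with the OS or common software;
known-bad hashes and filename patterns flag files of interest.  Anything
left over is "unknown" and goes on to further analysis.  All hash values
and sample files below are constructed for the example.
"""
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify_files(paths: Iterable[str], known_good: Set[str], known_bad: Set[str],
                   bad_name_patterns: List[str]) -> Dict[str, List[str]]:
    """Bucket every file by hash first, then by filename pattern.

    The blacklist is checked before the whitelist so that a hash that ends up
    in both sets (bad data, or a deliberately poisoned whitelist) can never
    hide an indicator.  A modified system binary has a new hash, so it is
    NOT whitelisted and correctly lands in "unknown".
    """
    result: Dict[str, List[str]] = {
        "known_bad": [], "known_good": [], "suspicious_name": [], "unknown": []}
    for path in paths:
        digest = sha1_of_file(path)
        name = os.path.basename(path).lower()
        if digest in known_bad:
            result["known_bad"].append(path)
        elif digest in known_good:
            result["known_good"].append(path)
        elif any(fnmatch.fnmatch(name, pat) for pat in bad_name_patterns):
            result["suspicious_name"].append(path)
        else:
            result["unknown"].append(path)
    return result


def build_sample_evidence(root: str) -> List[str]:
    """Write a constructed, miniature evidence tree (not real binaries)."""
    files = {
        "Windows/System32/notepad.exe": b"constructed notepad bytes",
        "Users/alice/Documents/report.docx": b"constructed user document",
        "Users/alice/AppData/Temp/svch0st.exe": b"constructed dropper bytes",
        "Users/alice/Downloads/invoice.pdf.exe": b"constructed lure bytes",
    }
    paths = []
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        paths.append(full)
    return paths


def run_demo() -> Dict[str, List[str]]:
    """Classify the constructed tree; returns relative paths per bucket."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_sample_evidence(root)
        # Constructed hash sets standing in for NSRL (good) and a malware feed (bad).
        known_good = {hashlib.sha1(b"constructed notepad bytes").hexdigest()}
        known_bad = {hashlib.sha1(b"constructed dropper bytes").hexdigest()}
        patterns = ["*.pdf.exe", "*.scr"]          # double-extension lures etc.
        buckets = classify_files(paths, known_good, known_bad, patterns)
        return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in v)
                for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(bucket, files)
```

Hash whitelisting only ever removes byte-identical copies of known files, which is exactly why it is safe: a trojaned or patched system file drops into "unknown" rather than being silently discarded. The filename patterns are the opposite, cheap and noisy, so they are used only to raise attention, never to discard.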
Research sub-questions
Q: How can automation be used to improve the digital forensic analysis of computer evidence?
Sub-questions:
1. What are the existing tools for extracting relevant information from evidence, and what is the quality of the information these tools extract?
2. What solutions are there for parsing the many undocumented file and metadata formats which are yet to be discovered and documented but could contain information of interest?
3. How can a low false-positive and false-negative rate be ensured while keeping a high detection rate for relevant information?
4. How would a tool be implemented to validate the proposed automatic analysis method?
Methodology
● Metadata extraction
– Research into current tools and formats
● Undocumented potential sources of information
– Examine the industry's current solutions
● Mining for gold (keep the relevant, remove the irrelevant)
– Methods for culling irrelevant information as well as amplifying relevant information
● Automated analysis
– Research papers discussing proposals and current solutions
– Research into potential SIEM-like multi-source correlation of events
– Examine any currently existing tools
Research Activities
Plaso
– Compare to log2timeline (Guðjónsson, 2010)
– Test Python object integration
– Feasibility study regarding expansion for automated analysis
Rule analysis system
– Simple but flexible rule system (compare Snort and Prelude IDS)
Statistics
– Research and test potentially useful types (e.g. spam/Bayes filtering, Markov chains, principal component analysis (PCA))
– Evaluate the potential for too much information
• Issues: storage and processing
• Optimise
Performance
– Potential for bottlenecks in analysis
• Optimal usage of resources
Reporting
– What information is needed to generate a computer and user profile report
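The rule analysis system and the SIEM-like multi-source correlation from the Methodology slide, as one added example that is not part of the presentation and not code from plaso or log2timeline: two constructed tool outputs (a log2timeline-style CSV subset and a hypothetical key=value format) are normalised into one event schema, then a small Snort-like rule set is run over the resulting timeline, including a sequence rule that joins events from two sources within a time window. Field names, the rule syntax, all timestamps, hosts and paths are constructed for the example, and every timestamp is assumed to already be in UTC.

```python
"""Added example: a minimal rule system over a normalised super-timeline.

Events from two constructed tool outputs are mapped onto one schema, then
single-event rules and a cross-source sequence rule are evaluated.  Nothing
here is plaso/log2timeline code; formats and events are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed output A: log2timeline-style CSV subset
# (date,time,tz,source,sourcetype,action,user,host,object)
CSV_ROWS = """\
2013-05-02,09:14:03,UTC,Registry,USBSTOR,device_connected,-,WS01,Disk&Ven_SanDisk serial 4C530001
2013-05-02,09:16:20,UTC,MFT,file,created,alice,WS01,E:\\payroll_export.xlsx
2013-05-02,09:20:41,UTC,MFT,file,created,alice,WS01,C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe
2013-05-02,09:30:00,UTC,MFT,file,created,alice,WS01,C:\\Users\\alice\\Documents\\notes.txt
"""

# Constructed output B: a hypothetical second tool emitting key=value lines
KV_LINES = """\
ts=2013-05-02T09:21:05Z src=Prefetch type=executed user=alice host=WS01 path=C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe
ts=2013-05-02T11:02:17Z src=Prefetch type=executed user=alice host=WS01 path=C:\\Windows\\System32\\notepad.exe
"""


@dataclass
class Event:
    """Common schema every tool output is normalised to (assumed, not plaso's)."""
    ts: datetime
    source: str
    action: str
    user: str
    host: str
    path: str


def parse_csv(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, t, _tz, src, _sub, action, user, host, obj = line.split(",", 8)
        ts = datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S")  # assumed UTC
        events.append(Event(ts, src, action, user, host, obj))
    return events


def parse_kv(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, kv["src"], kv["type"], kv["user"], kv["host"], kv["path"]))
    return events


@dataclass
class Rule:
    """Every field condition must hold: a literal, a compiled regex, or a predicate."""
    name: str
    severity: str
    where: Dict[str, object]

    def matches(self, e: Event) -> bool:
        for fld, want in self.where.items():
            have = getattr(e, fld)
            if callable(want):
                ok = bool(want(have))
            elif isinstance(want, re.Pattern):
                ok = bool(want.search(have))
            else:
                ok = have == want
            if not ok:
                return False
        return True


@dataclass
class SequenceRule:
    """Fires when `then` follows `first` within `window` on the same join field."""
    name: str
    severity: str
    first: Rule
    then: Rule
    window: timedelta
    join_on: str = "host"


Hit = Tuple[str, str, datetime, str]


def run_rules(events: List[Event], rules: List[Rule],
              seq_rules: List[SequenceRule]) -> List[Hit]:
    events = sorted(events, key=lambda e: e.ts)          # a timeline must be ordered
    hits: List[Hit] = []
    for e in events:
        for r in rules:
            if r.matches(e):
                hits.append((r.name, r.severity, e.ts, e.path))
    for sr in seq_rules:
        for a in events:
            if not sr.first.matches(a):
                continue
            for b in events:
                if b.ts <= a.ts or b.ts - a.ts > sr.window:
                    continue
                if getattr(a, sr.join_on) != getattr(b, sr.join_on):
                    continue
                if sr.then.matches(b):
                    hits.append((sr.name, sr.severity, b.ts, f"{a.path} -> {b.path}"))
    return hits


TEMP_EXE = re.compile(r"\\temp\\[^\\]+\.exe$", re.I)
RULES = [
    Rule("exe_created_in_temp", "medium",
         {"source": "MFT", "action": "created", "path": TEMP_EXE}),
    Rule("exe_executed_from_temp", "high",
         {"source": "Prefetch", "action": "executed", "path": TEMP_EXE}),
]
SEQ_RULES = [
    SequenceRule("file_written_to_removable_after_usb_connect", "high",
                 first=Rule("usb_connect", "info",
                            {"source": "Registry", "action": "device_connected"}),
                 then=Rule("create_not_on_c", "info",
                           {"source": "MFT", "action": "created",
                            "path": lambda p: not p.upper().startswith("C:\\")}),
                 window=timedelta(minutes=10)),
]


def analyse() -> List[Hit]:
    events = parse_csv(CSV_ROWS) + parse_kv(KV_LINES)
    return run_rules(events, RULES, SEQ_RULES)


if __name__ == "__main__":
    for name, sev, ts, detail in analyse():
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{sev}] {name}: {detail}")
```

Two points the slide's open questions turn on show up directly here. Correlation only works once every source is on the same clock, so timezone normalisation during extraction is a precondition, not a detail. And the USB sequence rule is exactly the kind of rule that trades false positives for recall (sub-question 3): a user legitimately copying a report to a thumb drive fires it too, so its output is a lead for the examiner, not a finding.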
References
Carrier, B. (2002). Open source digital forensics tools: The legal argument. @stake Research Report.
Guðjónsson, K. (2010). Mastering the super timeline with log2timeline. SANS Institute.