
Using automation to enhance the process of Digital Forensic analysis

Daniel Walton

School of Computer and Information Science

waldj007@mymail.unisa.edu.au

Supervisor: Dr Elena Sitnikova

Research Fields: Computer Forensics & Network Security


Outline

– Introduction
– Motivation
– Research Question
– Methodology
– Research Activities
– References


Introduction to Digital Forensics

Digital forensics is a branch of forensic science dealing with the acquisition and analysis of data found on digital devices, often combined with the presentation of the results of that analysis in court.

Digital forensics has three major phases (Carrier, 2002):

– Acquisition
– Analysis
– Presentation


Motivation

Digital forensics has three major phases (Carrier, 2002):

– Acquisition (manual process)
– Analysis (time consuming, with room for improvement)
– Presentation (manual process)

Storage sizes

– Storage is constantly increasing in size
– More places to store evidence (cloud, mobile devices, etc.)
– Overall more evidence for analysis

Complexity increasing

– New operating systems and mobile devices, as well as more types of metadata to extract and analyse (e.g. Windows Jump Lists)
– Additional complexity increases analysis and reporting time

Time

– Digital forensic analysis is time consuming


Research Question

How can automation be used to improve the digital forensic analysis of computer evidence?

The analysis process includes:

– Metadata collection/extraction (currently many different tools and output formats)
– Analysis (linking the dots)
– Comparing extracted information
– Statistics
– Blacklists/whitelists (hash-based de-NISTing of known files, and filename matching)
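The blacklist/whitelist step above is the part of the analysis process that is easiest to automate: hash every file, drop the ones whose hash is in a known-good set (de-NISTing), flag the ones in a known-bad set, and run filename rules over what is left. The following is an added example written for this page, not code from the proposal or from any forensic tool; the file contents, the two hash sets and the filename rules are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample evidence: path -> file contents. This is not data from any
# real disk image; the "system" files stand in for OS binaries whose hashes
# would normally come from a reference hash set.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"placeholder kernel32 contents",
    "Windows/System32/ntdll.dll": b"placeholder ntdll contents",
    "Users/alice/Documents/report.docx": b"quarterly report draft",
    "Users/alice/AppData/Local/Temp/svch0st.exe": b"MZ\x90\x00 known dropper sample",
    "Users/alice/Downloads/invoice.pdf.exe": b"MZ\x90\x00 double extension lure",
    "Users/alice/AppData/Local/Temp/update.exe": b"MZ\x90\x00 unknown installer",
    "ProgramData/notes.txt": b"meeting notes",
}


def sha1_hex(data: bytes) -> str:
    """Digest used to look files up in the reference sets (SHA-1 here; MD5 or
    SHA-256 work the same way as long as the sets use the same digest)."""
    return hashlib.sha1(data).hexdigest()


# Constructed known-good hash set (whitelist), i.e. what a de-NISTing pass
# consults. Built here from the two "OS" files above.
KNOWN_GOOD = {
    sha1_hex(SAMPLE_FILES["Windows/System32/kernel32.dll"]),
    sha1_hex(SAMPLE_FILES["Windows/System32/ntdll.dll"]),
}

# Constructed known-bad hash set (blacklist) containing one "malware" sample.
KNOWN_BAD = {sha1_hex(SAMPLE_FILES["Users/alice/AppData/Local/Temp/svch0st.exe"])}

# Filename rules: (rule name, compiled regex over the path). Illustrative only.
FILENAME_RULES = [
    ("double_extension", re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(exe|scr|bat|com)$", re.I)),
    ("temp_executable", re.compile(r"/AppData/Local/Temp/[^/]+\.(exe|scr|dll)$", re.I)),
]


def triage(files, known_good, known_bad, filename_rules):
    """Split files into buckets: culled (known good), known_bad, suspicious
    (filename rule hit) and unknown (needs examiner attention). The blacklist
    is checked before the whitelist so a hash present in both is never
    silently dropped."""
    result = {"culled": [], "known_bad": [], "suspicious": [], "unknown": []}
    for path, data in files.items():
        digest = sha1_hex(data)
        if digest in known_bad:
            result["known_bad"].append((path, digest))
        elif digest in known_good:
            result["culled"].append((path, digest))
        else:
            hits = [name for name, rx in filename_rules if rx.search(path)]
            if hits:
                result["suspicious"].append((path, digest, hits))
            else:
                result["unknown"].append((path, digest))
    return result


def summary(result):
    """Counts per bucket plus the fraction of files removed from the review set."""
    counts = {bucket: len(items) for bucket, items in result.items()}
    counts["total"] = sum(counts.values())
    counts["culled_fraction"] = counts["culled"] / counts["total"] if counts["total"] else 0.0
    return counts


if __name__ == "__main__":
    res = triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD, FILENAME_RULES)
    for bucket, items in res.items():
        print(bucket)
        for item in items:
            print("   ", item)
    print(summary(res))
```

On a real image the hash sets would be loaded from a reference database rather than built from the evidence itself, and the filename rules would be tuned per case; the ordering (blacklist, then whitelist, then name rules) is the part worth keeping, since it guarantees that a known-bad file can never be culled by the whitelist.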


Research sub-questions

Q: How can automation be used to improve the digital forensic analysis of computer evidence?

Sub-questions:

1. What are the existing tools for extracting relevant information from evidence, and what is the quality of the information they extract?

2. What solutions are there for parsing the many undocumented file and metadata formats which have yet to be discovered and documented but could contain information of interest?


Research sub-questions

Sub-questions (continued):

3. How can a low false-positive rate be ensured while keeping a high detection rate (a low false-negative rate) for relevant information?

4. How would a tool be implemented to validate the proposed automatic analysis method?


Methodology

● Metadata extraction
  – Research into current tools and formats
● Undocumented potential sources of information
  – Examine the industry's current solutions
● Mining for gold (keep the relevant, remove the irrelevant)
  – Methods for culling irrelevant information as well as amplifying relevant information
● Automated analysis
  – Research papers discussing proposals and current solutions
  – Research into potential SIEM-like multi-source correlation of events
  – Examine any currently existing tools


Research Activities

● Plaso
  – Compare to log2timeline (Guðjónsson, 2010)
  – Test Python object integration
  – Feasibility study regarding expansion for automated analysis
● Rule analysis system
  – Simple but flexible rule system (compare Snort and Prelude IDS)
● Statistics
  – Research and test potentially useful techniques (e.g. spam-style Bayesian classification, Markov chains, principal component analysis (PCA))
  – Evaluate the potential for too much information
    • Issues with storage and processing
    • Optimise
● Performance
  – Potential for bottlenecks in analysis
    • Optimal usage of resources
● Reporting
  – What information is needed to generate a computer and user profile report
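The "simple but flexible rule system" planned above, together with the SIEM-like multi-source correlation listed under Methodology, can be sketched as rules run over a super timeline: single-event rules match one source and a description pattern, and a correlation rule fires when matching events from another source follow within a time window. The block below is an added example written for this page; it is not Plaso or log2timeline code, the timeline lines are constructed (the semicolon-separated format and the source names EVT, REG, LNK and WEBHIST are assumptions for the example), and the rule names are illustrative.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed timeline in the spirit of a log2timeline/Plaso super timeline:
# "timestamp;source;user;description". Not output from any real tool or case.
RAW_TIMELINE = """\
2013-05-01 09:00:12;EVT;alice;Logon type 2 from console
2013-05-01 09:03:40;REG;alice;USBSTOR Disk&Ven_SanDisk&Prod_Cruzer serial 4C530001 first insert
2013-05-01 09:05:02;LNK;alice;Shortcut E:\\payroll_2013.xlsx created
2013-05-01 09:05:50;LNK;alice;Shortcut E:\\clients.csv created
2013-05-01 10:17:33;WEBHIST;alice;http://intranet/hr/leave-form
2013-05-01 18:40:00;REG;alice;USBSTOR Disk&Ven_Kingston serial 0A1B first insert
2013-05-01 19:12:09;EVT;alice;Logoff
"""


@dataclass
class Event:
    timestamp: datetime
    source: str
    user: str
    desc: str


def parse_timeline(text: str) -> List[Event]:
    """Parse the constructed format into time-ordered Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, desc = line.split(";", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, user, desc))
    return sorted(events, key=lambda e: e.timestamp)


@dataclass
class Rule:
    """Single-event rule: optional source filter plus a regex over the description."""
    name: str
    source: Optional[str]
    pattern: str

    def matches(self, ev: Event) -> bool:
        if self.source is not None and ev.source != self.source:
            return False
        return re.search(self.pattern, ev.desc, re.I) is not None


@dataclass
class CorrelationRule:
    """Multi-source rule: fires when at least min_follow events matching
    `follow` occur within `window` after an event matching `trigger`."""
    name: str
    trigger: Rule
    follow: Rule
    window: timedelta
    min_follow: int = 1


RULES = [
    Rule("usb_insert", "REG", r"\bUSBSTOR\b"),
    Rule("removable_drive_shortcut", "LNK", r"\b[D-Z]:\\"),
]

CORRELATION_RULES = [
    CorrelationRule(
        "usb_then_removable_access",
        trigger=RULES[0],
        follow=RULES[1],
        window=timedelta(minutes=15),
        min_follow=1,
    ),
]


def run_rules(events, rules, corr_rules):
    """Return (single-event hits, correlation alerts). Hits are
    (rule, timestamp); alerts are (rule, trigger timestamp, follow-up count)."""
    hits = [(r.name, e.timestamp) for e in events for r in rules if r.matches(e)]
    alerts = []
    for c in corr_rules:
        for trig in events:
            if not c.trigger.matches(trig):
                continue
            deadline = trig.timestamp + c.window
            follow = [e for e in events
                      if trig.timestamp < e.timestamp <= deadline and c.follow.matches(e)]
            if len(follow) >= c.min_follow:
                alerts.append((c.name, trig.timestamp, len(follow)))
    return hits, alerts


if __name__ == "__main__":
    evs = parse_timeline(RAW_TIMELINE)
    hits, alerts = run_rules(evs, RULES, CORRELATION_RULES)
    for name, ts in hits:
        print("hit  ", ts, name)
    for name, ts, n in alerts:
        print("ALERT", ts, name, f"({n} follow-up events)")
```

On the constructed data both USB insertions match the single-event rule, but only the first is followed by shortcuts to a removable drive inside the window, so only one correlation alert is raised; the second insertion stays a plain hit. That distinction is the point of correlating across sources rather than alerting on every registry artefact, and it is also where the false-positive/false-negative trade-off from sub-question 3 shows up, since the window length and min_follow directly control it.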


References

Carrier, B. (2002). Open Source Digital Forensics Tools: The Legal Argument. @stake Research Report.

Guðjónsson, K. (2010). Mastering the Super Timeline with log2timeline. SANS Institute.