Digital Forensics Research: The Good, the Bad, and the Unaddressed


Transcripts
Slide 1

Digital Forensics Research: The Good, the Bad, and the Unaddressed
Nicole L. Beebe, Ph.D.
5th Annual IFIP WG 11.9, January 27, 2009

Slide 2

Discussion Topics
  General Successes
  General Failures
  Research Needs

Slide 3

Background (Bias)
  My experience
    Ex-Law Enforcement (AFOSI, 1998-2007)
    Private Sector Forensics (2001-Present)
  Educational background
    B.S. Electrical Engineering
    M.S. Criminal Justice
    Ph.D. Information Systems
  Assistant Professor in Information Systems Dept.

Slide 4

Background – Contributors
  Dr. Sujeet Shenoi – Univ. of Tulsa
  Mark Pollitt – Ex-FBI, Univ. of Central Florida
  Eoghan Casey – Stroz Friedberg LLC, Johns Hopkins Univ.
  Dr. Simson Garfinkel – Naval Postgraduate School (Harvard, MIT)
  Eric Thompson – CEO, AccessData Inc.
  Ovie Carroll – Ex-AFOSI, DoJ CCIPS Cybercrime Lab Dir.
  Dave Baker – MITRE
  John Garris – Ex-AFOSI, NASA OIG Computer Crimes SAIC
  Randy Stone – Detective, Wichita Police Dept.
  Dr. Marc Rogers – Purdue Univ.
  Dr. Frank Adelstein – ATC-NY
  Dr. Wietse Venema – IBM

Slide 5

Background – Contributors
  Gary King – AFOSI Computer Crime Investigations Program Mgr.
  Dr. Florian Buchholz – James Madison Univ.
  Dr. Vassil Roussev – Univ. of New Orleans
  Jesse Kornblum – ManTech
  Russell McWhorter – Bexar County Sheriff's Office, Veridicus Inc.
  DeWayne Duff – Ex-AFOSI, Stroz Friedberg LLC
  Rod Gregg – Ex-FBI, Stroz Friedberg LLC
  Drew Fahey – Ex-AFOSI, e-fense Inc. (developer of Helix)
  … plus seven other analysts & professionals … and, of course, me.

Slide 6

The Good
  Clear change in the visibility & valuation of digital evidence in investigations
  Becoming more scientific
    Formalization/standardization of processes/methodologies
    Formulating DF problems as scientific research questions
    DF research beginning to enter mainstream research
  Archaeology of digital artifacts (Windows/Linux)
  Cross-discipline knowledge sharing
  Tackling the DF problem du jour (e.g. memory)

Slide 7

More Kudos
  H/W write-blocking industry
  Acquisition/collection phase in general
  Live forensics
  Contributions to the competency, certification, etc. dialogue
  Honorable mentions
    The Sleuth Kit (high-quality, open-source tool)
    AFF (vendor-neutral, compressible imaging format)

Slide 8

The Bad
  Hyper-formalization of processes/methodologies
    Agencies getting dangerously close to checklists
  Cross-discipline knowledge sharing insufficient
  Lack of extension of information science research
  Insufficient research into other OS & FS
    HFS+, UFS, ZFS, proprietary systems, etc.
  Data driven, not information/knowledge driven
    Researchers & practitioners are both guilty

Slide 9

More Criticisms
  Lacking a common body of knowledge
  Certification "machine" has spun out of control
  Bridging the gap between research & application
  Still lacking rigor & relevance in research
  Lack of a clear research agenda
    Common CFP topics, but they cover the full spectrum
  Lack of government funding of research (U.S. complaint)
  Commercial industry shaping the agenda
    Decidedly toward e-discovery research questions

Slide 10

The Unaddressed (or at least needing more attention)

Slide 11

Volume & Scalability
  Acquire & process more, faster
    Logical acquisitions – decision support systems
    And/or non-"complete" physical acquisitions
  Collaborative, distributed analysis
    Collaboration management
    Data storage/exchange (centralized, decentralized)
  S/W development lagging H/W advances (multi-threading/massive parallelism)
  Tools to handle large volumes of email
  Data mining, linkages & pattern analysis

Slide 12

Intelligent Analytical Approaches
  Need to extend artificial intelligence and other intelligent search/retrieval algorithms/approaches
    Semantic vs. literal search techniques
    Improved data indexing/relational data optimization
  Similarity matching mechanisms
    "Fuzzy hashing" needs a paradigm shift & scientific certainty research/support
  Intelligent password recovery
    Passphrase ID/extraction
    Probabilistic approaches (length, location, signatures)
    PW caching moving to CPU cache

Slide 13

Fast-Paced Technological Landscape
  Small device forensics (e.g. cell phones, PDAs, GPS, etc.)
  "Homegrown" device forensics
  Gaming devices
  Virtual environments
  Cloud computing environments

Slide 14

"Usability"
  Tool – need to simplify usability for the practitioner
    Not overly technical
    Easy-to-use UI
    Protections against human error, but allow an advanced mode for customizations
  Information – reported findings must be usable
    Data visualization
    Cross-correlation, link analysis (automated)
    Reduce the problem of information overload (need "zoom" capability)
    Paradigm shift from hierarchical to temporal view

Slide 15

S/W Development/Engineering
  S/W must fully utilize H/W advances
  Increased automation
  Increased interoperability
    Standardized, interoperable data formats (I/O)
    Standardized APIs
  Need OS-independent DF platforms (e.g. PyFlag)
  Need DF platforms that are all-inclusive wrt data
    Static media, volatile data, network dumps, etc.

Slide 16

"Other"
  Database forensics
  Steganography
  Live file systems
  More work needed on volatile memory analysis
    Knowledge of the perturbation/distortion created
  Non-Windows/Linux file systems (HFS+, UFS, ZFS)
  Solid state memory acquisition & analysis
  Investigations involving multiple, distributed systems
  New XML office document standards

Slide 17

Issues of Science
  A way to specify error rates as in traditional forensic sciences
    Is this realistic?
    Paradigm shift toward determining/measuring certainty/confidence?
  Formalization of hypothesis generation & testing
  Repeatable experimentation & comparative evaluation
  Need for common test corpora

Slide 18

Philosophical Questions
  Is the DF field losing its "purity" to the e-discovery field?
  Are we immune to DMCA suits?
  Can the research community influence technical specification documentation regarding DF needs?
  Are we keeping pace with anti-forensics research?

Slide 19

Research Agenda Summation
  Volume
  Non-device-level acquisition
  Intelligent searching, extraction & analysis
  Technological changes
  Move away from incremental knowledge contributions toward the harder challenges of significant contribution
  Paradigm shifts
    Non-binomial conclusions (probabilistically derived)
    Conclusion certainty vs. tool/process error rates
  Need to study usability, HCI & adoption issues

Slide 20

Questions/Comments?
  (210) 269-5647
  Nicole.Beebe@utsa.edu
  http://faculty.business.utsa.edu/nbeebe
