WORLDCOMP'08 Tutorial: Robert F. Erbacher
Introduction to Digital Forensics Research
Robert F. Erbacher
Assistant Professor, Department of Computer Science
Utah State University, Utah, USA
Date: July 16, 2008
Time: 6:00 - 9:30 PM
Location: Ballroom 1
Digital forensics is a growing area of concern to governments, corporations, and law enforcement. Intrinsically, digital forensics revolves around the need to analyze digital data, whether it comes from an isolated computer system, a network of computer systems, or databases and data storage devices. Digital forensics differs from other analysis tasks in two respects: the data that must be located and analyzed can be carefully hidden within a morass of irrelevant data, and the legal validity of the raw data, the analysis results, and the analysis process itself must all be considered. Unfortunately, technology has not kept pace with the challenges or legal requirements of digital forensics. This tutorial will discuss these challenges, identifying how analysts currently analyze digital data and how anti-forensics is being used to counter forensic tools, i.e., how data can be hidden so that it is more difficult to detect. The tutorial will also discuss the requirements imposed on forensic research by the necessity of legal admissibility. Current research directions, needs, and challenges will also be discussed.
As an example, in computer forensics the goal is to locate criminally relevant information on a computer system. Today's systems allow such information to be stored in many places; in addition to the hard drive, this could include flash BIOSes, video card RAM, and so on. Even when analysis is limited to the hard drive, locating relevant data can be difficult because of the number of locations and ways in which data can be hidden. For instance, data can be appended to other files, embedded into files, stored in the Windows registry, stored in free clusters, stored in clusters marked as bad, etc. Given the size of today's hard drives, locating small snippets of criminally relevant data can be extremely cumbersome, especially when sophisticated data-hiding paradigms are used. A digital forensic analyst must be able to locate the evidence, or the lack thereof, on any of a wide variety of digital storage devices. Rather than simply locating files containing evidence of criminal activity hidden within the morass of files, analysts must locate information hidden within otherwise innocuous files. This tutorial will discuss how data can be hidden and current research designed to improve the ability to locate such data.
The need for legal validity of data also leads to the need to ensure the validity of raw data. For instance, consider syslog files, which provide detailed electronic traces of activity related to a computer system. When these traces are in verifiable form, they can be treated as digital evidence. In order to validate system log files we must ensure that they are resistant to deletions and modifications; i.e., it may not be possible to prevent truncation of a log file, but such modifications must be detectable. Additionally, further verification must be added to the syslog protocol to validate where the syslog entries came from. Specifically, this could be done using system fingerprints, user fingerprints, and application fingerprints. This tutorial will discuss the requirements for validating raw data and the research needed to improve the legal admissibility of raw data such as syslog files.
This tutorial will teach the participants about the fundamentals of digital forensics and associated research needs. More specifically, upon completion of the tutorial participants will be able to:
- Identify methods by which data can be hidden on a hard drive
- Identify the needs for the forensic validity of raw data
- Specify and analyze typical digital forensic processes
- Analyze the forensic validity of digital data
- Specify current research directions and needs in digital forensics
- Identify requirements for the legal admissibility of digital evidence
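Two of the hiding places named above, data appended after a file's format-defined end and data left in the slack between a file's logical end and the end of its last cluster, can be checked mechanically. The following is an added example written for this page, not code from the tutorial or its author; it constructs a minimal PNG in memory, walks its chunk structure to find anything after the IEND chunk, and inspects constructed cluster contents for non-zero slack. The 4096-byte cluster size and the sample payloads are assumptions of the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png():
    """Constructed sample: a valid 1x1 8-bit grayscale PNG (IHDR, IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_trailing_data(blob):
    """Walk the chunk list and return every byte after the IEND chunk.

    A viewer stops reading at IEND, so anything past it is invisible to
    normal use but still sits inside the file's logical size.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            raise ValueError("truncated chunk")
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("no IEND chunk found")


def slack_bytes(cluster_data, logical_size, cluster_size=4096):
    """Return the bytes between the file's logical EOF and the end of its
    last allocated cluster (assumed cluster size: 4096 bytes)."""
    allocated = -(-logical_size // cluster_size) * cluster_size  # ceiling
    return cluster_data[logical_size:allocated]


def slack_is_suspicious(slack):
    """Slack left by the OS is normally zero-filled; anything else merits a look."""
    return any(b != 0 for b in slack)


def demo():
    """Run both checks over constructed clean and suspicious inputs."""
    clean = build_png()
    with_tail = clean + b"constructed hidden note"
    # Cluster image: the file's bytes followed by whatever was in the slack.
    zero_slack = clean + b"\x00" * (4096 - len(clean))
    dirty_slack = clean + b"constructed slack payload" + b"\x00" * (4096 - len(clean) - 24)
    return {
        "clean_tail": png_trailing_data(clean),
        "hidden_tail": png_trailing_data(with_tail),
        "zero_slack_suspicious": slack_is_suspicious(slack_bytes(zero_slack, len(clean))),
        "dirty_slack_suspicious": slack_is_suspicious(slack_bytes(dirty_slack, len(clean))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The CRC check matters: a chunk walk that trusts lengths alone can be steered past the real IEND by a corrupted length field, so the parser refuses to report a result for a file whose chunk structure does not verify.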
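The syslog requirements above (modifications and deletions must be detectable, truncation at least detectable, and each entry bound to the system and application that produced it) can be met with a hash chain plus a keyed tag per entry. The code below is an added illustration written for this page, not the tutorial's or any syslog implementation's code: each entry's HMAC covers its fields and the previous entry's tag, the key is derived per (host, application) as a stand-in for the system and application fingerprints the paragraph mentions, and an out-of-band checkpoint of the last tag is what makes tail truncation detectable. The master key, host names, and log messages are constructed sample values.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key; a real collector would provision per-source keys
# out of band rather than embedding a literal in source.
MASTER_KEY = b"constructed-demo-master-key"
GENESIS = "0" * 64  # chain anchor for the first entry


def source_key(master, host, app):
    """Per-(host, application) key: the example's stand-in for a system
    plus application fingerprint (an assumption, not part of syslog)."""
    return hmac.new(master, f"{host}|{app}".encode(), hashlib.sha256).digest()


def _tag(key, seq, host, app, msg, prev):
    body = json.dumps([seq, host, app, msg, prev], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_entry(log, host, app, msg, master=MASTER_KEY):
    """Append an entry whose tag covers its own fields and the previous tag."""
    seq = len(log)
    prev = log[-1]["tag"] if log else GENESIS
    tag = _tag(source_key(master, host, app), seq, host, app, msg, prev)
    log.append({"seq": seq, "host": host, "app": app, "msg": msg, "prev": prev, "tag": tag})
    return tag


def verify_log(log, master=MASTER_KEY, checkpoint=None):
    """Walk the chain and return (ok, reason).

    Modification, insertion, reordering and deletion inside the chain break
    a tag or a prev link. Cutting entries off the tail leaves a valid chain,
    so truncation is only detected against a checkpoint (the last tag the
    verifier recorded elsewhere).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i:
            return False, f"sequence gap at position {i}"
        if e["prev"] != prev:
            return False, f"broken chain link at seq {i}"
        key = source_key(master, e["host"], e["app"])
        expected = _tag(key, i, e["host"], e["app"], e["msg"], prev)
        if not hmac.compare_digest(expected, e["tag"]):
            return False, f"bad tag at seq {i}"
        prev = e["tag"]
    if checkpoint is not None and prev != checkpoint:
        return False, "tail does not match checkpoint (possible truncation)"
    return True, "ok"


def demo():
    """Build a constructed three-entry log and exercise each tamper case."""
    log = []
    messages = [
        "sshd: accepted publickey for alice",
        "sudo: alice : COMMAND=/bin/ls",
        "sshd: session closed for alice",
    ]
    last = None
    for m in messages:
        last = append_entry(log, "host-a", "sshd", m)
    checkpoint = last  # what the verifier would have stored out of band

    modified = copy.deepcopy(log)
    modified[1]["msg"] = "sudo: alice : COMMAND=/bin/true"
    deleted = copy.deepcopy(log)
    del deleted[1]
    truncated = copy.deepcopy(log)[:-1]
    wrong_source = copy.deepcopy(log)
    wrong_source[0]["host"] = "host-b"

    return {
        "intact": verify_log(log, checkpoint=checkpoint)[0],
        "modified": verify_log(modified)[0],
        "deleted_middle": verify_log(deleted)[0],
        "truncated_no_checkpoint": verify_log(truncated)[0],
        "truncated_with_checkpoint": verify_log(truncated, checkpoint=checkpoint)[0],
        "wrong_source": verify_log(wrong_source)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'REJECTED'}")
```

The `truncated_no_checkpoint` case passing is the point the paragraph makes: a chain cannot prevent or, by itself, notice the loss of its tail, so a collector has to record the latest tag somewhere the log writer cannot reach, and the verifier compares against that.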
This tutorial is intended for beginning and advanced researchers interested in understanding the current state of the art of digital forensics, the unique issues intrinsic to digital forensics, and current directions of research. The tutorial would be applicable to scientists, engineers, graduate students, or faculty interested in digital forensics research. Security managers, system administrators/analysts, and law enforcement interested in understanding forensics issues would also benefit from this tutorial.
Biography of Instructor
Dr. Erbacher is an Assistant Professor in the Department of Computer Science at Utah State University. Before joining Utah State University, he was an assistant professor at SUNY-Albany. He is an Associate Editor for the Journal of Electronic Imaging, chaired the SPIE Conference on Visualization and Data Analysis for 13 years, serves on numerous other program committees related to digital forensics, computer security, and visualization, and performs extensive reviewing for conferences and journals in these areas. His research interests include digital forensics, computer security, intrusion detection, information and scientific visualization, and computer graphics. Dr. Erbacher has over 50 publications in these areas, including a best paper award from the Systematic Approaches to Digital Forensics Engineering Conference.
In keeping with his research interests in computer security and visualization, Dr. Erbacher spent the summers of 2004 through 2006 at AFRL's Rome Labs developing techniques for intrusion detection and digital forensics for the Air Force under its summer faculty fellowship program. Dr. Erbacher received his BS in Computer Science from the University of Lowell in 1991 and his MS and ScD degrees in Computer Science from the University of Massachusetts-Lowell in 1993 and 1998, respectively.