Personal tools
You are here: Home Tutorials WORLDCOMP'08 Tutorial: Robert F. Erbacher
Current Events
WORLDCOMP'09
Click Here

Past Events
WORLDCOMP'07
Click Here
WORLDCOMP'06
Click Here

Join Our Mailing List
Sign up to receive email announcements and updates about conferences and future events




 
Document Actions

WORLDCOMP'08 Tutorial: Robert F. Erbacher

Last modified 2008-06-21 11:54

Introduction to Digital Forensics Research
Robert F. Erbacher
 Assistant Professor, Department of Computer Science
Utah State University, Utah, USA

Date: July 16, 2008
Time: 6:00 - 9:30 PM
Location: Ballroom 1

    Abstract

      Digital forensics is a growing area of concern to governments, corporations, and law enforcement. Intrinsically, digital forensics revolves around the need to analyze digital data, whether it is from an isolated computer system, a network of computer systems, or databases and data storage devices. Digital forensics is unique from other analysis tasks as the data needing to be located and analyzed can be carefully hidden within a morass of irrelevant data and the need to consider the legal validity of the raw data, the analysis results, and the analysis process itself. Unfortunately, technology has not kept pace with the challenges or legal requirements of digital forensics. This tutorial will discuss these challenges, identifying how analysts currently analyze digital data and how anti-forensics is being used to counter the forensics tools; i.e., how data can be hidden such that it will be more difficult to detect. This tutorial will also discuss the requirements imposed on forensic research by the necessity of legal admissibility. Current research directions, needs, and challenges will also be discussed.

      As an example, when considering computer forensics the goal is to locate criminally relevant information on a computer system. Today’s systems allow such relevant information to be stored in many places within a computer system; in addition to the hard drive, this could include storage of data in flash bioses, in video card ram, etc. Even when limiting analysis to the hard drive locating relevant data can be difficult due to the number of locations and ways that data can be hidden. For instance, data can be appended to other files, embedded into files, stored in the windows registry file, stored in free clusters, stored in clusters marked as bad, etc. Given the size of today’s hard drives, locating small snippets of criminally relevant data can be extremely cumbersome, especially when sophisticated data hiding paradigms are used. A digital forensic analyst must be able to locate the evidence, or lack thereof, that might be found on any number of various types of digital storage devices. Rather than simply having to locate files containing criminal activity hidden within the morass of files, analysts must locate the information hidden within otherwise innocuous files. This tutorial will discuss how data can be hidden and current research designed to improve the ability to locate such data.

      The need for legal validity of data also leads to the need to ensure the validity of raw data. For instance, consider syslog files, which provide detailed electronic traces of activity related to a computer system. These electronic traces in verifiable forms can be considered as digital evidence. In order to validate system log files we must ensure that the log files are resistant to deletions and modifications; i.e., it may not be possible to prevent truncation of a log file but such modifications must be detectable. Additionally, further verification must be added to the syslog protocol to validate where the syslog entries came from. Specifically, this could be done using system fingerprints, user fingerprints, and application fingerprints. This tutorial will discuss the requirements for validating raw data and the research needed to improve the legal admissibility of raw data such as syslog files.

    Objectives

      This tutorial will teach the participants about the fundamentals of digital forensics and associated research needs. More specifically, upon completion of the tutorial participants will be able to:

        • Identify methods by which data can be hidden on a hard drive
        • Identify the needs for the forensic validity of raw data
        • Specify and analyze typical digital forensic processes
        • Analyze the forensic validity of digital data
        • Specify current research directions and needs in digital forensics
        • Identify requirements for the legal admissibility of digital evidence

    Intended Audience

      This tutorial is intended for beginning and advanced researchers interested in understanding the current state of the art of digital forensics, the unique issues intrinsic to digital forensics, and current directions of research. The tutorial would be applicable to scientists, engineers, graduate students, or faculty interested in digital forensics research. Security managers, system administrators/analysts, and law enforcement interested in understanding forensics issues would also benefit from this tutorial.


    Biography of Instructor

      Dr. Erbacher is an Assistant Professor in the Department of Computer Science at Utah State University. Before joining Utah State University, he was an assistant professor at SUNY-Albany. He is an Associate Editor for the Journal of Electronic Imaging, Chaired the SPIE Conference on Visualization and Data Analysis for 13 years, is on numerous other program committees related to digital forensics, computer security, and visualization and performs extensive reviewing for conferences and journals in these areas. His research interests include Digital Forensics, Computer Security, Intrusion Detection, Information and Scientific Visualization, and Computer Graphics. Dr. Erbacher has over 50 publications in these areas, including a best paper award from the Systematic Approaches to Digital Forensics Engineering Conference.

      In keeping with his research interests in computer security and visualization, Dr. Erbacher spent the summers of 2004 through 2006 at AFRL's Rome Labs developing techniques for intrusion detection and digital forensics for the air force under their summer faculty fellowship program. Dr. Erbacher received his BS in Computer Science from The University of Lowell in 1991 and his MS and ScD degrees in Computer Science from the University of Massachusetts-Lowell in 1993 and 1998, respectively.

Academic Co-Sponsors

Computational Biology and Functional Genomics Laboratory, Harvard University, Cambridge, Massachusetts, USA

International Society of Intelligent Biological Medicine
Horvath Laboratory, University of California, Los Angeles (UCLA), USA
Minnesota Supercomputing Institute, University of Minnesota, USA
Functional Genomics Laboratory, University of Illinois at Urbana-Champaign, USA
BioMedical Informatics & Bio-Imaging Laboratory, Georgia Institute of Technology and Emory University, Atlanta, Georgia, USA
Intelligent Data Exploration and Analysis Laboratory, University of Texas at Austin, Austin, Texas, USA
Biomedical Cybernetics Laboratory, HST of Harvard University and MIT, USA
Center for the Bioinformatics and Computational Genomics, Georgia Institute of Technology, Atlanta, Georgia, USA
Harvard Statistical Genomics and Computational Laboratory, Harvard University, Cambridge, Massachusetts, USA
Bioinformatics & Computational Biology Program, George Mason University, Virginia, USA
Hawkeye Radiology Informatics, Department of Radiology, College of Medicine, University of Iowa, Iowa, USA
Medical Image HPC & Informatics Lab (MiHi Lab), University of Iowa, Iowa, USA
The University of North Dakota, Grand Forks, North Dakota, USA
PSU - Prince Sultan University, Saudi Arabia
Institute for Informatics Problems of the Russian Academy of Sciences, Moscow, Russia.
NEMO/European Union at Institute of Discrete Mathematics and Geometry, TU Vienna

Corporate Sponsors


Other Co-Sponsors

High Performance Computing for Nanotechnology (HPCNano)

International Technology Institute (ITI)

GRIDtoday

HPCwire
Hodges' Health

 

Administered by UCMSS
Universal Conference Management Systems & Support
San Diego, California, USA
Contact: Kaveh Arbtan
If you can read this text, it means you are not experiencing the Plone design at its best. Plone makes heavy use of CSS, which means it is accessible to any internet browser, but the design needs a standards-compliant browser to look like we intended it. Just so you know ;)