Complex Digital Investigations
Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Work Shop
Copyright © 2003 QinetiQ Trusted Information Management
Framework for an Investigative Process for Digital Forensics
• Identification
– Event/crime detection
– Resolve signature
– Profile detection
– Anomalous detection
– Complaints
– System monitoring
– Audit analysis
Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Work Shop
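As an added example (not from the slides or the DFRWS road map), the identification methods listed above in working form: signature resolution, anomalous detection and profile detection run over a handful of constructed sshd-style audit lines, producing the candidate events that start an investigation. The log format, rule names, failure threshold and baseline profile are all assumptions made for this demonstration.

```python
import re
from collections import Counter

# Constructed sshd-style audit lines (not taken from the slides); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
LOG_LINES = [
    "Feb 24 14:55:01 ten sshd[410]: Accepted password for joe from 10.0.0.5 port 50122 ssh2",
    "Feb 24 14:56:10 ten sshd[411]: Failed password for invalid user admin from 192.0.2.9 port 40001 ssh2",
    "Feb 24 14:56:11 ten sshd[412]: Failed password for invalid user admin from 192.0.2.9 port 40002 ssh2",
    "Feb 24 14:56:12 ten sshd[413]: Failed password for root from 192.0.2.9 port 40003 ssh2",
    "Feb 24 14:56:13 ten sshd[414]: Failed password for root from 192.0.2.9 port 40004 ssh2",
    "Feb 24 14:56:14 ten sshd[415]: Failed password for root from 192.0.2.9 port 40005 ssh2",
    "Feb 24 14:57:36 ten sshd[416]: Accepted password for joe from 10.0.0.5 port 50123 ssh2",
    "Feb 24 14:58:00 ten sshd[417]: Failed password for joe from 10.0.0.5 port 50124 ssh2",
    "Feb 24 14:59:00 ten sshd[418]: Accepted password for joe from 198.51.100.7 port 50125 ssh2",
]

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Signature rules (names made up here): a hit on a single line raises an event.
SIGNATURES = {
    "invalid-user-login-attempt": re.compile(r"Failed password for invalid user "),
    "root-password-login-attempt": re.compile(r"Failed password for root "),
}

# Constructed baseline profile: the sources each account normally logs in from.
PROFILE = {"joe": {"10.0.0.5"}}


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_events(lines):
    """Resolve signature: every line matching a named pattern yields one event."""
    events = []
    for line in lines:
        rec = parse_line(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                events.append({"kind": "signature", "name": name,
                               "src": rec["src"] if rec else None, "line": line})
    return events


def anomaly_events(lines, threshold=3):
    """Anomalous detection: flag a source whose failed-login count reaches the
    threshold, whether or not any single line matched a signature."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["outcome"] == "Failed":
            failures[rec["src"]] += 1
    return [{"kind": "anomaly", "name": "excessive-failed-logins", "src": src, "count": n}
            for src, n in sorted(failures.items()) if n >= threshold]


def profile_events(lines, profile=PROFILE):
    """Profile detection: an accepted login for a profiled account from a source
    outside its baseline is an event even though the login itself succeeded."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["outcome"] == "Accepted" and rec["user"] in profile
                and rec["src"] not in profile[rec["user"]]):
            events.append({"kind": "profile", "name": "login-from-unusual-source",
                           "user": rec["user"], "src": rec["src"], "ts": rec["ts"]})
    return events


def identify(lines):
    """Identification step: one combined list of candidate events for the investigator."""
    return signature_events(lines) + anomaly_events(lines) + profile_events(lines)


if __name__ == "__main__":
    for event in identify(LOG_LINES):
        print(event)
```

The three detectors deliberately overlap: the five failures from 192.0.2.9 each trip a signature and together trip the anomaly rule, while the successful login from 198.51.100.7 is caught only by the profile check. That overlap is the point of the slide's list: no single method covers every way an incident first becomes visible.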
Structuring and Formalizing the Digital Forensic Process
• Reliable methods*
– “Help distinguish evidence from coincidence without ambiguity
– Allow alternative results to be ranked by some principle basic to the sciences applied
– Allow for certainty considerations wherever appropriate through this ranking of available alternatives
– Disallow hypotheses more extraordinary than the facts themselves
– Pursue general impressions to the level of specific details
– Pursue testing by breaking hypotheses (alternative explanations) into their smallest logical components, risking one part at a time
– Allow tests either to prove or disprove alternative explanations (hypotheses)”
• A formalized approach
– Has specific rules, structure and vocabulary
– Allows repeatability
– May be used to verify a process
Source: “A Common Intrusion Specification Language (CISL)” Feiertag, et al, last revised 11 June 1999
Developing the Process Language
• CISL structure
– S-expressions
• Data structure developed by Rivest in 1997 that is “…suitable for representing arbitrary complex data structures.” (Rivest, S-Expressions, 4 May 1997)
• May be byte strings or lists of simpler S-expressions
– Semantic Identifiers (SIDs)
• Tags added at the beginning of an S-expression that give a semantic clue to the interpretation of the rest of the S-expression
– Verb SIDs
– Role SIDs
– Atom SIDs
– Conjunction SIDs
– Referent SIDs
(OpenApplicationSession
  (When
    (Time 14:57:36 24 Feb 1998)
  )
  (Initiator
    (HostName 'big.evil.com')
  )
  (Account
    (UserName 'joe')
    (RealName 'Joe Cool')
    (HostName 'ten.ada.net')
  )
  (Receiver
    (standardTCPPort 23)
  )
)
Interpretation: At 14:57:36 on 24 Feb 1998, someone at big.evil.com opened a telnet session on ten.ada.net logging in as username: joe, real name: Joe Cool.
Source: “A Common Intrusion Specification Language (CISL)” Feiertag, et al, last revised 11 June 1999
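As an added example (not code from the slides, the CISL specification or Rivest's S-expression library), here is a minimal reader for the textual S-expression form shown above. It tokenizes and parses the sentence into nested lists of atoms, then uses the leading tag of each list as its SID: the top-level verb SID, role SIDs such as When, Initiator, Account and Receiver, and atom SIDs such as HostName and Time. It handles only the plain textual encoding on the slide, not Rivest's canonical or transport encodings; the helper names, the dictionary layout and the malformed-input checks are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed input: the slide's CISL example, retyped with ASCII quotes.
SAMPLE = """
(OpenApplicationSession
  (When
    (Time 14:57:36 24 Feb 1998)
  )
  (Initiator
    (HostName 'big.evil.com')
  )
  (Account
    (UserName 'joe')
    (RealName 'Joe Cool')
    (HostName 'ten.ada.net')
  )
  (Receiver
    (standardTCPPort 23)
  )
)
"""

# Tokens: a parenthesis, a single-quoted string, or a run of non-space, non-paren text.
TOKEN_RE = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def tokenize(text):
    return TOKEN_RE.findall(text)


def parse(tokens, pos=0):
    """Parse one S-expression at tokens[pos]; return (node, next_pos).
    A node is an atom (str) or a list of nodes, mirroring Rivest's
    'byte string or list of simpler S-expressions'."""
    if pos >= len(tokens):
        raise ValueError("unexpected end of input")
    tok = tokens[pos]
    if tok == "(":
        items, pos = [], pos + 1
        while pos < len(tokens) and tokens[pos] != ")":
            node, pos = parse(tokens, pos)
            items.append(node)
        if pos >= len(tokens):
            raise ValueError("unterminated list")
        return items, pos + 1
    if tok == ")":
        raise ValueError("unexpected ')' at token %d" % pos)
    return tok.strip("'"), pos + 1


def parse_cisl(text):
    """Parse a complete CISL sentence; the result must be a list headed by a SID."""
    tokens = tokenize(text)
    node, pos = parse(tokens)
    if pos != len(tokens):
        raise ValueError("trailing tokens after top-level S-expression")
    if not isinstance(node, list):
        raise ValueError("top-level S-expression must be a list, not a bare atom")
    return node


def to_dict(node):
    """Map (SID child ...) to (SID, value). A node whose children are all atoms
    is an atom SID and its value is the joined atom text; otherwise the value is
    a dict keyed by child SIDs (a repeated SID collects its values into a list)."""
    if not node or not isinstance(node[0], str):
        raise ValueError("every list must start with a SID tag")
    sid, children = node[0], node[1:]
    if all(isinstance(c, str) for c in children):
        return sid, " ".join(children)
    out = {}
    for child in children:
        if isinstance(child, str):
            raise ValueError("atoms and lists mixed under %s" % sid)
        key, value = to_dict(child)
        if key in out:
            out[key] = out[key] if isinstance(out[key], list) else [out[key]]
            out[key].append(value)
        else:
            out[key] = value
    return sid, out


def describe(text):
    """Pull the fields a forensic timeline needs from an OpenApplicationSession sentence."""
    verb, roles = to_dict(parse_cisl(text))
    return {
        "verb": verb,
        "time": datetime.strptime(roles["When"]["Time"], "%H:%M:%S %d %b %Y"),
        "initiator": roles["Initiator"]["HostName"],
        "account": roles["Account"]["UserName"],
        "target": roles["Account"]["HostName"],
        "port": int(roles["Receiver"]["standardTCPPort"]),
    }


if __name__ == "__main__":
    print(describe(SAMPLE))
```

Because the grammar is uniform (a tag followed by atoms or further lists), the same few dozen lines read any CISL sentence, not just this one; what differs per verb is only which role and atom SIDs describe() looks up. The parser rejects unterminated lists, a bare atom at top level and lists with no leading tag, so a truncated or hand-edited sentence fails loudly rather than yielding a half-interpreted event.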