The Future of Digital Forensics


RSA Asia Pacific 2013 Conference(Singapore, Jun 5-6) presentation



  1. The Future of Digital Forensics. SungKyong Un, ETRI. Session ID: CLE-W04. Session Classification: Intermediate.
  2. Forensics (image source: mlhradio@flickr)
  3. Digital Forensics
  4. Digital Forensics ► DFRWS (2001) defines it as ► "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."
  5. Digital Forensics Procedure (flowchart): Start → Identify Storage → Duplicate? (Yes: Write Protect → Duplicate; No: skip) → Imaging? (Yes: Write Protect → Imaging; No: skip) → Analysis → Report → End. Source: TTAS.KO-12.0058 "Computer Forensics Guideline"
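Worked example for slide 5 (added here; not code from the talk or from ETRI): the write-protect → duplicate/image → verify steps as a Python script. The source is opened read-only as a software write-block, the image is hashed while it is written and then re-hashed from disk in a separate pass, and both digests go into an append-only acquisition log. File names, the log format and the constructed "device" contents are assumptions made for the example.

```python
"""Imaging with verification, following the write-protect -> duplicate/image ->
analysis flow of the TTAS guideline slide. Added example (not code from the
talk or ETRI). The 'device' is an ordinary file holding constructed bytes; a
block device path such as /dev/sdb could be passed the same way."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # read/write in 1 MiB pieces so the hash is streamed, not buffered


def sha256_file(path: str) -> str:
    """Hash a file from a fresh read, independently of whoever wrote it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(src_path: str, dst_path: str, log_path: str) -> dict:
    """Copy src_path to dst_path while hashing the stream, then re-hash the
    written image and record both digests in an append-only acquisition log."""
    src_hash = hashlib.sha256()
    size = 0
    # "rb" opens O_RDONLY: a software write-block. A hardware write-blocker is
    # still preferred for physical media, because the kernel may touch the
    # device (e.g. journal replay on mount) outside this process's control.
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must reach stable storage before it is re-read
    record = {
        "source": src_path,
        "image": dst_path,
        "bytes": size,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_file(dst_path),  # independent re-read of the copy
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-verification before analysis or whenever the image changes hands."""
    return sha256_file(image_path) == expected_sha256


def run_demo():
    """Image a constructed 'device', verify it, then show that a single
    changed byte in the image is caught on re-verification."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence.bin")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096 + 7))  # constructed device contents
    rec = image_source(src, os.path.join(work, "evidence.dd"), os.path.join(work, "acquisition.log"))
    ok_before = verify_image(rec["image"], rec["sha256_source"])
    with open(rec["image"], "r+b") as f:  # simulate tampering or bit rot
        f.seek(4096)  # byte here is 0x00 in the constructed pattern
        f.write(b"\xff")
    ok_after = verify_image(rec["image"], rec["sha256_source"])
    return rec, ok_before, ok_after


if __name__ == "__main__":
    record, before, after = run_demo()
    print(json.dumps(record, indent=2))
    print("verify before tamper:", before, "after tamper:", after)
```

On physical media prefer a hardware write-blocker and an imaging tool that copes with unreadable sectors (dd with conv=noerror,sync, or dc3dd); the reason for the independent re-read is that a silent write error inside the copy loop cannot then produce a matching image hash.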
  6. Imaging: hardware duplicator; HDD imaging (image source: joncrel@flickr)
  7. Recovery
  8. Keyword Search (image source: Konrad Andrews@flickr)
  9. Index Search
  10. Registry
  11. Web History
  12. Email
  13. Messenger
  14. Anti-Forensics - Eraser: magnetic eraser; automatic eraser
  15. Anti-Forensics - Encryption: Apple FileVault, encrypted file system (AES), Mac OS X v10.3; MS BitLocker Drive Encryption (AES), Windows Vista, 7; MS Office encryption option, various algorithms
  16. Anti-Forensics - Countermeasure: GPU-based parallel password search (source: ETRI); FPGA-based password search
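Worked example for slide 16 (added here; not ETRI's GPU/FPGA search): the work partitioning a parallel password search relies on, run against a PBKDF2-protected verifier constructed inline. The salt, iteration count, verifier and wordlist are assumptions; the thread pool stands in for GPU or FPGA worker units, and real products (BitLocker, FileVault, Office) wrap their keys differently, but the cost model is the same.

```python
"""Partitioned dictionary search against a PBKDF2-protected verifier.

Added example; not ETRI's GPU/FPGA search. The 'container' is constructed:
a salt, an iteration count and the PBKDF2-HMAC-SHA256 output for the real
password. Each candidate costs one full KDF run, so work = candidates x
iterations; the attacker's only lever is more parallel units."""
import hashlib
import itertools
from concurrent.futures import ThreadPoolExecutor

# Constructed target; a real tool parses these out of the volume/file header.
SALT = b"constructed-salt-2013"
ITERATIONS = 2000  # deliberately low so the example finishes quickly
VERIFIER = hashlib.pbkdf2_hmac("sha256", b"winter2013", SALT, ITERATIONS, 32)


def check_candidate(password, salt=SALT, iterations=ITERATIONS, verifier=VERIFIER):
    """One full KDF evaluation per candidate: the unit of work being parallelised."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32) == verifier


def expand(words):
    """Rule-based mangling of a base wordlist: case variants plus common suffixes."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2012", "2013"):
                yield base + suffix


def search(words, workers=4, batch_size=32):
    """Slice the candidate stream into batches, evaluate batches in parallel and
    stop at the first batch containing a hit. Returns (hit, candidates_evaluated)."""
    def run_batch(cands):
        for cand in cands:
            if check_candidate(cand):
                return cand
        return None

    stream = expand(words)
    evaluated = 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while True:
            batches = [list(itertools.islice(stream, batch_size)) for _ in range(workers)]
            batches = [b for b in batches if b]
            if not batches:
                return None, evaluated
            for b, hit in zip(batches, pool.map(run_batch, batches)):
                evaluated += len(b)
                if hit is not None:
                    return hit, evaluated


def seconds_to_exhaust(alphabet_size, max_len, kdf_per_second):
    """Cost model for a brute-force search of all strings up to max_len over the
    alphabet; kdf_per_second is the attacker's measured rate for this iteration count."""
    keyspace = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return keyspace / kdf_per_second


if __name__ == "__main__":
    hit, n = search(["summer", "winter", "password", "admin"])
    print("hit:", hit, "after", n, "candidates")
    # Raising the iteration count 100x raises every candidate's cost 100x; the
    # defender picks the iteration count, the attacker picks the hardware.
    print("8-char lowercase at 1e6 KDF/s: %.1f days" % (seconds_to_exhaust(26, 8, 1e6) / 86400))
```

Threads are used only so the example is self-contained; the batching is what carries over unchanged to a process pool or a GPU kernel, where each batch becomes one dispatch.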
  17. The Present
  18. SmartPhone Forensics
  19. SmartPhone Forensics
      Item            | Dummy phone (feature phone)                      | Smart phone
      Target models   | >1,000/year                                      | >10/year
      OS              | Symbian, Qualcomm                                | iOS, Android, Windows Mobile, BlackBerry OS
      Interface       | Various                                          | USB
      Acquisition     | Logical, Physical                                | Logical, Physical, Backup
      Data            | Phone book, Call history, SMS, Photo, Schedule   | + Email, Web History, Map, Location, SNS, Message, App, ID/PW
      DB format       | Various                                          | SQLite
      3rd-party apps  | -                                                | App Market
  20. Analysis - Briefing
  21. Analysis - Timeline
  22. Analysis - Web Browsing
  23. Analysis - Location & Routing
  24. Analysis - App Category: Phone Call: Skype, Viber, Google Voice, ...; Message: KakaoTalk, iMessage, Twitter DM, Facebook Message, ...; SNS: Twitter, Facebook, me2day, ...; Storage: Dropbox, uCloud, SugarSync, iCloud, ...; Key: DataVault, 1Password, Strip, ...
  25. Analysis - Communication Network
  26. Analysis - Social Network
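Worked example for slides 19 to 26 (added here; not ETRI's tool): two SQLite stores with different time bases, one shaped like an Android call log (milliseconds since 1970) and one shaped like an iOS message store (seconds since 2001-01-01, a simplification of the real schema), opened read-only, merged into one UTC timeline, and then turned into an owner-centric contact graph for the communication/social network views. Table layouts, phone numbers, timestamps and message texts are constructed for the example.

```python
"""Multi-source integration of smartphone artefacts: two SQLite stores with
different time bases are merged into one UTC timeline, and the same events
feed an owner-centric contact graph. Added example; schemas are simplified
stand-ins and every row is constructed, not real evidence."""
import collections
import datetime
import os
import sqlite3
import tempfile

APPLE_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}  # Android CallLog.Calls values


def build_constructed_evidence(workdir):
    """Write the two sample databases that stand in for acquired files."""
    calls = os.path.join(workdir, "calllog.db")
    con = sqlite3.connect(calls)
    con.execute("CREATE TABLE calls(number TEXT, date INTEGER, duration INTEGER, type INTEGER)")
    con.executemany("INSERT INTO calls VALUES (?,?,?,?)", [
        ("+82101110001", 1370419200000, 120, 2),  # 2013-06-05 08:00:00 UTC, outgoing
        ("+82101110002", 1370422800000, 0, 3),    # 09:00 missed
        ("+82101110001", 1370426400000, 45, 1),   # 10:00 incoming
    ])
    con.commit()
    con.close()
    msgs = os.path.join(workdir, "sms.db")
    con = sqlite3.connect(msgs)
    con.execute("CREATE TABLE message(handle TEXT, date INTEGER, is_from_me INTEGER, text TEXT)")
    con.executemany("INSERT INTO message VALUES (?,?,?,?)", [
        ("+82101110001", 1370420400 - APPLE_EPOCH_OFFSET, 1, "meet at the booth?"),  # 08:20 sent
        ("+82101110003", 1370424600 - APPLE_EPOCH_OFFSET, 0, "call me"),            # 09:30 received
    ])
    con.commit()
    con.close()
    return calls, msgs


def open_evidence(path):
    """Read-only URI open: analysis must never write to the acquired copy
    (a plain connect() would happily create journals or modify it)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def load_timeline(calls_db, msgs_db):
    """Normalise every source to Unix seconds UTC and merge into one timeline.
    Each event is (unix_ts, source, contact, detail)."""
    events = []
    con = open_evidence(calls_db)
    for number, date_ms, duration, ctype in con.execute("SELECT number, date, duration, type FROM calls"):
        events.append((date_ms // 1000, "call", number, f"{CALL_TYPES.get(ctype, ctype)} {duration}s"))
    con.close()
    con = open_evidence(msgs_db)
    for handle, date, from_me, text in con.execute("SELECT handle, date, is_from_me, text FROM message"):
        events.append((date + APPLE_EPOCH_OFFSET, "message", handle, ("sent: " if from_me else "received: ") + text))
    con.close()
    return sorted(events)


def contact_graph(events):
    """Owner-centric relationship graph: contact -> Counter of interactions per channel."""
    graph = collections.defaultdict(collections.Counter)
    for _, source, contact, _ in events:
        graph[contact][source] += 1
    return graph


def rank_contacts(events):
    """Contacts ordered by total interactions; the top entries are the
    relationships to pivot on in a conduct-centric investigation."""
    return sorted(contact_graph(events).items(), key=lambda kv: -sum(kv[1].values()))


def format_timeline(events):
    return [
        f"{datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat()} {src:8s} {who} {detail}"
        for ts, src, who, detail in events
    ]


def run_demo():
    calls_db, msgs_db = build_constructed_evidence(tempfile.mkdtemp())
    timeline = load_timeline(calls_db, msgs_db)
    return timeline, rank_contacts(timeline)


if __name__ == "__main__":
    timeline, ranked = run_demo()
    print("\n".join(format_timeline(timeline)))
    for contact, channels in ranked:
        print(contact, dict(channels))
```

The two epoch conversions are the whole point of the normalisation step: a timeline built from raw stored values would interleave 2013 calls with messages that appear to date from the 1980s.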
  27. The Future
  28. Problem or Inconvenience ► Large storage: the search space keeps growing; reading 1 TB takes about 14 h at 20 MB/s ► New devices/services: new tools; buy or educate? Forensics = tool expert? ► New environments: Internet (blog, cafe, SNS), smartphone, cloud computing (how do seizure and search warrants apply?) ► Binary search → Index search → What if the keyword is not known?
  29. New Viewpoint ► Investigating the case, not the device: need information, not data ► Multiple devices/services per user: need multi-source data integration ► Continuous creation/change of devices and services: need a framework to host them ► Multiple remote sites: need mobility & connectivity ► Volatile evidence: need an acquisition method & third-party attestation
  30. The Future of Digital Forensics: Data-Centric Analysis → Conduct-Centric Analysis; Forensic Tools → Forensic Services
  31. Conduct-Centric Analysis ► Multi-source Evidence Acquisition ► Relationship Analysis ► Intuitive Analysis ► Automatic Analysis Based on the Profile
  32. Forensic Services ► Parallel/Distributed Platform for Large Data Handling ► Adapting to Fast-Changing Devices/Tools ► User Mobility & Connectivity
  33. Forensic Cloud: Forensics as a Service. Forensic Cloud Technology Framework, layered top to bottom: Front-End Layer (Multi-vision GUI, Mobile GUI, Web GUI); Presentation Layer; Data Processing Layer; Platform Layer (Single Platform (Win/Linux), Distributed Platform (Cloud/Grid)). Components spread over the presentation and data-processing layers: Attestation, Forensic File Filter, Forensic VFS, PW/Anti-Forensic, Data Categorization, Forensic Index, File/Memory Analysis, Multi-source Acquisition, Online Forensic Data Acquisition, Real-time Digital Forensic Service, Visualization, e-Discovery Service, Centralized Repository, Analysis Automation, e-Discovery, Review/Reporting.
  34. Forensic Cloud: Forensics as a Service (Korean version of the same framework diagram, translated). Layers: Front-End Layer (Windows GUI, Smart Phone GUI, Web GUI); Client Layer; Data Processing Layer; Platform Layer (Single Platform (Win/Linux), Distributed Platform (Cloud/Grid)). Technologies: real-time digital evidence notarization (attestation); Forensic File Filter; Forensic VFS; password cracking / anti-forensics; data identification/classification/relationship analysis; forensic index / high-speed search; system file / physical memory analysis; multi-source data acquisition/conversion; online forensic data collection; Real-time Digital Forensic Service; visualization; e-Discovery Service; Centralized Repository; analysis automation; e-Discovery; review/reporting. Design goals: Parallel/Distributed Computing → core function acceleration; Visualization → intuitive analysis; Mobile Support → user mobility/connectivity.
  35. Forensic Cloud: Forensics as a Service. Services around the Forensic Cloud core: Data Categorization, Relationship Analysis, Visualization, Forensic VFS, Forensic Filter, Analysis Automation, eDiscovery, Online Forensic Data Acquisition, Attestation, Multi-source Data Acquisition/Conversion, Keyword Search, File/Memory Analysis, Review/Reporting, Anti-Forensic, Indexed Search, PW Recovery
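Worked example for slides 33 to 35 (added here; not ETRI's implementation): one concrete reading of the Data Categorization and Forensic Filter components, typing files by content signature rather than by name, dropping files whose hash is in a reference set so they never reach the review queue, and flagging name/content mismatches. The signature table, extension map, known-hash set and sample file tree are assumptions constructed for the example; a real reference set would be something like NIST's NSRL.

```python
"""Data categorisation and known-file filtering over a mounted image.
Added example, not ETRI's code: files are typed by content signature,
files whose SHA-256 is in a reference set are dropped, and files whose
extension promises a different type than their content are flagged.
The known-hash set and the sample tree are constructed."""
import hashlib
import os
import tempfile

SIGNATURES = [  # (magic bytes at offset 0, category)
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "document/pdf"),
    (b"SQLite format 3\x00", "database/sqlite"),
    (b"PK\x03\x04", "archive/zip"),  # also DOCX/XLSX/APK containers
    (b"MZ", "executable/pe"),
    (b"\x7fELF", "executable/elf"),
]
EXPECTED_EXT = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".pdf": "document/pdf",
    ".db": "database/sqlite", ".sqlite": "database/sqlite", ".zip": "archive/zip",
    ".docx": "archive/zip", ".exe": "executable/pe", ".dll": "executable/pe",
}


def categorize(head: bytes) -> str:
    for magic, category in SIGNATURES:
        if head.startswith(magic):
            return category
    return "unknown"


def sha256_and_head(path, head_len=32, chunk=1 << 20):
    """Single pass: hash the whole file, keep its first bytes for signature matching."""
    h = hashlib.sha256()
    head = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            if len(head) < head_len:
                head += block[:head_len - len(head)]
            h.update(block)
    return h.hexdigest(), head


def triage(root, known_hashes):
    """Walk a mounted image: drop known files, categorise the rest by content,
    flag files whose extension disagrees with their content."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest, head = sha256_and_head(path)
            if digest in known_hashes:
                continue  # known file: out of the review queue
            category = categorize(head)
            expected = EXPECTED_EXT.get(os.path.splitext(name)[1].lower())
            findings.append({
                "path": os.path.relpath(path, root),
                "sha256": digest,
                "category": category,
                "mismatch": expected is not None and category != expected,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_constructed_tree(root):
    """Constructed sample files; returns the constructed known-hash set."""
    samples = {
        "DCIM/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,     # genuine JPEG header
        "DCIM/holiday.jpg": b"MZ\x90\x00" + b"\x00" * 64,          # PE hidden behind an image name
        "notes.txt": b"meeting notes\n",
        "Windows/system.dll": b"MZ\x90\x00" + b"KNOWN" * 8,        # in the reference set
        "app/messages.db": b"SQLite format 3\x00" + b"\x00" * 64,
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return {hashlib.sha256(samples["Windows/system.dll"]).hexdigest()}


def run_demo():
    root = tempfile.mkdtemp()
    return triage(root, build_constructed_tree(root))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], finding["category"], "MISMATCH" if finding["mismatch"] else "")
```

Hashing happens before categorisation on purpose: the reference-set lookup removes the bulk of an operating-system install from the queue before any per-file analysis is spent on it, which is what makes the "1 TB" problem of slide 28 tractable.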
  36. Forensic Cloud: Forensics as a Service