Module XLIX - Investigating Search Keywords
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Logicube Launches Digital Forensic Data Capture Device
Logicube® Inc., the industry’s leader in hard drive duplication technology, has launched the Forensic Dossier™, the newest addition to its line of eForensics data capture solutions.
The Dossier is the fastest digital forensic data capture device on the market today, allowing investigators to capture and authenticate at speeds approaching 6GB/min. Users can capture data from one or two suspect drives to one or two evidence drives. This sophisticated solution provides built-in support for capture from a RAID drive pair (0, 1, JBOD) and can capture data from a variety of flash media devices with a built-in media reader.
The versatile Dossier features built-in support for SATA and IDE drives with optional support for SCSI and SAS drives scheduled to be available in late spring of this year. The Dossier also provides built-in USB and firewire connectivity and features support for most solid state drives and supports microSATA and eSATA drives with optional cables.
“Developed to meet the complex challenges of digital forensic investigators, the Dossier is the cornerstone of a future-focused platform of forensic products from Logicube. Sophisticated but easy to use, the Dossier’s design ensures investigators will keep pace with advanced digital technology used in criminal activities”, commented Farid Emrani, Vice President and COO of Logicube.
The Dossier features the highest level of authentication with the ability to compute MD5 and SHA-256 hash concurrently. The Dossier also includes a drive spanning feature (scheduled to be available in spring 2009) that allows users to capture from one large suspect drive to two smaller evidence drives. Other features include DD image files, keyword search, audit trail reporting, and an internal flash memory to store keyword lists, software updates and reports and a touch screen display for easy navigation.
The Dossier will be featured in the Logicube booth (#73640) at the 2009 International CES show held in Las Vegas, Nevada January 8th through January 11th.
Source: http://pr-usa.net/
Module Objective
This module will familiarize you with:
• Keyword Search
• Keyword Search List
• Index-Based Keyword Searching
• Bitwise Searching
• Keyword Search Techniques
• Odyssey Keyword Search
Module Flow
Keyword Search → Keyword Search List → Index-Based Keyword Searching → Bitwise Searching → Keyword Search Techniques → Odyssey Keyword Search
Keyword Search
Keywords are also known as Seed Information, as they are the starting point of the investigation.
Keyword searching for terms relating to a case can be an important source for experts charged with uncovering digital clues in a forensic investigation.
Experts frequently conduct keyword searches of active files, deleted files, unallocated space, cookies, logs, temporary Internet files, etc. to search for evidence.
Crafting a keyword search term list that will help pinpoint relevant information is crucial to successful keyword search results.
Crafting the best keyword search may require trial and error, and the list may need to be refined as the expert begins to uncover virtual clues.
Keyword Search (cont’d)
An experienced investigator usually maintains a collection of search lists from previous cases.
A keyword search list can be built on an existing list.
A keyword list can be re-used directly for a similar case.
The search list is part of a systematic mechanism for knowledge collection, management, sharing, and reuse that offers decision support to investigators.
Developing a Keyword Search List
When formulating a keyword search list, consider the following tips:
Select keywords with care:
• The number of keywords in a given list will vary depending upon the type of forensic investigation and the facts of the case
• When choosing which words to incorporate in the list, concentrate on the terms that are at the heart of the case
• Focusing on the most relevant terms avoids over-inclusion of irrelevant data while offering the greatest likelihood of finding responsive information
Reduce search time using “whole words”:
• Searching for “whole words,” which match exact instances of a word, will significantly cut down on search time
• For example, the term Sally (instead of Sal) will avoid finding irrelevant words like salmon, salamander or salt
Developing a Keyword Search List (cont’d)
Consider multiple-word phrases:
• When looking for a particular document, isolating specific phrases likely to be found in the document can help achieve good results
Avoid noise words, initials, numbers, and acronyms:
• Noise words such as “it, a, an, and, the,” as well as initials, numbers, and acronyms, can result in an unreasonably high number of matches being returned
Engage expert assistance:
• In addition to sorting through gigabytes of information during a keyword search, a computer forensic expert can assist users in selecting the set of keywords most likely to yield relevant results
Index-Based Keyword Searching
Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process.
Indexing allows the time-consuming task of keyword searching to be divided into an indexing phase, which may run unattended, and an interactive searching phase, where the index is used to rapidly locate keywords.
An index is, in a sense, simply a list of offsets for occurrences of keywords.
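The two-phase search described above, as an added example (not code from the EC-Council module or from any named tool): an indexing phase that records every byte offset of every word once, and a search phase that answers a whole keyword list from the index without rescanning the data. The sample text and the word tokenizer are constructed assumptions.

```python
"""Index-based keyword search: an indexing phase that records every
offset of every word once, and a search phase that answers keyword
queries from the index without rescanning the data.

Added example, not taken from the EC-Council module. The sample text
below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of "evidence" text, as bytes, the way a carved file or
# an image region would be handed to a search tool.
SAMPLE = (
    b"Meeting with Sally on Monday. Sally brings the salmon recipe.\n"
    b"Transfer the funds before the audit; Sal will confirm.\n"
)

# Assumed tokenizer: runs of ASCII letters and digits are "words".
WORD = re.compile(rb"[A-Za-z0-9]+")


def build_index(data: bytes) -> dict:
    """Indexing phase: map each lower-cased word to the list of byte offsets
    where it occurs. Runs once, possibly unattended, over the whole data."""
    index = defaultdict(list)
    for m in WORD.finditer(data):
        index[m.group().lower()].append(m.start())
    return dict(index)


def search(index: dict, keyword: str) -> list:
    """Search phase: a keyword lookup is a dictionary hit, not a rescan.
    Whole-word semantics come for free, because the index holds words,
    so 'Sal' does not match 'Sally' or 'salmon'."""
    return index.get(keyword.lower().encode(), [])


def search_list(index: dict, keywords: list) -> dict:
    """Run a whole keyword list against the index; keywords with no hits
    are reported with an empty list so the analyst can refine the list."""
    return {k: search(index, k) for k in keywords}


if __name__ == "__main__":
    idx = build_index(SAMPLE)
    for kw, offs in search_list(idx, ["Sally", "Sal", "salmon", "audit", "cheque"]).items():
        print(f"{kw!r}: offsets {offs}")
```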
Bitwise Searching
Bitwise searching looks for simple text strings or regular expression matches in any sector on a drive, including both unallocated and slack space.
A full bitwise search may be more relevant if a hard disk is being searched for deleted files or residual fragments of their content, and when searching for complex regular expressions (for example, looking for all strings that match a credit card number or phone number).
The ability to perform regular expression searches enables the examiner to search for non-text (binary) values such as file headers as well as complex text terms.
A criminal might change the extension of files to hide them, but the investigator can still find all files of a given type, even if their names have been changed, by searching for the signature in each file's header.
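A raw-sector search of the kind the slide describes, added here as an example that is not the module's own code nor that of any tool it names: it scans a constructed image of 512-byte sectors for a keyword, a phone-number regular expression and the well-known header signatures of PDF, OLE2 (.xls/.doc) and JPEG files, and reports whether each hit lies in an allocated or unallocated sector. The image, its allocation map and the `SECTOR` size are assumptions.

```python
"""Bitwise (raw sector) search: scan every byte of an image, allocated or
not, for text, regular expressions and file-header signatures, and report
the sector and allocation state of each hit.

Added example, not from the EC-Council module or any named forensic tool.
The image, its allocation map and the file contents are constructed.
"""
import re

SECTOR = 512  # assumed sector size


def sector(payload: bytes) -> bytes:
    """Pad a payload to one full sector, emulating slack space after data."""
    assert len(payload) <= SECTOR
    return payload.ljust(SECTOR, b"\x00")


# Constructed 8-sector image: sectors 1-2 belong to a live text file, the rest
# is unallocated but still holds remnants of deleted files.
IMAGE = b"".join([
    sector(b"BOOTSECTOR"),                                              # 0
    sector(b"Invoice for Sally. Contact 555-867-5309 about payment."),  # 1 live file
    sector(b"Thanks, Sal."),                                            # 2 live file
    sector(b"\x00" * 100),                                              # 3 wiped
    sector(b"%PDF-1.4\n1 0 obj << /Type /Catalog >>"),                  # 4 deleted PDF
    sector(b"Old draft: call 555-012-3456 tonight"),                    # 5 deleted text
    sector(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),          # 6 deleted XLS (OLE2)
    sector(b"\xff\xd8\xff\xe0\x00\x10JFIF"),                            # 7 deleted JPEG
])
ALLOCATED = {1, 2}  # constructed allocation map: sectors owned by live files

# Search terms: a plain keyword, a regular expression, and header signatures
# (the well-known magic bytes of PDF, OLE2 compound files and JPEG).
PATTERNS = {
    "keyword Sally": re.compile(rb"Sally"),
    "phone number":  re.compile(rb"\b\d{3}-\d{3}-\d{4}\b"),
    "PDF header":    re.compile(re.escape(b"%PDF-")),
    "OLE2 header":   re.compile(re.escape(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")),
    "JPEG header":   re.compile(re.escape(b"\xff\xd8\xff")),
}


def bitwise_search(image: bytes, patterns: dict, allocated: set) -> list:
    """Scan the whole image as one byte string (so hits that straddle a
    sector boundary are still found) and tag each hit with its sector and
    whether that sector is allocated or unallocated."""
    hits = []
    for name, rx in patterns.items():
        for m in rx.finditer(image):
            sec = m.start() // SECTOR
            region = "allocated" if sec in allocated else "unallocated"
            hits.append((name, m.start(), sec, region, m.group()))
    return sorted(hits, key=lambda h: h[1])


def unallocated_signatures(hits: list) -> list:
    """Candidates for file recovery: header signatures outside live files,
    which an index-based search of the file system would never see."""
    return [h for h in hits if h[0].endswith("header") and h[3] == "unallocated"]


if __name__ == "__main__":
    for name, off, sec, region, match in bitwise_search(IMAGE, PATTERNS, ALLOCATED):
        print(f"{name:14s} at offset {off:5d} (sector {sec}, {region}): {match!r}")
```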
Keyword Search Techniques
Regular expression search:
• Regular expressions provide a more expressive language for describing objects of interest than keywords
• Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses and files of a specific type
• Forensic utilities such as EnCase can be used for regular expression searches
• Regular expression searches suffer from false positives and false negatives because not all types of data can be adequately defined using regular expressions
Approximate matching search:
• It uses a matching algorithm that permits character mismatches when searching for a keyword or pattern
• The user must specify the degree of mismatch allowed
• Approximate matching can detect misspelled words, but allowing mismatches also increases the number of false positives
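The whole-word tip from the keyword-list slide (Sally rather than Sal, to avoid salmon, salamander and salt) and the approximate matching technique above, in one added example that is not from the EC-Council module: substring, whole-word and k-mismatch searches run over the same constructed text, so the trade-off between tolerating misspellings and admitting false positives is visible. "Mismatch" is taken to mean per-word Levenshtein edit distance, which is an assumption.

```python
"""Keyword matching at three levels of strictness: plain substring,
whole word (the 'Sally' vs 'salmon' distinction), and approximate
matching that allows up to k character mismatches, which catches
misspellings at the cost of more false positives.

Added example, not from the EC-Council module. Approximate matching is
implemented as per-word Levenshtein edit distance (an assumption about
what "mismatch" means); the sample text is constructed.
"""
import re

TEXT = ("Sally met Sal at the salmon bar; Saly sent the salt later. "
        "Salamander sightings were reported by Sallie.")


def substring_hits(text: str, kw: str) -> list:
    """Plain substring search: fast, but 'Sal' also hits salmon, salt..."""
    return [m.group() for m in re.finditer(re.escape(kw), text, re.IGNORECASE)]


def whole_word_hits(text: str, kw: str) -> list:
    """Whole-word search: only exact instances of the word, delimited by
    non-word characters on both sides."""
    rx = re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)
    return [m.group() for m in rx.finditer(text)]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) by dynamic
    programming, one row of the table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def approximate_hits(text: str, kw: str, k: int) -> list:
    """Approximate whole-word search: words whose edit distance from kw is
    at most k. k is the analyst's chosen degree of mismatch; k=0 is exact
    whole-word matching. Raising k finds 'Saly' but soon also 'salt'."""
    hits = []
    for m in re.finditer(r"[A-Za-z]+", text):
        word = m.group()
        if edit_distance(word.lower(), kw.lower()) <= k:
            hits.append(word)
    return hits


if __name__ == "__main__":
    print("substring 'Sal':   ", substring_hits(TEXT, "Sal"))
    print("whole word 'Sal':  ", whole_word_hits(TEXT, "Sal"))
    for k in (0, 1, 2):
        print(f"approx 'Sally' k={k}:", approximate_hits(TEXT, "Sally", k))
```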
Keyword Search Techniques (cont’d)
Custom searches:
• Custom searches are programmed in a general-purpose programming language to satisfy more complex criteria
Search of modifications:
• A search of modifications is an automated search for data objects that have been modified since a specified moment in the past
• Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash
• A library of expected hashes must be built prior to the search
• Modification of a file can also be inferred from modification of its timestamp
• The investigator assumes that a file is always modified simultaneously with its timestamp, and since the timestamp has been modified, infers that the file was modified too
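The hash-library comparison and the timestamp inference above, as an added example (not the module's code): the library is built from a constructed known-good snapshot, then the current state is checked both ways, which also shows where the two methods disagree. Paths, dates and file contents are constructed stand-ins.

```python
"""Search of modifications: compare current hashes of objects that should
never change (e.g. OS utilities) against a library of expected hashes
built beforehand, and separately list objects whose timestamp is newer
than a moment of interest.

Added example, not from the EC-Council module. The "files" are an
in-memory dict of constructed (content, mtime) pairs; the expected-hash
library is built from a constructed known-good snapshot.
"""
import hashlib
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_library(known_good: dict) -> dict:
    """Must run before the search: hash every file of the known-good
    baseline, giving path -> hex digest."""
    return {path: sha256(content) for path, (content, _) in known_good.items()}


def find_modified_by_hash(library: dict, current: dict) -> dict:
    """Return {path: status} for files whose current hash differs from the
    library ('modified'), that the library does not know ('unknown'), or
    that have disappeared ('missing'). Unchanged files are not listed."""
    result = {}
    for path, (content, _) in current.items():
        expected = library.get(path)
        if expected is None:
            result[path] = "unknown"
        elif sha256(content) != expected:
            result[path] = "modified"
    for path in library:
        if path not in current:
            result[path] = "missing"
    return result


def find_modified_since(current: dict, since: datetime) -> list:
    """Timestamp-based inference: files whose mtime is after `since`. This
    rests on the assumption that a modification always updates the
    timestamp, which the hash check below does not need."""
    return sorted(p for p, (_, mtime) in current.items() if mtime > since)


# Constructed baseline (content, mtime) taken when the system was known clean.
T0 = datetime(2009, 1, 5, tzinfo=timezone.utc)
BASELINE = {
    "/bin/ls":     (b"ls binary v1", T0),
    "/bin/ps":     (b"ps binary v1", T0),
    "/etc/passwd": (b"root:x:0:0\n", T0),
}
# Constructed current state: ps was replaced, a new file appeared, ls is
# untouched but had its timestamp bumped, and passwd changed without a
# timestamp change. Each method misses one of these cases.
INCIDENT = datetime(2009, 1, 10, tzinfo=timezone.utc)
CURRENT = {
    "/bin/ls":     (b"ls binary v1", datetime(2009, 1, 12, tzinfo=timezone.utc)),
    "/bin/ps":     (b"ps binary (replaced)", datetime(2009, 1, 11, tzinfo=timezone.utc)),
    "/etc/passwd": (b"root:x:0:0\nextra:x:0:0\n", T0),
    "/tmp/.hidden": (b"dropped file", datetime(2009, 1, 11, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    lib = build_hash_library(BASELINE)
    print("by hash:     ", find_modified_by_hash(lib, CURRENT))
    print("by timestamp:", find_modified_since(CURRENT, INCIDENT))
```

The hash check flags /etc/passwd but not /bin/ls; the timestamp check does the opposite, which is why a search of modifications should use both.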
Choice of Searching Methodology
Investigations require a combination of context-specific searching techniques and methodology.
Factors affecting the choice and order of searching include:
Awareness of the suspect:
• If the suspect is aware that he is under investigation, file-based content may have been deleted, which leans toward bitwise searching
• If the content is likely to be present on the drive intact, index-based searching may be more effective
Likely data format:
• If there is a chance that the content resides in a PDF, XLS, or HWP file, index-based searching will be more thorough
• A preliminary bitwise search for the header bytes of these file types, with subsequent recovery of deleted files before the index-based search, combines both techniques for maximum effectiveness
Issues with Keyword Searching
Keywords are rarely sufficient to specify the desired type of data objects precisely.
The output of a keyword search can contain false positives and false negatives.
Encryption, compression, or the inability of the search utility to interpret a certain data format lead to false negatives.
Odyssey Keyword Search
http://basistech.com/
Odyssey Digital Forensics is software that finds all keyword variations with one search.
Odyssey combines industry-leading language technology from Basis Technology, the Rosette® Linguistics Platform, with a high-performance search system that can analyze disk image files acquired from standard forensic tools.
Odyssey recognizes text regardless of whether the text is:
• Displayed left to right or right to left (as in Middle-Eastern languages)
• Stored with bits aligned left to right or right to left (“little Endian” or “big Endian”)
• Encoded in UTF-8, UTF-16, or UTF-32 Unicode or any of dozens of legacy text encoding systems
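An encoding-aware keyword search in the spirit of the description above, added here as an example that is not Odyssey's or Basis Technology's code: the keyword is encoded in UTF-8, UTF-16 and UTF-32 in both byte orders plus one legacy code page, every form is searched, and the byte-order alias that ASCII-range UTF-16/UTF-32 text always produces is merged into one flagged hit instead of being reported twice. The sample buffer and the encoding list are assumptions.

```python
"""Search for a keyword in every byte representation it may have on disk
(UTF-8, UTF-16 and UTF-32 in both byte orders, plus a legacy 8-bit code
page) so that a term stored as UTF-16LE, as Windows commonly stores text,
is not missed by a plain ASCII search.

Added example, not from the EC-Council module nor from Odyssey/Basis
Technology. The sample buffer and the encoding list are constructed.
"""
import re

ENCODINGS = ["utf-8", "utf-16-le", "utf-16-be", "utf-32-le", "utf-32-be", "cp1252"]
WIDTH = {"utf-16-le": 2, "utf-16-be": 2, "utf-32-le": 4, "utf-32-be": 4}


def keyword_variants(keyword: str, encodings=ENCODINGS) -> dict:
    """Encode the keyword once per encoding; identical byte strings (ASCII
    text is the same in utf-8 and cp1252) are merged so hits are not
    double-counted. Returns bytes -> first encoding that produced them."""
    variants = {}
    for enc in encodings:
        try:
            raw = keyword.encode(enc)
        except UnicodeEncodeError:
            continue  # not representable in this code page, skip it
        variants.setdefault(raw, enc)
    return variants


def naive_ascii_search(data: bytes, keyword: str) -> list:
    """What a single-encoding search sees: only the UTF-8/ASCII copies."""
    return [m.start() for m in re.finditer(re.escape(keyword.encode()), data)]


def search_all_encodings(data: bytes, keyword: str, case_insensitive=True) -> list:
    """Return sorted (offset, encoding) for every occurrence of the keyword
    in any encoding. Case variants are generated on the text before
    encoding, so they are correct for multi-byte encodings too."""
    forms = {keyword}
    if case_insensitive:
        forms |= {keyword.lower(), keyword.upper(), keyword.capitalize()}
    hits = set()
    for form in forms:
        for raw, enc in keyword_variants(form).items():
            for m in re.finditer(re.escape(raw), data):
                hits.add((m.start(), enc))
    return sorted(hits)


def merge_byte_order_aliases(hits: list) -> list:
    """ASCII-range text in UTF-16/32 matches in the opposite byte order too,
    shifted by width-1 bytes, because the zero high bytes line up: a BE hit
    at p paired with an LE hit at p+1 (UTF-16) or p+3 (UTF-32) is the same
    bytes read both ways. Report it once, flagged, for the analyst to
    resolve from the surrounding context."""
    index = dict(hits)
    out, skip = [], set()
    for off, enc in sorted(hits):
        if off in skip:
            continue
        w = WIDTH.get(enc)
        if w and enc.endswith("-be"):
            partner = off + (w - 1)
            if index.get(partner) == enc[:-3] + "-le":
                out.append((off, enc[:-3] + " (byte order ambiguous)"))
                skip.add(partner)
                continue
        out.append((off, enc))
    return out


# Constructed buffer: the same name in four representations, separated by
# padding, the way fragments of different documents sit in an image.
SAMPLE = (
    b"ascii: Sally\x00\x00"
    + "utf16: Sally".encode("utf-16-le") + b"\x00\x00"
    + "UTF32: SALLY".encode("utf-32-be") + b"\x00\x00"
    + b"cp1252: Sally\x00"
)

if __name__ == "__main__":
    print("ascii only:   ", naive_ascii_search(SAMPLE, "Sally"))
    raw = search_all_encodings(SAMPLE, "Sally")
    print("all encodings:", raw)
    print("merged:       ", merge_byte_order_aliases(raw))
```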
Screenshot
Summary
Keywords are also known as Seed Information, as they are the starting point of the investigation.
A keyword search list can be built on an existing list.
Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process.
Bitwise searching looks for simple text strings or regular expression matches in any sector on a drive, including both unallocated and slack space.
Investigations require a combination of context-specific searching techniques and methodology.
Odyssey Digital Forensics is software that finds all keyword variations with one search.
Advanced Computer Architecture – An Introduction
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

File000162

  • 1. Module XLIX - Investigating Search Keywords
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    News: Logicube Launches Digital Forensic Data Capture Device
    Logicube® Inc., the industry’s leader in hard drive duplication technology, has launched the Forensic Dossier™, the newest addition to its line of eForensics data capture solutions.
    The Dossier is the fastest digital forensic data capture device on the market today, allowing investigators to capture and authenticate at speeds approaching 6GB/min. Users can capture data from one or two suspect drives to one or two evidence drives. This sophisticated solution provides built-in support for capture from a RAID drive pair (0, 1, JBOD) and can capture data from a variety of flash media devices with a built-in media reader.
    The versatile Dossier features built-in support for SATA and IDE drives with optional support for SCSI and SAS drives scheduled to be available in late spring of this year. The Dossier also provides built-in USB and firewire connectivity and features support for most solid state drives and supports microSATA and eSATA drives with optional cables.
    “Developed to meet the complex challenges of digital forensic investigators, the Dossier is the cornerstone of a future-focused platform of forensic products from Logicube. Sophisticated but easy to use, the Dossier’s design ensures investigators will keep pace with advanced digital technology used in criminal activities”, commented Farid Emrani, Vice President and COO of Logicube.
    The Dossier features the highest level of authentication with the ability to compute MD5 and SHA-256 hash concurrently. The Dossier also includes a drive spanning feature (scheduled to be available in spring 2009) that allows users to capture from one large suspect drive to two smaller evidence drives. Other features include DD image files, keyword search, audit trail reporting, and an internal flash memory to store keyword lists, software updates and reports, and a touch screen display for easy navigation. The Dossier will be featured in the Logicube booth (#73640) at the 2009 International CES show held in Las Vegas, Nevada, January 8th through January 11th.
    Source: http://pr-usa.net/
  • 3. Module Objective
    This module will familiarize you with:
    • Keyword Search
    • Keyword Search List
    • Index-Based Keyword Searching
    • Bitwise Searching
    • Keyword Search Techniques
    • Odyssey Keyword Search
  • 4. Module Flow
    • Keyword Search
    • Keyword Search List
    • Index-Based Keyword Searching
    • Bitwise Searching
    • Keyword Search Techniques
    • Odyssey Keyword Search
  • 5. Keyword Search
    Keywords are also known as Seed Information, as they are the starting point of the investigation.
    Keyword searching for terms relating to a case can be an important source for experts charged with uncovering digital clues in a forensic investigation.
    Experts frequently conduct keyword searches of active files, deleted files, unallocated space, cookies, logs, temporary Internet files, etc. to search for evidence.
    Crafting a keyword search term list that will help pinpoint relevant information is crucial to successful keyword search results.
    Crafting the best keyword search may require trial and error, and the list may need to be refined as the expert begins to uncover virtual clues.
  • 6. Keyword Search (cont’d)
    An experienced investigator usually maintains a collection of search lists from previous cases.
    A keyword search list can be built on an existing list.
    A keyword list can be re-used directly for a similar case.
    A search list is part of a systematic mechanism for knowledge collection, management, sharing, and reuse that offers decision support to investigators.
  • 7. Developing a Keyword Search List
    When formulating a keyword search list, consider the following tips:
    Select keywords with care:
    • The number of keywords in a given list will vary depending upon the type of forensic investigation and the facts of the case
    • When choosing which words to incorporate in the list, concentrate on the terms that are at the heart of the case
    • Focusing on the most relevant terms avoids being over-inclusive of irrelevant data while offering the greatest likelihood of finding responsive information
    Reduce search time using “whole words”:
    • Searching for “whole words,” which match only exact instances of a word, will significantly cut down on search time
    • For example, the term Sally (instead of Sal) will avoid finding irrelevant words like salmon, salamander, or salt
  • 8. Developing a Keyword Search List (cont’d)
    Consider multiple-word phrases:
    • When looking for a particular document, isolating specific phrases likely to be found in the document can help achieve good results
    Avoid noise words, initials, numbers, and acronyms:
    • Noise words, such as “it, a, an, and, the,” initials, numbers, and acronyms can result in an unreasonably high number of matches being returned
    Engage expert assistance:
    • In addition to sorting through gigabytes of information during a keyword search, a computer forensic expert can assist users in selecting a set of keywords most likely to yield relevant results
  • 9. Index-Based Keyword Searching
    Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process.
    Indexing allows the time-consuming task of keyword searching to be divided into an indexing phase, which may run unattended, and an interactive searching phase, where the index is used to rapidly locate keywords.
    An index is, in a sense, simply a list of offsets for occurrences of keywords.
  • 10. Bitwise Searching
    Bitwise searching looks for simple text strings or regular expression matches in any sector on a drive, including both unallocated and slack space.
    A full bitwise search may be more relevant if a hard disk is being searched for deleted files or residual fragments of their content, and when searching for complex regular expressions (for example, looking for all strings that match a credit card number or phone number).
    The ability to perform regular expression searches enables the examiner to search for non-text (binary) values such as file headers as well as complex text terms.
    The criminal might change the extension of files to hide them, but the investigator can still find all files of a given type, even if a file has been renamed, by searching for the signature in its header.
  • 11. Keyword Search Techniques
    Regular expression search:
    • Regular expressions provide a more expressive language for describing objects of interest than keywords
    • Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses and files of a specific type
    • Forensic utilities such as EnCase can be used for regular expression searches
    • Regular expression searches suffer from false positives and false negatives because not all types of data can be adequately defined using regular expressions
    Approximate matching search:
    • It uses a matching algorithm that permits character mismatches when searching for a keyword or pattern
    • The user must specify the degree of mismatch allowed
    • Approximate matching can detect misspelled words, but mismatches also increase the number of false positives
  • 12. Keyword Search Techniques (cont’d)
    Custom searches:
    • Custom searches are programmed in a general-purpose programming language to satisfy more complex criteria
    Search of modifications:
    • A search of modifications is an automated search for data objects that have been modified since specified moments in the past
    • Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash
    • A library of expected hashes must be built prior to the search
    • Modification of a file can also be inferred from modification of its timestamp
    • The investigator assumes that a file is always modified simultaneously with its timestamp; since the timestamp was modified, he infers that the file was modified too
  • 13. Choice of Searching Methodology
    Investigations require a combination of context-specific searching techniques and methodology. Factors affecting the choice and order of searching include:
    Awareness of the suspect:
    • If the suspect is aware that he is under investigation, file-based content may have been deleted, which leans toward bitwise searching
    • If the content is likely to be present on the drive intact, index-based searching may be more effective
    Likely data format:
    • If there is a chance that the content resides in a PDF, XLS, or HWP file, index-based searching will be more thorough
    • A preliminary bitwise search for the header bytes of these file types, followed by recovery of deleted files before the index-based search, combines both techniques for maximum effectiveness
  • 14. Issues with Keyword Searching
    Keywords are rarely sufficient to specify the desired type of data objects precisely.
    The output of a keyword search can contain false positives and false negatives.
    Encryption, compression, or the inability of the search utility to interpret a certain data format lead to false negatives.
  • 15. Odyssey Keyword Search
    http://basistech.com/
    Odyssey Digital Forensics is software that finds all keyword variations with one search.
    Odyssey combines industry-leading language technology from Basis Technology, the Rosette® Linguistics Platform, with a high-performance search system that can analyze disk image files acquired from standard forensic tools.
    Odyssey recognizes text regardless of whether the text is:
    • Displayed left to right or right to left (as in Middle-Eastern languages)
    • Stored with bits aligned left to right or right to left (“little Endian” or “big Endian”)
    • Encoded in UTF-8, UTF-16, or UTF-32 Unicode or any of dozens of legacy text encoding systems
  • 16. Screenshot
  • 17. Summary
    Keywords are also known as Seed Information, as they are the starting point of the investigation.
    A keyword search list can be built on an existing list.
    Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process.
    Bitwise searching looks for simple text strings or regular expression matches in any sector on a drive, including both unallocated and slack space.
    Investigations require a combination of context-specific searching techniques and methodology.
    Odyssey Digital Forensics is software that finds all keyword variations with one search.
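Slide 9 describes an index as a list of keyword offsets built in a separate, unattended phase, and slide 7 recommends whole-word terms (Sally rather than Sal). The following added example, not part of the EC-Council module, builds such an offset index over a constructed text fragment (SAMPLE_IMAGE is made up for illustration) and contrasts the whole-word lookup with a plain substring scan.

```python
import re
from collections import defaultdict

# Constructed sample of printable drive contents (not a real image).
SAMPLE_IMAGE = (
    b"Invoice for Sally Jones. Lunch: salmon, salt and salamander. "
    b"Sally approved the transfer to SAL Holdings. Sal did not."
)


def build_index(image: bytes) -> dict[str, list[int]]:
    """Indexing phase: run once, possibly unattended. Records the byte
    offset of every whole word, keyed by the word in lower case."""
    index: dict[str, list[int]] = defaultdict(list)
    for m in re.finditer(rb"[A-Za-z0-9]+", image):
        index[m.group().decode("ascii").lower()].append(m.start())
    return dict(index)


def whole_word_search(index: dict[str, list[int]], keyword: str) -> list[int]:
    """Interactive phase: a dictionary lookup returns the offsets of every
    exact (whole-word) instance without rescanning the image."""
    return index.get(keyword.lower(), [])


def substring_search(image: bytes, keyword: str) -> list[int]:
    """Plain case-insensitive substring scan of the raw bytes, for contrast:
    'sal' also hits salmon, salt and salamander."""
    pattern = re.escape(keyword.encode("ascii"))
    return [m.start() for m in re.finditer(pattern, image, re.IGNORECASE)]
```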
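Slide 10 describes bitwise searching: scanning every sector, including slack and unallocated space, for regular expressions such as a card-number pattern, and locating files by header signature regardless of their extension. The following added example, not from the EC-Council module, does that over a constructed four-sector image; the signatures are the standard PDF, JPEG and PNG magic bytes, and the card number is the well-known test value.

```python
import re

SECTOR = 512

# Well-known header signatures ("magic bytes") that identify a file type
# independently of the name or extension recorded by the file system.
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# 16-digit card-number-like string, the pattern the slide gives as an example.
CARD_LIKE = rb"\b(?:\d{4}[ -]?){3}\d{4}\b"


def build_sample_image() -> bytes:
    """Constructed four-sector image (not from a real drive): sector 0 a
    PDF header, sector 1 the tail of a deleted note left in slack space,
    sector 2 a JPEG header, sector 3 unallocated space with a residual
    card number."""
    def sector(payload: bytes) -> bytes:
        return payload.ljust(SECTOR, b"\x00")
    return b"".join([
        sector(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj"),
        sector(b"...meet Sally at the docks\x00\x00 deleted note tail"),
        sector(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        sector(b"test card 4111 1111 1111 1111 exp 12/29"),
    ])


def bitwise_search(image: bytes, pattern: bytes) -> list[tuple[int, int, bytes]]:
    """Scan every byte of the image, ignoring the file system, so slack and
    unallocated sectors are covered. Returns (sector, offset, match)."""
    return [(m.start() // SECTOR, m.start(), m.group())
            for m in re.finditer(pattern, image, re.DOTALL)]


def find_file_headers(image: bytes) -> list[tuple[str, int]]:
    """Locate files by signature at a sector boundary, whatever extension
    the file system records for them. Returns (type, sector)."""
    hits = []
    for kind, magic in SIGNATURES.items():
        for sec, off, _ in bitwise_search(image, re.escape(magic)):
            if off % SECTOR == 0:
                hits.append((kind, sec))
    return sorted(hits, key=lambda h: h[1])
```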
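Slide 12 describes a search of modifications: a library of expected hashes built beforehand, current hashes compared against it, and the timestamp used as a secondary indicator. The following added example, not from the EC-Council module, runs that comparison over three constructed files in a temporary directory, with one file's contents changed and another's timestamp changed only, so the two indicators can be told apart.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_library(root: Path) -> dict[str, tuple[str, float]]:
    """Built before the search: expected hash and mtime per file."""
    return {p.name: (sha256_of(p), p.stat().st_mtime)
            for p in sorted(root.iterdir()) if p.is_file()}


def search_modifications(root: Path, library: dict[str, tuple[str, float]]) -> dict[str, str]:
    """Classify each file: 'content' if its hash differs from the library,
    'timestamp-only' if only the mtime moved, 'unchanged' otherwise."""
    result = {}
    for name, (expected_hash, expected_mtime) in library.items():
        p = root / name
        hash_changed = sha256_of(p) != expected_hash
        mtime_changed = p.stat().st_mtime != expected_mtime
        if hash_changed:
            result[name] = "content"
        elif mtime_changed:
            result[name] = "timestamp-only"
        else:
            result[name] = "unchanged"
    return result


def demo() -> dict[str, str]:
    """Constructed scenario: three stand-in 'system utilities'. netstat's
    contents are replaced; only ps's timestamp is altered; ls is untouched."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("ls", "netstat", "ps"):
            (root / name).write_bytes(b"original binary image of " + name.encode())
        library = build_hash_library(root)
        (root / "netstat").write_bytes(b"replaced binary image")
        os.utime(root / "ps", (0, 0))  # mtime moved, contents identical
        return search_modifications(root, library)
```

A timestamp change alone does not prove the contents changed, which is why the hash comparison is the primary check here and the timestamp only a secondary signal.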
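Slide 15 notes that Odyssey recognizes text whether it is stored as UTF-8, UTF-16 or UTF-32 in either byte order, or in a legacy encoding. The following added example, not Odyssey's code and not from the EC-Council module, shows why that matters: a raw-bytes scan for one keyword encoded each way finds occurrences that a plain UTF-8 search misses. The sample fragment is constructed, and cp1252 stands in for the legacy code pages.

```python
import re

# Encodings the scan tries: the Unicode forms named on the slide, in both
# byte orders, plus cp1252 standing in for legacy single-byte code pages.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "utf-32-le", "utf-32-be", "cp1252")


def keyword_patterns(keyword: str) -> dict[str, bytes]:
    """One escaped byte pattern per encoding of the keyword."""
    patterns = {}
    for enc in ENCODINGS:
        try:
            patterns[enc] = re.escape(keyword.encode(enc))
        except UnicodeEncodeError:
            pass  # keyword not representable in this legacy code page
    return patterns


def naive_search(image: bytes, keyword: str) -> list[int]:
    """What a plain UTF-8/ASCII keyword search sees."""
    return [m.start() for m in re.finditer(re.escape(keyword.encode("utf-8")), image)]


def multi_encoding_search(image: bytes, keyword: str) -> list[tuple[str, int]]:
    """(encoding, offset) for every occurrence in any encoding, de-duplicated
    by offset because ASCII text is byte-identical in utf-8 and cp1252."""
    hits = []
    for enc, pat in keyword_patterns(keyword).items():
        hits.extend((enc, m.start()) for m in re.finditer(pat, image))
    seen, out = set(), []
    for enc, off in sorted(hits, key=lambda h: h[1]):
        if off not in seen:
            seen.add(off)
            out.append((enc, off))
    return out


def build_sample_image() -> bytes:
    """Constructed fragment: the same name stored as UTF-16-LE (typical of
    Windows registry and Office artifacts), as UTF-8 and as big-endian
    UTF-32, separated by 0xAA filler so no cross-encoding match arises."""
    filler = b"\xaa" * 16
    return (filler + "Sally".encode("utf-16-le") + filler
            + "Sally".encode("utf-8") + filler
            + "Sally".encode("utf-32-be") + filler)
```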