Information overload is one of the biggest problems facing professionals working in the fields of Digital Forensics and Cybersecurity. The sheer volume of cases requiring digital forensic analysis in law enforcement agencies throughout the world is outstripping the capacities of digital forensic laboratories. This has resulted in huge digital evidence backlogs becoming commonplace and cases being ruled upon in court without the inclusion of potentially pertinent information, which is sitting idle in some evidence store. As is commonly relayed in the media, the frequency of cyberattacks being faced by governments, law enforcement agencies, and industry is increasing, alongside the sophistication of the techniques used. Current rules-based network intrusion detection systems are predominantly based on historic, known threat vectors and result in a very high amount of false positive alerts being generated. Intelligent, real-time, automated data processing and event categorisation is one solution that shows great promise to combat this information overload.

2.  Challenges Facing Digital Forensics
 Challenges Facing Cybersecurity
 Where Data Analytics Can Help
 [Sample Current Research Projects]
Agenda 2

3. Data Analytics for Digital Forensics
3

4. Digital Forensic Challenges
 The consistency and correlation problem
 Results from the fact that existing tools are designed to find fragments
of evidence, but not to otherwise assist in investigations.
 The unified time lining problem
 Multiple sources present different time zone references, timestamp
interpretations, clock skew/drift issues, and the syntax aspects involved
in generating a unified timeline.
 The diversity problem
 Results from ever-increasing volumes of data
 Lack of standard techniques to examine and analyse the increasing
numbers and types of sources, which bring a plurality of operating
systems, file formats, etc.
4

5.  The number of cases whereby digital evidence is
deemed pertinent is ever increasing.
 An increase in the number of devices that are seized
for analysis per case.
 The volume of potentially evidence-rich data stored on
each item seized is also increasing.
Digital Forensics:
The Volume Challenge
5

6. Digital Forensic Backlog
 Backlogs have become commonplace in recent years
 Commonly exceeds 18 months
 Often exceeds 2 years
 According to a report by An Garda Síochána, delays of up
to four years
 ``Seriously impacted on the timeliness of criminal investigations'' in
recent years.
 In some cases, these delays have resulted in prosecutions being
dismissed in courts.
6

7. One Solution: Deduplication
 Digital Forensics as a Service (DFaaS) model
 Centralisation of digital forensic processing
 Elimination of duplicated effort from the typical forensic
process:
 Eliminate duplicated acquisition
 Eliminate duplicated storage
 Eliminate duplicated analysis and processing
7

8. 8Intelligent Automated Evidence
Processing
 Research towards automated evidence processing
 Leverages centralised record of evidence analysis
 Learns what makes evidence pertinent/non-pertinent
 Photographic and Video Human/Object Identification
 Biometric estimation; ageing, height, weight, etc.
 Location determination

9. Data Analytics for Cybersecurity
9

10. Information Overload 10
 Information overload facing cybersecurity professionals
 False positive alert rate is too high
 Attack Sophistication
 Difficult to identify anomalies
 Data Analytics can enable behavioural anomaly detection
 Similar premise to what antivirus systems followed to combat
polymorphic and metamorphic malware

11. Network Behavioural Analysis
 Build a baseline of each node’s activity on the network
 Categorise nodes based on their normal behaviour
 Alert when a deviation from this norm is identified
 Intrusion Detection
 Botnet Investigation
11

12.  Effectively the same idea! Includes:
 Network Traffic
 Device Utilisation
 Correlation between devices
 Can identify specific users in multiuser environments
User Behavioural Analysis 12

13. Data Analytics to Break Encryption
 Software defined radio to capture leaking CPU
electromagnetic radiation
 Becomes a Big Data/Data Analytics problem
13

14. MARK.SCANLON@UCD.IE
WWW.FORENSICSANDSECURITY.COM
@MRKSCN / @FORSECRESEARCH
14