Dr. Richard Adams, profile picture
Uploaded byDr. Richard Adams
PDF, PPTX989 views

Fusing digital forensics, electronic discovery and incident response

Professor Richard Adams discusses advancements in digital forensics and the limitations of current data collection tools used by organizations. He highlights issues such as inefficiencies and legal considerations in the collection process, particularly regarding live acquisitions and the need for more effective tools. Recommendations for ideal functionality in collection methods emphasize the importance of minimizing network disruption and expanding tool capabilities to include extensive data types and remote access features.

Embed presentation

Download as PDF, PPTX
Collection Technology Professor Richard Adams University of Western Australia
Digital forensics – 10 years ago
Covert operations were challenging
Dealing with multiple computers - even more challenging!
Things have moved on
In-house skills Every large organisation has access to IT professionals who are able to collect data from their own networks for electronic discovery, internal digital forensic investigations and incident response purposes with the right tools and the appropriate training. Unfortunately, with regard to the collection process, the current tools are limited in their application.
What are the current collection tool limitations? ESI collection tools – These usually result in large quantities of data needlessly being dragged across the network to be processed centrally (such as indexing) and then most of the data being discarded - this impacts the networks, increases the time taken to complete the collection and adds to the costs for the business. Digital forensic collection tools – These do not scale well in the business environment and tie a person to the process because they can’t be automated. Remote collection features are limited.
Digital forensic considerations There is no legal requirement to capture a full bit-for-bit image of a device in order to provide potential evidence in court In the majority of cases the documents that are significant in a case are not found in ‘free space’ but are intact files (although they may have been undeleted with intact metadata) Courts are starting to push back on electronic evidence that cannot be attributed to a particular person (such as some items found in unallocated space) Live acquisitions are now much more commonplace in a corporate environment in order to capture RAM and encrypted data as well as address increasing data volumes
Ideal situation – digital forensic investigation On a matter in which many people could be involved you would capture a ‘forensic’ image of each machine for processing later in a forensic tool. This collection process would typically involve either: (a) one person being physically located with each target machine or (b) the image being captured across the network and requiring an operator to connect to each machine
Considerations - One person being physically located with each target machine Do you have enough trained staff to acquire each machine? Do you have enough time to acquire the images? What if the machines are in remote locations? Do you have enough equipment for each machine? (write- blockers/dongles/boot discs/storage drives) What if this needs to be done covertly? For multiple machines spread across different sites/countries this is not a realistic scenario to contemplate for an organisation.
Considerations - the image being captured across the network and requiring an operator to connect to each machine Can the network handle the load? Is the network fast enough? Can you prevent interference with the target machine during the operation? Do you have enough time to collect this way? Experience shows that few organisations have the network capacity to handle multiple collections in this fashion in a timely manner
Ideal functionality – ESI collection tool From any machine on the network identify an unlimited number of target machines and start processing on those machines based on pre- defined selection criteria that includes keywords and phrases Exclude file types and directories from searching All files matching the selection criteria (including emails, compressed files and unknown file types) must be collected All data (including the selection criteria) is encrypted Only collect files that match the selection criteria Unicode, UTF, ASCII search capability Minimise disruption of the target machine users Suspend power-saving settings Suspend defined processes Output for processing on any review platform
Alternative ‘ideal’ situation for a digital forensic investigation Deploy the ‘ideal’ ESI tool but with added functionality: Capture RAM Capture Pagefile Capture Swapfile Capture Hibernation file Capture the Windows Registry Identify scanned documents that can’t be text-searched Covert capabilities
So what functionality does a common tool need?
Technology features that can make the ideal ESI/Forensic collection tool possible Running purely in memory on the target Searching and extracting emails from OSTs, PSTs, etc. that are in use Searching through unknown file types on the target Collecting system files from a running machine Searching and extracting data from compressed files Command-based or hidden interface capabilities Identifying scanned documents Undeleting files on the target Collect details of running processes Suspend defined processes Input criteria for review tools well established for designing an API The ability to re-start the process if interrupted The ability to notify on completion/failure The ability to undertake plain text searches at the disk level rather than at the file system level
Potential Scenarios for a Forensic Discovery (FD) Tool
Network deployment Define selection criteria and the storage location for collected data in a ‘configuration’ file Identify target machines Create a network share Load FD tool and configuration files into network share Assign target machines to a group Create a script to load the FD tool from the share when any target machine is connected to the network Receive email when each target collection is completed and then review/process the collected data as appropriate
Individual machine deployment - overt Define selection criteria and the storage location for collected data in a ‘configuration’ file Load FD tool and configuration files onto the required number of external collection devices (e.g. USB backup drives) Provide the collection devices to any staff member (such as the user of the target machine) for them to attach to the target machine Provide instructions to run the FD tool from the collection device Receive email on completion Instruct the staff member to unplug and return the collection device
Individual machine deployment - covert Define selection criteria and the storage location for collected data in a ‘configuration’ file Load FD tool and configuration files onto the required number of external collection devices (e.g. USB backup drives) Provide the collection devices to authorised staff for them to attach to the target machine(s) out of office hours Provide instructions to run the FD tool from the collection device (alternatively RDP to the target(s) and run the FD tool) Receive email(s) on completion Instruct the staff member(s) to unplug and return the collection device
Benefits of an FD tool COST – reduction in data collected means a reduction in collection costs and a consequential reduction in processing costs RESOURCES – Remove the requirement for skilled staff to be tied up in the collection process INFRASTUCTURE – Reduce the impact on networks by dramatically reducing the amount of data transferred SPEED – By using the target machines for processing the total collection time is reduced to the time of the slowest machine COMPLETENESS – by undertaking plain text searches at the disk level rather than at the file system level all data is searched rather than a limited number of file types
Questions? Toggle between an eDiscovery and a Digital Forensic collection with pre-set options?
Proof of concept:- a plain text search of a live machine Looking for ANY files on a remote target with ‘ttest’ in them (a statistics reference)
Setting collection options
Add search term
Exclusions
Overt completion message
Notification via email
Initial review
‘Unknown’ file types

More Related Content

PPT
Introduction to computer forensic
byOnline
 
PDF
The Adam - A process model for digital forensic practice
byDr. Richard Adams
 
PPT
Understanding computer investigation
byOnline
 
PPT
Computer forensics
byLalit Garg
 
PPTX
Processing Crimes and Incident Scenes
byprimeteacher32
 
PPTX
Computer forensics
bydeaneal
 
PPT
Forensic Lab Development
byamiable_indian
 
PPTX
2.5 safety and security of data in ict systems 13 12-11
bymrmwood
 
Introduction to computer forensic
byOnline
 
The Adam - A process model for digital forensic practice
byDr. Richard Adams
 
Understanding computer investigation
byOnline
 
Computer forensics
byLalit Garg
 
Processing Crimes and Incident Scenes
byprimeteacher32
 
Computer forensics
bydeaneal
 
Forensic Lab Development
byamiable_indian
 
2.5 safety and security of data in ict systems 13 12-11
bymrmwood
 

What's hot

PPTX
Computer forensic 101 - OWASP Khartoum
byOWASP Khartoum
 
PDF
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
DOCX
Forensic laboratory setup requirements
bySonali Parab
 
DOCX
computer forensics
bysamantha jarrett
 
PPT
Computer +forensics
byRahul Baghla
 
PPT
Preserving and recovering digital evidence
byOnline
 
KEY
Mis
bymisecho
 
PPT
Digital Forensics
byNicholas Davis
 
PPT
Role of a Forensic Investigator
byAgape Inc
 
PPT
Computer Forensic
byTawhidur Rahman
 
PPTX
Computer Forensic Softwares
byDhruv Seth
 
PPTX
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
byDr Raghu Khimani
 
PPTX
Cyber Incident Response & Digital Forensics Lecture
byOllie Whitehouse
 
PPTX
Case study on Physical devices used in Computer forensics.
byVishal Tandel
 
PPTX
cyber forensics
byAmbuj Kumar
 
PDF
File000162
byDesmond Devendran
 
PPT
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
byAlchemist095
 
PDF
04 Evidence Collection and Data Seizure - Notes
byKranthi
 
PDF
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
bycscpconf
 
PPT
Collecting and preserving digital evidence
byOnline
 
Computer forensic 101 - OWASP Khartoum
byOWASP Khartoum
 
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
Forensic laboratory setup requirements
bySonali Parab
 
computer forensics
bysamantha jarrett
 
Computer +forensics
byRahul Baghla
 
Preserving and recovering digital evidence
byOnline
 
Mis
bymisecho
 
Digital Forensics
byNicholas Davis
 
Role of a Forensic Investigator
byAgape Inc
 
Computer Forensic
byTawhidur Rahman
 
Computer Forensic Softwares
byDhruv Seth
 
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
byDr Raghu Khimani
 
Cyber Incident Response & Digital Forensics Lecture
byOllie Whitehouse
 
Case study on Physical devices used in Computer forensics.
byVishal Tandel
 
cyber forensics
byAmbuj Kumar
 
File000162
byDesmond Devendran
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
byAlchemist095
 
04 Evidence Collection and Data Seizure - Notes
byKranthi
 
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
bycscpconf
 
Collecting and preserving digital evidence
byOnline
 

Similar to Fusing digital forensics, electronic discovery and incident response

PPTX
Computer forensics toolkit
byMilap Oza
 
PPTX
CYB 305 Forensics and Digital Computer Security.pptx
byMuhammad54342
 
PPT
computer forensicsPPT4-SESI4-20220406071621.ppt
byBimo Septyo Prabowo
 
PDF
EDRM Foundational e-Discovery Practices-ilta
byDavid Kearney
 
PPTX
Digital Forensic ppt
bySuchita Rawat
 
PDF
csdf unit 6 current computer forensics tools.pdf
byAditya880646
 
PPTX
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
byMoshoodKareemOlawale
 
PDF
Watching the Detectives: Using digital forensics techniques to investigate th...
byGarethKnight
 
PPTX
DIGITAL FORENSICS_PRESENTATION
byAmina Baha
 
PPTX
Latest presentation
byAdetunji Adeoje
 
PPTX
Digital Forensics introduction lab 1 2023.pptx
bymoehab2020
 
PPTX
Digital forensic tools
byParsons Corporation
 
PPT
Lecture 9 and 10 comp forensics 09 10-18 file system
byAlchemist095
 
PDF
Design for A Network Centric Enterprise Forensic System
byCSCJournals
 
PPTX
Digital forensics lessons
byAmr Nasr
 
PPTX
cyberforensicsv2-191113184409.pptx
byPrasannaKumarpanda2
 
PPT
computer forensics, involves the preservation, identification, extraction, an...
bypable2
 
PDF
csdf unit 3 intro to digital forensics.pdf
byAditya880646
 
PPTX
Digital Forensics by William C. Barker (NIST)
byAltheimPrivacy
 
PPTX
Forensic imaging
byDINESH KAMBLE
 
Computer forensics toolkit
byMilap Oza
 
CYB 305 Forensics and Digital Computer Security.pptx
byMuhammad54342
 
computer forensicsPPT4-SESI4-20220406071621.ppt
byBimo Septyo Prabowo
 
EDRM Foundational e-Discovery Practices-ilta
byDavid Kearney
 
Digital Forensic ppt
bySuchita Rawat
 
csdf unit 6 current computer forensics tools.pdf
byAditya880646
 
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
byMoshoodKareemOlawale
 
Watching the Detectives: Using digital forensics techniques to investigate th...
byGarethKnight
 
DIGITAL FORENSICS_PRESENTATION
byAmina Baha
 
Latest presentation
byAdetunji Adeoje
 
Digital Forensics introduction lab 1 2023.pptx
bymoehab2020
 
Digital forensic tools
byParsons Corporation
 
Lecture 9 and 10 comp forensics 09 10-18 file system
byAlchemist095
 
Design for A Network Centric Enterprise Forensic System
byCSCJournals
 
Digital forensics lessons
byAmr Nasr
 
cyberforensicsv2-191113184409.pptx
byPrasannaKumarpanda2
 
computer forensics, involves the preservation, identification, extraction, an...
bypable2
 
csdf unit 3 intro to digital forensics.pdf
byAditya880646
 
Digital Forensics by William C. Barker (NIST)
byAltheimPrivacy
 
Forensic imaging
byDINESH KAMBLE
 

Recently uploaded

PPTX
Vector Space Modelin Information Storage and Retrieval .pptx
byhermelamisganew
 
PPTX
SlideEgg_66421-Data Lifecycle Management.pptx
byakashsarkar0424
 
PPTX
Pakistan Tableau User Group Event: A guide to Salesforce Certified Data Analyst
byWaqarAhmedShaikh8
 
PPTX
Pink Cream Scrapbook Decorative Creative Portfolio Presentation.pptx
byCarlosAlama2
 
PPTX
Scrum Master V5.2 - Trainer PPT new doc.pptx
byjaladi1231
 
PPTX
Theories of Evolution_7_Slides_Presentation.pptx
byprenzjaydumlao3
 
PDF
exnesfzxufjchfugiysrsigyWtRitzutoyyqKyculYezulcgydueapvlcxiycyu
bysamiabriham12
 
DOCX
An Educational Overview, Historical Context, and Key Lessons for Crypto Users...
bytopsellerit 4543
 
PPTX
Sales_Analysis_Presentation.pptx dashboard
bydheerendras984
 
PPTX
TISSUE EMBEDDING SYSTEM machine machine machine
byanantcyrix
 
PPTX
project physics.pptx for class 12th students for therir schhol and enough
bykhantdevanshi12
 
PPTX
Chapter_3_v9.0.pptxChapter_3_v9.0.pptxChapter_3_v9.0.pptx
bylolagom166
 
PDF
AI 1.pdf AI in Business Training - Revolutionizing Business Operations
byCA Suvidha Chaplot
 
PDF
NY26_Gov.uk_List__Final__18_12_25.pdf New Years Honours 2026
byHenry Tapper
 
PPTX
21986-security powerpoint templates-security powerpoint presentation-16-9-sty...
bymohammadlardhi
 
PDF
Is Java Full Stack a Good Career Option in 2025? A Data-Driven Guide
byitviewinspiredlearni
 
PDF
Azure Data Factory Overview for SSIS Developers.pdf
bySrinivas V
 
PPTX
Universidad de Almería Transcripts
byfin3dbxcn7
 
PPTX
Natural Language Processing (NLP) .How machine understand?
byrajchaudhary11223344
 
PDF
Intune Suite - An Introductory Guide.pdf
byhanenchhibiii
 
Vector Space Modelin Information Storage and Retrieval .pptx
byhermelamisganew
 
SlideEgg_66421-Data Lifecycle Management.pptx
byakashsarkar0424
 
Pakistan Tableau User Group Event: A guide to Salesforce Certified Data Analyst
byWaqarAhmedShaikh8
 
Pink Cream Scrapbook Decorative Creative Portfolio Presentation.pptx
byCarlosAlama2
 
Scrum Master V5.2 - Trainer PPT new doc.pptx
byjaladi1231
 
Theories of Evolution_7_Slides_Presentation.pptx
byprenzjaydumlao3
 
exnesfzxufjchfugiysrsigyWtRitzutoyyqKyculYezulcgydueapvlcxiycyu
bysamiabriham12
 
An Educational Overview, Historical Context, and Key Lessons for Crypto Users...
bytopsellerit 4543
 
Sales_Analysis_Presentation.pptx dashboard
bydheerendras984
 
TISSUE EMBEDDING SYSTEM machine machine machine
byanantcyrix
 
project physics.pptx for class 12th students for therir schhol and enough
bykhantdevanshi12
 
Chapter_3_v9.0.pptxChapter_3_v9.0.pptxChapter_3_v9.0.pptx
bylolagom166
 
AI 1.pdf AI in Business Training - Revolutionizing Business Operations
byCA Suvidha Chaplot
 
NY26_Gov.uk_List__Final__18_12_25.pdf New Years Honours 2026
byHenry Tapper
 
21986-security powerpoint templates-security powerpoint presentation-16-9-sty...
bymohammadlardhi
 
Is Java Full Stack a Good Career Option in 2025? A Data-Driven Guide
byitviewinspiredlearni
 
Azure Data Factory Overview for SSIS Developers.pdf
bySrinivas V
 
Universidad de Almería Transcripts
byfin3dbxcn7
 
Natural Language Processing (NLP) .How machine understand?
byrajchaudhary11223344
 
Intune Suite - An Introductory Guide.pdf
byhanenchhibiii
 

Fusing digital forensics, electronic discovery and incident response

  • 1.
    Collection Technology ProfessorRichard Adams University of Western Australia
  • 2.
  • 3.
  • 4.
    Dealing with multiplecomputers - even more challenging!
  • 5.
  • 6.
    In-house skills Everylarge organisation has access to IT professionals who are able to collect data from their own networks for electronic discovery, internal digital forensic investigations and incident response purposes with the right tools and the appropriate training. Unfortunately, with regard to the collection process, the current tools are limited in their application.
  • 7.
    What are thecurrent collection tool limitations? ESI collection tools – These usually result in large quantities of data needlessly being dragged across the network to be processed centrally (such as indexing) and then most of the data being discarded - this impacts the networks, increases the time taken to complete the collection and adds to the costs for the business. Digital forensic collection tools – These do not scale well in the business environment and tie a person to the process because they can’t be automated. Remote collection features are limited.
  • 8.
    Digital forensic considerations There is no legal requirement to capture a full bit-for-bit image of a device in order to provide potential evidence in court In the majority of cases the documents that are significant in a case are not found in ‘free space’ but are intact files (although they may have been undeleted with intact metadata) Courts are starting to push back on electronic evidence that cannot be attributed to a particular person (such as some items found in unallocated space) Live acquisitions are now much more commonplace in a corporate environment in order to capture RAM and encrypted data as well as address increasing data volumes
  • 9.
    Ideal situation –digital forensic investigation On a matter in which many people could be involved you would capture a ‘forensic’ image of each machine for processing later in a forensic tool. This collection process would typically involve either: (a) one person being physically located with each target machine or (b) the image being captured across the network and requiring an operator to connect to each machine
  • 10.
    Considerations - Oneperson being physically located with each target machine Do you have enough trained staff to acquire each machine? Do you have enough time to acquire the images? What if the machines are in remote locations? Do you have enough equipment for each machine? (write- blockers/dongles/boot discs/storage drives) What if this needs to be done covertly? For multiple machines spread across different sites/countries this is not a realistic scenario to contemplate for an organisation.
  • 11.
    Considerations - theimage being captured across the network and requiring an operator to connect to each machine Can the network handle the load? Is the network fast enough? Can you prevent interference with the target machine during the operation? Do you have enough time to collect this way? Experience shows that few organisations have the network capacity to handle multiple collections in this fashion in a timely manner
  • 12.
    Ideal functionality –ESI collection tool From any machine on the network identify an unlimited number of target machines and start processing on those machines based on pre- defined selection criteria that includes keywords and phrases Exclude file types and directories from searching All files matching the selection criteria (including emails, compressed files and unknown file types) must be collected All data (including the selection criteria) is encrypted Only collect files that match the selection criteria Unicode, UTF, ASCII search capability Minimise disruption of the target machine users Suspend power-saving settings Suspend defined processes Output for processing on any review platform
  • 13.
    Alternative ‘ideal’ situationfor a digital forensic investigation Deploy the ‘ideal’ ESI tool but with added functionality: Capture RAM Capture Pagefile Capture Swapfile Capture Hibernation file Capture the Windows Registry Identify scanned documents that can’t be text-searched Covert capabilities
  • 14.
    So what functionalitydoes a common tool need?
  • 15.
    Technology features thatcan make the ideal ESI/Forensic collection tool possible Running purely in memory on the target Searching and extracting emails from OSTs, PSTs, etc. that are in use Searching through unknown file types on the target Collecting system files from a running machine Searching and extracting data from compressed files Command-based or hidden interface capabilities Identifying scanned documents Undeleting files on the target Collect details of running processes Suspend defined processes Input criteria for review tools well established for designing an API The ability to re-start the process if interrupted The ability to notify on completion/failure The ability to undertake plain text searches at the disk level rather than at the file system level
  • 16.
    Potential Scenarios fora Forensic Discovery (FD) Tool
  • 17.
    Network deployment Defineselection criteria and the storage location for collected data in a ‘configuration’ file Identify target machines Create a network share Load FD tool and configuration files into network share Assign target machines to a group Create a script to load the FD tool from the share when any target machine is connected to the network Receive email when each target collection is completed and then review/process the collected data as appropriate
  • 18.
    Individual machine deployment- overt Define selection criteria and the storage location for collected data in a ‘configuration’ file Load FD tool and configuration files onto the required number of external collection devices (e.g. USB backup drives) Provide the collection devices to any staff member (such as the user of the target machine) for them to attach to the target machine Provide instructions to run the FD tool from the collection device Receive email on completion Instruct the staff member to unplug and return the collection device
  • 19.
    Individual machine deployment- covert Define selection criteria and the storage location for collected data in a ‘configuration’ file Load FD tool and configuration files onto the required number of external collection devices (e.g. USB backup drives) Provide the collection devices to authorised staff for them to attach to the target machine(s) out of office hours Provide instructions to run the FD tool from the collection device (alternatively RDP to the target(s) and run the FD tool) Receive email(s) on completion Instruct the staff member(s) to unplug and return the collection device
  • 20.
    Benefits of anFD tool COST – reduction in data collected means a reduction in collection costs and a consequential reduction in processing costs RESOURCES – Remove the requirement for skilled staff to be tied up in the collection process INFRASTUCTURE – Reduce the impact on networks by dramatically reducing the amount of data transferred SPEED – By using the target machines for processing the total collection time is reduced to the time of the slowest machine COMPLETENESS – by undertaking plain text searches at the disk level rather than at the file system level all data is searched rather than a limited number of file types
  • 21.
    Questions? Toggle betweenan eDiscovery and a Digital Forensic collection with pre-set options?
  • 22.
    Proof of concept:-a plain text search of a live machine Looking for ANY files on a remote target with ‘ttest’ in them (a statistics reference)
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.