
Real Time Event Recording System the Tool for Digital Forensics Investigation by Madhav Limaye



This is a tool-like application that records system events, e.g. file delete, file execute, etc., on a central server. These are the potential events used by digital forensic investigators while investigating an offensive event, e.g. hosting an attack.



  1. Real Time Event Recording System, the tool for Digital Forensics Investigation (Madhav Limaye)
  2. Practice today
     • The investigator finds the device that has been used
     • Attempts to dig out all events in the past, e.g.:
       – an object (file/registry) deleted from the disk/device
       – executing an EXE
       – cookies
       – contents sent out, e.g. for printing
       – access to a network resource
       – calls made through IP phones
       – etc.
  3. Success factors
     • The success rate depends on multiple factors
     • Needs multiple tools
     • Needs expertise
     • Total failure if:
       – the device has been reset
       – the device is physically damaged
       – etc.
  4. Things available natively
     • Native tools/repositories are present:
       – Cookies
       – Windows: Event Log, Registry
       – Cell phone: call history
     • Those are local, and can be cleaned or overflow
  5. The proposed tool
     • Records when it happens/occurs
     • Should support all devices
     • Can be agent based or agentless
     • Records to a central server
     • Can work on-line/off-line
  6. Challenges for implementation
     • Biggest: data storage
     • Switching off the agent
     • Taking the device off the network, in the agentless case
  7. Other utilization
     • At nation level, for national security: monitor activities at public places, e.g. net cafes
     • At enterprise level, to enforce policies of device usage
     • At home, to monitor usage by minors
  8. Approaches for implementation
     • Agent based
       – So that the performance of the monitored device does not degrade
       – Has an "off-line" monitor
       – Conserves network bandwidth
     • Protecting the agent
       – Heartbeat: poll to check the agent is alive
       – Tie it to the device kernel, somehow, so that if someone tries to "kill" it, it takes the device down
     • Configurable events/devices
       – The events/devices, depth/detail etc. should be configurable
       – There should be a "white-list" for devices and events/applications, e.g.:
         • the "Exchange" server is "trusted"
         • not monitoring the events for source code control tools
     • Pushing the logs to the server
       – On a "configurable" interval
       – On "shut-down" of the device
  9. Q & A
  10. Thank you. Madhav Limaye
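As an added example (not code from the slides), the agent-side ideas of slide 8, a configurable white-list of devices, events and applications, an off-line spool for when the central server is unreachable, and pushing the spooled records on a configurable interval or at shut-down, can be sketched as follows. The policy values, device names, event fields and the `send` transport callable are assumptions.

```python
import json
from collections import deque

# Constructed policy in the spirit of slide 8: event types to record, trusted
# devices, and applications exempt from monitoring (all names are assumed).
POLICY = {
    "events": {"file_delete", "file_execute", "network_access"},
    "trusted_devices": {"exchange-01"},        # e.g. the "Exchange" server
    "exempt_apps": {"git.exe", "svn.exe"},      # source-code-control tools
}

class Agent:
    """Hypothetical agent: filters events by policy, spools them while the
    central server is unreachable, pushes on an interval or at shut-down."""
    def __init__(self, device, policy, send, interval=60.0):
        self.device, self.policy, self.send = device, policy, send
        self.interval, self.last_push = interval, 0.0
        self.spool = deque()                    # off-line buffer of JSON lines

    def should_record(self, event):
        """White-list logic: skip trusted devices, exempt apps, unlisted events."""
        if self.device in self.policy["trusted_devices"]:
            return False
        if event.get("app") in self.policy["exempt_apps"]:
            return False
        return event["type"] in self.policy["events"]

    def record(self, event, ts):
        if not self.should_record(event):
            return False
        rec = {"device": self.device, "ts": ts, **event}
        self.spool.append(json.dumps(rec, sort_keys=True))   # one record per line
        return True

    def push(self, now, reason="interval"):
        """Send every spooled record; keep them spooled if the server is down."""
        batch = list(self.spool)
        if not batch:
            return 0
        try:
            self.send({"device": self.device, "reason": reason, "records": batch})
        except ConnectionError:
            return 0                            # stay off-line, nothing is lost
        self.spool.clear()
        self.last_push = now
        return len(batch)

    def tick(self, now):
        """Periodic call: push once the configurable interval has elapsed;
        call push(now, "shutdown") from the device's shut-down hook."""
        return self.push(now) if now - self.last_push >= self.interval else 0
```

The spool here is in memory only; a real agent would persist it to local storage so that records survive the "switching off the agent" case from slide 6.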