In this presentation we will introduce current state of digital forensics, its positioning in general IT security and relations with data science and data analyses. Many strong links exist among this technical and scientific fields, usually this links are not taken into consideration. For data owners, forensic researchers and investigators this connections and data views presents additional hidden values.

1. Current state of Digital
Forensic and Data Science
Damir Delija
INSig2

2. What I’ll Talk About Loudly
• What is Digital Forensics
• definitions
• and what it is not ..
• Its relations with IT security or Cybersecurity
• Relations with data science
• Is there any gain ?
• Yes, you can get rich on other people security related data ..
• Interesting history of Bruce Schneier and „Counterpane Internet Security, Inc”

3. Idea
• I’d like to make you think about possibilities
• I’d like to show there is nothing new, just scale and tools changes, also
again opportunity
• Reality needs hard reliable data to make sensible decisions to survive
• There is no more urgent need than in fight and control
• Old WW2 operational research is perfect example
• IT security is in deep trouble
• Digital forensics is also in crisis we can sense reaching end of models,
there will be probably a paradigm change

4. Definitions
• Forensics Science
• Forensics is “The application of scientific knowledge to legal problems" (Merriam-Webster), what
Includes forensic medicine, physics, chemistry, dentistry, fingerprints, DNA, firearm analysis,
accounting, all traditional fields
• Forensic Computing
• Forensic Computing” by V. Venema, D. Farmer late in 1990’s: „Gathering and analyzing data in a
manner as free from distortion or bias as possible to reconstruct data or what has happened in the
past on a system.”
• Digital Forensics (cyber forensic ?)
• “Digital forensics and Computer forensics” is: defined as “Computer forensics, sometimes known
as computer forensic science is a branch of digital forensic science pertaining to evidence found in
computers and digital storage media. The goal of computer forensics is to examine digital media in
a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and
presenting facts and opinions about the digital information”
• Digital Evidence
• digital evidence or electronic evidence is defined as “any probative information stored or
transmitted in digital form that a party to a court case may use at trial.”

5. Digital Forensics and Forensic Science
• Its about extracting digital evidence from data
• what amount of data, what is amount of digital evidence
• what are specifics about this data
• Forensics Science
• used to relatively small amount of data, part of experiment
• physical evidence – solid hard, golden standard, easy to prove not changed
• Digital Forensics
• huge volume of data (1 TB disk is a normal)
• digital evidence – in digital form, hashing to prove it is not changed since
collecting / acquisition

6. Definitions in Simple Words
• Digital Forensics = Forensic Computing + Digital Evidence
• Digital forensics is part of IT security responsible for finding out what
happened
• Key element to spot:
• data has to be processed to find digital evidence
• huge amount of data
• working with read only copy of original data , so possibility of parallel
processing

7. Data in Which Digital Forensic is Interested
• All data available in your system is of interest
• A lot of external data too / Locard princeiple
• Example: one of the oldest in the book: log analyses
• remember Bruce Schneier
• Log collecting and analyses
• key concept in IT sec since ever
• everything is logging tremendous amount of formats, locations rules,
structures, patterns, tools SIEM, intrusion detection ..
• log analyses is one of the oldest branches in digital forensics
• Not only your logs, but other people logs too, whole event scope

8. Data in Which Digital Forensic is Interested
Sources of data, can be live or static
• logs of all kinds
• disk images
• live disk images
• live memory images
• memory dumps
• network captures,
• process memory,
• file entropy, file hashes
• live filesystems and databases, files, slack, unallocated space. metadata
• web and web dumps
• specific protocols and api level access
• SNMP
• DNS
• ARP
• DHCP
• Facebook, twitter, SharePoint

9. Links among IT sec, digital forensics and data
science
• How to find out what is going on in your system ?
• IT sec. provides tools and intrepretations
• SANS Critical Controls
• Digital forensic answer what happend
• There is ahuge amont of data – tools and methods sholud follow best
practices from computer science and data science in particular

10. What we are doing with data – classic post
mortem
• Example standard PC analyses 1 Tera byte disk,
• machine is turned off, no live actions
• Acquisition 3 hours at last to create forensic disk image
• Analyses from image (read only copy of disk data)
• reconstruct file system and other structures
• apply some test to see if operations makes sense
• extract relevant digital evidence based on description
• set of hypothesis to prove or disprove
• basically keyword search / structure pattern finding / timeline creation
• can take days
• Reporting Create a report about findings
• Does this look familiar , like data mining ?

11. What we are doing with data – live access
• live data access – state into snapshots
• Can be from raw dump up to exact access of one record
• Can be on many end nodes (involved machines) in parallel
• We ae doing it forensically sound
• Enterprise forensic tools,
• Preventive forensic (bit strange title)
• Special type - eDiscovery

12. What this data means ?
• It is how your system lives
• SANS CIS Critical Security Controls „The CIS Critical Security Controls
for Effective Cyber Defense” are based and derived from this data
• Processing of such data is not simple
• Prediction how system will react / behave in future or in incident
situation
• Digital forensic to access data approach, methods tools based on data
science

13. Current Digital Forensics Tools and Practices
• In the core of digital forensics today is problem of processing huge
volume of data.
• To be honest this is really a big, unspoken obstacle
• Often overlooked and not understand by digital forensic practitioners
and vendors
• Parallelism / automatisation not supported
• No real standards
• Lack of cooperability

14. What are Benefits if Forensics and Data are
Properly Used
• Cycle speed up
• usually it takes weeks and months to detect and handle sec. incident
• with combination of digital forensics and data we can speed up things into
hours or minutes
• Much better understanding how your system is behaving and what is
your system
• what are hidden and what is unknown in your system
• Verizon reports about big unknowns
• For all that proper science and engineering approach is needed
especially in planning and understanding of data and systems

15. Conclusion ?
• We are at the end of one type of digital forensics
• Also we are at the end of one approach to IT sec.
• How to cope with ever increasing complexity and unknown dangers ?
• Your own data probably has some answers
• Probably also a specialized artificial intelligence based on knowledge
extracted from your system and global data
• (various sec. grids etc.)
• PS:
I’m sure attackers are also using data science methods

16. Questions ?
Damir Delija
damir.delija@insig2.eu