Scope of Discussion
1. The potential of automating computer forensics
2. A glimpse at the current state of the art
3. Future possibilities
4. Building a community to move forward
Why Automate?
Don't you know we get paid by the hour?
Increased productivity
- Information systems keep growing in size (Moore's Law), so there is more information to process.
- A recent article claims corporate data has increased 50 times in the last three years.
- The legal system is responding to the necessity of using forensic evidence.
Information Security Consultants, Inc.
Standardization of Forensic Protocols
If our protocols are not consistent and demonstrable, vital evidence may be excluded. Automation removes some of the human element from these activities, reducing the possibility of error.
- Humans are not well suited to repetitive tasks such as the inspection of large quantities of evidence.
- Safety: automation takes over tasks where an accident could prejudice the case (writing to the evidence disk, etc.).
As the volume of material which must be examined increases, some of the work must trickle down to less experienced workers.
Automation is Inevitable
Discovery
- Non-volatile media (generally)
- No change to the media is permitted
- A studied, unhurried approach is possible
Incident Response
- Volatile and non-volatile media
- Change to the media may be unavoidable
- Decisions must be made quickly, and they can affect both business operations and the evidence
Differences
The two are similar, differing mainly in the scope of the investigation and the time frame. E-Discovery tools are less complex and safer with regard to changing evidence. Incident response automation could be more valuable because it operates in real time.
What's Available
Some of the tools we will look at already have the means to handle some of these tasks.
State of the Art
- Batch files
- Designed-in automation
- Macros in scripting languages
- Totally automated tools (research)
Batch Files
Batch files are the most basic form of automation. This is an excerpt from a popular incident response batch file.
Designed-in Automation
Adding evidence in FTK
Scripted
EnCase EnScripts, ProDiscover and Perl
A Radical departure
Let's stop using these machines as little more than electronic file cabinets.
New Automation
Let's produce tools that take their general direction from us and proceed somewhat autonomously.
Possible Problems
- They could dumb down the profession
- They could be easily challenged in court
- They could fail to find evidence and let the guilty go free
- Any other problems?
The Process
Automate Science?
The scientific or procedural part of computer forensics is easy to automate. Most of what has been done so far is this type of automation.
Automate Art?
Image: the HOAP-2 humanoid robot from Fujitsu, recently acquired by the Autonomous Systems Laboratory 3 (ASL3) at the University of Lausanne
The Hunch?
The classical view of a detective is someone following a hunch. It appears to be an art form, but is it? A hunch is a judgment about likely human behavior, built on extensive study of human behavior.
Which One?
Our human investigator will spend a minimum amount of time on each of several possibilities. An automated tool, with no intrinsic time constraints, can examine more of them at low cost. The chess match between Deep Blue and Kasparov is a good example: the machine won not by thinking like a grandmaster but by evaluating far more positions than a human could.
Techniques
- Checklists
- Scripts
- Expert Systems
- Intelligent Agents
- Genetic Algorithms
- Neural Networks
A Quick Introduction to AI
Artificial Intelligence is "the science of making machines do things which would require intelligence if done by man" (Marvin Minsky).
Expert Systems
Expert systems are very useful where a highly specialized, very narrow field of knowledge must be applied by less knowledgeable people. Does that sound familiar?
Rule Based
Expert systems operate using rules. The following is an example of a system which could be used to locate child pornography. The program would search the suspect drives for any files whose hashes match a set of hash libraries of known images, then apply rules to the matches.
Rules (example)
- If no matching images are found on the subject drive, the possibility that the drive contains child porn is low.
- If one matching hash is found, the possibility is moderate.
- If three matches are found, the possibility is high.
- If matching images are found outside of mail systems, the possibility is very high.
- If matching images are attached to outgoing email, the probability is near certain.
A production program would probably assign numerical values, and might consider many other factors.
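The rule set above as working code. This is an added example, not code from the slides or from Information Security Consultants, Inc.; it assumes SHA-256 digests for the hash library, decides "inside a mail system" by a path-component test against a few assumed mail-folder names, and takes the set of outgoing attachments as an explicit input because the slides do not say how that would be detected. The sample "drive" is a constructed directory of small files, not real evidence.

```python
"""Rule-based triage over hash-library matches (added example; not from the slides).

Assumptions not stated on the page: SHA-256 digests for the hash library, a
path-component test to decide whether a file lives inside a mail store, and an
explicit set of paths flagged as outgoing attachments.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Directory names treated as mail stores (assumption, for the path test).
MAIL_DIR_MARKERS = {"mail", "outlook", "thunderbird"}


@dataclass
class Match:
    path: str
    in_mail_store: bool
    outgoing_attachment: bool


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large evidence files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, hash_library, outgoing=frozenset()):
    """Walk root, hash every regular file and return matches against the library."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if not os.path.isfile(p):
                continue  # skip dangling symlinks, sockets, etc.
            if sha256_of(p) not in hash_library:
                continue
            parts = {c.lower() for c in p.split(os.sep)}
            found.append(Match(p, bool(parts & MAIL_DIR_MARKERS), p in outgoing))
    return found


def assess(matches):
    """Apply the slide's rules; the strongest rule that fires decides the level.

    One or two matches are read as 'moderate' (the slides name only one and three).
    Images outside a mail store rank higher because they imply deliberate storage
    rather than mere receipt of an unsolicited message.
    """
    if not matches:
        return "low"
    level = "moderate"
    if len(matches) >= 3:
        level = "high"
    if any(not m.in_mail_store for m in matches):
        level = "very high"
    if any(m.outgoing_attachment for m in matches):
        level = "near certain"
    return level


def build_fixture(root):
    """Constructed sample 'drive': small text files standing in for images."""
    layout = {
        "Users/alice/Pictures/holiday.jpg": b"not in the library",
        "Users/alice/Mail/Inbox/attach1.jpg": b"known-image-A",
        "Users/alice/Mail/Inbox/attach2.jpg": b"known-image-B",
        "Users/alice/Mail/Sent/out.jpg": b"known-image-A",
        "Users/alice/Documents/hidden.jpg": b"known-image-C",
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    library = {hashlib.sha256(d).hexdigest()
               for d in (b"known-image-A", b"known-image-B", b"known-image-C")}
    outgoing = {os.path.join(root, "Users", "alice", "Mail", "Sent", "out.jpg")}
    return library, outgoing


def demo():
    """Scan the constructed drive and assess several subsets of the matches."""
    with tempfile.TemporaryDirectory() as root:
        library, outgoing = build_fixture(root)
        all_matches = scan(root, library, outgoing)
        in_mail = [m for m in all_matches if m.in_mail_store]
        return {
            "matches": len(all_matches),
            "full": assess(all_matches),
            "no_outgoing": assess(scan(root, library)),
            "mail_three": assess([Match(m.path, True, False) for m in in_mail]),
            "mail_two": assess([Match(m.path, True, False) for m in in_mail[:2]]),
            "empty": assess([]),
        }


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: {level}")
```

The rules fire in order of strength, so the single strongest observation decides the level; a production version would, as the slide says, replace these labels with scores and weigh more factors (file timestamps, whether the mail store belongs to the suspect, and so on).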
Genetic Algorithms
In Jurassic Park, "Life will find a way" became a tagline used several times throughout the movie. It refers to the fact that evolution is not limited by conceptual thinking: it tries a large number of random variations and keeps the ones that work best. Programs can be written to mimic this process.
Neural Networks
- Composed of a large number of highly interconnected processing elements
- Mimic the operation of the brain
- Have the potential to automate the artistic functions
Report
References
- A Mechanism for Automatic Digital Evidence Collection on High-Interaction Honeypots, June 2004. http://www.dcc.unicamp.br/~ra002193/index-en.html
- Standardization Of Forensic Protocols. http://web.archive.org/web/20030318033317/http://www.first.org/events/progconf/2002/d3-03-dosreis-slides.pdf
- Automating Case Reports. http://cisr.nps.navy.mil/downloads/theses/05thesis_cassidy.pdf
- Automated Diagnosis. http://www.mitre.org/work/tech_papers/tech_papers_01/elsaesser_forensics/esaesser_forensics.pdf
- Incident Reporting. http://www.giac.org/certified_professionals/practicals/gsec/0547.php
- State Machine Theory. http://www.gladyshev.info/smforensics/
- Pre-Forensic Setup Automation. http://www.las.ic.unicamp.br/paulo/papers/2002-CCN-IASTEDflavio.oliveira-PFSAF.pdf
- Automated Reassembly Of Fragmented Images. http://isis.poly.edu/kulesh/research/pubs/icassp-2003.pdf
- A Primer on Artificial Intelligence. http://users.erols.com/jsaunders/papers/aitechniques.htm
- Robot Painting at the University of Lausanne. http://humanoids.epfl.ch/research/upper_body/paint/paint.html
Contact Information
Thomas Ianuzzi, CISSP, CCE
President, Information Security Consultants, Inc.
2243 NE 15th Drive, Jensen Beach, FL 34957
(772) 781-7300