Digital Forensics: What Is Forensic?
What is forensic?
• “The current state of Digital Forensic Science exhibits only some of these characteristics and they are not tied to specific disciplinary practices considered by any group as scientifically rigorous.”*
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
• Identification
– Event/crime detection
– Resolve signature
– Profile detection
– Anomalous detection
– Complaints
– System monitoring
– Audit analysis
• Preservation
– Case management
– Imaging technologies
– Chain of custody
– Time synchronization
• Collection
– Preservation
– Approved methods
– Approved software
– Approved hardware
– Legal authority
– Lossless compression
– Sampling
– Data reduction
– Recovery techniques
• Examination
– Preservation
– Traceability
– Validation Techniques
– Filtering techniques
– Pattern matching
• Analysis
– Preservation
– Traceability
– Statistical
– Protocols
– Data mining
– Timeline
– Link
– Special
• Presentation
– Documentation
– Expert testimony
– Clarification
– Recommended countermeasure
– Statistical interpretation
• Reliable methods*
• A formalized approach
– Allows repeatability
– May be used to verify a process
– Complex attacks begin with the attacker and end with the victim
• Integrity
• Competence
• Defensible technique
• Relevant experience
• EEDI takes the view that the incident begins at the attacker, ends at the victim, and includes everything in between
• Identification
– Call received
• Preservation
– Server imaged
• Image in chain of custody
• Collection
– Began interviews
– Event described
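The Preservation items above (imaging, chain of custody, time synchronization) and the "formalized approach ... may be used to verify a process" point are easiest to see in code. The following is an added example, not part of the slides or of the DFRWS framework itself: it hashes a constructed stand-in for a disk image at acquisition, records each custody transfer with a UTC timestamp, and verifies later that the image still matches the acquisition hash. The case identifier, custodian names and the image bytes are all placeholders.

```python
"""Chain-of-custody log for an acquired image: hash at acquisition, record
each transfer with a UTC timestamp, verify the image is unchanged later.
Added example; the evidence bytes and case id below are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a raw disk image (a real one is a file of many GB).
EVIDENCE_IMAGE = b"\x00" * 512 + b"EXAMPLE-MBR-SECTOR" + b"\xff" * 64


def hash_image(data: bytes) -> str:
    """SHA-256 of the whole image, fed in chunks the way a large file would be."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), 256):
        h.update(view[i:i + 256])
    return h.hexdigest()


@dataclass(frozen=True)
class CustodyRecord:
    timestamp: str   # ISO-8601 in UTC, so entries from different hosts compare cleanly
    custodian: str
    action: str      # e.g. "acquired", "transferred", "examined"
    sha256: str      # hash the custodian observed at this step


@dataclass
class ChainOfCustody:
    case_id: str
    records: list = field(default_factory=list)

    def record(self, custodian: str, action: str, data: bytes,
               when: datetime = None) -> CustodyRecord:
        """Append a custody entry; the hash is recomputed, never copied forward."""
        when = when or datetime.now(timezone.utc)
        entry = CustodyRecord(when.isoformat(), custodian, action, hash_image(data))
        self.records.append(entry)
        return entry

    def verify(self, data: bytes) -> tuple:
        """Return (ok, reason). The first record is the acquisition baseline;
        every later record and the current bytes must match it."""
        if not self.records:
            return False, "no acquisition record"
        baseline = self.records[0].sha256
        for r in self.records[1:]:
            if r.sha256 != baseline:
                return False, f"hash changed at '{r.action}' by {r.custodian}"
        if hash_image(data) != baseline:
            return False, "current image does not match acquisition hash"
        return True, "image unchanged since acquisition"


def run_example() -> tuple:
    """Walk the slide's sequence: acquire, transfer, then verify before and
    after a single-bit change to the image. Returns (ok_before, ok_after, reason)."""
    chain = ChainOfCustody("CASE-0000-PLACEHOLDER")
    chain.record("first responder", "acquired", EVIDENCE_IMAGE)
    chain.record("evidence custodian", "transferred", EVIDENCE_IMAGE)
    ok_before, _ = chain.verify(EVIDENCE_IMAGE)

    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[520] ^= 0x01            # flip one bit inside the constructed sector
    ok_after, reason = chain.verify(bytes(tampered))
    return ok_before, ok_after, reason


if __name__ == "__main__":
    before, after, why = run_example()
    print("intact image verifies:", before)
    print("altered image verifies:", after, "-", why)
```

Because every record carries a freshly computed hash rather than a copied one, a custodian who hashed a different copy shows up as a break in the chain at that step, which is the repeatability and process-verification property the "formalized approach" bullets describe.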