Dark Datain

Live Forensics

Rob ZirnsteinPresident

Forensic InnovationsMay 7th, 2010

Dark Matter?

• Dark Matter in the Universe– Undetectable– Light bends around it– Gravitational effects

What is Dark Data?

• Dark Data in our digital devices– Everyone creates it (unintentionally)– Criminals may hide it (Anti-Forensics)– Forensic tools can’t see it– But it is there!

• Data that we can’t see– On our hard drives– On out flash drives– In our computer files

Where is Dark Data?

• Unknown Computer Files– eDiscovery & Document Management handle

500 types of files– Types of files in the world = over 50,000*– Types of files typically in use = 5,000

• Hiding in Common Files– MS Office, Adobe PDF, …(Slack & Steganography)

• Deleted Data isn’t really gone– Unused Disk Space, File Slack Space, Object

Slack Space, Caches / Swap Files*http://filext.com

Unknown Files

Typical Tools FI Tools (23 wrong files) (26 Correct Files)

Steganography

Intentional Data Hiding

Deleted Data

Deleted Data that evades Redaction

Is Dark Data Important?

• Cases are won or lost based on the ability to find evidence.– The strongest evidence may be hidden accidentally or

intentionally.

• Corporate Digital Assets may be lost, but recoverable.

• Employee misconduct is tracked by the hidden trail of improper acts.

• Intellectual Property theft can put a company out of business.– Identify in-house criminals by detecting the data

they’re hiding before being moved.

Live Forensics

• Traditional Digital Forensics– Create image/copy of a hard drive– Analyze the static disk image

• Live Forensics– Analyze the data while still being used in the

device/computer– Bypass Hard Drive encryption– Collect only data pertinent to a case

• Live Forensics Trends– Some judges are requiring it– More hard drives are getting encrypted– Large hard drives are cumbersome to image

Dark Data in Live Forensics

– Live Forensics software tools run on the live system.• The RAM that they use affects the memory cache files

on the hard drive.• The running computer deletes & creates files on the

hard drive constantly.• Hard drive activity can destroy some of the Dark Data!

– Dark Data must be collected first!• Before other tools interfere with the data…

1. Image RAM2. Analyze Unused Disk Space3. Analyze File Slack Space4. Collect relevant file types

What We Do

• Internationally– Empower our partners to capture Dark

Data• File Investigator, File Expander & File Harvester

– Equip law enforcement with tools• FI TOOLS, FI Object Explorer

• Locally– Developing the next generation of

Dark Data software technologies– Digital Asset Auditing (Coming Soon)

Forensic Innovations Technologies

• File Investigator– Discovers Files Hiding as something else– Identifies 3,700+ File Types– High Accuracy & Speed

• File Expander– Discovers Hidden Data within common files– Data missed by all forensic tools

• File Harvester (Under Development)

– Recovers deleted files that the rest of the industry can’t

Thank you

• ContactRob ZirnsteinRob.Zirnstein@ForensicInnovations.comwww.ForensicInnovations.com(317) 430-6891

• Strategic PartnershipsNew partners are welcome