Real Time Event Recording System the Tool for Digital Forensics Investigation by Madhav Limaye
Page 1
Real Time Event Recording System, the tool for Digital Forensics Investigation
Madhav Limaye, [email protected]
Page 2
Practice today
• Investigator finds that the device has been used
• Attempts to dig out all events in the past, e.g.
  – an object (file/registry key) deleted from the disk/device
  – executing an EXE
  – cookies
  – contents sent out, e.g. for printing
  – access to a network resource
  – calls made through IP phones
  – etc.
Page 3
Success factors
• Success rate depends on multiple factors
• Need multiple tools
• Need expertise
• Total failure if
  – the device was reset
  – the device is physically damaged
  – etc.
Page 4
Things available native…
• Native tools/repositories are present
  – Cookies
  – Windows
    • Event Log
    • Registry
  – Cell phone
    • call history
• Those are local: they can be cleaned, or they overflow and old entries are lost
Page 5
The proposed tool
• Records when the event happens/occurs
• Should support all devices
• Can be agent-based or agentless
• Records to a central server
• Can work on-line/off-line
Page 6
Challenges for implementation
• Biggest: data storage
• Switching off the agent
• Taking the device off the network, in the agentless case
Page 7
Other Utilization
• At nation level, for national security
  – Monitor activities at public places, e.g. net cafes
• At the enterprise, to enforce policies on device usage
• At home, to monitor usage by minors
Page 8
Approaches for implementation
• Agent-based
  – So that the performance of the monitored device does not degrade
  – Have an “off-line” monitor
  – Conserve network bandwidth
• Protecting the agent
  – Heartbeat: poll to check the agent is alive
  – Tie it to the device kernel, somehow, so that if someone tries to “kill” it, it takes the device down
• Configurable events/devices
  – The events/devices, depth/detail etc. should be configurable
  – There should be a “white-list” for devices and events/applications, e.g.
    • the “Exchange” server is “trusted”
    • not monitoring events from source code control tools
• Pushing the logs to the server
  – On a “configurable” interval
  – On “shut-down” of the device
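As an added illustration of the agent-based approach on this page (not code from the slides), the following Python models an agent that records events as they occur, drops white-listed applications, buffers off-line and pushes to the central server on a configurable interval and on shut-down, while the server uses the heartbeat to spot agents that have gone silent. Class names, fields, the interval and the sample events are all constructed for the example.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts device app kind")  # ts: epoch seconds; kind: "file_delete", "exe_start", ...


class CentralServer:
    """Collects pushed log batches and agent heartbeats."""
    def __init__(self):
        self.events, self.last_heartbeat = [], {}
    def receive(self, batch):
        self.events.extend(batch)
    def heartbeat(self, device, now):
        self.last_heartbeat[device] = now
    def mark_shutdown(self, device):
        self.last_heartbeat.pop(device, None)      # a clean shut-down is not an alarm
    def missing_agents(self, now, timeout):
        # Silent agents: the agent was killed, or the device was taken off the network.
        return sorted(d for d, t in self.last_heartbeat.items() if now - t > timeout)


class Agent:
    """Records events as they occur, applies the white-list, pushes on interval and shut-down."""
    def __init__(self, device, server, interval, start, trusted_apps=()):
        self.device, self.server, self.interval = device, server, interval
        self.trusted = set(trusted_apps)            # white-listed apps are not recorded
        self.buffer, self.last_push = [], start     # buffer is the off-line store
    def record(self, ev):
        if ev.app not in self.trusted:
            self.buffer.append(ev)
    def push(self):
        if self.buffer:
            self.server.receive(self.buffer)
            self.buffer = []
    def tick(self, now):                            # heartbeat poll; push if the interval elapsed
        self.server.heartbeat(self.device, now)
        if now - self.last_push >= self.interval:
            self.push()
            self.last_push = now
    def shutdown(self):                             # push whatever is buffered before going down
        self.push()
        self.server.mark_shutdown(self.device)


def demo():  # constructed run: a laptop with a trusted Exchange client, a phone whose agent goes silent
    server = CentralServer()
    laptop = Agent("laptop-01", server, interval=60, start=0, trusted_apps={"exchange"})
    laptop.record(Event(5, "laptop-01", "explorer", "file_delete"))
    laptop.record(Event(6, "laptop-01", "exchange", "net_access"))   # white-listed: dropped
    for now in (30, 60):                                            # push happens at 60 only
        laptop.tick(now)
    laptop.record(Event(70, "laptop-01", "cmd", "exe_start"))
    laptop.shutdown()
    phone = Agent("phone-02", server, interval=60, start=0)
    phone.tick(10)                                                  # last heartbeat ever
    return [e.kind for e in server.events], server.missing_agents(now=200, timeout=90)
```

Running `demo()` returns the two recorded event kinds for the laptop and flags `phone-02` as missing, while the cleanly shut-down laptop raises no alarm.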
Page 9
Q & A