Six Blind Men from Indostan Mark M. Pollitt Digital Evidence Professional Services, Inc.
Once upon a time, there were six blind men from Indostan…
• One thought that the elephant looked like a snake
• Another a leaf
• Another a spear
• Another a wall
• Another a rope
• Another a tree trunk
So what does that have to do with digital forensics?
• We approach DF from different perspectives and with different goals
• Is DF:
– An investigative task?
– A forensic science?
– Sensors for computer security?
– Part of incident response?
The answer to these questions is
But…
Forensics is not an elephant, it is a process!
But, we just can’t seem to agree on what the process is…
NIST Incident Response Model
NIST SP 800-61
End to End Digital Investigation
• Collecting evidence
• Analysis of individual events
• Preliminary correlation
• Event normalizing
• Event deconfliction
• Second level correlation (normalized and non-normalized events)
• Timeline analysis
• Chain of evidence construction
• Corroboration (non-normalized events)
Peter Stephenson, Application of Formal Methods to Root Cause Analysis of Digital Incidents, 2003
Forensic Science Process
• Acquisition & Preservation
• Examination
• Analysis
• Presentation
The DFRWS 2001 “Process”
Chart courtesy of Peter Stephenson
Zachman EA Framework
http://www.feacinstitute.org/enterprise_architecture/federal_enterprise_architecture/index.htm#
Zachman EA Framework: Views, Artifacts, Functions
Viewing the DFRWS as a Framework
Chart courtesy of Peter Stephenson
Functions: IDENTIFICATION, PRESERVATION, COLLECTION, EXAMINATION, ANALYSIS, PRESENTATION
Functions: IDENTIFICATION, PRESERVATION, COLLECTION, EXAMINATION, ANALYSIS, PRESENTATION
Tasks (examples):
• Hidden data extraction
• Pattern matching
• Filtering
Functions: IDENTIFICATION, PRESERVATION, COLLECTION, EXAMINATION, ANALYSIS, PRESENTATION
Tasks (examples):
• Hidden data extraction
• Pattern matching
• Filtering
Constraints (examples):
• Legal authority
• Traceability
Functions: IDENTIFICATION, PRESERVATION, COLLECTION, EXAMINATION, ANALYSIS, PRESENTATION
Roles, aka Views?
Might look something like this: a grid of roles against the functions IDENTIFICATION, PRESERVATION, COLLECTION, EXAMINATION, ANALYSIS and PRESENTATION, with one row per role:
• Incident Response
• Security Management
• Criminal Investigations
• LE Forensic Examination
• Civil Discovery
• Intelligence
Functions: IDENTIFICATION, PRESERVATION, COLLECTION, EXAMINATION, ANALYSIS, PRESENTATION
Time?
This is where it gets difficult, we don’t seem to agree on the same temporal order.
In fact, we don’t seem to use the same functions for each case/view/role.
Maybe we don’t have to…
The temporal order is not defined by “forensics”, as a process, but rather constrained by the role’s purpose for using forensics.
Another way to describe this:
• Forensics is not a single process, but is
• A set of tasks that can be grouped into
• Functions that are selected based upon
• The purpose for which the process is being applied (role) and are
• Bound by constraints that are
• Defined by either internal or external requirements
Is this THE answer?
• Of course not!
• Frameworks are always “works in progress”
• That should not stop us from taking new steps each day
• Frameworks get better with application
Applying this to Research Issues
• Research can be focused on:
– Functions
– Tasks
– Constraints
– Process
– Roles
– Or the interrelationships between these
Conclusion
• The core DFRWS framework is sound
• It can be developed, extended and refined
• It can be used as both a framework and a vocabulary for research and practice
• The next steps are in your hands!
I Sincerely Thank You for
• Your time
• Your attention
• Your contributions to the field
• Your participation in the remainder of this conference
Mark M. Pollitt, President
Digital Evidence Professional Services, Inc.