Real Time Event Recording System, the tool for Digital Forensics Investigation
Madhav [email protected]
Practice today
• Investigator finds that a device has been used
• Attempts to dig out all past events, e.g.
  – an object (file/registry) deleted from the disk/device
  – executing an EXE
  – cookies
  – contents sent out, e.g. for printing
  – access to a network resource
  – calls made through IP phones
  – etc.
Success factors
• Success rate depends on multiple factors
• Need multiple tools
• Need expertise
• Total failure if
  – device reset
  – physically damaged
  – etc.
Things available native…
• Native tools/repositories are present
  – Cookies
  – Windows
    • Event Log
    • Registry
  – Cell phone
    • call history
• Those are local; they can be cleaned, or overflow
The proposed tool
• Record when it happens/occurs
• Should support all devices
• Can be agent-based or agentless
• Records to a central server
• Can work on-line or off-line
Challenges for implementation
• Biggest: data storage
• Switching off the agent
• Taking the device off the n/w, in the agentless case
Other Utilization
• At nation level, for national security
  – Monitor activities at public places, e.g. Net cafes
• At Enterprise to enforce policies of device usage
• At home, to monitor usage by minors
Approaches for implementation
• Agent based
  – The monitored device's performance should not degrade
  – Have an “off-line” monitor
  – Avoid wasting n/w bandwidth
• Protecting the agent
  – Heartbeat: poll for agent alive
  – Tie it to the device kernel, somehow, so that if someone tries to “kill” it, it will take the device down
• Configurable events/devices
  – The events/devices, depth/detail etc. should be configurable
  – There should be a “white-list” for devices and events/applications, e.g.
    • the “Exchange” server is “trusted”
    • not monitoring the events of Source Code Control tools
• Pushing the logs to the server
  – On a “configurable” interval
  – On “shut-down” of the device
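As an added illustration of the agent-based approach above (this is example code, not code from the deck or its author), the following model captures the white-list filter, the off-line buffer, the push on a configurable interval or on shut-down, and a server-side heartbeat check for agents that have gone silent. The server class, the device and application names, and the event field names are all constructed assumptions.

```python
from collections import deque


class CentralServer:
    """Constructed stand-in for the central log server (hypothetical, not from the deck)."""
    def __init__(self, heartbeat_timeout):
        self.records = []           # every event pushed by any agent
        self.last_heartbeat = {}    # device_id -> time of last heartbeat
        self.heartbeat_timeout = heartbeat_timeout

    def heartbeat(self, device_id, now):
        self.last_heartbeat[device_id] = now

    def silent_agents(self, now):
        # Overdue heartbeat: agent switched off, or device taken off the n/w
        return sorted(d for d, t in self.last_heartbeat.items() if now - t > self.heartbeat_timeout)


class RecordingAgent:
    """Agent-based recorder: white-list filter, off-line buffer, push on interval or shut-down."""
    def __init__(self, device_id, server, whitelist, flush_interval):
        self.device_id, self.server = device_id, server
        self.whitelist = set(whitelist)    # trusted apps whose events are not recorded
        self.flush_interval, self.buffer = flush_interval, deque()   # buffer: local store while off-line
        self.online, self.last_flush = True, 0.0

    def record(self, now, event, subject, app):
        """Record an event when it happens; returns False if the app is white-listed."""
        if app in self.whitelist:
            return False
        self.buffer.append({"device": self.device_id, "ts": now,
                            "event": event, "subject": subject, "app": app})
        if now - self.last_flush >= self.flush_interval:
            self.flush(now)
        return True

    def flush(self, now):
        """Push buffered events; returns how many were sent (0 while off-line)."""
        if not self.online or not self.buffer:
            return 0
        batch = list(self.buffer)
        self.server.records.extend(batch)
        self.buffer.clear()
        self.last_flush = now
        return len(batch)

    def heartbeat(self, now):
        if self.online:
            self.server.heartbeat(self.device_id, now)

    def shutdown(self, now):
        return self.flush(now)   # on shut-down, push whatever is still buffered
```

Events recorded while the device is off the network stay in the local buffer and are pushed in the next flush, so the central record is gap-free as long as the agent itself keeps running.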
Q & A
Thank you
Madhav [email protected]