ing (even using identical hardware) an event or chain of events. Logical reproduction refers to a reproduction environment that is completely or partially similar to the original but not physically identical. Lastly, “theoretical” reproduction consists of setting out a chain of abstract reasoning in order to identify a possible set of events that led to the current state of a specific piece of evidence.
A group of researchers has presented a three-component model of a digital investigation which comprises: determination of the input/output layers, assignment of the read and write operations associated with the use of forensic tools, and time-stamping of those read and write operations. This builds on the work of several authors, culminating in the new model presented at DFRWS, which is generic, scalable, compatible with all functions in the system, and designed to yield high-quality reproducibility. It relies on scientifically derived and proven methods for the collection, identification, validation, preservation, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
While the above research has focused on the incident reproduction phase, or at least on the findings, another group of researchers has dedicated their attention to the search step. Before I go on, however, I should point something out. There is an important difference between the “survey” phase and the “search” phase. The latter, also known as the “analysis phase,” has two non-negotiable requisites:
1. The work is much more meticulous and in-depth than in the survey phase. Automated tools may be used, but in cases where special skills are required for the reconstruction of scattered digital evidence (a procedure known as “chaining”) human intervention is vital;
2. In many cases the search phase requires greater expertise than the survey phase, which is usually the purview of the so-called community of practitioners. That is why we are beginning to see a gap between “simple” digital investigators and true computer forensic analysts.
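To make the search step and the “chaining” of scattered evidence concrete, here is an added example in Python; it is not code from this book nor from any of the research groups it cites, and it anticipates the kind of automated, timestamp-driven search and random-sampling comparison discussed in the Purdue work below. It scans a constructed inode listing from a hypothetical compromised honeypot for files whose inode change time falls inside an assumed incident window, chains in the siblings of directories where hits cluster, and scores the result against a random sample of the same size. Every path, timestamp, window bound and ground-truth label is constructed for the example.

```python
"""
Added illustration of the "search" (analysis) step: find files created during
an incident window, chain scattered evidence through shared directories, and
compare the result with random sampling. All records, timestamps and labels
below are constructed for this example; they are not Honeynet Project data or
the method of any paper cited in the text.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import os
import random


@dataclass(frozen=True)
class FileRecord:
    path: str
    ctime: datetime   # inode change time: not settable with touch(1), so harder to forge than mtime
    incident: bool    # ground truth used only to score the search, never by the search itself


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed inode listing of a hypothetical compromised honeypot.
RECORDS = [
    FileRecord("/bin/ls",               ts("2005-03-01 10:00"), False),
    FileRecord("/bin/ps",               ts("2005-03-01 10:00"), False),
    FileRecord("/etc/passwd",           ts("2005-03-01 10:05"), False),
    FileRecord("/etc/hosts",            ts("2005-03-01 10:05"), False),
    FileRecord("/usr/bin/ssh",          ts("2005-03-01 10:10"), False),
    FileRecord("/home/alice/notes.txt", ts("2005-04-08 15:30"), False),
    FileRecord("/var/log/wtmp",         ts("2005-04-09 23:00"), False),
    FileRecord("/var/log/messages",     ts("2005-04-10 03:00"), False),  # legitimate, yet inside the window
    FileRecord("/tmp/.x/shell.so",      ts("2005-04-09 20:00"), True),   # staged before the window
    FileRecord("/tmp/.x/bnc",           ts("2005-04-10 02:15"), True),
    FileRecord("/tmp/.x/psybnc.conf",   ts("2005-04-10 02:16"), True),
    FileRecord("/usr/bin/.sshd",        ts("2005-04-10 02:40"), True),
    FileRecord("/etc/ld.so.preload",    ts("2005-04-10 02:41"), True),
    FileRecord("/var/tmp/scan",         ts("2005-04-10 03:10"), True),
]

# Assumed incident window, e.g. taken from an IDS alert (constructed).
INCIDENT_START = ts("2005-04-10 02:00")
INCIDENT_END = ts("2005-04-10 04:00")


def files_in_window(records, start, end):
    """First pass: every inode that changed inside the window."""
    return [r for r in records if start <= r.ctime <= end]


def hot_directories(hits, min_hits=2):
    """Directories where in-window changes cluster, most hits first."""
    counts = Counter(os.path.dirname(h.path) for h in hits)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [d for d, n in ranked if n >= min_hits]


def chain_by_directory(records, hits, min_hits=2):
    """Chaining: pull in the siblings of clustered hits even when their own
    timestamps fall outside the window (files staged earlier, or timestamps
    the intruder altered). The result is ordered by ctime for timeline review."""
    hot = set(hot_directories(hits, min_hits))
    selected = {h.path: h for h in hits}
    for r in records:
        if os.path.dirname(r.path) in hot:
            selected.setdefault(r.path, r)
    return sorted(selected.values(), key=lambda r: r.ctime)


def automated_search(records, start, end):
    """Window search followed by directory chaining."""
    return chain_by_directory(records, files_in_window(records, start, end))


def detection_rate(selected, records):
    """Fraction of the true incident files that the selection contains."""
    truth = [r for r in records if r.incident]
    return sum(1 for r in selected if r.incident) / len(truth)


def precision(selected):
    """Fraction of the selection that really is incident evidence."""
    return sum(1 for r in selected if r.incident) / len(selected)


def random_sampling_rate(records, sample_size, seed):
    """Baseline: pick the same number of files at random and score that."""
    sample = random.Random(seed).sample(records, sample_size)
    return detection_rate(sample, records)


if __name__ == "__main__":
    found = automated_search(RECORDS, INCIDENT_START, INCIDENT_END)
    for r in found:
        print(f"{r.ctime:%Y-%m-%d %H:%M}  {r.path}")
    print(f"detection {detection_rate(found, RECORDS):.2f}, precision {precision(found):.2f}")
    baseline = [random_sampling_rate(RECORDS, len(found), seed) for seed in range(200)]
    print(f"random sampling of {len(found)} files: mean detection {sum(baseline) / len(baseline):.2f}")
```

On this constructed listing the window search alone misses the library staged in `/tmp/.x` the evening before, and only the chaining step recovers it; at the same time the selection still contains `/var/log/messages`, a legitimate file whose inode happened to change during the window. That residue is exactly why the text insists that automation assists the search phase without replacing the analyst who has to judge each hit.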
Having said this, automated search functions have been developed at Purdue University. This is almost a countertrend to the preponderance of manual activity seen over the past three years. The research presented at DFRWS 2005 starts from practical experience with the Honeynet Project. In the paper, the authors introduce techniques to automate the searching process by suggesting which searches could be helpful. The researchers also use data mining techniques to find files and directories created during the incident. The results of applying these techniques to a compromised honeypot system were good and showed that the data mining techniques detect a higher percentage of files than random sampling would, but there are still many