false positives. More research into the error rates of manual searches is needed to
fully understand the impact of automated techniques.
Managing digital forensics cases is becoming more and more complex, and the complexity grows in direct proportion to the capacity of the media under investigation. As has been said before, it is not possible to create a complete image of a file system on the scale of Google's. For this reason, every forensic investigation requires planning and analysis activities to determine which digital media will be seized, what types of information will be sought in the examination, and how the examination will be conducted. The existing literature [Bogen and Dampier] and suggested practices indicate that such planning should take place, but few tools support it. Planning an examination may be an essential activity when investigators and technicians face unfamiliar case types or unusually complex, large-scale cases. In complex, large-scale cases it is critical that the investigators provide the computer forensics technicians with the appropriate amount of case data, supplemented with keyword lists; too much case data or too little can make the technician's task very difficult.
Bogen and Dampier's paper presents the concept of a novel application of ontology/domain modeling (known as case domain modeling) as a structured approach for analyzing case facts, identifying the most relevant case concepts, determining the critical relationships between these concepts, and documenting this information. This method may be considered a foundational analytical technique in computer forensics that could serve as the basis for useful semi-automated tools. The approach sounds very interesting but, like many model-oriented papers, it lacks an implementation.
6.1 Anti-Forensic Tools
So far we have talked about what the scientific community is doing to improve digital forensics techniques and their management on a large scale. The Black Hat community, on the other hand, is researching tools and processes for obfuscating the data that investigators would like to analyze. At the Black Hat Conference 2005, the Metasploit Anti-Forensic Investigation Arsenal (MAFIA) was presented. It is a multilevel tool set which claims to be able to modify a range of information that is usually sought both in the survey phase and in the search & analysis phase. The Timestomp module, for example, was presented as the first tool able to modify all four NTFS timestamp values: modified, accessed, created, and entry modified (the modification time of the MFT entry itself). Note that Timestomp rewrites the timestamps stored in the $STANDARD_INFORMATION attribute of the MFT record, while the copies kept in the $FILE_NAME attribute are left untouched, which gives an examiner a point of comparison. Another component of MAFIA is Slacker, likewise presented as the first tool that allows you to hide files within the slack space of the NTFS file system, that is, the unused bytes between the end of a file's data and the end of its last allocated cluster.
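A practical check that follows from how Timestomp works, added here as an illustration and not part of the original text or of the MAFIA tool set: the original Timestomp rewrites the timestamps held in $STANDARD_INFORMATION but leaves the copies in $FILE_NAME untouched, and it sets times with whole-second precision, so the 100 ns fraction of a tampered FILETIME is zero. The Python below builds a constructed (not real) MFT record, parses both attributes and flags those two indicators. The record builder, the layout simplifications (fixups already applied, resident attributes only), the parent directory reference and the file name are assumptions made for the example.

```python
"""Timestomp indicators from an NTFS MFT record (added example, constructed data).

Two well-known heuristics:
  1. Timestomp rewrites $STANDARD_INFORMATION (type 0x10) but not the
     timestamp copies in $FILE_NAME (type 0x30); an $SI time earlier than
     its $FN counterpart is therefore suspicious.
  2. Timestomp sets times with one-second granularity, so the 100 ns
     fraction of a tampered FILETIME is exactly zero.
The record is CONSTRUCTED for this example: fixups are assumed already
applied and only resident attributes are present. Not a real disk image.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt, extra_100ns=0):
    """datetime -> FILETIME; extra_100ns adds the sub-microsecond ticks."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10 + extra_100ns


def resident_attr(attr_type, content):
    """Build a resident MFT attribute: 24-byte header, content, padded to 8 bytes."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0, 0, 0,
                      len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (length - 24 - len(content))


def build_record(si_times, fn_times, name="report.docx"):
    """Constructed MFT record: header, $STANDARD_INFORMATION, $FILE_NAME, end marker."""
    si = struct.pack("<4Q", *si_times) + b"\x00" * 16          # times, flags, versions
    fn = (struct.pack("<Q", 5)                                  # parent dir ref (made up)
          + struct.pack("<4Q", *fn_times)
          + b"\x00" * 24                                        # sizes, flags, reparse
          + bytes([len(name), 1])                               # name length, Win32 namespace
          + name.encode("utf-16-le"))
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)                  # offset of first attribute
    return (bytes(header) + resident_attr(STANDARD_INFORMATION, si)
            + resident_attr(FILE_NAME, fn) + struct.pack("<I", END_MARKER))


def parse_timestamps(record):
    """Walk the attribute list; return {'SI': [4 FILETIMEs], 'FN': [4 FILETIMEs]}."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record")
    offset = struct.unpack_from("<H", record, 0x14)[0]
    out = {}
    while True:
        attr_type = struct.unpack_from("<I", record, offset)[0]
        if attr_type == END_MARKER:
            break
        length = struct.unpack_from("<I", record, offset + 4)[0]
        content_len, content_off = struct.unpack_from("<IH", record, offset + 16)
        content = record[offset + content_off: offset + content_off + content_len]
        if attr_type == STANDARD_INFORMATION:
            out["SI"] = list(struct.unpack_from("<4Q", content, 0))
        elif attr_type == FILE_NAME:
            out["FN"] = list(struct.unpack_from("<4Q", content, 8))  # after parent ref
        offset += length
    return out


def timestomp_indicators(record):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    ts = parse_timestamps(record)
    findings = []
    for field, si, fn in zip(FIELDS, ts["SI"], ts["FN"]):
        if si % 10_000_000 == 0:
            findings.append(f"$SI {field} has a zero sub-second part: {filetime_to_datetime(si)}")
        if si < fn:
            findings.append(f"$SI {field} predates $FN {field}: "
                            f"{filetime_to_datetime(si)} < {filetime_to_datetime(fn)}")
    return findings


# Constructed sample: an untouched file, then the same file after Timestomp set
# all four $SI values to 2001-01-01 00:00:00 (whole seconds, $FN untouched).
GENUINE_TIMES = [datetime_to_filetime(datetime(2005, 7, 27, h, 15, 42, 123456, tzinfo=timezone.utc), 7)
                 for h in (9, 10, 10, 11)]
STOMPED = datetime_to_filetime(datetime(2001, 1, 1, tzinfo=timezone.utc))
GENUINE_RECORD = build_record(GENUINE_TIMES, GENUINE_TIMES)
STOMPED_RECORD = build_record([STOMPED] * 4, GENUINE_TIMES)

if __name__ == "__main__":
    for label, rec in (("genuine", GENUINE_RECORD), ("stomped", STOMPED_RECORD)):
        print(label, timestomp_indicators(rec) or ["no indicators"])
```

On a real image the record would come from the $MFT file after applying the update sequence (fixup) array, and the same two comparisons are what commercial and open-source MFT parsers report; neither indicator is proof on its own, since a zero fraction can also come from files copied off FAT media, and $FN can itself be refreshed by a move or rename.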
Obfuscation of this kind is clearly a problem, and not only at this level but at others as well. There are tools, in fact, that do the same thing as Slacker but