Selective and Intelligent Imaging Using Digital Evidence Bags
Presented by Ryan O’Donnell
Introduction
• Selective Imaging
• Intelligent Imaging
• Digital Evidence Bags
Current Method
Current methods use the bitstream image.
• Suitable for smaller sized sources
• Works for the majority of cases
• Is there anything better?
Selective Imaging (SI)
With this method the entire drive is NOT captured.
In some best practice guidelines (e.g. the UK Association of Chief Police Officers (ACPO) guidelines), selective imaging may be used as an alternative to the traditional bitstream imaging capture method.
Why use Selective Imaging?
• Large source (primary reason)
• Forensic triage
• Intelligence gathering
• Legal requirements
Selective Imaging Techniques
• Manual
  o The investigator chooses the exact files that are captured
• Semi-automatic
  o The investigator chooses categories (file extension, file hash, file signature, etc.)
• Automatic
  o The imager uses a configuration file for acquisition
Integrity of Selective Imaging - 1
To maintain the integrity of collected data, we must record all files and their provenance.
Provenance can be recorded by:
• physical sector location
• logical cluster location and offset
• folder location
Integrity of Selective Imaging - 2
Which is best? Keep in mind, the provenance must be:
• unique
• unambiguous
• concise
• repeatable
Integrity of Selective Imaging - 3
• Primary key: physical sectors
• Secondary key: logical clusters and offset
• Tertiary key: folder location
All keys should be documented, but use the appropriate key for your audience.
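The three provenance keys side by side, as an added example that is not part of the presentation: a constructed raw image with a FAT-style volume (reserved area, data area, first data cluster numbered 2, all assumptions) holds one fragmented file; the script records its physical sectors, its logical cluster chain and offset, and its folder path, then restores the file from the primary and secondary keys independently and checks that both yield exactly the bytes the full bitstream holds. The file contents, cluster chain and geometry are constructed for the demonstration.

```python
"""Provenance keys for a selectively imaged file: physical sector (primary key),
logical cluster and offset (secondary key), folder location (tertiary key).

Added example, not from the presentation. The raw image, the volume geometry
and the file's cluster chain are constructed here so the script runs offline;
the FAT-style layout (data area, first data cluster = 2) is an assumption."""
import hashlib

SECTOR = 512
VOL_START_SECTOR = 2048                      # constructed: volume begins at sector 2048
SECTORS_PER_CLUSTER = 8                      # constructed: 4 KiB clusters
DATA_START_SECTOR = VOL_START_SECTOR + 64     # constructed: reserved/FAT area is 64 sectors
FIRST_DATA_CLUSTER = 2                       # assumption: FAT numbers the first data cluster 2
CLUSTER = SECTOR * SECTORS_PER_CLUSTER

# Constructed sample: a 9988-byte file stored in the fragmented chain 5, 6, 9.
SAMPLE_FILE = bytes(range(256)) * 39 + b"tail"
SAMPLE_CHAIN = [5, 6, 9]
SAMPLE_PATH = "/Documents/report.doc"


def cluster_to_sector(cluster):
    """Logical cluster -> its first physical (device-absolute) sector."""
    return DATA_START_SECTOR + (cluster - FIRST_DATA_CLUSTER) * SECTORS_PER_CLUSTER


def build_image(file_bytes, chain):
    """Stand-in for the full bitstream: the file's clusters inside a zeroed device."""
    img = bytearray(SECTOR * (DATA_START_SECTOR + 256))
    for i, cl in enumerate(chain):
        part = file_bytes[i * CLUSTER:(i + 1) * CLUSTER]
        start = cluster_to_sector(cl) * SECTOR
        img[start:start + len(part)] = part
    return bytes(img)


def provenance(path, chain, size):
    """Record all three keys for a selected file; present the one that suits the audience."""
    return {
        "folder": path,                                       # tertiary: readable, but ambiguous
        "logical": {"clusters": list(chain), "offset": 0, "size": size},   # secondary
        "physical": [cluster_to_sector(c) + s                 # primary: unique on the device
                     for c in chain for s in range(SECTORS_PER_CLUSTER)],
    }


def restore_by_physical(img, sectors, size):
    """Rebuild the file from the primary key alone: no file-system knowledge needed."""
    return b"".join(img[s * SECTOR:(s + 1) * SECTOR] for s in sectors)[:size]


def restore_by_logical(img, clusters, offset, size):
    """Rebuild the file from the secondary key; needs the volume geometry to resolve."""
    data = b"".join(img[cluster_to_sector(c) * SECTOR:cluster_to_sector(c) * SECTOR + CLUSTER]
                    for c in clusters)
    return data[offset:offset + size]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_provenance(img, prov):
    """What the recorded keys restore must equal what the bitstream holds.
    Returns (both keys agree, hash of the restored bytes)."""
    size = prov["logical"]["size"]
    via_physical = restore_by_physical(img, prov["physical"], size)
    via_logical = restore_by_logical(img, prov["logical"]["clusters"],
                                     prov["logical"]["offset"], size)
    return via_physical == via_logical, sha256(via_physical)


def demo():
    img = build_image(SAMPLE_FILE, SAMPLE_CHAIN)
    prov = provenance(SAMPLE_PATH, SAMPLE_CHAIN, len(SAMPLE_FILE))
    agree, digest = check_provenance(img, prov)
    return prov, agree, digest


if __name__ == "__main__":
    prov, agree, digest = demo()
    print("physical sectors:", prov["physical"][:3], "...", len(prov["physical"]), "in total")
    print("logical:", prov["logical"]["clusters"], "folder:", prov["folder"])
    print("keys agree:", agree, "sha256:", digest)
```

The physical key is the longest of the three (24 sectors for a 3-cluster file) but resolves without any knowledge of the file system, which is why it is the primary key; the logical key is more concise but only repeatable if the volume geometry is recorded with it; the folder path is what a non-technical audience understands but says nothing about where the bytes came from.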
Intelligent Imaging
• Automatically images and processes the drive
• No need for a technologically proficient investigator
• Acquires all the information that would normally be relevant to the case
Intelligent Imaging Concerns
• How do you capture the knowledge of the technical experts who are familiar with the digital complexities, and of the legal domain experts, and combine the two?
• How do you know that you have captured everything relevant to the case under investigation, or have not missed evidence of other offences?
Digital Evidence Bags (DEB)
A DEB is a universal container for digital information from any source. It allows provenance to be recorded and provides continuity maintenance throughout the life of the exhibit.
DEB Overview Diagram
DEB Components
• tag file
• index files
• bag files
The index and bag files together are known as an Evidence Unit (EU).
DEB Framework
DEB Tag File
A plain text file made up of:
• DEB Header
• Evidence Units
• DEB Footer
  o records the number of EUs in the DEB; sealed with a hash
• Tag Continuity Blocks (TCB)
  o application function, signature and timestamp
Header File
• investigating officer
• creation timestamp
• evidence description
• index format, using metatags
Header Index Metatags
• Labels
  o file name, origin, attributes, command
• Timestamps
  o modified, accessed, created
• Numeric
  o sector, cluster, logical size, physical size
• Integrity
  o hash values
Tag File - Evidence Units
• Records all EUs
  o includes the integrity hash of both the index and bag files
• EU 0 is reserved for case notes
  o imager information: configuration, revision, hash, selection criteria
  o any case information
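The tag, index and bag relationship described on the DEB slides, as an added example that is not the presentation's or the DEB project's code: it assembles a plain-text tag with a header (officer, creation timestamp, description, index format), an EU 0 carrying the imager's case notes, a hash of index and bag for every further EU, a footer that records the EU count and is sealed with a hash, and a tag continuity block, then verifies the whole chain and shows two tampering attempts being caught. The field names, SHA-256 as the hash, and an HMAC under a constructed key standing in for the TCB signature are this example's assumptions, not the DEB specification; the acquired files and their metadata are constructed.

```python
"""Digital Evidence Bag (tag / index / bag) assembly and verification.

Added example, not code from the presentation or the DEB project. Layout follows
the slides: plain-text tag with header, evidence units, hash-sealed footer that
records the EU count, and a tag continuity block (TCB). Field names, SHA-256 and
the HMAC stand-in for the TCB signature are assumptions."""
import hashlib
import hmac

TCB_KEY = b"constructed-demo-key"   # assumption: a key held by the imaging application
CREATED = "2009-03-01T10:15:00Z"    # constructed timestamp so the output is repeatable
INDEX_FORMAT = ("label.filename,label.origin,label.attributes,label.command,"
                "timestamp.modified,timestamp.accessed,timestamp.created,"
                "numeric.sector,numeric.cluster,numeric.logical_size,"
                "numeric.physical_size,integrity.sha256")

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_index(meta, bag):
    """Index file for one bag: the metatags declared in the header, then the bag hash."""
    lines = [f"{k}={meta[k]}" for k in INDEX_FORMAT.split(",") if k in meta]
    lines.append(f"integrity.sha256={sha256(bag)}")
    return ("\n".join(lines) + "\n").encode()

def make_tag(officer, description, case_notes, units):
    """Tag file. units = [(index_bytes, bag_bytes), ...]; EU 0 holds the case notes."""
    body = ["[DEB Header]", f"investigating_officer={officer}", f"created={CREATED}",
            f"description={description}", f"index_format={INDEX_FORMAT}",
            "[EU 0]", f"index_sha256={sha256(case_notes)}"]
    for n, (idx, bag) in enumerate(units, start=1):
        body += [f"[EU {n}]", f"index_sha256={sha256(idx)}", f"bag_sha256={sha256(bag)}"]
    sealed = "\n".join(body)
    footer = f"[DEB Footer]\neu_count={len(units) + 1}\nseal_sha256={sha256(sealed.encode())}"
    signed = sealed + "\n" + footer                   # everything the TCB signs
    sig = hmac.new(TCB_KEY, signed.encode(), "sha256").hexdigest()
    return signed + f"\n[TCB]\nfunction=acquire\ntimestamp={CREATED}\nsignature={sig}\n"

def parse_sections(text):
    """'[Name]' lines start sections; key=value lines fill them."""
    sections, cur = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[cur][key] = value
    return sections

def verify_deb(tag, case_notes, units):
    """Re-derive every hash in the tag from the index and bag bytes held now."""
    s = parse_sections(tag)
    if not all(k in s for k in ("TCB", "DEB Footer", "EU 0")):
        return False
    signed = tag[:tag.index("\n[TCB]")]
    want = hmac.new(TCB_KEY, signed.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(s["TCB"].get("signature", ""), want):
        return False                                  # continuity block does not verify
    sealed = tag[:tag.index("\n[DEB Footer]")]
    if s["DEB Footer"].get("seal_sha256") != sha256(sealed.encode()):
        return False                                  # footer seal broken
    if s["DEB Footer"].get("eu_count") != str(len(units) + 1):
        return False                                  # an EU was added or dropped
    if s["EU 0"].get("index_sha256") != sha256(case_notes):
        return False
    for n, (idx, bag) in enumerate(units, start=1):
        eu = s.get(f"EU {n}", {})
        if eu.get("index_sha256") != sha256(idx) or eu.get("bag_sha256") != sha256(bag):
            return False                              # index or bag changed since acquisition
        if f"integrity.sha256={sha256(bag)}".encode() not in idx:
            return False                              # index no longer describes this bag
    return True

def demo():
    """Constructed two-file acquisition, then two tampering attempts."""
    case_notes = b"imager=deb-demo\nrevision=0.1\nselection_criteria=extension in {doc,xls}\n"
    files = [({"label.filename": "report.doc", "label.origin": "/dev/sda volume 1",
               "label.command": "selective:manual", "timestamp.modified": "2009-02-27T18:02:11Z",
               "numeric.sector": "2136", "numeric.cluster": "5",
               "numeric.logical_size": "9988", "numeric.physical_size": "12288"},
              bytes(range(256)) * 39 + b"tail"),
             ({"label.filename": "budget.xls", "label.origin": "/dev/sda volume 1",
               "label.command": "selective:semi-automatic(extension)",
               "numeric.sector": "2200", "numeric.cluster": "13",
               "numeric.logical_size": "4", "numeric.physical_size": "4096"},
              b"\xd0\xcf\x11\xe0")]
    units = [(make_index(m, b), b) for m, b in files]
    tag = make_tag("DC Example", "constructed selective image of /dev/sda", case_notes, units)
    ok = verify_deb(tag, case_notes, units)
    # 1. a bag is altered after acquisition: its hashes in index and tag no longer match
    altered = [(units[0][0], units[0][1][:-1] + b"!")] + units[1:]
    bag_tampered = verify_deb(tag, case_notes, altered)
    # 2. the tag's EU entry is edited to cover it: the TCB signature (and footer seal) fail
    edited = tag.replace(sha256(units[0][1]), sha256(altered[0][1]))
    tag_tampered = verify_deb(edited, case_notes, altered)
    return tag, ok, bag_tampered, tag_tampered

if __name__ == "__main__":
    tag, ok, bag_tampered, tag_tampered = demo()
    print(tag)
    print("intact:", ok, "bag altered:", bag_tampered, "tag edited:", tag_tampered)
```

The checks run from the outside in: the TCB signature covers the footer, the footer seal covers the header and every EU entry, and each EU entry covers its index and bag. Changing a bag fails at the innermost level; rewriting the tag to hide the change fails at the seal and, without the signing key, at the TCB, which is what gives the exhibit continuity over its life.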
Imager Configuration File
DEB Tag File Example
DEB Diagram
Evidence Unit Detail
The Ultimate Test
There must be sufficient information about the provenance so that, when the captured data is restored, it is identical to what would have been acquired with a bitstream image.
Conclusion
The container is key to selectively capturing data.
Utilizing these methods provides structure in investigations with vast amounts of information.