SlideShare a Scribd company logo

Digital Forensics by William C. Barker (NIST)

Download as PPTX, PDF
AltheimPrivacy
AltheimPrivacy
Business
1 of 13
Digital Forensics NIST Information Technology Laboratory William C Barker October 23, 2012 Forensic science is generally defined as the application of science to the law.
Examples of digital forensic Some examples of data types: evidence: • Standard computer systems • Electronic mail messages • Networking equipment • Video/photo/audio attachments • Computing peripherals • Unstructured data • Mobile devices • Protocol information such as • Consumer electronic devices IP addresses • GPS data • Various types of media • Cell phone data • Metadata • Internet history • Deleted data residues in various types of IT devices. 2
Some Uses of Digital Forensics Techniques • Investigating crimes and internal policy violations, • Pre-trial e-discovery in civil litigations, • Reconstructing computer security incidents, • Troubleshooting operational problems, and • Recovering from accidental system damage. 3
Performing Digital Forensics Phases specified in NIST’s Guide To Integrating Forensic Techniques Into Incident Response • Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data. • Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data. • Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination. • Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process. 4
Policies and Procedures for Digital Forensics • Organizations should ensure that their policies contain clear statements addressing all major forensic considerations, such as contacting law enforcement, performing monitoring, and conducting regular reviews of forensic policies and procedures. • Organizations should create and maintain procedures and guidelines for performing forensic tasks, based on the organization’s policies and all applicable laws and regulations. • Organizations should ensure that their policies and procedures support the reasonable and appropriate use of forensic tools. Policies and procedures should clearly explain what forensic actions should and should not be performed under various circumstances, as well as describing the necessary safeguards for sensitive information that might be recorded by forensic tools, such as passwords, personal data, and the contents of e-mails. • Legal advisors should carefully review all forensic policy and high-level procedures. • Organizations should ensure that their IT professionals are prepared to participate in forensic activities.IT professionals throughout an organization, especially incident handlers and other first responders to incidents, should understand their roles and responsibilities for forensics, receive training and education on forensics-related policies and procedures. 5
Chain of Evidence Maintaining source and content integrity of forensics information Electronic authentication, access control mechanisms, and audit trails are needed for: • Control of forensic data • To record generation of forensic data • Access to forensic data • Change management for forensic data. Cryptographic technologies such as time stamped digital signature or signed hashes, can be employed to identify the source of forensic data, establish the time(s) at which each access to the data occurred and by whom, and whether or not modifications to the information has occurred (and, if so, at which point in the chain). 6
Overview of Existing NIST Computer Forensics Work Overall NIST ITL Forensics Program Lead: Martin Herman, martin.herman@nist.gov http://www.nist.gov/itl/ssd/computerforensics.cfm. Current Projects: – Computer Forensics Tool Testing (including mobile device tool testing) – National Software Reference Library, and – Computer Forensic Reference Data Sets. Initiating projects on: – Performing forensics as part of incident response – Cloud forensics (e.g., when a cloud computing environment is used by criminals for their illegal activities such as child pornography, or when there is an attack on a cloud computing). Privacy is a huge 7 issue here because clouds are typically multi-tenants.
Computer Forensics Tool Testing (CFTT) • Goal: Establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware. • The Computer Forensics Tool Testing Project Handbook is now available in PDF format for downloading (http://www.cftt.nist.gov/CFTT-Booklet- Revised-02012012.pdf). • A description of NIST mobile device forensics tool testing activity is now available at (http://www.cftt.nist.gov/documents/MobileDeviceForensics- MFW08.pdf). Rick Ayers (richard.ayers@nist.gov) is a good resource for additional information on this topic. 8
Sample Case: Problems Facing Deleted Files Recovery Tools (http://www.cftt.nist.gov/DFR-req-1.1-pd-01.pdf) • The files that have been deleted have to be identified and located. Although this could be as simple as scanning directory entries for a particular key (e.g. ‘0xE5’ in Fat 32), it may be a more complex process. • From a file system perspective, the data to be recovered is latent, and needs the assistance of a tool to recover the data. As with most other latent data recovery, since the results depend on the output of a particular tool, the tool must be shown to operate correctly (i.e., undelete files correctly). • The potential uncertainty present in any recovery effort leads to a reduced level of confidence in the information recovered. Specifically with deleted file recovery, the data recovered may be commingled with data from other deleted files, allocated files, or even from non- 9 allocated space.
National Software Reference Library (NSRL) Goal: Promote efficient and effective use of computer technology in the investigation of crimes involving computers. • The Reference Data Set (RDS) is a collection of digital signatures of known, traceable software applications . • The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into Reference Data Sets of information. • The NSRL RDS is released four times each year - in March, June, September and December. The current release, June 2012 RDS 2.37, contains 26,911,012 unique entries. 10
Computer Forensic Reference Data Sets(CFReDS) • Computer Forensic Reference Data Sets provide to an investigator documented sets of simulated digital evidence for examination. • Applications for Computer Forensic Reference Data Sets: - Data sets for tool testing need to be completely documented. The user of the data set needs to know exactly what is in the data set and where it is located. These data sets should also provide specification for a set of explicit tests. Examples of focused function areas are string searching, deleted file recovery and email extraction. - Data sets for equipment check out need to focus on issues in acquisition, access and restoration of data. These data sets might need to have a strong procedural component. - Data sets for staff training are primarily investigation scenario based tests intended to give a real flavor to the data set (similar to the data sets for proficiency testing). - Proficiency Testing and Skill Testing data sets are primarily investigation scenario based tests designed to give a real flavor to the data set (for example, a data set that would require the examiner to demonstrate some system skill such as loading a new font onto an analysis computer). 11
Some Other NIST Computer Forensics Publications Guide to SIMfill Use and Development, NIST IR-7658, February 2010, Wayne Jansen, AurelienDelaitre. Mobile Forensic Reference Materials: A Methodology and Reification, NIST IR-7617, October 2009, Wayne Jansen, AurélienDelaitre. Forensic Protocol Filtering of Phone Managers, International Conference on Security and Management (SAM'08), July 2008. Wayne Jansen, AurelienDelaitre Overcoming Impediments to Cell Phone Forensics, Hawaii International Conference on System Sciences (HICSS), January 2008. Wayne Jansen, AurelienDelaitre, LudovicMoenner. Reference Material for Assessing Forensic SIM Tools, International Carnahan Conference on Security Technology, October 2007. Wayne Jansen, AurelienDelaitre. Guidelines on Cell Phone Forensics, SP 800-101, May 2007, Wayne Jansen, Rick Ayers. Cell Phone Forensic Tools: An Overview and Analysis Update, NISTIR 7387, March 2007. Rick Ayers, Wayne Jansen, LudovicMoenner, AurelienDelaitre. Guide to Integrating Forensic Techniques into Incident Response, SP 800-86, August 2006, Karen Kent, Suzanne Chevalier, Tim Grance, Hung Dang. Forensic Software Tools for Cell Phone Subscriber Identity Modules, Conference on Digital Forensics, Association of Digital Forensics, Security, and Law (ADFSL), April 2006. Wayne Jansen, Rick Ayers. Cell Phone Forensic Tools: An Overview and Analysis, NISTIR 7250, October 2005. Rick Ayers, Wayne Jansen, Nicolas Cilleros, Ronan Daniellou. An Overview and Analysis of PDA Forensic Tools, Digital Investigation, The International Journal of Digital Forensics and Incident Response, Volume 2, Issue 2, April 2005. Wayne Jansen, Rick Ayers. Guidelines on PDA Forensics, SP 800-72, November 2004. Wayne Jansen, Rick Ayers. PDA Forensic Tools: An Overview and Analysis, NISTIR 7100, August 2004. Rick Ayers, Wayne Jansen. 12
Digital Forensics by William C. Barker (NIST)

Recommended

Digital forensics
Digital forensicsDigital forensics
Digital forensicsVidoushi B-Somrah
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensiknewbie2019
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedurenewbie2019
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
Email Forensics
Email ForensicsEmail Forensics
Email ForensicsGol D Roger
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 

Recommended

Digital forensics
Digital forensicsDigital forensics
Digital forensicsVidoushi B-Somrah
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensiknewbie2019
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedurenewbie2019
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
Email Forensics
Email ForensicsEmail Forensics
Email ForensicsGol D Roger
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsMithileysh Sathiyanarayanan
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDr Raghu Khimani
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Anpumathews
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - NotesKranthi
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
Digital forensics ahmed emam
Digital forensics ahmed emamDigital forensics ahmed emam
Digital forensics ahmed emamahmad abdelhafeez
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1Manu Mathew Cherian
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensicspranjal dutta
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxBhupeshkumar Nanhe
 
E mail Investigation
E mail InvestigationE mail Investigation
E mail InvestigationDr Raghu Khimani
 
Computer Forensic
Computer ForensicComputer Forensic
Computer ForensicNovizul Evendi
 
Computer forencis
Computer forencisComputer forencis
Computer forencisTeja Bheemanapally
 
cyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemscyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemsMayank Diwakar
 

More Related Content

What's hot

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDr Raghu Khimani
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Anpumathews
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - NotesKranthi
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
Digital forensics ahmed emam
Digital forensics ahmed emamDigital forensics ahmed emam
Digital forensics ahmed emamahmad abdelhafeez
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxBhupeshkumar Nanhe
 

What's hot (20)

CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - Notes
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Digital forensics ahmed emam
Digital forensics ahmed emamDigital forensics ahmed emam
Digital forensics ahmed emam
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptx
 
E mail Investigation
E mail InvestigationE mail Investigation
E mail Investigation
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 

Similar to Digital Forensics by William C. Barker (NIST)

cyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemscyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemsMayank Diwakar
 
Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsParaben Corporation
 
Digital forensic
Digital forensicDigital forensic
Digital forensicChandan Sah
 
Review on Computer Forensic
Review on Computer ForensicReview on Computer Forensic
Review on Computer ForensicEditor IJCTER
 
DIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONDIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONAmina Baha
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Stepsgamemaker762
 
Malware analysis
Malware analysisMalware analysis
Malware analysisAnne ndolo
 
Network and computer forensics
Network and computer forensicsNetwork and computer forensics
Network and computer forensicsJohnson Ubah
 
Applying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital EvidenceApplying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital EvidenceDr. Richard Otieno
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemCSCJournals
 

Similar to Digital Forensics by William C. Barker (NIST) (20)

Computer forencis
Computer forencisComputer forencis
Computer forencis
 
cyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemscyber law and forensics,biometrics systems
cyber law and forensics,biometrics systems
 
180 184
180 184180 184
180 184
 
Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic tools
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Digital forensic
Digital forensicDigital forensic
Digital forensic
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
 
Review on Computer Forensic
Review on Computer ForensicReview on Computer Forensic
Review on Computer Forensic
 
DIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONDIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATION
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
 
Cyber forensics and auditing
Cyber forensics and auditingCyber forensics and auditing
Cyber forensics and auditing
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Network and computer forensics
Network and computer forensicsNetwork and computer forensics
Network and computer forensics
 
Applying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital EvidenceApplying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital Evidence
 
CF.ppt
CF.pptCF.ppt
CF.ppt
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic System
 
SFScon19 - Alessandro Farina - Open Source Forensics
SFScon19 - Alessandro Farina - Open Source ForensicsSFScon19 - Alessandro Farina - Open Source Forensics
SFScon19 - Alessandro Farina - Open Source Forensics
 

More from AltheimPrivacy

Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)AltheimPrivacy
 
NYCLA Privacy CLE_october_1_2014_presentation
NYCLA Privacy CLE_october_1_2014_presentationNYCLA Privacy CLE_october_1_2014_presentation
NYCLA Privacy CLE_october_1_2014_presentationAltheimPrivacy
 
Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy
Ripped from the Headlines: Cautionary Tales from the Annals of Data PrivacyRipped from the Headlines: Cautionary Tales from the Annals of Data Privacy
Ripped from the Headlines: Cautionary Tales from the Annals of Data PrivacyAltheimPrivacy
 
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...AltheimPrivacy
 
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...AltheimPrivacy
 
How to Hide Your Page "Likes" from Facebook Graph Search and Social Ads
How to Hide Your Page "Likes" from Facebook Graph Search and Social AdsHow to Hide Your Page "Likes" from Facebook Graph Search and Social Ads
How to Hide Your Page "Likes" from Facebook Graph Search and Social AdsAltheimPrivacy
 
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...AltheimPrivacy
 
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...AltheimPrivacy
 
Three Easy Steps To Basic Privacy/Security on Facebook
Three Easy Steps To Basic Privacy/Security on FacebookThree Easy Steps To Basic Privacy/Security on Facebook
Three Easy Steps To Basic Privacy/Security on FacebookAltheimPrivacy
 
Cross Border Ediscovery vs. EU Data Protection at LegalTech West Coast
Cross Border Ediscovery vs. EU Data Protection at LegalTech West Coast Cross Border Ediscovery vs. EU Data Protection at LegalTech West Coast
Cross Border Ediscovery vs. EU Data Protection at LegalTech West CoastAltheimPrivacy
 
Facebook New Changes 2011
Facebook New Changes 2011Facebook New Changes 2011
Facebook New Changes 2011AltheimPrivacy
 

More from AltheimPrivacy (11)

Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
 
NYCLA Privacy CLE_october_1_2014_presentation
NYCLA Privacy CLE_october_1_2014_presentationNYCLA Privacy CLE_october_1_2014_presentation
NYCLA Privacy CLE_october_1_2014_presentation
 
Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy
Ripped from the Headlines: Cautionary Tales from the Annals of Data PrivacyRipped from the Headlines: Cautionary Tales from the Annals of Data Privacy
Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy
 
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
 
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
 
How to Hide Your Page "Likes" from Facebook Graph Search and Social Ads
How to Hide Your Page "Likes" from Facebook Graph Search and Social AdsHow to Hide Your Page "Likes" from Facebook Graph Search and Social Ads
How to Hide Your Page "Likes" from Facebook Graph Search and Social Ads
 
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
 
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
 
Three Easy Steps To Basic Privacy/Security on Facebook
Three Easy Steps To Basic Privacy/Security on FacebookThree Easy Steps To Basic Privacy/Security on Facebook
Three Easy Steps To Basic Privacy/Security on Facebook
 
Cross Border Ediscovery vs. EU Data Protection at LegalTech West Coast
Cross Border Ediscovery vs. EU Data Protection at LegalTech West Coast Cross Border Ediscovery vs. EU Data Protection at LegalTech West Coast
Cross Border Ediscovery vs. EU Data Protection at LegalTech West Coast
 
Facebook New Changes 2011
Facebook New Changes 2011Facebook New Changes 2011
Facebook New Changes 2011
 

Recently uploaded

MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...ssuserf63bd7
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxappkodes
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Send Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSendBig4
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
Pitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business ProposalPitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business ProposalEvelina300651
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 

Recently uploaded (20)

MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in Philippines
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptx
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Send Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.com
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
Pitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business ProposalPitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business Proposal
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 

Digital Forensics by William C. Barker (NIST)

  • 1. Digital Forensics NIST Information Technology Laboratory William C Barker October 23, 2012 Forensic science is generally defined as the application of science to the law.
  • 2. Examples of digital forensic Some examples of data types: evidence: • Standard computer systems • Electronic mail messages • Networking equipment • Video/photo/audio attachments • Computing peripherals • Unstructured data • Mobile devices • Protocol information such as • Consumer electronic devices IP addresses • GPS data • Various types of media • Cell phone data • Metadata • Internet history • Deleted data residues in various types of IT devices. 2
  • 3. Some Uses of Digital Forensics Techniques • Investigating crimes and internal policy violations, • Pre-trial e-discovery in civil litigations, • Reconstructing computer security incidents, • Troubleshooting operational problems, and • Recovering from accidental system damage. 3
  • 4. Performing Digital Forensics Phases specified in NIST’s Guide To Integrating Forensic Techniques Into Incident Response • Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data. • Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data. • Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination. • Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process. 4
  • 5. Policies and Procedures for Digital Forensics • Organizations should ensure that their policies contain clear statements addressing all major forensic considerations, such as contacting law enforcement, performing monitoring, and conducting regular reviews of forensic policies and procedures. • Organizations should create and maintain procedures and guidelines for performing forensic tasks, based on the organization’s policies and all applicable laws and regulations. • Organizations should ensure that their policies and procedures support the reasonable and appropriate use of forensic tools. Policies and procedures should clearly explain what forensic actions should and should not be performed under various circumstances, as well as describing the necessary safeguards for sensitive information that might be recorded by forensic tools, such as passwords, personal data, and the contents of e-mails. • Legal advisors should carefully review all forensic policy and high-level procedures. • Organizations should ensure that their IT professionals are prepared to participate in forensic activities.IT professionals throughout an organization, especially incident handlers and other first responders to incidents, should understand their roles and responsibilities for forensics, receive training and education on forensics-related policies and procedures. 5
  • 6. Chain of Evidence Maintaining source and content integrity of forensics information Electronic authentication, access control mechanisms, and audit trails are needed for: • Control of forensic data • To record generation of forensic data • Access to forensic data • Change management for forensic data. Cryptographic technologies such as time stamped digital signature or signed hashes, can be employed to identify the source of forensic data, establish the time(s) at which each access to the data occurred and by whom, and whether or not modifications to the information has occurred (and, if so, at which point in the chain). 6
  • 7. Overview of Existing NIST Computer Forensics Work Overall NIST ITL Forensics Program Lead: Martin Herman, martin.herman@nist.gov http://www.nist.gov/itl/ssd/computerforensics.cfm. Current Projects: – Computer Forensics Tool Testing (including mobile device tool testing) – National Software Reference Library, and – Computer Forensic Reference Data Sets. Initiating projects on: – Performing forensics as part of incident response – Cloud forensics (e.g., when a cloud computing environment is used by criminals for their illegal activities such as child pornography, or when there is an attack on a cloud computing). Privacy is a huge 7 issue here because clouds are typically multi-tenants.
  • 8. Computer Forensics Tool Testing (CFTT) • Goal: Establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware. • The Computer Forensics Tool Testing Project Handbook is now available in PDF format for downloading (http://www.cftt.nist.gov/CFTT-Booklet- Revised-02012012.pdf). • A description of NIST mobile device forensics tool testing activity is now available at (http://www.cftt.nist.gov/documents/MobileDeviceForensics- MFW08.pdf). Rick Ayers (richard.ayers@nist.gov) is a good resource for additional information on this topic. 8
  • 9. Sample Case: Problems Facing Deleted Files Recovery Tools (http://www.cftt.nist.gov/DFR-req-1.1-pd-01.pdf) • The files that have been deleted have to be identified and located. Although this could be as simple as scanning directory entries for a particular key (e.g. ‘0xE5’ in Fat 32), it may be a more complex process. • From a file system perspective, the data to be recovered is latent, and needs the assistance of a tool to recover the data. As with most other latent data recovery, since the results depend on the output of a particular tool, the tool must be shown to operate correctly (i.e., undelete files correctly). • The potential uncertainty present in any recovery effort leads to a reduced level of confidence in the information recovered. Specifically with deleted file recovery, the data recovered may be commingled with data from other deleted files, allocated files, or even from non- 9 allocated space.
  • 10. National Software Reference Library (NSRL) Goal: Promote efficient and effective use of computer technology in the investigation of crimes involving computers. • The Reference Data Set (RDS) is a collection of digital signatures of known, traceable software applications . • The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into Reference Data Sets of information. • The NSRL RDS is released four times each year - in March, June, September and December. The current release, June 2012 RDS 2.37, contains 26,911,012 unique entries. 10
  • 11. Computer Forensic Reference Data Sets(CFReDS) • Computer Forensic Reference Data Sets provide to an investigator documented sets of simulated digital evidence for examination. • Applications for Computer Forensic Reference Data Sets: - Data sets for tool testing need to be completely documented. The user of the data set needs to know exactly what is in the data set and where it is located. These data sets should also provide specification for a set of explicit tests. Examples of focused function areas are string searching, deleted file recovery and email extraction. - Data sets for equipment check out need to focus on issues in acquisition, access and restoration of data. These data sets might need to have a strong procedural component. - Data sets for staff training are primarily investigation scenario based tests intended to give a real flavor to the data set (similar to the data sets for proficiency testing). - Proficiency Testing and Skill Testing data sets are primarily investigation scenario based tests designed to give a real flavor to the data set (for example, a data set that would require the examiner to demonstrate some system skill such as loading a new font onto an analysis computer). 11
  • 12. Some Other NIST Computer Forensics Publications Guide to SIMfill Use and Development, NIST IR-7658, February 2010, Wayne Jansen, AurelienDelaitre. Mobile Forensic Reference Materials: A Methodology and Reification, NIST IR-7617, October 2009, Wayne Jansen, AurélienDelaitre. Forensic Protocol Filtering of Phone Managers, International Conference on Security and Management (SAM'08), July 2008. Wayne Jansen, AurelienDelaitre Overcoming Impediments to Cell Phone Forensics, Hawaii International Conference on System Sciences (HICSS), January 2008. Wayne Jansen, AurelienDelaitre, LudovicMoenner. Reference Material for Assessing Forensic SIM Tools, International Carnahan Conference on Security Technology, October 2007. Wayne Jansen, AurelienDelaitre. Guidelines on Cell Phone Forensics, SP 800-101, May 2007, Wayne Jansen, Rick Ayers. Cell Phone Forensic Tools: An Overview and Analysis Update, NISTIR 7387, March 2007. Rick Ayers, Wayne Jansen, LudovicMoenner, AurelienDelaitre. Guide to Integrating Forensic Techniques into Incident Response, SP 800-86, August 2006, Karen Kent, Suzanne Chevalier, Tim Grance, Hung Dang. Forensic Software Tools for Cell Phone Subscriber Identity Modules, Conference on Digital Forensics, Association of Digital Forensics, Security, and Law (ADFSL), April 2006. Wayne Jansen, Rick Ayers. Cell Phone Forensic Tools: An Overview and Analysis, NISTIR 7250, October 2005. Rick Ayers, Wayne Jansen, Nicolas Cilleros, Ronan Daniellou. An Overview and Analysis of PDA Forensic Tools, Digital Investigation, The International Journal of Digital Forensics and Incident Response, Volume 2, Issue 2, April 2005. Wayne Jansen, Rick Ayers. Guidelines on PDA Forensics, SP 800-72, November 2004. Wayne Jansen, Rick Ayers. PDA Forensic Tools: An Overview and Analysis, NISTIR 7100, August 2004. Rick Ayers, Wayne Jansen. 12

Editor's Notes

  1. Regardless of the data sources, effective use of forensic information requires maintaining the source and content integrity of the information - that is, maintaining the integrity of the chain of evidence. Electronic authentication, access control mechanisms, and audit trails are needed to control and record generation of, access to, and change management for forensic data. Cryptographic technologies such as time stamped digital signature or signed hashes, can be employed to identify the source of forensic data, establish the time(s) at which each access to the data occurred and by whom, and whether or not modifications to the information has occurred (and, if so, at which point in the chain).
  2. Existing computer forensics work in NIST’s Information Technology Laboratory includes Computer Forensics Tool Testing (including mobile device tool testing), the National Software Reference Library, and Computer Forensic Reference Data Sets. The forensics program manager at the Information Technology Laboratory is also interested in initiating more work in cybersecurity forensics, which involves performing forensics as part of incident response. The Laboratory is also starting a project in cloud forensics, which involves forensics activities when a cloud computing environment is used by criminals for their illegal activities (e.g., child pornography), or when there is an attack on a cloud computing system and we want to use forensics as part of incident response. Certainly privacy is a huge issue here because clouds are typically multi-tenants. The overall NIST Information Technology Laboratory forensics program is coordinated by Dr. Martin Herman.
  3. There is a critical need in the law enforcement community to ensure the reliability of computer forensic tools. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools capabilities. A capability is required to ensure that forensic software tools consistently produce accurate and objective test results. Our approach for testing computer forensic tools is based on well-recognized international methodologies for conformance testing and quality testing.   Frequently during a forensic examination, data is discovered on the target media that is not part of any active or visible file. Although this data can still be examined such as by string searching, if the data associated with a particular file could be identified and recovered in its original form, this could provide additional useful information. An example of this would be where a graphics file, if undeleted and recovered, could be viewed—potentially providing more information than a simple string search.
  4. Many of the forensic tools used by investigators identify files that have been deleted, and allow the operator to undelete them. This may allow the investigator to examine the file in the original format such as a graphics file viewer, or identify when a particular file was deleted and its original location. To reconstruct deleted files within a forensic setting, three fundamental problems have to be addressed by a deleted file recovery (DFR) tool. A NIST document Active File Identification & Deleted File Recovery Tool Specification, currently out for public comment, defines functional requirements for tools used within forensic investigations to address these issues associated with identifying active files, deleted files and to reconstruct deleted files.
  5. The National Software Reference Library project is supported by the U.S. National Institute of Justice and by Federal, state, and local law enforcement organizations.The Reference Data Sets can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles, or “hashes” in the sets. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations. There are application hash values which may be considered malicious in the profiles, such as for steganography tools and hacking scripts, but there are no hash values of illicit data, such as child abuse images.
  6. NIST is also developing Computer Forensic Reference Data Sets for digital evidence.. Since the sets would have documented contents, such as target search strings seeded in known locations of reference data sets, investigators could compare the results of searches for the target strings with the known placement of the strings.Investigators could use these sets in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation.The site contains test images and resources to aid in creating tailored test images. These aids will be in the form of interesting data files, software tools and procedures for specific tasks.The four most obvious applications for these data sets are testing forensic tools, establishing that lab equipment is functioning properly, testing  proficiency in specific skills, and training laboratory staff. Each type of data set has slightly different requirements, and most data sets can be used for more than one function.Prototype data sets are available for public comment. For more information contact Jim Lyle at jlyle@nist.gov.