250 likes | 374 Vues
Selective and Intelligent Imaging Using Digital Evidence Bags. Presented by Ryan O’Donnell. Introduction. Selective Imaging Intelligent Imaging Digital Evidence Bags. Current Method. Current methods use the bitstream image Suitable for smaller sized sources Works for the majority of cases
 
                
                E N D
Selective and Intelligent Imaging Using Digital Evidence Bags Presented by Ryan O’Donnell
Introduction • Selective Imaging • Intelligent Imaging • Digital Evidence Bags
Current Method Current methods use the bitstream image • Suitable for smaller sized sources • Works for the majority of cases • Is there anything better?
Selective Imaging (SI) With this method the entire drive is NOT captured. In some best practice guidelines (ACPO) selective imaging may be used as an alternative to the traditional bitstream imaging capture method
Why use Selective Imaging? • large source (primary reason) • forensic triage • intelligence gathering • legal requirements
Selective Imaging Techniques • Manual • choose exact files that are captured • Semi-Automatic • choose categories (file extensions, file hash, file signature, etc) • Automatic • imager uses configuration for acquisition
Integrity of Selective Imaging -1 To maintain integrity of collected data, we must record all files and their provenance. Provenance can be recorded by • physical sector location • logical cluster location and offset • folder location
Integrity of Selective Imaging -2 Which is best? Keep in mind, the provenance must be • unique • unambiguous • concise • repeatable
Integrity of Selective Imaging -3 • Primary key- physical sectors • Secondary key- logical clusters and offset • Tertiary key- folder location All keys should be documented, but use the appropriate key for your audience.
Intelligent Imaging • Automatically images and processes drive • No need for technologically proficient investigator • Acquires all relevant information that would normally be relevant to the case
Intelligent Imaging Concerns • How do you go about capturing the knowledge of the technical experts that are familiar with digital technical complexities and legal domain experts and combine them? • How do you know that you have captured everything relevant to the case under investigation or have not missed evidence of other offences?
Digital Evidence Bags (DEB) DEB is a universal container for digital information from any source. They allow provenance to be recorded and provide continuity maintenance throughout the life of the exhibit.
DEB Components • tag file • index files • bag files The index and bag files together are known as an Evidence Unit (EU).
DEB Tag file A plain text file made up of • DEB Header • Evidence Units • DEB Footer • records the number of EU in the DEB; sealed with hash • Tag continuity blocks (TCB) • application function, signature and timestamp
Header File • investigating officer • creation timestamp • evidence description • Index format using metatags
Header Index Metatags • Labels • file name, origin, attributes, command • Timestamps • modified, accessed, created • Numeric • sector, cluster, logical size, physical size • Integrity • hash values
Tag File - Evidence Units • records all EUs • includes integrity hash of both index and bag files • EU 0 is reserved for case notes • imager information • configuration, revision, hash, selection criteria • any case information
The Ultimate Test There must be sufficient information about the provenance so when restored it is identical to what would have been acquired with a bitstream image
Conclusion The container is key to selectively capturing data. Utilizing these methods provides structure in investigations with vast amounts of information.