1 / 25

Selective and Intelligent Imaging Using Digital Evidence Bags

Selective and Intelligent Imaging Using Digital Evidence Bags. Presented by Ryan O’Donnell. Introduction. Selective Imaging Intelligent Imaging Digital Evidence Bags. Current Method. Current methods use the bitstream image Suitable for smaller sized sources Works for the majority of cases

torn
Download Presentation

Selective and Intelligent Imaging Using Digital Evidence Bags

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Selective and Intelligent Imaging Using Digital Evidence Bags Presented by Ryan O’Donnell

  2. Introduction • Selective Imaging • Intelligent Imaging • Digital Evidence Bags

  3. Current Method Current methods use the bitstream image • Suitable for smaller sized sources • Works for the majority of cases • Is there anything better?

  4. Selective Imaging (SI) With this method the entire drive is NOT captured. In some best practice guidelines (ACPO) selective imaging may be used as an alternative to the traditional bitstream imaging capture method

  5. Why use Selective Imaging? • large source (primary reason) • forensic triage • intelligence gathering • legal requirements

  6. Selective Imaging Techniques • Manual • choose exact files that are captured • Semi-Automatic • choose categories (file extensions, file hash, file signature, etc) • Automatic • imager uses configuration for acquisition

  7. Integrity of Selective Imaging -1 To maintain integrity of collected data, we must record all files and their provenance. Provenance can be recorded by • physical sector location • logical cluster location and offset • folder location

  8. Integrity of Selective Imaging -2 Which is best? Keep in mind, the provenance must be • unique • unambiguous • concise • repeatable

  9. Integrity of Selective Imaging -3 • Primary key- physical sectors • Secondary key- logical clusters and offset • Tertiary key- folder location All keys should be documented, but use the appropriate key for your audience.

  10. Intelligent Imaging • Automatically images and processes drive • No need for technologically proficient investigator • Acquires all relevant information that would normally be relevant to the case

  11. Intelligent Imaging Concerns • How do you go about capturing the knowledge of the technical experts that are familiar with digital technical complexities and legal domain experts and combine them? • How do you know that you have captured everything relevant to the case under investigation or have not missed evidence of other offences?

  12. Digital Evidence Bags (DEB) DEB is a universal container for digital information from any source. They allow provenance to be recorded and provide continuity maintenance throughout the life of the exhibit.

  13. DEB Overview Diagram

  14. DEB Components • tag file • index files • bag files The index and bag files together are known as an Evidence Unit (EU).

  15. DEB Framework

  16. DEB Tag file A plain text file made up of • DEB Header • Evidence Units • DEB Footer • records the number of EU in the DEB; sealed with hash • Tag continuity blocks (TCB) • application function, signature and timestamp

  17. Header File • investigating officer • creation timestamp • evidence description • Index format using metatags

  18. Header Index Metatags • Labels • file name, origin, attributes, command • Timestamps • modified, accessed, created • Numeric • sector, cluster, logical size, physical size • Integrity • hash values

  19. Tag File - Evidence Units • records all EUs • includes integrity hash of both index and bag files • EU 0 is reserved for case notes • imager information • configuration, revision, hash, selection criteria • any case information

  20. Imager Configuration File

  21. DEB Tag File Example

  22. DEB Diagram

  23. Evidence Unit Detail

  24. The Ultimate Test There must be sufficient information about the provenance so when restored it is identical to what would have been acquired with a bitstream image

  25. Conclusion The container is key to selectively capturing data. Utilizing these methods provides structure in investigations with vast amounts of information.

More Related