Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011.

Published byAbigail Horn Modified over 8 years ago

Similar presentations

Presentation on theme: "Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011."— Presentation transcript:

1 Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011

2 Data handling workflow Obtain data from depositor / donor Examine the acquired data to locate user generated content Appraise data to select data of potential value to the institution Transfer selected data into digital repository for curation & preservation

3 Acquisition

4 Data Acquisition Methods Act of obtaining copy of digital data from depositor media and transferring into a managed environment for subsequent analysis: 1.File copy: Files are copied/moved from the donor’s media to AIM-owned storage, e.g. FTP, DVD-R, hard disk 2.Disk clone: Bit copy of files on source disk copied to mirror disk 3.Disk image: Bit copy of disk is created and stored as a file on other media. Different Hardware Different Media

5 Decision tree for choosing capture method

6 Analysis

7 7 Data held on a digital media Content held on digital media serves many purposes: Operating system files, e.g. Windows has 30,000+ after fresh install Software: Applications, utilities, games, etc. Log data: Windows Registry, browser cache, cookies, temp files User-generated content: Documents, images, sound, emails, etc. Different data layers available: 1.Active data: Information readily available as normally seen by an OS 2.Inactive/residual data: Information that has been deleted or modified Deleted files located in unallocated space that have yet to be overwritten (retrieved using undelete application) Data fragments that contains information from a partially deleted file (retrieved through carving) Inactive data useful, but need to consider ethical issues

8 1. Analysis techniques for active data Common techniques: Navigate directory structure to get a ‘feel’ for data files held on disk Search by: File name, e.g. *report* File type, e.g. *.doc, *.pdf, etc. Creation/modification date Content type, e.g. word usage File size Additional parameters configurable Windows search easy to perform, but does not identify everything – investigation process can leave artefacts, e.g. thumbs.db behind

9 1. OSForensic Search UI for active files Sort by: Name, Folder, Size Type, Creation date, Modification date, Hash set, Foreground colour, Background colour

10 10 2. Recovering deleted files Data files deleted by user continue to exist on disk! filename is changed and occupied space is simply labelled as ‘unallocated’, i.e. available for use. May be recovered if the space has not been reallocated to new data. However, likelihood of retrieving entire file decreases with usage of disk. Recovering partial/complete files Recoverable using Undelete\File recovery software to search unallocated space and relabel found files as available. Recovering Data Fragments Fragments of files may be recovered using Data carving technique - raw bits of disk analysed to identify recognisable patterns that may indicate a data file, e.g. header/footer, semantic information. Carving software designed to take a linear approach to locating data files – ineffective on fragmented disks Creates Franken-Files! – incomplete files, large files containing info from multiple sources, extracts embedded images from Powerpoints, etc Img source: http://www.flickr.com/photos/jwthompson2/160835456/

11 2. OSForensic Deleted File UI 99-50% complete content Data carving identifies data fragments, but frequently wrong about file type

12 3. Keyword Search Scan the content of a disk, including all emails, documents and other text content, to locate a particular search term. Commonly used by police to identify illegal content, e.g. bank numbers, telephone numbers, drug references, etc. Archival use: Does the disk contain reference to topic X? What trends may be identified in use of concept – when did term appear and disappear?

13 4. Analysis of research behaviour Hard disk contain large amount of other information: Web sites visited/bookmarked for research Chat logs indicating discussion with colleagues Other digital media that may have been used to store data This may be useful for understanding researcher work process, but be wary of the ethical issues

14 Decision tree for choosing appropriate analysis method

15 Forensic Hardware 1) Desktop PC Intel Pentium Dual Core E5800 CPU (3.20Ghz) 2GB DDR 500GB HD Super multi DVD-RW (2) USB Write Blocker Prevents OS writing to connected devices (4) Kryoflux USB Floppy disk controller to enable attachment of disparate disk devices & forensic imaging (3) Drive enclosure Enables connection of internal ATA/SATA disks via USB

16 16 Thank You! Gareth Knight Centre for e-Research, King’s College London gareth.knight@kcl.ac.uk @gknight2000 020 7848 1979 http://fido.cerch.kcl.ac.uk/ @jiscfido Questions

Download ppt "Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011."

Similar presentations

Watching the Detectives Forensic Information in Digital Objects (FIDO)

Watching the Detectives Forensic Information in Digital Objects (FIDO)
The Windows File System and Windows Explorer To move around the file system and examine your files or get to one you want (say, to modify, delete or copy.

The Windows File System and Windows Explorer To move around the file system and examine your files or get to one you want (say, to modify, delete or copy.
GETTING BITS OFF DISKS Using Open Source Tools to Prepare Born-Digital Materials for Long-Term Preservation and Access To connect to the audio portion.

GETTING BITS OFF DISKS Using Open Source Tools to Prepare Born-Digital Materials for Long-Term Preservation and Access To connect to the audio portion.
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Digital Record Management (HyperKYC) By. A Financial Institution or Stock Broker has many lines of services that it offers to its clients like share trading,

Digital Record Management (HyperKYC) By. A Financial Institution or Stock Broker has many lines of services that it offers to its clients like share trading,
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
Backing Up Your Computer Hard Drive Lou Koch June 27, 2006.

Backing Up Your Computer Hard Drive Lou Koch June 27, 2006.
OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.

OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Return to the Office 2007 web page Lesson 3: Managing Computer Files.

Return to the Office 2007 web page Lesson 3: Managing Computer Files.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
IT Infrastructure: Software September 18, 2014. LEARNING GOALS Identify the different types of systems software. Explain the main functions of operating.

IT Infrastructure: Software September 18, LEARNING GOALS Identify the different types of systems software. Explain the main functions of operating.
Computer & Network Forensics

Computer & Network Forensics
X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.
With Microsoft Office 2007 Introductory© 2008 Pearson Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Office 2007 Introductory.

With Microsoft Office 2007 Introductory© 2008 Pearson Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Office 2007 Introductory.
1 SOFTWARE TECHNOLOGIES BUS3500 - Abdou Illia, Spring 2007 (Week 2, Thursday 1/18/2007)

1 SOFTWARE TECHNOLOGIES BUS Abdou Illia, Spring 2007 (Week 2, Thursday 1/18/2007)
C81MPR Practical Methods File Handling for Practicals Jonathan Stirk & Danielle Ropar.

C81MPR Practical Methods File Handling for Practicals Jonathan Stirk & Danielle Ropar.
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.

Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.

Similar presentations

Ads by Google