SADFE-2007

2nd International Workshop on

Systematic Approaches to Digital Forensic Engineering

April 10-12, 2007

Bell Harbor International Conference Center
Seattle, Washington, USA

Argosy Cruises Banquet


Preliminary Program

Day  Time               Plenary
Tue  07:30 AM-05:00 PM  Registration: Tutorial and Workshop
     08:00 AM-05:00 PM  Tutorial
     05:00 PM-08:00 PM  Welcome Social
Wed  07:30 AM-05:00 PM  Registration: Workshop Only
     08:30 AM-08:45 AM  Welcome Workshop Day 1
     08:45 AM-10:30 AM  Use of Models in Forensics (Part I)
     10:30 AM-10:50 AM  Morning Break Workshop Day 1
     10:50 AM-11:50 AM  Use of Models in Forensics (Part II - Panel)
     11:50 AM-01:00 PM  Lunch Workshop Day 1
     01:00 PM-02:45 PM  Gathering and Understanding Digital Forensic Data (Papers)
     02:45 PM-03:00 PM  Afternoon Break Workshop Day 1
     03:00 PM-04:00 PM  Gathering and Understanding Digital Forensic Data (Panel)
     04:10 PM-05:00 PM  Panel: Courtroom Implications of Presenting Digital Evidence - Phil Attfield
Thu  08:30 AM-08:45 AM  Welcome Workshop Day 2
     08:45 AM-10:30 AM  Forensic Analysis Tools: Are they performing the way they should?
     10:30 AM-10:45 AM  Morning Break Workshop Day 2
     10:45 AM-11:45 AM  Challenge Papers
     11:45 AM-01:00 PM  Lunch Workshop Day 2
     01:00 PM-02:45 PM  Education and Training
     01:35 PM-01:45 PM  Afternoon break Workshop Day 2 (short; for panel setup)
     02:45 PM-03:00 PM  Closing Remarks and Plans for Next Time

Tuesday, Apr 10

 7:30 AM - 5:00 PM

 Registration: Tutorial and Workshop

 8:00 AM - 5:00 PM

 Tutorial

 5:00 PM - 8:00 PM

 Welcome Social

Wednesday, Apr 11

 7:30 AM - 5:00 PM

 Registration: Workshop Only

 8:30 AM - 8:45 AM

 Welcome Workshop Day 1

Chair: Ming-Yuh Huang (The Boeing Company, USA)
Chair: Deborah Frincke (Pacific Northwest National Laboratory, USA)

 8:45 AM - 10:30 AM

 Use of Models in Forensics (Part I)
Chair: Mark Pollitt (University of Central Florida, USA)
Toward Models for Forensic Analysis
Sean Peisert (University of California, San Diego, USA); Matt Bishop (University of California, Davis, USA); Sidney Karin (University of California, San Diego, USA); Keith Marzullo (University of California, San Diego, USA)
The existing solutions in the field of computer forensics are largely ad hoc. This paper discusses the need for a rigorous model of forensics and outlines qualities that such a model should possess. It presents an overview of a forensic model and an example of how to apply the model to a real-world, multi-stage attack. We show how using the model can result in forensic analysis requiring a much smaller amount of carefully selected, highly useful data than without the model.
Defining a Process Model for Forensic Analysis of Digital Devices and Storage Media
Michael Andrew (CyberSecurity Institute, USA)
The concept of accuracy in digital forensics is foundational to the purposes of an analysis. Current practices define methodologies and processes for the acquisition and preservation phases of a digital forensic examination. This paper proposes a broad-based process model for the analysis phase of the digital forensic process. The model facilitates the pursuit of accuracy in the analysis phase by serving to clarify the goals of the technical analysis, provide a framework for the analyst to use in qualifying data as evidence, and assist the expert in substantiating opinions and conclusions drawn from the analysis.
A Log Correlation Model to Support the Evidence Search Process in a Forensic Investigation
Roberto Gómez Cárdenas (Instituto Tecnologico y de Estudios Superiores de Monterrey, Mexico); Jorge Herrerias (Instituto Tecnologico y de Estudios Superiores de Monterrey, Mexico)
Computer forensics searches for evidence to reassemble the actions that led the system from a secure state to the moment an intrusion was detected. The main source of data for a forensic investigation is the information provided by log files. Log files are generated by applications to keep a register of the actions that occurred on the system. However, the massive amount of recorded events complicates the forensic investigation. A model composed of a set of agents that collect, filter, normalize, and correlate events coming from diverse log files is proposed in this paper. The purpose of the model is to assist the analyst in the evidence search process of a forensic investigation.

 10:30 AM - 10:50 AM

 Morning Break Workshop Day 1

 10:50 AM - 11:50 AM

 Use of Models In Forensics (Part II - Panel)

Chair: Mark Pollitt (University of Central Florida, USA)

An Ad Hoc Review of Digital Forensic Models
Mark Pollitt (University of Central Florida, USA)
Digital forensics has been the subject of academic study for a relatively brief period of time. One of the foundational ways in which researchers try to understand the scientific basis of a discipline is to construct models which reflect their observations. This paper reviews a collection of fifteen published papers which represent data points in the development of digital forensic models. It is neither an exhaustive review, nor an exhaustive list of all available papers.

 11:50 AM - 1:00 PM

 Lunch Workshop Day 1

 1:00 PM - 2:45 PM

 Gathering and Understanding Digital Forensic Data (Papers)
Chair: Antonio Savoldi (University of Brescia, Italy)
Identification and Localization of Data Types within Large-Scale File Systems
Robert Erbacher (Utah State University, USA); John Mulholland (Utah State University, USA)
This research examines the application of statistical analysis techniques for the identification of data types embedded within a file to assist analysts with the location of potentially criminally relevant data. The results show that the statistical analysis can effectively aid identification of the types of data embedded in a file and the approximate location of these data types. This analysis is irrespective of the type of file being analyzed, but rather identifies its component data types. When applied, this technique will allow analysts to more effectively and efficiently locate relevant data on a hard drive, especially on today’s particularly large hard drives.
 
The Rules of Time on NTFS File System
K. P. Chow (The University of Hong Kong, Hong Kong); Frank Yuet Wing Law (The University of Hong Kong, Hong Kong); Yuk Kwan Kwan (The University of Hong Kong, Hong Kong); Ka Ying Lai (The University of Hong Kong, Hong Kong)
With the rapid development and popularity of IT technology, criminals and mischievous computer users are given avenues to commit crimes and malicious activities. As forensic science has long been used to resolve legal disputes regarding different branches of science, computer forensics is developed naturally in the aspects of computer crimes or misbehaviors. In computer forensics, temporal analysis plays a significant role in the reconstruction of events or crimes. Indeed, temporal analysis is one of the attractive areas in computer forensics that has caused a large number of research efforts and studies. It is the purpose of this paper to focus on temporal analysis on the NTFS file system and to project intuitional rules on the behavioral characteristics of related digital files.
Data Hiding in SIM/USIM Cards: A Steganographic Approach
Antonio Savoldi (University of Brescia, Italy); Paolo Gubian (University of Brescia, Italy)
The aim of this paper is twofold. First, the real structure of a SIM/USIM card filesystem will be presented, analyzing what is valuable from a forensics perspective and showing what evidence is not detectable and extractable with the tools present in the arena of open-source and proprietary software. After that, the paper will focus on a framework that can be used to detect and extract the so-called nonstandard part of a SIM/USIM filesystem, which is a concealed part usable also to store arbitrary and sensitive information. As a proof-of-concept, an interesting example will be presented on the methods usable to obtain the data hidden in an ordinary SIM/USIM card.

 2:45 PM - 3:00 PM

 Afternoon Break Workshop Day 1

 3:00 PM - 4:00 PM

 Gathering and Understanding Digital Forensic Data (Panel)

Chair: Antonio Savoldi (University of Brescia, Italy)

Panel Topic: Lawyers, Judges and Digital Forensics: Evaluating Situational Awareness and Evidentiary Skills with Electronic Evidence, from Cybercrime to Civil Lawsuits
Michael Losavio (University of Louisville, USA)
This panel of attorneys, and others, will discuss situational awareness and skills of lawyers, judges and computing professionals relating to evidence law and rules of procedure for using electronic evidence and digital forensics. The panel may address the new Federal Rules of Civil Procedure for the discovery and handling of electronic evidence that are effective December 1, 2006, their impact in federal courts and their influence in state courts.

 4:10 PM - 5:00 PM

 Panel: Courtroom Implications of Presenting Digital Evidence - Phil Attfield

Chair: Philip Attfield (IDELIX Software Inc.; NorthWest Security Institute, USA)

Thursday, Apr 12

 8:30 AM - 8:45 AM

 Welcome Workshop Day 2

 8:45 AM - 10:30 AM

 Forensic Analysis Tools: Are they performing the way they should?

Chair: Lei Pan (Deakin University, Australia)

X-Online: An Online Interface for Digital Decryption Tools
Sudhir Aggarwal (Florida State University, USA); Daniel Beech (Florida State University, USA); Rajarshi Das (Florida State University, USA); Breno de Medeiros (Florida State University, USA); Eric Thompson (AccessData Corporation, USA)
In this paper, we describe X-Online, a Web application designed to interface with a password-recovery and/or decryption tool such as AccessData’s Distributed Network Attack (DNA™) tool. X-Online allows for submission of documents in a highly secure and reliable manner for digital forensic processing. The output of the digital forensic tool interfaced with X-Online is displayed back to the user. We anticipate that web service-based applications such as X-Online will be increasingly important as e-Forensic tools. In this paper, we give an overview of the need for such systems, describe our system’s design, and discuss the key security and reliability aspects associated with the system. X-Online is based on two different operating system platforms (Linux and Windows), and uses a secure web server as well as additional authentication protocols for security. File sharing supports interfacing to the widely used DNA Digital Decryption tool, and protecting this service was accordingly a major component of our overall security design. We also discuss the features that we plan to support in the future, and our designs to use it in connection with a broader forensic research initiative.
 
A Lower Bound on Effective Performance Testing for Digital Forensic Tools
Lei Pan (Deakin University, Australia); Lynn Batten (Deakin University, Australia)
The increasing complexity and number of digital forensic tasks required in criminal investigations demands the development of an effective and efficient testing methodology, enabling tools of similar functionalities to be compared based on their performance. Assuming that the tool tester is familiar with the underlying testing platform and has the ability to use the tools correctly, we provide a numerical solution for the lower bound on the number of testing cases needed to determine comparative capabilities of any set of digital forensic tools. We also present a case study on the performance testing of password cracking tools, which allows us to confirm that the lower bound on the number of testing runs needed is closely related to the row size of certain orthogonal arrays. We show how to reduce the number of test runs by using knowledge of the underlying system.
 
Establishing Tap Reliability in Expert Witness Testimony: Using Scenarios to Identify Calibration Needs
Barbara Endicott-Popovsky (University of Washington, USA); JD Fluckiger (PNNL, USA); Deborah Frincke (Pacific Northwest National Laboratory, USA)
A means to establish a degree of soundness for network data gathering devices is important to support pursuit of legal remedies for misuse or malicious intrusions or to defend against accusations of network management negligence. Those seeking to establish the credibility of network data must speak competently to the reliability of how that data was gathered—in particular, the possibility that critical information might have been lost. However, manufacturers rarely provide conclusive information about the performance of low-layer network devices at a level that will survive legal challenge. This paper applies a model for developing a calibration test for a forensic tap [1] to several misuse/intrusion scenarios. The insights gained result in recommendations for a calibration regime for taps that will prepare the device to support expert testimony.
Index Terms: Network forensics, calibration, forensic (aggregator) tap.

 10:30 AM - 10:45 AM

 Morning Break Workshop Day 2

  10:45 AM - 11:45 AM

 Challenge Papers

Chair: Sean Peisert (University of California, San Diego, USA)

SADFE Challenge Paper - Construction of an Adequate Digital Forensics Testbed
Michael Losavio (University of Louisville, USA); James Graham (University of Louisville, USA); Adel Elmaghraby (University of Louisville, USA); Jana Godwin (University of Louisville, USA)
The Challenge - What is an adequate laboratory specification for emulating network attacks and experimenting with network forensics, other digital forensics techniques and social behavioral traits? Could published specifications for different scales of research assist in research development? Is the specification described here adequate for research purposes? What additional considerations are needed for simulating network attacks and validating forensic tools?
 
Challenge Paper: Validation of Forensic
Robert Erbacher (Utah State University, USA); Barbara Endicott-Popovsky (University of Washington, USA); Deborah Frincke (Pacific Northwest National Laboratory, USA)

 11:45 AM - 1:00 PM

 Lunch Workshop Day 2

 1:00 PM - 2:45 PM

 Education and Training

Chair: Carol Taylor (University of Idaho, USA)

Forensics Education: Assessment and Measures of Excellence
Carol Taylor (University of Idaho, USA); Barbara Endicott-Popovsky (University of Washington, USA); Amelia Phillips (Highline Community College, USA)
In this paper we assess current academic and certificate-based education and training programs in digital forensics education. Strong interest in the digital forensics field has led to a proliferation of education options in both academia and professional training programs. Yet, few studies have attempted to define quality attributes or measures of excellence for these programs. This study defines a set of excellence measures for academic programs seeking to teach digital forensics, distilled from existing training documents, author experience and other studies. The expectation is that this first attempt to define program excellence will generate discussion and stimulate others in the forensics community to add their own measures of excellence in addition to critiquing ours. We also describe other needed components for digital forensics education in order for the field to move forward.
 
Panel Topic: Education and Interdisciplinary Issues in Digital Forensics, Computer Science and Judicial Process
Michael Losavio (University of Louisville, USA); Adel Elmaghraby (University of Louisville, USA)
This panel will review issues associated with the development of an interdisciplinary educational program on digital forensics practice, computer science and judicial process. In particular, it will discuss:
1) Issues in developing curricula in each of the key areas, including
   a. Justice administration and police science
   b. Attorney training
   c. Judicial training
   d. Computer science
2) Challenges for implementing such teaching and training, particularly in an interdisciplinary context
3) Integrating each discipline’s expertise as to
   a. the “presumption of reliability,”
   b. authentication challenges v. expert evidence challenges and
   c. “weight” along the evidentiary spectrum.

 1:35 PM - 1:45 PM

 Afternoon break Workshop Day 2 (short; for panel setup)

 2:45 PM - 3:00 PM

 Closing Remarks and Plans for Next Time

Chair: Ming-Yuh Huang (The Boeing Company, USA)