SLIDE 1 rjwalls@cs.umass.edu forensics.umass.edu 1
Effective
Digital Forensics
Research is
Investigator- Centric
Robert J. Walls Brian Neil Levine Marc Liberatore Clay Shields University of Massachusetts Amherst Georgetown University
Digital Forensics Research is Investigator- Centric Robert J. - - PowerPoint PPT Presentation
Digital Forensics Research is Investigator- Centric Robert J. - - PowerPoint PPT Presentation
Effective Digital Forensics Research is Investigator- Centric Robert J. Walls Brian Neil Levine Marc Liberatore Clay Shields University of Massachusetts Amherst Georgetown University rjwalls@cs.umass.edu 1 forensics.umass.edu
SLIDE 2 rjwalls@cs.umass.edu forensics.umass.edu 2
SLIDE 3 rjwalls@cs.umass.edu forensics.umass.edu 2
SLIDE 4 rjwalls@cs.umass.edu forensics.umass.edu 3
SLIDE 5 rjwalls@cs.umass.edu forensics.umass.edu 3
SLIDE 6 rjwalls@cs.umass.edu forensics.umass.edu 4
Digital forensics contends with
the CSI-effect.
SLIDE 7 rjwalls@cs.umass.edu forensics.umass.edu 4
Digital forensics contends with
the CSI-effect.
and security
^
SLIDE 8 rjwalls@cs.umass.edu forensics.umass.edu 5
Digital forensics lacks a solid
scientific foundation.
SLIDE 9 rjwalls@cs.umass.edu forensics.umass.edu 6
Digital forensics struggles with
practical challenges.
SLIDE 10 rjwalls@cs.umass.edu forensics.umass.edu 7
Digital forensics impacts
people directly.
SLIDE 11 rjwalls@cs.umass.edu forensics.umass.edu 8
SLIDE 12 rjwalls@cs.umass.edu forensics.umass.edu 9
Security, privacy,
& forensics?
SLIDE 13 rjwalls@cs.umass.edu forensics.umass.edu 10
SLIDE 14 rjwalls@cs.umass.edu forensics.umass.edu 11
principles for
researchers.
5
SLIDE 15 rjwalls@cs.umass.edu forensics.umass.edu 12
SLIDE 16 rjwalls@cs.umass.edu forensics.umass.edu 13
SLIDE 17 rjwalls@cs.umass.edu forensics.umass.edu 14
Investigator-Centric
Digital Forensics is
1
SLIDE 18 rjwalls@cs.umass.edu forensics.umass.edu 15
1: Forensics is Investigator-Centric
> Research is investigator driven.
SLIDE 19 rjwalls@cs.umass.edu forensics.umass.edu 15
1: Forensics is Investigator-Centric
> Consider both goals and constraints. > Research is investigator driven.
SLIDE 20 rjwalls@cs.umass.edu forensics.umass.edu 15
1: Forensics is Investigator-Centric
> Consider both goals and constraints. > Research is investigator driven. > Break the rules lose the case.
SLIDE 21 rjwalls@cs.umass.edu forensics.umass.edu 15
1: Forensics is Investigator-Centric
> Consider both goals and constraints. > Research is investigator driven. > Break the rules lose the case. > The rules change.
SLIDE 22 rjwalls@cs.umass.edu forensics.umass.edu 16
inseparable
Forensics and law are
2
SLIDE 23 rjwalls@cs.umass.edu forensics.umass.edu 17
2: Forensics and law are inseparable
> Law is struggling to keep up.
SLIDE 24 rjwalls@cs.umass.edu forensics.umass.edu 17
2: Forensics and law are inseparable
> How does seizure apply to data? > Law is struggling to keep up.
SLIDE 25 rjwalls@cs.umass.edu forensics.umass.edu 17
2: Forensics and law are inseparable
> How does seizure apply to data? > Law is struggling to keep up. > Unproven techniques are risky.
SLIDE 26 rjwalls@cs.umass.edu forensics.umass.edu 18
People
Investigations are about
3
SLIDE 27 rjwalls@cs.umass.edu forensics.umass.edu 19
3: Investigations are about people
> Focus on the person, not the machine.
SLIDE 28 rjwalls@cs.umass.edu forensics.umass.edu 19
3: Investigations are about people
> Intent is outside of security domain. > Focus on the person, not the machine.
SLIDE 29 rjwalls@cs.umass.edu forensics.umass.edu 19
3: Investigations are about people
> Intent is outside of security domain. > Focus on the person, not the machine. > Crime may not violate security.
SLIDE 30 rjwalls@cs.umass.edu forensics.umass.edu 20
4
Dumb Ones
Still useful to catch the
SLIDE 31 rjwalls@cs.umass.edu forensics.umass.edu 21
4: Still useful to catch the dumb ones
> Doesn’t have to be foolproof to be useful.
SLIDE 32 rjwalls@cs.umass.edu forensics.umass.edu 21
4: Still useful to catch the dumb ones
> Tech savvy criminals aren’t more dangerous. > Doesn’t have to be foolproof to be useful.
SLIDE 33 rjwalls@cs.umass.edu forensics.umass.edu 21
4: Still useful to catch the dumb ones
> Tech savvy criminals aren’t more dangerous. > Doesn’t have to be foolproof to be useful. > 40% is still good.
SLIDE 34 rjwalls@cs.umass.edu forensics.umass.edu 22
5 Simple
Keep it
SLIDE 35 rjwalls@cs.umass.edu forensics.umass.edu 23
5: Keep it simple
> Make it simple for investigators to use it.
SLIDE 36 rjwalls@cs.umass.edu forensics.umass.edu 23
5: Keep it simple
> Must be within Investigator capabilities. > Make it simple for investigators to use it.
SLIDE 37 rjwalls@cs.umass.edu forensics.umass.edu 23
5: Keep it simple
> Must be within Investigator capabilities. > Make it simple for investigators to use it. > Often simpler non-computer solutions.
SLIDE 38 rjwalls@cs.umass.edu forensics.umass.edu 24
Forensics research without
these principles is
not forensics.
SLIDE 39 rjwalls@cs.umass.edu forensics.umass.edu 25
1: Forensics is Investigator-Centric. 2: Forensics and law are inseparable. 3: Investigations are about people. 4: Still useful to catch the dumb ones. 5: Keep it simple.
This work was supported in part by NSF awards CNS-1018615, CNS-0905349, and DUE-0830876, and in part by NIJ award 2008-CE-CX- K005.