vassil roussev the current forensic workflow
play

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) - PowerPoint PPT Presentation

Aug 26, 2023 •288 likes •590 views

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s @10MB/s ~5.5 hrs ~82.5 hrs 129 * We can start working on the case after 88 hours. * http://accessdata.com/distributed-processing 2 Scalable

  1. Vassil Roussev

  2. The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s @10MB/s ~5.5 hrs ~82.5 hrs 129 *  We can start working on the case after 88 hours. * http://accessdata.com/distributed-processing 2

  3. Scalable Forensic Workflow Clone Forensic Target (3TB) Process @150MB/s  We can start working on the case immediately . 3

  4. Current Forensic Processing  Hashing/filtering/correlation  File carving/reconstruction  Indexing The ultimate goal of this work is to make similarity hash-based correlation scalable & I/O-bound. 4

  5. Motivation for similarity approach: Traditional hash filtering is failing  Known file filtering: o Crypto-hash known files, store in library (e.g. NSRL) o Hash files on target o Filter in/out depending on interest  Challenges o Static libraries are falling behind  Dynamic software updates, trivial artifact transformations  We need version correlation o Need to find embedded objects  Block/file in file/volume/network trace o Need higher-level correlations  Disk-to-RAM  Disk-to-network 5

  6. Scenario #1: Fragment Identification Source artifacts (files) v Disk fragments (sectors) Network fragments (packets)  Given a fragment, identify source o Fragments of interest are 1-4KB in size o Fragment alignment is arbitrary 6

  7. Scenario #2: Artifact Similarity Similar files Similar drives (shared content/format) (shared blocks/files)  Given two binary objects, detect similarity/versioning o Similarity here is purely syntactic; o Relies on commonality of the binary representations. 7

  8. Solution: Similarity Digests sdhash sdhash sdhash sdhash sdbf 1 sdbf 2 sdbf 1 sdbf 2 sdhash sdhash Is this fragment present on the drive? Are these artifacts correlated?  0 .. 100  0 .. 100 All correlations based on bitstream commonality 8

  9. Quick Review: Similarity digests & sdhash 9

  10. Generating sdhash fingerprints (1) Digital artifact (block/file/packet/volume) as byte stream … Features (all 64-byte sequences) 10

  11. Generating sdhash fingerprints (2) Digital artifact … Select characteristic features (statistically improbable/rare) 11

  12. Generating sdhash fingerprints (3) Feature Selection Process All features Weak H norm  Feature 0..1000 Filter 0.18 0.16 0.14 Data with low information content 0.12 Probability 0.10 0.08 Rare 0.06 Local 0.04 0.02 Feature 0.00 0 100 200 300 400 500 600 700 800 900 1000 Selector (a) H norm distribution: doc H norm  doc files 12

  13. Generating sdhash fingerprints (4) 8-10K avg 8-10K avg 8-10K avg SHA-1 SHA-1 SHA-1 … = Artifact SD fingerprint bf 3 bf 1 + bf 2 + Sequence of Bloom filters (sdbf) Bloom filter  local SD fingerprint  256 bytes  up to 128/160 features 13

  14. Bloom filter (BF) comparison A bf A 0 .. 100 BF Score bitwise AND B bf B Based on BF theory, overlap due to chance is analytically predictable. Additional BF overlap is proportional to overlap in features. BF Score is tuned such that BF Score (A random , B random ) = 0. 14

  15. SDBF fingerprint comparison … SD B 1 2 m SD A bf B bf B bf B … 1 1 ,bf B 1 ) 1 ,bf B 2 ) 1 ,bf B m ) bf A BF Score (bf A BF Score (bf A BF Score (bf A max 1 … 2 bf A 2 ,bf B 1 ) 2 ,bf B 2 ) 2 ,bf B m ) BF Score (bf A BF Score (bf A BF Score (bf A max 2 … … … … … n bf A n ,bf B 1 ) n ,bf B 2 ) n ,bf B m ) max n BF Score (bf A BF Score (bf A BF Score (bf A SD Score (A,B) = Average(max 1 , max 2 , …, max n ) 15

  16. Scaling up: Block-aligned digests & parallelization 16

  17. Block-aligned similarity digests ( sdbf-dd ) 16K 16K 16K SHA-1 SHA-1 SHA-1 … = Artifact SD fingerprint bf 3 bf 1 + bf 2 + Sequence of Bloom filters (sdbf-dd) Bloom filter  local SD fingerprint  256 bytes  up to 192 features 17

  18. Advantages & challenges for block- aligned similarity digests (sdbf-dd)  Advantages Parallelizable computation o Direct mapping to source data o Shorter (1.6% vs 2.6% of source) o  Faster comparisons (fewer BFs)  Challenges Less reliable for smaller files o Sparse data o Compatibility with sdbf digests o  Solution Increase features for sdbf filters: 128  160 o Use 192 features per BF for sdbf-dd filters o Use compatible BF parameters to allow sdbf  sdbf-dd comparisons o 18

  19. sdhash 1.6: sdbf vs. sdbf-dd accuracy 19

  20. Sequential throughput: sdhash 1.3  Hash generation rate o Six-core Intel Xeon X5670 @ 2.93GHz ~27MB/s per core o Quad-Core Intel Xeon @ 2.8 GHz ~20MB/s per core  Hash comparison o 1MB vs. 1MB: 0.5ms  T5 corpus (4,457 files, all pairs) o 10mln file comparisons in ~ 15min  667K file comps per second  Single core 20

  21. sdhash 1.6: File-parallel generation rates on 27GB real data (in RAM) 21

  22. sdhash 1.6: Optimal file-parallel generation: 5GB synthetic target (RAM) 22

  23. sdhash-dd: Hash generation rates 10GB in-RAM target (RAM) 23

  24. Throughput summary: sdhash 1.6  Parallel hash generation o sdbf: file-parallel execution  260 MB/s on 12-core/24-threaded machine o sdbf-dd: block-parallel execution  370 MB/s (SHA1 — > 330MB/s)  Optimized hash comparison rates o 24 threads: 86.6 mln BF/s  1.4 TB/s for small file comparison (<16KB) I.e., we can search for a small file in a reference set of 1.4TB in 1s 24

  25. The Envisioned Architecture 25

  26. The Current State libsdbf CLI: sdhash Service: sdbf_d API Files: Network: Client: Disk: Cluster: Client: sdhash- sdhash- C/C++ C# Python sdhash-dd sdbfCluster sdbfWeb sdbfViz file pcap 26

  27. Todo List (1)  libsdbf o C++ rewrite (v2.0) o TBB parallelization  sdhash-file o More command line options/compatibility w/ssdeep o Service-based processing (w/ sdbf_d )  GPU acceleration  sdhash-pcap o Pcap-aware processing:  payload extraction, file discovery, timelining 27

  28. Todo List (2)  sdbf_d o Persistance: XML o Service interface: JSON o Server clustering  sdbfWeb o Browser-based management/query  sdbfViz o Large-scale visualization & clustering 28

  29. Further Development  Integration w/ RDS sdhash-set : construct SDBF s from existing SHA1 sets o  Compare/identify whole folders, distributions, etc.  Structural feature selection E.g., exe/dll, pdf , zip, … o  Optimizations Sampling o Skipping o  Under min continuous block assumption Cluster “core” extraction/comparison o  Representation Multi-resolution digests o New crypto hashes o Data offsets o 29

  30. Thank you!  http://roussev.net/sdhash wget http://roussev.net/sdhash/sdhash-1.6.zip o make o ./sdhash o  Contact: Vassil Roussev vassil@roussev.net  Reminder DFRWS’12: Washington DC, Aug 6-8 Paper deadline: Feb 20, 2012 Data sniffing challenge to be released shortly 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company &amp; setup

Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company &amp; setup

DFRWS12 /Aug 5-8 2012/Washington DC Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company &amp; setup Employees: o President: Pat McGoo o IT: Terry o Researchers: Jo, Charlie Period o 11/16/2009

673 views • 50 slides
Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Epigenetic age signatures in the forensically relevant body fluid of semen Hwan Yong Lee Department of Forensic Medicine Yonsei University College of Medicine Seoul, Korea Current Forensic DNA Typing o Forensic cases -- matching suspect with

533 views • 14 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico Marziale, Golden G. Richard III, Vassil Roussev Me: Professor of Computer Science Co-founder, Digital Forensics Solutions golden@cs.uno.edu

489 views • 28 slides
workflow: workflow: QSPR = Quantitative Structure Property

workflow: workflow: QSPR = Quantitative Structure Property

workflow: workflow: QSPR = Quantitative Structure Property Relationship workflow: workflow: 1600 1500 1400 1300 1200 1100 1000 900 mass (Da) 800 700 600 500 400 300 200 100 0 -5 -4 -3 -2 -1

793 views • 33 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides
Day 8 Workflow Cloud Resource Provisioning Todays Agenda Introduction What is workflow?

Day 8 Workflow Cloud Resource Provisioning Todays Agenda Introduction What is workflow?

2/7/2018 Day 8 Workflow Cloud Resource Provisioning Todays Agenda Introduction What is workflow? What are major QoS requirements? How is workflow represented? Our work in workflow scheduling Research problems

470 views • 13 slides
10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI, the prevalence of containment in prison/forensic system is high: men 15%; women 31% For people exhibiting symptoms: 67 % greater likelihood of

366 views • 7 slides
Se Search arch for for th the e Lep Lepton ton Fl Flavor avor Vio Violating lating De

Se Search arch for for th the e Lep Lepton ton Fl Flavor avor Vio Violating lating De

Se Search arch for for th the e Lep Lepton ton Fl Flavor avor Vio Violating lating De Decay cay in in () Naf afis isa a Tas asne neem em Uni nivers rsity ity of Vic f Victori ria, a, Ca

818 views • 22 slides
ACESIII Outline Collaborators Design philosophy Mr. Mark Ponton, ACES Q. C.

ACESIII Outline Collaborators Design philosophy Mr. Mark Ponton, ACES Q. C.

ACESIII Outline Collaborators Design philosophy Mr. Mark Ponton, ACES Q. C. (SIP/SIAL/Compiler) Implementation Dr. Norbert Flocke, QTP Results (Integral package) Conclusions Dr. Erik Deumens,

531 views • 30 slides
The dual Voronoi diagrams with respect to representational Bregman divergences Frank Nielsen and

The dual Voronoi diagrams with respect to representational Bregman divergences Frank Nielsen and

The dual Voronoi diagrams with respect to representational Bregman divergences Frank Nielsen and Richard Nock frank.nielsen@polytechnique.edu Ecole Polytechnique, LIX, France Sony Computer Science Laboratories Inc, FRL, Japan International

437 views • 32 slides
More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 &gt; www.iaik.tugraz.at www.iaik.tugraz.at

1.63k views • 60 slides
Matching and Inequality in the World Economy Arnaud Costinot Jonathan Vogel MIT &amp; Columbia

Matching and Inequality in the World Economy Arnaud Costinot Jonathan Vogel MIT &amp; Columbia

Matching and Inequality in the World Economy Arnaud Costinot Jonathan Vogel MIT &amp; Columbia March 2009 Costinot &amp; Vogel (MIT &amp; Columbia) Matching and Inequality March 2009 1 / 33 Question Question: How do changes in factor supply

1.07k views • 91 slides
Online Algorithms Lecture 3 Ji r Sgall Computer Science Institute of the Charles Univ.,

Online Algorithms Lecture 3 Ji r Sgall Computer Science Institute of the Charles Univ.,

Online Algorithms Lecture 3 Ji r Sgall Computer Science Institute of the Charles Univ., Praha EWSCS, Palmse, March 2020 Ji r Sgall Online Algorithms Lecture 3 A Brief Review of Bin Packing Bin packing Input: Sequence of

815 views • 58 slides
Randomness with CA Bruno Martin Universit e C ote dAzur, I3S-CNRS Journ ee Al ea

Randomness with CA Bruno Martin Universit e C ote dAzur, I3S-CNRS Journ ee Al ea

Randomness with CA Bruno Martin Universit e C ote dAzur, I3S-CNRS Journ ee Al ea I3S 1/41 Bruno Martin Contents Definitions Related results LHCA Non-linear HCA construction Uniform CA approach Questions we address Results

525 views • 35 slides
Mesh Denoising via L 0 Minimization Lei He Scott Schaefer Texas A&amp;M University Surface

Mesh Denoising via L 0 Minimization Lei He Scott Schaefer Texas A&amp;M University Surface

Mesh Denoising via L 0 Minimization Lei He Scott Schaefer Texas A&amp;M University Surface Denoising Related Work [Vollmer et al. 1999] [Desbrun et al. 1999] [Kim et al. 2005] [Nealen et al. 2006] [Clarenz et al. 2000] [Bajaj and Xu

866 views • 50 slides

More recommend