Difference between pages "Carver 2.0 Planning Page" and "Upcoming events"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Ideas)
 
(Conferences)
 
Line 1: Line 1:
This page is for planning Carver 2.0.
+
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
 +
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
 +
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
  
Please, do not delete text (ideas) here. Use something like this:
+
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
  
<pre>
+
This listing is divided into three sections (described as follows):<br>
<s>bad idea</s>
+
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
:: good idea
+
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
</pre>
+
<li><b><u>[[Training Courses and Providers]]</u></b> - Training </li><br></ol>
  
This will look like:
+
== Calls For Papers ==
 +
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
  
<s>bad idea</s>
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
:: good idea
+
|- style="background:#bfbfbf; font-weight: bold"
 +
! width="30%|Title
 +
! width="15%"|Due Date
 +
! width="15%"|Notification Date
 +
! width="40%"|Website
 +
|-
 +
|5th International Conference on Digital Forensics & Cyber Crime (ICDF2C 2013)
 +
|Apr 30, 2013
 +
|Jun 01, 2013
 +
|http://d-forensics.org/2013/show/cf-papers
 +
|-
 +
|2nd Cyberpatterns: Unifying Design Patterns with Security, Attack and Forensic Patterns Workshop
 +
|May 20, 2013
 +
|Jun 10, 2013
 +
|http://tech.brookes.ac.uk/CyberPatterns2013
 +
|-
 +
|29th Annual Computer Security Applications Conference
 +
|Jun 01, 2013
 +
|Aug 15, 2013
 +
|http://www.acsac.org/2013/cfp/
 +
|-
 +
|AAFS 66th Annual Scientific Meeting
 +
|Aug 01, 2013
 +
|
 +
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
 +
|-
 +
|}
  
= License =
+
See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']
  
BSD-3.
+
== Conferences ==
:: [[User:Joachim Metz|Joachim]] library based validators could require other licenses
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
 +
|- style="background:#bfbfbf; font-weight: bold"
 +
! width="40%"|Title
 +
! width="20%"|Date/Location
 +
! width="40%"|Website
 +
|-
 +
|8th Annual Workshop on Digital Forensics and Incident Analysis (WDFIA)
 +
|May 08-10<br>Lisbon, Portugal
 +
|http://www.wdfia.org/default.asp
 +
|-
 +
|European Information Security Multi-Conference (EISMC 2013)
 +
|May 08-10<br>Lisbon, Portugal
 +
|http://www.eismc.org/
 +
|-
 +
|IEEE Symposium on Security & Privacy
 +
|May 19-23<br>San Francisco, CA
 +
|http://www.ieee-security.org/TC/SP2013/index.html
 +
|-
 +
|International Workshop on Cyber Crime
 +
|May 24<br>San Francisco, CA
 +
|http://stegano.net/IWCC2013/
 +
|-
 +
|Techno Security and Forensics Investigation Conference
 +
|Jun 02-05<br>Myrtle Beach, SC
 +
|http://www.thetrainingco.com/html/Security%20Conference%202013.html
 +
|-
 +
|Mobile Forensics World
 +
|Jun 02-05<br>Myrtle Beach, SC
 +
|http://www.techsec.com/html/MFC-2013-Spring.html
 +
|-
 +
|ADFSL 2013 Conference on Digital Forensics, Security and Law
 +
|Jun 10-12<br>Richmond, VA
 +
|http://www.digitalforensics-conference.org/index.htm
 +
|-
 +
|FIRST Conference
 +
|Jun 16-21<br>Bangkok, Thailand
 +
|http://conference.first.org/2013/
 +
|-
 +
|The 1st ACM Workshop on Information Hiding and Multimedia Security
 +
|Jun 17-19<br>Montpellier, France
 +
|http://ihmmsec.org/
 +
|-
 +
|28th IFIP TC-11 SEC 2013 International Information Security and Privacy Conference
 +
|Jul 08-10<br>Auckland, New Zealand
 +
|http://www.sec2013.org/
 +
|-
 +
|The Second International Workshop on Cyber Patterns: Unifying Design Patterns with Security, Attack and Forensic Patterns
 +
|Jul 08-09<br>Abingdon, Oxfordshire, United Kingdom
 +
|http://tech.brookes.ac.uk/CyberPatterns2013
 +
|-
 +
|Symposium On Usable Privacy and Security
 +
|Jul 24-26<br>Newcastle, United Kingdom
 +
|http://cups.cs.cmu.edu/soups/2013/
 +
|-
 +
|BlackHat USA
 +
|Jul 27-Aug 01<br>Las Vegas, NV
 +
|https://www.blackhat.com/us-13/
 +
|-
 +
|DFRWS 2013
 +
|Aug 04-07<br>Monterey, CA
 +
|http://dfrws.org/2013
 +
|-
 +
|Regional Computer Forensics Group GMU 2013
 +
|Aug 05-09<br>Fairfax, VA
 +
|http://www.rcfg.org
 +
|-
 +
|6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '13)
 +
|Aug 12<br>Washington, DC
 +
|https://www.usenix.org/conferences?page=1
 +
|-
 +
|8th USENIX Workshop on Hot Topics in Security (HotSec '13)
 +
|Aug 13<br>Washington, DC
 +
|https://www.usenix.org/conferences?page=1
 +
|-
 +
|22nd USENIX Security Symposium - USENIX Security '13
 +
|Aug 14-16<br>Washington, DC
 +
|https://www.usenix.org/conference/usenixsecurity13
 +
|-
 +
|6th International Workshop on Digital Forensics (WSDF 2013)
 +
|Sep 02-06<br>Regensburg, Germany
 +
|http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
 +
|-
 +
|2013 HTCIA International Conference & Training Expo
 +
|Sep 08-11<br>Summerlin, NV
 +
|http://www.htciaconference.org/
 +
|-
 +
|New Security Paradigms Workshop (NSPW)
 +
|Sep 09-12<br>The Banff Center, Canada
 +
|http://www.nspw.org/current/
 +
|-
 +
|Black Hat | Regional Summit
 +
|Sep 10-12<br>Istanbul, Turkey
 +
|https://www.blackhat.com/is-13/
 +
|-
 +
|French-Speaking Days on Digital Investigations - Journées Francophones de l'Investigation Numérique
 +
|Sep 10-12<br>Neuchâtel, Switzerland
 +
|https://www.afsin.org/
 +
|-
 +
|5th International Conference on Digital Forensics & Cyber Crime
 +
|Sep 25-27<br>Moscow, Russia
 +
|http://d-forensics.org/2013/show/home
 +
|-
 +
|VB2013 - the 23rd Virus Bulletin International Conference
 +
|Oct 02-04<br>Berlin, Germany
 +
|http://www.virusbtn.com/conference/vb2013/index
 +
|-
 +
|16th International Symposium on Research in Attacks, Intrusions and Defenses
 +
|Oct 23-25<br>St. Lucia
 +
|http://www.raid2013.org/
 +
|-
 +
|4th Annual Open Source Digital Forensics Conference
 +
|Nov 04-05<br>Chantilly, VA
 +
|http://www.basistech.com/about-us/events/open-source-forensics-conference/
 +
|-
 +
|Black Hat Regional Summit
 +
|Nov 26-27<br>Sao Paulo, Brazil
 +
|https://www.blackhat.com/sp-13
 +
|-
 +
|29th Annual Computer Security Applications Conference
 +
|Dec 09-13<br>New Orleans, LA
 +
|http://www.acsac.org
 +
|-
 +
|AAFS 66th Annual Scientific Meeting
 +
|Feb 17-22<br>Seattle, WA
 +
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
 +
|-
 +
|}
  
= OS =
+
==See Also==
 
+
* [[Training Courses and Providers]]
Linux/FreeBSD/MacOS
+
==References==
: Shouldn't this just match what the underlying afflib & sleuthkit cover? [[User:RB|RB]]
+
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
:: Yes, but you need to test and validate on each. Question: Do we want to support windows? [[User:Simsong|Simsong]] 21:09, 30 October 2008 (UTC)
+
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
:: [[User:Joachim Metz|Joachim]] I think we would do wise to design with windows support from the start this will improve the platform independence from the start
+
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
:::: Agreed; I would even settle at first for being able to run against Cygwin.  Note that I don't even own or use a copy of Windows, but the vast majority of forensic investigators do. [[User:RB|RB]] 14:01, 31 October 2008 (UTC)
+
:: [[User:Capibara|Rob J Meijer]] Leaning heavily on the autotools might be the way to go. I do however feel that support requirements for windows would not be essential. Being able to run from a virtual machine with the main storage mounted over cifs should however be tested and if possible tuned extensively.
+
:::: [[User:Joachim Metz|Joachim]] You'll need more than autotools to do native Windows support i.e. file access, UTF-16 support, wrap some basic system functions or have them available otherwise
+
 
+
= Name tooling =
+
 
+
* [[User:Joachim Metz|Joachim]] A name for the tooling I propose coldcut
+
:: How about 'butcher'?  ;)  [[User:RB|RB]] 14:20, 31 October 2008 (UTC)
+
:: [[User:Joachim Metz|Joachim]] cleaver ( scalpel on steroids ;-) )
+
* I would like to propose Gouge or Chisel :-) [[User:Capibara|Rob J Meijer]]
+
 
+
= Requirements =
+
 
+
[[User:Joachim Metz|Joachim]] Could we do a MoSCoW evaluation of these.
+
 
+
* AFF and EWF file images supported from scratch. ([[User:Joachim Metz|Joachim]] I would like to have raw/split raw and device access as well)
+
:: If we base our image i/o on afflib, we get all three with one interface. [[User:RB|RB]] Instead of letting the tools use afflib, better to write an afflib module for carvfs, and update the libewf module. The tool could than be oblivious of the file format. [[User:Capibara|Rob J Meijer]]
+
:::: [[User:Joachim Metz|Joachim]] this layer should support multi threaded decompression of compressed image types, this speeds up IO
+
* [[User:Joachim Metz|Joachim]] volume/partition aware layer (what about carving unpartioned space)
+
* File system aware layer. This could be or make use of tsk-cp.
+
** By default, files are not carved. (clarify: only identified? [[User:RB|RB]]; I guess that it operates like [[Selective file dumper]] [[User:.FUF|.FUF]] 07:00, 29 October 2008 (UTC)). Alternatively, the tool could use libcarvpath and output carvpaths or create a directory with symlinks to carvpaths that point into a carvfs mountpoint [[User:Capibara|Rob J Meijer]].
+
* Plug-in architecture for identification/validation.
+
** [[User:Joachim Metz|Joachim]] support for multiple types of validators
+
*** dedicated validator
+
*** validator based on file library (i.e. we could specify/implement a file structure API for these)
+
*** configuration based validator (Can handle config files,like Revit07, to enter different file formats used by the carver.)
+
* Ship with validators for:
+
[[User:Joachim Metz|Joachim]] I think we should distinguish between file format validators and content validators
+
** JPEG
+
** PNG
+
** GIF
+
** MSOLE
+
** ZIP
+
** TAR (gz/bz2)
+
 
+
[[User:Joachim Metz|Joachim]] For a production carver we need at least the following formats
+
** Grapical Images
+
*** JPEG (the 3 different types with JFIF/EXIF support)
+
*** PNG
+
*** GIF
+
*** BMP
+
*** TIFF
+
** Office documents
+
*** OLE2 (Word/Excell content support)
+
*** PDF
+
*** Open Office/Office 2007 (ZIP+XML)
+
:: Extension validation? AFAIK, MS Office 2007 [[DOCX]] format uses plain ZIP (or not?), and carved files will (or not?) have .zip extension instead of DOCX. Is there any way to fix this (may be using the file list in zip)? [[User:.FUF|.FUF]] 20:25, 31 October 2008 (UTC)
+
:: [[User:Joachim Metz|Joachim]] Addition: Office 2007 also has a binary file format which is also a ZIP-ed data
+
 
+
** Archive files
+
*** ZIP
+
*** 7z
+
*** gzip
+
*** bzip2
+
*** tar
+
*** RAR
+
** E-mail files
+
*** PFF (PST/OST)
+
*** MBOX (text based format, base64 content support)
+
** Audio/Video files
+
*** MPEG
+
*** MP2/MP3
+
*** AVI
+
*** ASF/WMV
+
*** QuickTime
+
*** MKV
+
** Printer spool files
+
*** EMF (if I remember correctly)
+
** Internet history files
+
*** index.dat
+
*** firefox (sqllite 3)
+
** Other files
+
*** thumbs.db
+
*** pagefile?
+
 
+
* Simple fragment recovery carving using gap carving.
+
** [[User:Joachim Metz|Joachim]] have hook in for more advanced fragment recovery?
+
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
+
** [[User:Joachim Metz|Joachim]] I would propose a generic fragment detection and recovery
+
* Autonomous operation (some mode of operation should be completely non-interactive, requiring no human intervention to complete [[User:RB|RB]])
+
** [[User:Joachim Metz|Joachim]] as much as possible, but allow to be overwritten by user
+
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
+
** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time) [[User:RB|RB]]
+
** [[User:Joachim Metz|Joachim]] have multiple carving phases for precision/speed trade off?
+
* Parallelizable
+
** [[User:Joachim Metz|Joachim]] tunable for different architectures
+
* Configuration:
+
** Capability to parse some existing carvers' configuration files, either on-the-fly or as a one-way converter.
+
** Disengage internal configuration structure from configuration files, create parsers that present the expected structure
+
** [[User:Joachim Metz|Joachim]] The validator should deal with the file structure the carving algorithm should not know anything about the file structure (as in revit07 design)
+
**  Either extend Scalpel/Foremost syntaxes for extended features or use a tertiary syntax ([[User:Joachim Metz|Joachim]] I would prefer a derivative of the revit07 configuration syntax which already has encountered some problems of dealing with defining file structure in a configuration file)
+
* Can output audit.txt file.
+
* [[User:Joachim Metz|Joachim]] Can output database with offset analysis values i.e. for visualization tooling
+
* [[User:Joachim Metz|Joachim]] Can output debug log for debugging the algorithm/validation
+
* Easy integration into ascription software.
+
** [[User:Joachim Metz|Joachim]] I'm no native speaker what do you mean with "ascription software"?
+
:: I think this was another non-native requesting easy scriptability. [[User:RB|RB]] 14:20, 31 October 2008 (UTC)
+
:::: [[User:Joachim Metz|Joachim]] that makes sense ;-)
+
* [[User:Joachim Metz|Joachim]] When the tool output files the filenames should contain the offset in the input data (in hexadecimal?)
+
* [[User:Joachim Metz|Joachim]] Should the tool allow to export embedded files?
+
* [[User:Joachim Metz|Joachim]] Should the tool allow to export fragments separately?
+
* [[User:Mark Stam|Mark]] I really like the fact carved files are named after the physical or logical sector in which the file is found (photorec)
+
* [[User:Mark Stam|Mark]] I personally use photorec often for carving files in the whole volume (not only unallocated clusters), so I can store information about all potential interesting files in MySQL
+
* [[User:Mark Stam|Mark]] It would also be nice if the files can be hashed immediately (MD5) so looking for them in other tools (for example Encase) is a snap
+
 
+
= Ideas =
+
* Use as much TSK if possible. Don't carry your own FS implementation the way photorec does.
+
:: [[User:Joachim Metz|Joachim]] using TSK as much as possible would not allow to add your own file system support (i.e. mobile phones, memory structures, cap files) I would propose wrapping TSK and using it as much as possible but allow to integrate own FS implementations.
+
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+
:: [[User:Joachim Metz|Joachim]] this poses an interesting addition to the carver do we want to support (let's call it) 'recursive in file carving' (for now) this is different from embedded files because there is a file system structure in the file and not just another file structure
+
 
+
[[User:Capibara|Rob J Meijer]] :
+
* Use libcarvpath whenever possible and by default to avoid high storage requirements.
+
:: [[User:Joachim Metz|Joachim]] For easy deployment I would not opt for making an integral part of the tool solely dependant on a single external library or the library must be integrated in the package
+
::[[User:Capibara|Rob J Meijer]] Integrating libraries (libtsk,libaff.libewf,libcarvpath etc) is bad practice, autotools are your friend IMO.
+
:: [[User:Joachim Metz|Joachim]] I'm not talking about integrating (shared) libraries. I'm talking about that an integral part of a tool should be part of it's package. Why can't the tool package contain shared or static libraries for local use? A far worse thing to do is to have a large set of dependencies. The tool package should contain the most necessary code. afflib/libewf support could be detected by the autotools a neat separation of functionality.
+
* Dont stop with filesystem detection after the first match. Often if a partition is reused with a new FS and is not all that full yet, much of the old FS can still be valid. I have seen this with ext2/fat. The fact that you have identified a valid FS on a partition doesn't mean there isn't an(almost) valid second FS that would yield additional files. Identifying doubly allocated space might in some cases also be relevant.
+
:: [[User:Joachim Metz|Joachim]] What your saying is that dealing with file system fragments should be part of the carving algorithm
+
* Allow use where filesystem based carving is done by other tool, and the tool is used as second stage on (sets of) unallocated block (pseudo) files and/or non FS partition (pseudo) files.
+
:: [[User:Joachim Metz|Joachim]] I would not opt for this. The tool would be dependent on other tools and their data format, which makes the tool difficult to maintain. I would opt to integrate the functionality of having multiple recovery phases (stages) and allow the tooling to run the phases after one and other or separately.
+
::[[User:Capibara|Rob J Meijer]] More generically, I feel a way should exist to communicate the 'left overs' a previous (non open, for example LE-only) tool left.
+
:: [[User:Joachim Metz|Joachim]] I guess if the tool is designed to handle multiple phases it should store its data somewhere. So it should be possible to convert results of such non open tooling to the format required. However I would opt to design the recovery functionality of these non-open tools into open tools. And not to limit ourselves making translators due to the design of these non-open tools.
+
* Ability to be used as a library instead of a tool. Ability to access metadata true library, and thus the ability to set metadata from the carving modules. This would be extremely usefull for integrating the project into a framework like ocfa.
+
:: [[User:Joachim Metz|Joachim]] I guess most of the code could be integrated into libraries, but I would not opt integrating tool functionality into a library
+
* A wild idea that I hope at least one person will have a liking for: It might be very interesting to look at the possibilities of using a multi process style of module support and combine it with a least authority design. On platforms that support AppArmor (or similar) and uid based firewall rules, this could make for the first true POLA (principle of least authority) based forensic tool ever. POLA based forensics tools should make for a strong integrity guard against many anti forensics. Alternatively we could look at integrating a capability secure language (E?) for implementation of at least validation modules. I don't expect this idea to make it, but mentioning it I hope might spark off less strong alternatives that at least partially address the integrity + anti-forensics problem. If we can in some way introduce POLA to a wider forensics public, other tools might also pick up on it what would be great. 
+
* [[User:Mark Stam|Mark]] I think it would be very handy to have a CSV, TSV, XML or other delimited output (log)file with information about carved files. This output file can then be stored in a database or Excel sheet (report function)
+
 
+
== Format syntax specification ==
+
* Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat [[User:.FUF|.FUF]] 20:51, 28 October 2008 (UTC)
+
** This has the opportunity to be extended to the concept of "point at blob FOO and interpret it as BAR"
+
.FUF added:
+
The main idea is to allow users to define structures, for example (in pascal-like form):
+
 
+
<pre>
+
Field1: Byte = 123;
+
SomeTextLength: DWORD;
+
SomeText: string[SomeTextLength];
+
Field4: Char = 'r';
+
...
+
</pre>
+
 
+
This will produce something like this:
+
<pre>
+
Field1 = 123
+
SomeTextLength = 5
+
SomeText = 'abcd1'
+
Field4 = 'r'
+
</pre>
+
 
+
(In text or raw forms.)
+
 
+
Opinions?
+
 
+
Opinion: Simple pattern identification like that may not suffice, I think Simson's original intent was not only to identify but to allow for validation routines (plugins, as the original wording was).  As such, the format syntax would need to implement a large chunk of some programming language in order to be sufficiently flexible. [[User:RB|RB]]
+
 
+
[[User:Joachim Metz|Joachim]]
+
In my option your example is too limited. Making the revit configuration I learned you'll need a near programming language to specify some file formats.
+
A simple descriptive language is too limiting. I would also go for 2 bytes with endianess instead of using terminology like WORD and small integer, it's much more clear. The configuration also needs to deal with aspects like cardinality, required and optional structures.
+
:: This is simply data structures carving, see ideas above. Somebody (I cannot track so many changes per day) separated the original text. There is no need to count and join different structures. [[User:.FUF|.FUF]] 19:53, 31 October 2008 (UTC)
+
:::: [[User:Joachim Metz|Joachim]] This was probably me is the text back in it's original form?
+
:::: I started it by moving your Revit07 comment to the validator/plugin section in [http://www.forensicswiki.org/index.php?title=Carver_2.0_Planning_Page&diff=prev&oldid=7583 this edit], since I was still at that point thinking operational configuration for that section, not parser configurations. [[User:RB|RB]]
+
:::: [[User:Joachim Metz|Joachim]] I renamed the title to format syntax, clarity is important ;-)
+
 
+
Please take a look at the revit07 configuration. It's not there yet but goes a far way. Some things currently missing:
+
* bitwise alignment
+
* handling encapsulated streams (MPEG/capture files)
+
* handling content based formats (MBOX)
+
 
+
=Caving algorithm =
+
[[User:Joachim Metz|Joachim]]
+
* should we allow for multiple carving phases (runs/stages)?
+
:: I opt yes (separation of concern)
+
* should we allow for multiple carving algorithms?
+
:: I opt yes, this allows testing of different approaches
+
* Should the algorithm try to do as much in 1 run over the input data? To reduce IO?
+
:: I opt that the tool should allow for multiple and single run over the input data to minimize the IO or the CPU as bottleneck
+
* Interaction between algorithm and validators
+
** does the algorithm passes data blocks to the validators?
+
** does a validator need to maintain a state?
+
** does a validator need to revert a state?
+
** How do we deal with embedded files and content validation? Do the validators call another validator?
+
* do we use the assumption that a data block can be used by a single file (with the exception of embedded/encapsulated files)?
+
* Revit07 allows for multiple concurrent result files states to deal with fragmentation. One has the attribute of being active (the preferred) and the other passive. Do we want/need something similar? The algorithm adds block of input data (offsets) to these result files states.
+
** if so what info would these result files states require (type, list of input data blocks)
+
* how do we deal with file system remainders?
+
** Can we abstract them and compare them against available file system information?
+
* Do we carve file systems in files?
+
:: I opt that at least the validator uses this information
+
 
+
==Caving scenarios ==
+
[[User:Joachim Metz|Joachim]]
+
* normal file (file structure, loose text based structure (more a content structure?))
+
* fragmented file (the file entirely exist)
+
* a file fragment (the file does not entirely exist)
+
* intertwined file
+
* encapsulated file (MPEG/network capture)
+
* embedded file (JPEG thumbnail)
+
* obfuscation ('encrypted' PFF) this also entails encryption and/or compression
+
* file system in file
+
 
+
=File System Awareness =
+
==Background: Why be File System Aware?==
+
Advantages of being FS aware:
+
* You can pick up sector allocation sizes
+
:: [[User:Joachim Metz|Joachim]] do you mean file system block sizes?
+
* Some file systems may store things off sector boundaries. (ReiserFS with tail packing)
+
* Increasingly file systems have compression (NTFS compression)
+
* Carve just the sectors that are not in allocated files.
+
 
+
==Tasks that would be required==
+
 
+
==Discussion==
+
:: As noted above, TSK should be utilized as much as possible, particularly the filesystem-aware portion.  If we want to identify filesystems outside of its supported set, it would be more worth our time to work on implementing them there than in the carver itself.  [[User:RB|RB]]
+
 
+
:::: I guess this tool operates like [[Selective file dumper]] and can recover files in both ways (or not?). Recovering files by using carving can recover files in situations where sleuthkit does nothing (e.g. file on NTFS was deleted using ntfs-3g, or filesystem was destroyed or just unknown). And we should build the list of filesystems supported by carver, not by TSK. [[User:.FUF|.FUF]] 07:08, 29 October 2008 (UTC)
+
 
+
:: This tool is still in the early planning stages (requirements discovery), hence few operational details (like precise modes of operation) have been fleshed out - those will and should come later.  The justification for strictly using TSK for the filesystem-sensitive approach is simple: TSK has good filesystem APIs, and it would be foolish to create yet another standalone, incompatible implementation of filesystem(foo) when time would be better spent improving those in TSK, aiding other methods of analysis as well.  This is the same reason individuals that have implemented several other carvers are participating: de-duplication of effort.  [[User:RB|RB]]
+
 
+
[[User:Joachim Metz|Joachim]] I would like to have the carver (recovery tool) also do recovery using file allocation data or remainders of file allocation data.
+
 
+
[[User:Joachim Metz|Joachim]]
+
I would go as far to ask you all to look beyond the carver as a tool and look from the perspective of the carver as part of the forensic investigation process. In my eyes certain information needed/acquired by the carver could be also very useful investigative information i.e. what part of a hard disk contains empty sectors.
+
 
+
=Supportive tooling=
+
[[User:Joachim Metz|Joachim]]
+
* validator (definitions) tester (detest in revit07)
+
* tool to make configuration based definitions
+
* post carving validation
+
* the carver needs to provide support for fuse mount of carved files (carvfs)
+
 
+
=Testing =
+
[[User:Joachim Metz|Joachim]]
+
* automated testing
+
* test data
+
 
+
=Validator Construction=
+
Options:
+
* Write validators in C/C++
+
** [[User:Joachim Metz|Joachim]] you mean dedicated validators
+
* Have a scripting language for writing them (python? Perl?) our own?
+
** [[User:Joachim Metz|Joachim]] use easy to embed programming languages i.e. Phyton or Lua
+
* Use existing programs (libjpeg?) as plug-in validators?
+
** [[User:Joachim Metz|Joachim]] define a file structure api for this
+
 
+
=Existing Code that we have=
+
[[User:Joachim Metz|Joachim]]
+
Please add any missing links
+
 
+
Documentation/Articles
+
* DFRWS2006/2007 carving challenge results
+
* DFRWS2008 paper on carving
+
 
+
Carvers
+
* DFRWS2006/2007 carving challenge results
+
* photorec (http://www.cgsecurity.org/wiki/PhotoRec)
+
* revit06 and revit07 (http://sourceforge.net/projects/revit/)
+
* s3/scarve
+
 
+
Possible file structure validator libraries
+
* divers existing file support libraries
+
* libole2 (inhouse experimental code of OLE2 support)
+
* libpff (alpha release for PFF (PST/OST) file support) (http://sourceforge.net/projects/libpff/)
+
 
+
Input support
+
* AFF (http://www.afflib.org/)
+
* EWF (http://sourceforge.net/projects/libewf/)
+
* TSK device & raw & split raw (http://www.sleuthkit.org/)
+
 
+
Volume/Partition support
+
* disktype (http://disktype.sourceforge.net/)
+
* testdisk (http://www.cgsecurity.org/wiki/TestDisk)
+
* TSK
+
 
+
File system support
+
* TSK
+
* photorec FS code
+
* implementations of FS in Linux/BSD
+
 
+
Content support
+
 
+
Zero storage support
+
* libcarvpath
+
* carvfs
+
 
+
POLA
+
* joe-e (java)
+
* Emily (ocaml)
+
* the E language
+
* AppArmor
+
* iptables/ipfw
+
* minorfs
+
* plash
+
 
+
=Implementation Timeline=
+
# gather the available resources/ideas/wishes/needs etc. (I guess we're in this phase)
+
# start discussing a high level design (in terms of algorithm, facilities, information needed)
+
## input formats facility
+
## partition/volume facility
+
## file system facility
+
## file format facility
+
## content facility
+
## how to deal with fragment detection (do the validators allow for fragment detection?)
+
## how to deal with recombination of fragments
+
## do we want multiple carving phases in light of speed/precision tradeoffs
+
# start detailing parts of the design
+
## Discuss options for a grammar driven validator?
+
## Hard-coded plug-ins?
+
## Which existing code can we use?
+
# start building/assembling parts of the tooling for a prototype
+
## Implement simple file carving with validation.
+
## Implement gap carving
+
# Initial Release
+
# Implement the ''threaded carving'' that [[User:.FUF|.FUF]] is describing above.
+
 
+
[[User:Joachim Metz|Joachim]] Shouldn't multi threaded carving (MTC) not be part of the 1st version?
+
The MT approach makes for different design decisions
+

Revision as of 09:42, 15 April 2013

PLEASE READ BEFORE YOU EDIT THE LISTS BELOW
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).
Some events may be limited to Law Enforcement Only or to a specific audience. Such restrictions should be noted when known.

This is a BY DATE listing of upcoming events relevant to digital forensics. It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic conferences page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into three sections (described as follows):

  1. Calls For Papers - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)

  2. Conferences - Conferences relevant for Digital Forensics (Name, Date, Location, URL)

  3. Training Courses and Providers - Training

Contents

Calls For Papers

Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.

Title Due Date Notification Date Website
5th International Conference on Digital Forensics & Cyber Crime (ICDF2C 2013) Apr 30, 2013 Jun 01, 2013 http://d-forensics.org/2013/show/cf-papers
2nd Cyberpatterns: Unifying Design Patterns with Security, Attack and Forensic Patterns Workshop May 20, 2013 Jun 10, 2013 http://tech.brookes.ac.uk/CyberPatterns2013
29th Annual Computer Security Applications Conference Jun 01, 2013 Aug 15, 2013 http://www.acsac.org/2013/cfp/
AAFS 66th Annual Scientific Meeting Aug 01, 2013 http://www.aafs.org/aafs-66th-annual-scientific-meeting

See also WikiCFP 'Forensics'

Conferences

Title Date/Location Website
8th Annual Workshop on Digital Forensics and Incident Analysis (WDFIA) May 08-10
Lisbon, Portugal
http://www.wdfia.org/default.asp
European Information Security Multi-Conference (EISMC 2013) May 08-10
Lisbon, Portugal
http://www.eismc.org/
IEEE Symposium on Security & Privacy May 19-23
San Francisco, CA
http://www.ieee-security.org/TC/SP2013/index.html
International Workshop on Cyber Crime May 24
San Francisco, CA
http://stegano.net/IWCC2013/
Techno Security and Forensics Investigation Conference Jun 02-05
Myrtle Beach, SC
http://www.thetrainingco.com/html/Security%20Conference%202013.html
Mobile Forensics World Jun 02-05
Myrtle Beach, SC
http://www.techsec.com/html/MFC-2013-Spring.html
ADFSL 2013 Conference on Digital Forensics, Security and Law Jun 10-12
Richmond, VA
http://www.digitalforensics-conference.org/index.htm
FIRST Conference Jun 16-21
Bangkok, Thailand
http://conference.first.org/2013/
The 1st ACM Workshop on Information Hiding and Multimedia Security Jun 17-19
Montpellier, France
http://ihmmsec.org/
28th IFIP TC-11 SEC 2013 International Information Security and Privacy Conference Jul 08-10
Auckland, New Zealand
http://www.sec2013.org/
The Second International Workshop on Cyber Patterns: Unifying Design Patterns with Security, Attack and Forensic Patterns Jul 08-09
Abingdon, Oxfordshire, United Kingdom
http://tech.brookes.ac.uk/CyberPatterns2013
Symposium On Usable Privacy and Security Jul 24-26
Newcastle, United Kingdom
http://cups.cs.cmu.edu/soups/2013/
BlackHat USA Jul 27-Aug 01
Las Vegas, NV
https://www.blackhat.com/us-13/
DFRWS 2013 Aug 04-07
Monterey, CA
http://dfrws.org/2013
Regional Computer Forensics Group GMU 2013 Aug 05-09
Fairfax, VA
http://www.rcfg.org
6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '13) Aug 12
Washington, DC
https://www.usenix.org/conferences?page=1
8th USENIX Workshop on Hot Topics in Security (HotSec '13) Aug 13
Washington, DC
https://www.usenix.org/conferences?page=1
22nd USENIX Security Symposium - USENIX Security '13 Aug 14-16
Washington, DC
https://www.usenix.org/conference/usenixsecurity13
6th International Workshop on Digital Forensics (WSDF 2013) Sep 02-06
Regensburg, Germany
http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
2013 HTCIA International Conference & Training Expo Sep 08-11
Summerlin, NV
http://www.htciaconference.org/
New Security Paradigms Workshop (NSPW) Sep 09-12
The Banff Center, Canada
http://www.nspw.org/current/
Regional Summit Sep 10-12
Istanbul, Turkey
https://www.blackhat.com/is-13/
French-Speaking Days on Digital Investigations - Journées Francophones de l'Investigation Numérique Sep 10-12
Neuchâtel, Switzerland
https://www.afsin.org/
5th International Conference on Digital Forensics & Cyber Crime Sep 25-27
Moscow, Russia
http://d-forensics.org/2013/show/home
VB2013 - the 23rd Virus Bulletin International Conference Oct 02-04
Berlin, Germany
http://www.virusbtn.com/conference/vb2013/index
16th International Symposium on Research in Attacks, Intrusions and Defenses Oct 23-25
St. Lucia
http://www.raid2013.org/
4th Annual Open Source Digital Forensics Conference Nov 04-05
Chantilly, VA
http://www.basistech.com/about-us/events/open-source-forensics-conference/
Black Hat Regional Summit Nov 26-27
Sao Paulo, Brazil
https://www.blackhat.com/sp-13
29th Annual Computer Security Applications Conference Dec 09-13
New Orleans, LA
http://www.acsac.org
AAFS 66th Annual Scientific Meeting Feb 17-22
Seattle, WA
http://www.aafs.org/aafs-66th-annual-scientific-meeting

See Also

References