Difference between pages "Upcoming events" and "Research Topics"

From Forensics Wiki
(Difference between pages)
(Conferences)
 
m
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]]. It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
==Research Projects==
 +
===Flash Forensics===
 +
Flash storage devices offer opportunities for recovering information that is not visible by going beneath the logical layer visible to users and most operating systems. 
 +
* Access the physical layer of SD cards and/or USB flash devices. Reverse-engineer the Flash Translation Layer to find deleted data and files.
 +
''Necessary skills: social engineering the flash vendors; kernel programming; reverse-engineering.''
 +
===Stream Forensics===
 +
* Process the entire disk with one pass, or at most two, to minimize seek time. 
 +
===Evidence Falsification===
 +
* Automatically detect falsified digital evidence.
 +
===Sanitization===
 +
* Detect and diagnose sanitization attempts.
 +
===Timeline Analysis===
 +
Write a new timeline viewer that supports:
 +
* Logfile fusion (with offsets)
 +
* Logfile correlation
 +
* View logfiles in the frequency domain.
  
This listing is divided into four sections (described as follows):<br>
+
===Online Social Network Analysis===
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
* Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
===Cell Phone Exploitation===
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations. This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
====Imaging====
 +
* Image the contents of a cell phone physical memory using the JTAG interface.
 +
====Interpretation====
 +
* Develop a tool for reassembling information in a cell phone memory
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
+
==Programming Projects==
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
===SleuthKit Enhancements===
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
[[SleuthKit]] is the popular open-source system for forensics and data recovery.
 +
* Add support for a new file system:
 +
** The [[YAFFS]] [[flash file system]]. (YAFFS2 is currently used on the Google G1 phone.)
 +
** The [[JFFS2]] [[flash file system]]. (JFFS2 is currently used on the One Laptop Per Child laptop.)
 +
** [[XFAT]], Microsoft's new FAT file system.
 +
* Enhance support for an existing file system:
 +
** EXT4
 +
** Add support for NTFS encrypted files.
 +
** Report the physical location on disk of compressed files.
 +
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK. (I've already started on this if you want the code.)
 +
''Necessary skills: C programming and filesystem familiarity.''
  
== Calls For Papers ==
+
===fiwalk Enhancements===
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* Rewrite the metadata extraction system.
|- style="background:#bfbfbf; font-weight: bold"
+
* Extend [[fiwalk]] to report the NTFS "inodes."
! Title
+
! Due Date
+
! Website
+
|-
+
|6th International Conference on Applied Cryptography and Network Security
+
|Jan 14, 2008 (11:59PM EST)
+
|http://acns2008.cs.columbia.edu/cfp.html
+
|-
+
|ADFSL 2008 Conference on Digital Forensics, Security and Law
+
|Jan 15, 2008 (11:59PM EST)
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|17th USENIX Security Symposium
+
|Jan 30, 2008 (11:59 PM PST)
+
|http://www.usenix.org/sec08/cfp/
+
|-
+
|JDFSL - Special Issue on Security Issues in Online Communities
+
|Jan 31, 2008
+
|http://www.jdfsl.org/cfp-special-issue.htm
+
|-
+
|Black Hat Europe 2008 Briefings
+
|Feb 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|IEEE/SADFE-2008
+
|Feb 01, 2008
+
|http://conf.ncku.edu.tw/sadfe/sadfe08/cfp.html
+
|-
+
|Black Hat USA 2008 Briefings
+
|OPEN ON Feb 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|Digital Forensic Research Workshop (DFRWS) 2008
+
|Mar 17, 2008
+
|http://www.dfrws.org/2008/cfp.shtml
+
|-
+
|11th International Symposium on Recent Advances in Intrusion Detection
+
|Apr 04, 2008
+
|http://www.ll.mit.edu/IST/RAID2008/index.html
+
|-
+
|Black Hat Japan 2008 Briefings
+
|OPEN ON May 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|Techno-Security 2008
+
|May 04, 2008
+
|http://www.techsec.com/html/TechnoPapers.html
+
|-
+
|}
+
  
== Conferences ==
 
{| border="0" cellpadding="2" cellspacing="2" align="top"
 
|- style="background:#bfbfbf; font-weight: bold"
 
! Title
 
! Date/Location
 
! Website
 
|-
 
|SANS Security 2008
 
|Jan 11-19, New Orleans, LA
 
|http://www.sans.org/security08/
 
|-
 
|DoD Cyber Crime Conference 2008
 
|Jan 13-18, St. Louis, MO
 
|http://www.dodcybercrime.com/
 
|-
 
|e-Forensics 2008
 
|Jan 21-23, Adelaide, SA, Australia
 
|http://www.e-forensics.eu
 
|-
 
|4th Annual IFIP WG 11.9 International Conference on Digital Forensics
 
|Jan 27-30, Kyoto, Japan
 
|http://www.ifip119-kyoto.org/doku.php
 
|-
 
|ShmooCon
 
|Feb 15-17, Washington, DC
 
|http://www.shmoocon.org/
 
|-
 
|AAFS Annual Meeting 2008
 
|Feb 18-23, Washington, DC
 
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
 
|-
 
|Blackhat DC 2008 Briefings & Training
 
|Feb 18-21, Washington, DC
 
|http://www.blackhat.com/html/bh-link/briefings.html
 
|-
 
|International Workshop on Digital Forensics (WSDF’08) in Conjunction with ARES 2008
 
|Mar 04–07, Polytechnic University of Catalonia, Barcelona, Spain
 
|http://www.ares-conference.eu/conf/index.php?option=com_content&task=view&id=45
 
|-
 
|CanSecWest Security Conference 2008
 
|Mar 19-21, Vanouver, BC, Canada
 
|http://cansecwest.com/
 
|-
 
|Blackhat Europe 2008 Briefings & Training
 
|Mar 25-28, Amsterdam, Netherlands
 
|http://www.blackhat.com/html/bh-link/briefings.html
 
|-
 
|ADFSL 2008 Conference on Digital Forensics, Security and Law
 
|Apr 23-25, Oklahoma City, OK
 
|http://www.digitalforensics-conference.org
 
|-
 
|Microsoft Law Enforcement Tech Conference 2008
 
|Apr 28-30, Redmond, Washington
 
|-
 
|HTCIA/ASIS High Technology Crime Conference
 
|May 06-08, San Francisco, CA
 
|http://htciatraining.org/general_info.asp
 
|-
 
|EuSecWest Security Conference 2008
 
|May 21-22, London, England
 
|http://eusecwest.com/
 
|-
 
|3rd International Workshop on Systematic Approaches to Digital Forensic Engineering
 
|May 22, Oakland, CA
 
|http://conf.ncku.edu.tw/sadfe/sadfe08/
 
|-
 
|Techno-Security 2008
 
|Jun 01-04, Myrtle Beach, SC
 
|http://www.techsec.com/html/Techno2008.html
 
|-
 
|6th International Conference on Applied Cryptography and Network Security
 
|Jun 03-06, Columbia University, New York City, NY
 
|http://acns2008.cs.columbia.edu/
 
|-
 
|Usenix Annual Technical Conference
 
|Jun 22-27, Boston, MA
 
|http://www.usenix.com/events/usenix08/
 
|-
 
|International Association of Forensic Sciences Annual Meeting
 
|Jul 21-26, New Orleans, LA
 
|http://www.iafs2008.com/
 
|-
 
|17th USENIX Security Symposium
 
|Jul 28-Aug 01, San Jose, CA
 
|http://www.usenix.org/events/sec08/
 
|-
 
|Blackhat USA 2008 Briefings & Training
 
|Aug 02-07, Las Vegas, NV
 
|http://www.blackhat.com/html/bh-link/briefings.html
 
|-
 
|Defcon 16
 
|Aug 08-10, Las Vegas, NV
 
|http://www.defcon.org
 
|-
 
|Digital Forensic Research Workshop
 
|Aug 11-13, Baltimore, MD
 
|http://www.dfrws.org
 
|-
 
|11th International Symposium on Recent Advances in Intrusion Detection 2008
 
|Sep 15-17, Cambridge, MA
 
|http://www.ll.mit.edu/IST/RAID2008/
 
|-
 
|}
 
  
== On-going / Continuous Training ==
+
==Corpora Development==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
===Realistic Disk Corpora===
|- style="background:#bfbfbf; font-weight: bold"
+
There is need for realistic corpora that can be freely redistributed but do not contain any confidential personally identifiable information (PII).  These disk images may be either of an external drive or of a system boot drive. The drive images should have signs of ''wear'' --- that is, they should have resident files, deleted files, partially overwritten files, contiguous files, and fragmented files.
! Title
+
 
! Date/Location or Venue
+
See:
! Website
+
* Frank Adelstein (ATC-NY), Yun Gao and Golden G. Richard III (University of New Orleans): Automatically Creating Realistic Targets for Digital Forensics Investigation http://www.dfrws.org/2005/program.shtml
|-
+
 
|Basic Computer Examiner Course - Computer Forensic Training Online
+
===Realistic Network Traffic===
|Distance Learning Format
+
Generating realistic network traffic requires constructing a test network and either recording interactions within the network or with an external network.
|http://www.cftco.com
+
 
|-
+
__NOTOC__
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Third weekend of every month (Fri-Mon), Dallas, TX
+
|http://www.md5group.com
+
|-
+
|}
+
==[[Scheduled Training Courses]]==
+

Revision as of 08:48, 3 September 2009

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.

Research Projects

Flash Forensics

Flash storage devices offer opportunities for recovering information that is not visible by going beneath the logical layer visible to users and most operating systems.

  • Access the physical layer of SD cards and/or USB flash devices. Reverse-engineer the Flash Translation Layer to find deleted data and files.

Necessary skills: social engineering the flash vendors; kernel programming; reverse-engineering.

Stream Forensics

  • Process the entire disk with one pass, or at most two, to minimize seek time.

Evidence Falsification

  • Automatically detect falsified digital evidence.

Sanitization

  • Detect and diagnose sanitization attempts.

Timeline Analysis

Write a new timeline viewer that supports:

  • Logfile fusion (with offsets)
  • Logfile correlation
  • View logfiles in the frequency domain.

Online Social Network Analysis

  • Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
  • Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.

Cell Phone Exploitation

Imaging

  • Image the contents of a cell phone physical memory using the JTAG interface.

Interpretation

  • Develop a tool for reassembling information in a cell phone memory.

Programming Projects

SleuthKit Enhancements

SleuthKit is the popular open-source system for forensics and data recovery.

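  • Add support for a new file system:
    • The YAFFS flash file system. (YAFFS2 is currently used on the Google G1 phone.)
    • The JFFS2 flash file system. (JFFS2 is currently used on the One Laptop Per Child laptop.)
    • XFAT, Microsoft's new FAT file system.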
  • Enhance support for an existing file system:
    • EXT4
    • Add support for NTFS encrypted files.
    • Report the physical location on disk of compressed files.
  • Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK. (I've already started on this if you want the code.)

Necessary skills: C programming and filesystem familiarity.

fiwalk Enhancements

  • Rewrite the metadata extraction system.
  • Extend fiwalk to report the NTFS "inodes."


Corpora Development

Realistic Disk Corpora

There is a need for realistic corpora that can be freely redistributed but do not contain any confidential personally identifiable information (PII). These disk images may be either of an external drive or of a system boot drive. The drive images should have signs of wear; that is, they should have resident files, deleted files, partially overwritten files, contiguous files, and fragmented files.

See:

  • Frank Adelstein (ATC-NY), Yun Gao and Golden G. Richard III (University of New Orleans): Automatically Creating Realistic Targets for Digital Forensics Investigation http://www.dfrws.org/2005/program.shtml

Realistic Network Traffic

Generating realistic network traffic requires constructing a test network and recording interactions either within the network or with an external network.