Difference between pages "Upcoming events" and "Disk Imaging"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(On-going / Continuous Training)
 
(Decryption while imaging)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
{{expand}}
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]]. It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volumes, network streams, etc.
  
This listing is divided into four sections (described as follows):<br>
+
The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]].
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
This can be a time consuming process especially for disks with a large capacity.
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations. This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv. 
+
The process of disk imaging is also referred to as disk duplication.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
== Disk Imaging Solutions ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
See: [[:Category:Disk Imaging|Disk Imaging Solutions]]
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Due Date
+
! Website
+
|-
+
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
|Sep 8, 2008
+
|http://www.ieee-icc.org/2009/cfp.html
+
|-
+
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Oct 15, 2008
+
|http://www.ifip119.org/Conferences/WG11-9-CFP-2009.pdf
+
|-
+
|ShmooCon 2009
+
|Dec 01, 2008
+
|http://www.shmoocon.org/cfp.html
+
|-
+
|3rd Edition of Small Scale Digital Device Forensics Journal
+
|Jan 31, 2009
+
|http://www.ssddfj.org/Call.asp
+
|-
+
|4rd International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|Feb 01, 2009
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|2009 ADFSL Conference on Digital Forensics, Security and Law
+
|Feb 20, 2009
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|}
+
  
== Conferences ==
+
== Common practice ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
It common practice to use a [[Write Blockers|Write Blocker]] when imaging a pyhical disk. The write blocker is an additional measure to prevent write access to the disk.
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location
+
! Website
+
|-
+
|2nd French-Speaking Days on Digital Investigations - Journées Francophones de l'Investigation Numérique 2008
+
|Sep 03-05, Vandoeuvre-lès-Nancy, France
+
|http://www.afsin.org/
+
|-
+
|1st Workshop on Open Source Software for Computer and Network Forensics
+
|Sep 07-10, Milan Italy
+
|http://conferenze.dei.polimi.it/ossconf/index.php
+
|-
+
|11th International Symposium on Recent Advances in Intrusion Detection
+
|Sep 15-17, Cambridge, MA
+
|http://www.ll.mit.edu/IST/RAID2008/
+
|-
+
|4th International Conference on IT Incident Management & IT Forensics
+
|Sep 23-25, Mannheim,  Germany
+
|http://www.imf-conference.org/
+
|-
+
|Open Web Application Security Project (OWASP) AppSec 2008 Conference
+
|Sep 24-25, New York City, NY
+
|http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
+
|-
+
|VB2008 anti-malware conference
+
|Oct 01-03, Ottawa, Canada
+
|http://www.virusbtn.com/conference/vb2008/
+
|-
+
|ENFSI Forensic IT Working Group meeting Limited to law enforcement
+
|Oct 01-03, Madrid, Spain
+
|http://www.enfsi.eu/page.php?uid=2
+
|-
+
|ANZFSS - 19th International Symposium on the Forensic Sciences
+
|Oct 06-09, Melbourne, Australia
+
|http://www.anzfss2008.org.au/
+
|-
+
|13th European Symposium on Research in Computer Security
+
|Oct 06-08, Malaga, Spain
+
|http://www.isac.uma.es/esorics08/
+
|-
+
|Economic and High Tech Crime Summit 2008
+
|Oct 07-08, Memphis, TN
+
|http://summit.nw3c.org/
+
|-
+
|3rd International Conference on Malicious and Unwanted Software
+
|Oct 07-08, Alexandria, VA
+
|http://isiom.wssrl.org/index.php?option=com_docman&task=cat_view&gid=45&Itemid=53
+
|-
+
|First Eurasian Congress of Forensic Sciences
+
|Oct 08-11, Istanbul, Turkey
+
|http://www.adlitip2008.com/indexen.asp
+
|-
+
|3nd International Annual Workshop on Digital Forensics & Incident Analysis
+
|Oct 09, Malaga, Spain
+
|http://www.icsd.aegean.gr/wdfia08/
+
|-
+
|Anti-Phishing Working Group eCrime Researchers Summit
+
|Oct 15-16, Atlanta, GA
+
|http://www.ecrimeresearch.org/
+
|-
+
|2008 HTCIA International Training Conference
+
|Oct 22-28, Atlantic City, NJ
+
|http://www.htcia.org/conference.shtml
+
|-
+
|2008 International Video Evidence Symposium and Training Conference
+
|Oct 22-24, Orlando, FL
+
|http://leva.org/index.php?option=com_content&task=view&id=56&Itemid=98
+
|-
+
|Hack in the Box Security Conference 2008
+
|Oct 27-30, Malaysia
+
|http://conference.hitb.org/hitbsecconf2008kl/
+
|-
+
|Paraben Forensics Innovation Conference
+
|Nov 09-12, Park City, UT
+
|http://www.pfic2008.com/
+
|-
+
|DeepSec 2008
+
|Nov 11-14, Vienna, Austria
+
|https://deepsec.net/
+
|-
+
|Digital Forensics Forum Arabia 2008
+
|Dec 15-17, Manama, Bahrain
+
|http://dff-worldwide.com/index.php?page=dff-arabia-2008-conference&hl=en_US
+
|-
+
|2009 DoD Cyber Crime Conference
+
|Jan 24-30, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 25-28, Orlando, FL
+
|http://www.ifip119.org/Conferences/
+
|-
+
|ShmooCon 2009
+
|Feb 06-08, Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|American Academy of Forensic Sciences Annual Meeting
+
|Feb 16-21, Denver, CO
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|24th Annual ACM Symposium on Applied Computing - Computer Forensics Track
+
|Mar 08-12, Honolulu, HI
+
|http://www.acm.org/conferences/sac/sac2009
+
|-
+
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|May 22, Oakland, CA
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|ADFSL 2009 Conference on Digital Forensics, Security and Law
+
|May 20-22, Burlington, VT
+
|http://www.digitalforensics-conference.org
+
|-
+
|2009 Techno Security Conference
+
|May 31- Jun 03, Myrtle Beach, SC
+
|http://www.techsec.com/index.html
+
|-
+
|Mobile Forensics World 2009
+
|Jun 03 - Jun 06, Chicago, IL
+
|http://www.mobileforensicsworld.com
+
|-
+
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
|Jun 14-18, Dresden, Germany
+
|http://www.ieee-icc.org/2009/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 17-19, Montreal, Quebec, Canada
+
|http://www.dfrws.org
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
Also see: [[DCO and HPA|Device Configuration Overlay (DCO) and Host Protected Area (HPA)]]
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location or Venue
+
! Website
+
|-
+
|Distance Learning
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|Recurring Training
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Third weekend of every month (Fri-Mon), Dallas, TX
+
|http://www.md5group.com
+
|-
+
|}
+
  
==[[Scheduled Training Courses]]==
+
== Integrity ==
 +
Often when creating a disk image a [http://en.wikipedia.org/wiki/Cryptographic_hash_function cryptographic hash] is calculated of the entire disk. Commonly used cryptographic hashes are MD5, SHA1 and/or SHA256.
 +
 
 +
 
 +
By recalculating the integrity hash at a later time, one can determine if the data in the disk image has been changed. This by itself provides no protection against intentional tampering, but can indicate that the data was altered, e.g. due to corruption. The integrity hash does not indicate where int he data the alteration has occurred. Therefore some image tools and/or formats provide for additional integrity checks like:
 +
* A checksum
 +
* Parity data
 +
* [[Piecewise hashing]]
 +
 
 +
== Smart imaging ==
 +
Smart imaging is a combination of techniques to make the imaging process more intelligent.
 +
* Compressed storage
 +
* Deduplication
 +
* Selective imaging
 +
* Decryption while imaging
 +
 
 +
=== Compressed storage ===
 +
 
 +
A common technique to reduce the size of an image file is to compress the data. Where the compression method should be [http://en.wikipedia.org/wiki/Lossless_data_compression lossless].
 +
On modern computers, with multiple cores, the compression can be done in parallel reducing the output without prolonging the imaging process.
 +
Since the write speed of the target disk can be a bottleneck in imaging process, parallel compression can reduce the total time of the imaging process.
 +
[[Guymager]] was one of the first imaging tools to implement the concept of multi-process compression for the [[Encase image file format]]. This technique is now used by various imaging tools including [http://www.tableau.com/index.php?pageid=products&model=TSW-TIM Tableau Imager (TIM)]
 +
 
 +
Other techniques like storing the data sparse, using '''empty-block compression''' or '''pattern fill''', can reduce the total time of the imaging process and the resulting size of new non-encrypted (0-byte filled) disks.
 +
 
 +
=== Deduplication ===
 +
Deduplication is the process of determining and storing data that occurs more than once on-disk, only once in the image.
 +
It is even possible to store the data once for a corpus of images using techniques like hash based imaging.
 +
 
 +
=== Selective imaging ===
 +
Selective imaging is a technique to only make a copy of certain information on a disk like the $MFT on an [[NTFS]] volume with the necessary contextual information.
 +
 
 +
[[EnCase]] Logical Evidence Format (LEF) is an example of a selective image; although only file related contextual information is stored in the format by [[EnCase]].
 +
 
 +
=== Decryption while imaging ===
 +
Encrypted data is worst-case scenario for compression. Because the encryption process should be deterministic, a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed and encrypt it again on-the-fly if required. Although this should be rare since the non-encrypted data is what undergoes analysis.
 +
 
 +
== Also see ==
 +
* [[:Category:Forensics_File_Formats|Forensics File Formats]]
 +
* [[Write Blockers]]
 +
* [[Piecewise hashing]]
 +
* [[Memory Imaging]]
 +
 
 +
== External Links ==
 +
* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]
 +
 
 +
=== Hash based imaging ===
 +
* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]
 +
 
 +
[[Category:Disk Imaging]]

Revision as of 04:29, 28 July 2012

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volumes, network streams, etc.

The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a Forensics image format. This can be a time consuming process especially for disks with a large capacity.

The process of disk imaging is also referred to as disk duplication.

Disk Imaging Solutions

See: Disk Imaging Solutions

Common practice

It common practice to use a Write Blocker when imaging a pyhical disk. The write blocker is an additional measure to prevent write access to the disk.

Also see: Device Configuration Overlay (DCO) and Host Protected Area (HPA)

Integrity

Often when creating a disk image a cryptographic hash is calculated of the entire disk. Commonly used cryptographic hashes are MD5, SHA1 and/or SHA256.


By recalculating the integrity hash at a later time, one can determine if the data in the disk image has been changed. This by itself provides no protection against intentional tampering, but can indicate that the data was altered, e.g. due to corruption. The integrity hash does not indicate where int he data the alteration has occurred. Therefore some image tools and/or formats provide for additional integrity checks like:

Smart imaging

Smart imaging is a combination of techniques to make the imaging process more intelligent.

  • Compressed storage
  • Deduplication
  • Selective imaging
  • Decryption while imaging

Compressed storage

A common technique to reduce the size of an image file is to compress the data. Where the compression method should be lossless. On modern computers, with multiple cores, the compression can be done in parallel reducing the output without prolonging the imaging process. Since the write speed of the target disk can be a bottleneck in imaging process, parallel compression can reduce the total time of the imaging process. Guymager was one of the first imaging tools to implement the concept of multi-process compression for the Encase image file format. This technique is now used by various imaging tools including Tableau Imager (TIM)

Other techniques like storing the data sparse, using empty-block compression or pattern fill, can reduce the total time of the imaging process and the resulting size of new non-encrypted (0-byte filled) disks.

Deduplication

Deduplication is the process of determining and storing data that occurs more than once on-disk, only once in the image. It is even possible to store the data once for a corpus of images using techniques like hash based imaging.

Selective imaging

Selective imaging is a technique to only make a copy of certain information on a disk like the $MFT on an NTFS volume with the necessary contextual information.

EnCase Logical Evidence Format (LEF) is an example of a selective image; although only file related contextual information is stored in the format by EnCase.

Decryption while imaging

Encrypted data is worst-case scenario for compression. Because the encryption process should be deterministic, a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed and encrypt it again on-the-fly if required. Although this should be rare since the non-encrypted data is what undergoes analysis.

Also see

External Links

Hash based imaging