Difference between pages "Upcoming events" and "Disk Imaging"

From ForensicsWiki

Upcoming events
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
Events should be posted in the correct section, and in date order. An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training). When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two-digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event (i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming events relevant to [[digital forensics]]. It is not an all-inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into four sections (described as follows):<br>
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available in an online/distance learning format (start anytime) or that are offered at the same time every month (Name, date if applicable, URL)</li><br>
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations. This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>

== Calls For Papers ==
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title
! width="15%"|Due Date
! width="15%"|Notification Date
! width="40%"|Website
|-
|23rd Computer Security Foundations Symposium
|Feb 04, 2010
|Mar 19, 2010
|http://www.floc-conference.org/CSF-cfp.html
|-
|USENIX Security Symposium 2010
|Feb 05, 2010
|Jul 05, 2010
|http://www.usenix.org/events/sec10/cfp/
|-
|Seventh GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment
|Feb 05, 2010
|Apr 05, 2010
|http://dimva2010.fkie.fraunhofer.de/cfp-dimva2010.pdf
|-
|7th International Symposium on Risk Management and Cyber-Informatics: RMCI 2010
|Feb 10, 2010
|Mar 03, 2010
|http://www.iiis2010.org/wmsci/Contents/CallForPapers-RMCI-2010.pdf
|-
|Thirtieth Annual International Cryptology Conference
|Feb 18, 2010
|Apr 30, 2010
|http://www.iacr.org/conferences/crypto2010/cfp.php
|-
|2010 Conference on Digital Forensics, Security and Law
|Feb 19, 2010
|
|http://www.digitalforensics-conference.org/callforpapers.htm
|-
|Digital Forensic Research Workshop (DFRWS) 2010
|Feb 28, 2010
|Apr 05, 2010
|http://dfrws.org/2010/cfp.shtml
|-
|Blackhat Europe 2010
|Mar 01, 2010
|
|http://blackhat.com/html/bh-eu-10/registration/bh-eu-10-cfp.html
|-
|Symposium On Usable Privacy and Security
|Mar 05, 2010
|Apr 30, 2010
|http://cups.cs.cmu.edu/soups/2010/cfp.html
|-
|20th Virus Bulletin International Conference
|Mar 05, 2010
|
|http://www.virusbtn.com/conference/vb2010/call/index
|-
|European Symposium on Research in Computer Security
|Apr 01, 2010
|Jun 10, 2010
|http://www.esorics2010.org/index.php?option=com_content&view=article&id=1&Itemid=3
|-
|13th Annual Recent Advances in Intrusion Detection
|Apr 04, 2010
|Jun 07, 2010
|http://www.raid2010.org/calls-for-participation
|-
|6th International Conference on Security and Privacy in Communication Networks
|Apr 05, 2010
|May 31, 2010
|http://www.securecomm.org/cfp.shtml
|-
|ACM Computer and Communications Security Conference
|Apr 17, 2010
|Jun 21, 2010
|http://www.sigsac.org/ccs/CCS2010/cfp.shtml
|-
|2010 IEEE International Conference on Technologies for Homeland Security
|Apr 24, 2010
|
|http://ieee-hst.org/
|-
|2nd International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C)
|May 01, 2010
|Jun 15, 2010
|http://www.d-forensics.org/callforpapers.shtml
|-
|2nd International Workshop on Security in Cloud Computing (SCC'2010)
|May 01, 2010
|Jun 07, 2010
|http://bingweb.binghamton.edu/~ychen/SCC2010.htm
|-
|}

See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']

== Conferences ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|-
|DoD Cyber Crime Conference
|Jan 22-29<br>St. Louis, MO
|http://www.dodcybercrime.com/10CC/
|-
|ShmooCon VI
|Feb 05-07<br>Washington, DC
|http://www.shmoocon.org
|-
|International Conference on Technical and Legal Aspects of the e-Society
|Feb 10-15<br>St. Maarten, Netherlands Antilles
|http://www.iaria.org/conferences2010/CYBERLAWS10.html
|-
|Third International Workshop on Digital Forensics
|Feb 15-18<br>Krakow, Poland
|http://www.ares-conference.eu/conf/index.php/workshops/wsdf
|-
|American Academy of Forensic Sciences Annual Meeting
|Feb 22-27<br>Seattle, WA
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
|-
|17th Network and IT Security Conference
|Feb 38-Mar 03<br>San Diego, CA
|http://www.isoc.org/isoc/conferences/ndss/10/
|-
|RSA Conference 2010
|Mar 01-05<br>San Francisco, CA
|http://www.rsaconference.com/2010/usa/index.htm
|-
|CanSecWest 2010
|Mar 22-26<br>Vancouver, British Columbia, Canada
|http://cansecwest.com/index.html
|-
|Blackhat Europe 2010
|Apr 12-15<br>Barcelona, Spain
|http://blackhat.com/html/bh-eu-10/bh-eu-10-home.html
|-
|31st IEEE Symposium on Security and Privacy
|May 16-19<br>Oakland, CA
|http://oakland31.cs.virginia.edu/
|-
|AusCERT Asia Pacific Information Security Conference
|May 16-21<br>Kenmore Hills, Queensland, Australia
|http://conference.auscert.org.au/conf2010/index.html
|-
|Conference on Digital Forensics, Security and Law 2010
|May 19-21<br>St. Paul, MN
|http://www.digitalforensics-conference.org/index.htm
|-
|Blackhat Abu Dhabi 2010
|May 30-Jun 02<br>Abu Dhabi, UAE
|http://blackhat.com/html/events.html
|-
|Techno-Security 2010
|Jun 06-09<br>Myrtle Beach, SC
|http://www.thetrainingco.com/html/Security_Conference_2010.html
|-
|7th International Symposium on Risk Management and Cyber-Informatics
|Jun 29-Jul 02<br>Orlando, FL
|http://www.2010iiisconferences.org/RMCI
|-
|Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment
|Jul 08-09<br>Bonn, Germany
|http://dimva2010.fkie.fraunhofer.de/
|-
|Symposium On Usable Privacy and Security
|Jul 14-16<br>Redmond, WA
|http://cups.cs.cmu.edu/soups/2010/
|-
|CSF 2010 - 23rd Computer Security Foundations Symposium
|Jul 17-19<br>Edinburgh, Scotland, UK
|http://www.floc-conference.org/CSF-home.html
|-
|Blackhat USA 2010
|Jul 24-29<br>Las Vegas, NV
|http://blackhat.com/html/events.html
|-
|Digital Forensic Research Workshop (DFRWS) 2010
|Aug 02-04<br>Portland, OR
|http://dfrws.org/2010/
|-
|19th USENIX Security Symposium
|Aug 11-13<br>Washington, DC
|http://www.usenix.org/events/sec10/
|-
|30th International Cryptology Conference
|Aug 15-19<br>Santa Barbara, CA
|http://www.iacr.org/conferences/crypto2010/
|-
|6th International Conference on Security and Privacy in Communication Networks
|Sep 07-10<br>Singapore
|http://www.securecomm.org/index.shtml
|-
|2nd International Workshop on Security in Cloud Computing (SCC'2010)
|Sep 13-16<br>San Diego, CA
|http://bingweb.binghamton.edu/~ychen/SCC2010.htm
|-
|13th International Symposium on Recent Advances in Intrusion Detection
|Sep 15-17<br>Ottawa, Ontario, Canada
|http://www.raid2010.org/
|-
|European Symposium on Research in Computer Security
|Sep 20-22<br>Athens, Greece
|http://www.esorics2010.org/
|-
|2010 HTCIA International Training Conference & Exposition
|Sep 20-22<br>Atlanta, GA
|http://www.htciaconference.org/
|-
|VB2010 Fighting malware and spam
|Sep 29-Oct 01<br>Vancouver, BC, Canada
|http://www.virusbtn.com/conference/vb2010/
|-
|17th ACM Computer and Communications Security Conference
|Oct 04-08<br>Chicago, IL
|http://www.sigsac.org/ccs/CCS2010/
|-
|2nd International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C)
|Oct 04-06<br>Abu Dhabi, UAE
|http://www.d-forensics.org/
|-
|Techno Forensics 2010
|Oct 25-26<br>Gaithersburg, MD
|http://www.techsec.com/html/TechnoForensics2010.html
|-
|2010 IEEE International Conference on Technologies for Homeland Security
|Nov 08-10<br>Waltham, MA
|http://ieee-hst.org/
|-
|IFIP Working Group 11.9 - Digital Forensics
|Jan 2011<br>Unknown
|http://www.ifip119.org/Conferences/
|-
|}

== On-going / Continuous Training ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|-
|- style="background:pink;align:left"
! DISTANCE LEARNING
|-
|Basic Computer Examiner Course - Computer Forensic Training Online
|Distance Learning Format
|http://www.cftco.com
|-
|Linux Data Forensics Training
|Distance Learning Format
|http://www.crazytrain.com/training.html
|-
|SANS On-Demand Training
|Distance Learning Format
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
|-
|Champlain College - CCE Course
|Online / Distance Learning Format
|http://extra.champlain.edu/cps/wdc/alliances/cce/landing/
|-
|Las Positas College
|Online Computer Forensics Courses
|http://www.laspositascollege.edu
|-
|- style="background:pink;align:left"
!RECURRING TRAINING
|-
|MaresWare Suite Training
|First full week every month<br>Atlanta, GA
|http://www.maresware.com/maresware/training/maresware.htm
|-
|Evidence Recovery for Windows Vista&trade;
|First full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for Windows Server&reg; 2003 R2
|Second full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for the Windows XP&trade; operating system
|Third full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
|Third weekend of every month (Fri-Mon)<br>Dallas, TX
|http://www.md5group.com
|-
|}

==See Also==

* [[Scheduled Training Courses]]

==References==

* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
* [http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]

Disk Imaging

Revision as of 05:29, 28 July 2012
Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered a bit-stream, e.g. physical or logical volumes, network streams, etc.

The most straightforward disk imaging method is reading a disk from start to end and writing the data to a Forensics image format. This can be a time-consuming process, especially for disks with a large capacity.

The process of disk imaging is also referred to as disk duplication.

Disk Imaging Solutions

See: Disk Imaging Solutions

Common practice

It is common practice to use a Write Blocker when imaging a physical disk. The write blocker is an additional measure to prevent write access to the disk.

Also see: Device Configuration Overlay (DCO) and Host Protected Area (HPA)

Integrity

Often when creating a disk image a cryptographic hash is calculated over the entire disk. Commonly used cryptographic hashes are MD5, SHA1 and/or SHA256.

By recalculating the integrity hash at a later time, one can determine whether the data in the disk image has been changed. This by itself provides no protection against intentional tampering, but can indicate that the data was altered, e.g. due to corruption. The integrity hash does not indicate where in the data the alteration has occurred. Therefore some image tools and/or formats provide for additional integrity checks like:

  • A checksum
  • Parity data
  • Piecewise hashing
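The following is an added example (not code from ForensicsWiki or from any imaging tool) showing the difference between the whole-image hash and piecewise hashing described above. The "disk" is a constructed in-memory byte buffer and the 4096-byte piece size is an assumption; a real tool reads the block device instead. Both hashes are produced in the same single pass over the source, so the per-piece hashes cost no extra reads, and on verification they localise the altered piece, which the whole-image hash alone cannot do.

```python
"""Whole-image hash versus piecewise hashing of a disk image (added example)."""
import hashlib

BLOCK_SIZE = 4096  # assumed piece size for piecewise hashing


def image_disk(disk: bytes, block_size: int = BLOCK_SIZE):
    """Read the source start to end, writing an image and hashing as we go.

    Returns (image_bytes, whole_image_sha256_hex, list_of_piece_sha256_hex).
    """
    whole = hashlib.sha256()
    pieces = []
    out = bytearray()
    for off in range(0, len(disk), block_size):
        chunk = disk[off:off + block_size]
        whole.update(chunk)                          # running hash of the entire disk
        pieces.append(hashlib.sha256(chunk).hexdigest())  # hash of this piece only
        out += chunk
    return bytes(out), whole.hexdigest(), pieces


def verify_image(image: bytes, whole_hash: str, piece_hashes: list,
                 block_size: int = BLOCK_SIZE):
    """Re-hash an image later and report what changed.

    Returns (whole_hash_matches, [indices of pieces whose hash differs]).
    The whole-image hash only says *that* something changed; the piece
    hashes say *where*. Pieces past the recorded count (a grown image)
    and missing pieces (a truncated image) are both reported.
    """
    whole_ok = hashlib.sha256(image).hexdigest() == whole_hash
    n_pieces = max(len(piece_hashes), (len(image) + block_size - 1) // block_size)
    bad = []
    for i in range(n_pieces):
        chunk = image[i * block_size:(i + 1) * block_size]
        expected = piece_hashes[i] if i < len(piece_hashes) else None
        if hashlib.sha256(chunk).hexdigest() != expected:
            bad.append(i)
    return whole_ok, bad


def demo():
    """Image a constructed 10-piece disk, then corrupt one byte of piece 7."""
    disk = b"".join(bytes([i]) * BLOCK_SIZE for i in range(10))
    image, whole, pieces = image_disk(disk)
    damaged = bytearray(image)
    damaged[7 * BLOCK_SIZE + 100] ^= 0x01   # simulated single-bit corruption
    return verify_image(image, whole, pieces), verify_image(bytes(damaged), whole, pieces)


if __name__ == "__main__":
    print(demo())  # intact image: (True, []); damaged image: (False, [7])
```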

Smart imaging

Smart imaging is a combination of techniques to make the imaging process more intelligent.

  • Compressed storage
  • Deduplication
  • Selective imaging
  • Decryption while imaging

Compressed storage

A common technique to reduce the size of an image file is to compress the data; the compression method should be lossless. On modern computers with multiple cores, the compression can be done in parallel, reducing the output size without prolonging the imaging process. Since the write speed of the target disk can be a bottleneck in the imaging process, parallel compression can reduce the total time of the imaging process. Guymager was one of the first imaging tools to implement multi-process compression for the Encase image file format. This technique is now used by various imaging tools including Tableau Imager (TIM).

Other techniques, like storing the data sparse using empty-block compression or pattern fill, can reduce the total time of the imaging process and the resulting image size for new, non-encrypted (0-byte filled) disks.
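As an added example (not the code of Guymager, Tableau Imager or the EWF format), the block below combines the two ideas above: each chunk is checked for a single repeated byte first (which covers zero-filled and pattern-filled blocks and is recorded as a one-byte fill tag instead of being compressed), and all remaining chunks are compressed in parallel while the output order is preserved. The chunk size and the list-of-records container layout are assumptions for this example. It uses a thread pool because zlib releases the GIL during compression, so threads give real parallelism here; a process pool would be the alternative for pure-Python work.

```python
"""Parallel lossless compression with empty-block / pattern-fill detection (added example)."""
import zlib
from concurrent.futures import ThreadPoolExecutor

BLOCK_SIZE = 65536  # assumed chunk size


def encode_block(chunk: bytes):
    """Encode one chunk as a record (kind, payload, original_length).

    ('fill', byte, n)  - chunk is one repeated byte (zero-filled, 0xFF-erased, ...)
    ('zlib', data, n)  - anything else, deflate-compressed
    """
    if chunk and chunk == chunk[:1] * len(chunk):
        return ("fill", chunk[0], len(chunk))
    return ("zlib", zlib.compress(chunk, 6), len(chunk))


def compress_image(disk: bytes, workers: int = 4, block_size: int = BLOCK_SIZE):
    """Compress all chunks in parallel, keeping image order.

    executor.map yields results in submission order even when chunks finish
    out of order, which is what keeps the on-disk layout of the image correct.
    """
    chunks = [disk[o:o + block_size] for o in range(0, len(disk), block_size)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(encode_block, chunks))


def decompress_image(records) -> bytes:
    """Rebuild the original bit-stream from the records (lossless round trip)."""
    out = bytearray()
    for kind, payload, length in records:
        if kind == "fill":
            out += bytes([payload]) * length
        else:
            out += zlib.decompress(payload)
    return bytes(out)


def stored_size(records) -> int:
    """Bytes written for chunk data: a fill record costs only its fill byte."""
    return sum(len(p) if k == "zlib" else 1 for k, p, _ in records)


def demo():
    """Constructed disk: 3 zero blocks (fresh drive), 1 pattern block (0xFF,
    as on a factory-erased SSD) and 2 blocks of repetitive text."""
    disk = (b"\x00" * BLOCK_SIZE * 3 + b"\xff" * BLOCK_SIZE
            + (b"log line: service started\n" * 6000)[:BLOCK_SIZE * 2])
    recs = compress_image(disk)
    assert decompress_image(recs) == disk        # compression must be lossless
    kinds = [k for k, _, _ in recs]
    return kinds, stored_size(recs) < len(disk)


if __name__ == "__main__":
    print(demo())  # (['fill', 'fill', 'fill', 'fill', 'zlib', 'zlib'], True)
```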

Deduplication

Deduplication is the process of detecting data that occurs more than once on disk and storing it only once in the image. It is even possible to store the data once for a whole corpus of images using techniques like hash based imaging.
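The following added example (not the AFF4 implementation from the DFRWS paper linked below, and not any tool's code) shows block-level deduplication across a corpus: each block is addressed by its SHA-256, an image becomes an ordered list of block hashes, and the block data lives once in a store shared by every image in the corpus. The 4096-byte block size and the two constructed disks are assumptions for the example.

```python
"""Block-level deduplication across a corpus of images (added example)."""
import hashlib

BLOCK_SIZE = 4096  # assumed block size


class BlockStore:
    """Content-addressed store shared by all images of a corpus."""

    def __init__(self):
        self.blocks = {}      # sha256 hex -> block bytes (stored once)
        self.total_seen = 0   # blocks offered, duplicates included

    def put(self, chunk: bytes) -> str:
        h = hashlib.sha256(chunk).hexdigest()
        self.total_seen += 1
        # identical content hashes identically; the first copy is kept
        self.blocks.setdefault(h, chunk)
        return h

    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.blocks.values())


def dedup_image(disk: bytes, store: BlockStore, block_size: int = BLOCK_SIZE):
    """Return the image as its block map: an ordered list of block hashes."""
    return [store.put(disk[o:o + block_size]) for o in range(0, len(disk), block_size)]


def restore_image(block_map, store: BlockStore) -> bytes:
    """Rebuild the bit-stream by following the block map into the store."""
    return b"".join(store.blocks[h] for h in block_map)


def demo():
    """Two constructed disks sharing an OS-like region (blocks 0-3) and two
    zero-filled blocks; only their last two blocks differ."""
    shared = b"".join(bytes([0x41 + i]) * BLOCK_SIZE for i in range(4))
    zeros = b"\x00" * BLOCK_SIZE * 2
    disk_a = (shared + zeros + b"A-only data".ljust(BLOCK_SIZE, b"a")
              + b"more A".ljust(BLOCK_SIZE, b"b"))
    disk_b = (shared + zeros + b"B-only data".ljust(BLOCK_SIZE, b"c")
              + b"more B".ljust(BLOCK_SIZE, b"d"))
    store = BlockStore()
    map_a = dedup_image(disk_a, store)
    map_b = dedup_image(disk_b, store)
    assert restore_image(map_a, store) == disk_a
    assert restore_image(map_b, store) == disk_b
    # 16 blocks imaged, but only 9 distinct ones are stored
    return store.total_seen, len(store.blocks), store.stored_bytes()


if __name__ == "__main__":
    print(demo())  # (16, 9, 36864)
```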

Selective imaging

Selective imaging is a technique to copy only certain information on a disk, like the $MFT on an NTFS volume, together with the necessary contextual information.

EnCase Logical Evidence Format (LEF) is an example of a selective image, although only file-related contextual information is stored in the format by EnCase.
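As an added example of a selective image with contextual information (it is not the EnCase LEF format or any tool's code), the block below acquires only chosen extents of a volume and records, for each one, where it came from (volume offset and length), what it is, and its hash, so the extract can later be verified and related back to the source. The container layout (a ZIP holding a JSON manifest plus one entry per item), the constructed 64 KiB volume and the offsets of its "$MFT" region are all assumptions; on a real NTFS volume the $MFT location is read from the boot sector.

```python
"""Selective imaging: acquire chosen regions of a volume with context (added example)."""
import hashlib
import io
import json
import zipfile

# Constructed volume: 64 KiB of zeros with an MFT-like region and a file region.
VOLUME = bytearray(b"\x00" * 65536)
VOLUME[4096:4096 + 1024] = (b"FILE0" * 300)[:1024]
VOLUME[16384:16384 + 300] = (b"evidence file contents\n" * 20)[:300]

# Items to acquire: (name, volume offset, length, description)
SELECTION = [
    ("$MFT", 4096, 1024, "master file table"),
    ("users/alice/notes.txt", 16384, 300, "user document"),
]


def write_selective_image(volume: bytes, selection, source_label: str) -> bytes:
    """Return a container holding only the selected extents plus a manifest."""
    buf = io.BytesIO()
    manifest = {"source": source_label, "source_size": len(volume), "items": []}
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for idx, (name, offset, length, desc) in enumerate(selection):
            data = bytes(volume[offset:offset + length])   # only this extent is read
            entry = f"item{idx:04d}.bin"
            zf.writestr(entry, data)
            manifest["items"].append({
                "name": name, "description": desc, "entry": entry,
                "offset": offset, "length": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        zf.writestr("manifest.json", json.dumps(manifest, indent=1))
    return buf.getvalue()


def verify_selective_image(container: bytes):
    """Re-read every item and check it against its manifest hash and length.

    Returns a list of (name, source offset, ok) so a mismatch can be tied
    back to the region of the original volume it was taken from.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for item in manifest["items"]:
            data = zf.read(item["entry"])
            ok = (len(data) == item["length"]
                  and hashlib.sha256(data).hexdigest() == item["sha256"])
            results.append((item["name"], item["offset"], ok))
    return results


def demo():
    container = write_selective_image(bytes(VOLUME), SELECTION, "constructed-ntfs-volume")
    return verify_selective_image(container), len(container) < len(VOLUME)


if __name__ == "__main__":
    print(demo())
```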

Decryption while imaging

Encrypted data is the worst-case scenario for compression. Because the encryption process should be deterministic, a solution to reduce the size of an encrypted image is to store the data non-encrypted and compressed, and to encrypt it again on-the-fly if required. This should rarely be needed, since the non-encrypted data is what undergoes analysis.
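The added example below (not the code of any imaging tool) works through the reasoning above: the same content is compressed once as ciphertext and once as plaintext, and the stored plaintext is re-encrypted to show that the original ciphertext comes back byte for byte. The cipher is a deterministic counter-mode keystream built from HMAC-SHA256, an assumption made so the example runs with only the standard library; the argument carries over to the block cipher a real full-disk-encryption product uses, because for a given key, sector number and plaintext it always produces the same ciphertext. The 512-byte sector, the fixed key and the volume content are constructed.

```python
"""Store decrypted and compressed, re-encrypt on demand (added example)."""
import hashlib
import hmac
import zlib

SECTOR = 512  # assumed sector size


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Deterministic per-sector keystream: PRF(key, sector || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_sectors(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) sector by sector."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), SECTOR)):
        chunk = data[off:off + SECTOR]
        ks = keystream(key, i, len(chunk))
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def sizes(plaintext: bytes, key: bytes) -> dict:
    """Compare storing compressed ciphertext with storing compressed plaintext,
    and confirm the ciphertext can be regenerated exactly from the latter."""
    ciphertext = xor_sectors(key, plaintext)     # what the disk actually holds
    stored = zlib.compress(plaintext, 6)          # what the smart image stores
    recovered = zlib.decompress(stored)
    reencrypted = xor_sectors(key, recovered)     # produced on the fly if required
    return {
        "encrypted_compressed": len(zlib.compress(ciphertext, 6)),
        "plain_compressed": len(stored),
        "roundtrip_exact": reencrypted == ciphertext,
    }


def demo() -> dict:
    """Constructed volume content: zero sectors plus repetitive path strings,
    i.e. the kind of data that compresses well before encryption."""
    plaintext = (b"\x00" * SECTOR * 32
                 + (b"C:\\Windows\\System32\\ntdll.dll\r\n" * 2000)[:SECTOR * 32])
    key = b"\x11" * 32   # fixed constructed key so the run is reproducible
    return sizes(plaintext, key)


if __name__ == "__main__":
    print(demo())
```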

Also see

  • Forensics File Formats
  • Write Blockers
  • Piecewise hashing
  • Memory Imaging

External Links

  • Benchmarking Hard Disk Duplication Performance in Forensic Applications (http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf), by Robert Botchek

Hash based imaging

  • Hash based disk imaging using AFF4 (http://www.dfrws.org/2010/proceedings/2010-314.pdf), by Michael Cohen, Bradley Schatz