vassil roussev the current forensic workflow
play

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) - PowerPoint PPT Presentation

Aug 26, 2023 •288 likes •590 views

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s @10MB/s ~5.5 hrs ~82.5 hrs 129 * We can start working on the case after 88 hours. * http://accessdata.com/distributed-processing 2 Scalable

  1. Vassil Roussev

  2. The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s @10MB/s ~5.5 hrs ~82.5 hrs 129 *  We can start working on the case after 88 hours. * http://accessdata.com/distributed-processing 2

  3. Scalable Forensic Workflow Clone Forensic Target (3TB) Process @150MB/s  We can start working on the case immediately . 3

  4. Current Forensic Processing  Hashing/filtering/correlation  File carving/reconstruction  Indexing The ultimate goal of this work is to make similarity hash-based correlation scalable & I/O-bound. 4

  5. Motivation for similarity approach: Traditional hash filtering is failing  Known file filtering: o Crypto-hash known files, store in library (e.g. NSRL) o Hash files on target o Filter in/out depending on interest  Challenges o Static libraries are falling behind  Dynamic software updates, trivial artifact transformations  We need version correlation o Need to find embedded objects  Block/file in file/volume/network trace o Need higher-level correlations  Disk-to-RAM  Disk-to-network 5

  6. Scenario #1: Fragment Identification Source artifacts (files) v Disk fragments (sectors) Network fragments (packets)  Given a fragment, identify source o Fragments of interest are 1-4KB in size o Fragment alignment is arbitrary 6

  7. Scenario #2: Artifact Similarity Similar files Similar drives (shared content/format) (shared blocks/files)  Given two binary objects, detect similarity/versioning o Similarity here is purely syntactic; o Relies on commonality of the binary representations. 7

  8. Solution: Similarity Digests sdhash sdhash sdhash sdhash sdbf 1 sdbf 2 sdbf 1 sdbf 2 sdhash sdhash Is this fragment present on the drive? Are these artifacts correlated?  0 .. 100  0 .. 100 All correlations based on bitstream commonality 8

  9. Quick Review: Similarity digests & sdhash 9

  10. Generating sdhash fingerprints (1) Digital artifact (block/file/packet/volume) as byte stream … Features (all 64-byte sequences) 10

  11. Generating sdhash fingerprints (2) Digital artifact … Select characteristic features (statistically improbable/rare) 11

  12. Generating sdhash fingerprints (3) Feature Selection Process All features Weak H norm  Feature 0..1000 Filter 0.18 0.16 0.14 Data with low information content 0.12 Probability 0.10 0.08 Rare 0.06 Local 0.04 0.02 Feature 0.00 0 100 200 300 400 500 600 700 800 900 1000 Selector (a) H norm distribution: doc H norm  doc files 12

  13. Generating sdhash fingerprints (4) 8-10K avg 8-10K avg 8-10K avg SHA-1 SHA-1 SHA-1 … = Artifact SD fingerprint bf 3 bf 1 + bf 2 + Sequence of Bloom filters (sdbf) Bloom filter  local SD fingerprint  256 bytes  up to 128/160 features 13

  14. Bloom filter (BF) comparison A bf A 0 .. 100 BF Score bitwise AND B bf B Based on BF theory, overlap due to chance is analytically predictable. Additional BF overlap is proportional to overlap in features. BF Score is tuned such that BF Score (A random , B random ) = 0. 14

  15. SDBF fingerprint comparison … SD B 1 2 m SD A bf B bf B bf B … 1 1 ,bf B 1 ) 1 ,bf B 2 ) 1 ,bf B m ) bf A BF Score (bf A BF Score (bf A BF Score (bf A max 1 … 2 bf A 2 ,bf B 1 ) 2 ,bf B 2 ) 2 ,bf B m ) BF Score (bf A BF Score (bf A BF Score (bf A max 2 … … … … … n bf A n ,bf B 1 ) n ,bf B 2 ) n ,bf B m ) max n BF Score (bf A BF Score (bf A BF Score (bf A SD Score (A,B) = Average(max 1 , max 2 , …, max n ) 15

  16. Scaling up: Block-aligned digests & parallelization 16

  17. Block-aligned similarity digests ( sdbf-dd ) 16K 16K 16K SHA-1 SHA-1 SHA-1 … = Artifact SD fingerprint bf 3 bf 1 + bf 2 + Sequence of Bloom filters (sdbf-dd) Bloom filter  local SD fingerprint  256 bytes  up to 192 features 17

  18. Advantages & challenges for block- aligned similarity digests (sdbf-dd)  Advantages Parallelizable computation o Direct mapping to source data o Shorter (1.6% vs 2.6% of source) o  Faster comparisons (fewer BFs)  Challenges Less reliable for smaller files o Sparse data o Compatibility with sdbf digests o  Solution Increase features for sdbf filters: 128  160 o Use 192 features per BF for sdbf-dd filters o Use compatible BF parameters to allow sdbf  sdbf-dd comparisons o 18

  19. sdhash 1.6: sdbf vs. sdbf-dd accuracy 19

  20. Sequential throughput: sdhash 1.3  Hash generation rate o Six-core Intel Xeon X5670 @ 2.93GHz ~27MB/s per core o Quad-Core Intel Xeon @ 2.8 GHz ~20MB/s per core  Hash comparison o 1MB vs. 1MB: 0.5ms  T5 corpus (4,457 files, all pairs) o 10mln file comparisons in ~ 15min  667K file comps per second  Single core 20

  21. sdhash 1.6: File-parallel generation rates on 27GB real data (in RAM) 21

  22. sdhash 1.6: Optimal file-parallel generation: 5GB synthetic target (RAM) 22

  23. sdhash-dd: Hash generation rates 10GB in-RAM target (RAM) 23

  24. Throughput summary: sdhash 1.6  Parallel hash generation o sdbf: file-parallel execution  260 MB/s on 12-core/24-threaded machine o sdbf-dd: block-parallel execution  370 MB/s (SHA1 — > 330MB/s)  Optimized hash comparison rates o 24 threads: 86.6 mln BF/s  1.4 TB/s for small file comparison (<16KB) I.e., we can search for a small file in a reference set of 1.4TB in 1s 24

  25. The Envisioned Architecture 25

  26. The Current State libsdbf CLI: sdhash Service: sdbf_d API Files: Network: Client: Disk: Cluster: Client: sdhash- sdhash- C/C++ C# Python sdhash-dd sdbfCluster sdbfWeb sdbfViz file pcap 26

  27. Todo List (1)  libsdbf o C++ rewrite (v2.0) o TBB parallelization  sdhash-file o More command line options/compatibility w/ssdeep o Service-based processing (w/ sdbf_d )  GPU acceleration  sdhash-pcap o Pcap-aware processing:  payload extraction, file discovery, timelining 27

  28. Todo List (2)  sdbf_d o Persistance: XML o Service interface: JSON o Server clustering  sdbfWeb o Browser-based management/query  sdbfViz o Large-scale visualization & clustering 28

  29. Further Development  Integration w/ RDS sdhash-set : construct SDBF s from existing SHA1 sets o  Compare/identify whole folders, distributions, etc.  Structural feature selection E.g., exe/dll, pdf , zip, … o  Optimizations Sampling o Skipping o  Under min continuous block assumption Cluster “core” extraction/comparison o  Representation Multi-resolution digests o New crypto hashes o Data offsets o 29

  30. Thank you!  http://roussev.net/sdhash wget http://roussev.net/sdhash/sdhash-1.6.zip o make o ./sdhash o  Contact: Vassil Roussev vassil@roussev.net  Reminder DFRWS’12: Washington DC, Aug 6-8 Paper deadline: Feb 20, 2012 Data sniffing challenge to be released shortly 30

Recommend

Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company &amp; setup

Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company &amp; setup

DFRWS12 /Aug 5-8 2012/Washington DC Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company &amp; setup Employees: o President: Pat McGoo o IT: Terry o Researchers: Jo, Charlie Period o 11/16/2009

673 views • 50 slides
Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Epigenetic age signatures in the forensically relevant body fluid of semen Hwan Yong Lee Department of Forensic Medicine Yonsei University College of Medicine Seoul, Korea Current Forensic DNA Typing o Forensic cases -- matching suspect with

533 views • 14 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico Marziale, Golden G. Richard III, Vassil Roussev Me: Professor of Computer Science Co-founder, Digital Forensics Solutions golden@cs.uno.edu

489 views • 28 slides
workflow: workflow: QSPR = Quantitative Structure Property

workflow: workflow: QSPR = Quantitative Structure Property

workflow: workflow: QSPR = Quantitative Structure Property Relationship workflow: workflow: 1600 1500 1400 1300 1200 1100 1000 900 mass (Da) 800 700 600 500 400 300 200 100 0 -5 -4 -3 -2 -1

793 views • 33 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides
Day 8 Workflow Cloud Resource Provisioning Todays Agenda Introduction What is workflow?

Day 8 Workflow Cloud Resource Provisioning Todays Agenda Introduction What is workflow?

2/7/2018 Day 8 Workflow Cloud Resource Provisioning Todays Agenda Introduction What is workflow? What are major QoS requirements? How is workflow represented? Our work in workflow scheduling Research problems

470 views • 13 slides
10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI, the prevalence of containment in prison/forensic system is high: men 15%; women 31% For people exhibiting symptoms: 67 % greater likelihood of

366 views • 7 slides
DNA methylation profiling for body fluid identification Hwan Young Lee, Ph.D. Department of

DNA methylation profiling for body fluid identification Hwan Young Lee, Ph.D. Department of

DNA methylation profiling for body fluid identification Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence o Paternity

309 views • 13 slides
GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays Entity Thursday, October 27, 2016 PRESENTER : COLLIN A. A. GREENLAND, Forensic Accountant, MBA, FJIM, CFE, CFSA, CFC. 1 To Sensitize /

1.12k views • 88 slides
Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao,

Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao,

Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao, Spain Michael Jessen BKA, Forensic Science Institute: Forensic Speech &amp; Audio Department Guidelines Forensic Semiautomatic and Automatic

308 views • 13 slides
Cannabis Some Challenges with Determining Impairment - A Forensic Toxicologists

Cannabis Some Challenges with Determining Impairment - A Forensic Toxicologists

Cannabis Some Challenges with Determining Impairment - A Forensic Toxicologists Perspective. Dr. Michael R. Corbett Ph.D., LL.M., F-ABFT, FCSFS Forensic Toxicologist, Chemical Review Services Inc. Adjunct Professor, Forensic Science

688 views • 38 slides
Kap. 12 Workflow Management in ERP-Systemen 12.1 Workflow Management: Konzepte 12.2 Einbindung

Kap. 12 Workflow Management in ERP-Systemen 12.1 Workflow Management: Konzepte 12.2 Einbindung

Kap. 12 Workflow Management in ERP-Systemen 12.1 Workflow Management: Konzepte 12.2 Einbindung von Workflow Management- Funktionalitt in ERP-Systeme 12.3 SAP Business Workflows Objektverwaltung hherer Ordnung (OHO) SS 2001 Kapitel 12:

746 views • 27 slides
Peoplesoft Workflow Peoplesoft Workflow Technology Technology Putting Customer First SOA IT

Peoplesoft Workflow Peoplesoft Workflow Technology Technology Putting Customer First SOA IT

Peoplesoft Workflow Peoplesoft Workflow Technology Technology Putting Customer First SOA IT Putting Customer First Highlights Introduction Workflow Understanding Workflow Components of Workflow Steps for Developing

843 views • 56 slides
Forensic Mental Health Care in the Texas State Hospital System Matthew Faubion, M.D. Forensic

Forensic Mental Health Care in the Texas State Hospital System Matthew Faubion, M.D. Forensic

Forensic Mental Health Care in the Texas State Hospital System Matthew Faubion, M.D. Forensic Psychiatrist Chief of Forensic Medicine Health and Specialty Care System HHSC Overview The Forensic Patient in Texas Pre-Admission Clinical

690 views • 37 slides
qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University Specialist, Swedish National Laboratory of Forensic Science Forensic science Every contact leaves a trace Edmond Locard (1877 1966) Forensic

1.32k views • 78 slides

More recommend