[CSEE Talk] Talk: Zatyko on Cloud Forensics, Noon Fri 11/1, ITE 229, UMBC

Tim Finin finin at cs.umbc.edu
Tue Oct 29 22:35:47 EDT 2013


             Center for Information Security and Assurance
                University of Maryland, Baltimore County

                Cloud Forensics and its Many Challenges

                               Ken Zatyko
                   Assured Information Security, Inc.
                      kenneth.zatyko at ainfosec.com

             12-1pm, Friday 1 November 2013, ITE 229, UMBC


In this presentation, we present a challenge question for today's
cyber experts, cyber scientists, and cyber analysts.  Does Locard's
Exchange Principle apply in digital forensics? The dramatic increase
in cybercrime and the repeated cyber intrusions into critical
infrastructure demonstrate the need for improved security. The
Executive Office of the President noted on May 12, 2011 "cyber threat
is one of the most serious economic and national security challenges
we face as a nation." We believe addressing whether or not Locard's
Exchange Principle applies to digital forensics is a fundamental
question that can guide or limit the scientific search for digital
evidence.

Locard's Exchange Principle is often stated in forensics publications
as "every contact leaves a trace..." Essentially, Locard's Exchange
Principle is applied to crime scenes in which the perpetrator(s) of a
crime come into contact with the scene. The perpetrator(s) will both
bring something into the scene and leave with something from the
scene.  In the cyber world, the perpetrator may or may not come into
physical contact with the crime scene, which brings a new facet to
crime scene analysis. According to the World of Forensic Science,
Locard's publications make no mention of an "exchange principle,"
although he did make the observation "Il est impossible au malfaiteur
d'agir avec l'intensité que suppose l'action criminelle sans laisser
des traces de son passage." (It is impossible for a criminal to act,
especially considering the intensity of a crime, without leaving
traces of his presence.)

The term "principle of exchange" first appears in Police and
Crime-Detection, in 1940, and was adapted from Locard's
observations. The field of digital forensics can be strictly defined
as "the application of computer science and investigative procedures
for a legal purpose involving the analysis of digital evidence after
proper search authority, chain of custody, validation with
mathematics, use of validated tools, repeatability, reporting, and
possible expert presentation" (Zatyko, 2007). Furthermore, digital
evidence is defined as information stored or transmitted in binary
form that may be relied on in court (National Institute of Justice,
2004). However, digital forensics tools and techniques have also been
used by cyber analysts and researchers to conduct media analysis,
compile damage assessments, build timelines, and determine
attribution. According to the Department of Defense Cyber Crime
Center's training program, cyber analysts require knowledge of how
network intrusions occur, how various logs are created, what
electronic evidence is, how electronic artifacts are forensically
gathered, and the ability to analyze data to produce comprehensive
reports and link analysis charts.

Our hypothesis is that Locard's Exchange Principle does apply to cyber
crimes involving computer networks such as identity theft, electronic
bank fraud, or denial of service attacks, even if the perpetrator does
not need to physically come in contact with the crime scene. Although
the perpetrator may make virtual contact with the crime scene through
the use of a proxy machine, we believe he will still "leave a trace"
and digital evidence will exist. This presentation will explore, with
audience input, "where in the cloud is digital evidence found" and new
ways it can lead to attribution. It will explore what new standards
and techniques are needed to find these digital traces. Read-ahead
information can be found at http://bit.ly/Zatyko


Ken Zatyko was previously the Director of the Department of Defense
Computer Forensics Laboratory where he led the largest accredited,
internationally recognized, leading-edge computer forensics laboratory
located in Maryland. For several months, Mr. Zatyko has been working
with NIST on a working group to further standards and technology to
solve cloud forensics challenges. Mr. Zatyko is currently the Vice
President of Maryland Operations with Assured Information Security.


Host: Dr. Alan T. Sherman, sherman at umbc.edu
