SlideShare a Scribd company logo

File000162

Desmond Devendran, profile picture
Desmond Devendran

The document discusses a new digital forensic data capture device called the Forensic Dossier launched by Logicube. The Dossier allows investigators to capture data from suspect drives at speeds of up to 6GB per minute. It supports capturing from RAID drives and various flash media. The Dossier features built-in support for many drive types and connections. It includes advanced authentication and other forensic features. The Dossier will be showcased at the 2009 International CES conference in Las Vegas.

TechnologyDesign
1 of 19
Downloaded 46 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Module XLIX - Investigating Search Keywords
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Logicube Launches Digital Forensic Data Capture Device Logicube® Inc., the industry’s leader in hard drive duplication technology, has launched the Forensic Dossier™, the newest addition to its line of eForensics data capture solutions. The Dossier is the fastest digital forensic data capture device on the market today, allowing investigators to capture and authenticate at speeds approaching 6GB/min. Users can capture data from one or two suspect drives to one or two evidence drives. This sophisticated solution provides built-in support for capture from a RAID drive pair (0, 1, JBOD) and can capture data from a variety of flash media devices with a built-in media reader. The versatile Dossier features built-in support for SATA and IDE drives with optional support for SCSI and SAS drives scheduled to be available in late spring of this year. The Dossier also provides built-in USB and firewire connectivity and features support for most solid state drives and supports microSATA and eSATA drives with optional cables. “Developed to meet the complex challenges of digital forensic investigators, the Dossier is the cornerstone of a future- focused platform of forensic products from Logicube. Sophisticated but easy to use, the Dossier’s design ensures investigators will keep pace with advanced digital technology used in criminal activities”, commented Farid Emrani, Vice President and COO of Logicube. The Dossier features the highest level of authentication with the ability to compute MD5 and SHA-256 hash concurrently. The Dossier also includes a drive spanning feature (scheduled to be available in spring 2009) that allows users to capture from one large suspect drive to two smaller evidence drives. Other features include DD image files, keyword search, audit trail reporting, and an internal flash memory to store keyword lists, software updates and reports and a touch screen display for easy navigation. The Dossier will be featured in the Logicube booth (#73640) at the 2009 International CES show held in Las Vegas, Nevada January 8th through January 11th. Source: http://pr-usa.net/
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Keyword Search • Keyword Search List • Index-Based Keyword Searching • Bitwise Searching • Keyword Search Techniques • Odyssey Keyword Search This module will familiarize you with:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Odyssey Keyword Search Bitwise SearchingKeyword Search Index-Based Keyword Searching Keyword Search List Keyword Search Techniques
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search Keywords are also known as Seed Information as they are the starting point of the investigation Keyword searching for terms relating to a case can be an important source for experts charged with uncovering digital clues in a forensic investigation Experts frequently conduct keyword searches of active files, deleted files, unallocated space, cookies, logs, temporary Internet files, etc. to search for evidence Crafting a keyword search term list that will help pinpoint relevant information is crucial to successful keyword search results Crafting the best keyword search may require trial and error, and the list may need to be refined as the expert begins to uncover virtual clues
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search (cont’d) An experienced investigator usually maintains a collection of search lists from his previous cases Keyword search list can be built on an existing list Keyword list can be re-used for a similar case directly Search list is a part of systematic mechanism for knowledge collection, management, sharing, and reuse that offer decision support for the investigators
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Developing a Keyword Search List • The number of keywords in a given list will vary depending upon the type of the forensic investigation and the facts of the case • When choosing which words to incorporate in the list, concentrate on the terms that are at the heart of the case • Focusing on the most relevant terms will avoid being over inclusive of the irrelevant data while offering the greatest likelihood of finding responsive information Select keywords with care: • Searching for “whole words,” which match exact instances of a word, will significantly cut down on search time • For example, the term Sally (instead of Sal) will avoid finding irrelevant words like salmon, salamander or salt Reduce search time using “whole words”: When formulating a keyword search list, consider the following tips:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Developing a Keyword Search List (cont’d) • When looking for a particular document, isolating specific phrases likely to be found in the document can help achieve good results Consider multiple word phrases: • Noise words, such as “it, a, an, and, the,” initials, numbers, and acronyms can result in an unreasonably high number of matches being returned Avoid noise words, initials, numbers, and acronyms: • In addition to sorting through gigabytes of information during a keyword search, a computer forensic expert can assist users in selecting a set of keywords most likely to yield relevant results Engage expert assistance:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Index-Based Keyword Searching Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process Indexing allows the time consuming task of keyword searching to be divided into an indexing phase which may run unattended and an interactive searching phase where the index is used to rapidly locate keywords An index is in a sense simply a list of offsets for occurrences of keywords
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Bitwise Searching Bitwise searching looks for simple text strings or regular expression matches in any sectors on a drive including both unallocated and slack space A full bitwise search may be more relevant if a hard disk is being searched for deleted files or residual fragments of their content and when searching for complex regular expressions(for example, looking for all strings that match a credit card number or phone number) The ability to perform regular expression searches enables the examiner to search for non-text (binary) values such as file headers as well as complex text terms The criminal might change the extension of files to hide the files but the investigator can find all files of the given type even if someone has changed his name by searching for files based on signatures in his header
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search Techniques • Regular expressions provide a more expressible language for describing objects of interest than keywords • Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses and files of specific type • Forensic utilities such as EnCase can be used for regular expression searches • Regular expression searches suffer from false positives and false negatives because not all types of data can be adequately defined using regular expressions Regular expression search: • It uses matching algorithm that permits character mismatches when searching for keyword or pattern • User must specify the degree of mismatches allowed • Approximate matching can detect misspelled words, but mismatches also increase the number of false positives Approximate matching search:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search Techniques (cont’d) • Custom searches are programmed using a general purpose programming language for satisfying more complex criteria Custom searches: • Search of modification is an automated search for data objects that have been modified since specified moments in the past • Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash • A library of expected hashes must be built prior to the search • Modification of a file can also be inferred from modification of its timestamp • Investigator assumes that a file is always modified simultaneously with its timestamp, and since the timestamp is modified, he infers that the file was modified too Search of modifications:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Choice of Searching Methodology Investigations require a combination of context specific searching techniques and the methodology Factors affecting the choice and order of searching include: • If the suspect is aware that he is under investigation, file-based content may have been deleted, which leans toward bitwise searching • If the content is likely to be present on the drive intact, index-based searching may be more effective Awareness of suspect: • If there is a chance that the content resides in PDF, XLS, or HWP file, index-based searching will be more thorough • A preliminary bitwise search for the header bytes from these file types and subsequent recovery of deleted files before the index-based search will combine both techniques for the maximum effectiveness Likely data format:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Issues with Keyword Searching Keywords are rarely sufficient to specify the desired type of data objects precisely Output of keyword search can contain false positives and negatives Encryption, compression, or inability of the search utility to interpret certain data format lead to false negative
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Odyssey Keyword Search http://basistech.com/ Odyssey Digital Forensics is software that finds all keyword variations with one search Odyssey combines industry-leading language technology from Basis Technology, the Rosette® Linguistics Platform, with a high-performance search system that can analyze disk image files acquired from standard forensic tools • Displayed left to right or right to left (as in Middle-Eastern languages) • Stored with bits aligned left to right or right to left (“little Endian” or “big Endian”) • Encoded in UTF-8, UTF-16, or UTF-32 Unicode or any of dozens of legacy text encoding systems Odyssey recognizes text regardless of whether the text:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Screenshot
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Summary Keywords are also known as Seed Information as they are the starting point of the investigation Keyword search list can be built on an existing list Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process Bitwise searching looks for simple text strings or regular expression matches in any sectors on a drive including both unallocated and slack space Investigations require a combination of context specific searching techniques, and the methodology Odyssey Digital Forensics is software that finds all keyword variations with one search
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

More Related Content

PDF
File000163
Desmond Devendran
 
PDF
File000169
Desmond Devendran
 
PDF
File000176
Desmond Devendran
 
PDF
File000168
Desmond Devendran
 
PDF
File000166
Desmond Devendran
 
PDF
File000172
Desmond Devendran
 
PDF
CHFI
Desmond Devendran
 
PDF
File000116
Desmond Devendran
 
File000163
Desmond Devendran
 
File000169
Desmond Devendran
 
File000176
Desmond Devendran
 
File000168
Desmond Devendran
 
File000166
Desmond Devendran
 
File000172
Desmond Devendran
 
CHFI
Desmond Devendran
 
File000116
Desmond Devendran
 

What's hot (20)

PDF
File000118
Desmond Devendran
 
PDF
File000117
Desmond Devendran
 
PDF
File000114
Desmond Devendran
 
PDF
File000113
Desmond Devendran
 
PDF
File000120
Desmond Devendran
 
PDF
File000167
Desmond Devendran
 
PDF
File000119
Desmond Devendran
 
PDF
Chfi V3 Module 01 Computer Forensics In Todays World
gueste0d962
 
PDF
CS6004 Cyber Forensics - UNIT IV
ArthyR3
 
PPTX
Case study on Physical devices used in Computer forensics.
Vishal Tandel
 
PPT
Introduction to computer forensic
Online
 
PPTX
Cyber Incident Response & Digital Forensics Lecture
Ollie Whitehouse
 
PDF
File000175
Desmond Devendran
 
PPT
Forensic Lab Development
amiable_indian
 
PDF
An introduction to cyber forensics and open source tools in cyber forensics
Zyxware Technologies
 
PDF
CS6004 Cyber Forensics - UNIT V
ArthyR3
 
PPTX
Lect 6 computer forensics
Kabul Education University
 
DOCX
Forensic laboratory setup requirements
Sonali Parab
 
PPTX
Computer forensics
deaneal
 
PPT
Digital Forensics
Nicholas Davis
 
File000118
Desmond Devendran
 
File000117
Desmond Devendran
 
File000114
Desmond Devendran
 
File000113
Desmond Devendran
 
File000120
Desmond Devendran
 
File000167
Desmond Devendran
 
File000119
Desmond Devendran
 
Chfi V3 Module 01 Computer Forensics In Todays World
gueste0d962
 
CS6004 Cyber Forensics - UNIT IV
ArthyR3
 
Case study on Physical devices used in Computer forensics.
Vishal Tandel
 
Introduction to computer forensic
Online
 
Cyber Incident Response & Digital Forensics Lecture
Ollie Whitehouse
 
File000175
Desmond Devendran
 
Forensic Lab Development
amiable_indian
 
An introduction to cyber forensics and open source tools in cyber forensics
Zyxware Technologies
 
CS6004 Cyber Forensics - UNIT V
ArthyR3
 
Lect 6 computer forensics
Kabul Education University
 
Forensic laboratory setup requirements
Sonali Parab
 
Computer forensics
deaneal
 
Digital Forensics
Nicholas Davis
 
Ad

Similar to File000162 (20)

PPTX
Rightsizing Open Source Software Identification
nexB Inc.
 
PDF
II-SDV 2017: Localizing International Content for Search, Data Mining and Ana...
Dr. Haxel Consult
 
PPT
Technical skills in multimedia for odl learners
Daniel Koloseni
 
PPTX
Routine Maintenance of Computer Systems and Basic Internet Search Skills
Idowu Adegbilero-Iwari
 
PPTX
FAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM
 
PPTX
ERA CoBioTech Data Management Webinar
FAIRDOM
 
PPTX
Improving your team’s source code searching capabilities
Nikos Katirtzis
 
PPTX
Improving your team's source code searching capabilities - Voxxed Thessalonik...
Nikos Katirtzis
 
PDF
CS6007 information retrieval - 5 units notes
Anandh Arumugakan
 
PDF
PatSeer Overview
Gridlogics
 
PPTX
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
DOCX
Privacy-Preserving Multi-keyword Top-k Similarity Search Over Encrypted Data
CloudTechnologies
 
PDF
Enterprise Search Share Point2009 Best Practices Final
Marianne Sweeny
 
PPTX
Reveal - An Enterprise Clinical Data Search Solution
d-Wise Technologies
 
PPTX
Research Data (and Software) Management at Imperial: (Everything you need to ...
Sarah Anna Stewart
 
PPTX
Securing APIs with Open Policy Agent
Nordic APIs
 
PPTX
Securing APIs with Open Policy Agent
Anders Eknert
 
PPTX
CSC315_LECTURE on database design and management
tissandavid
 
PPTX
Introduction to Information Retrieval (concepts and principles)
ImtithalSaeed1
 
PPTX
What is Document Indexing? A tutorial for intelligent data capture.
DocuFi, offering HAI and Infection Prevention Analytics
 
Rightsizing Open Source Software Identification
nexB Inc.
 
II-SDV 2017: Localizing International Content for Search, Data Mining and Ana...
Dr. Haxel Consult
 
Technical skills in multimedia for odl learners
Daniel Koloseni
 
Routine Maintenance of Computer Systems and Basic Internet Search Skills
Idowu Adegbilero-Iwari
 
FAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM
 
ERA CoBioTech Data Management Webinar
FAIRDOM
 
Improving your team’s source code searching capabilities
Nikos Katirtzis
 
Improving your team's source code searching capabilities - Voxxed Thessalonik...
Nikos Katirtzis
 
CS6007 information retrieval - 5 units notes
Anandh Arumugakan
 
PatSeer Overview
Gridlogics
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
Privacy-Preserving Multi-keyword Top-k Similarity Search Over Encrypted Data
CloudTechnologies
 
Enterprise Search Share Point2009 Best Practices Final
Marianne Sweeny
 
Reveal - An Enterprise Clinical Data Search Solution
d-Wise Technologies
 
Research Data (and Software) Management at Imperial: (Everything you need to ...
Sarah Anna Stewart
 
Securing APIs with Open Policy Agent
Nordic APIs
 
Securing APIs with Open Policy Agent
Anders Eknert
 
CSC315_LECTURE on database design and management
tissandavid
 
Introduction to Information Retrieval (concepts and principles)
ImtithalSaeed1
 
What is Document Indexing? A tutorial for intelligent data capture.
DocuFi, offering HAI and Infection Prevention Analytics
 
Ad

More from Desmond Devendran (20)

PDF
Siam key-facts
Desmond Devendran
 
PDF
Siam foundation-process-guides
Desmond Devendran
 
PDF
Siam foundation-body-of-knowledge
Desmond Devendran
 
PDF
Enterprise service-management-essentials
Desmond Devendran
 
PDF
Service Integration and Management
Desmond Devendran
 
PDF
Diagram of iso_22301_implementation_process_en
Desmond Devendran
 
PDF
CHFI 1
Desmond Devendran
 
PDF
File000174
Desmond Devendran
 
PDF
File000173
Desmond Devendran
 
PDF
File000171
Desmond Devendran
 
PDF
File000170
Desmond Devendran
 
PDF
File000165
Desmond Devendran
 
PDF
File000164
Desmond Devendran
 
PDF
File000161
Desmond Devendran
 
PDF
File000160
Desmond Devendran
 
PDF
File000159
Desmond Devendran
 
PDF
File000158
Desmond Devendran
 
PDF
File000157
Desmond Devendran
 
PDF
File000156
Desmond Devendran
 
PDF
File000155
Desmond Devendran
 
Siam key-facts
Desmond Devendran
 
Siam foundation-process-guides
Desmond Devendran
 
Siam foundation-body-of-knowledge
Desmond Devendran
 
Enterprise service-management-essentials
Desmond Devendran
 
Service Integration and Management
Desmond Devendran
 
Diagram of iso_22301_implementation_process_en
Desmond Devendran
 
CHFI 1
Desmond Devendran
 
File000174
Desmond Devendran
 
File000173
Desmond Devendran
 
File000171
Desmond Devendran
 
File000170
Desmond Devendran
 
File000165
Desmond Devendran
 
File000164
Desmond Devendran
 
File000161
Desmond Devendran
 
File000160
Desmond Devendran
 
File000159
Desmond Devendran
 
File000158
Desmond Devendran
 
File000157
Desmond Devendran
 
File000156
Desmond Devendran
 
File000155
Desmond Devendran
 

Recently uploaded (20)

PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Approach and Philosophy of On baking technology
30anthuong17
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
A Presentation on Touch Screen Technology
memembruh336
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
A Presentation on Artificial Intelligence
memembruh336
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 

File000162

  • 1. Module XLIX - Investigating Search Keywords
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Logicube Launches Digital Forensic Data Capture Device Logicube® Inc., the industry’s leader in hard drive duplication technology, has launched the Forensic Dossier™, the newest addition to its line of eForensics data capture solutions. The Dossier is the fastest digital forensic data capture device on the market today, allowing investigators to capture and authenticate at speeds approaching 6GB/min. Users can capture data from one or two suspect drives to one or two evidence drives. This sophisticated solution provides built-in support for capture from a RAID drive pair (0, 1, JBOD) and can capture data from a variety of flash media devices with a built-in media reader. The versatile Dossier features built-in support for SATA and IDE drives with optional support for SCSI and SAS drives scheduled to be available in late spring of this year. The Dossier also provides built-in USB and firewire connectivity and features support for most solid state drives and supports microSATA and eSATA drives with optional cables. “Developed to meet the complex challenges of digital forensic investigators, the Dossier is the cornerstone of a future- focused platform of forensic products from Logicube. Sophisticated but easy to use, the Dossier’s design ensures investigators will keep pace with advanced digital technology used in criminal activities”, commented Farid Emrani, Vice President and COO of Logicube. The Dossier features the highest level of authentication with the ability to compute MD5 and SHA-256 hash concurrently. The Dossier also includes a drive spanning feature (scheduled to be available in spring 2009) that allows users to capture from one large suspect drive to two smaller evidence drives. Other features include DD image files, keyword search, audit trail reporting, and an internal flash memory to store keyword lists, software updates and reports and a touch screen display for easy navigation. The Dossier will be featured in the Logicube booth (#73640) at the 2009 International CES show held in Las Vegas, Nevada January 8th through January 11th. Source: http://pr-usa.net/
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Keyword Search • Keyword Search List • Index-Based Keyword Searching • Bitwise Searching • Keyword Search Techniques • Odyssey Keyword Search This module will familiarize you with:
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Odyssey Keyword Search Bitwise SearchingKeyword Search Index-Based Keyword Searching Keyword Search List Keyword Search Techniques
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search Keywords are also known as Seed Information as they are the starting point of the investigation Keyword searching for terms relating to a case can be an important source for experts charged with uncovering digital clues in a forensic investigation Experts frequently conduct keyword searches of active files, deleted files, unallocated space, cookies, logs, temporary Internet files, etc. to search for evidence Crafting a keyword search term list that will help pinpoint relevant information is crucial to successful keyword search results Crafting the best keyword search may require trial and error, and the list may need to be refined as the expert begins to uncover virtual clues
  • 6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search (cont’d) An experienced investigator usually maintains a collection of search lists from his previous cases Keyword search list can be built on an existing list Keyword list can be re-used for a similar case directly Search list is a part of systematic mechanism for knowledge collection, management, sharing, and reuse that offer decision support for the investigators
  • 7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Developing a Keyword Search List • The number of keywords in a given list will vary depending upon the type of the forensic investigation and the facts of the case • When choosing which words to incorporate in the list, concentrate on the terms that are at the heart of the case • Focusing on the most relevant terms will avoid being over inclusive of the irrelevant data while offering the greatest likelihood of finding responsive information Select keywords with care: • Searching for “whole words,” which match exact instances of a word, will significantly cut down on search time • For example, the term Sally (instead of Sal) will avoid finding irrelevant words like salmon, salamander or salt Reduce search time using “whole words”: When formulating a keyword search list, consider the following tips:
  • 8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Developing a Keyword Search List (cont’d) • When looking for a particular document, isolating specific phrases likely to be found in the document can help achieve good results Consider multiple word phrases: • Noise words, such as “it, a, an, and, the,” initials, numbers, and acronyms can result in an unreasonably high number of matches being returned Avoid noise words, initials, numbers, and acronyms: • In addition to sorting through gigabytes of information during a keyword search, a computer forensic expert can assist users in selecting a set of keywords most likely to yield relevant results Engage expert assistance:
  • 9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Index-Based Keyword Searching Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process Indexing allows the time consuming task of keyword searching to be divided into an indexing phase which may run unattended and an interactive searching phase where the index is used to rapidly locate keywords An index is in a sense simply a list of offsets for occurrences of keywords
  • 10. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Bitwise Searching Bitwise searching looks for simple text strings or regular expression matches in any sectors on a drive including both unallocated and slack space A full bitwise search may be more relevant if a hard disk is being searched for deleted files or residual fragments of their content and when searching for complex regular expressions(for example, looking for all strings that match a credit card number or phone number) The ability to perform regular expression searches enables the examiner to search for non-text (binary) values such as file headers as well as complex text terms The criminal might change the extension of files to hide the files but the investigator can find all files of the given type even if someone has changed his name by searching for files based on signatures in his header
  • 11. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search Techniques • Regular expressions provide a more expressible language for describing objects of interest than keywords • Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses and files of specific type • Forensic utilities such as EnCase can be used for regular expression searches • Regular expression searches suffer from false positives and false negatives because not all types of data can be adequately defined using regular expressions Regular expression search: • It uses matching algorithm that permits character mismatches when searching for keyword or pattern • User must specify the degree of mismatches allowed • Approximate matching can detect misspelled words, but mismatches also increase the number of false positives Approximate matching search:
  • 12. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Search Techniques (cont’d) • Custom searches are programmed using a general purpose programming language for satisfying more complex criteria Custom searches: • Search of modification is an automated search for data objects that have been modified since specified moments in the past • Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash • A library of expected hashes must be built prior to the search • Modification of a file can also be inferred from modification of its timestamp • Investigator assumes that a file is always modified simultaneously with its timestamp, and since the timestamp is modified, he infers that the file was modified too Search of modifications:
  • 13. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Choice of Searching Methodology Investigations require a combination of context specific searching techniques and the methodology Factors affecting the choice and order of searching include: • If the suspect is aware that he is under investigation, file-based content may have been deleted, which leans toward bitwise searching • If the content is likely to be present on the drive intact, index-based searching may be more effective Awareness of suspect: • If there is a chance that the content resides in PDF, XLS, or HWP file, index-based searching will be more thorough • A preliminary bitwise search for the header bytes from these file types and subsequent recovery of deleted files before the index-based search will combine both techniques for the maximum effectiveness Likely data format:
  • 14. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Issues with Keyword Searching Keywords are rarely sufficient to specify the desired type of data objects precisely Output of keyword search can contain false positives and negatives Encryption, compression, or inability of the search utility to interpret certain data format lead to false negative
  • 15. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Odyssey Keyword Search http://basistech.com/ Odyssey Digital Forensics is software that finds all keyword variations with one search Odyssey combines industry-leading language technology from Basis Technology, the Rosette® Linguistics Platform, with a high-performance search system that can analyze disk image files acquired from standard forensic tools • Displayed left to right or right to left (as in Middle-Eastern languages) • Stored with bits aligned left to right or right to left (“little Endian” or “big Endian”) • Encoded in UTF-8, UTF-16, or UTF-32 Unicode or any of dozens of legacy text encoding systems Odyssey recognizes text regardless of whether the text:
  • 16. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Screenshot
  • 17. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Summary Keywords are also known as Seed Information as they are the starting point of the investigation Keyword search list can be built on an existing list Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process Bitwise searching looks for simple text strings or regular expression matches in any sectors on a drive including both unallocated and slack space Investigations require a combination of context specific searching techniques, and the methodology Odyssey Digital Forensics is software that finds all keyword variations with one search
  • 18. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  • 19. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited