Real Time Event Recording System, the tool for Digital Forensics Investigation

Abstract:
This is a tool-type application that records system events (e.g. file delete, file execute) on a central server. These are the events that Digital Forensic Investigators typically rely on when investigating an offensive event, e.g. a machine hosting an attack.

Problem Statement:
Whenever digital evidence has to be provided for an investigation, the very first and most important task an investigator performs is to dig out all past events that occurred on, with, or using a particular computer or device: e.g. all the different files deleted, the processes and executables run, etc. This dig-out can be done with many different tools; a typical example is a "file un-delete" tool, chosen depending on the type of information being recovered. Even though many advanced tools and technologies are available, it is not always possible to dig out every event that happened in the past. The success rate of this postmortem depends on many factors.

Description:

  • The proposed tool is based on the concept of "Record When It Happens/Occurs".
  • This tool should cover and support all types of operating systems and devices.

Important benefits of having such a tool are:

  • The biggest advantage of the proposed system is that even if the device is physically destroyed or absent, the events that occurred on it are preserved.
  • The success rate of retrieving past events in an evidentially presentable condition is very high, close to 100%.

Among others, the following are sample events that can be treated as digital evidence:

  • an object (file) deleted from the disk/device
  • an EXE being executed
  • contents sent for printing
  • a network resource being accessed
  • calls made through IP phones

The proposed tool will "record" all or specific events on the central server. It will operate in "On Line" as well as "Off Line" mode. Events should be stored in such a way that the device on which each event occurred, and the time at which it occurred, can be identified. As in source code control tools, a "Delta Storing" concept can be implemented to optimize the amount of data stored. Almost all devices already have mechanisms to record events, but these have limitations.
E.g. the "Event Logs" on the Windows operating system record many different events, but they are stored "locally" in a file, and anyone with access can delete or clear these logs. Apart from this, if the Windows box is reimaged, almost everything is lost. On a cell phone, the "Call Log" records the numbers of incoming and outgoing calls, but there is a limit on the maximum number of records a phone can preserve.
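As an added illustration (not part of the original proposal), the following Python sketch shows how a device-side agent could implement the points above: each record carries the device identifier and time of occurrence, records are spooled locally in order while the server is unreachable ("Off Line" mode) and flushed when the link returns ("On Line" mode), and per-object delta storing keeps only the attributes that changed since the previous record. The server class, device id and file path are constructed placeholders.

```python
import time
from collections import deque
class CentralServer:
    """Constructed stand-in for the central server: keeps every record it accepts."""
    def __init__(self):
        self.online = True
        self.store = []          # records kept server-side, independent of the device

    def accept(self, record):
        if not self.online:
            return False         # delivery failed: the agent keeps the record spooled
        self.store.append(record)
        return True

class EventRecorder:
    """Device-side recorder: stamps events with device id and time, spools when offline."""
    def __init__(self, device_id, send):
        self.device_id = device_id
        self.send = send         # callable(record) -> True once the server has stored it
        self.spool = deque()     # ordered local queue used in "Off Line" mode
        self.last_state = {}     # last known attributes per object, for delta storing
    def record(self, event, obj, state=None, ts=None):
        state = state or {}
        prev = self.last_state.get(obj, {})
        # delta storing: keep only the attributes that changed since the last record
        delta = {k: v for k, v in state.items() if prev.get(k) != v}
        self.last_state[obj] = {**prev, **state}
        self.spool.append({"device": self.device_id, "ts": ts if ts is not None else time.time(),
                           "event": event, "object": obj, "delta": delta})
        return self.flush()

    def flush(self):
        """Deliver spooled records oldest-first; stop at the first failure to keep order."""
        delivered = 0
        while self.spool and self.send(self.spool[0]):
            self.spool.popleft()
            delivered += 1
        return delivered

def demo():
    server = CentralServer()
    agent = EventRecorder("WS-0042", server.accept)       # constructed device id
    agent.record("file_create", "C:/docs/plan.txt", {"size": 120, "owner": "alice"}, ts=1000)
    server.online = False                                  # link drops: Off Line mode
    agent.record("file_modify", "C:/docs/plan.txt", {"size": 130, "owner": "alice"}, ts=1001)
    agent.record("file_delete", "C:/docs/plan.txt", ts=1002)
    queued = len(agent.spool)
    server.online = True                                   # link back: On Line mode
    return server.store, queued, agent.flush()
```

In a real deployment the transport would be an authenticated network call and the spool would be persisted to disk, but the ordering, tagging and delta logic stay the same.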


Speaker: Madhav Limaye

Madhav is currently working as a Senior Technical Specialist with one of the leading software companies. Prior to this, he served as Technical Leader for a product reporting on network vulnerabilities across all types of IP devices and operating systems, while working with one of the leading security companies. During this period, Madhav analyzed many Microsoft Security Bulletins to generate data input points for the product.