SPRINGER BRIEFS ON CYBER SECURITY SYSTEMS AND NETWORKS Darren Quick Kim-Kwang Raymond Choo Big Digital Forensic Data Volume 1: Data Reduction Framework and Selective Imaging SpringerBriefs on Cyber Security Systems and Networks Editor-in-chief Yang Xiang, Digital Research & Innovation Capability Platform, Swinburne University of Technology, Hawthorn, Melbourne, VIC, Australia Series editors Liqun Chen, University of Surrey, Guildford, UK Kim-Kwang Raymond Choo, Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX, USA Sherman S. M. Chow, Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong Robert H. Deng, School of Information Systems, Singapore Management University, Singapore, Singapore Dieter Gollmann, Hamburg University of Technology, Hamburg, Germany Javier Lopez, University of Malaga, Malaga, Spain Kui Ren, University at Buffalo, Buffalo, NY, USA Jianying Zhou, Singapore University of Technology and Design, Singapore, Singapore The series aims to develop and disseminate an understanding of innovations, paradigms, techniques, and technologies in the contexts of cyber security systems and networks related research and studies. It publishes thorough and cohesive overviews of state-of-the-art topics in cyber security, as well as sophisticated techniques, original research presentations and in-depth case studies in cyber systems and networks. The series also provides a single point of coverage of advancedandtimelyemergingtopicsaswellasaforumforcoreconceptsthatmay not have reached a level of maturity to warrant a comprehensive textbook. It addressessecurity,privacy,availability,anddependabilityissuesforcybersystems and networks, and welcomes emerging technologies, such as artificial intelligence, cloud computing, cyber physical systems, and big data analytics related to cyber security research. The mainly focuses on the following research topics: Fundamentals and Theories (cid:129) Cryptography for cyber security (cid:129) Theories of cyber security (cid:129) Provable security Cyber Systems and Networks (cid:129) Cyber systems Security (cid:129) Network security (cid:129) Security services (cid:129) Social networks security and privacy (cid:129) Cyber attacks and defense (cid:129) Data-driven cyber security (cid:129) Trusted computing and systems Applications and Others (cid:129) Hardware and device security (cid:129) Cyber application security (cid:129) Human and social aspects of cyber security More information about this series at http://www.springer.com/series/15797 Darren Quick Kim-Kwang Raymond Choo (cid:129) Big Digital Forensic Data Volume 1: Data Reduction Framework and Selective Imaging 123 Darren Quick Kim-Kwang RaymondChoo University of SouthAustralia University of Texas atSan Antonio Adelaide, SA SanAntonio, TX Australia USA ISSN 2522-5561 ISSN 2522-557X (electronic) SpringerBriefs onCyberSecurity Systems andNetworks ISBN978-981-10-7762-3 ISBN978-981-10-7763-0 (eBook) https://doi.org/10.1007/978-981-10-7763-0 LibraryofCongressControlNumber:2018934398 ©TheAuthor(s)2018 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpart of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission orinformationstorageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilar methodologynowknownorhereafterdeveloped. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publicationdoesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfrom therelevantprotectivelawsandregulationsandthereforefreeforgeneraluse. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authorsortheeditorsgiveawarranty,expressorimplied,withrespecttothematerialcontainedhereinor for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictionalclaimsinpublishedmapsandinstitutionalaffiliations. Printedonacid-freepaper ThisSpringerimprintispublishedbytheregisteredcompanySpringerNatureSingaporePteLtd. partofSpringerNature Theregisteredcompanyaddressis:152BeachRoad,#21-01/04GatewayEast,Singapore189721, Singapore Foreword “Work smarter not harder.” So goes the age old adage. Unfortunately, we in the digital forensics community have continued to work harder and harder over the years—developing distributed computing models and tools, leveraging collabora- tion platforms, and mastering the task force approach to large scale investigation and analysis. This isn’t to say the community hasn’t benefited from increasingly “smart” tools and people. Our community is full of superb tool developers and a highlyskilled,technicallyadeptcommunityofinvestigators.“Smart”surelyisn’ta quality lacking in our field, as I continue to be impressed with technically adept practitioners, researchers, and tool developers. The future also looks bright as I peer years ahead, anticipating an increasingly smartsuiteoftoolsthatmorefullyleveragethemachinelearningwavethat’sgaining momentumandfindingitsrightfulplaceinourfield.Ilookforwardtotheday,inthe not too distant future, where the analyst’s toolkit transcends the simple ‘search, extract,andpresent’paradigmofoldandbeginstotrulyreducetheanalyticalburden andoverheadthatstillplaguestoday’sinvestigators.Yettoday,weseemtobestuck atthedangerousintersectionof“collectandsearcheveryliteralbitofevidence”and “storagecapacityanduseeclipsesmodern,commonplaceprocessingcapabilities.” Andinmyview,simplythrowingadditionalcomputeattheproblem,toindexand presentvoluminousamountsofdatatotheinvestigatorfasterisn’ttherightsolution. We aredrowning in a deluge of data, more andmore every day. This book not only provides a great review and critical analysis of the current literature surrounding big data forensics, it provides useful and paradigm shifting frameworksforapproachingtheproblemwefacetoday—wheretheamountofdata far eclipses the intelligence of our analytical platforms. Simply put, in this book, Drs. Quick and Choo provide transformative frameworks for selective imaging, quick analysis, and intelligence driven information fusion. This book provides mechanisms, backed up by empirical studies, to work smarter not harder in answering investigative questions today. Thankfully, they do so while remaining mindful of the need to preserve evidence for more in-depth analysis. v vi Foreword In this book, the authors provide useful frameworks that augment current approaches, not replace them. They provide frameworks that make investigations more effective andefficient.Theyprovide acompelling argumentfor changingthe waywe currentlydobusiness.Inshort,anyoneinterestedinadvancingthefieldof bigdataforensicswillfindthisbookagreatresourceforsurveyingthefield.Ihope andexpectthisbookwillfacilitategreaterdiscussionofthebigdatachallengesand solutions thereto in the very important field of digital investigations. San Antonio, USA Nicole Beebe, Ph.D., CISSP, CCFP, EnCE, ACE Director, The Cyber Center for Security and Analytics, Associate Professor of Cyber Security, The University of Texas at San Antonio (Computer Crime Investigator, U.S. Air Force Office of Special Investigations 1998–2007) Preface Digitalforensicanalysisistheprocessof identification,preservation,analysis, and presentation of digital and electronic evidence in a manner that is legally accept- able. A major challenge to digital forensic analysis is the ongoing growth in the volumeofdata seized andpresented for analysis. Thisisaresultof thecontinuing development of storage technology, consumer devices, and cloud storage, which hasledtoincreasingbacklogsofevidenceawaitinganalysis,oftenmanymonthsto years, affecting even the largest digital forensic labs. Therehavebeenmanycallsforresearchtoaddressthevolumechallenge.While more people are needed to undertake analysis, there is also a potential to develop innovativemethodstocollectrelevantdatatoconductanalysis,reducingthetimea practitioner spends sorting the wheat from the chaff, or looking for needles in ever-growing haystacks. Data mining is a process of knowledge discovery which may offer afaster waytounderstandtheever-increasingvolumeofdata. Applying the process of data mining to digital forensic data may lead to a methodology to assist practitioners in analyzing the vast volumes of data. Theresearchoutlinedhereininvolvedcollectingandassemblingacorpusoftest data from a range of devices: mobile phones, portable storage, and computers, as well as other sources of digital forensic data. Research was then undertaken using the collected data in relation to applying data reduction and intelligence analysis methodologies to determine which, if any, are applicable to digital forensic analysis. In the following book, a framework for data mining and data reduction is out- lined,includingamethodologyfordatareduction,whichpavesthewayforVolume 2, in which a process of quick analysis, in-depth analysis, semi-automated infor- mation and entity extraction, and link charting in conjunction with link analysis is outlined. In Volume 1, the framework is explained, and then applied to a test data corpus and real-world data to ensure the process is valid and applicable to real-world data and investigations. Thedataexperimentsobservedareductionto0.206%oftheoriginalsourcedata volume, as an example, from 8.57TB of data to 12.3GB in a digital forensic data subset.ThedatasubsetswerethenusedinVolume2toexploreprocessesofquick vii viii Preface analysis,andsemi-automatedinformationandentityextraction,includingaprocess of value adding to the data subset with open-source information, with positive results. The proposed digital forensic data reduction and data mining framework pro- vides forensic practitioners with a methodology to guide through the process of digital forensic analysis, allowing for instances where the practitioner can decide whether to undertake full forensic imaging and analysis, or rapidly collect data whichisthenprocessedandreviewedinatimelymanner.Shouldthereductionand review process not discover evidence or intelligence of value, the framework provides for this by including an ability to traverse between rapid collection and timely review, and full forensic imaging and analysis. This is not seen in other digital forensic frameworks for analysis. Adelaide, Australia Darren Quick San Antonio, USA Kim-Kwang Raymond Choo Acknowledgements The permission of Elsevier (Chap. 2) and Springer (Chap. 4) for permission to reprint the respective copyrighted material is acknowledged. The views and opinions expressed in this book are those of the authors alone and not the organizations with whom the authors have been associated or supported. ix