An End-To-End Approach to Digital Investigation
Peter Stephenson - International Institute for Digital Forensic Studies
Oct 29, 2003
Abstract

The description of digital forensics is undergoing significant change. An outgrowth of computer forensics, digital forensic science comprises computers, networks, software and non-computer devices such as routers, PDAs and cell phones. Defined primarily as the application of computer science and mathematics to matters of law, digital forensic science has application well beyond the courtroom. Important in the evolution of digital forensics are the notions of digital investigation versus digital forensics, and investigation of the entire end-to-end event rather than just some of the
In this talk we address the conducting of a digital incident post-event analysis (post mortem) using a new approach to digital investigation called the End-to-End Digital Investigation Process (EEDI). The case study used to illustrate the process will be a post mortem of a mid-sized (27,000 user) enterprise infected by the SQLSlammer worm. We will discuss the structured investigative process, the use of the Digital Investigation Process Language (DIPL), the conclusions drawn from the investigation, and the countermeasures recommended. A copy of a paper describing the event will be available for those interested in somewhat more depth on the topic.
About the Speaker

Peter Stephenson is a writer, consultant, researcher and lecturer in information protection and forensics on large-scale computer networks. He has spoken extensively on digital forensics and security, and has written or contributed to 14 books and several hundred articles in major national and international trade publications. He has lectured and delivered consulting engagements for the past 17 years in eleven countries plus the United States.
Mr. Stephenson began his information security career as a U. S. Navy cryptography technician in 1965, and has worked with computer and network communications and security since the early 1970s. He was the director of technology for the global security practice of Netigy Corporation and was the Managing Partner for the Intrusion Management & Forensics Group, LLC, a specialized security technology consulting firm, for 15 years, prior to joining QinetiQ Trusted Information Management as U.S. director of technology. While at QinetiQ, he was promoted to director of research and, ultimately, to chief technology officer for U.S. operations.
He is the developer of an operational taxonomy for information protection, as well as structured methods for vulnerability assessment, and standards-based security architecture requirements engineering. He developed the end-to-end approach to digital incident investigation and the Digital Investigation Process Language (DIPL). Mr. Stephenson holds a BSEE and currently is a PhD candidate (degree expected Fall 2003) at Oxford-Brookes University in Oxford, UK where his research involves structured investigation of information security incidents in complex computing environments. Mr. Stephenson is an adjunct professor in the Master of Science in Information Assurance program at Norwich University.
He is a member of the ISSA, an associate member of the Association of Certified Fraud Examiners, and holds the professional designations Certified Professional Engineer (CPE), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Forensics Investigator (CIFI), and is a Fellow of the Institute for Communications, Arbitration and Forensics in the UK (FICAF).
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website are the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.