Personal tools
You are here: Home Tutorials WORLDCOMP'09 Tutorial: Dr. Robert F. Erbacher
Current Event
Click Here
Other Events
Click Here

Click Here

Click Here

Click Here

Click Here

Click Here

WORLDCOMP'06 & '07
Click Here

Join Our Mailing List
Sign up to receive email announcements and updates about conferences and future events


WORLDCOMP'09 Tutorial: Dr. Robert F. Erbacher

Last modified 2009-07-03 10:57

Introduction to Digital Forensics Research
Dr. Robert F. Erbacher
Assistant Professor, Department of Computer Science
Utah State University, Utah, USA

Date: July 14, 2009
Time: 6:00 - 9:30 PM
Location: Ballroom 3


      Digital forensics is a growing area of concern to governments, corporations, and law enforcement. Intrinsically, digital forensics revolves around the need to analyze digital data, whether it is from an isolated computer system, a network of computer systems, or databases and data storage devices. Digital forensics is unique from other analysis tasks as the data needing to be located and analyzed can be carefully hidden within a morass of irrelevant data and the need to consider the legal validity of the raw data, the analysis results, and the analysis process itself. Unfortunately, technology has not kept pace with the challenges or legal requirements of digital forensics. This tutorial will discuss these challenges, identifying how analysts currently analyze digital data and how anti-forensics is being used to counter the forensics tools; i.e., how data can be hidden such that it will be more difficult to detect. This tutorial will also discuss the requirements imposed on forensic research by the necessity of legal admissibility. Current research directions, needs, and challenges will also be discussed.

      As an example, when considering computer forensics the goal is to locate criminally relevant information on a computer system. Today’s systems allow such relevant information to be stored in many places within a computer system; in addition to the hard drive, this could include storage of data in flash bioses, in video card ram, etc. Even when limiting analysis to the hard drive locating relevant data can be difficult due to the number of locations and ways that data can be hidden. For instance, data can be appended to other files, embedded into files, stored in the windows registry file, stored in free clusters, stored in clusters marked as bad, etc. Given the size of today’s hard drives, locating small snippets of criminally relevant data can be extremely cumbersome, especially when sophisticated data hiding paradigms are used. A digital forensic analyst must be able to locate the evidence, or lack thereof, that might be found on any number of various types of digital storage devices. Rather than simply having to locate files containing criminal activity hidden within the morass of files, analysts must locate the information hidden within otherwise innocuous files. This tutorial will discuss how data can be hidden and current research designed to improve the ability to locate such data.

      The need for legal validity of data also leads to the need to ensure the validity of raw data. For instance, consider syslog files, which provide detailed electronic traces of activity related to a computer system. These electronic traces in verifiable forms can be considered as digital evidence. In order to validate system log files we must ensure that the log files are resistant to deletions and modifications; i.e., it may not be possible to prevent truncation of a log file but such modifications must be detectable. Additionally, further verification must be added to the syslog protocol to validate where the syslog entries came from. Specifically, this could be done using system fingerprints, user fingerprints, and application fingerprints. This tutorial will discuss the requirements for validating raw data and the research needed to improve the legal admissibility of raw data such as syslog files.


      This tutorial will teach the participants about the fundamentals of digital forensics and associated research needs. More specifically, upon completion of the tutorial participants will be able to:

        • Identify methods by which data can be hidden on a hard drive
        • Identify the needs for the forensic validity of raw data
        • Specify and analyze typical digital forensic processes
        • Analyze the forensic validity of digital data
        • Specify current research directions and needs in digital forensics
        • Identify requirements for the legal admissibility of digital evidence

    Intended Audience

      This tutorial is intended for beginning and advanced researchers interested in understanding the current state of the art of digital forensics, the unique issues intrinsic to digital forensics, and current directions of research. The tutorial would be applicable to scientists, engineers, graduate students, or faculty interested in digital forensics research. Security managers, system administrators/analysts, and law enforcement interested in understanding forensics issues would also benefit from this tutorial.

    Biography of Instructor

      Dr. Erbacher is an Assistant Professor in the Department of Computer Science at Utah State University. Before joining Utah State University, he was an assistant professor at SUNY-Albany. He is an Associate Editor for the Journal of Electronic Imaging, general chair for the 2009 Systematic Approaches to Digital Forensics Engineering Conference, Chaired the SPIE Conference on Visualization and Data Analysis for 13 years, is on numerous other program committees related to digital forensics, computer security, and visualization and performs extensive reviewing for conferences and journals in these areas. His research interests include Digital Forensics, Computer Security, Intrusion Detection, Information and Scientific Visualization, and Computer Graphics. Dr. Erbacher has over 50 publications in these areas, including a best paper award from the Systematic Approaches to Digital Forensics Engineering Conference.

      In keeping with his research interests in computer security and visualization, Dr. Erbacher spent the summers of 2004 through 2006 at AFRL's Rome Labs developing techniques for intrusion detection and digital forensics for the air force under their summer faculty fellowship program. Dr. Erbacher received his BS in Computer Science from The University of Lowell in 1991 and his MS and ScD degrees in Computer Science from the University of Massachusetts-Lowell in 1993 and 1998, respectively.

Academic Co-Sponsors

United States Military Academy, Network Science Center

Biomedical Cybernetics Laboratory, HST of Harvard University and MIT, USA

Argonne's Leadership Computing Facility of Argonne National Laboratory

Functional Genomics Laboratory, University of Illinois at Urbana-Champaign, USA
Minnesota Supercomputing Institute, University of Minnesota, USA
Intelligent Data Exploration and Analysis Laboratory, University of Texas at Austin, Austin, Texas, USA
Harvard Statistics Department Genomics & Bioinformatics Laboratory, Harvard University, USA

Texas Advanced Computing Center, The University of Texas at Austin, Texas

Center for the Bioinformatics and Computational Genomics, Georgia Institute of Technology, Atlanta, Georgia, USA

Bioinformatics & Computational Biology Program, George Mason University, Virginia, USA

Institute of Discrete Mathematics and Geometry, Vienna University of Technology, Austria

BioMedical Informatics & Bio-Imaging Laboratory, Georgia Institute of Technology and Emory University, Atlanta, Georgia, USA
Knowledge Management & Intelligent System Center (KMIS) of University of Siegen, Germany

National Institute for Health Research, UK

Hawkeye Radiology Informatics, Department of Radiology, College of Medicine, University of Iowa, Iowa, USA

Institute for Informatics Problems of the Russian Academy of Sciences, Moscow, Russia.
Medical Image HPC & Informatics Lab (MiHi Lab), University of Iowa, Iowa, USA
SECLAB An inter-university research group (University of Naples Federico II, the University of Naples Parthenope, and the Second University of Naples, Italy)
The University of North Dakota, Grand Forks, North Dakota, USA
Intelligent Cyberspace Engineeing Lab., ICEL, Texas A&M; University (Com./Texas)

International Society of Intelligent Biological Medicine

World Academy of Biomedical Sciences and Technologies

Corporate Sponsor

Other Co-Sponsors
European Commission
High Performance Computing for Nanotechnology (HPCNano)

HoIP - Health without Boundaries

Hodges' Health

The International Council on Medical and Care Compunetics

GridToday - enewsletter focused on Grid, SOA, Virtualization, Storage, Networking and Service-Oriented IT

HPCwire - The Leading Source for Global News and Information Covering the Ecosystem of High Productivity Computing

The UK Department for Business, Enterprise & Regulatory Reform
VMW Solutions Ltd.
Scientific Technologies Corporation

Bentham Science Publishers


Administered by UCMSS
Universal Conference Management Systems & Support
San Diego, California, USA
Contact: Kaveh Arbtan

If you can read this text, it means you are not experiencing the Plone design at its best. Plone makes heavy use of CSS, which means it is accessible to any internet browser, but the design needs a standards-compliant browser to look like we intended it. Just so you know ;)