Tutorials
July 20, 2011
Working with Computer Forensics Data
9 am - noon, Newell-Simon 3305
Simson Garfinkel
Naval Postgraduate School
[slides]
Computer Forensics is an exciting and relatively untapped area for
usable security research. Today forensic techniques are being used to
dissect malware found on production systems, analyze packet flows
moving over the Internet and on private networks, and understand the
contents of hard drives, cell phones, and other portable devices
encountered during the course of law enforcement operations.
Yet by its very nature, forensics poses challenges not typically
encountered in other areas of security. Whereas most security
practitioners are able to focus on specific areas of expertise,
forensic analysis necessarily occupies the entire stack from
individual bits and machine instructions to large-scale identity
architectures. Forensic investigations typically involve large data
sets, since many crimes involve high-end computer systems and
criminals may hide their data anywhere technically
possible. Encryption, steganography and cloud-based storage can
further complicate investigations.
An important added complication of computer forensics is the
difficulty of simply working with forensic data. Critical
evidence may be present in live files, but it may also be found in files
that have since been deleted or partially overwritten. Evidence may
be intentionally hidden in unallocated regions of a file system, in
unused portions of a document, or in unused regions of a TCP
header. As a result, traditional security tools must be augmented with
special-purpose forensic tools.
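The deleted-file and unallocated-space problem described above, as an added example that is not part of the tutorial materials: a minimal signature-based file carver in Python, run over a raw disk image constructed in memory. The signatures, the size limits, the sector size and the sample image are assumptions for illustration. The deleted PNG is carved intact; the deleted PDF, whose second sector was later reused by another file, comes back flagged as truncated, which is the partially-overwritten case the paragraph describes.

```python
"""Added example (not from the tutorial): signature-based carving of deleted
files from the unallocated space of a raw disk image. The image is
constructed in memory below; all signatures and limits are assumptions."""
import struct
import zlib
from dataclasses import dataclass

SECTOR = 512  # assumed sector size for the constructed image

# kind -> (header, trailer, maximum carve length). Limits are assumptions.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 1 << 20),
    "pdf": (b"%PDF-", b"%%EOF", 4 << 20),
}


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    truncated: bool  # trailer never found: tail overwritten or beyond the limit


def carve(image: bytes) -> list:
    """Scan every byte of the image, allocated or not, for known headers."""
    found = []
    for kind, (header, trailer, max_len) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_len)
            end_tr = image.find(trailer, pos + len(header), window_end)
            if end_tr != -1:
                end = end_tr + len(trailer)
                found.append(Carved(kind, pos, image[pos:end], False))
            else:
                # No trailer: stop at the next header of any known type (or at
                # the window end) and flag the fragment so the analyst knows
                # the tail has been overwritten or lies outside the limit.
                nexts = [image.find(h, pos + len(header), window_end)
                         for h, _, _ in SIGNATURES.values()]
                nexts = [n for n in nexts if n != -1]
                end = min(nexts) if nexts else window_end
                found.append(Carved(kind, pos, image[pos:end], True))
            pos = image.find(header, end)
    found.sort(key=lambda c: c.offset)
    return found


def _chunk(tag: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)


def tiny_png() -> bytes:
    """A valid 1x1 red PNG, small enough to embed as the deleted picture."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + pixel
    return (SIGNATURES["png"][0] + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def _pad(blob: bytes) -> bytes:
    return blob + b"\x00" * (-len(blob) % SECTOR)


def build_image() -> bytes:
    """Constructed raw image (no real disk). Sector 0 holds the only file a
    directory entry would point to; everything after it is unallocated: a
    deleted PDF whose second sector was reused, a wiped sector, and a
    deleted but intact PNG."""
    pdf = (b"%PDF-1.4\n1 0 obj<</Length 700>>stream\n" + b"A" * 700
           + b"\nendstream\nendobj\n%%EOF\n")          # 762 bytes, two sectors
    deleted_pdf = bytearray(_pad(pdf))
    deleted_pdf[SECTOR:] = _pad(b"later journal entry reused this sector\n")
    return (_pad(b"ALLOCATED FILE: meeting notes\n") + bytes(deleted_pdf)
            + b"\x00" * SECTOR + _pad(tiny_png()))


if __name__ == "__main__":
    for c in carve(build_image()):
        state = "TRUNCATED" if c.truncated else "intact"
        print(f"{c.kind} at offset {c.offset}: {len(c.data)} bytes, {state}")
```

Nothing in the image's allocated structures points at either recovered object, which is why a file-system-level tool never sees them. Production carvers add validation of the carved object, handle fragmentation and run over terabytes; the truncated flag here is the minimum an analyst needs so that a fragment with a missing tail is not mistaken for a complete file.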
This half-day tutorial introduces computer forensics for security and
usability practitioners. We will discuss the purposes for which
forensics is used today, present the kinds of data that are available,
and discuss the typical tasks performed by analysts and
practitioners. We will discuss both open source and commercial tools,
and we will hand out realistic, surrogate data that can be used for
teaching, training and research without the need to secure IRB
approval. The course will conclude with a survey of visualizations
currently used in computer forensics, a discussion of current problems
and shortcomings, and an investigation of opportunities for improving
practice through the use of HCI-SEC techniques.
Experiment Design and Quantitative Methods for Usable Security Research
1 pm - 4 pm, Newell-Simon 3305
Sonia Chiasson and Robert Biddle
Carleton University
Research in usable security often requires empirical evaluation,
especially because success typically depends on a rich and diverse
range of human behaviour that cannot be predicted in advance. This
tutorial will provide a practical introduction to the design and
analysis of experimental research using quantitative methods and
statistical inference. The first half will outline experiment design,
addressing issues such as the role of quantitative (rather than
qualitative) methods, and the advantages of controlled and field
studies. We will also review considerations relating to materials,
equipment, procedures and data collection, and ethical review. The
second half of the tutorial will address statistical analysis and
inference. We will review parametric tests such as t-tests and ANOVA,
non-parametric tests such as Mann-Whitney and Kruskal-Wallis, as well
as categorical tests such as Chi-Squared and Fisher's Exact Test. We
will also discuss various graphical techniques, such as scatter-plots,
histograms, and box-plots. We will concentrate on the practical
application of these methods, including issues relating to
between-subjects and within-subjects designs, ad-hoc testing and alpha
correction, and the interpretation and presentation of results. Practical
examples will be demonstrated using the R Statistical Programming
Language, an excellent and widely used open-source cross-platform
system. Participants should bring laptop computers to explore
practical exercises.
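The categorical tests and alpha correction listed above, as an added example that is not part of the tutorial (whose own examples use R): a two-sided Fisher's exact test and a Bonferroni correction written from scratch in Python so they run without any statistics package, applied to constructed task-completion counts from three hypothetical interface conditions in a between-subjects design. The condition names, the counts and the alpha of 0.05 are assumptions for illustration.

```python
"""Added example (not from the tutorial): an exact test for a 2x2 table and
family-wise alpha correction over several pairwise comparisons, with no
dependency beyond the standard library. The data are constructed."""
from fractions import Fraction
from itertools import combinations
from math import comb


def fisher_exact(table) -> float:
    """Two-sided Fisher's exact test for a 2x2 table [[a, b], [c, d]].

    Conditioning on the row and column totals, the count a follows a
    hypergeometric distribution. The two-sided p-value sums the
    probability of every table with the same margins that is no more
    likely than the observed one. Fractions keep that comparison exact,
    so tables tied with the observed probability are counted correctly."""
    (a, b), (c, d) = table
    r1, r2, c1 = a + b, c + d, a + c
    denom = comb(r1 + r2, c1)

    def prob(x):  # P(row 1 has x successes | margins)
        return Fraction(comb(r1, x) * comb(r2, c1 - x), denom)

    p_obs = prob(a)
    lo, hi = max(0, c1 - r2), min(r1, c1)
    return float(sum(prob(x) for x in range(lo, hi + 1) if prob(x) <= p_obs))


def bonferroni(pvalues: dict, alpha: float = 0.05) -> dict:
    """Bonferroni correction: each of k comparisons is tested at alpha/k so
    the chance of at least one false positive across the family stays at
    most alpha. Returns {name: (p, significant_uncorrected, significant_corrected)}."""
    threshold = alpha / len(pvalues)
    return {name: (p, p <= alpha, p <= threshold) for name, p in pvalues.items()}


# Constructed data (not from any study): (completed, failed) out of 20
# participants in each of three hypothetical interface conditions.
COMPLETIONS = {"A": (18, 2), "B": (9, 11), "C": (16, 4)}


def pairwise_completion_tests(data=COMPLETIONS, alpha=0.05) -> dict:
    """One Fisher test per pair of conditions, then correction over the
    family of three tests."""
    pvalues = {
        f"{x} vs {y}": fisher_exact([data[x], data[y]])
        for x, y in combinations(data, 2)
    }
    return bonferroni(pvalues, alpha)


if __name__ == "__main__":
    for name, (p, raw, corrected) in pairwise_completion_tests().items():
        print(f"{name}: p = {p:.4f}  uncorrected: {raw}  Bonferroni: {corrected}")
```

With three pairwise comparisons the per-test threshold drops to 0.05/3. The B-vs-C comparison comes out at about 0.048: significant if it were the only test run, but not once the family is corrected, which is the situation alpha correction exists to handle. A-vs-B stays significant either way, and A-vs-C is not significant under either rule.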
Those who plan to participate in this tutorial are encouraged to
bring a laptop on which they have downloaded and installed R.
SOUPS 2011 is sponsored by Carnegie Mellon CyLab