Authors: Harm Van Beek (Netherlands Forensic Institute), Quintin Walters (MITRE) & Mattijs Ugen (Netherlands Forensic Institute)

DFRWS USA 2023

Abstract

In this joint workshop by NFI and MITRE, you will experience how easy it can be to develop programming solutions for processing, visualizing and reporting data under investigation and share these solutions across investigators, cases and organizations.

To solve cases, investigators need detailed insight into data under investigation. To support these investigators, digital forensic data from multiple forensic images needs to be processed, resulting in reports and visualizations. This is typically done by digital experts on the actual case data, building on academic research documented in papers or as proof-of-concept code. Reuse of such case-specific operations is not easy.

Hansken is a Digital Forensics as a Service (DFaaS) platform that has been designed to give access to and insight into data under investigation. It is an open digital forensic platform that features a variety of APIs to let you automate and extend its capabilities. The browser-based expert user interface supports the development of code notebooks that operate on case data using, for example, Python or JavaScript. You can use these code notebooks to deliver custom software packages to non-technical investigators.

This workshop consists of two parts of approximately 1.5 hours.

First, you learn more about the Digital Forensics as a Service concepts and Hansken. This includes an introduction to the Hansken trace model, the Hansken Query Language (HQL) and Hansken.py, the Hansken Python API. By going through an example, you are taught how to write a Python notebook that extracts and visualizes data from a forensic image. We also introduce the other APIs in the Hansken Software Development Kit (SDK) that is available to law enforcement and academia under the Hansken R&D license.

In the second part of this workshop, you get access to an online Hansken SDK instance. There, you can play around with Hansken and its APIs. Several example scripts are provided to get up and running. You are free to upload and process your own data using one of the Hansken SDK instances to learn if and how such a DFaaS solution can help you in your research and investigations.

Preparation Details:

The workshop participants get access to an AWS EC2 instance containing the Hansken SDK version 1.0. Participants need a laptop with a browser, internet and an IDE environment capable of running Jupyter notebooks (e.g., PyCharm or Visual Studio Code).

Exercises are carried out in the web browser and the IDE running Jupyter notebooks with Python code. The IP addresses of the AWS instances are provided after the introduction in the hands-on part of the workshop.

Some understanding of Python and digital forensics is useful but not strictly necessary.

Bio

Harm van Beek

Harm van Beek is a senior digital-forensic scientist at the Netherlands Forensic Institute (NFI). His work consists of performing examinations in criminal cases and conducting scientific research in the digital forensic field. Harm is a cofounder (2012) of the forensic investigation, innovation and knowledge sharing platform Hansken. He was technical director of CASE, an international standard for sharing cyber-investigation traces (2019-2020). Harm obtained his PhD in formal methods (computer science) at the Eindhoven University of Technology (2005). Before joining the NFI in 2009, he was cofounder and CTO of ISAAC, a company dedicated to developing middleware and software for the Internet (1998-2008).

Quintin Walters

Quintin Walters is a Cyber Operations Engineer at the MITRE Corporation. At MITRE he works on developing forensic tools, cyber capabilities, and forensic support for sponsors. His recent work focuses on delivery of cloud-hosted forensic platforms, development of autonomous diagnostic agents in systems-level languages, remote access enablers, and medium scale exploitation of publicly posted data. Quintin obtained a Master’s of Science in Computing Security from the Rochester Institute of Technology in 2022. In his free time, Quintin is a 3D printing and miniatures enthusiast.

Mattijs Ugen

Mattijs Ugen is a Forensic Data Engineer at the Netherlands Forensic Institute (NFI). Since obtaining his MSc. degree in computer science at the University of Twente in 2013, Mattijs has been involved with the development and design of the forensic investigation, innovation and knowledge sharing platform Hansken. Aside from Hansken, his work at the NFI involves analysis of digital-forensic trace evidence and engineering solutions to data science problems for court cases and law enforcement investigations.