Automated Computer Forensics - Revision history

Simson at 19:40, 17 March 2018

2018-03-17T19:40:58Z

@@ Line 4: / Line 4: @@
 Today my research into this field of automated computer forensics covers these main areas:
-# '''Small-block forensics'''---Exploring approaches for working with data elements that are smaller than files. This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.<ref>Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR</ref>
+# '''Small-block forensics'''---Exploring approaches for working with data elements in the 4KiB to 64KiB range and that are not aligned with file boundaries.  This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.<ref>Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR</ref>
 # '''Data-rich algorithms and approaches''' that are designed to work in environments where there is a large collection of data from multiple users, as can be the case in law enforcement, e-discovery, and internal corporate investigations. <ref>Garfinkel, S., [http://simson.net/clips/academic/2006.DFRWS.pdf Forensic Feature Extraction and Cross-Drive Analysis,]The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.</ref>
 # '''Media/Web correlation''' --- Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.
-# '''Corpus Creation''' --- Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref>
+# '''Corpus Creation''' --- Developing realistic corpora that can be used in education and software development that do not contain personal information.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref>
 Related work areas that I am not personally involved in includes:
 # Approaches for '''gisting''' and clustering documents based on their content.
 # Approaches that are tuned to human languages other than English.
 ==Relevant Publications==
 <references/>
 __NOTOC__

Simson at 14:31, 6 July 2010

2010-07-06T14:31:42Z

← Older revision		Revision as of 07:31, 6 July 2010
Line 1:		Line 1:
			==Current Research Areas==
	One of my primary areas of research is the development of algorithms, techniques, and eventually tools for automating a wide variety of computer forensics tasks that are currently performed by trained analysts. Today much work performed by computer analysts is performed with visualization tools that allow an analyst to search for data on a hard drive or captured from a network and slowly construct a story that might be useful in a prosecution or in recovering from a security event. But as data volumes increase and the network environment becomes increasingly complex, there is a need for increasingly automated tools that can perform autonomous analysis and correlation<ref>Garfinkel, S. [http://simson.net/clips/academic/2007.ACM.Domex.pdf "Document and Media Exploitation,"] <i>ACM Queue</i>, November/December 2007.</ref><ref>Garfinkel, Simson, Digital Forensics Research: The Next 10 Years , DFRWS 2010, Portland, OR</ref>		One of my primary areas of research is the development of algorithms, techniques, and eventually tools for automating a wide variety of computer forensics tasks that are currently performed by trained analysts. Today much work performed by computer analysts is performed with visualization tools that allow an analyst to search for data on a hard drive or captured from a network and slowly construct a story that might be useful in a prosecution or in recovering from a security event. But as data volumes increase and the network environment becomes increasingly complex, there is a need for increasingly automated tools that can perform autonomous analysis and correlation<ref>Garfinkel, S. [http://simson.net/clips/academic/2007.ACM.Domex.pdf "Document and Media Exploitation,"] <i>ACM Queue</i>, November/December 2007.</ref><ref>Garfinkel, Simson, Digital Forensics Research: The Next 10 Years , DFRWS 2010, Portland, OR</ref>

Line 6:		Line 7:
	# '''Data-rich algorithms and approaches''' that are designed to work in environments where there is a large collection of data from multiple users, as can be the case in law enforcement, e-discovery, and internal corporate investigations. <ref>Garfinkel, S., [http://simson.net/clips/academic/2006.DFRWS.pdf Forensic Feature Extraction and Cross-Drive Analysis,]The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.</ref>		# '''Data-rich algorithms and approaches''' that are designed to work in environments where there is a large collection of data from multiple users, as can be the case in law enforcement, e-discovery, and internal corporate investigations. <ref>Garfinkel, S., [http://simson.net/clips/academic/2006.DFRWS.pdf Forensic Feature Extraction and Cross-Drive Analysis,]The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.</ref>
	# '''Media/Web correlation''' --- Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.		# '''Media/Web correlation''' --- Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.
	# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref>		# '''Corpus Creation''' --- Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref>

	Some of my previous work in this area includes:		Some of my previous work in this area includes:

Simson at 14:31, 6 July 2010

2010-07-06T14:31:04Z

← Older revision		Revision as of 07:31, 6 July 2010
Line 4:		Line 4:

	# '''Small-block forensics'''---Exploring approaches for working with data elements that are smaller than files. This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.<ref>Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR</ref>		# '''Small-block forensics'''---Exploring approaches for working with data elements that are smaller than files. This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.<ref>Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR</ref>
	# ~~Developing new~~ algorithms and approaches ~~for working~~ in ~~a "data-rich environment" such as~~ a large collection of ~~hard drives that have been seized during~~ the ~~course of~~ law enforcement ~~or military operations~~. <ref>Garfinkel, S., [http://simson.net/clips/academic/2006.DFRWS.pdf Forensic Feature Extraction and Cross-Drive Analysis,]The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.</ref>		# '''Data-rich algorithms and approaches''' that are designed to work in environments where there is a large collection of data from multiple users, as can be the case in law enforcement, e-discovery, and internal corporate investigations. <ref>Garfinkel, S., [http://simson.net/clips/academic/2006.DFRWS.pdf Forensic Feature Extraction and Cross-Drive Analysis,]The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.</ref>
	# Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.		# '''Media/Web correlation''' --- Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.
	# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref>		# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref>

Simson at 14:28, 6 July 2010

2010-07-06T14:28:42Z

← Older revision		Revision as of 07:28, 6 July 2010
Line 1:		Line 1:
	~~We are developing~~ a variety of ~~techniques~~ and tools ~~for performing ''Automated Document~~ and ~~Media Exploitation''~~<ref>Garfinkel, S. [http://simson.net/clips/academic/2007.ACM.Domex.pdf "Document and Media Exploitation,"] <i>ACM Queue</i>, November/December 2007.		One of my primary areas of research is the development of algorithms, techniques, and eventually tools for automating a wide variety of computer forensics tasks that are currently performed by trained analysts. Today much work performed by computer analysts is performed with visualization tools that allow an analyst to search for data on a hard drive or captured from a network and slowly construct a story that might be useful in a prosecution or in recovering from a security event. But as data volumes increase and the network environment becomes increasingly complex, there is a need for increasingly automated tools that can perform autonomous analysis and correlation<ref>Garfinkel, S. [http://simson.net/clips/academic/2007.ACM.Domex.pdf "Document and Media Exploitation,"] <i>ACM Queue</i>, November/December 2007.</ref><ref>Garfinkel, Simson, Digital Forensics Research: The Next 10 Years , DFRWS 2010, Portland, OR</ref>
	</ref> (~~ADOMEX~~). ~~The thrust~~ of this ~~research covers three main areas~~:
			Today my research into this field of automated computer forensics covers these main areas:

			# '''Small-block forensics'''---Exploring approaches for working with data elements that are smaller than files. This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.<ref>Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR</ref>
			# Developing new algorithms and approaches for working in a "data-rich environment" such as a large collection of hard drives that have been seized during the course of law enforcement or military operations. <ref>Garfinkel, S., [http://simson.net/clips/academic/2006.DFRWS.pdf Forensic Feature Extraction and Cross-Drive Analysis,]The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.</ref>
			# Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.
			# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref>

			Some of my previous work in this area includes:
	# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.		# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.
	# ~~Developing an unclassified~~ [~~[Real Data Corpus]~~] (~~RDC~~) ~~consisting of "real data from real people" that can be used to develop new algorithms~~, ~~quantify results~~, and ~~test automated tools~~.		# Explorations of file carving. <ref>Garfinkel, S., [http://simson.net/clips/academic/2007.DFRWS.pdf "Carving Contiguous and Fragmented Files with Fast Object Validation"], Digital Forensics Workshop (DFRWS 2007), Pittsburgh, PA, August 2007. </ref>
	# ~~Developing new algorithms~~ and ~~approaches for working in a "data-rich environment" such as a large collection of hard drives~~ that ~~have been seized during the course of law enforcement or military operations~~.
			Related work areas that I am not personally involved in includes:
			# File type recognition and identification.
			# Approaches for '''gisting''' and clustering documents based on their content.
			# Approaches that are tuned to human languages other than English.

	==Recent Research Developments==		==Recent Research Developments==

Simson: moved ADOMEX to Automated Computer Forensics

2010-06-18T23:33:38Z

moved ADOMEX to Automated Computer Forensics

← Older revision	Revision as of 16:33, 18 June 2010
(No difference)

Simson at 21:39, 6 April 2010

2010-04-06T21:39:35Z

← Older revision		Revision as of 14:39, 6 April 2010
Line 35:		Line 35:
	==Relevant Publications==		==Relevant Publications==
	<references/>		<references/>
			==See Also==
			* [http://www.forensicswiki.org/wiki/Simson%27s_Open_Research_Topics Open Research Topics] on the [http://www.forensics.org/ Forensics Wiki]

	__NOTOC__		__NOTOC__

Simson at 04:43, 18 July 2009

2009-07-18T04:43:31Z

← Older revision		Revision as of 21:43, 17 July 2009
Line 1:		Line 1:
	We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation'' (ADOMEX). The thrust of this research covers three main areas:		We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation''<ref>Garfinkel, S. [http://simson.net/clips/academic/2007.ACM.Domex.pdf "Document and Media Exploitation,"] <i>ACM Queue</i>, November/December 2007.
			</ref> (ADOMEX). The thrust of this research covers three main areas:
	# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.		# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.
	# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.		# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.

Simson at 19:30, 28 May 2009

2009-05-28T19:30:48Z

← Older revision		Revision as of 12:30, 28 May 2009
Line 2:		Line 2:
	# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.		# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.
	# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.		# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.
	# Developing new algorithms and approaches for working in a "data-rich environment."		# Developing new algorithms and approaches for working in a "data-rich environment" such as a large collection of hard drives that have been seized during the course of law enforcement or military operations.

	==Recent Research Developments==		==Recent Research Developments==

Simson: 28 revisions

2009-05-03T07:11:59Z

28 revisions

← Older revision	Revision as of 00:11, 3 May 2009
(No difference)

Simson at 06:09, 28 April 2009

2009-04-28T06:09:15Z

← Older revision		Revision as of 23:09, 27 April 2009
Line 1:		Line 1:
	We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation'' (ADOMEX). The thrust of this research covers three main areas:		We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation'' (ADOMEX). The thrust of this research covers three main areas:
	# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.		# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref>.
	# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms and test automated tools.		# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms, quantify results, and test automated tools.
	# Developing new algorithms and approaches for working in a "data-rich environment."		# Developing new algorithms and approaches for working in a "data-rich environment."