Automated Computer Forensics

We are developing a variety of techniques and tools for performing Automated Document and Media Exploitation (ADOMEX). The thrust of this research consists of three parts:

1. Developing open source tools for working with electronic evidence. This work is part of the AFF project.
2. Developing an unclassified Real Data Corpus (RDC) consisting of "real data from real people" that can be used to develop new algorithms and test automated tools.
3. Developing an end-to-end plug-in research architecture for exploitation. This architecture can be used as the basis for both student projects and prototypes that can be deployed into the field.

Relevant Publications

• “Practical Applications of Bloom filters to the NIST RDS and hard drive triage,” Farrell, Garfinkel and White, ACSAC 2008
• "Carving Contiguous and Fragmented Files with Fast Object Validation", Garfinkel, S., Digital Investigation, Volume 4, Supplement 1, September 2007, Pages 2--12.
• "Complete Delete vs. Time Machine Computing," Garfinkel, S., Operating Systems Review, ACM Special Interest Group on Operating Systems, January 2007.
• "Forensic Feature Extraction and Cross-Drive Analysis," Garfinkel, S., Digital Investigation, Volume 3, Supplement 1, September 2006, Pages 71--81.
• "AFF: A New Format for Storing Hard Drive Images," Garfinkel, S., Communications of the ACM, February, 2006.
• "Standardizing Digital Evidence Storage," The Common Evidence Format Working Group (Carrier, B., Casey, E., Garfinkel, S., Kornblum, J., Hosmer, C., Rogers., M., and Turner., P.,) Communications of the ACM, February, 2006.