We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation'' (ADOMEX). This research has several thrusts:
# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project.
# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms and test automated tools.
# Developing new algorithms and approaches for working in a "data-rich environment."
==Recent Research Developments==
* We have developed a batch analysis system called '''fiwalk''' which can take a disk image and produce an XML file describing all of the files, deleted files and orphan files on the image, together with all of the extracted file metadata. This XML file can be used as input to further automated media processing. Using this system we have created a variety of applications for reporting on and manipulating disk images. We have also developed an efficient system for remote file-level access to disk images using XML-RPC and REST. Details can be found in our paper [http://simson.net/clips/academic/2009.SADFE.xml_forensics.pdf Automating Disk Forensic Processing with SleuthKit, XML and Python], [http://conf.ncku.edu.tw/sadfe/sadfe09/ Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering] (IEEE/SADFE'09), May 2009.
* We have developed a prototype system for performing automated media forensic reporting. Based on PyFlag, the system performs an in-depth analysis of captured media, locates local and online identities, and presents summary information in a report that is tailored to be easy for the consumer of forensic intelligence to use. Details can be found in [http://www.simson.net/clips/students/09_Farrell.pdf A Framework for Automated Digital Forensic Reporting], Lt. Paul Farrell, Master's Thesis, Naval Postgraduate School, Monterey, CA, March 2009.
===Bulk Data Forensics===
We have developed a tool called '''frag_find''' which can report if sectors of a TARGET file are present on a disk image. This is useful in cases where a TARGET file has been stolen and you wish to establish that the file has been present on a subject's drive. If most of the TARGET file's sectors are found on the IMAGE drive---and if the sectors are in consecutive sector runs---then the chances are excellent that the file was once there. Frag_find performs this search using time-and-space efficient data structures arranged in multiple filtering layers. The program deals with the problem of non-unique blocks by looking for runs of matching blocks, rather than individual blocks. Frag_find is part of the NPS Bloom package, which can be downloaded from http://www.afflib.org.
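The run-based matching described above, as an added illustration that is not the NPS frag_find code: sector hashes of the TARGET go into a lookup table that keeps every sector number for a non-unique sector, the IMAGE is scanned sector by sector, and only matches that extend a run with the same image-to-target alignment are reported. The sample TARGET and IMAGE are constructed inline and sector size, hash and run threshold are assumptions.

```python
import hashlib
from collections import defaultdict

SECTOR = 512   # assumed sector size

def build_index(target: bytes) -> dict:
    # sha1(sector) -> list of TARGET sector numbers; a non-unique sector (for
    # example all zeros) maps to several numbers instead of a single hit.
    index = defaultdict(list)
    for t in range(len(target) // SECTOR):
        index[hashlib.sha1(target[t * SECTOR:(t + 1) * SECTOR]).digest()].append(t)
    return index

def find_runs(target: bytes, image: bytes, min_run: int = 3) -> list:
    # Returns (image_sector, target_sector, length) for every run of consecutive
    # IMAGE sectors matching consecutive TARGET sectors, with length >= min_run.
    index = build_index(target)
    active = {}   # (image_sector - target_sector) alignment -> run being extended
    runs = []
    for i in range(len(image) // SECTOR):
        h = hashlib.sha1(image[i * SECTOR:(i + 1) * SECTOR]).digest()
        for t in index.get(h, ()):
            run = active.get(i - t)
            if run is not None and run[0] + run[2] == i:
                run[2] += 1       # next sector with the same alignment: extend
            else:
                run = [i, t, 1]   # otherwise start a new candidate run
                active[i - t] = run
                runs.append(run)
    return sorted(tuple(r) for r in runs if r[2] >= min_run)

def _sector(seed: bytes) -> bytes:
    # Deterministic pseudo-random 512-byte sector for the constructed sample.
    return b"".join(hashlib.sha256(seed + bytes([n])).digest() for n in range(16))

def sample_case():
    # Constructed data: an 8-sector TARGET whose sectors 3 and 4 are all zeros
    # (non-unique), stored fragmented in a 200-sector IMAGE at sectors 100-103
    # and 140-143, plus two unrelated zero sectors at 50-51 that must not count.
    zero = bytes(SECTOR)
    tsect = [zero if n in (3, 4) else _sector(b"T%d" % n) for n in range(8)]
    isect = [_sector(b"F%d" % n) for n in range(200)]
    isect[50:52] = [zero, zero]
    isect[100:104] = tsect[0:4]
    isect[140:144] = tsect[4:8]
    return b"".join(tsect), b"".join(isect)

if __name__ == "__main__":
    target, image = sample_case()
    for img, tgt, n in find_runs(target, image):
        print(f"image sector {img}: target sectors {tgt}-{tgt + n - 1} ({n} consecutive)")
```

With the default threshold of three sectors the two fragments are reported and the stray zero sectors are not; lowering it to two lets the zero pair at sectors 50-51 through, which is the false-positive risk the run threshold controls.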
* http://simson.net/clips/academic/2009.SADFE.xml_forensics.pdf
* [http://www.simson.net/clips/academic/2008.ACSAC.Bloom.pdf "Practical Applications of Bloom filters to the NIST RDS and hard drive triage,"] Farrell, Garfinkel and White, ACSAC 2008
* [http://www.simson.net/clips/academic/2007.DFRWS.pdf "Carving Contiguous and Fragmented Files with Fast Object Validation"], Garfinkel, S., Digital Investigation, Volume 4, Supplement 1, September 2007, Pages 2--12.
* [http://www.simson.net/clips/academic/p42-garfinkel.pdf "Complete Delete vs. Time Machine Computing,"] Garfinkel, S., Operating Systems Review, ACM Special Interest Group on Operating Systems, January 2007.
* [http://www.simson.net/clips/academic/2006.DFRWS.pdf "Forensic Feature Extraction and Cross-Drive Analysis,"] Garfinkel, S., Digital Investigation, Volume 3, Supplement 1, September 2006, Pages 71--81.
* [http://www.simson.net/clips/academic/2006.CACM.AFF.pdf "AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006.
* [http://www.simson.net/clips/academic/2006.CACM.digital_evidence.pdf "Standardizing Digital Evidence Storage,"] The Common Evidence Format Working Group (Carrier, B., Casey, E., Garfinkel, S., Kornblum, J., Hosmer, C., Rogers., M., and Turner., P.,) Communications of the ACM, February, 2006.