|(21 intermediate revisions by the same user not shown)|
We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation'' (ADOMEX). The thrust of this research consists of several thrusts:
# Developing open source tools for working with electronic evidence. This work is part of the [http://www.afflib.org AFF] project<ref>[http:// www.simson.net/clips/academic/ 2006. CACM. AFF.pdf " AFF: A New Format for Storing Hard Drive Images,"] Garfinkel, S., Communications of the ACM, February, 2006</ref> .
of techniquesand tools for . tools for . is <ref>[http://simson.net/clips/academic/...pdf ","] Garfinkel, , , , </ref>
# Developing an unclassified [[Real Data Corpus]] (RDC) consisting of "real data from real people" that can be used to develop new algorithms and test automated tools.
# Developing new algorithms and approaches for working in a "data-rich environment."
==Recent Research Developments==
File-based forensics is forensics that is based on an analysis of files, deleted files and orphan files. Most forensics currently performed for law enforcement, commercial e-discovery, and for intelligence purposes is based on file forensics. The goal here is typically to find a specific file that can be shown to a jury or that contains actionable intelligence. File forensics is typically performed using programs such as EnCase, FTK, or SleuthKit.
* We have developed a batch analysis tool called system called ''' fiwalk''' which can take a disk image and produce an XML file corresponding to all of the files, deleted files, orphan files, and all of the extracted file metadata from a disk image. This XML file can be used as an input to enable further automated media processing. Using this system we have created a variety of applications for reporting and manipulating disk images. We have also developed an efficient system for allowing remote file- level access of disk images using XML- RPC and REST. Details can be found in our paper<ref>[http://simson.net/clips/academic/ 2009.SADFE. xml_forensics.pdf Automating Disk Forensic Processing with SleuthKit, XML and Python], [http:// conf. ncku. edu.tw/ sadfe/ sadfe09/ Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering] ( IEEE/SADFE'09) , May 2009</ref> .
''''''can an file , of file . can be used to enable .Using and file
-of -and . <ref>[http://simson.net/clips/academic/..pdf Forensic
, and , [http://..///to Digital Forensic ]()</ref>
* We have developed a prototype system for performing automated media forensic reporting. Based on PyFlag, the system performs an in-depth analysis of captured media, locates local and online identities, and presents summary information in a report that is tailed to be easy for the consumer of forensic intelligence<ref>[http://www.simson.net/clips/students/09_Farrell.pdf A Framework for Automated Digital Forensic Reporting], Lt. Paul Farrell, Master's Thesis, Naval Postgraduate School, Monterey, CA, March 2009</ref>.
that to .
===Bulk Data Forensics===
* We have developed a tool called '''[http://www.forensicswiki.org/wiki/Frag_find frag_find]''' which can report if sectors of a TARGET file are present on a disk image. This is useful in cases where a TARGET file has been stolen and you wish to establish that the file has been present on a subject's drive. If most of the TARGET file's sectors are found on the IMAGE drive---and if the sectors are in consecutive sector runs---then the chances are excellent that the file was once there. Frag_find performs this search using time-and-space efficient data structures arranged in multiple filtering layers. The program deals with the problem of non-unique blocks by looking for runs of matching blocks, rather than individual blocks. Frag_find is part of the NPS Bloom package, which can be downloaded from http://www.afflib.org.
* CDA tool
* [http://www.simson.net/clips/academic/2008.ACSAC.Bloom.pdf “Practical Applications of Bloom filters to the NIST RDS and hard drive triage,”] Farrell, Garfinkel and White, ACSAC 2008
* [http://www.simson.net/clips/academic/2007.DFRWS.pdf "Carving Contiguous and Fragmented Files with Fast Object Validation"], Garfinkel, S., Digital Investigation, Volume 4, Supplement 1, September 2007, Pages 2--12.
* [http://www.simson.net/clips/academic/2006.DFRWS.pdf "Forensic Feature Extraction and Cross-Drive Analysis,"] Garfinkel, S., Digital Investigation, Volume 3, Supplement 1, September 2006, Pages 71--81.
* [http://www.simson.net/clips/academic/2006.CACM.digital_evidence.pdf "Standardizing Digital Evidence Storage,"] The Common Evidence Format Working Group (Carrier, B., Casey, E., Garfinkel, S., Kornblum, J., Hosmer, C., Rogers., M., and Turner., P.,) Communications of the ACM, February, 2006.