Difference between revisions of "Automated Computer Forensics"
(New page: We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation'' (ADOMEX). The thrust of this research consists of three parts: # Developing...)
|(35 intermediate revisions by the same user not shown)|
|Line 1:||Line 1:|
a variety of and tools Document and Media Exploitation.The
this of :
# for working with . This is of .
# Dataof data from can be and .
# --- for .
can be used
Latest revision as of 12:40, 17 March 2018
Current Research Areas
One of my primary areas of research is the development of algorithms, techniques, and eventually tools for automating a wide variety of computer forensics tasks that are currently performed by trained analysts. Today much work performed by computer analysts is performed with visualization tools that allow an analyst to search for data on a hard drive or captured from a network and slowly construct a story that might be useful in a prosecution or in recovering from a security event. But as data volumes increase and the network environment becomes increasingly complex, there is a need for increasingly automated tools that can perform autonomous analysis and correlation
Today my research into this field of automated computer forensics covers these main areas:
- Small-block forensics---Exploring approaches for working with data elements in the 4KiB to 64KiB range and that are not aligned with file boundaries. This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.
- Data-rich algorithms and approaches that are designed to work in environments where there is a large collection of data from multiple users, as can be the case in law enforcement, e-discovery, and internal corporate investigations. 
- Media/Web correlation --- Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.
- Corpus Creation --- Developing realistic corpora that can be used in education and software development that do not contain personal information.
Related work areas that I am not personally involved in includes:
- Approaches for gisting and clustering documents based on their content.
- Approaches that are tuned to human languages other than English.
- Garfinkel, S. "Document and Media Exploitation," ACM Queue, November/December 2007.
- Garfinkel, Simson, Digital Forensics Research: The Next 10 Years , DFRWS 2010, Portland, OR
- Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR
- Garfinkel, S., Forensic Feature Extraction and Cross-Drive Analysis,The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.
- Garfinkel, Farrell, Roussev and Dinolt, Bringing Science to Digital Forensics with Standardized Forensic Corpora, DFRWS 2009, Montreal, Canada. (slides)