Difference between revisions of "Automated Computer Forensics"
From Simson Garfinkel
Jump to navigationJump to search
(New page: We are developing a variety of techniques and tools for performing ''Automated Document and Media Exploitation'' (ADOMEX). The thrust of this research consists of three parts: # Developing...) |
m |
||
| (35 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Current Research Areas== | |||
# | One of my primary areas of research is the development of algorithms, techniques, and eventually tools for automating a wide variety of computer forensics tasks that are currently performed by trained analysts. Today much work performed by computer analysts is performed with visualization tools that allow an analyst to search for data on a hard drive or captured from a network and slowly construct a story that might be useful in a prosecution or in recovering from a security event. But as data volumes increase and the network environment becomes increasingly complex, there is a need for increasingly automated tools that can perform autonomous analysis and correlation<ref>Garfinkel, S. [http://simson.net/clips/academic/2007.ACM.Domex.pdf "Document and Media Exploitation,"] <i>ACM Queue</i>, November/December 2007.</ref><ref>Garfinkel, Simson, Digital Forensics Research: The Next 10 Years , DFRWS 2010, Portland, OR</ref> | ||
# | |||
# | Today my research into this field of automated computer forensics covers these main areas: | ||
# '''Small-block forensics'''---Exploring approaches for working with data elements in the 4KiB to 64KiB range and that are not aligned with file boundaries. This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.<ref>Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR</ref> | |||
# '''Data-rich algorithms and approaches''' that are designed to work in environments where there is a large collection of data from multiple users, as can be the case in law enforcement, e-discovery, and internal corporate investigations. <ref>Garfinkel, S., [http://simson.net/clips/academic/2006.DFRWS.pdf Forensic Feature Extraction and Cross-Drive Analysis,]The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.</ref> | |||
# '''Media/Web correlation''' --- Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web. | |||
# '''Corpus Creation''' --- Developing realistic corpora that can be used in education and software development that do not contain personal information.<ref>Garfinkel, Farrell, Roussev and Dinolt, [http://www.simson.net/clips/academic/2009.DFRWS.Corpora.pdf Bringing Science to Digital Forensics with Standardized Forensic Corpora], DFRWS 2009, Montreal, Canada. [http://simson.net/clips/academic/2009.DFRWS.Corpora.slides.pdf (slides)]</ref> | |||
Related work areas that I am not personally involved in includes: | |||
# Approaches for '''gisting''' and clustering documents based on their content. | |||
# Approaches that are tuned to human languages other than English. | |||
==Relevant Publications== | ==Relevant Publications== | ||
<references/> | |||
__NOTOC__ | |||
Latest revision as of 12:40, 17 March 2018
Current Research Areas
One of my primary areas of research is the development of algorithms, techniques, and eventually tools for automating a wide variety of computer forensics tasks that are currently performed by trained analysts. Today much work performed by computer analysts is performed with visualization tools that allow an analyst to search for data on a hard drive or captured from a network and slowly construct a story that might be useful in a prosecution or in recovering from a security event. But as data volumes increase and the network environment becomes increasingly complex, there is a need for increasingly automated tools that can perform autonomous analysis and correlation[1][2]
Today my research into this field of automated computer forensics covers these main areas:
- Small-block forensics---Exploring approaches for working with data elements in the 4KiB to 64KiB range and that are not aligned with file boundaries. This can be used in situations where an entire file is not available for reconstruction, or only a portion of a file is available for analysis. Small block forensics can be used to enable approaches based on statistical sampling rather than full-content analysis.[3]
- Data-rich algorithms and approaches that are designed to work in environments where there is a large collection of data from multiple users, as can be the case in law enforcement, e-discovery, and internal corporate investigations. [4]
- Media/Web correlation --- Exploring opportunities for automatic correlation of information on hard drives with information that can be found on the web.
- Corpus Creation --- Developing realistic corpora that can be used in education and software development that do not contain personal information.[5]
Related work areas that I am not personally involved in includes:
- Approaches for gisting and clustering documents based on their content.
- Approaches that are tuned to human languages other than English.
Relevant Publications
- ↑ Garfinkel, S. "Document and Media Exploitation," ACM Queue, November/December 2007.
- ↑ Garfinkel, Simson, Digital Forensics Research: The Next 10 Years , DFRWS 2010, Portland, OR
- ↑ Simson Garfinkel, Vassil Roussev, Alex Nelson and Douglas White, Using purpose-built functions and block hashes to enable small block and sub-file forensics, DFRWS 2010, Portland, OR
- ↑ Garfinkel, S., Forensic Feature Extraction and Cross-Drive Analysis,The 6th Annual Digital Forensic Research Workshop Lafayette, Indiana, August 14-16, 2006.
- ↑ Garfinkel, Farrell, Roussev and Dinolt, Bringing Science to Digital Forensics with Standardized Forensic Corpora, DFRWS 2009, Montreal, Canada. (slides)
