UTD CS 4398 - LECTURE NOTES

Slide titles:
- Digital Forensics
- Papers to discuss
- Abstract of Paper 1
- Outline
- Introduction: Why?
- Feature Extraction
- Single Drive analysis
- Cross drive analysis (CDA)
- Implementation
- Slide 10
- Directions
- Abstract of Paper 2
- Slide 13
- Introduction
- Factors
- Drifting clocks behavior
- Correlation
- Slide 18
- Abstract of Paper 3 (OPTIONAL)
- Slide 20
- Slide 21
- Slide 22
- Bloom Filters
- Application of Bloom Filter in Security
- Slide 25
- Abstract of Paper 4
- Slide 27
- Slide 28
- Piecewise hashing
- Spamsum
- Slide 31

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Evidence Correlation
November 4, 2008

Papers to discuss
- Forensic feature extraction and cross-drive analysis - http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
- A correlation method for establishing provenance of timestamps in digital evidence - http://dfrws.org/2006/proceedings/13-%20Schatz.pdf
- md5bloom: Forensic file system hashing revisited (OPTIONAL) - http://dfrws.org/2006/proceedings/11-Roussev.pdf
- Identifying almost identical files using context triggered piecewise hashing (OPTIONAL) - http://dfrws.org/2006/proceedings/12-Kornblum.pdf

Abstract of Paper 1
This paper introduces Forensic Feature Extraction (FFE) and Cross-Drive Analysis (CDA), two new approaches for analyzing large data sets of disk images and other forensic data. FFE uses a variety of lexigraphic techniques for extracting information from bulk data; CDA uses statistical techniques for correlating this information within a single disk image and across multiple disk images. An architecture for these techniques is presented that consists of five discrete steps: imaging, feature extraction, first-order cross-drive analysis, cross-drive correlation, and report generation. CDA was used to analyze 750 images of drives acquired on the secondary market; it automatically identified drives containing a high concentration of confidential financial records as well as clusters of drives that came from the same organization. FFE and CDA are promising techniques for prioritizing work and automatically identifying members of social networks under investigation. The authors believe the techniques are likely to have other uses as well.

Outline
- Introduction
- Forensics Feature Extraction
- Single Drive Analysis
- Cross drive analysis
- Implementation
- Directions

Introduction: Why?
- Improper prioritization. In these days of cheap storage and fast computers, the critical resource to be optimized is the attention of the examiner or analyst. Today work is not prioritized based on the information that the drive contains.
- Lost opportunities for data correlation. Because each drive is examined independently, there is no opportunity to automatically "connect the dots" on a large case involving multiple storage devices.
- Improper emphasis on document recovery. Because today's forensic tools are based on document recovery, they have taught examiners, analysts, and customers to be primarily concerned with obtaining documents.

Feature Extraction
- An email address extractor, which can recognize RFC822-style email addresses.
- An email Message-ID extractor.
- An email Subject: extractor.
- A Date extractor, which can extract date and time stamps in a variety of formats.
- A cookie extractor, which can identify cookies from the Set-Cookie: header in web page cache files.
- A US social security number extractor, which identifies the patterns ###-##-#### and ######### when preceded with the letters SSN and an optional colon.
- A credit card number extractor.

Single Drive analysis
- Extracted features can be used to speed initial analysis and answer specific questions about a drive image. The authors have successfully used extracted features for drive image attribution and to build a tool that scans disks to report the likely existence of information that should have been destroyed under the Fair and Accurate Credit Transactions Act.
- Drive attribution: an analyst might encounter a hard drive and wish to determine to whom that drive previously belonged. For example, the drive might have been purchased on eBay and the analyst might be attempting to return it to its previous owner. A powerful technique for making this determination is to create a histogram of the email addresses on the drive (as returned by the email address feature extractor).

Cross drive analysis (CDA)
- Cross-drive analysis is the term the authors coined to describe forensic analysis of a data set that spans multiple drives.
- The fundamental theory of cross-drive analysis is that data gleaned from multiple drives can improve the forensic analysis of a drive in question, both in the case when the multiple drives are related to the drive in question and in the case when they are not.
- There are two forms of CDA: first order, in which the results of a feature extractor are compared across multiple drives, an O(n) operation; and second order, where the results are correlated, an O(n²) operation.

Implementation
1. Disks collected are imaged into a single AFF file. (AFF is the Advanced Forensic Format, a file format for disk images that contains all of the data accession information, such as the drive's manufacturer and serial number, as well as the disk contents.)
2. The afxml program is used to extract drive metadata from the AFF file and build an entry in the SQL database.
3. Strings are extracted with an AFF-aware program in three passes: one for 8-bit characters, one for 16-bit characters in lsb format, and one for 16-bit characters in msb format.
4. Feature extractors run over the string files and write their results to feature files.
5. Extracted features from newly-ingested drives are run against a watch list; hits are reported to the human operator.
6. The feature files are read by indexers, which build indexes in the SQL server of the identified features.

Implementation (cont.)
7. A multi-drive correlation is run to see if the newly accessioned drive contained features in common with any drives that are on a drive watch list.
8. A user interface allows multiple analysts to simultaneously interact with the database, to schedule new correlations to be run in a batch mode, or to view individual sectors or recovered files from the drive images that are stored on the file server.

Directions
- Improve feature extraction
- Improve the algorithms
- Develop end to end systems

Abstract of Paper 2
Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer generated
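As an added illustration (not code from the slides or from the Garfinkel paper), the following Python sketch runs two of the feature extractors described above over constructed sample string files for three drives, builds the email histogram used for drive attribution, and shows the difference between first-order CDA (comparing one extractor's results across drives) and second-order CDA (correlating shared features between every pair of drives). Drive names, sample addresses and SSN-like values are all constructed for the example.

```python
import re
from collections import Counter
from itertools import combinations

# Constructed sample "string files" for three drive images (not real
# acquisitions): the text the 8-bit string-extraction pass hands to the
# feature extractors (step 3 of the implementation on the slides).
STRINGS = {
    "drive01": (b"From: Alice@example.com\nTo: bob@example.com\n"
                b"From: alice@example.com\nFrom: alice@example.com\n"
                b"Customer SSN: 123-45-6789  account 555667777\n"),
    "drive02": (b"To: bob@example.com\nFrom: carol@example.com\n"
                b"SSN 987654321\nSSN:123-45-6789\n"),
    "drive03": (b"From: dave@example.org\nPayroll SSN: 111-22-3333\n"
                b"SSN: 444-55-6666\nSSN 777-88-9999\n"),
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# ###-##-#### or ######### only when preceded by "SSN" and an optional
# colon, as the slide describes; "account 555667777" above must not match.
SSN_RE = re.compile(rb"SSN:?\s*(\d{3}-\d{2}-\d{4}|\d{9})")

def extract_features(data):
    """Run the feature extractors over one drive's strings (-> feature file)."""
    return {
        "email": Counter(m.lower().decode() for m in EMAIL_RE.findall(data)),
        "ssn": Counter(m.decode() for m in SSN_RE.findall(data)),
    }

def attribute_drive(features):
    """Drive attribution: the address at the top of the email histogram."""
    top = features["email"].most_common(1)
    return top[0][0] if top else None

def first_order_cda(all_features, kind):
    """First order, O(n): compare one extractor's results across drives,
    ranking the drive with the most distinct features (e.g. SSNs) first."""
    return sorted(all_features, key=lambda d: -len(all_features[d][kind]))

def second_order_cda(all_features, kind):
    """Second order, O(n^2): correlate every pair of drives by the features
    they share; drives sharing addresses may come from one organisation."""
    shared = {}
    for a, b in combinations(sorted(all_features), 2):
        common = set(all_features[a][kind]) & set(all_features[b][kind])
        if common:
            shared[(a, b)] = sorted(common)
    return shared

FEATURES = {drive: extract_features(data) for drive, data in STRINGS.items()}
```

Ranking by SSN count puts drive03 first (the "high concentration of confidential financial records" case), while the pairwise correlation links drive01 and drive02 through a shared address and a shared SSN.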

