SLAMorris Final Thesis After Corrections.pdf - Cranfield University

More documents

Recommendations

Info

7.1 Introduction ........................................................................................... 157 7.2 Traditional Data Carving ....................................................................... 158 7.2.1 Brute Force Approach .................................................................... 159 7.2.2 Structural and Syntactical Analysis ................................................ 160 7.3 Data Carving Research ......................................................................... 161 7.3.1 Statistical Methods ......................................................................... 162 7.3.2 Neural Networks ............................................................................. 164 7.3.3 Recovering deleted information from other operating systems ...... 165 7.4 Methodology ......................................................................................... 165 7.5 Information to be carved ....................................................................... 167 7.5.1 Corpus Generation ......................................................................... 167 7.5.2 File Fragment Classification ........................................................... 169 7.5.3 Preparing the File Fragments ......................................................... 170 7.5.4 Distribution of File Types ................................................................ 172 7.5.5 Training and Testing Sets .............................................................. 173 7.6 Brute Force Approach ........................................................................... 175 7.7 Structural and Syntactical Approach ..................................................... 177 7.7.1 H1:.................................................................................................. 177 7.7.2 H2................................................................................................... 180 7.7.3 H3................................................................................................... 181 7.7.4 H4................................................................................................... 182 7.7.5 H5................................................................................................... 183 7.7.6 H6................................................................................................... 183 7.8 Statistical Approach .............................................................................. 183 7.8.1 Construction ................................................................................... 184 7.8.2 Using Bayesian Networks for Classification ................................... 185 7.9 Neural Network Approach ..................................................................... 187 7.10 Results ................................................................................................ 188 7.10.1 Method 1: Brute Force approach .................................................. 188 7.10.2 Method 2: Structural and Syntactical approach ............................ 190 7.10.3 Method 3: Statistical approach ..................................................... 192 7.10.4 Method 4: Neural Network approach ............................................ 194 7.11 Comparison of Classification Methods ................................................ 196 7.12 Discussion .......................................................................................... 198 7.13 Chapter Conclusion ............................................................................ 201 8 The creation of a Hybrid Identification Approach ......................................... 203 8.1 Introduction ........................................................................................... 203 8.2 Problem Definition................................................................................. 204 8.3 Methodology ......................................................................................... 207 8.4 JPEG Identification Research ............................................................... 207 8.5 Visual Thumbnail JPEG File Fragment Identification ............................ 209 8.6 A hybrid approach for thumbnail cache identification ............................ 215 viii
8.6.1 Stage 1: Preliminary Checks .......................................................... 217 8.6.2 Stage 2: H1 Validation Checks ....................................................... 218 8.6.3 Stage 3: H2 Validation Checks ....................................................... 218 8.6.4 Stage 4: H3 Validation Checks ....................................................... 219 8.6.5 Stage 5: H4 Validation Checks ....................................................... 219 8.6.6 Stage 6: H5 Validation Checks ....................................................... 221 8.6.7 Logs ............................................................................................... 221 8.6.8 Accepted Fragments ...................................................................... 221 8.7 Results .................................................................................................. 222 8.8 Discussion ............................................................................................ 226 8.9 Chapter Conclusion .............................................................................. 229 9 Thumbnail cache fragment reassembly ....................................................... 231 9.1 Introduction ........................................................................................... 231 9.2 Image Reassembly ............................................................................... 232 9.3 Methodology ......................................................................................... 233 9.3.1 Potential clashes and missing fragments ....................................... 234 9.3.2 Logging .......................................................................................... 235 9.3.3 Data sets ........................................................................................ 235 9.3.4 Training and testing ........................................................................ 236 9.3.5 A general reassembly approach ..................................................... 236 9.4 Thumbcache_idx................................................................................... 238 9.4.1 Thumbcache_idx file fragment categories ...................................... 240 9.4.2 Thumbcache_idx file fragment reassembly .................................... 242 9.5 Thumbcache_32, 96, 1024 ................................................................... 246 9.5.1 Thumbcache_32, 96, 1024 file fragment categories ...................... 246 9.5.2 Thumbcache_32, 96, 1024 file fragment reassembly ..................... 248 9.6 Thumbcache_256 ................................................................................. 255 9.6.1 Thumbcache_256 file fragment categories .................................... 256 9.6.2 Thumbcache_256 file fragment reassembly ................................... 256 9.7 Linux Thumbnail Records ..................................................................... 257 9.7.1 Linux thumbnail file fragment categories ........................................ 258 9.7.2 Linux thumbnail file fragment reassembly ...................................... 259 9.8 Results .................................................................................................. 260 9.9 Artefacts from fragments identified in unallocated space ...................... 262 9.10 Discussion .......................................................................................... 263 9.11 Conclusion .......................................................................................... 266 10 Establishing the evidential value of thumbnail cache file fragments identified in unallocated space. ...................................................................... 267 10.1 Introduction ...................................................................................... 267 10.2 Replication, Corroboration and Clear Documentation ...................... 267 10.3 Justifiable Method, Understandable Consequences and Scientific Method ........................................................................................................ 269 ix
Page 1: CRANFIELD UNIVERSITY SARAH LOUISE A
Page 5 and 6: ABSTRACT This thesis establishes th
Page 7 and 8: ACKNOWLEDGEMENTS “And above all,
Page 9 and 10: TABLE OF CONTENTS ABSTRACT ........
Page 11: 6 The structure and behaviour of th
Page 15 and 16: LIST OF FIGURES Figure 1-1:A breakd
Page 17 and 18: LIST OF TABLES Table 5-1: A summary
Page 21 and 22: 1 Introduction 1.1 Introduction In
Page 23 and 24: potential difficulty is the identif
Page 25 and 26: This is followed by a structural an
Page 27 and 28: Chapter 6 describes the structure a
Page 29 and 30: Chapter 11 evaluates the methodolog
Page 31 and 32: 2 Related Research 2.1 Introduction
Page 33 and 34: Generally individuals, including so
Page 35 and 36: thought to be a disciplinary offenc
Page 37 and 38: 2.2.2 Tools used in Forensic Comput
Page 39 and 40: structure and behaviour. Winhex pro
Page 41 and 42: with it are important aspects of an
Page 43 and 44: An important question for each arte
Page 45 and 46: For this research it is necessary t
Page 47 and 48: 2007], which assist in building eve
Page 49 and 50: and therefore he did not have priva
Page 51 and 52: data may be affected by the behavio
Page 53 and 54: thumbnail cache is implemented in f
Page 55 and 56: available for office documents; the
Page 57 and 58: future. It is possible to establish
Page 59: structure and syntax the user and s
Page 62 and 63:
Identify existing file carving tech
Page 64 and 65:
throughout this research. Within th
Page 66 and 67:
corroborate the results. Time const
Page 68 and 69:
4.2.1 Legal Constraints The law can
Page 70 and 71:
to the evidence and to ensure any a
Page 72 and 73:
To ensure the evidence is accurate
Page 74 and 75:
evidence being extracted is crucial
Page 76 and 77:
analyse human behaviour, it can sti
Page 78 and 79:
4.3 Criteria for evaluating the evi
Page 80 and 81:
In order to determine an artefact w
Page 83 and 84:
5 The Structure and Behaviour of th
Page 85 and 86:
the way data changes. The experimen
Page 87 and 88:
5.4 Default Installations This sect
Page 89 and 90:
Figure 5-3: The structure of thumbn
Page 91 and 92:
these can be identified by the addi
Page 93 and 94:
The tEXt chunks contain the metadat
Page 95 and 96:
holds information about sample dept
Page 97 and 98:
Start of tEXt Chunk This tEXt chunk
Page 99 and 100:
00 00 00 2074 45 58 7453 6F 66 74 @
Page 101 and 102:
order to establish if the software
Page 103 and 104:
Each piece of software installed by
Page 105 and 106:
which is present in the subrecords
Page 107 and 108:
5.6.2 The modification of subrecord
Page 109 and 110:
ascertain if unused subrecords woul
Page 111 and 112:
in thumbnail view. This shows that
Page 113 and 114:
5.9.1 Metadata There are three dist
Page 115 and 116:
only information which does not con
Page 117 and 118:
information in the .thumbnails cach
Page 119 and 120:
uses substantially more checks whic
Page 121 and 122:
any manipulation to appear as stand
Page 123:
highlighting the need for understan
Page 126 and 127:
elationship between information con
Page 128 and 129:
document the state of a default Win
Page 130 and 131:
Figure 6-1: Directory structure for
Page 132 and 133:
Clone 1-8: Directories at level 0 w
Page 134 and 135:
Figure 6-2: The centralised thumbna
Page 136 and 137:
Start of Record 87 F7 6A 62 4B 7B C
Page 138 and 139:
Start of standard thumbnail cache s
Page 140 and 141:
Start of subrecord 14F8CE010 43 4D
Page 142 and 143:
6.5 Identifying the behaviour The t
Page 144 and 145:
greater than the maximum size image
Page 146 and 147:
experiment was repeated with a non-
Page 148 and 149:
to be shown [Douglas, 2009].Figure
Page 150 and 151:
6.5.1.2 Circumstances where informa
Page 152 and 153:
thumbnail cache based solely upon t
Page 154 and 155:
the cache to remove inactive record
Page 156 and 157:
6.6.1 Windows.edb The database for
Page 158 and 159:
Figure 6-10: Identifying the Defaul
Page 160 and 161:
thumbnail view for 30 seconds. Upon
Page 162 and 163:
checks are performed on the associa
Page 164 and 165:
showing a relationship between info
Page 166 and 167:
The type of a file can be identifie
Page 168 and 169:
The event timeline created could th
Page 170 and 171:
6.9.2 Media thumbnails In Windows 7
Page 172 and 173:
the provenance of artefacts. This i
Page 174 and 175:
6.10.2 Interpretation of Results An
Page 176 and 177:
however it is still possible to tam
Page 178 and 179:
implementations of the thumbnail ca
Page 180 and 181:
valid results only when the file is
Page 182 and 183:
7.3.1 Statistical Methods If docume
Page 184 and 185:
ate for HTML and JPEG files [Veenma
Page 186 and 187:
Having described current methods fo
Page 188 and 189:
previous experiments or downloaded
Page 190 and 191:
L2: The fragment is part of a visua
Page 192 and 193:
Table 7-1: Breakdown of file fragme
Page 194 and 195:
approximately half the data in Data
Page 196 and 197:
Table 7-3: A list of thumbnail cach
Page 198 and 199:
Figure 7-2: Classifications for thu
Page 200 and 201:
7.7.2 H2 For the identification of
Page 202 and 203:
Relative offset: 48 0B 09 0C 11 0F
Page 204 and 205:
The Bayesian Network takes into acc
Page 206 and 207:
Figure 7-3: Bayesian network for H1
Page 208 and 209:
Actual Fragment Type(Percentage) 7.
Page 210 and 211:
Actual Fragment Type(Percentage) Ta
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Table 7-19: Method 4 Results for th
Page 218 and 219:
more suited to pattern recognition
Page 220 and 221:
and 2. This is possible because the
Page 222 and 223:
This chapter has successfully ident
Page 224 and 225:
8.2 Problem Definition In the intro
Page 226 and 227:
information to examine at the end o
Page 228 and 229:
files is described on the Joint Pho
Page 230 and 231:
were not from thumbnail cache files
Page 232 and 233:
In order to identify potential H3 f
Page 234 and 235:
Actual Fragment Type (Percentage) p
Page 236 and 237:
Figure 8-3: A summary of the hybrid
Page 238 and 239:
cache file fragments. The headers i
Page 240 and 241:
follow the standard PNG specificati
Page 242 and 243:
then be viewed by an analyst and us
Page 244 and 245:
Actual Fragment Type (Percentage) T
Page 246 and 247:
8.8 Discussion The end aim of Chapt
Page 248 and 249:
identification method into stages l
Page 251 and 252:
9 Thumbnail cache fragment reassemb
Page 253 and 254:
Once the fragments have been identi
Page 255 and 256:
9.3.2 Logging In order to maintain
Page 257 and 258:
H1:Thumbcache_idx.db file H2: Image
Page 259 and 260:
Therefore this research assumes tha
Page 261 and 262:
ecords and 2 partial records. The n
Page 263 and 264:
equirement for generating table siz
Page 265 and 266:
100% success rate, with 0% false po
Page 267 and 268:
then stored and marked as a complet
Page 269 and 270:
Once a start of file fragment has b
Page 271 and 272:
number of fragments which contain o
Page 273 and 274:
Figure 9-7: Reassembling an image b
Page 275 and 276:
As the number of fragments being an
Page 277 and 278:
file fragment identification on sto
Page 279 and 280:
Linux Category_4: The last fragment
Page 281 and 282:
Table 9-1: Results from reassembly
Page 283 and 284:
activity. All the non-standard subr
Page 285 and 286:
which substantially reduces the inf
Page 287 and 288:
10 Establishing the evidential valu
Page 289 and 290:
The thumbnail cache artefact extrac
Page 291 and 292:
and 6. Each stage of the method has
Page 293 and 294:
adapted to extract artefact from ot
Page 295 and 296:
10.7 Discussion Both live system an
Page 297:
10.8 Conclusion This chapter evalua
Page 300 and 301:
Figure 11-1: A breakdown of aim of
Page 302 and 303:
analysing the file type it is possi
Page 304 and 305:
singular file fragment; by combinin
Page 306 and 307:
processing time of the reassembly m
Page 308 and 309:
In Chapter 9.5 a decision was taken
Page 311 and 312:
12 Conclusions and future work 12.1
Page 313 and 314:
potential for improving the identif
Page 315:
installations of the operating syst
Page 318 and 319:
Carnagey, N.L., Anderson, C.A. & Bu
Page 320 and 321:
Facebook, 2013. Facebook. Available
Page 322 and 323:
Helix, 2011. Helix. Available at: h
Page 324 and 325:
Noblett, M., Pollitt, M., Presley,
Page 326 and 327:
Stone-kaplan, K., Roter, M., 2003.
Page 329:
APPENDICES Cranfield University | 3
Page 332 and 333:
A.1.3 Image File Header typedefstru
Page 335 and 336:
Appendix B Bayesian probability tab
Page 337 and 338:
B.8 Fragment contains the ASCII str
Page 339 and 340:
B.15 32 byte record structure SR po
Page 341 and 342:
B.19 H3 Each byte frequency is less
Page 343 and 344:
B.21 H5 Stored in valid PNG chunks
Page 345 and 346:
Appendix C Peer Reviewed Publicatio
Page 347 and 348:
Cranfield University | 327
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
Page 369 and 370:
Page 371 and 372:
Page 373 and 374:
Page 375 and 376:
Page 377 and 378:
Page 379 and 380:
Page 381 and 382:
Page 383 and 384:
Page 385 and 386:
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395:
show all

SLAMorris Final Thesis After Corrections.pdf - Cranfield University

Create successful ePaper yourself

Delete template?

Save as template?