SLAMorris Final Thesis After Corrections.pdf - Cranfield University

More documents

Recommendations

Info

6 The structure and behaviour of the Windows 7 Operating System Thumbnail Cache 6.1 Introduction The release of Windows Vista prompted speculation from Forensic analysts about the impact of the new Operating system on investigations [Hargreaves, 2008]. One interesting change was the move away from the directory specific thumbs.db, to each user having a single centralised thumbnail cache. The release of Windows 7 in 2009 prompted further speculation from analysts; additional changes were introduced to the structure and behaviour of system components such as Windows Desktop Search [Chivers, 2011].The centralised thumbnail cache format introduced in Windows Vista had also been adapted in the new operating system. Microsoft operating systems are installed on a significant proportion of user machines and it is therefore unsurprising that currently a significant proportion of forensic analysis involves their operating systems. Due to the likelihood of encountering a Windows based operating system there is significant interest in finding and understanding relevant artefacts within the forensic community. This Chapter identifies the structure and behaviour of the Windows 7 operating system thumbnail caches; it begins with the methodology employed within this chapter [Section 6.2]. This is followed by the identification of relevant artefacts in a baseline installation of Windows 7 [Section 6.3]. Section 6.4 identifies the structure of the thumbnail cache components. In Section 6.5 the behaviour of the thumbnail cache is identified through experimentation, this is followed by a review of artefacts related to the thumbnail cache which are present on the operating system [Section 6.6]. Section 6.7 looks at the effect of tampering with data contained within the thumbnail cache; Section 6.8 looks at forming a Page 105
Page 1:
CRANFIELD UNIVERSITY SARAH LOUISE A
Page 5 and 6:
ABSTRACT This thesis establishes th
Page 7 and 8:
ACKNOWLEDGEMENTS “And above all,
Page 9 and 10:
TABLE OF CONTENTS ABSTRACT ........
Page 11 and 12:
6 The structure and behaviour of th
Page 13 and 14:
8.6.1 Stage 1: Preliminary Checks .
Page 15 and 16:
LIST OF FIGURES Figure 1-1:A breakd
Page 17 and 18:
LIST OF TABLES Table 5-1: A summary
Page 21 and 22:
1 Introduction 1.1 Introduction In
Page 23 and 24:
potential difficulty is the identif
Page 25 and 26:
This is followed by a structural an
Page 27 and 28:
Chapter 6 describes the structure a
Page 29 and 30:
Chapter 11 evaluates the methodolog
Page 31 and 32:
2 Related Research 2.1 Introduction
Page 33 and 34:
Generally individuals, including so
Page 35 and 36:
thought to be a disciplinary offenc
Page 37 and 38:
2.2.2 Tools used in Forensic Comput
Page 39 and 40:
structure and behaviour. Winhex pro
Page 41 and 42:
with it are important aspects of an
Page 43 and 44:
An important question for each arte
Page 45 and 46:
For this research it is necessary t
Page 47 and 48:
2007], which assist in building eve
Page 49 and 50:
and therefore he did not have priva
Page 51 and 52:
data may be affected by the behavio
Page 53 and 54:
thumbnail cache is implemented in f
Page 55 and 56:
available for office documents; the
Page 57 and 58:
future. It is possible to establish
Page 59:
structure and syntax the user and s
Page 62 and 63:
Identify existing file carving tech
Page 64 and 65:
throughout this research. Within th
Page 66 and 67:
corroborate the results. Time const
Page 68 and 69:
4.2.1 Legal Constraints The law can
Page 70 and 71:
to the evidence and to ensure any a
Page 72 and 73:
To ensure the evidence is accurate
Page 74 and 75: evidence being extracted is crucial
Page 76 and 77: analyse human behaviour, it can sti
Page 78 and 79: 4.3 Criteria for evaluating the evi
Page 80 and 81: In order to determine an artefact w
Page 83 and 84: 5 The Structure and Behaviour of th
Page 85 and 86: the way data changes. The experimen
Page 87 and 88: 5.4 Default Installations This sect
Page 89 and 90: Figure 5-3: The structure of thumbn
Page 91 and 92: these can be identified by the addi
Page 93 and 94: The tEXt chunks contain the metadat
Page 95 and 96: holds information about sample dept
Page 97 and 98: Start of tEXt Chunk This tEXt chunk
Page 99 and 100: 00 00 00 2074 45 58 7453 6F 66 74 @
Page 101 and 102: order to establish if the software
Page 103 and 104: Each piece of software installed by
Page 105 and 106: which is present in the subrecords
Page 107 and 108: 5.6.2 The modification of subrecord
Page 109 and 110: ascertain if unused subrecords woul
Page 111 and 112: in thumbnail view. This shows that
Page 113 and 114: 5.9.1 Metadata There are three dist
Page 115 and 116: only information which does not con
Page 117 and 118: information in the .thumbnails cach
Page 119 and 120: uses substantially more checks whic
Page 121 and 122: any manipulation to appear as stand
Page 123: highlighting the need for understan
Page 127 and 128: way the data on a storage medium ch
Page 129 and 130: The six thumbcache files identified
Page 131 and 132: 10 potential user generated file ty
Page 133 and 134: The structures were reverse enginee
Page 135 and 136: y extracting the images from each o
Page 137 and 138: Subrecord header: 4 bytes - Subreco
Page 139 and 140: 00000100 FF D8FF E000 104A 46 49 46
Page 141 and 142: The following two subrecords show t
Page 143 and 144: to a variety of locations on the st
Page 145 and 146: storage device to the User’s “M
Page 147 and 148: cache it was noted that the subreco
Page 149 and 150: and network places. As these items
Page 151 and 152: modified, saved and closed. The thu
Page 153 and 154: It is also interesting to note that
Page 155 and 156: main and external storage devices.
Page 157 and 158: can identify when the icons appeare
Page 159 and 160: Figure 6-11: An example contents fr
Page 161 and 162: Experiment 3: Experiments 1 and 2 w
Page 163 and 164: which have a relationship with the
Page 165 and 166: Like the visual inspection by an an
Page 167 and 168: In each experiment a single variabl
Page 169 and 170: this experiment have shown that the
Page 171 and 172: Figure 6-17: The use of media thumb
Page 173 and 174: have occurred; it could also determ
Page 175 and 176:
cache artefacts can be corroborated
Page 177 and 178:
7 Identification of thumbnail cache
Page 179 and 180:
a file from a storage device based
Page 181 and 182:
If potential evidence is identified
Page 183 and 184:
or more fragments, showing that fra
Page 185 and 186:
adjusting weights, techniques such
Page 187 and 188:
esearch in this Chapter is provided
Page 189 and 190:
7.5.2 File Fragment Classification
Page 191 and 192:
as 4096 bytes. The cluster size sel
Page 193 and 194:
Table 7-2: Breakdown of potentially
Page 195 and 196:
7.6 Brute Force Approach This appro
Page 197 and 198:
7.7 Structural and Syntactical Appr
Page 199 and 200:
((X * 2^32) + Y) Mod Z = Position i
Page 201 and 202:
The cases are checked in order from
Page 203 and 204:
to show they belong to a PNG file;
Page 205 and 206:
parents; in this case Z would repre
Page 207 and 208:
Figure 7-5: Bayesian Network for H6
Page 209 and 210:
Actual Fragment Types(Percentage) A
Page 211 and 212:
Actual Fragment Type(Percentage) Ac
Page 213 and 214:
Actual Fragment Type(Percentage) Ta
Page 215 and 216:
Actual Fragment Type(Percentage) Ac
Page 217 and 218:
Table 7-20: Percentage Success and
Page 219 and 220:
information available about single
Page 221 and 222:
hybrid approach may improve the acc
Page 223 and 224:
8 The creation of a Hybrid Identifi
Page 225 and 226:
and had a high number of false posi
Page 227 and 228:
8.3 Methodology The problem definit
Page 229 and 230:
A bit pattern matching technique pr
Page 231 and 232:
Figure 8-2: Single byte frequencies
Page 233 and 234:
check for each potential fragment.
Page 235 and 236:
The results of the H3 identificatio
Page 237 and 238:
8.6.1 Stage 1: Preliminary Checks E
Page 239 and 240:
the checks used in Section 7.7.2 ar
Page 241 and 242:
8.6.6 Stage 6: H5 Validation Checks
Page 243 and 244:
Actual Fragment Type (Percentage) T
Page 245 and 246:
Actual Fragment Type (Percentage) T
Page 247 and 248:
same affect on other data sets. The
Page 249:
The hybrid method was also tested a
Page 252 and 253:
eassembly is more likely when there
Page 254 and 255:
creation of a file fragment reassem
Page 256 and 257:
caches in the file may not be compl
Page 258 and 259:
When reconstructing a jigsaw, gener
Page 260 and 261:
9.4.1 Thumbcache_idx file fragment
Page 262 and 263:
IDX Category_3: Fragment with 127 c
Page 264 and 265:
n. To calculate the asymptotic comp
Page 266 and 267:
9.5 Thumbcache_32, 96, 1024 In Chap
Page 268 and 269:
Store Category_4: Fragment is at th
Page 270 and 271:
If the join is in the middle of a m
Page 272 and 273:
possible combination of fragments a
Page 274 and 275:
On examination of the training set
Page 276 and 277:
9.6.1 Thumbcache_256 file fragment
Page 278 and 279:
9.7.1 Linux thumbnail file fragment
Page 280 and 281:
In the training set there was only
Page 282 and 283:
Table 9-3: Results from reassembly
Page 284 and 285:
makes the method simple to explain
Page 286 and 287:
9.11 Conclusion This chapter has fo
Page 288 and 289:
“Clear documentation is defined a
Page 290 and 291:
As discussed in the previous sectio
Page 292 and 293:
“Maximising corroboration can be
Page 294 and 295:
Table 8.2 shows the improved accura
Page 296 and 297:
fragments of potentially related fi
Page 299 and 300:
11 Discussion 11.1 Introduction The
Page 301 and 302:
evidential artefacts as it has all
Page 303 and 304:
technique; therefore an open questi
Page 305 and 306:
could adapt the use of structural a
Page 307 and 308:
11.7 Generalising the approach to f
Page 309:
into both identification and reasse
Page 312 and 313:
In Chapter 9 methods for reassembli
Page 314 and 315:
information about hiding your actio
Page 317 and 318:
REFERENCES Access Data, 2012. FTK.
Page 319 and 320:
Chow, K. et al., 2007. The Rules of
Page 321 and 322:
Guidance Software, 2011. Encase. Av
Page 323 and 324:
Microsoft, 2007. Fundamental comput
Page 325 and 326:
Ramjohn, M., Landa, J., 2009. Unloc
Page 327:
Zetterstrom, H., 2002. Deleting Sen
Page 331 and 332:
Appendix A Thumbnail Cache File Str
Page 333:
A.2 Linux Thumbnail Cache Structure
Page 336 and 337:
B.4 Fragment contains a Start of Im
Page 338 and 339:
B.12 High text frequency (Ascii) Pr
Page 340 and 341:
B.17 H1 32 byte record structure Fr
Page 342 and 343:
B.20 H4 IDAT marker TEXT marker Asc
Page 344 and 345:
Cranfield University | 324
Page 346 and 347:
Page 348 and 349:
Page 350 and 351:
Page 352 and 353:
Page 354 and 355:
Page 356 and 357:
Page 358 and 359:
Page 360 and 361:
C.2 Morris, S.; Chivers, H.; 2011a.
Page 362 and 363:
Page 364 and 365:
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
Page 372 and 373:
C.3 Morris, S.; Chivers, H.; 2011b.
Page 374 and 375:
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 382 and 383:
Page 384 and 385:
Page 386 and 387:
C.4 Morris, S.; Chivers, H.; 2013.
Page 388 and 389:
Page 390 and 391:
Page 392 and 393:
Page 394 and 395:
show all

SLAMorris Final Thesis After Corrections.pdf - Cranfield University

Create successful ePaper yourself

Delete template?

Save as template?