- Page 1:
CRANFIELD UNIVERSITY SARAH LOUISE A
- Page 5 and 6:
ABSTRACT This thesis establishes th
- Page 7 and 8:
ACKNOWLEDGEMENTS “And above all,
- Page 9 and 10:
TABLE OF CONTENTS ABSTRACT ........
- Page 11 and 12:
6 The structure and behaviour of th
- Page 13 and 14:
8.6.1 Stage 1: Preliminary Checks .
- Page 15 and 16:
LIST OF FIGURES Figure 1-1:A breakd
- Page 17 and 18:
LIST OF TABLES Table 5-1: A summary
- Page 21 and 22:
1 Introduction 1.1 Introduction In
- Page 23 and 24:
potential difficulty is the identif
- Page 25 and 26:
This is followed by a structural an
- Page 27 and 28:
Chapter 6 describes the structure a
- Page 29 and 30:
Chapter 11 evaluates the methodolog
- Page 31 and 32:
2 Related Research 2.1 Introduction
- Page 33 and 34:
Generally individuals, including so
- Page 35 and 36:
thought to be a disciplinary offenc
- Page 37 and 38:
2.2.2 Tools used in Forensic Comput
- Page 39 and 40:
structure and behaviour. Winhex pro
- Page 41 and 42:
with it are important aspects of an
- Page 43 and 44:
An important question for each arte
- Page 45 and 46:
For this research it is necessary t
- Page 47 and 48:
2007], which assist in building eve
- Page 49 and 50:
and therefore he did not have priva
- Page 51 and 52:
data may be affected by the behavio
- Page 53 and 54:
thumbnail cache is implemented in f
- Page 55 and 56:
available for office documents; the
- Page 57 and 58:
future. It is possible to establish
- Page 59:
structure and syntax the user and s
- Page 62 and 63:
Identify existing file carving tech
- Page 64 and 65:
throughout this research. Within th
- Page 66 and 67:
corroborate the results. Time const
- Page 68 and 69:
4.2.1 Legal Constraints The law can
- Page 70 and 71:
to the evidence and to ensure any a
- Page 72 and 73:
To ensure the evidence is accurate
- Page 74 and 75:
evidence being extracted is crucial
- Page 76 and 77:
analyse human behaviour, it can sti
- Page 78 and 79:
4.3 Criteria for evaluating the evi
- Page 80 and 81:
In order to determine an artefact w
- Page 83 and 84:
5 The Structure and Behaviour of th
- Page 85 and 86:
the way data changes. The experimen
- Page 87 and 88:
5.4 Default Installations This sect
- Page 89 and 90:
Figure 5-3: The structure of thumbn
- Page 91 and 92:
these can be identified by the addi
- Page 93 and 94:
The tEXt chunks contain the metadat
- Page 95 and 96:
holds information about sample dept
- Page 97 and 98:
Start of tEXt Chunk This tEXt chunk
- Page 99 and 100:
00 00 00 20 74 45 58 74 53 6F 66 74 @
- Page 101 and 102:
order to establish if the software
- Page 103 and 104:
Each piece of software installed by
- Page 105 and 106:
which is present in the subrecords
- Page 107 and 108:
5.6.2 The modification of subrecord
- Page 109 and 110:
ascertain if unused subrecords woul
- Page 111 and 112:
in thumbnail view. This shows that
- Page 113 and 114:
5.9.1 Metadata There are three dist
- Page 115 and 116:
only information which does not con
- Page 117 and 118:
information in the .thumbnails cach
- Page 119 and 120:
uses substantially more checks whic
- Page 121 and 122:
any manipulation to appear as stand
- Page 123:
highlighting the need for understan
- Page 127 and 128:
way the data on a storage medium ch
- Page 129 and 130:
The six thumbcache files identified
- Page 131 and 132:
10 potential user generated file ty
- Page 133 and 134:
The structures were reverse enginee
- Page 135 and 136:
by extracting the images from each o
- Page 137 and 138:
Subrecord header: 4 bytes - Subreco
- Page 139 and 140:
00000100 FF D8 FF E0 00 10 4A 46 49 46
- Page 141 and 142:
The following two subrecords show t
- Page 143 and 144:
to a variety of locations on the st
- Page 145 and 146:
storage device to the User’s “M
- Page 147 and 148:
cache it was noted that the subreco
- Page 149 and 150:
and network places. As these items
- Page 151 and 152:
modified, saved and closed. The thu
- Page 153 and 154:
It is also interesting to note that
- Page 155 and 156:
main and external storage devices.
- Page 157 and 158:
can identify when the icons appeare
- Page 159 and 160:
Figure 6-11: An example contents fr
- Page 161 and 162:
Experiment 3: Experiments 1 and 2 w
- Page 163 and 164:
which have a relationship with the
- Page 165 and 166:
Like the visual inspection by an an
- Page 167 and 168:
In each experiment a single variabl
- Page 169 and 170:
this experiment have shown that the
- Page 171 and 172:
Figure 6-17: The use of media thumb
- Page 173 and 174:
have occurred; it could also determ
- Page 175 and 176:
cache artefacts can be corroborated
- Page 177 and 178:
7 Identification of thumbnail cache
- Page 179 and 180:
a file from a storage device based
- Page 181 and 182:
If potential evidence is identified
- Page 183 and 184:
or more fragments, showing that fra
- Page 185 and 186:
adjusting weights, techniques such
- Page 187 and 188:
research in this Chapter is provided
- Page 189 and 190:
7.5.2 File Fragment Classification
- Page 191 and 192:
as 4096 bytes. The cluster size sel
- Page 193 and 194:
Table 7-2: Breakdown of potentially
- Page 195 and 196:
7.6 Brute Force Approach This appro
- Page 197 and 198:
7.7 Structural and Syntactical Appr
- Page 199 and 200:
((X * 2^32) + Y) Mod Z = Position i
- Page 201 and 202:
The cases are checked in order from
- Page 203 and 204:
to show they belong to a PNG file;
- Page 205 and 206:
parents; in this case Z would repre
- Page 207 and 208:
Figure 7-5: Bayesian Network for H6
- Page 209 and 210:
Actual Fragment Types(Percentage) A
- Page 211 and 212:
Actual Fragment Type(Percentage) Ac
- Page 213 and 214:
Actual Fragment Type(Percentage) Ta
- Page 215 and 216:
Actual Fragment Type(Percentage) Ac
- Page 217 and 218:
Table 7-20: Percentage Success and
- Page 219 and 220:
information available about single
- Page 221 and 222:
hybrid approach may improve the acc
- Page 223 and 224:
8 The creation of a Hybrid Identifi
- Page 225 and 226:
and had a high number of false posi
- Page 227 and 228:
8.3 Methodology The problem definit
- Page 229 and 230:
A bit pattern matching technique pr
- Page 231 and 232:
Figure 8-2: Single byte frequencies
- Page 233 and 234:
check for each potential fragment.
- Page 235 and 236:
The results of the H3 identificatio
- Page 237 and 238:
8.6.1 Stage 1: Preliminary Checks E
- Page 239 and 240:
the checks used in Section 7.7.2 ar
- Page 241 and 242:
8.6.6 Stage 6: H5 Validation Checks
- Page 243 and 244:
Actual Fragment Type (Percentage) T
- Page 245 and 246:
Actual Fragment Type (Percentage) T
- Page 247 and 248:
same effect on other data sets. The
- Page 249:
The hybrid method was also tested a
- Page 252 and 253:
reassembly is more likely when there
- Page 254 and 255:
creation of a file fragment reassem
- Page 256 and 257:
caches in the file may not be compl
- Page 258 and 259:
When reconstructing a jigsaw, gener
- Page 260 and 261:
9.4.1 Thumbcache_idx file fragment
- Page 262 and 263:
IDX Category_3: Fragment with 127 c
- Page 264 and 265:
n. To calculate the asymptotic comp
- Page 266 and 267:
9.5 Thumbcache_32, 96, 1024 In Chap
- Page 268 and 269:
Store Category_4: Fragment is at th
- Page 270 and 271:
If the join is in the middle of a m
- Page 272 and 273:
possible combination of fragments a
- Page 274 and 275:
On examination of the training set
- Page 276 and 277:
9.6.1 Thumbcache_256 file fragment
- Page 278 and 279:
9.7.1 Linux thumbnail file fragment
- Page 280 and 281:
In the training set there was only
- Page 282 and 283:
Table 9-3: Results from reassembly
- Page 284 and 285:
makes the method simple to explain
- Page 286 and 287:
9.11 Conclusion This chapter has fo
- Page 288 and 289:
“Clear documentation is defined a
- Page 290 and 291:
As discussed in the previous sectio
- Page 292 and 293:
“Maximising corroboration can be
- Page 294 and 295:
Table 8.2 shows the improved accura
- Page 296 and 297:
fragments of potentially related fi
- Page 299 and 300:
11 Discussion 11.1 Introduction The
- Page 301 and 302:
evidential artefacts as it has all
- Page 303 and 304:
technique; therefore an open questi
- Page 305 and 306:
could adapt the use of structural a
- Page 307 and 308:
11.7 Generalising the approach to f
- Page 309:
into both identification and reasse
- Page 312 and 313:
In Chapter 9 methods for reassembli
- Page 314 and 315:
information about hiding your actio
- Page 317 and 318:
REFERENCES Access Data, 2012. FTK.
- Page 319 and 320:
Chow, K. et al., 2007. The Rules of
- Page 321 and 322:
Guidance Software, 2011. Encase. Av
- Page 323 and 324:
Microsoft, 2007. Fundamental comput
- Page 325 and 326:
Ramjohn, M., Landa, J., 2009. Unloc
- Page 327:
Zetterstrom, H., 2002. Deleting Sen
- Page 331 and 332:
Appendix A Thumbnail Cache File Str
- Page 333:
A.2 Linux Thumbnail Cache Structure
- Page 336 and 337:
B.4 Fragment contains a Start of Im
- Page 338 and 339:
B.12 High text frequency (Ascii) Pr
- Page 340 and 341:
B.17 H1 32 byte record structure Fr
- Page 342 and 343:
B.20 H4 IDAT marker TEXT marker Asc
- Page 344 and 345:
Cranfield University | 324
- Page 360 and 361:
C.2 Morris, S.; Chivers, H.; 2011a.
- Page 372 and 373:
C.3 Morris, S.; Chivers, H.; 2011b.
- Page 386 and 387:
C.4 Morris, S.; Chivers, H.; 2013.