SLAMorris Final Thesis After Corrections.pdf - Cranfield University

More documents

Recommendations

Info

Table 8-5: Method 5 Results for the 1 st Testing Set (Half of Data Set 1) ........ 224 Table 8-6: Method 5 Results for the 2 nd Testing Set (Data Set 2) .................. 225 Table 8-7: Method 5 Results for the unknown data set (Data Set 3) .............. 225 Table 8-8: Percentage Success and False Positive rates for the hybrid approach and the commercial recovery tool Blade for Data Set 2 .......... 228 Table 9-1: Results from reassembly of data set A .......................................... 261 Table 9-2: Results from reassembly of data set B .......................................... 261 Table 9-3: Results from reassembly of data set C .......................................... 262 xiv
Page 1: CRANFIELD UNIVERSITY SARAH LOUISE A
Page 5 and 6: ABSTRACT This thesis establishes th
Page 7 and 8: ACKNOWLEDGEMENTS “And above all,
Page 9 and 10: TABLE OF CONTENTS ABSTRACT ........
Page 11 and 12: 6 The structure and behaviour of th
Page 13 and 14: 8.6.1 Stage 1: Preliminary Checks .
Page 15 and 16: LIST OF FIGURES Figure 1-1:A breakd
Page 17: LIST OF TABLES Table 5-1: A summary
Page 22 and 23: 1.2 Justification The thumbnail cac
Page 24 and 25: 1.5 Methodology This research aims
Page 26 and 27: implementations of operating system
Page 28 and 29: chapter evaluates possible image fr
Page 30 and 31: conducted into establishing relatio
Page 32 and 33: The definition of Forensic Computin
Page 34 and 35: 2.2.1 Methodologies A computer can
Page 36 and 37: each stage. One of the most critica
Page 38 and 39: obtain and analyse evidence [Helix,
Page 40 and 41: 2.2.3 Current Opportunities Forensi
Page 42 and 43: techniques, in order to fully under
Page 44 and 45: Kerr [2006] identified that an anal
Page 46 and 47: answer questions such as who, what,
Page 48 and 49: However whilst this technique curre
Page 50 and 51: Event reconstruction can be modelle
Page 52 and 53: makes them difficult to identify, a
Page 54 and 55: make less conservative judgements a
Page 56 and 57: investigation is necessary to estab
Page 58 and 59: Thumbnail caches contain metadata,
Page 61 and 62: 3 Research Objectives, Consideratio
Page 63 and 64: The file fragments identified and r
Page 65 and 66: each experiment to identify structu
Page 67 and 68: 4 Defining Evidential Value 4.1 Int
Page 69 and 70:
In Jurisprudence, admissibility is
Page 71 and 72:
It has been suggested that to fully
Page 73 and 74:
4.2.4 Procedural Constraints The pr
Page 75 and 76:
To minimise the possibility of frau
Page 77 and 78:
for their crimes; therefore anti-fo
Page 79 and 80:
A process is defined as having unde
Page 81:
4.4.2 Legal and ethical constraints
Page 84 and 85:
thumbnail cache responds to artefac
Page 86 and 87:
The thumbnail cache itself is a hid
Page 88 and 89:
5.5 Identifying the structure This
Page 90 and 91:
Figure 5-4: A figure showing the th
Page 92 and 93:
5.5.2 The structure of a thumbnail
Page 94 and 95:
Start of IHDR Chunk The IHDR contai
Page 96 and 97:
00000030 00 00 00 1774 45 58 7454 6
Page 98 and 99:
Start of tEXt Chunk This chunk stor
Page 100 and 101:
Start of IEND Chunk This is a stand
Page 102 and 103:
thumbnail generation; if a director
Page 104 and 105:
The information panel within the fi
Page 106 and 107:
Circumstances where information is
Page 108 and 109:
on the user’s desktop and 5 sub-d
Page 110 and 111:
information relating to the files o
Page 112 and 113:
However, if this ‘tampered’ rec
Page 114 and 115:
5.9.3 MD5 hashes In the previous se
Page 116 and 117:
5.10 Audio and Media thumbnails Thi
Page 118 and 119:
5.2, and 5.5) to replicate the expe
Page 120 and 121:
consequences of the method used. Fo
Page 122 and 123:
In Ubuntu and Kubuntu the thumbnail
Page 125 and 126:
6 The structure and behaviour of th
Page 127 and 128:
way the data on a storage medium ch
Page 129 and 130:
The six thumbcache files identified
Page 131 and 132:
10 potential user generated file ty
Page 133 and 134:
The structures were reverse enginee
Page 135 and 136:
y extracting the images from each o
Page 137 and 138:
Subrecord header: 4 bytes - Subreco
Page 139 and 140:
00000100 FF D8FF E000 104A 46 49 46
Page 141 and 142:
The following two subrecords show t
Page 143 and 144:
to a variety of locations on the st
Page 145 and 146:
storage device to the User’s “M
Page 147 and 148:
cache it was noted that the subreco
Page 149 and 150:
and network places. As these items
Page 151 and 152:
modified, saved and closed. The thu
Page 153 and 154:
It is also interesting to note that
Page 155 and 156:
main and external storage devices.
Page 157 and 158:
can identify when the icons appeare
Page 159 and 160:
Figure 6-11: An example contents fr
Page 161 and 162:
Experiment 3: Experiments 1 and 2 w
Page 163 and 164:
which have a relationship with the
Page 165 and 166:
Like the visual inspection by an an
Page 167 and 168:
In each experiment a single variabl
Page 169 and 170:
this experiment have shown that the
Page 171 and 172:
Figure 6-17: The use of media thumb
Page 173 and 174:
have occurred; it could also determ
Page 175 and 176:
cache artefacts can be corroborated
Page 177 and 178:
7 Identification of thumbnail cache
Page 179 and 180:
a file from a storage device based
Page 181 and 182:
If potential evidence is identified
Page 183 and 184:
or more fragments, showing that fra
Page 185 and 186:
adjusting weights, techniques such
Page 187 and 188:
esearch in this Chapter is provided
Page 189 and 190:
7.5.2 File Fragment Classification
Page 191 and 192:
as 4096 bytes. The cluster size sel
Page 193 and 194:
Table 7-2: Breakdown of potentially
Page 195 and 196:
7.6 Brute Force Approach This appro
Page 197 and 198:
7.7 Structural and Syntactical Appr
Page 199 and 200:
((X * 2^32) + Y) Mod Z = Position i
Page 201 and 202:
The cases are checked in order from
Page 203 and 204:
to show they belong to a PNG file;
Page 205 and 206:
parents; in this case Z would repre
Page 207 and 208:
Figure 7-5: Bayesian Network for H6
Page 209 and 210:
Actual Fragment Types(Percentage) A
Page 211 and 212:
Actual Fragment Type(Percentage) Ac
Page 213 and 214:
Actual Fragment Type(Percentage) Ta
Page 215 and 216:
Actual Fragment Type(Percentage) Ac
Page 217 and 218:
Table 7-20: Percentage Success and
Page 219 and 220:
information available about single
Page 221 and 222:
hybrid approach may improve the acc
Page 223 and 224:
8 The creation of a Hybrid Identifi
Page 225 and 226:
and had a high number of false posi
Page 227 and 228:
8.3 Methodology The problem definit
Page 229 and 230:
A bit pattern matching technique pr
Page 231 and 232:
Figure 8-2: Single byte frequencies
Page 233 and 234:
check for each potential fragment.
Page 235 and 236:
The results of the H3 identificatio
Page 237 and 238:
8.6.1 Stage 1: Preliminary Checks E
Page 239 and 240:
the checks used in Section 7.7.2 ar
Page 241 and 242:
8.6.6 Stage 6: H5 Validation Checks
Page 243 and 244:
Actual Fragment Type (Percentage) T
Page 245 and 246:
Actual Fragment Type (Percentage) T
Page 247 and 248:
same affect on other data sets. The
Page 249:
The hybrid method was also tested a
Page 252 and 253:
eassembly is more likely when there
Page 254 and 255:
creation of a file fragment reassem
Page 256 and 257:
caches in the file may not be compl
Page 258 and 259:
When reconstructing a jigsaw, gener
Page 260 and 261:
9.4.1 Thumbcache_idx file fragment
Page 262 and 263:
IDX Category_3: Fragment with 127 c
Page 264 and 265:
n. To calculate the asymptotic comp
Page 266 and 267:
9.5 Thumbcache_32, 96, 1024 In Chap
Page 268 and 269:
Store Category_4: Fragment is at th
Page 270 and 271:
If the join is in the middle of a m
Page 272 and 273:
possible combination of fragments a
Page 274 and 275:
On examination of the training set
Page 276 and 277:
9.6.1 Thumbcache_256 file fragment
Page 278 and 279:
9.7.1 Linux thumbnail file fragment
Page 280 and 281:
In the training set there was only
Page 282 and 283:
Table 9-3: Results from reassembly
Page 284 and 285:
makes the method simple to explain
Page 286 and 287:
9.11 Conclusion This chapter has fo
Page 288 and 289:
“Clear documentation is defined a
Page 290 and 291:
As discussed in the previous sectio
Page 292 and 293:
“Maximising corroboration can be
Page 294 and 295:
Table 8.2 shows the improved accura
Page 296 and 297:
fragments of potentially related fi
Page 299 and 300:
11 Discussion 11.1 Introduction The
Page 301 and 302:
evidential artefacts as it has all
Page 303 and 304:
technique; therefore an open questi
Page 305 and 306:
could adapt the use of structural a
Page 307 and 308:
11.7 Generalising the approach to f
Page 309:
into both identification and reasse
Page 312 and 313:
In Chapter 9 methods for reassembli
Page 314 and 315:
information about hiding your actio
Page 317 and 318:
REFERENCES Access Data, 2012. FTK.
Page 319 and 320:
Chow, K. et al., 2007. The Rules of
Page 321 and 322:
Guidance Software, 2011. Encase. Av
Page 323 and 324:
Microsoft, 2007. Fundamental comput
Page 325 and 326:
Ramjohn, M., Landa, J., 2009. Unloc
Page 327:
Zetterstrom, H., 2002. Deleting Sen
Page 331 and 332:
Appendix A Thumbnail Cache File Str
Page 333:
A.2 Linux Thumbnail Cache Structure
Page 336 and 337:
B.4 Fragment contains a Start of Im
Page 338 and 339:
B.12 High text frequency (Ascii) Pr
Page 340 and 341:
B.17 H1 32 byte record structure Fr
Page 342 and 343:
B.20 H4 IDAT marker TEXT marker Asc
Page 344 and 345:
Cranfield University | 324
Page 346 and 347:
Page 348 and 349:
Page 350 and 351:
Page 352 and 353:
Page 354 and 355:
Page 356 and 357:
Page 358 and 359:
Page 360 and 361:
C.2 Morris, S.; Chivers, H.; 2011a.
Page 362 and 363:
Page 364 and 365:
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
Page 372 and 373:
C.3 Morris, S.; Chivers, H.; 2011b.
Page 374 and 375:
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 382 and 383:
Page 384 and 385:
Page 386 and 387:
C.4 Morris, S.; Chivers, H.; 2013.
Page 388 and 389:
Page 390 and 391:
Page 392 and 393:
Page 394 and 395:
show all

SLAMorris Final Thesis After Corrections.pdf - Cranfield University

Create successful ePaper yourself

Delete template?

Save as template?