- Page 1: CRANFIELD UNIVERSITY SARAH LOUISE A
- Page 5 and 6: ABSTRACT This thesis establishes th
- Page 7 and 8: ACKNOWLEDGEMENTS “And above all,
- Page 9 and 10: TABLE OF CONTENTS ABSTRACT ........
- Page 11 and 12: 6 The structure and behaviour of th
- Page 13 and 14: 8.6.1 Stage 1: Preliminary Checks .
- Page 15 and 16: LIST OF FIGURES Figure 1-1:A breakd
- Page 17: LIST OF TABLES Table 5-1: A summary
- Page 22 and 23: 1.2 Justification The thumbnail cac
- Page 24 and 25: 1.5 Methodology This research aims
- Page 26 and 27: implementations of operating system
- Page 28 and 29: chapter evaluates possible image fr
- Page 30 and 31: conducted into establishing relatio
- Page 32 and 33: The definition of Forensic Computin
- Page 34 and 35: 2.2.1 Methodologies A computer can
- Page 36 and 37: each stage. One of the most critica
- Page 38 and 39: obtain and analyse evidence [Helix,
- Page 40 and 41: 2.2.3 Current Opportunities Forensi
- Page 42 and 43: techniques, in order to fully under
- Page 44 and 45: Kerr [2006] identified that an anal
- Page 46 and 47: answer questions such as who, what,
- Page 48 and 49: However whilst this technique curre
- Page 50 and 51: Event reconstruction can be modelle
- Page 52 and 53: makes them difficult to identify, a
- Page 54 and 55: make less conservative judgements a
- Page 56 and 57: investigation is necessary to estab
- Page 58 and 59: Thumbnail caches contain metadata,
- Page 61 and 62: 3 Research Objectives, Consideratio
- Page 63 and 64: The file fragments identified and r
- Page 65 and 66: each experiment to identify structu
- Page 67 and 68: 4 Defining Evidential Value 4.1 Int
- Page 69 and 70: In Jurisprudence, admissibility is
- Page 71 and 72: It has been suggested that to fully
- Page 73 and 74: 4.2.4 Procedural Constraints The pr
- Page 75 and 76: To minimise the possibility of frau
- Page 77 and 78: for their crimes; therefore anti-fo
- Page 79 and 80: A process is defined as having unde
- Page 81: 4.4.2 Legal and ethical constraints
- Page 84 and 85: thumbnail cache responds to artefac
- Page 86 and 87: The thumbnail cache itself is a hid
- Page 88 and 89: 5.5 Identifying the structure This
- Page 90 and 91: Figure 5-4: A figure showing the th
- Page 92 and 93: 5.5.2 The structure of a thumbnail
- Page 94 and 95: Start of IHDR Chunk The IHDR contai
- Page 96 and 97: 00000030 00 00 00 1774 45 58 7454 6
- Page 98 and 99: Start of tEXt Chunk This chunk stor
- Page 100 and 101: Start of IEND Chunk This is a stand
- Page 102 and 103: thumbnail generation; if a director
- Page 104 and 105: The information panel within the fi
- Page 106 and 107: Circumstances where information is
- Page 108 and 109: on the user’s desktop and 5 sub-d
- Page 110 and 111: information relating to the files o
- Page 112 and 113: However, if this ‘tampered’ rec
- Page 114 and 115: 5.9.3 MD5 hashes In the previous se
- Page 116 and 117: 5.10 Audio and Media thumbnails Thi
- Page 118 and 119: 5.2, and 5.5) to replicate the expe
- Page 120 and 121: consequences of the method used. Fo
- Page 122 and 123: In Ubuntu and Kubuntu the thumbnail
- Page 125 and 126: 6 The structure and behaviour of th
- Page 127 and 128: way the data on a storage medium ch
- Page 129 and 130: The six thumbcache files identified
- Page 131 and 132: 10 potential user generated file ty
- Page 133 and 134: The structures were reverse enginee
- Page 135 and 136: y extracting the images from each o
- Page 137 and 138: Subrecord header: 4 bytes - Subreco
- Page 139 and 140: 00000100 FF D8FF E000 104A 46 49 46
- Page 141 and 142: The following two subrecords show t
- Page 143 and 144: to a variety of locations on the st
- Page 145 and 146: storage device to the User’s “M
- Page 147 and 148: cache it was noted that the subreco
- Page 149 and 150: and network places. As these items
- Page 151 and 152: modified, saved and closed. The thu
- Page 153 and 154: It is also interesting to note that
- Page 155 and 156: main and external storage devices.
- Page 157 and 158: can identify when the icons appeare
- Page 159 and 160: Figure 6-11: An example contents fr
- Page 161 and 162: Experiment 3: Experiments 1 and 2 w
- Page 163 and 164: which have a relationship with the
- Page 165 and 166: Like the visual inspection by an an
- Page 167 and 168: In each experiment a single variabl
- Page 169 and 170: this experiment have shown that the
- Page 171 and 172: Figure 6-17: The use of media thumb
- Page 173 and 174: have occurred; it could also determ
- Page 175 and 176: cache artefacts can be corroborated
- Page 177 and 178: 7 Identification of thumbnail cache
- Page 179 and 180: a file from a storage device based
- Page 181 and 182: If potential evidence is identified
- Page 183 and 184: or more fragments, showing that fra
- Page 185 and 186: adjusting weights, techniques such
- Page 187 and 188: esearch in this Chapter is provided
- Page 189 and 190: 7.5.2 File Fragment Classification
- Page 191 and 192: as 4096 bytes. The cluster size sel
- Page 193 and 194: Table 7-2: Breakdown of potentially
- Page 195 and 196: 7.6 Brute Force Approach This appro
- Page 197 and 198: 7.7 Structural and Syntactical Appr
- Page 199 and 200: ((X * 2^32) + Y) Mod Z = Position i
- Page 201 and 202: The cases are checked in order from
- Page 203 and 204: to show they belong to a PNG file;
- Page 205 and 206: parents; in this case Z would repre
- Page 207 and 208: Figure 7-5: Bayesian Network for H6
- Page 209 and 210: Actual Fragment Types(Percentage) A
- Page 211 and 212: Actual Fragment Type(Percentage) Ac
- Page 213 and 214: Actual Fragment Type(Percentage) Ta
- Page 215 and 216: Actual Fragment Type(Percentage) Ac
- Page 217 and 218: Table 7-20: Percentage Success and
- Page 219 and 220: information available about single
- Page 221 and 222: hybrid approach may improve the acc
- Page 223 and 224: 8 The creation of a Hybrid Identifi
- Page 225 and 226: and had a high number of false posi
- Page 227 and 228: 8.3 Methodology The problem definit
- Page 229 and 230: A bit pattern matching technique pr
- Page 231 and 232: Figure 8-2: Single byte frequencies
- Page 233 and 234: check for each potential fragment.
- Page 235 and 236: The results of the H3 identificatio
- Page 237 and 238: 8.6.1 Stage 1: Preliminary Checks E
- Page 239 and 240: the checks used in Section 7.7.2 ar
- Page 241 and 242: 8.6.6 Stage 6: H5 Validation Checks
- Page 243 and 244: Actual Fragment Type (Percentage) T
- Page 245 and 246: Actual Fragment Type (Percentage) T
- Page 247 and 248: same affect on other data sets. The
- Page 249: The hybrid method was also tested a
- Page 252 and 253: eassembly is more likely when there
- Page 254 and 255: creation of a file fragment reassem
- Page 256 and 257: caches in the file may not be compl
- Page 258 and 259: When reconstructing a jigsaw, gener
- Page 260 and 261: 9.4.1 Thumbcache_idx file fragment
- Page 262 and 263: IDX Category_3: Fragment with 127 c
- Page 264 and 265: n. To calculate the asymptotic comp
- Page 266 and 267: 9.5 Thumbcache_32, 96, 1024 In Chap
- Page 268 and 269: Store Category_4: Fragment is at th
- Page 270 and 271: If the join is in the middle of a m
- Page 272 and 273: possible combination of fragments a
- Page 274 and 275: On examination of the training set
- Page 276 and 277: 9.6.1 Thumbcache_256 file fragment
- Page 278 and 279: 9.7.1 Linux thumbnail file fragment
- Page 280 and 281: In the training set there was only
- Page 282 and 283: Table 9-3: Results from reassembly
- Page 284 and 285: makes the method simple to explain
- Page 286 and 287: 9.11 Conclusion This chapter has fo
- Page 288 and 289: “Clear documentation is defined a
- Page 290 and 291: As discussed in the previous sectio
- Page 292 and 293: “Maximising corroboration can be
- Page 294 and 295: Table 8.2 shows the improved accura
- Page 296 and 297: fragments of potentially related fi
- Page 299 and 300: 11 Discussion 11.1 Introduction The
- Page 301 and 302: evidential artefacts as it has all
- Page 303 and 304: technique; therefore an open questi
- Page 305 and 306: could adapt the use of structural a
- Page 307 and 308: 11.7 Generalising the approach to f
- Page 309: into both identification and reasse
- Page 312 and 313: In Chapter 9 methods for reassembli
- Page 314 and 315: information about hiding your actio
- Page 317 and 318: REFERENCES Access Data, 2012. FTK.
- Page 319 and 320: Chow, K. et al., 2007. The Rules of
- Page 321 and 322: Guidance Software, 2011. Encase. Av
- Page 323 and 324: Microsoft, 2007. Fundamental comput
- Page 325 and 326: Ramjohn, M., Landa, J., 2009. Unloc
- Page 327: Zetterstrom, H., 2002. Deleting Sen
- Page 331 and 332: Appendix A Thumbnail Cache File Str
- Page 333: A.2 Linux Thumbnail Cache Structure
- Page 336 and 337: B.4 Fragment contains a Start of Im
- Page 338 and 339: B.12 High text frequency (Ascii) Pr
- Page 340 and 341: B.17 H1 32 byte record structure Fr
- Page 342 and 343: B.20 H4 IDAT marker TEXT marker Asc
- Page 344 and 345: Cranfield University | 324
- Page 360 and 361: C.2 Morris, S.; Chivers, H.; 2011a.
- Page 372 and 373: C.3 Morris, S.; Chivers, H.; 2011b.
- Page 386 and 387: C.4 Morris, S.; Chivers, H.; 2013.