SLAMorris Final Thesis After Corrections.pdf - Cranfield University

More documents

Recommendations

Info

7.3.1 Statistical Methods If document fragments can be identified as belonging to the same file it is possible to reassemble them using statistical modelling based upon the expected context of the file [Shanmugasundaram, 2003]. The fragments are added to a graph with the probability of adjacency to other fragments being calculated and used as weights; the reassembled document is therefore equivalent to picking the sequence of fragments with the highest probability of being a structurally and syntactically valid file. Currently this is possible only for files where all the fragments are available, making it useful in cases where the directory structure is missing, but would not provide assistance reassembling incomplete files. This algorithm can currently only find a solution when it is given an input that consists solely of fragments from the file to be reassembled [Memon, 2006]; it is unclear how fragments could be sorted into individual files during an investigation to provide the necessary input. This research was conducted by looking at a variety of file types including logs and binary files. This implied the authors wanted to determine the effects of carving multiple file types that may be relevant to an investigation rather than just focusing on a specific structure such as OLE2 or jpeg. Fragmentation of a file occurs when it is not possible to store the file in contiguous sectors, such as when storing a large file. A fragment may be part of a fragmented file or as little as a single cluster recovered from unallocated space. Research has suggested that file fragmentation is not present on all drives that an analyst would come across [Garfinkel, 2007]; this is in line with the fact that different users have different needs from their computers and are therefore likely to store varying amounts of information. Garfinkel [2007] collected a series of hard drives from places such as eBay and whilst examining them found that from the 51 NTFS file systems he examined approximately 12.2% of files were in at least 2 fragments, with 6.6% being in 5 Page 162
or more fragments, showing that fragmentation is likely to be encountered on NTFS systems, this is in contrast to FAT systems where almost 97% of files were found to be contiguous. Approximately 44% of the total drives in the corpus contained no fragmented files, however the total number of files found from these drives accounted for less than 1% of the files recovered from the entire corpus, suggesting the more files found on the drive the greater the chance of fragmentation occurring. Garfinkel [2007] makes an interesting statement when he discusses the probability of encountering fragmentation is related to the individual type of the file; user generated files such as word documents were found to have higher fragmentation rates, possibly due to the tendency to work on such files over a prolonged period. These results show that whilst tools such as Disk Defragmenter exist it is still likely an analyst will find fragmented user files on the disk. This suggests that the file types an analyst is likely to be interested in are those most at risk of fragmentation; this suggests that fragmented file carving may be necessary to recover relevant artefacts. Since this study was conducted, the use of computers has altered; users are now storing vast quantities of media such as music and videos on their machines. The media can take up a significant amount of space; whilst the size of storage media is also increasing, the large volume of data being stored still suggests a greater chance of encountering fragmented files. Since the thumbnail cache stores information relating to user files, it is likely to become fragmented if enough user files are added that generate thumbnail cache content. This is particularly likely if the additions are done over a prolonged period as the additional clusters required to store the new subrecords may not be available contiguously on the storage media. Fragments can be classified based on pattern recognition statistics; a prototypic histogram is used in a supervised learning environment to attempt to model file types, and research has shown this to be reasonably successful with a low error Page 163
Page 1:
CRANFIELD UNIVERSITY SARAH LOUISE A
Page 5 and 6:
ABSTRACT This thesis establishes th
Page 7 and 8:
ACKNOWLEDGEMENTS “And above all,
Page 9 and 10:
TABLE OF CONTENTS ABSTRACT ........
Page 11 and 12:
6 The structure and behaviour of th
Page 13 and 14:
8.6.1 Stage 1: Preliminary Checks .
Page 15 and 16:
LIST OF FIGURES Figure 1-1:A breakd
Page 17 and 18:
LIST OF TABLES Table 5-1: A summary
Page 21 and 22:
1 Introduction 1.1 Introduction In
Page 23 and 24:
potential difficulty is the identif
Page 25 and 26:
This is followed by a structural an
Page 27 and 28:
Chapter 6 describes the structure a
Page 29 and 30:
Chapter 11 evaluates the methodolog
Page 31 and 32:
2 Related Research 2.1 Introduction
Page 33 and 34:
Generally individuals, including so
Page 35 and 36:
thought to be a disciplinary offenc
Page 37 and 38:
2.2.2 Tools used in Forensic Comput
Page 39 and 40:
structure and behaviour. Winhex pro
Page 41 and 42:
with it are important aspects of an
Page 43 and 44:
An important question for each arte
Page 45 and 46:
For this research it is necessary t
Page 47 and 48:
2007], which assist in building eve
Page 49 and 50:
and therefore he did not have priva
Page 51 and 52:
data may be affected by the behavio
Page 53 and 54:
thumbnail cache is implemented in f
Page 55 and 56:
available for office documents; the
Page 57 and 58:
future. It is possible to establish
Page 59:
structure and syntax the user and s
Page 62 and 63:
Identify existing file carving tech
Page 64 and 65:
throughout this research. Within th
Page 66 and 67:
corroborate the results. Time const
Page 68 and 69:
4.2.1 Legal Constraints The law can
Page 70 and 71:
to the evidence and to ensure any a
Page 72 and 73:
To ensure the evidence is accurate
Page 74 and 75:
evidence being extracted is crucial
Page 76 and 77:
analyse human behaviour, it can sti
Page 78 and 79:
4.3 Criteria for evaluating the evi
Page 80 and 81:
In order to determine an artefact w
Page 83 and 84:
5 The Structure and Behaviour of th
Page 85 and 86:
the way data changes. The experimen
Page 87 and 88:
5.4 Default Installations This sect
Page 89 and 90:
Figure 5-3: The structure of thumbn
Page 91 and 92:
these can be identified by the addi
Page 93 and 94:
The tEXt chunks contain the metadat
Page 95 and 96:
holds information about sample dept
Page 97 and 98:
Start of tEXt Chunk This tEXt chunk
Page 99 and 100:
00 00 00 2074 45 58 7453 6F 66 74 @
Page 101 and 102:
order to establish if the software
Page 103 and 104:
Each piece of software installed by
Page 105 and 106:
which is present in the subrecords
Page 107 and 108:
5.6.2 The modification of subrecord
Page 109 and 110:
ascertain if unused subrecords woul
Page 111 and 112:
in thumbnail view. This shows that
Page 113 and 114:
5.9.1 Metadata There are three dist
Page 115 and 116:
only information which does not con
Page 117 and 118:
information in the .thumbnails cach
Page 119 and 120:
uses substantially more checks whic
Page 121 and 122:
any manipulation to appear as stand
Page 123:
highlighting the need for understan
Page 126 and 127:
elationship between information con
Page 128 and 129:
document the state of a default Win
Page 130 and 131:
Figure 6-1: Directory structure for
Page 132 and 133: Clone 1-8: Directories at level 0 w
Page 134 and 135: Figure 6-2: The centralised thumbna
Page 136 and 137: Start of Record 87 F7 6A 62 4B 7B C
Page 138 and 139: Start of standard thumbnail cache s
Page 140 and 141: Start of subrecord 14F8CE010 43 4D
Page 142 and 143: 6.5 Identifying the behaviour The t
Page 144 and 145: greater than the maximum size image
Page 146 and 147: experiment was repeated with a non-
Page 148 and 149: to be shown [Douglas, 2009].Figure
Page 150 and 151: 6.5.1.2 Circumstances where informa
Page 152 and 153: thumbnail cache based solely upon t
Page 154 and 155: the cache to remove inactive record
Page 156 and 157: 6.6.1 Windows.edb The database for
Page 158 and 159: Figure 6-10: Identifying the Defaul
Page 160 and 161: thumbnail view for 30 seconds. Upon
Page 162 and 163: checks are performed on the associa
Page 164 and 165: showing a relationship between info
Page 166 and 167: The type of a file can be identifie
Page 168 and 169: The event timeline created could th
Page 170 and 171: 6.9.2 Media thumbnails In Windows 7
Page 172 and 173: the provenance of artefacts. This i
Page 174 and 175: 6.10.2 Interpretation of Results An
Page 176 and 177: however it is still possible to tam
Page 178 and 179: implementations of the thumbnail ca
Page 180 and 181: valid results only when the file is
Page 184 and 185: ate for HTML and JPEG files [Veenma
Page 186 and 187: Having described current methods fo
Page 188 and 189: previous experiments or downloaded
Page 190 and 191: L2: The fragment is part of a visua
Page 192 and 193: Table 7-1: Breakdown of file fragme
Page 194 and 195: approximately half the data in Data
Page 196 and 197: Table 7-3: A list of thumbnail cach
Page 198 and 199: Figure 7-2: Classifications for thu
Page 200 and 201: 7.7.2 H2 For the identification of
Page 202 and 203: Relative offset: 48 0B 09 0C 11 0F
Page 204 and 205: The Bayesian Network takes into acc
Page 206 and 207: Figure 7-3: Bayesian network for H1
Page 208 and 209: Actual Fragment Type(Percentage) 7.
Page 210 and 211: Actual Fragment Type(Percentage) Ta
Page 216 and 217: Table 7-19: Method 4 Results for th
Page 218 and 219: more suited to pattern recognition
Page 220 and 221: and 2. This is possible because the
Page 222 and 223: This chapter has successfully ident
Page 224 and 225: 8.2 Problem Definition In the intro
Page 226 and 227: information to examine at the end o
Page 228 and 229: files is described on the Joint Pho
Page 230 and 231: were not from thumbnail cache files
Page 232 and 233:
In order to identify potential H3 f
Page 234 and 235:
Actual Fragment Type (Percentage) p
Page 236 and 237:
Figure 8-3: A summary of the hybrid
Page 238 and 239:
cache file fragments. The headers i
Page 240 and 241:
follow the standard PNG specificati
Page 242 and 243:
then be viewed by an analyst and us
Page 244 and 245:
Actual Fragment Type (Percentage) T
Page 246 and 247:
8.8 Discussion The end aim of Chapt
Page 248 and 249:
identification method into stages l
Page 251 and 252:
9 Thumbnail cache fragment reassemb
Page 253 and 254:
Once the fragments have been identi
Page 255 and 256:
9.3.2 Logging In order to maintain
Page 257 and 258:
H1:Thumbcache_idx.db file H2: Image
Page 259 and 260:
Therefore this research assumes tha
Page 261 and 262:
ecords and 2 partial records. The n
Page 263 and 264:
equirement for generating table siz
Page 265 and 266:
100% success rate, with 0% false po
Page 267 and 268:
then stored and marked as a complet
Page 269 and 270:
Once a start of file fragment has b
Page 271 and 272:
number of fragments which contain o
Page 273 and 274:
Figure 9-7: Reassembling an image b
Page 275 and 276:
As the number of fragments being an
Page 277 and 278:
file fragment identification on sto
Page 279 and 280:
Linux Category_4: The last fragment
Page 281 and 282:
Table 9-1: Results from reassembly
Page 283 and 284:
activity. All the non-standard subr
Page 285 and 286:
which substantially reduces the inf
Page 287 and 288:
10 Establishing the evidential valu
Page 289 and 290:
The thumbnail cache artefact extrac
Page 291 and 292:
and 6. Each stage of the method has
Page 293 and 294:
adapted to extract artefact from ot
Page 295 and 296:
10.7 Discussion Both live system an
Page 297:
10.8 Conclusion This chapter evalua
Page 300 and 301:
Figure 11-1: A breakdown of aim of
Page 302 and 303:
analysing the file type it is possi
Page 304 and 305:
singular file fragment; by combinin
Page 306 and 307:
processing time of the reassembly m
Page 308 and 309:
In Chapter 9.5 a decision was taken
Page 311 and 312:
12 Conclusions and future work 12.1
Page 313 and 314:
potential for improving the identif
Page 315:
installations of the operating syst
Page 318 and 319:
Carnagey, N.L., Anderson, C.A. & Bu
Page 320 and 321:
Facebook, 2013. Facebook. Available
Page 322 and 323:
Helix, 2011. Helix. Available at: h
Page 324 and 325:
Noblett, M., Pollitt, M., Presley,
Page 326 and 327:
Stone-kaplan, K., Roter, M., 2003.
Page 329:
APPENDICES Cranfield University | 3
Page 332 and 333:
A.1.3 Image File Header typedefstru
Page 335 and 336:
Appendix B Bayesian probability tab
Page 337 and 338:
B.8 Fragment contains the ASCII str
Page 339 and 340:
B.15 32 byte record structure SR po
Page 341 and 342:
B.19 H3 Each byte frequency is less
Page 343 and 344:
B.21 H5 Stored in valid PNG chunks
Page 345 and 346:
Appendix C Peer Reviewed Publicatio
Page 347 and 348:
Cranfield University | 327
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
Page 369 and 370:
Page 371 and 372:
Page 373 and 374:
Page 375 and 376:
Page 377 and 378:
Page 379 and 380:
Page 381 and 382:
Page 383 and 384:
Page 385 and 386:
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395:
show all

SLAMorris Final Thesis After Corrections.pdf - Cranfield University

Create successful ePaper yourself

Delete template?

Save as template?