- Page 1:
CRANFIELD UNIVERSITY SARAH LOUISE A
- Page 5 and 6:
ABSTRACT This thesis establishes th
- Page 7 and 8:
ACKNOWLEDGEMENTS “And above all,
- Page 9 and 10:
TABLE OF CONTENTS ABSTRACT ........
- Page 11 and 12:
6 The structure and behaviour of th
- Page 13 and 14:
8.6.1 Stage 1: Preliminary Checks .
- Page 15 and 16:
LIST OF FIGURES Figure 1-1: A breakd
- Page 17 and 18:
LIST OF TABLES Table 5-1: A summary
- Page 21 and 22:
1 Introduction 1.1 Introduction In
- Page 23 and 24:
potential difficulty is the identif
- Page 25 and 26:
This is followed by a structural an
- Page 27 and 28:
Chapter 6 describes the structure a
- Page 29 and 30:
Chapter 11 evaluates the methodolog
- Page 31 and 32:
2 Related Research 2.1 Introduction
- Page 33 and 34:
Generally individuals, including so
- Page 35 and 36:
thought to be a disciplinary offenc
- Page 37 and 38:
2.2.2 Tools used in Forensic Comput
- Page 39 and 40:
structure and behaviour. Winhex pro
- Page 41 and 42:
with it are important aspects of an
- Page 43 and 44:
An important question for each arte
- Page 45 and 46:
For this research it is necessary t
- Page 47 and 48:
2007], which assist in building eve
- Page 49 and 50:
and therefore he did not have priva
- Page 51 and 52:
data may be affected by the behavio
- Page 53 and 54:
thumbnail cache is implemented in f
- Page 55 and 56:
available for office documents; the
- Page 57 and 58:
future. It is possible to establish
- Page 59:
structure and syntax the user and s
- Page 62 and 63:
Identify existing file carving tech
- Page 64 and 65:
throughout this research. Within th
- Page 66 and 67:
corroborate the results. Time const
- Page 68 and 69:
4.2.1 Legal Constraints The law can
- Page 70 and 71:
to the evidence and to ensure any a
- Page 72 and 73:
To ensure the evidence is accurate
- Page 74 and 75:
evidence being extracted is crucial
- Page 76 and 77:
analyse human behaviour, it can sti
- Page 78 and 79:
4.3 Criteria for evaluating the evi
- Page 80 and 81:
In order to determine an artefact w
- Page 83 and 84:
5 The Structure and Behaviour of th
- Page 85 and 86:
the way data changes. The experimen
- Page 87 and 88:
5.4 Default Installations This sect
- Page 89 and 90:
Figure 5-3: The structure of thumbn
- Page 91 and 92:
these can be identified by the addi
- Page 93 and 94:
The tEXt chunks contain the metadat
- Page 95 and 96:
holds information about sample dept
- Page 97 and 98:
Start of tEXt Chunk This tEXt chunk
- Page 99 and 100:
00 00 00 20 74 45 58 74 53 6F 66 74 @
- Page 101 and 102:
order to establish if the software
- Page 103 and 104:
Each piece of software installed by
- Page 105 and 106:
which is present in the subrecords
- Page 107 and 108:
5.6.2 The modification of subrecord
- Page 109 and 110:
ascertain if unused subrecords woul
- Page 111 and 112:
in thumbnail view. This shows that
- Page 113 and 114:
5.9.1 Metadata There are three dist
- Page 115 and 116:
only information which does not con
- Page 117 and 118:
information in the .thumbnails cach
- Page 119 and 120:
uses substantially more checks whic
- Page 121 and 122:
any manipulation to appear as stand
- Page 123:
highlighting the need for understan
- Page 126 and 127:
elationship between information con
- Page 128 and 129:
document the state of a default Win
- Page 130 and 131:
Figure 6-1: Directory structure for
- Page 132 and 133:
Clone 1-8: Directories at level 0 w
- Page 134 and 135:
Figure 6-2: The centralised thumbna
- Page 136 and 137:
Start of Record 87 F7 6A 62 4B 7B C
- Page 138 and 139:
Start of standard thumbnail cache s
- Page 140 and 141:
Start of subrecord 14F8CE010 43 4D
- Page 142 and 143:
6.5 Identifying the behaviour The t
- Page 144 and 145:
greater than the maximum size image
- Page 146 and 147:
experiment was repeated with a non-
- Page 148 and 149:
to be shown [Douglas, 2009]. Figure
- Page 150 and 151:
6.5.1.2 Circumstances where informa
- Page 152 and 153:
thumbnail cache based solely upon t
- Page 154 and 155:
the cache to remove inactive record
- Page 156 and 157:
6.6.1 Windows.edb The database for
- Page 158 and 159:
Figure 6-10: Identifying the Defaul
- Page 160 and 161:
thumbnail view for 30 seconds. Upon
- Page 162 and 163:
checks are performed on the associa
- Page 164 and 165:
showing a relationship between info
- Page 166 and 167:
The type of a file can be identifie
- Page 168 and 169:
The event timeline created could th
- Page 170 and 171:
6.9.2 Media thumbnails In Windows 7
- Page 172 and 173:
the provenance of artefacts. This i
- Page 174 and 175:
6.10.2 Interpretation of Results An
- Page 176 and 177:
however it is still possible to tam
- Page 178 and 179:
implementations of the thumbnail ca
- Page 180 and 181:
valid results only when the file is
- Page 182 and 183:
7.3.1 Statistical Methods If docume
- Page 184 and 185:
ate for HTML and JPEG files [Veenma
- Page 186 and 187:
Having described current methods fo
- Page 188 and 189:
previous experiments or downloaded
- Page 190 and 191:
L2: The fragment is part of a visua
- Page 192 and 193:
Table 7-1: Breakdown of file fragme
- Page 194 and 195:
approximately half the data in Data
- Page 196 and 197:
Table 7-3: A list of thumbnail cach
- Page 198 and 199:
Figure 7-2: Classifications for thu
- Page 200 and 201:
7.7.2 H2 For the identification of
- Page 202 and 203:
Relative offset: 48 0B 09 0C 11 0F
- Page 204 and 205:
The Bayesian Network takes into acc
- Page 206 and 207:
Figure 7-3: Bayesian network for H1
- Page 208 and 209:
Actual Fragment Type (Percentage) 7.
- Page 210 and 211:
Actual Fragment Type (Percentage) Ta
- Page 212 and 213:
Actual Fragment Type (Percentage) Ta
- Page 214 and 215:
Actual Fragment Type (Percentage) Ta
- Page 216 and 217:
Table 7-19: Method 4 Results for th
- Page 218 and 219:
more suited to pattern recognition
- Page 220 and 221:
and 2. This is possible because the
- Page 222 and 223:
This chapter has successfully ident
- Page 224 and 225:
8.2 Problem Definition In the intro
- Page 226 and 227:
information to examine at the end o
- Page 228 and 229:
files is described on the Joint Pho
- Page 230 and 231:
were not from thumbnail cache files
- Page 232 and 233:
In order to identify potential H3 f
- Page 234 and 235:
Actual Fragment Type (Percentage) p
- Page 236 and 237:
Figure 8-3: A summary of the hybrid
- Page 238 and 239:
cache file fragments. The headers i
- Page 240 and 241:
follow the standard PNG specificati
- Page 242 and 243:
then be viewed by an analyst and us
- Page 244 and 245:
Actual Fragment Type (Percentage) T
- Page 246 and 247:
8.8 Discussion The end aim of Chapt
- Page 248 and 249:
identification method into stages l
- Page 251 and 252:
9 Thumbnail cache fragment reassemb
- Page 253 and 254:
Once the fragments have been identi
- Page 255 and 256:
9.3.2 Logging In order to maintain
- Page 257 and 258:
H1: Thumbcache_idx.db file H2: Image
- Page 259 and 260:
Therefore this research assumes tha
- Page 261 and 262:
ecords and 2 partial records. The n
- Page 263 and 264:
equirement for generating table siz
- Page 265 and 266:
100% success rate, with 0% false po
- Page 267 and 268:
then stored and marked as a complet
- Page 269 and 270:
Once a start of file fragment has b
- Page 271 and 272:
number of fragments which contain o
- Page 273 and 274:
Figure 9-7: Reassembling an image b
- Page 275 and 276:
As the number of fragments being an
- Page 277 and 278:
file fragment identification on sto
- Page 279 and 280:
Linux Category_4: The last fragment
- Page 281 and 282:
Table 9-1: Results from reassembly
- Page 283 and 284:
activity. All the non-standard subr
- Page 285 and 286:
which substantially reduces the inf
- Page 287 and 288:
10 Establishing the evidential valu
- Page 289 and 290:
The thumbnail cache artefact extrac
- Page 291 and 292:
and 6. Each stage of the method has
- Page 293 and 294: adapted to extract artefact from ot
- Page 295 and 296: 10.7 Discussion Both live system an
- Page 297: 10.8 Conclusion This chapter evalua
- Page 300 and 301: Figure 11-1: A breakdown of aim of
- Page 302 and 303: analysing the file type it is possi
- Page 304 and 305: singular file fragment; by combinin
- Page 306 and 307: processing time of the reassembly m
- Page 308 and 309: In Chapter 9.5 a decision was taken
- Page 311 and 312: 12 Conclusions and future work 12.1
- Page 313 and 314: potential for improving the identif
- Page 315: installations of the operating syst
- Page 318 and 319: Carnagey, N.L., Anderson, C.A. & Bu
- Page 320 and 321: Facebook, 2013. Facebook. Available
- Page 322 and 323: Helix, 2011. Helix. Available at: h
- Page 324 and 325: Noblett, M., Pollitt, M., Presley,
- Page 326 and 327: Stone-kaplan, K., Roter, M., 2003.
- Page 329: APPENDICES Cranfield University | 3
- Page 332 and 333: A.1.3 Image File Header typedef stru
- Page 335 and 336: Appendix B Bayesian probability tab
- Page 337 and 338: B.8 Fragment contains the ASCII str
- Page 339 and 340: B.15 32 byte record structure SR po
- Page 341 and 342: B.19 H3 Each byte frequency is less
- Page 343: B.21 H5 Stored in valid PNG chunks
- Page 347 and 348: Cranfield University | 327