- Page 1:
CRANFIELD UNIVERSITY SARAH LOUISE A
- Page 5 and 6:
ABSTRACT This thesis establishes th
- Page 7 and 8:
ACKNOWLEDGEMENTS “And above all,
- Page 9 and 10:
TABLE OF CONTENTS ABSTRACT ........
- Page 11 and 12:
6 The structure and behaviour of th
- Page 13 and 14:
8.6.1 Stage 1: Preliminary Checks .
- Page 15 and 16:
LIST OF FIGURES Figure 1-1: A breakd
- Page 17 and 18:
LIST OF TABLES Table 5-1: A summary
- Page 21 and 22:
1 Introduction 1.1 Introduction In
- Page 23 and 24:
potential difficulty is the identif
- Page 25 and 26:
This is followed by a structural an
- Page 27 and 28:
Chapter 6 describes the structure a
- Page 29 and 30:
Chapter 11 evaluates the methodolog
- Page 31 and 32:
2 Related Research 2.1 Introduction
- Page 33 and 34:
Generally individuals, including so
- Page 35 and 36:
thought to be a disciplinary offenc
- Page 37 and 38: 2.2.2 Tools used in Forensic Comput
- Page 39 and 40: structure and behaviour. Winhex pro
- Page 41 and 42: with it are important aspects of an
- Page 43 and 44: An important question for each arte
- Page 45 and 46: For this research it is necessary t
- Page 47 and 48: 2007], which assist in building eve
- Page 49 and 50: and therefore he did not have priva
- Page 51 and 52: data may be affected by the behavio
- Page 53 and 54: thumbnail cache is implemented in f
- Page 55 and 56: available for office documents; the
- Page 57 and 58: future. It is possible to establish
- Page 59: structure and syntax the user and s
- Page 62 and 63: Identify existing file carving tech
- Page 64 and 65: throughout this research. Within th
- Page 66 and 67: corroborate the results. Time const
- Page 68 and 69: 4.2.1 Legal Constraints The law can
- Page 70 and 71: to the evidence and to ensure any a
- Page 72 and 73: To ensure the evidence is accurate
- Page 74 and 75: evidence being extracted is crucial
- Page 76 and 77: analyse human behaviour, it can sti
- Page 78 and 79: 4.3 Criteria for evaluating the evi
- Page 80 and 81: In order to determine an artefact w
- Page 83 and 84: 5 The Structure and Behaviour of th
- Page 85 and 86: the way data changes. The experimen
- Page 87: 5.4 Default Installations This sect
- Page 91 and 92: these can be identified by the addi
- Page 93 and 94: The tEXt chunks contain the metadat
- Page 95 and 96: holds information about sample dept
- Page 97 and 98: Start of tEXt Chunk This tEXt chunk
- Page 99 and 100: 00 00 00 2074 45 58 7453 6F 66 74 @
- Page 101 and 102: order to establish if the software
- Page 103 and 104: Each piece of software installed by
- Page 105 and 106: which is present in the subrecords
- Page 107 and 108: 5.6.2 The modification of subrecord
- Page 109 and 110: ascertain if unused subrecords woul
- Page 111 and 112: in thumbnail view. This shows that
- Page 113 and 114: 5.9.1 Metadata There are three dist
- Page 115 and 116: only information which does not con
- Page 117 and 118: information in the .thumbnails cach
- Page 119 and 120: uses substantially more checks whic
- Page 121 and 122: any manipulation to appear as stand
- Page 123: highlighting the need for understan
- Page 126 and 127: elationship between information con
- Page 128 and 129: document the state of a default Win
- Page 130 and 131: Figure 6-1: Directory structure for
- Page 132 and 133: Clone 1-8: Directories at level 0 w
- Page 134 and 135: Figure 6-2: The centralised thumbna
- Page 136 and 137: Start of Record 87 F7 6A 62 4B 7B C
- Page 138 and 139:
Start of standard thumbnail cache s
- Page 140 and 141:
Start of subrecord 14F8CE010 43 4D
- Page 142 and 143:
6.5 Identifying the behaviour The t
- Page 144 and 145:
greater than the maximum size image
- Page 146 and 147:
experiment was repeated with a non-
- Page 148 and 149:
to be shown [Douglas, 2009]. Figure
- Page 150 and 151:
6.5.1.2 Circumstances where informa
- Page 152 and 153:
thumbnail cache based solely upon t
- Page 154 and 155:
the cache to remove inactive record
- Page 156 and 157:
6.6.1 Windows.edb The database for
- Page 158 and 159:
Figure 6-10: Identifying the Defaul
- Page 160 and 161:
thumbnail view for 30 seconds. Upon
- Page 162 and 163:
checks are performed on the associa
- Page 164 and 165:
showing a relationship between info
- Page 166 and 167:
The type of a file can be identifie
- Page 168 and 169:
The event timeline created could th
- Page 170 and 171:
6.9.2 Media thumbnails In Windows 7
- Page 172 and 173:
the provenance of artefacts. This i
- Page 174 and 175:
6.10.2 Interpretation of Results An
- Page 176 and 177:
however it is still possible to tam
- Page 178 and 179:
implementations of the thumbnail ca
- Page 180 and 181:
valid results only when the file is
- Page 182 and 183:
7.3.1 Statistical Methods If docume
- Page 184 and 185:
ate for HTML and JPEG files [Veenma
- Page 186 and 187:
Having described current methods fo
- Page 188 and 189:
previous experiments or downloaded
- Page 190 and 191:
L2: The fragment is part of a visua
- Page 192 and 193:
Table 7-1: Breakdown of file fragme
- Page 194 and 195:
approximately half the data in Data
- Page 196 and 197:
Table 7-3: A list of thumbnail cach
- Page 198 and 199:
Figure 7-2: Classifications for thu
- Page 200 and 201:
7.7.2 H2 For the identification of
- Page 202 and 203:
Relative offset: 48 0B 09 0C 11 0F
- Page 204 and 205:
The Bayesian Network takes into acc
- Page 206 and 207:
Figure 7-3: Bayesian network for H1
- Page 208 and 209:
Actual Fragment Type(Percentage) 7.
- Page 210 and 211:
Actual Fragment Type(Percentage) Ta
- Page 212 and 213:
Actual Fragment Type(Percentage) Ta
- Page 214 and 215:
Actual Fragment Type(Percentage) Ta
- Page 216 and 217:
Table 7-19: Method 4 Results for th
- Page 218 and 219:
more suited to pattern recognition
- Page 220 and 221:
and 2. This is possible because the
- Page 222 and 223:
This chapter has successfully ident
- Page 224 and 225:
8.2 Problem Definition In the intro
- Page 226 and 227:
information to examine at the end o
- Page 228 and 229:
files is described on the Joint Pho
- Page 230 and 231:
were not from thumbnail cache files
- Page 232 and 233:
In order to identify potential H3 f
- Page 234 and 235:
Actual Fragment Type (Percentage) p
- Page 236 and 237:
Figure 8-3: A summary of the hybrid
- Page 238 and 239:
cache file fragments. The headers i
- Page 240 and 241:
follow the standard PNG specificati
- Page 242 and 243:
then be viewed by an analyst and us
- Page 244 and 245:
Actual Fragment Type (Percentage) T
- Page 246 and 247:
8.8 Discussion The end aim of Chapt
- Page 248 and 249:
identification method into stages l
- Page 251 and 252:
9 Thumbnail cache fragment reassemb
- Page 253 and 254:
Once the fragments have been identi
- Page 255 and 256:
9.3.2 Logging In order to maintain
- Page 257 and 258:
H1:Thumbcache_idx.db file H2: Image
- Page 259 and 260:
Therefore this research assumes tha
- Page 261 and 262:
ecords and 2 partial records. The n
- Page 263 and 264:
equirement for generating table siz
- Page 265 and 266:
100% success rate, with 0% false po
- Page 267 and 268:
then stored and marked as a complet
- Page 269 and 270:
Once a start of file fragment has b
- Page 271 and 272:
number of fragments which contain o
- Page 273 and 274:
Figure 9-7: Reassembling an image b
- Page 275 and 276:
As the number of fragments being an
- Page 277 and 278:
file fragment identification on sto
- Page 279 and 280:
Linux Category_4: The last fragment
- Page 281 and 282:
Table 9-1: Results from reassembly
- Page 283 and 284:
activity. All the non-standard subr
- Page 285 and 286:
which substantially reduces the inf
- Page 287 and 288:
10 Establishing the evidential valu
- Page 289 and 290:
The thumbnail cache artefact extrac
- Page 291 and 292:
and 6. Each stage of the method has
- Page 293 and 294:
adapted to extract artefact from ot
- Page 295 and 296:
10.7 Discussion Both live system an
- Page 297:
10.8 Conclusion This chapter evalua
- Page 300 and 301:
Figure 11-1: A breakdown of aim of
- Page 302 and 303:
analysing the file type it is possi
- Page 304 and 305:
singular file fragment; by combinin
- Page 306 and 307:
processing time of the reassembly m
- Page 308 and 309:
In Chapter 9.5 a decision was taken
- Page 311 and 312:
12 Conclusions and future work 12.1
- Page 313 and 314:
potential for improving the identif
- Page 315:
installations of the operating syst
- Page 318 and 319:
Carnagey, N.L., Anderson, C.A. & Bu
- Page 320 and 321:
Facebook, 2013. Facebook. Available
- Page 322 and 323:
Helix, 2011. Helix. Available at: h
- Page 324 and 325:
Noblett, M., Pollitt, M., Presley,
- Page 326 and 327:
Stone-kaplan, K., Roter, M., 2003.
- Page 329:
APPENDICES Cranfield University | 3
- Page 332 and 333:
A.1.3 Image File Header typedefstru
- Page 335 and 336:
Appendix B Bayesian probability tab
- Page 337 and 338:
B.8 Fragment contains the ASCII str
- Page 339 and 340:
B.15 32 byte record structure SR po
- Page 341 and 342:
B.19 H3 Each byte frequency is less
- Page 343 and 344:
B.21 H5 Stored in valid PNG chunks
- Page 345 and 346:
Appendix C Peer Reviewed Publicatio
- Page 347 and 348:
Cranfield University | 327