1,004 research outputs found

    OpenForensics: a digital forensics GPU pattern matching approach for the 21st century

    Pattern matching is a crucial component employed in many digital forensic (DF) analysis techniques, such as file-carving. The capacity of storage available on modern consumer devices has increased substantially in the past century, making pattern matching approaches of current generation DF tools increasingly ineffective in performing timely analyses on data seized in a DF investigation. As pattern matching is a trivially parallelisable problem, general purpose programming on graphic processing units (GPGPU) is a natural fit for this problem. This paper presents a pattern matching framework - OpenForensics - that demonstrates substantial performance improvements from the use of modern parallelisable algorithms and graphic processing units (GPUs) to search for patterns within forensic images and local storage devices

    Identification of Clear Text Data Obfuscated Within Active File Slack

    Obfuscating text on a hard drive can be done by utilizing the slack space of files. Text can be inserted into the area between the end of the file data and the end of the New Technology File System (NTFS) cluster (the smallest drive space allocated to a file) in which the file is stored, so that the data is hidden from traditional methods of viewing. If the hard drive is large, how does a digital forensics expert know where to look to find text that has been obfuscated? Searching through a large hard drive could take up a substantial amount of time that the expert possibly could not justify. If the digital forensics expert lacks the knowledge on how to properly search a hard drive for obfuscated clear text using data carving concepts, how will the obfuscated clear text be located on the drive and identified? To address this, an algorithm was proposed and tested, which resulted in the successful identification of clear text data in slack space with a percentage average of 99.31% identified. This algorithm is a reliable form of slack space analysis which can be used in conjunction with other data extraction methods to see the full scope of evidence on a drive

    An effective and efficient testing methodology for correctness testing for file recovery tools

    We hereby develop an effective and efficient testing methodology for correctness testing for file recovery tools across different file systems. We assume that the tool tester is familiar with the formats of common file types and has the ability to use the tools correctly. Our methodology first derives a testing plan to minimize the number of runs required to identify the differences in tools with respect to correctness. We also present a case study on correctness testing for file carving tools, which allows us to confirm that the number of necessary testing runs is bounded and our results are statistically sound.

    Investigating visualisation techniques for rapid triage of digital forensic evidence

    This study investigates the feasibility of a tool that allows digital forensics (DF) investigators to efficiently triage device datasets during the collection phase of an investigation. This tool utilises data visualisation techniques to display images found in near real-time to the end user. Findings indicate that participants were able to accurately identify contraband material whilst using this tool, however, classification accuracy dropped slightly with larger datasets. Combined with participant feedback, the results show that the proposed triage method is indeed feasible, and this tool provides a solid foundation for the continuation of further work

    Development of a micro-extruder with vibration mode for microencapsulation of human keratinocytes in calcium alginate

    Microencapsulation is a promising technique to form microtissues. The existing cell microencapsulation technologies that involved extrusion and vibration are designed with complex systems and required the use of high energy. A micro-extruder with an inclusion of simple vibrator that has the commercial value for creating a 3D cell model has been developed in this work. This system encapsulates human keratinocytes (HaCaT) in calcium alginate and the size of the microcapsules is controllable in the range of 500-800 µm by varying the flow rates of the extruded solution and frequency of the vibrator motor (10-63 Hz). At 0.13 ml/min of flow rate and vibration rate of 26.4 Hz, approximately 40 ± 10 pieces of the alginate microcapsules in a size 632.14 ± 10.35 µm were produced. Approximately 100 µm suspension of cells at different cells densities of 1.55 x 10^5 cells/ml and 1.37 x 10^7 cells/ml were encapsulated for investigation of microtissues formation. Fourier transform infrared spectroscopy (FTIR) analysis showed the different functional groups and chemistry contents of the calcium alginate with and without the inclusion of HaCaT cells in comparison to the monolayers of HaCaT cells. From Field Emission Scanning Electron Microscope (FESEM) imaging, calcium alginate microcapsules were characterised by spherical shape and homogenous surface morphology. Via the nuclei staining, the distance between cells was found reduced as the incubation period increased. This indicated that the cells merged into microtissues with good cell-cell adhesions. After 15 days of culture, the cells were still viable as indicated by the fluorescence green expression of calcein-acetoxymethyl. Replating experiment indicated that the cells from the microtissues were able to migrate and has the tendency to form monolayer of cells on the culture flask. The system was successfully developed and applied to encapsulate cells to produce 3D microtissues

    Comparison of data recovery techniques on master file table between Aho-Corasick and logical data recovery based on efficiency

    Data recovery is one of the tools used to obtain digital forensics from various storage media that rely entirely on the file system used to organize files in these media. In this paper, two of the latest techniques of file recovery from file system (new technology file system (NTFS)) logical data recovery, Aho-Corasick data recovery were studied, examined and a practical comparison was made between these two techniques according to the speed and accuracy factors using three global datasets. It was noted that all previous studies in this field completely ignored the time criterion despite the importance of this standard. On the other hand, algorithms developed with other algorithms were not compared. The proposed comparison of this paper aims to detect the weaknesses and strength of both algorithms to develop a new algorithm that is more accurate and faster than both algorithms. The paper concluded that the logical algorithm was superior to the Aho-Corasick algorithm according to the speed criterion, whereas the algorithms gave the same results according to the accuracy criterion. The paper leads to a set of suggestions for future research aimed at achieving a highly efficient and high-speed data recovery algorithm such as the file-carving algorithm

    Digital Forensics Tool Selection with Multi-armed Bandit Problem

    Digital forensics investigation is a long and tedious process for an investigator in general. There are many tools that investigators must consider, both proprietary and open source. Forensics investigators must choose the best tool available on the market for their cases to make sure they do not overlook any evidence resides in suspect device within a reasonable time frame. This is however hard decision to make, since learning and testing all available tools make their job only harder. In this project, we define the digital forensics tool selection for a specific investigative task as a multi-armed bandit problem assuming that multiple tools are available for an investigator's use. In addition, we also created set of disk images in order to create a real dataset for experiments. This dataset can be used by digital forensics researchers and tool developers for testing and validation purposes. In this paper, we also simulated multi-armed bandit algorithms to test whether using these algorithms would be more successful than using simple randomization during the tool selection process. Our results show that, bandit based strategies successfully analyzed up to 57% more disk images over 1000 simulations. Finally, we also show that our findings satisfy a high level of statistical confidence. This work will help investigators to spend more time on the analysis of evidence than learning and testing different tools to see which one performs better

    Maintenance management process model for school buildings: an application of IDEF0 modelling methodology

    The lack of a clear understanding of the maintenance management process is one of the major sources of difficulties in the maintenance of school buildings. A clearer understanding of the maintenance management process can be achieved by constructing a process model of the existing practices using a suitable process modelling technique. The purpose of this study was to develop a process model for the management of maintenance of school buildings using the IDEF0 structured modelling technique. The modelling process is divided into three phases, (i) the information gathering phase, (ii) the model development phase and (iii) the experts' evaluation and validation phase. In the first phase, information on existing maintenance practices was obtained through questionnaires and document analysis of policies, standing orders and maintenance reports. In the second phase, a process model was drafted through an iterative process using the IDEF0 process modelling technique. In the third phase, the draft process model was submitted to three experts on maintenance management from the Ministry of Education Malaysia for evaluation and validation. A ready to implement process model for the maintenance management of school buildings was constructed upon validation by the experts