Audit: Automated Disk Investigation Toolkit
Software tools designed for disk analysis play a critical role today in forensics investigations. However, these digital forensics tools are often difficult to use, usually task specific, and generally require professionally trained users with IT backgrounds. The relevant tools are also often open source, requiring additional technical knowledge and proper configuration. This makes it difficult for investigators without some computer science background to easily conduct the needed disk analysis. In this paper, we present AUDIT, a novel automated disk investigation toolkit that supports investigations conducted by non-expert (in IT and disk technology) and expert investigators. Our proof of concept design and implementation of AUDIT intelligently integrates open source tools and guides non-IT professionals while requiring minimal technical knowledge about the disk structures and file systems of the target disk image.
An Automated Solution to the Multiuser Carved Data Ascription Problem
The article of record as published may be located at http://dx.doi.org/10.1109/TIFS.2010.2060484
This paper presents a novel solution to the problem of determining the ownership of carved information found on disk drives and other storage media that have been used by more than one person. When a computer is subject to forensic examination, information may be found that cannot be readily ascribed to a specific user. Such information is typically not located in a specific file or directory, but is found through file carving, which recovers data from unallocated disk sectors. Because the data is carved, it does not have associated file system metadata, and its owner cannot be readily ascertained. The technique presented in this paper starts by automatically recovering both file system metadata as well as extended metadata embedded in files (for instance, embedded timestamps) directly from a disk image. This metadata is then used to find exemplars and to create a machine learning classifier that can be used to ascertain the likely owner of the carved data. The resulting classifier is well suited for use in a legal setting since the accuracy can be easily verified using cross-validation. Our technique also results in a classifier that is easily validated by manual inspection. We report results of the technique applied to both specific hard drive data created in our laboratory and multiuser drives that we acquired on the secondary market. We also present a tool set that automatically creates the classifier and performs validation.