SIFT -- File Fragment Classification Without Metadata

A vital issue of file carving in digital forensics is type classification of file fragments when the filesystem metadata is missing. Over the past decades, there have been several efforts for developing methods to classify file fragments. In this research, a novel sifting approach, named SIFT (Sifting File Types), is proposed. SIFT outperforms the other state-of-the-art techniques by at least 8%. (1) One of the significant differences between SIFT and others is that SIFT uses a single byte as a separate feature, i.e., a total of 256 (0x00 - 0xFF) features. We also call this a lossless feature (information) extraction, i.e., there is no loss of information. (2) The other significant difference is the technique used to estimate inter-Classes and intra-Classes information gain of a feature. Unlike others, SIFT adapts TF-IDF for this purpose, and computes and assigns weight to each byte (feature) in a fragment (sample). With these significant differences and approaches, SIFT produces promising (better) results compared to other works

Identification of fragmented JPEG files in the absence of file systems

Identifying fragmented and deleted files from scattered digital storage become crucial needs in computer forensic. Storage media experience regular space fragmentation which gives direct consequence to the files system series. This paper specifies a case where the jpeg files are heavily fragmented with absent file header which contains maximum information for the stored data can be easily retrieved. The problem is formulated using statistical byte frequency analysis for identifying the group of jpeg file fragments. Several related works have addressed the issue of classifying variety types of file format with high occurrence of being fragmented such as avi, doc, wav file and etc. These files have been tagged as among the larger file format. We provide techniques for identifying the pattern of file fragments distribution and describe roles of selected clustering attributes. Finally, we provide experimental results presenting that the jpeg fragments distribution can be retrieved with quite small gap differences between the groups

Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications

When an application is uninstalled from a computer system, the application\u27s deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application\u27s prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog filesystem changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference

Development of a micro-extruder with vibration mode for microencapsulation of human keratinocytes in calcium alginate

Microencapsulation is a promising technique to form microtissues. The existing cell microencapsulation technologies that involved extrusion and vibration are designed with complex systems and required the use of high energy. A micro-extruder with an inclusion of simple vibrator that has the commercial value for creating a 3D cell model has been developed in this work. This system encapsulates human keratinocytes (HaCaT) in calcium alginate and the size of the microcapsules is controllable in the range of 500-800 µm by varying the flow rates of the extruded solution and frequency of the vibrator motor ( I 0-63 Hz). At 0.13 ml/min of flow rate and vibration rate of 26.4 Hz, approximately 40 ± IO pieces of the alginate microcapsules in a size 632.14 ± I 0.35 µm were produced. Approximately I 00 µm suspension of cells at different cells densities of 1.55 x I 05 cells/ml and 1.37 x I 07 cells/ml were encapsulated for investigation of microtissues formation. Fourier transform infrared spectroscopy (FTIR) analysis showed the different functional groups and chemistry contents of the calcium alginate with and without the inclusion of HaCaT cells in comparison to the monolayers of HaCaT cells. From Field Emission Scanning Electron Microscope (FESEM) imaging, calcium alginate microcapsules were characterised by spherical shape and homogenous surface morphology. Via the nuclei staining, the distance between cells was found reduced as the incubation period increased. This indicated that the cells merged into microtissues with good cell-cell adhesions. After 15 days of culture, the cells were still viable as indicated by the fluorescence green expression of calcein­acetoxymethyl. Replating experiment indicated that the cells from the microtissues were able to migrate and has the tendency to form monolayer of cells on the culture flask. The system was successfully developed and applied to encapsulate cells to produce 3D microtissues

Development of a micro-extruder with vibration mode for microencapsulation of human keratinocytes in calcium alginate

Microencapsulation is a promising technique to form microtissues. The existing cell microencapsulation technologies that involved extrusion and vibration are designed with complex systems and required the use of high energy. A micro-extruder with an inclusion of simple vibrator that has the commercial value for creating a 3D cell model has been developed in this work. This system encapsulates human keratinocytes (HaCaT) in calcium alginate and the size of the microcapsules is controllable in the range of 500-800 µm by varying the flow rates of the extruded solution and frequency of the vibrator motor ( I 0-63 Hz). At 0.13 ml/min of flow rate and vibration rate of 26.4 Hz, approximately 40 ± IO pieces of the alginate microcapsules in a size 632.14 ± I 0.35 µm were produced. Approximately I 00 µm suspension of cells at different cells densities of 1.55 x I 05 cells/ml and 1.37 x I 07 cells/ml were encapsulated for investigation of microtissues formation. Fourier transform infrared spectroscopy (FTIR) analysis showed the different functional groups and chemistry contents of the calcium alginate with and without the inclusion of HaCaT cells in comparison to the monolayers of HaCaT cells. From Field Emission Scanning Electron Microscope (FESEM) imaging, calcium alginate microcapsules were characterised by spherical shape and homogenous surface morphology. Via the nuclei staining, the distance between cells was found reduced as the incubation period increased. This indicated that the cells merged into microtissues with good cell-cell adhesions. After 15 days of culture, the cells were still viable as indicated by the fluorescence green expression of calcein­acetoxymethyl. Replating experiment indicated that the cells from the microtissues were able to migrate and has the tendency to form monolayer of cells on the culture flask. The system was successfully developed and applied to encapsulate cells to produce 3D microtissues

Vulnerability analysis of GPU computing

In the past decade Graphics Processing Units (GPUs) have advanced from simple fixed function graphics accelerators to fully-programmable multi-core architectures capable of supporting thousand of concurrent threads. Their use has spread from the specialized field of graphics into more general processing domains ranging from biomedical imaging to stock market prediction. Despite their increased computational power and range of applications, the security implications of GPUs have not been carefully studied. It has been assumed that the use of a GPU as a coprocessor with physically separate memory space, minimal support for multi-user programming, and limited I/O capability inherently guarantees security. This research challenges this assumption by demonstrating multiple security vulnerabilities in the current GPU computing infrastructure. Specifically, it focuses on the following three areas: 1. Denial-of-Service by overwhelming the capabilities of the GPU so it is unable to provide responsiveness to the host operating system. 2. Information leakage due to the way that modern GPUs fail to randomize pointers and zero out memory. 3. The use of GPUs to assist CPU-resident malware through obfuscation and unpacking or acceleration of computational intensive tasks such as password cracking or encryption. Through the use of WebGL and CUDA, we successfully developed a proof of concept attack for the first two vulnerabilities listed above. For the third, we considered several different types of attacks and their implications. In all cases we also suggest possible security measures to fix these vulnerabilities. While the impact of each of these particular exploits is currently hardware and OS specific, current trends in GPU architecture indicate that these problems are only going to rise in importance going forward

Reassembly and clustering bifragmented intertwined jpeg images using genetic algorithm and extreme learning machine

File carving tools are essential element of digital forensic investigation for recovering evidence data from computer disk drives. Today, JPEG image files are popular file formats that have less structured contents which make its carving possible in the absence of any file system metadata. However, completely recovering intertwined Bifragmented JPEG images into their original form without missing any parts or data of the image is a challenging due to the intertwined case might occur with non-JPEG images such as PDF, Text, Microsoft Office or random data. In this research, a new carving framework is presented in order to address the fragmentation issues that often occur in JPEG images which is called RX_myKarve. The RX_myKarve is an extended framework from X_myKarve, which consists of the following key components: (i) an Extreme Learning Machine (ELM) neural network for clusters classification using three existing content-based features extraction (Entropy, Byte Frequency Distribution (BFD) and Rate of Change (RoC)) to improve the identification of JPEG images content and support the reassembling process; (ii) a genetic algorithm with Coherence Euclidean Distance (CED) matric and cost function to reconstruct a JPEG image from a set of deformed and fragmented clusters in the scan area. The RX_myKarve is a framework that contains both structure-based carving and content-based carving approaches. The RX_myKarve is implemented as an Automatic JPEG Carver (AJC) tool in order to test and compare its performance with the state-of-the art carvers such as RevIt, myKarve and X_myKarve. It is applied to three datasets namely DFRWS (2006 and 2007) forensic challenges datasets and a new dataset to test and evaluate the AJC tool. These datasets have complex challenges that simulate particular fragmentation cases addressed in this research. The final results show that the AJC with the aid of the RX_myKarve framework outperform the X_myKarve, myKarve and RevIt. The RX_myKarve is able to completely carve 23.8% images more than X_myKarve, 45.4% images more than myKarve and 67% images more than RevIt in which AJC tool using RX_myKarve completely solves the research problem

File Fragment Classification Using Neural Networks with Lossless Representations

This study explores the use of neural networks as universal models for classifying file fragments. This approach differs from previous work in its lossless feature representation, with fragments’ bits as direct input, and its use of feedforward, recurrent, and convolutional networks as classifiers, whereas previous work has only tested feedforward networks. Due to the study’s exploratory nature, the models were not directly evaluated in a practical setting; rather, easily reproducible experiments were performed to attempt to answer the initial question of whether this approach is worthwhile to pursue further, especially due to its high computational cost. The experiments tested classification of fragments of homogeneous file types as an idealized case, rather than using a realistic set of types, because the types of interest are highly application-dependent. The recurrent networks achieved 98 percent accuracy in distinguishing 4 file types, suggesting that this approach may be capable of yielding models with sufficient performance for practical applications. The potential applications depend mainly on the model performance gains achievable by future work but include binary mapping, deep packet inspection, and file carving

Error Level Analysis Technique for Identifying JPEG Block Unique Signature for Digital Forensic Analysis

The popularity of unique image compression features of image files opens an interesting research analysis process, given that several digital forensics cases are related to diverse file types. Of interest has been fragmented file carving and recovery which forms a major aspect of digital forensics research on JPEG files. Whilst there exist several challenges, this paper focuses on the challenge of determining the co-existence of JPEG fragments within various file fragment types. Existing works have exhibited a high false-positive rate, therefore rendering the need for manual validation. This study develops a technique that can identify the unique signature of JPEG 8 × 8 blocks using the Error Level Analysis technique, implemented in MATLAB. The experimental result that was conducted with 21 images of JFIF format with 1008 blocks shows the efficacy of the proposed technique. Specifically, the initial results from the experiment show that JPEG 8 × 8 blocks have unique characteristics which can be leveraged for digital forensics. An investigator could, therefore, search for the unique characteristics to identify a JPEG fragment during a digital investigation process