
    A Case-Based Reasoning Method for Locating Evidence During Digital Forensic Device Triage

    The role of triage in digital forensics is disputed, with some practitioners questioning its reliability for identifying evidential data. Although successfully implemented in the field of medicine, triage has not established itself to the same degree in digital forensics. This article presents a novel approach to triage for digital forensics. Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing past digital forensic investigation information in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator to decide where to search for evidence. The CBR-FT framework is discussed and the results of twenty test triage examinations are presented. CBR-FT has been shown to be a more effective method of triage when compared to a practitioner using a leading commercial application.

    On deletions in open addressing hashing

    Deletions in open addressing tables have often been seen as problematic. The usual solution is to use a special mark 'deleted' so that probe sequences continue past deleted slots, as if there was an element still sitting there. Such a solution, notwithstanding its wide applicability, may involve serious performance degradation. In the first part of this paper we review a practical implementation of the often overlooked deletion algorithm for linear probing hash tables, analyze its properties and performance, and provide several strong arguments in favor of the Robin Hood variant. In particular, we show how a small variation can yield substantial improvements for unsuccessful search. In the second part we propose an algorithm for true deletion in open addressing hashing with secondary clustering, like quadratic hashing. As far as we know, this is the first time that such an algorithm appears in the literature. Although it involves some extra memory for bookkeeping, the algorithm is comparatively easy and efficient, and might be of practical value, besides its theoretical interest.
    Postprint (published version)

    On deletions in open addressing hashing

    Deletions in open addressing tables have often been seen as problematic. The usual solution is to use a special mark 'deleted' so that probe sequences continue past deleted slots, as if there was an element still sitting there. Such a solution, notwithstanding its wide applicability, may involve performance degradation. In the first part of this paper we review a practical implementation of the often overlooked deletion algorithm for linear probing hash tables, analyze its properties and performance, and provide several strong arguments in favor of the Robin Hood variant. In particular, we show how a small variation can yield substantial improvements for unsuccessful search. In the second part we propose an algorithm for true deletion in open addressing hashing with secondary clustering, like quadratic hashing. As far as we know, this is the first time that such an algorithm appears in the literature. Moreover, for tables built using the Robin Hood variant the deletion algorithm strongly preserves randomness (the resulting table is identical to the table that would result if the item were not inserted at all). Although it involves some extra memory for bookkeeping, the algorithm is comparatively easy and efficient, and it might be of some practical value, besides its theoretical interest.
    Peer Reviewed. Postprint (author's final draft)

    Open-addressing hashing with unequal-probability keys

    This paper describes the use of a drone in collecting data for mapping discontinuities within a marble quarry. A topographic survey was carried out in order to guarantee high spatial accuracy in the exterior orientation of images. Photos were taken close to the slopes and at different angles, depending on the orientation of the quarry walls. This approach was used to overcome the problem of shadow areas and to obtain detailed information on any feature desired. Dense three-dimensional (3D) point clouds obtained through image processing were used to rebuild the quarry geometry. Discontinuities were then mapped deterministically in detail. Joint attitude interpretation was not always possible due to the regular shape of the cut walls; for every discontinuity set we therefore also mapped the uncertainty. This, together with additional fracture characteristics, was used to build 3D discrete fracture network models. Preliminary results reveal the advantage of modern photogrammetric systems in producing detailed orthophotos; the latter allow accurate mapping in areas difficult to access (one of the main limitations of traditional techniques). The results highlight the benefits of integrating photogrammetric data with those collected through classical methods: the resulting knowledge of the site is crucially important in instability analyses involving numerical modelling.
    Part of the present study was undertaken within the framework of the Italian National Research Project PRIN2009, funded by the Ministry of Education, Universities and Research, which involves the collaboration between the University of Siena, ‘La Sapienza’ University of Rome, and USL1 of Massa and Carrara (Mining Engineering Operative Unit – Department of Prevention). The authors acknowledge M. Pellegri and D. Gullì (USL1, Mining Engineering Operative Unit – Department of Prevention), M. Ferrari, M. Profeti and V. Carnicelli (Cooperativa Cavatori Lorano), X. Chaoshui and P.A. Dowd (School of Civil, Environmental and Mining Engineering, University of Adelaide, South Australia) and M. Bocci (Geographike) for their support of this research.

    Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

    The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection.