Difference between revisions of "Main Page"

From ForensicsWiki
Jump to: navigation, search
m
m
 
(6 intermediate revisions by 2 users not shown)
Line 7: Line 7:
  
 
==WIKI NEWS==
 
==WIKI NEWS==
 +
2014-06-14: The Wiki has been migrated to the most up-to-date MediaWiki and moved from HostGator to Pair. The previous bugs with the AccountCreation problem should be fixed. Please let us know if there are any problems.
 +
* 2014-06-16 - It seems that the transfer and upgrade has resulted in some content being lost. The content appears to be on the old site and we may need some help in migrating it. Please see [[Content Lost in Migration]] for a list of the lost content.
 +
 
2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the [[ForensicsWiki FeedBurner Feed]]
 
2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the [[ForensicsWiki FeedBurner Feed]]
  
Line 19: Line 22:
 
<bibtex>
 
<bibtex>
 
@inproceedings{Hurley:2013:MAC:2488388.2488444,
 
@inproceedings{Hurley:2013:MAC:2488388.2488444,
  author = {Hurley, Ryan and Prusty, Swagatika and Soroush, Hamed and Walls, Robert J. and Albrecht, Jeannie and Cecchet, Emmanuel and Levine, Brian Neil and Liberatore, Marc and Lynn, Brian and Wolak, Janis},
+
  author = {Sven Ka ̈lber, Andreas Dewald, Steffen Idler},
  title = {Measurement and Analysis of Child Pornography Trafficking on P2P Networks},
+
  title = {Forensic Zero-Knowledge Event Reconstruction on Filesystem Metadata},
  booktitle = {Proceedings of the 22Nd International Conference on World Wide Web},
+
  booktitle = {Lecture Notes in Informatics},
  series = {WWW '13},
+
  volume="P-228",
  year = {2013},
+
  year=2014,
isbn = {978-1-4503-2035-1},
+
  url = {http://subs.emis.de/LNI/Proceedings/Proceedings228/331.pdf},
location = {Rio de Janeiro, Brazil},
+
pages = {631--642},
+
numpages = {12},
+
  url = {http://dl.acm.org/citation.cfm?id=2488388.2488444},
+
acmid = {2488444},
+
publisher = {International World Wide Web Conferences Steering Committee},
+
address = {Republic and Canton of Geneva, Switzerland},
+
keywords = {digital forensics, forensic triage},
+
 
}  
 
}  
 
</bibtex>
 
</bibtex>
Peer-to-peer networks are the most popular mechanism for the criminal acquisition and distribution of child pornography (CP). In this paper, we examine observations of peers sharing known CP on the eMule and Gnutella networks, which were collected by law enforcement using forensic tools that we developed. We characterize a year's worth of network activity and evaluate different strategies for prioritizing investigators' limited resources. The highest impact research in criminal forensics works within, and is evaluated under, the constraints and goals of investigations. We follow that principle, rather than presenting a set of isolated, exploratory characterizations of users.
 
  
First, we focus on strategies for reducing the number of CP files available on the network by removing a minimal number of peers. We present a metric for peer removal that is more effective than simply selecting peers with the largest libraries or the most days online. Second, we characterize six aggressive peer subgroups, including: peers using Tor, peers that bridge multiple p2p networks, and the top 10% of peers contributing to file availability. We find that these subgroups are more active in their trafficking, having more known CP and more uptime, than the average peer. Finally, while in theory Tor presents a challenge to investigators, we observe that in practice offenders use Tor inconsistently. Over 90% of regular Tor users send traffic from a non-Tor IP at least once after first using Tor.
+
Abstract: Criminal investigations today can hardly be imagined without the forensic analysis of digital devices, regardless of whether it is a desktop computer, a mobile phone, or a navigation system. This not only holds true for cases of cybercrime, but also for traditional delicts such as murder or blackmail, and also private corporate investigations rely on digital forensics. This leads to an increasing number of cases with an ever-growing amount of data, that exceeds the capacity of the forensic experts. To support investigators to work more efficiently, we introduce a novel approach to automatically reconstruct events that previously occurred on the examined system and to provide a quick overview to the investigator as a starting point for further investigation. In contrast to the few existing approaches, our solution does not rely on any previously profiled system behavior or knowledge about specific applications, log files, or file formats. We further present a prototype implementation of our so-called zero knowledge event reconstruction approach, that solely tries to make sense of characteristic structures in file system metadata such as file- and folder-names and timestamps.
 +
 
 
(See also [[Past Selected Articles]])
 
(See also [[Past Selected Articles]])
  

Latest revision as of 04:51, 16 June 2014

This is the Forensics Wiki, a Creative Commons-licensed wiki devoted to information about digital forensics (also known as computer forensics). We currently list a total of 724 pages.

Much of computer forensics is focused on the tools and techniques used by investigators, but there are also a number of important papers, people, and organizations involved. Many of those organizations sponsor conferences throughout the year and around the world. You may also wish to examine the popular journals and some special reports.


WIKI NEWS

2014-06-14: The Wiki has been migrated to the most up-to-date MediaWiki and moved from HostGator to Pair. The previous bugs with the AccountCreation problem should be fixed. Please let us know if there are any problems.

  • 2014-06-16 - It seems that the transfer and upgrade has resulted in some content being lost. The content appears to be on the old site and we may need some help in migrating it. Please see Content Lost in Migration for a list of the lost content.

2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the ForensicsWiki FeedBurner Feed

Featured Forensic Research

May 2014

Sven Ka ̈lber, Andreas Dewald, Steffen Idler - Forensic Zero-Knowledge Event Reconstruction on Filesystem Metadata
Lecture Notes in Informatics P-228,2014
http://subs.emis.de/LNI/Proceedings/Proceedings228/331.pdf
Bibtex
Author : Sven Ka ̈lber, Andreas Dewald, Steffen Idler
Title : Forensic Zero-Knowledge Event Reconstruction on Filesystem Metadata
In : Lecture Notes in Informatics -
Address :
Date : 2014

Abstract: Criminal investigations today can hardly be imagined without the forensic analysis of digital devices, regardless of whether it is a desktop computer, a mobile phone, or a navigation system. This not only holds true for cases of cybercrime, but also for traditional delicts such as murder or blackmail, and also private corporate investigations rely on digital forensics. This leads to an increasing number of cases with an ever-growing amount of data, that exceeds the capacity of the forensic experts. To support investigators to work more efficiently, we introduce a novel approach to automatically reconstruct events that previously occurred on the examined system and to provide a quick overview to the investigator as a starting point for further investigation. In contrast to the few existing approaches, our solution does not rely on any previously profiled system behavior or knowledge about specific applications, log files, or file formats. We further present a prototype implementation of our so-called zero knowledge event reconstruction approach, that solely tries to make sense of characteristic structures in file system metadata such as file- and folder-names and timestamps.

(See also Past Selected Articles)

Featured Article

Forensic Linux Live CD issues
Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. Read More...


Topics



You can help! We have a list of articles that need to be expanded. If you know anything about any of these topics, please feel free to chip in.