Difference between pages "Timeline Analysis Bibliography" and "Carver 2.0 Planning Page"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Papers)
 
(Requirements)
 
Line 1: Line 1:
==Papers==
+
This page is for planning Carver 2.0.
* S. Willassen, [http://www.igi-global.com/articles/details.asp?ID=33298 "A Model Based Approach to Timestamp Evidence Interpretation"], International Journal of Digital Crime and Forensics, 1:2, 2009
+
  
* [http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument Digital Evidence with an Emphasis on Time], Jens Olsson, Master's Thesis, Blekinge Institute of Technology, September 2008.
+
= License =
* R. Koen, M. Olivier, [http://icsa.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf "The Use of File Timestamps in Digital Forensics"], ISSA 2008, Johannesburg, South Africa, July 2008
+
* S. Willassen, [http://www.diva-portal.org/ntnu/abstract.xsql?dbid=2145 "Methods for Enhancement of Timestamp Evidence in Digital Investigations"], PhD Dissertation, Norwegian University of Science and Technology, 2008
+
* S. Willassen, [http://www.willassen.no/svein/pub/ares08.pdf "Finding Evidence of Antedating in Digital Investigations"], ARES 2008, Barcelona, Spain, March 2008
+
* S. Willassen, [http://www.willassen.no/svein/pub/ifip08.pdf "Hypothesis Based Investigation of Digital Timestamp"], 4th IFIP WG 11.9 Workskop on Digital Evidence, Kyoto, Japan, January 2008
+
* S. Willassen, [http://www.willassen.no/svein/pub/efor08.pdf "Timestamp Evidence Correlation by model based clock hypothesis testing"], E-Forensics 2008, Adelaide, Australia, January 2008
+
* F. Buchholz, [http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf "An Improved Clock Model for Translating Timestamps"], JMU-INFOSEC-TR-2007-001, James Madison University
+
* F. Buchholz, B. Tjaden, [http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf "A brief study of time"], Digital Investigation 2007:4S
+
* K. Chow, F. Law, M. Kwan, P. Lai, [http://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf "The Rules of Time on NTFS File System"], 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007
+
* B. Schatz, G. Mohay, A. Clark, [http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf "A correlation method for establishing provenance of timestamps in digital evidence"], Digital Investigation 2006:3S
+
* P. Gladyshev, A. Patel, [http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf "Formalizing Event Time Bouding in Digital Investigation"], International Journal of Digital Evidence, vol 4:2, 2005
+
* C. Boyd, P. Forster, "Time and Date issues in forensic computing - a case study", Digital Investigation 2004:1
+
* M.W. Stevens, "Unification of relative time frames for digital forensics", Digital Investigation 2004:1
+
* M.C. Weil, [http://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf "Dynamic Time & Date Stamp Analysis"], International Journal of Digital Evidence, vol 1:2, 2002
+
  
* [http://infoviz.pnl.gov/pdf/themeriver99.pdf ThemeRiver: In Search of Trends, Patterns, and Relationships], Susan Havre, Beth Hetzler, and Lucy Nowell, Battelle Pacific Northwest Division, Richland, Washington, 1999
+
BSD
* [http://www.conceptsymbols.com/web/publications/2003_timelines.pdf Timeline Visualization of Research Fronts], Steven A. Morris2, G. Yen, Zheng Wu, Benyam Asnake , School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma. 2003
+
* [http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists Visualizing gaps in time-based lists], Moritz Stefaner
+
  
==Programs==
+
= OS =
; [[Zeitline]] — Forensic timeline editor
+
: http://projects.cerias.purdue.edu/forensics/timeline.php
+
: http://sourceforge.net/projects/zeitline/
+
  
; [[sorter]] — [[Sleuthkit]]'s [[MAC times]] sorting program.
+
Linux/FreeBSD/MacOS
  
; [http://code.google.com/p/simile-widgets/ Simile Timeline and Timeplot]
+
= Requirements =
 +
* AFF and EWF file images supported from scratch.
 +
* File system aware layer.  
 +
** By default, files are not carved.
 +
* Plug-in architecture for identification/validation.
 +
** Can we exercise libmagic or at least the patterns they identify?
 +
* Ship with validators for:
 +
** JPEG
 +
** PNG
 +
** GIF
 +
** MSOLE
 +
** ZIP
 +
** TAR (gz/bz2)
 +
* Simple fragment recovery carving using gap carving.
 +
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
 +
* Autonomous operation (what is it? [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)).
 +
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
 +
** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
 +
* Parallelizable.
 +
* Configuration:
 +
** Can handle config files,like Revit07, to enter different file formats used by the carver.
 +
** Disengage internal configuration structure from configuration files, create parsers that present the expected structure
 +
**  Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
 +
* Can output audit.txt file.
 +
* Easy integration into ascription software.
  
==See Also==
+
= Ideas =
* http://www.timeforensics.com/  
+
* Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.
 +
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
 +
* Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
  
 +
= Supported File Systems =
  
 
+
Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
 
+
 
+
[[Category:Tools]]
+
[[Category:Bibliographies]]
+
[[Category:Timeline Analysis]]
+

Revision as of 16:44, 28 October 2008

This page is for planning Carver 2.0.

License

BSD

OS

Linux/FreeBSD/MacOS

Requirements

  • AFF and EWF file images supported from scratch.
  • File system aware layer.
    • By default, files are not carved.
  • Plug-in architecture for identification/validation.
    • Can we exercise libmagic or at least the patterns they identify?
  • Ship with validators for:
    • JPEG
    • PNG
    • GIF
    • MSOLE
    • ZIP
    • TAR (gz/bz2)
  • Simple fragment recovery carving using gap carving.
  • Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
  • Autonomous operation (what is it? .FUF 19:18, 28 October 2008 (UTC)).
  • Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
    • Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
  • Parallelizable.
  • Configuration:
    • Can handle config files,like Revit07, to enter different file formats used by the carver.
    • Disengage internal configuration structure from configuration files, create parsers that present the expected structure
    • Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
  • Can output audit.txt file.
  • Easy integration into ascription software.

Ideas

  • Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.
  • Extracting/carving data from Thumbs.db? I've used foremost for it with some success. Vinetto has some critical bugs :( .FUF 19:18, 28 October 2008 (UTC)
  • Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat .FUF 19:18, 28 October 2008 (UTC)

Supported File Systems

Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. .FUF 19:18, 28 October 2008 (UTC)