Difference between revisions of "Research Topics"

From Forensics Wiki
m (Open Research Topics moved to Simson's Open Research Topics: Nobody else is contributing to this page, so I might as well claim ownership of it.)
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas. ''Potential Sponsor,'' when present, indicates the name of a researcher who would be interested in lending support in the form of supervision or other resources to a project.
+
; Research Ideas
 +
 
 +
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.  
  
  
 
=Hard Problems=
 
=Hard Problems=
* Stream Based Disk Forensics. Process the entire disk with one pass, or at most two, to minimize seek time.  ''Sponsor: [[User:Simsong|Simson Garfinkel]]''
+
* Stream Based Disk Forensics. Process the entire disk with one pass, or at most two, to minimize seek time.   
* Determine the device that created an image or video without metadata.
+
* Determine the device that created an image or video without metadata. (fingerprinting digital cameras)
 
* Automatically detect falsified digital evidence.
 
* Automatically detect falsified digital evidence.
 
* Use the location of where data resides on a computer as a way of inferring information about the computer's past.
 
* Use the location of where data resides on a computer as a way of inferring information about the computer's past.
 
* Detect and diagnose sanitization attempts.  
 
* Detect and diagnose sanitization attempts.  
 
* Recover overwritten data.
 
* Recover overwritten data.
 
  
 
=Tool Development=
 
=Tool Development=
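Review bot: the added "(fingerprinting digital cameras)" on the device-identification item sits after the sentence's full stop and names only cameras, while the item itself covers "an image or video". Fold it into the sentence, for example "Determine the device that created an image or video without metadata (for example, by fingerprinting digital cameras)." The new Stream Based Disk Forensics line also ends in trailing whitespace where the sponsor attribution was removed.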
Line 18: Line 19:
 
* Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
 
* Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
 
* Improve the data recovery features of aimage.
 
* Improve the data recovery features of aimage.
;Sponsor for these projects --- [[User:Simsong|Simson Garfinkel]]
 
==Stored Data Forensics==
 
* Automatically determine a system's clock skew by comparing timestamps on HTML files with internal time stamps.
 
;Sponsor for these projects --- [[User:Simsong|Simson Garfinkel]]
 
  
 
==Decoders and Validators==
 
==Decoders and Validators==
 
* A JPEG decompresser that supports restarts and checkpointing for use in high-speed carving. It would also be useful it the JPEG decompressor didn't actually decompress --- all it needs to do is to verify the huffman table.
 
* A JPEG decompresser that supports restarts and checkpointing for use in high-speed carving. It would also be useful it the JPEG decompressor didn't actually decompress --- all it needs to do is to verify the huffman table.
;Sponsor for these projects --- [[User:Simsong|Simson Garfinkel]]
 
  
 
==Cell Phones==
 
==Cell Phones==
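Review bot: the removal of "==Stored Data Forensics==" and its clock-skew item in this hunk deletes a research topic, unlike the other removed lines here, which are only ";Sponsor for these projects" attributions. If the intent was to drop the sponsor lines, keep the heading and the "Automatically determine a system's clock skew ..." item. The unchanged Decoders and Validators line still reads "useful it the JPEG decompressor" and spells "decompresser" two ways; it should read "useful if the" with one spelling throughout.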
Line 31: Line 27:
 
* Imaging the contents of a cell phone memory
 
* Imaging the contents of a cell phone memory
 
* Reassembling information in a cell phone memory
 
* Reassembling information in a cell phone memory
;Sponsor for these projects --- [[User:Simsong|Simson Garfinkel]]
 
  
 
==Flash Memory==
 
==Flash Memory==
 
Flash memory devices such as USB keys implement a [http://www.st.com/stonline/products/literature/an/10122.htm wear leveling algorithm] in hardware so that frequently rewritten blocks are actually written to many different physical blocks. Are there any devices that let you access the raw flash cells underneath the wear leveling chip? Can you get statistics out of the device? Can you access pages that have been mapped out (and still have valid data) but haven't been mapped back yet? Can you use this as a technique for accessing deleted information?
 
Flash memory devices such as USB keys implement a [http://www.st.com/stonline/products/literature/an/10122.htm wear leveling algorithm] in hardware so that frequently rewritten blocks are actually written to many different physical blocks. Are there any devices that let you access the raw flash cells underneath the wear leveling chip? Can you get statistics out of the device? Can you access pages that have been mapped out (and still have valid data) but haven't been mapped back yet? Can you use this as a technique for accessing deleted information?
 
;Sponsor for these projects --- [[User:Simsong|Simson Garfinkel]]
 
 
  
 
=Corpora Development=
 
=Corpora Development=
==Real Corpora==
 
* Cell phone memory images
 
 
==Realistic Corpora==
 
==Realistic Corpora==
 
* Simulated disk imags
 
* Simulated disk imags
 
* Simulated network traffic
 
* Simulated network traffic
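Review bot: the context line "* Simulated disk imags" under "==Realistic Corpora==" is misspelled and this revision leaves it as is; it should read "images". The hunk also removes "==Real Corpora==" together with its only entry, "Cell phone memory images", so the page no longer lists any real-data corpus; if that was not intended, keep the section and remove only the sponsor lines.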

Revision as of 21:54, 2 November 2008

Research Ideas

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.


Hard Problems

  • Stream Based Disk Forensics. Process the entire disk with one pass, or at most two, to minimize seek time.
  • Determine the device that created an image or video without metadata. (fingerprinting digital cameras)
  • Automatically detect falsified digital evidence.
  • Use the location of where data resides on a computer as a way of inferring information about the computer's past.
  • Detect and diagnose sanitization attempts.
  • Recover overwritten data.

Tool Development

AFF Enhancement

AFF is the Advanced Forensics Format, developed by Simson Garfinkel and Basis Technology.

  • Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
  • Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.
  • Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
  • Improve the data recovery features of aimage.

Decoders and Validators

  • A JPEG decompressor that supports restarts and checkpointing for use in high-speed carving. It would also be useful if the JPEG decompressor didn't actually decompress --- all it needs to do is to verify the Huffman table.

Cell Phones

Open source tools for:

  • Imaging the contents of a cell phone memory
  • Reassembling information in a cell phone memory

Flash Memory

Flash memory devices such as USB keys implement a wear leveling algorithm in hardware so that frequently rewritten blocks are actually written to many different physical blocks. Are there any devices that let you access the raw flash cells underneath the wear leveling chip? Can you get statistics out of the device? Can you access pages that have been mapped out (and still have valid data) but haven't been mapped back yet? Can you use this as a technique for accessing deleted information?

Corpora Development

Realistic Corpora

  • Simulated disk images
  • Simulated network traffic