Past Selected Articles
Archived past selected research articles
2008-July-27 The Symposium on Usable Privacy and Security (2008) concluded this past week in Pittsburgh, PA. One paper that appeared which is interesting to the network forensics crowd is The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?, by Rodrigo Werlinger, Kirstie Hawkey, Kasia Muldner, Pooya Jaferian and Konstantin Beznosov. slides
In this article, the authors conducted interviews with 9 IT security practitioners who have worked with IDSs performed ethnographic observations within an organization that was deploying a new IDS. They found that security practitioners were heavily divided on the value of the IDS, and learned that the an IDS really only generates value if the network is well-understood before the IDS is deployed.
The current Fall 2007 issue has an interesting article Mobile Phone Forensics Tool Testing: A Database Drive Approach by Baggili, Mislan, and Rogers at Purdue University. Given that phones are increasingly a primary source of forensic information in many cases, we need to be sure that the tools that are used for forensic analysis present data that is accurate and repeatable. Unfortunately they frequently aren't because of there are so many different kinds of phones on the market and the forensic tools lag far behind the market.
Ibrahim M. Baggili, Richard Mislan, Marcus Rogers -
- International Journal of Digital Evidence 6,2007
BibtexAuthor : Ibrahim M. Baggili, Richard Mislan, Marcus Rogers
In : International Journal of Digital Evidence -
Date : 2007
Anandabrata Pal, Taha Sencar, Nasir Memon - Detecting File Fragmentation Point Using Sequential Hypothesis Testing
BibtexAuthor : Anandabrata Pal, Taha Sencar, Nasir Memon
Title : Detecting File Fragmentation Point Using Sequential Hypothesis Testing
In : -
Date : 2008
This DFRWS 2008 article presents an improved approach for carving fragmented JPEGs using sequential hypothesis testing. According to the authors, "The technique begins with a header block identifying the start of a ﬁle and then attempts to validate via SHT each subsequent block following the header block. The fragmentation point is identiﬁed when SHT identiﬁes a block as not belonging to the ﬁle. By utilizing this technique, we are able to correctly and efﬁciently recover JPEG images from the DFRWS 2006  and 2007  test sets even in the presence of tens of thousands of blocks and ﬁles fragmented into 3 or more parts. The bifragment gap carving technique enhanced with SHT allows us to improve the performance result of DFRWS 2006 challenge test-sets, although the technique cannot be used for DFRWS 2007. We then show how Parallel Unique Path enhanced with SHT is able to recover all fragmented JPEGs from DFRWS 2006 and all recoverable JPEGs from 2007 challenge test-sets. As far as we are aware, no other automated technique can recover multi-fragmented JPEGs from the DFRWS 2007 test set."
Yoginder Singh Dandass, Nathan Joseph Necaise, Sherry Reede Thomas - An Empirical Analysis of Disk Sector Hashes for Data Carving
- Journal of Digital Forensic Practice 2:95--106,2008
BibtexAuthor : Yoginder Singh Dandass, Nathan Joseph Necaise, Sherry Reede Thomas
Title : An Empirical Analysis of Disk Sector Hashes for Data Carving
In : Journal of Digital Forensic Practice -
Date : 2008
Authors Dandass et. al analyzed 528 million sectors from 433,630 unique files. They computed the CRC32, CRC64, MD5 and SHA-1 of each sector. Not surprisingly, they find that the MD5 and SHA-1s of the sectors are different if the sectors are different. They find 94 CRC64 collisions and 30 million CRC32 collisions. The conclusion is that, if you are search for a single sector or building a database of single sector hashes, you are better off building a database of CRC64s because they are easier to store and dramatically faster to calculate than the traditional hash functions, and they are nearly as accurate.