DC3 Digital Forensics Challenge

From ForensicsWiki
The '''DC3 Digital Forensics Challenge''' is an annual forensics contest sponsored by the [[Defense Cyber Crime Center]]. The winning team, which must consist of U.S. citizens, receives a free trip to the annual DoD Cyber Crime Conference.
  
== Participation ==
Participation in the contest is a good way for vendors to showcase their talents and for academics to teach computer forensics. Some academics feel, however, that they get little benefit from the contest: they believe that the DoD should publish all of the submissions so that they can be independently evaluated. This opinion was most vocally stated by David C. Smith and Mickey Lasky of Georgetown University in August 2007, in a DEFCON talk titled "Cool stuff learned from competing in the DC3 digital forensic challenge", where they described their entries and the lack of feedback from the DC3 [http://video.google.com/videoplay?docid=-7884272596646742143&hl=en].

== History ==
 
  
=== 2008 ===
The 2008 challenge is now open. Packets were mailed starting 1 Mar 2008 and solutions are due before 1 Nov 2008. The winner will be announced on 1 Dec 2008 and will, as usual, receive a free trip to the 2009 DoD Cyber Crime Conference. The challenges this year include detecting suspicious software, hash analysis, image analysis, partition recovery, signature analysis, file header reconstruction, password recovery, registry analysis, steganography, encryption, Skype analysis, foreign text identification and translation, and MSN Live analysis.
  
=== 2007 ===
The challenge was held in 2007 again, this time asking participants to focus on BitLocker and PAX protected files, erased files on a CDROM, a damaged DVD and thumb drive, determining real images from fake ones, and audio steganography.  
  
The [http://www.dc3.mil/2007_challenge/ archives from the 2007 challenge] are online.
  
=== 2006 ===
The 2006 challenge was the first sponsored by the DC3. Entrants were asked to solve puzzles in Audio Steganography, Steganography using S-Tools, Password Cracking, Image Analysis: Real vs. CG, Data Carving: Linux LVM Interpretation, Data Acquisition: Boot a dd Image, Data Acquisition: Boot a Split dd Image, Media Recovery: Compact-disc, Media Recovery: Floppy Diskette, Keylog Cracking, and Metadata Extraction.
  
One hundred and forty teams requested challenge packets, but only 21 teams submitted entries. The winning team, announced on 15 Dec 2006, was [[AccessData]]. They won a free trip to the [[Defense Cyber Crime Center|DC3's]] annual [[Conferences|conference]] in St. Louis, MO in January 2007. They presented a complete solution at the conference.
 
  
Challenge submissions were broken down by academic, civilian, commercial, military, and government entrants. International teams from Australia, Canada, France, and India all requested packets, but were not eligible to win.
 
  
The [http://www.dc3.mil/2006_challenge/ archives from the 2006 challenge] are online.
== External Links ==
* [http://www.dc3.mil/challenge/ Official web site]

Research Topics (revision as of 23:24, 2 November 2008)

Research Ideas

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.


Hard Problems

  • Stream Based Disk Forensics. Process the entire disk with one pass, or at most two, to minimize seek time.
  • Determine the device that created an image or video without metadata. (fingerprinting digital cameras)
  • Automatically detect falsified digital evidence.
  • Use the location of where data resides on a computer as a way of inferring information about the computer's past.
  • Detect and diagnose sanitization attempts.
  • Recover overwritten data.
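The first item above, stream-based disk forensics, is concrete enough to sketch. The example below is added here and is not code from this wiki or from any tool it mentions: it reads a raw image strictly forward in sector-aligned chunks and, in that single pass, computes a per-sector hash (for hash-set matching), counts all-zero sectors, and tests each sector boundary against a small magic-number table so that carving candidates fall out of the same read. The signature table, the sample image and the function names are constructed for the illustration.

```python
import hashlib
import io
import random

SECTOR = 512

# Hypothetical minimal magic table; a real carver uses a much longer one.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}


def stream_scan(stream, chunk=64 * 1024, sector=SECTOR):
    """Single sequential pass over a raw image. Per sector: a SHA-256 for
    hash-set matching, a zero-sector check, and a signature test for carving.
    The stream is only ever read forward, so a spinning disk never seeks."""
    if chunk % sector:
        raise ValueError("chunk must be a whole number of sectors")
    sector_hashes, hits = [], []
    zero_sectors = reads = offset = 0
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        reads += 1
        for i in range(0, len(buf), sector):
            sec = buf[i:i + sector]
            if not any(sec):
                zero_sectors += 1
            sector_hashes.append(hashlib.sha256(sec).hexdigest())
            for magic, kind in SIGNATURES.items():
                if sec.startswith(magic):
                    hits.append((offset + i, kind))
        offset += len(buf)
    return {"hits": hits, "zero_sectors": zero_sectors,
            "sector_hashes": sector_hashes, "reads": reads}


def scan_bytes(data, chunk=64 * 1024):
    """Convenience wrapper for an in-memory image."""
    return stream_scan(io.BytesIO(data), chunk=chunk)


def find_known_sectors(result, known_hashes):
    """Second use of the same pass: offsets whose sector hash is in a known set
    (e.g. sectors of a file of interest), with no extra disk read."""
    return [i * SECTOR for i, h in enumerate(result["sector_hashes"])
            if h in known_hashes]


def build_sample_image(n_sectors=16, seed=1):
    """Constructed 8 KiB image: random filler, two all-zero sectors (2 and 9),
    a JPEG signature at sector 3 and a PDF signature at sector 7."""
    rnd = random.Random(seed)
    img = bytearray(n_sectors * SECTOR)
    for s in range(n_sectors):
        if s in (2, 9):
            continue
        img[s * SECTOR:(s + 1) * SECTOR] = bytes(rnd.getrandbits(8) for _ in range(SECTOR))
    img[3 * SECTOR:3 * SECTOR + 3] = b"\xff\xd8\xff"
    img[7 * SECTOR:7 * SECTOR + 5] = b"%PDF-"
    return bytes(img)


if __name__ == "__main__":
    res = scan_bytes(build_sample_image(), chunk=2048)
    print(res["hits"], res["zero_sectors"], res["reads"])
```

The chunk size only changes how many read calls are issued; because it is forced to a multiple of the sector size, no sector straddles two reads and the results are identical at 512 bytes or 64 KiB. Anything that needs a second look at a sector (a full carve of a hit, a file-system walk) is queued from the hit list and done in the optional second pass the research item allows.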

Tool Development

AFF Enhancement

  • Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
  • Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.
  • Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
  • Improve the data recovery features of aimage.
  • Replace AFF's current table-of-contents system with one based on B+ Trees.
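On the BADFLAG item: the sketch below is an added illustration, not code from AFF or from this wiki, of why an in-band sentinel is a weaker bad-sector marker than a side bitmap. It assumes, as I understand AFF's approach, that an unreadable sector is replaced in the data stream by a fixed 512-byte pattern and that a reader recognizes a bad sector by comparing its bytes against that pattern. The class names, the sentinel and the three-sector layout are constructed for the example.

```python
import random

SECTOR = 512


class BadflagImage:
    """In-band marking: an unreadable sector is stored as a fixed sentinel
    pattern, and a reader calls a sector 'bad' when its bytes equal that
    pattern (assumed model of AFF's BADFLAG, simplified for illustration)."""

    def __init__(self, flag):
        if len(flag) != SECTOR:
            raise ValueError("flag must be exactly one sector")
        self.flag = bytes(flag)
        self.sectors = []

    def add_good(self, data):
        self.sectors.append(bytes(data))

    def add_bad(self):
        self.sectors.append(self.flag)

    def read(self, n):
        data = self.sectors[n]
        return data, data == self.flag      # ambiguous when real data == flag


class BitmapImage:
    """Out-of-band marking: one bit per sector in a side table. Classification
    no longer depends on the sector's contents, so no data can collide with it."""

    def __init__(self):
        self.sectors = []
        self.badmap = bytearray()

    def _mark_bad(self, n):
        byte, bit = divmod(n, 8)
        while len(self.badmap) <= byte:
            self.badmap.append(0)
        self.badmap[byte] |= 1 << bit

    def add_good(self, data):
        self.sectors.append(bytes(data))

    def add_bad(self):
        n = len(self.sectors)
        self.sectors.append(b"\x00" * SECTOR)   # placeholder; the bitmap is authoritative
        self._mark_bad(n)

    def is_bad(self, n):
        byte, bit = divmod(n, 8)
        return byte < len(self.badmap) and bool((self.badmap[byte] >> bit) & 1)

    def read(self, n):
        return self.sectors[n], self.is_bad(n)


def make_flag(seed=7):
    """Constructed sentinel: a text tag plus random filler. An accidental match
    is unlikely but not impossible: the evidence drive may itself hold a copy
    of the flag, for instance inside another forensic image stored on it."""
    rnd = random.Random(seed)
    tag = b"BAD SECTOR\n"
    return tag + bytes(rnd.getrandbits(8) for _ in range(SECTOR - len(tag)))


def compare(flag=None):
    """Build the same three-sector layout both ways: good data, an unreadable
    sector, and a good sector whose real contents happen to equal the flag.
    Returns each scheme's bad/good verdict per sector."""
    flag = flag or make_flag()
    good = b"\x41" * SECTOR
    a, b = BadflagImage(flag), BitmapImage()
    for img in (a, b):
        img.add_good(good)
        img.add_bad()
        img.add_good(flag)            # legitimate data that equals the sentinel
    return {
        "badflag": [a.read(i)[1] for i in range(3)],
        "bitmap": [b.read(i)[1] for i in range(3)],
        "bitmap_bytes": len(b.badmap),
    }


if __name__ == "__main__":
    print(compare())
```

The bitmap costs one bit per sector (about 250 KiB for a 1 TB drive of 512-byte sectors) and makes "is this sector bad?" a constant-time lookup instead of a 512-byte compare on every read; it also lets the image keep whatever partial bytes the drive did return for a failing sector, since the data field no longer has to double as the marker.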

Decoders and Validators

  • A JPEG decompressor that supports restarts and checkpointing for use in high-speed carving. It would also be useful if the decompressor did not actually decompress: all it needs to do is verify the Huffman tables.
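The validate-without-decoding idea above can be shown directly. The example below is added here and is not code from this wiki or from any JPEG library: it walks the marker segments from SOI to the first SOS, checks that every Huffman table in each DHT segment has a legal class and id, at most 256 symbols, a symbol list that fits its segment, and code-length counts that satisfy the Kraft inequality (otherwise no prefix code exists), and it reports the offset where checking stopped so a carver can checkpoint there instead of re-reading the prefix. The `sample_jpeg` builder constructs a minimal header, not a decodable picture; its marker layout and the standard luminance DC table are from the JPEG specification, everything else is an assumption of the example.

```python
import struct

SOI, EOI, SOS, DHT = 0xD8, 0xD9, 0xDA, 0xC4
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def check_dht(payload):
    """Validate every Huffman table in one DHT segment without building a
    decoder. Returns [(table_class, table_id, symbol_count), ...] or raises
    ValueError with the reason a carver should reject this candidate."""
    tables, pos = [], 0
    while pos < len(payload):
        if pos + 17 > len(payload):
            raise ValueError("truncated DHT table header")
        tc, th = payload[pos] >> 4, payload[pos] & 0x0F
        if tc > 1 or th > 3:
            raise ValueError("bad DHT class/id %d/%d" % (tc, th))
        counts = payload[pos + 1:pos + 17]          # number of codes of length 1..16
        total = sum(counts)
        if total > 256:
            raise ValueError("more than 256 symbols in one table")
        # Kraft inequality in fixed point: sum(counts[i] / 2**i) <= 1, else the
        # lengths cannot form a prefix code and any decoder would misbehave.
        kraft = sum(c << (16 - i) for i, c in enumerate(counts, start=1))
        if kraft > 1 << 16:
            raise ValueError("over-subscribed Huffman code lengths")
        pos += 17
        if pos + total > len(payload):
            raise ValueError("DHT symbol list truncated")
        pos += total
        tables.append((tc, th, total))
    return tables


def validate_jpeg(buf):
    """Walk marker segments from SOI to the first SOS. 'offset' is a checkpoint:
    where the header ended (success) or where validation failed."""
    n = len(buf)
    if buf[:2] != b"\xff\xd8":
        return {"ok": False, "reason": "no SOI", "offset": 0, "tables": []}
    pos, tables = 2, []
    try:
        while True:
            if pos >= n or buf[pos] != 0xFF:
                raise ValueError("expected marker at offset %d" % pos)
            while pos < n and buf[pos] == 0xFF:      # 0xFF fill bytes are legal
                pos += 1
            if pos >= n:
                raise ValueError("truncated marker")
            marker = buf[pos]
            pos += 1
            if marker == 0x00:
                raise ValueError("stuffed byte outside entropy-coded data")
            if marker in STANDALONE:
                if marker == EOI:
                    raise ValueError("EOI before any scan")
                continue
            if pos + 2 > n:
                raise ValueError("truncated segment length")
            length = struct.unpack(">H", buf[pos:pos + 2])[0]
            if length < 2 or pos + length > n:
                raise ValueError("segment length %d overruns buffer" % length)
            payload = buf[pos + 2:pos + length]
            if marker == DHT:
                tables.extend(check_dht(payload))
            pos += length
            if marker == SOS:
                if not tables:
                    raise ValueError("scan starts with no Huffman table defined")
                return {"ok": True, "reason": "header valid up to SOS",
                        "offset": pos, "tables": tables}
    except ValueError as e:
        return {"ok": False, "reason": str(e), "offset": pos, "tables": tables}


def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Standard luminance DC table (12 symbols) from the JPEG spec, as sample input.
STD_DC_LUMA_COUNTS = bytes([0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0])
STD_DC_LUMA_SYMBOLS = bytes(range(12))


def sample_jpeg(counts=STD_DC_LUMA_COUNTS, symbols=STD_DC_LUMA_SYMBOLS):
    """Constructed header: SOI, APP0, DHT, SOF0, SOS, four bytes of fake scan
    data, EOI. Enough to exercise the walk; not a picture."""
    app0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    dht = _seg(DHT, bytes([0x00]) + counts + symbols)        # class 0, id 0
    sof0 = _seg(0xC0, bytes([8]) + struct.pack(">HH", 8, 8) + bytes([1, 1, 0x11, 0]))
    sos = _seg(SOS, bytes([1, 1, 0x00, 0, 63, 0]))
    return b"\xff\xd8" + app0 + dht + sof0 + sos + b"\x00" * 4 + b"\xff\xd9"
```

For carving, the interesting property is that nothing here allocates per-pixel state: a candidate that fails is rejected after reading only its header bytes, and the returned offset lets the carver resume the scan of the entropy-coded data (counting RST markers, looking for EOI) from exactly where the header check ended.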

Cell Phones

Open source tools for:

  • Imaging the contents of a cell phone memory
  • Reassembling information in a cell phone memory


Corpora Development

Realistic Corpora

  • Simulated disk images
  • Simulated network traffic

Real Data

  • Digital Cameras
  • Cell phones
  • USB Memory Sticks below the logical layer.