Difference between pages "DC3 Digital Forensics Challenge" and "Research Topics"

From Forensics Wiki

{{expand}}

The '''DC3 Digital Forensics Challenge''' is an annual forensics contest sponsored by the [[Defense Cyber Crime Center]]. The winning team, which must consist of U.S. citizens, receives a free trip to the annual DoD Cyber Crime Conference.  
== Participation ==
 
Participation in the contest is a good way for vendors to showcase their talents and for academics to exercise their computer forensics research. Some academics feel, however, that they get little benefit from the contest, and argue that the DoD should publish all of the submissions so that they can be independently evaluated. This opinion was most vocally stated by David C. Smith and Mickey Lasky of Georgetown University in August 2007, in a DEFCON talk titled "Cool stuff learned from competing in the DC3 digital forensic challenge" in which they described their entries and the lack of feedback from the DC3 [http://video.google.com/videoplay?docid=-7884272596646742143&hl=en].
 
  
== History ==
  
=== 2010 ===
  
=== 2009 ===
  
=== 2008 ===

The challenges this year included suspicious software detection, hash analysis, image analysis, partition recovery, signature analysis, file header reconstruction, password recovery, registry analysis, steganography, encryption, Skype analysis, foreign text identification and translation, and MSN Live analysis.
  
=== 2007 ===
 
The challenge was held again in 2007, this time asking participants to focus on BitLocker- and PAX-protected files, erased files on a CD-ROM, a damaged DVD and thumb drive, distinguishing real images from fake ones, and audio steganography.
 
  
The [http://www.dc3.mil/2007_challenge/ archives from the 2007 challenge] are online.
 
  
=== 2006 ===
The 2006 challenge was the first sponsored by the DC3. Entrants were asked to solve puzzles in Audio Steganography, Steganography using S-Tools, Password Cracking, Image Analysis: Real vs. CG, Data Carving: Linux LVM Interpretation, Data Acquisition: Boot a dd Image, Data Acquisition: Boot a Split dd Image, Media Recovery: Compact-disc, Media Recovery: Floppy Diskette, Keylog Cracking, and Metadata Extraction.
One hundred and forty teams requested challenge packets, but only 21 teams submitted entries. The winning team, announced on 15 Dec 2006, was [[AccessData]]. They won a free trip to the [[Defense Cyber Crime Center|DC3's]] annual [[Conferences|conference]] in St. Louis, MO in January 2007. They presented a complete solution at the conference.
 
Challenge submissions were broken down by academic, civilian, commercial, military, and government entrants. International teams from Australia, Canada, France, and India all requested packets, but were not eligible to win.
 
The [http://www.dc3.mil/2006_challenge/ archives from the 2006 challenge] are online.
 
== External Links ==
* [http://www.dc3.mil/challenge/ Official web site]

Revision as of 22:24, 2 November 2008

Research Ideas

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.


Hard Problems

  • Stream-based disk forensics: process the entire disk in one pass, or at most two, to minimize seek time.
  • Determine the device that created an image or video without metadata. (fingerprinting digital cameras)
  • Automatically detect falsified digital evidence.
  • Use the location of where data resides on a computer as a way of inferring information about the computer's past.
  • Detect and diagnose sanitization attempts.
  • Recover overwritten data.
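
The first item above is concrete enough to illustrate. The following is example code written for this page, not a tool from the Forensics Wiki or from any forensics project: a Python scanner that reads an image front to back exactly once and feeds every chunk to several consumers at the same time, a whole-image hash, a hash per 512-byte sector, and a magic-byte search for file signatures. The detail that makes single-pass work is carrying the tail of the previous chunk forward so a signature that straddles a chunk boundary is still found, and found only once. The signature table, the sector size, the 4 KiB sample image with three planted headers, and all function names are constructed for this example.

```python
"""Single-pass ("stream based") disk processing: one sequential read feeds
several consumers at once, so the image is never seeked back or re-read.

Added example written for this page, not a tool from the Forensics Wiki.
The signature table, sector size and sample image are constructed here.
"""
import hashlib
import io

SECTOR = 512
# Magic bytes -> file type; deliberately short list for the demo
SIGNATURES = {b"\xFF\xD8\xFF": "jpeg", b"PK\x03\x04": "zip", b"%PDF-": "pdf"}
CARRY = max(len(m) for m in SIGNATURES) - 1   # longest signature minus one byte


def stream_scan(fileobj, chunk_size=1 << 20) -> dict:
    """Read fileobj from start to end exactly once.

    Returns the whole-image SHA-256, a SHA-256 per 512-byte sector, and
    sorted (offset, type) hits for every signature, including those that
    straddle a chunk boundary.
    """
    whole = hashlib.sha256()
    sector_hashes, hits = [], []
    pending = b""      # partial sector left over from the previous chunk
    carry = b""        # last CARRY bytes of the previous chunk
    offset = 0         # absolute offset of the first byte of `chunk`
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        whole.update(chunk)

        # Consumer 1: per-sector hashes, hashing only complete sectors
        buf = pending + chunk
        full = len(buf) - len(buf) % SECTOR
        for i in range(0, full, SECTOR):
            sector_hashes.append(hashlib.sha256(buf[i:i + SECTOR]).hexdigest())
        pending = buf[full:]

        # Consumer 2: signature search over carry + chunk. A hit that ends
        # inside the carry region was already fully visible last time and
        # is skipped, so boundary-spanning hits are reported exactly once.
        window = carry + chunk
        base = offset - len(carry)
        for magic, kind in SIGNATURES.items():
            idx = window.find(magic)
            while idx >= 0:
                if idx + len(magic) > len(carry):
                    hits.append((base + idx, kind))
                idx = window.find(magic, idx + 1)
        carry = window[-CARRY:] if CARRY > 0 else b""
        offset += len(chunk)

    if pending:                      # trailing partial sector, if any
        sector_hashes.append(hashlib.sha256(pending).hexdigest())
    return {"sha256": whole.hexdigest(), "sectors": sector_hashes,
            "hits": sorted(hits), "size": offset}


def scan_bytes(data: bytes, chunk_size=1 << 20) -> dict:
    """Convenience wrapper so an in-memory image can be scanned."""
    return stream_scan(io.BytesIO(data), chunk_size=chunk_size)


def build_sample_image(size=4096) -> bytes:
    """Constructed 4 KiB 'disk image' (all zeros) with three planted
    signatures; the ZIP header straddles a 1024-byte chunk boundary."""
    img = bytearray(size)
    img[1000:1003] = b"\xFF\xD8\xFF"
    img[1022:1026] = b"PK\x03\x04"
    img[3000:3005] = b"%PDF-"
    return bytes(img)


if __name__ == "__main__":
    report = scan_bytes(build_sample_image(), chunk_size=1024)
    print(report["sha256"], len(report["sectors"]), report["hits"])
```

Run it with `open("image.dd", "rb")` in place of the BytesIO wrapper to process a real image; the hits, sector hashes and whole-image hash come out identical whatever chunk size is chosen, which is the property a single-pass design has to guarantee.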

Tool Development

AFF Enhancement

  • Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
  • Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.
  • Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
  • Improve the data recovery features of aimage.
  • Replace AFF's current table-of-contents system with one based on B+ Trees.

Decoders and Validators

  • A JPEG decompressor that supports restarts and checkpointing for use in high-speed carving. It would also be useful if the JPEG decompressor did not actually decompress: all it needs to do is verify the Huffman tables.
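
As an added illustration of the "validator that does not decompress" idea (example code written for this page, not a tool from the Forensics Wiki or from any carving project): a Python walker that steps through JPEG marker segments from SOI to the first SOS and checks every DHT table for structural sanity. It verifies that the table class and id are in range, that the 16 BITS counts declare at most 256 codes, that those counts satisfy the Kraft inequality so they can form a prefix code, and that the HUFFVAL bytes exactly fill the segment; no entropy-coded data is touched. The sample input is constructed inline (the standard DC luminance table from Annex K of the JPEG specification wrapped in SOI/DHT/SOS), and the `corrupt` flag, function names and report layout are this example's own choices.

```python
"""Header-only JPEG validator for high-speed carving: walks the marker
segments from SOI up to the first SOS and checks every Huffman table (DHT)
for structural sanity without decoding a single pixel.

Added example written for this page; not code from the Forensics Wiki or
from any carving tool. Function names and the report layout are this
example's own choices.
"""
import struct

# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def huffman_table_errors(payload: bytes) -> list:
    """Validate every table packed into one DHT segment payload.

    Each table is: 1 byte Tc/Th, 16 BITS counts, then sum(BITS) HUFFVAL bytes.
    Returns a list of problems; an empty list means the tables are plausible.
    """
    errors = []
    if not payload:
        return ["empty DHT segment"]
    pos = 0
    while pos < len(payload):
        if pos + 17 > len(payload):
            return errors + ["truncated DHT table header"]
        tc, th = payload[pos] >> 4, payload[pos] & 0x0F
        if tc > 1:
            errors.append(f"bad table class {tc} (must be 0=DC or 1=AC)")
        if th > 3:
            errors.append(f"bad table id {th} (must be 0..3)")
        bits = payload[pos + 1:pos + 17]
        total = sum(bits)
        if total > 256:
            errors.append(f"{total} codes declared, maximum is 256")
        # Code lengths can only form a prefix code if the Kraft inequality
        # holds: sum over lengths L of count_L * 2**-L <= 1
        kraft = sum(n / (1 << length) for length, n in enumerate(bits, start=1))
        if kraft > 1.0:
            errors.append(f"Kraft sum {kraft:.3f} > 1, not a valid prefix code")
        pos += 17 + total
        if pos > len(payload):
            return errors + ["HUFFVAL shorter than the BITS counts declare"]
    return errors  # normal loop exit: the tables exactly filled the segment


def validate_jpeg_header(data: bytes) -> dict:
    """Walk marker segments from SOI to SOS (or EOI) and collect problems.

    Returns {"ok": bool, "segments": [marker hex strings], "errors": [...]}.
    Entropy-coded scan data after SOS is never read.
    """
    report = {"ok": False, "segments": [], "errors": []}
    if len(data) < 4 or data[:2] != b"\xFF\xD8":
        report["errors"].append("missing SOI marker")
        return report
    pos, dht_count, reached_sos = 2, 0, False
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            report["errors"].append(f"expected 0xFF marker prefix at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between segments, legal
            pos += 1
            continue
        report["segments"].append(f"FF{marker:02X}")
        if marker in STANDALONE:
            pos += 2
            if marker == 0xD9:      # EOI
                break
            continue
        if pos + 4 > len(data):
            report["errors"].append("truncated segment length field")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            report["errors"].append(f"bad length {length} for marker FF{marker:02X}")
            break
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xC4:          # DHT
            dht_count += 1
            report["errors"].extend(huffman_table_errors(payload))
        pos += 2 + length
        if marker == 0xDA:          # SOS: scan data follows, stop here
            reached_sos = True
            break
    if reached_sos and dht_count == 0:
        report["errors"].append("SOS reached without any DHT segment")
    report["ok"] = not report["errors"]
    return report


def build_sample(corrupt: bool = False) -> bytes:
    """Constructed input, not a real photograph: SOI, one DHT holding the
    standard DC luminance table (JPEG Annex K.3), an SOS header, a few
    bytes of fake scan data, EOI. corrupt=True declares three 1-bit codes,
    which no prefix code can contain, while keeping the segment length
    self-consistent so only the Kraft check fires."""
    bits = bytes([0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0])
    if corrupt:
        bits = bytes([3]) + bits[1:]
    vals = bytes(range(sum(bits)))
    dht_payload = bytes([0x00]) + bits + vals
    dht = b"\xFF\xC4" + struct.pack(">H", len(dht_payload) + 2) + dht_payload
    sos_payload = bytes([1, 0x01, 0x00, 0x00, 0x3F, 0x00])  # 1 component, tables 0/0
    sos = b"\xFF\xDA" + struct.pack(">H", len(sos_payload) + 2) + sos_payload
    return b"\xFF\xD8" + dht + sos + b"\x12\x34\x56" + b"\xFF\xD9"


if __name__ == "__main__":
    print(validate_jpeg_header(build_sample()))
    print(validate_jpeg_header(build_sample(corrupt=True)))
```

In a carver this check runs on each candidate header before any decoding is attempted; a fragment whose tables cannot be a prefix code, or whose DHT length does not match its contents, is discarded without ever paying for a decompression pass.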

Cell Phones

Open source tools for:

  • Imaging the contents of a cell phone memory
  • Reassembling information in a cell phone memory


Corpora Development

Realistic Corpora

  • Simulated disk images
  • Simulated network traffic

Real Data

  • Digital Cameras
  • Cell phones
  • USB Memory Sticks below the logical layer.