Research Topics

From ForensicsWiki
Revision as of 13:31, 25 May 2007 by Simsong (Talk | contribs) (added a few things for aimage)

Jump to: navigation, search

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas. Potential Sponsor, when present, indicates the name of a researcher who would be interested in lending support in the form of supervision or other resources to a project.

Tool Development

AFF Enhancement

AFF is the Advanced Forensics Format, developed by Simson Garfinkel and Basis Technology. The following enhancements would be very useful to the format:

  • Signing with X.509 or GPG keys data segments and metadata.
  • Encryption of data segments with an AES-256 key specified by a password
  • Encryption of the AES-256 key with a public key (and decryption with a corresponding private key)
  • Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
  • Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.

The following improvements in the AFF tools would be useful:

  • Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
  • Improve the data recovery features of aimage.

Sponsor for these projects: Simson Garfinkel

Decoders and Validators

  • A JPEG decompresser that supports restarts and checkpointing for use in high-speed carving. It would also be useful it the JPEG decompressor didn't actually decompress --- all it needs to do is to verify the huffman table.

Cell Phones

Open source tools for:

  • Imaging the contents of a cell phone memory
  • Reassembling information in a cell phone memory

Sponsor: Simson Garfinkel

Flash Memory

Flash memory devices such as USB keys implement a wear leveling algorithm in hardware so that frequently rewritten blocks are actually written to many different physical blocks. Are there any devices that let you access the raw flash cells underneath the wear leveling chip? Can you get statistics out of the device? Can you access pages that have been mapped out (and still have valid data) but haven't been mapped back yet? Can you use this as a technique for accessing deleted information?

Sponsor: Simson Garfinkel

Corpora Development

Real Corpora

  • Cell phone memory images

Realistic Corpora

  • Simulated disk imags
  • Simulated network traffic