Difference between pages "Harlan Carvey" and "Research Topics"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (Added web links to his blog)
 
m (SleuthKit Enhancements)
 
Line 1: Line 1:
[[File:HarlanCarvey.jpg|200px|thumb|right|alt text]] [[Harlan Carvey]] is a computer forensics author, researcher and practitioner. He has written several books and tools focusing on [[Windows]] systems and [[Incident Response|incident response]]. His [http://windowsir.blogspot.com Windows Incident Response Blog] Harlan Carvey's interest in computer and information security began while he was an officer in the U.S. military, and a student at the Naval Postgraduate School, earning his MSEE. After leaving military service, he began working in the field of commercial and government information security consulting, performing vulnerability assessments and penetration tests. While employed at one company, he was the sole developer of a program for collecting security-specific information (i.e., Registry entries, file information, configuration settings, etc.) from Windows NT systems during vulnerability assessments. The purpose of the product was to overcome shortfalls in commercial scanning products and provide more valuable information to the customer. Harlan has also done considerable work in the area of incident response and forensics, performing internal and external investigations. He has also written a number of proof-of-concept tools for educating users in such topics as Windows null sessions, file signature analysis, and the retrieval of metadata from a variety of file formats. Harlan's experience with computers began in the early '80s, with a Timex-Sinclair 1000. Around that time, he was learning to program BASIC on an Apple IIe. From there, he moved on to computers such as the Epson QX-10 and the TRS-80, on which he programmed BASIC and learned some rudimentary PASCAL, using the TurboPASCAL compiler. Since then, he's worked with SunOS and Solaris systems, as well as various versions of DOS and Windows, OS/2, and Linux. Harlan has presented at a variety of computer security conferences, including Usenix, DefCon9, Black Hat, GMU2003/HTCIA/RCFG, WACCI, and PFIC2010. He has discussed various topics specific to issues on Windows platforms, such as data hiding, incident response, and forensic analysis. He has had articles published in the Information Security Bulletin, on the SecurityFocus web site, and in the Hakin9 magazine. Finally, Harlan has written a number of open source programs (including RegRipper), which have been made available online and via CDs/DVDs in his books. His [http://windowsir.blogspot.com/ Windows Incident Response] blog is updated on a regular basis.
+
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.
  
== Website ==
+
==Short-Term Engineering Projects==
 +
These projects would make a nice master's thesis or the start of a PhD.
  
* [http://windowsir.blogspot.com Harlen's Windows Incident Response Blog]
+
; Physical layer access to flash storage.
 +
: Gain access to the physical layer of SD or USB flash storage device. This will require reverse-engineering the proprietary APIs or gaining access to proprietary information from the manufacturers. Use these APIs to demonstrate the feasibility of recovering residual data that has been overwritten at the logical layer but which is still present at the physical layer.  
  
== Tools ==
+
===SleuthKit Enhancements===
 +
[[SleuthKit]] is the popular open-source system for forensics and data recovery.
 +
* Add support for a new file system:
 +
** The [[YAFFS]] [[flash file system]]. (YAFFS2 is currently used on the Google G1 phone.)
 +
** The [[JFFS2]] [[flash file system]]. (JFFS2 is currently used on the One Laptop Per Child laptop.)
 +
** [[XFAT]], Microsoft's new FAT file system.
 +
** [[EXT4]]
 +
* Enhance support for an existing file system:
 +
** Report the physical location on disk of compressed files.
 +
** Add support for NTFS encrypted files (EFS)
 +
** Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see [[NTFS]])
 +
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
 +
* Rewrite '''sorter''' in C++ to make it faster and more flexible.
  
* [http://code.google.com/p/winforensicaanalysis/downloads/list WinForensicAnalysis Tools] - Hosted on Google Code, includes files for the Windows Registry Forensics book.
+
===Timeline Analysis===
 +
; Timeline Visualization and Analysis
 +
: Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
 +
; Changed Clocks
 +
: Detect a system that has had its clock changed.
  
== Books ==
+
==Research Areas==
 +
These are research areas that could easily grow into a PhD thesis.
 +
; Stream-based Forensics
 +
: Process the entire disk with one pass to minimize seek time.  (You may find it necessary to do a quick metadata scan first.)
 +
; Stegnography Detection (general purpose)
 +
: Detect the use of stegnography by through the analysis of file examplars and specifications.
 +
; Sanitization Detection
 +
: Detect and diagnose sanitization attempts.
 +
; Compressed Data Reconstruction
 +
: Reconstruct decompressed data from a GZIP file after the first 1K has been removed.
 +
;Evidence Falsification Detection
 +
: Automatically detect falsified digital evidence through the use of inconsistency in file system allocations, application data allocation, and log file analysis.
 +
; Visualization of data/information in digital forensic context
 +
: SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;
  
* ''[http://http://www.syngress.com/digital-forensics/Windows-Registry-Forensics/ Windows Registry Forensics]''
+
==Correlation==
* ''[http://www.syngress.com/catalog/index.cfm?pid=4235 Windows Forensic Analysis]''
+
* Logfile correlation
* ''[http://www.amazon.com/Forensics-Incident-Addison-Wesley-Microsoft-Technology/dp/0321200985/ref=sr_1_3?ie=UTF8&s=books&qid=1200485877&sr=1-3 Windows Forensics and Incident Recovery]''
+
* Document identity identification
* ''[http://www.amazon.com/Perl-Scripting-Security-Harlan-Carvey/dp/159749173X/ref=pd_bbs_sr_2?ie=UTF8&s=books&qid=1200485877&sr=1-2 Perl Scripting for Windows Security]''
+
* Correlation between stored data and intercept data
* ''A Study of Video Teleconferencing Traffic on a TCP/IP Network''
+
* Online Social Network Analysis
 +
** Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
 +
** Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
 +
* Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login
  
[[Category:People]]
+
==Programming Projects==
 +
===File Visualization===
 +
Write a program that visualizes the contents of a file, sort of like hexedit, but with other features:
 +
* Automatically pull out the strings
 +
* Show histogram
 +
* Detect crypto and/or stenography.
 +
I would write the program in java with a plug-in architecture.
 +
 
 +
===Carving===
 +
* Write [[Carver 2.0 Planning Page | Carver 2.0]]
 +
* Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.
 +
 
 +
===fiwalk Enhancements===
 +
* Rewrite the metadata extraction system.
 +
* Extend [[fiwalk]] to report the NTFS "inodes."
 +
 
 +
==File Format analysis==
 +
Analysis of file format for forensic artefacts; could be combined with programming to build code that parses the format.
 +
 
 +
* Continue work on the [[Extensible Storage Engine (ESE) Database File (EDB) format]] in regard to
 +
** Fill in the missing information about older ESE databases
 +
** Exchange EDB (MAPI database), STM
 +
** Active Directory (Active Directory working document available on request)
 +
* Continue work on the [[Notes Storage Facility (NSF)]] (code available on request)
 +
* Microsoft SQL Server databases
 +
 
 +
__NOTOC__

Revision as of 07:45, 2 February 2011

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.

Short-Term Engineering Projects

These projects would make a nice master's thesis or the start of a PhD.

Physical layer access to flash storage.
Gain access to the physical layer of SD or USB flash storage device. This will require reverse-engineering the proprietary APIs or gaining access to proprietary information from the manufacturers. Use these APIs to demonstrate the feasibility of recovering residual data that has been overwritten at the logical layer but which is still present at the physical layer.

SleuthKit Enhancements

SleuthKit is the popular open-source system for forensics and data recovery.

  • Add support for a new file system:
  • Enhance support for an existing file system:
    • Report the physical location on disk of compressed files.
    • Add support for NTFS encrypted files (EFS)
    • Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see NTFS)
  • Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
  • Rewrite sorter in C++ to make it faster and more flexible.

Timeline Analysis

Timeline Visualization and Analysis
Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
Changed Clocks
Detect a system that has had its clock changed.

Research Areas

These are research areas that could easily grow into a PhD thesis.

Stream-based Forensics
Process the entire disk with one pass to minimize seek time. (You may find it necessary to do a quick metadata scan first.)
Stegnography Detection (general purpose)
Detect the use of stegnography by through the analysis of file examplars and specifications.
Sanitization Detection
Detect and diagnose sanitization attempts.
Compressed Data Reconstruction
Reconstruct decompressed data from a GZIP file after the first 1K has been removed.
Evidence Falsification Detection
Automatically detect falsified digital evidence through the use of inconsistency in file system allocations, application data allocation, and log file analysis.
Visualization of data/information in digital forensic context
SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;

Correlation

  • Logfile correlation
  • Document identity identification
  • Correlation between stored data and intercept data
  • Online Social Network Analysis
    • Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
    • Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
  • Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login

Programming Projects

File Visualization

Write a program that visualizes the contents of a file, sort of like hexedit, but with other features:

  • Automatically pull out the strings
  • Show histogram
  • Detect crypto and/or stenography.

I would write the program in java with a plug-in architecture.

Carving

  • Write Carver 2.0
  • Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.

fiwalk Enhancements

  • Rewrite the metadata extraction system.
  • Extend fiwalk to report the NTFS "inodes."

File Format analysis

Analysis of file format for forensic artefacts; could be combined with programming to build code that parses the format.