Difference between revisions of "Main Page"

From ForensicsWiki
Jump to: navigation, search
m
m
Line 15: Line 15:
 
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>
 
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>
  
<small>August 2011</small>
+
<small>Dec 2011</small>
 
    
 
    
 
<bibtex>
 
<bibtex>
@article{beverly:ipcarving,
+
@INPROCEEDINGS{5931110,  
author = "Robert Beverly and Simson Garfinkel and Gregory Cardwell",
+
author={Baier, H. and Breitinger, F.},  
journal = "Digital Investigation",
+
booktitle={IT Security Incident Management and IT Forensics (IMF), 2011 Sixth International Conference on},  
publisher="Elsevier",
+
title={Security Aspects of Piecewise Hashing in Computer Forensics},  
booktitle = {Proc. of the Eleventh Annual DFRWS Conference},
+
year={2011},  
title = "Forensic Carving of Network Packets and Associated Data Structures",
+
month={may},  
volume=8
+
volume={},
year = 2011,
+
number={},
abstract="Using validated carving techniques, we show that popular operating systems (\eg Windows, Linux, and OSX)  frequently have residual IP packets, Ethernet frames,  and associated data structures present in system memory  from long-terminated network traffic. Such information is useful  for many forensic purposes including establishment of   prior connection activity and services used;  identification of other  systems present on the system's LAN or WLAN; geolocation of the  host computer system; and cross-drive analysis. We show that network structures can also be  recovered from memory that is persisted onto a mass storage medium   during the course of system swapping or hibernation.  We present our network carving techniques, algorithms and tools,   and validate these against both purpose-built memory images and a readily  available forensic corpora. These techniques are  valuable to both forensics tasks, particularly  in analyzing mobile devices, and to cyber-security objectives such  as malware analysis."
+
pages={21 -36},
}
+
keywords={MD5 hash function;SHA-1 hash function;computer forensics;cryptographic hash function;piecewise hashing security aspect;pseudorandom number generator;security analysis;computer forensics;cryptography;random number generation;},
 +
doi={10.1109/IMF.2011.16},  
 +
abstract="Although hash functions are a well-known method in computer science to map arbitrary large data to bit strings of a fixed length, their use in computer forensics is currently very limited. As of today, in a pre-step process hash values of files are generated and stored in a database, typically a cryptographic hash function like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. This approach has several drawbacks, which have been sketched in the community, and some alternative approaches have been proposed. The most popular one is due to Jesse Kornblum, who transferred ideas from spam detection to computer forensics in order to identify similar files. However, his proposal lacks a thorough security analysis. It is therefore one aim of the paper at hand to present some possible attack vectors of an active adversary to bypass Kornblum's approach. Furthermore, we present a pseudo random number generator being both more efficient and more random compared to Kornblum's pseudo random number generator."
 +
ISSN={},}
 
</bibtex>
 
</bibtex>
<i>Using validated carving techniques, we show that popular operating systems (\eg Windows, Linux, and OSX)  frequently have residual IP packets, Ethernet frames,   and associated data structures present in system memory  from long-terminated network traffic. Such information is useful  for many forensic purposes including establishment of   prior connection activity and services used;  identification of other  systems present on the system's LAN or WLAN; geolocation of the  host computer system; and cross-drive analysis. We show that network structures can also be  recovered from memory that is persisted onto a mass storage medium   during the course of system swapping or hibernation.  We present our network carving techniques, algorithms and tools,   and validate these against both purpose-built memory images and a readily  available forensic corpora. These techniques are  valuable to both forensics tasks, particularly  in analyzing mobile devices, and to cyber-security objectives such  as malware analysis.</i>
+
Although hash functions are a well-known method in computer science to map arbitrary large data to bit strings of a fixed length, their use in computer forensics is currently very limited. As of today, in a pre-step process hash values of files are generated and stored in a database, typically a cryptographic hash function like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. This approach has several drawbacks, which have been sketched in the community, and some alternative approaches have been proposed. The most popular one is due to Jesse Kornblum, who transferred ideas from spam detection to computer forensics in order to identify similar files. However, his proposal lacks a thorough security analysis. It is therefore one aim of the paper at hand to present some possible attack vectors of an active adversary to bypass Kornblum's approach. Furthermore, we present a pseudo random number generator being both more efficient and more random compared to Kornblum's pseudo random number generator.
 
+
 
+
  
 
(See also [[Past Selected Articles]])
 
(See also [[Past Selected Articles]])

Revision as of 16:32, 13 December 2011

This is the Forensics Wiki, a Creative Commons-licensed wiki devoted to information about digital forensics (also known as computer forensics). We currently list a total of 719 pages.

Much of computer forensics is focused on the tools and techniques used by investigators, but there are also a number of important papers, people, and organizations involved. Many of those organizations sponsor conferences throughout the year and around the world. You may also wish to examine the popular journals and some special reports.

WIKI MAINTENANCE NOTE: We have re-installed mediawiki. New anti-spam measures and account re-confirmation software is in effect. Please let us know if you have problems on the Contact Form


Featured Forensic Research

Dec 2011

Baier, H., Breitinger, F. - Security Aspects of Piecewise Hashing in Computer Forensics
IT Security Incident Management and IT Forensics (IMF), 2011 Sixth International Conference on pp. 21 -36, may 2011
Bibtex
Author : Baier, H., Breitinger, F.
Title : Security Aspects of Piecewise Hashing in Computer Forensics
In : IT Security Incident Management and IT Forensics (IMF), 2011 Sixth International Conference on -
Address :
Date : may 2011

Although hash functions are a well-known method in computer science to map arbitrary large data to bit strings of a fixed length, their use in computer forensics is currently very limited. As of today, in a pre-step process hash values of files are generated and stored in a database, typically a cryptographic hash function like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. This approach has several drawbacks, which have been sketched in the community, and some alternative approaches have been proposed. The most popular one is due to Jesse Kornblum, who transferred ideas from spam detection to computer forensics in order to identify similar files. However, his proposal lacks a thorough security analysis. It is therefore one aim of the paper at hand to present some possible attack vectors of an active adversary to bypass Kornblum's approach. Furthermore, we present a pseudo random number generator being both more efficient and more random compared to Kornblum's pseudo random number generator.

(See also Past Selected Articles)

Featured Article

Forensic Linux Live CD issues
Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. Read More...


Topics



You can help! We have a list of articles that need to be expanded. If you know anything about any of these topics, please feel free to chip in.