Difference between pages "Research Topics" and "GRR"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Flash Memory)
 
 
Line 1: Line 1:
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas. ''Potential Sponsor,'' when present, indicates the name of a researcher who would be interested in lending support in the form of supervision or other resources to a project.
+
{{Infobox_Software |
 +
  name = Rekall |
 +
  maintainer = [[Darren Bilby]] and others |
 +
  os = {{Cross-platform}} |
 +
  genre = {{Incident response}} |
 +
  license = {{APL}} |
 +
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
 +
}}
  
=Tool Development=
+
GRR is an Incident Response Framework focused on Remote Live Forensics.
==AFF Enhancement==
+
[[AFF]] is the Advanced Forensics Format, developed by Simson Garfinkel and Basis Technology. The following enhancements would be very useful to the format:
+
* Signing with X.509 or GPG keys data segments and metadata.
+
* Encryption of data segments with an AES-256 key specified by a password
+
* Encryption of the AES-256 key with a public key (and decryption with a corresponding private key)
+
* Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
+
* Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.
+
  
''Sponsor for these projects: [[User:Simsong|Simson Garfinkel]]''
+
The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.
  
==Flash Memory==
+
The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.
Flash memory devices such as USB keys implement a [http://www.st.com/stonline/products/literature/an/10122.htm wear leveling algorithm] in hardware so that frequently rewritten blocks are actually written to many different physical blocks. Are there any devices that let you access the raw flash cells underneath the wear leveling chip? Can you get statistics out of the device? Can you access pages that have been mapped out (and still have valid data) but haven't been mapped back yet? Can you use this as a technique for accessing deleted information?
+
  
''Sponsor: [[User:Simsong|Simson Garfinkel]]''
+
= See also =
 +
* [[rekall]]
 +
 
 +
= External Links =
 +
* [https://code.google.com/p/grr/ Project site]
 +
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
 +
* [http://grr.googlecode.com/git/docs/index.html Documentation]
 +
 
 +
== Publications ==
 +
* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
 +
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]], Digital Investigation, 2013.
 +
 
 +
== Presentations ==
 +
* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]
 +
 
 +
== Workshops ==
 +
* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]

Revision as of 14:36, 12 January 2014

Rekall
Maintainer: Darren Bilby and others
OS: Cross-platform
Genre: Incident Response
License: APL
Website: code.google.com/p/grr/

GRR is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the sleuthkit and pytsk projects.

The memory analysis and acquisition capabilities of GRR are provided by the rekall project.

See also

External Links

Publications

Presentations

Workshops