Difference between pages "Research Topics" and "GRR"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Reverse-Engineering Projects)
 
 
Line 1: Line 1:
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.
+
{{Infobox_Software |
 +
  name = Rekall |
 +
  maintainer = [[Darren Bilby]] and others |
 +
  os = {{Cross-platform}} |
 +
  genre = {{Incident response}} |
 +
  license = {{APL}} |
 +
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
 +
}}
  
Many of these would make a nice master's project.
+
GRR is an Incident Response Framework focused on Remote Live Forensics.
  
=Programming Projects=
+
The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.
  
==Small-Sized Programming Projects==
+
The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.
* Modify [[bulk_extractor]] so that it can directly acquire a raw device under Windows. This requires replacing the current ''open'' function call with a ''CreateFile'' function call and using windows file handles.
+
* Rewrite SleuthKit '''sorter''' in C++ to make it faster and more flexible.
+
  
==Medium-Sized Programming Projects==
+
= See also =
* Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
+
* [[rekall]]
** Automatically pull out the strings
+
** Show histogram
+
** Detect crypto and/or stenography.
+
* Extend [[fiwalk]] to report the NTFS alternative data streams.
+
* Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.
+
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
+
* Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.
+
  
 +
= External Links =
 +
* [https://code.google.com/p/grr/ Project site]
 +
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
 +
* [http://grr.googlecode.com/git/docs/index.html Documentation]
  
==Big Programming Projects==
+
== Publications ==
* Develop a new carver with a plug-in architecture and support for fragment reassembly carving (see [[Carver 2.0 Planning Page]]).
+
* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
+
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]], Digital Investigation, 2013.
  
* Correlation Engine:
+
== Presentations ==
** Logfile correlation
+
* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]
** Document identity identification
+
** Correlation between stored data and intercept data
+
** Online Social Network Analysis
+
  
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
+
== Workshops ==
** Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
+
* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]
** Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login
+
 
+
=Reverse-Engineering Projects=
+
==Reverse-Engineering Projects==
+
* Reverse the on-disk structure of the [[Extensible Storage Engine (ESE) Database File (EDB) format]] to learn:
+
** Fill in the missing information about older ESE databases
+
** Exchange EDB (MAPI database), STM
+
** Active Directory (Active Directory working document available on request)
+
* Reverse the on-disk structure of the Lotus [[Notes Storage Facility (NSF)]]
+
* Reverse the on-disk structure of Microsoft SQL Server databases
+
* Add support to SleuthKit for [[FAT|eXFAT]], Microsoft's new FAT file system.
+
* Add support to SleuthKit for [[Resilient File System (ReFS)|ReFS]].
+
* Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
+
* Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
+
* Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see [[NTFS]])
+
 
+
==EnCase Enhancement==
+
* Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)
+
 
+
= Timeline analysis =
+
* Mapping differences and similarities in multiple versions of a system, e.g. those created by [[Windows Shadow Volumes]]
+
 
+
=Research Areas=
+
These are research areas that could easily grow into a PhD thesis.
+
* General-purpose detection of:
+
** Stegnography
+
** Sanitization attempts
+
** Evidence Falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis.
+
* Visualization of data/information in digital forensic context
+
* SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;
+
 
+
 
+
 
+
__NOTOC__
+

Revision as of 14:36, 12 January 2014

Rekall
Maintainer: Darren Bilby and others
OS: Cross-platform
Genre: Incident Response
License: APL
Website: code.google.com/p/grr/

GRR is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the sleuthkit and pytsk projects.

The memory analysis and acquisition capabilities of GRR are provided by the rekall project.

Contents

See also

External Links

Publications

Presentations

Workshops