Difference between pages "Research Topics" and "Using signature headers to determine if an email has been forged"

From Forensics Wiki
(Difference between pages)
(Reverse-Engineering Projects)
 
(Domain Key Signatures)
 
Line 1: Line 1:
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.
+
{{Expand}}
  
Many of these would make a nice master's project.
 
  
=Programming Projects=
+
== DomainKeys Identified Mail ==
 +
{main|DomainKeys Identified Mail}
  
==Small-Sized Programming Projects==
+
== Domain Key Signatures ==
* Modify [[bulk_extractor]] so that it can directly acquire a raw device under Windows. This requires replacing the current ''open'' function call with a ''CreateFile'' function call and using windows file handles.
+
* Rewrite SleuthKit '''sorter''' in C++ to make it faster and more flexible.
+
  
==Medium-Sized Programming Projects==
+
These headers, included by the mail server, provide a signature of each message. See [[Gmail Header Format]]. The public keys are distributed via [[Domain Name System|DNS]].
* Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
+
** Automatically pull out the strings
+
** Show histogram
+
** Detect crypto and/or stenography.
+
* Extend [[fiwalk]] to report the NTFS alternative data streams.
+
* Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.
+
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
+
* Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.
+
  
 +
== Signed mail ==
  
==Big Programming Projects==
+
Some other programs can be used by the sender to sign an email message. Programs such as [[PGP]], [[GnuPG]].
* Develop a new carver with a plug-in architecture and support for fragment reassembly carving (see [[Carver 2.0 Planning Page]]).
+
* Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
+
  
* Correlation Engine:
+
=== PGP Messages ===
** Logfile correlation
+
** Document identity identification
+
** Correlation between stored data and intercept data
+
** Online Social Network Analysis
+
  
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
+
Messages sent using PGP, or its free equivalents such as GnuPG, have the signature in the message body itself. Each message can be signed, encrypted, or both. Encrypted messages begin with the header
** Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
+
<pre>-----BEGIN PGP MESSAGE-----</pre> followed by some optional headers. The optional headers may include the character set of the decoded message, the program and version that created the message, and an optional comment. The end of the message is noted with <pre>-----END PGP MESSAGE-----</pre> Between these two lines are a series of ASCII characters that represent the encrypted or signed message.  
** Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login
+
  
=Reverse-Engineering Projects=
+
A signed message has the header <pre>-----BEGIN PGP SIGNATURE-----</pre> at the ''end'' of the signed message followed by the same optional headers as encrypted messages. The signature is usually three lines of ASCII characters.
==Reverse-Engineering Projects==
+
* Reverse the on-disk structure of the [[Extensible Storage Engine (ESE) Database File (EDB) format]] to learn:
+
** Fill in the missing information about older ESE databases
+
** Exchange EDB (MAPI database), STM
+
** Active Directory (Active Directory working document available on request)
+
* Reverse the on-disk structure of the Lotus [[Notes Storage Facility (NSF)]]
+
* Reverse the on-disk structure of Microsoft SQL Server databases
+
* Add support to SleuthKit for [[FAT|eXFAT]], Microsoft's new FAT file system.
+
* Add support to SleuthKit for [[Resilient File System (ReFS)|ReFS]].
+
* Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
+
* Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
+
* Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see [[NTFS]])
+
  
==EnCase Enhancement==
+
== See Also ==
* Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)
+
* [[Using message id headers to determine if an email has been forged]]
  
= Timeline analysis =
+
[[Category:Howtos]]
* Mapping differences and similarities in multiple versions of a system, e.g. those created by [[Windows Shadow Volumes]]
+
 
+
=Research Areas=
+
These are research areas that could easily grow into a PhD thesis.
+
* General-purpose detection of:
+
** Stegnography
+
** Sanitization attempts
+
** Evidence Falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis.
+
* Visualization of data/information in digital forensic context
+
* SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;
+
 
+
 
+
 
+
__NOTOC__
+
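Review bot: the added line {main|DomainKeys Identified Mail} uses single braces, so MediaWiki will not treat it as a template and it renders as literal text, as the revision below shows. It should read {{main|DomainKeys Identified Mail}}, in the same form as the {{Expand}} line at the top of the page. In the PGP Messages paragraph, the inline <pre> blocks break the sentences around them mid-clause; putting each marker line on its own line between complete sentences would read better.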

Revision as of 13:23, 29 April 2007


Please help to improve this article by expanding it.
Further information might be found on the discussion page.



DomainKeys Identified Mail

Main article: DomainKeys Identified Mail

Domain Key Signatures

These headers, included by the mail server, provide a signature of each message. See Gmail Header Format. The public keys are distributed via DNS.

Signed mail

The sender can also sign an email message with other programs, such as PGP or GnuPG.

PGP Messages

Messages sent using PGP, or its free equivalents such as GnuPG, have the signature in the message body itself. Each message can be signed, encrypted, or both. Encrypted messages begin with the header

-----BEGIN PGP MESSAGE-----

followed by some optional headers. The optional headers may include the character set of the decoded message, the program and version that created the message, and an optional comment. The end of the message is noted with

-----END PGP MESSAGE-----

Between these two lines is a series of ASCII characters that represents the encrypted or signed message.

A signed message has the header

-----BEGIN PGP SIGNATURE-----

at the end of the signed message, followed by the same optional headers as encrypted messages. The signature is usually three lines of ASCII characters.
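
A parser for the armor layout described above, added here as an example (it is not code from this wiki or from PGP/GnuPG). It goes slightly beyond the text by also checking the optional CRC-24 checksum line defined in RFC 4880; the names `find_armor_blocks` and `armor`, and the sample payloads, are constructed for illustration.

```python
import base64
import re

# A BEGIN line and everything up to the matching END line, as described above.
BLOCK = re.compile(
    r"^-----BEGIN PGP (MESSAGE|SIGNATURE)-----\r?\n(.*?)^-----END PGP \1-----",
    re.M | re.S)

def crc24(data: bytes) -> int:
    """CRC-24 behind the optional "=XXXX" armor checksum line (RFC 4880, 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes, headers: dict) -> str:
    """Build a constructed sample block; the payload is not real OpenPGP data."""
    check = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----",
                      *(f"{k}: {v}" for k, v in headers.items()), "",
                      base64.b64encode(payload).decode(), check,
                      f"-----END PGP {kind}-----", ""])

def find_armor_blocks(body: str) -> list:
    """Report type, optional headers and checksum state of each armor block."""
    blocks = []
    for m in BLOCK.finditer(body):
        lines = [l.strip() for l in m.group(2).splitlines()]
        blk = {"type": m.group(1), "crc_ok": None,  # None: no checksum line
               "headers": dict(l.split(": ", 1) for l in lines if ": " in l)}
        check = [l[1:] for l in lines if l.startswith("=") and len(l) == 5]
        data = "".join(l for l in lines
                       if l and ": " not in l and not l.startswith("="))
        try:
            raw = base64.b64decode(data, validate=True)
            if check:
                stored = int.from_bytes(base64.b64decode(check[0]), "big")
                blk["crc_ok"] = crc24(raw) == stored
        except ValueError:
            blk["crc_ok"] = False  # body is not valid base64: damaged or edited
        blocks.append(blk)
    return blocks

# Constructed email body: an encrypted-message block, then a signature block.
SAMPLE = ("Hello,\n\n" + armor("MESSAGE", bytes(range(60)),
                               {"Version": "Example 1.0", "Charset": "UTF-8"})
          + armor("SIGNATURE", b"\x01" * 65, {"Comment": "constructed sample"}))
```

A passing checksum only shows that the block was not damaged in transit; whether a signature is genuine still has to be established by verifying it against the signer's public key.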

See Also