Difference between pages "List of Cyberspeak Podcast Interviews" and "Research Topics"

From ForensicsWiki

List of Cyberspeak Podcast Interviews

The [[Cyberspeak podcast]] usually features at least one interview per show. The guests on each show are listed below.

=== 2005 ===

* 18 Dec 2005: [[Nick Harbour]], author of [[Dcfldd|dcfldd]]
* 31 Dec 2005: [[Jesse Kornblum]], author of [[foremost]] and [[md5deep]]

=== 2006 ===

* 7 Jan 2006: [[Drew Fahey]], author of [[Helix]]
* 18 Jan 2006: [[Simple Nomad]]
* 21 Jan 2006: [[Johnny Long]]
* 28 Jan 2006: [[Kevin Mandia]]

* 4 Feb 2006: [[Brian Carrier]]
* 11 Feb 2006: [[Jesse Kornblum]]
* 18 Feb 2006: [[Bruce Potter]] of the Shmoo Group
* 25 Feb 2006: [[Kris Kendall]] speaks about malware analysis

* 4 Mar 2006: [[Dave Merkel]]
* 11 Mar 2006: [[James Wiebe]] of [[Wiebe Tech]]. Also [[Todd Bellows]] of [[LogiCube]] about [[CellDek]]
* 18 Mar 2006: [[Kris Kendall]]
* 25 Mar 2006: (No interview)

* 1 Apr 2006: [[Harlan Carvey]], creator of the [[Forensic Server Project]]
* 8 Apr 2006: (No interview)
* 15 Apr 2006: (No interview), but first to mention the [[Main_Page|Forensics Wiki]]!
* 22 Apr 2006: [[Jaime Florence]] about [[Mercury]], a text indexing product

* 6 May 2006: [[Mark Rache]] and [[Dave Merkel]]
* 13 May 2006: [[Steve Bunting]]
* 21 May 2006: [[Mike Younger]]
* 29 May 2006: [[Mike Younger]]

* 3 Jun 2006: [[Jesse Kornblum]] about [[Windows Memory Analysis]]
* 10 Jun 2006: (No interview)
* 17 Jun 2006: [[Mike Younger]]
* 24 Jun 2006: (No interview)

* 1 Jul 2006: (No interview)
* 9 Jul 2006: [[Johnny Long]]
* 18 Jul 2006: [[Dark Tangent]]
* 30 Jul 2006: [[Jesse Kornblum]] about [[Ssdeep|ssdeep]] and [[Context Triggered Piecewise Hashing|Fuzzy Hashing]]

* 10 Aug 2006: [[Brian Contos]] discusses his book ''Insider Threat: Enemy at the Watercooler''
* 13 Aug 2006: [[Richard Bejtlich]] discusses his book ''Real Digital Forensics''
* 27 Aug 2006: [[David Farquhar]]

* 3 Sep 2006: [[Keith Jones]]
* 10 Sep 2006: (No interview)
* 17 Sep 2006: (No interview)
* 24 Sep 2006: (No interview)

* 1 Oct 2006: [[Brian Kaplan]], author of [[LiveView]]
* 8 Oct 2006: [[Tom Gallagher]] discusses his book ''Hunting Security Bugs''
* 15 Oct 2006: (No interview)
* 29 Oct 2006: (No interview)

* 12 Nov 2006: [[Jesse Kornblum]] discusses his paper ''Exploiting the Rootkit Paradox with Windows Memory Analysis''
* 19 Nov 2006: [[Kris Kendall]] discusses unpacking binaries when conducting malware analysis
* 26 Nov 2006: (No interview)

* 3 Dec 2006: [[Brian Dykstra]]
* 10 Dec 2006: [[Mike Younger]]
* 17 Dec 2006: [[Mike Younger]] and [[Geoff Michelli]]

=== 2007 ===

* 7 Jan 2007: [[Jamie Butler]]
* 17 Jan 2007: [[Chad McMillan]]
* 28 Jan 2007: [[Jesse Kornblum]]

* 11 Feb 2007: [[Scott Moulton]]
* 18 Feb 2007: [[Phil Zimmerman]], creator of [[PGP]], discussing his new [[Zfone]]
* 25 Feb 2007: [[Mark Menz]] and [[Jeff Moss]]

* 4 Mar 2007: No show due to technical difficulties
* 12 Mar 2007: [[Trevor Fairchild]] of the [[Ontario Provincial Police Department]] discussing [[C4P]] and [[C4M]], both add-ons to [[EnCase]]
* 18 Mar 2007: [[Tony Hogeveen]] of [[DeepSpar]] Data Recovery Systems
* 25 Mar 2007: Shmoocon broadcast

* 1 Apr 2007: [[Kevin Smith]] from LTU Technologies about [[Image Seeker]]
* 15 Apr 2007: [[Jim Christy]] from the [[Defense Cyber Crime Center]]
* 22 Apr 2007: [[Jesse Kornblum]] all about the [[Main_Page|Forensics Wiki]]!
* 29 Apr 2007: [[Harlan Carvey]] discusses his new book

* 13 May 2007: [[Russell Yawn]]
* 20 May 2007: (No interview)

Research Topics

Revision as of 06:50, 10 November 2010

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.

Short-Term Engineering Projects

These projects would make a nice master's thesis or the start of a PhD.

Extend SleuthKit's implementation of NTFS to cover EFS.
Extend SleuthKit's implementation of NTFS to cover Transactional NTFS (TxF).
Physical layer access to flash storage.
Gain access to the physical layer of an SD or USB flash storage device. This will require reverse-engineering the proprietary APIs or obtaining proprietary information from the manufacturers. Use these APIs to demonstrate the feasibility of recovering residual data that has been overwritten at the logical layer but is still present at the physical layer.

Timeline Analysis

Timeline Visualization and Analysis
Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
Changed Clocks
Detect a system that has had its clock changed.
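
The two items above describe one workflow: put several logs on a common time base, merge them, and then distrust the merged order wherever a source's clock was changed. The Python below is an added example, not code from the wiki or from any tool it names; the hosts, log lines and the 120-second skew of host beta are constructed for the demonstration, and the six-hour forward-gap threshold is an arbitrary choice.

```python
"""Log-file fusion with per-source clock offsets, plus a changed-clock check.

Added example for the "Timeline Analysis" topics; not code from the wiki or
from any tool it names.  Hosts, log lines and beta's 120 s skew are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    source: str      # log the line came from
    seq: int         # position in that log: append order, the clock-free reference
    ts: datetime     # timestamp as written, shifted onto the common time base
    text: str


def parse_log(source: str, lines, offset: timedelta = timedelta(0)) -> list[Event]:
    """Parse 'YYYY-MM-DD HH:MM:SS rest...' lines.  `offset` is how far this
    source's clock is known to run ahead of the reference clock; subtracting
    it puts every source on the same time base before fusion."""
    events = []
    for seq, line in enumerate(lines):
        day, clock, text = line.split(" ", 2)
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(source, seq, ts.replace(tzinfo=timezone.utc) - offset, text))
    return events


def fuse(*streams: list[Event]) -> list[Event]:
    """Merge offset-corrected streams into one timeline.  Ties are broken by
    source and append order so the merge is deterministic."""
    return sorted((e for s in streams for e in s), key=lambda e: (e.ts, e.source, e.seq))


def clock_changes(events: list[Event], max_gap: timedelta = timedelta(hours=6)):
    """Walk one source in append order and flag timestamps that run backwards
    or leap further forward than the log's normal cadence.  The log is
    append-only, so append order is the independent reference: a negative
    delta means the wall clock was set back (or lines were planted)."""
    findings = []
    ordered = sorted(events, key=lambda e: e.seq)
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur.ts - prev.ts
        if delta < timedelta(0):
            findings.append((cur.seq, "backward", delta))
        elif delta > max_gap:
            findings.append((cur.seq, "forward", delta))
    return findings


# Constructed sample logs.  Host alpha's clock is set back one hour at
# line 3; host beta's clock is known (say, from NTP logs) to run 120 s fast.
ALPHA_LOG = [
    "2010-11-09 22:00:00 alpha sshd[412]: Accepted publickey for bob from 10.0.0.5",
    "2010-11-09 22:00:07 alpha sudo: bob : TTY=pts/0 ; COMMAND=/bin/bash",
    "2010-11-09 22:00:31 alpha kernel: usb 1-1: new high-speed USB device",
    "2010-11-09 22:00:40 alpha sudo: bob : TTY=pts/0 ; COMMAND=/bin/date -s 21:00:00",
    "2010-11-09 21:00:05 alpha useradd[431]: new user: name=svc, UID=0",
    "2010-11-09 21:00:12 alpha sshd[412]: pam_unix(sshd:session): session closed for user bob",
    "2010-11-10 09:00:00 alpha CRON[519]: (root) CMD (run-parts /etc/cron.daily)",
]
BETA_LOG = [
    "2010-11-09 22:02:03 beta sshd[88]: Failed password for root from 10.0.0.5",
    "2010-11-09 22:02:20 beta sshd[88]: Accepted password for bob from 10.0.0.5",
]


def demo():
    """Fuse both hosts, then audit alpha's clock.  Returns (fused order, findings)."""
    alpha = parse_log("alpha", ALPHA_LOG)
    beta = parse_log("beta", BETA_LOG, offset=timedelta(seconds=120))
    order = [f"{e.source}:{e.seq}" for e in fuse(alpha, beta)]
    return order, clock_changes(alpha)


if __name__ == "__main__":
    order, findings = demo()
    print(" -> ".join(order))
    for seq, kind, delta in findings:
        print(f"alpha line {seq}: clock step {kind} by {delta}")
```

Run stand-alone, the fused order places alpha's lines 4 and 5 (written after `date -s`) an hour before the session that produced them, and `clock_changes` reports the backward step at line 4 and the overnight gap at line 6. Append order is the reference here because it needs no clock; on a real system the same role is played by Windows event record numbers or NTFS journal sequence numbers.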

Research Areas

These are research areas that could easily grow into a PhD thesis.

Stream-based Forensics
Process the entire disk with one pass to minimize seek time. (You may find it necessary to do a quick metadata scan first.)
Steganography Detection (general purpose)
Detect the use of steganography through the analysis of file exemplars and format specifications.
Sanitization Detection
Detect and diagnose sanitization attempts.
Compressed Data Reconstruction
Reconstruct decompressed data from a GZIP file after the first 1K has been removed.
Evidence Falsification Detection
Automatically detect falsified digital evidence through the use of inconsistency in file system allocations, application data allocation, and log file analysis.
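
As an added example for the compressed-data topic (not code from the wiki or from any project it names), the Python below takes a gzip member whose first 1K is gone, scans every bit position for the next DEFLATE block header, and inflates from there against an all-zero 32 KiB dictionary so that back-references into the lost window yield zeros instead of an error. It assumes a prefix cut with an intact trailer and NUL-free plaintext; the sample plaintext is constructed inline.

```python
"""Recover the decodable tail of a gzip member whose first bytes are missing.

Added example for the "Compressed Data Reconstruction" topic; not code from
the wiki or from any project it names.  Assumptions: the file lost a prefix
(gzip header plus the start of the DEFLATE stream), the 8-byte trailer is
still there, and the plaintext contains no NUL bytes.
"""
from __future__ import annotations

import random
import string
import zlib

WINDOW = 32 * 1024            # largest DEFLATE back-reference distance
LOST_HISTORY = bytes(WINDOW)  # stand-in for the sliding window we no longer have


def drop_leading_bits(data: bytes, bits: int) -> bytes:
    """DEFLATE packs bits LSB-first, so the stream read as a little-endian
    integer has stream bit k at integer bit k; shifting right discards the
    first `bits` bits and leaves the rest untouched."""
    if bits == 0:
        return data
    return (int.from_bytes(data, "little") >> bits).to_bytes(len(data), "little")


def inflate_from_block(stream) -> bytes | None:
    """Inflate a raw DEFLATE stream assumed to start at a block header.
    The all-zero dictionary makes references into the lost window resolve
    to zeros rather than raising 'invalid distance too far back'.  Returns
    the output only when the stream runs to its final block with nothing
    but the gzip trailer left over."""
    d = zlib.decompressobj(wbits=-15, zdict=LOST_HISTORY)
    try:
        out = d.decompress(stream)
    except zlib.error:
        return None
    # 8 trailer bytes (CRC32, ISIZE) plus at most one byte of bit-shift slack
    return out if d.eof and len(d.unused_data) <= 9 else None


def recover_tail(damaged: bytes) -> tuple[int, int, bytes] | None:
    """Try every (byte, bit) position for the first block header that inflates
    cleanly to the end of the member.  The cut block itself is unrecoverable
    this way: its Huffman tables were in the lost header."""
    views = [memoryview(drop_leading_bits(damaged, b)) for b in range(8)]
    for byte in range(len(damaged)):
        for bit in range(8):
            out = inflate_from_block(views[bit][byte:])
            if out is not None:
                return byte, bit, out
    return None


def make_sample(lines: int = 4000, seed: int = 1) -> bytes:
    """Constructed plaintext: a unique random token per line (coded mostly as
    literals) and a repeated tag (coded as a back-reference to the previous
    line, so its copy chain leads back into the lost window)."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    return b"".join(
        f"{i:06d} {''.join(rng.choices(alphabet, k=16))} status=OK\n".encode()
        for i in range(lines)
    )


def gzip_member(plain: bytes, memlevel: int = 8) -> bytes:
    """Ordinary gzip output; memlevel only changes how often zlib starts a
    new block (smaller = nearer boundaries = shorter scan)."""
    c = zlib.compressobj(6, zlib.DEFLATED, 31, memlevel)
    return c.compress(plain) + c.flush()


def demo(cut: int = 1024, memlevel: int = 8) -> dict:
    """Cut `cut` bytes off the front of a gzip member and measure what the
    scan gets back against the known plaintext."""
    plain = make_sample()
    damaged = gzip_member(plain, memlevel)[cut:]
    found = recover_tail(damaged)
    if found is None:
        return {"recovered": 0}
    byte, bit, out = found
    lost = len(plain) - len(out)          # plaintext bytes before the boundary
    truth = plain[lost:]
    # With a zero dictionary every output byte is either correct or 0x00:
    # literals are exact and copies inherit correctness or zeros.
    exact = sum(r == t for r, t in zip(out, truth))
    zeroed = sum(r != t for r, t in zip(out, truth))
    consistent = all(r == t or r == 0 for r, t in zip(out, truth))
    return {"boundary": (byte, bit), "lost_plain": lost, "recovered": len(out),
            "exact": exact, "zeroed": zeroed, "consistent": consistent}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the shape of the problem the topic asks about: everything coded as a literal comes back exactly, copies from data decoded after the boundary come back exactly, but anything whose reference chain leads into the lost window (here the repeated `status=OK` tag, which every line copies from the line before) is zeroed for the rest of the file, and the remainder of the cut block is unrecoverable by this method because its Huffman tables are gone. Filling those zeroed positions from knowledge of the file format is the research question. With zlib's default `memlevel=8` the scan takes several seconds, since the first boundary can lie tens of kilobytes past the cut.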

Correlation

  • Logfile correlation
  • Document identity identification
  • Correlation between stored data and intercept data
  • Online Social Network Analysis
    • Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
    • Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.

Programming Projects

File Visualization

Write a program that visualizes the contents of a file, sort of like hexedit, but with other features:

  • Automatically pull out the strings
  • Show histogram
  • Detect crypto and/or steganography.

I would write the program in java with a plug-in architecture.
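
Both the sanitization-detection topic above and this viewer idea rest on the same byte-level statistics. The Python below is an added example, not code from the wiki: it computes the histogram, Shannon entropy and printable strings of each block of an image, classifies blocks as pattern fill, random fill, text or binary, and collapses consecutive wiped blocks into runs. The 4 KiB block size, the 7.5 bits/byte threshold, the minimum run length and the sample image are this example's own choices.

```python
"""Block-level triage of a file or image: histogram, entropy, strings, and
runs of wiped blocks.

Added example for the "Sanitization Detection" topic and the "File
Visualization" project; not code from the wiki.  The sample image (text,
zero-filled, random-filled and 0x55AA-filled blocks) is constructed inline;
block size and thresholds are this example's choices.
"""
from __future__ import annotations

import math
import random
import re
from collections import Counter

BLOCK = 4096          # a common cluster size; 512-byte sectors work too but
                      # give noisier entropy (fewer samples per histogram)
HIGH_ENTROPY = 7.5    # bits/byte; 4 KiB of uniform random bytes scores ~7.95


def histogram(buf: bytes) -> list[int]:
    """Byte-value histogram, the basis for the viewer's chart and for entropy."""
    h = [0] * 256
    for b in buf:
        h[b] += 1
    return h


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant fill, 8.0 for a
    perfectly uniform byte distribution."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def strings(buf: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs, as strings(1) reports them."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def fill_period(buf: bytes, max_period: int = 16) -> int | None:
    """Smallest period of a repeating fill pattern (1 for 0x00 or 0xFF, 2 for
    0x55AA, ...) or None when the block is not a pure pattern."""
    for p in range(1, max_period + 1):
        if buf == (buf[:p] * (len(buf) // p + 1))[:len(buf)]:
            return p
    return None


def classify(buf: bytes) -> str:
    """pattern: wipe fill; random: random-fill wipe, encrypted or compressed
    data; text: mostly printable; binary: everything else."""
    if fill_period(buf) is not None:
        return "pattern"
    if entropy(buf) >= HIGH_ENTROPY:
        return "random"
    printable = sum(0x20 <= b < 0x7F or b in (9, 10, 13) for b in buf)
    return "text" if printable >= 0.9 * len(buf) else "binary"


def scan(image: bytes, block: int = BLOCK) -> list[tuple[int, str, float]]:
    """(block index, class, entropy) for every block of the image."""
    return [(off // block, classify(image[off:off + block]),
             round(entropy(image[off:off + block]), 2))
            for off in range(0, len(image), block)]


def wipe_runs(report, min_run: int = 4) -> list[tuple[int, int, str]]:
    """Collapse consecutive pattern/random blocks into (first, last, class)
    runs.  A long run where data is expected is the sanitization indicator;
    short runs are ordinary slack or padding and are ignored."""
    runs, i = [], 0
    while i < len(report):
        cls = report[i][1]
        j = i
        while cls in ("pattern", "random") and j < len(report) and report[j][1] == cls:
            j += 1
        if j - i >= min_run:
            runs.append((report[i][0], report[j - 1][0], cls))
        i = max(j, i + 1)
    return runs


def sample_image() -> bytes:
    """Constructed 16-block image: config text, a 6-block zero wipe, more
    text, a 4-block random-fill wipe, a 2-block 0x55AA fill, text."""
    text = (b"[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n" * 100)[:BLOCK]
    rng = random.Random(7)
    return (text * 2 + bytes(BLOCK * 6) + text + rng.randbytes(BLOCK * 4)
            + b"\x55\xaa" * BLOCK + text)


def demo() -> dict:
    """Scan the sample image and report per-block classes and wipe runs."""
    image = sample_image()
    report = scan(image)
    return {"classes": [cls for _, cls, _ in report],
            "wipe_runs": wipe_runs(report),
            "strings_seen": len(strings(image))}


if __name__ == "__main__":
    r = demo()
    for i, cls in enumerate(r["classes"]):
        print(f"block {i:2d}: {cls}")
    print("wipe runs:", r["wipe_runs"])
```

A run of zero-filled or random-filled blocks inside space that the file system says holds a file is the diagnostic signal; a short run is ordinary slack. Random fill is indistinguishable from encrypted or compressed content by entropy alone, which is why the viewer should show the histogram and strings as well: compressed and encrypted file formats usually carry recognisable headers, while a wiper leaves none.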

SleuthKit Enhancements

SleuthKit is the popular open-source system for forensics and data recovery.

  • Add support for a new file system:
    • The YAFFS flash file system. (YAFFS2 is currently used on the Google G1 phone.)
    • The JFFS2 flash file system. (JFFS2 is currently used on the One Laptop Per Child laptop.)
    • exFAT, Microsoft's new FAT file system.
  • Enhance support for an existing file system:
    • EXT4
    • Add support for NTFS encrypted files.
    • Report the physical location on disk of compressed files.
  • Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK. (I've already started on this if you want the code.)

Necessary skills: C programming and filesystem familiarity.

fiwalk Enhancements

  • Rewrite the metadata extraction system.
  • Extend fiwalk to report the NTFS "inodes."