CT-ISG: A Comprehensive Data Carving Architecture for Digital Forensics

CT-ISG：用于数字取证的综合数据雕刻架构

• 批准号: 0627226
• 负责人: Golden Richard
• 金额: --
• 依托单位: University of New Orleans
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2006
• 资助国家: 美国
• 起止时间: 2006-09-01 至 2009-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0627226&HistoricalAwards=false
• 关键词: CT; ISG; Comprehensive; Data; Carving

Golden RichardUniversity of New Orleans0627226Panel: P060969A Comprehensive Data Carving Architecture for Digital ForensicsOne of the most important software techniques in digital forensics is file carving, which uses a database of characteristics about commonly encountered file types to search physical disks for files of these types. File carving is a particularly powerful technique because files can be retrieved from raw disk images, regardless of the type of filesystem, even if file metadata has been destroyed. File carving can find data associated with deleted files, in slack space, swap files, and data "hidden" outside the filesystem. The goal is to identify the starting and ending locations of files in the disk images and "carve" (copy) sequences of bytes into regular files so their value as evidence can be measured.Currently, the scope of file carving is narrow and there are significant limitations. Patterns for new file types are typically created manually, which is a tedious and error-prone process. Current-generation tools generate many false positives, carving files whose formats are incorrect. This wastes the time of investigators, who already have overwhelming caseloads. In addition, carving has not been applied extensively to volatile media such as memory and network flows. RAM carving is useful for low-level detection of installed malware, where high level detection (e.g., via OS facilities) might be thwarted by the malware. Network data flow carving can help investigators determine whether specific documents were transmitted or whether versions of specific documents were transmitted. This research explores techniques for better automatic identification of documents, by expanding on the header/milestone/footer search generally employed in current generation tools. The research also expands the scope of data carving to include memory analysis and network flow analysis. The entire architecture is be incorporated into the distributed digital forensics framework created by the PI and his collaborators at the University of New Orleans.

Golden Richard University of New Orleans 0627226 Panel：P060969数字取证的综合数据雕刻架构数字取证中最重要的软件技术之一是文件雕刻，它使用一个关于常见文件类型的特征数据库来搜索物理磁盘以查找这些类型的文件。 文件切割是一种特别强大的技术，因为可以从原始磁盘映像中检索文件，而不管文件系统的类型，即使文件元数据已被破坏。 文件雕刻可以找到与已删除文件相关的数据，在空闲空间中，交换文件和“隐藏”在文件系统之外的数据。 其目的是确定磁盘映像中文件的起始和结束位置，并将字节序列“雕刻”（复制）到常规文件中，以衡量其证据价值。目前，文件雕刻的范围很窄，存在很大的局限性。 新文件类型的模式通常是手动创建的，这是一个繁琐且容易出错的过程。当前生成的工具生成许多误报，雕刻格式不正确的文件。 这浪费了调查人员的时间，他们已经有大量的案件要处理。 此外，雕刻还没有广泛应用于易失性介质，如内存和网络流。RAM雕刻对于安装的恶意软件的低级检测是有用的，其中高级检测（例如，通过操作系统工具）可能会被恶意软件阻止。 网络数据流雕刻可以帮助调查人员确定是否传输了特定文件或是否传输了特定文件的版本。 本研究探讨了更好地自动识别文档的技术，通过扩展当前生成工具中通常采用的页眉/里程碑/页脚搜索。 研究还扩展了数据雕刻的范围，包括内存分析和网络流量分析。 整个架构被纳入由PI和他在新奥尔良大学的合作者创建的分布式数字取证框架中。