Publications catalogue - books



Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National Centre for Forensic Science, Orlando, Florida, January 28-January 31, 2007

Philip Craiger ; Sujeet Shenoi (eds.)

Conference: 3rd IFIP International Conference on Digital Forensics (DigitalForensics). Orlando, FL, USA. January 28, 2007 - January 31, 2007

Abstract/Description (provided by the publisher)

Not available.

Keywords (provided by the publisher)

Not available.

Availability

Detected institution: Not detected
Year of publication: 2007
Browse: SpringerLink
Download: (none listed)
Request: (none listed)

Information

Resource type:

books

Print ISBN

978-0-387-73741-6

Electronic ISBN

978-0-387-73742-3

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© International Federation for Information Processing 2007

Table of contents

Disk Drive I/O Commands and Write Blocking

James Lyle; Steven Mead; Kelsey Rider

A write blocker allows read-only access to digital data on a secondary storage device by placing a hardware or software filter between the host computer and the storage device. The filter monitors I/O commands sent from the application on the host computer, only allowing commands to the device that make no changes to its data. This paper examines the I/O commands used to access secondary storage devices and discusses their implications for BIOS-based and hardware-based write blockers.

V - Forensic Techniques | Pp. 163-177

A New Process Model for Text String Searching

Nicole Beebe; Glenn Dietrich

Investigations involving digital media (e.g., hard disks and USB thumb drives) rely heavily on text string searches. Traditional search approaches utilizing matching algorithms or database technology and tree-based indexing algorithms result in an overwhelming number of “hits” — a large percentage of which are irrelevant to investigative objectives. Furthermore, current approaches predominantly employ literal search techniques, which lead to poor recall with respect to investigative objectives. A better approach is needed that reduces information retrieval overhead and improves investigative recall. This paper proposes a new, high-level text string search process model that addresses some of the shortfalls in current text string search paradigms. We hope that this model will stimulate efforts on extending information retrieval and text mining research to digital forensic text string searching.

V - Forensic Techniques | Pp. 179-191

Detecting Steganography Using Multi-Class Classification

Benjamin Rodriguez; Gilbert Peterson

When a digital forensics investigator suspects that steganography has been used to hide data in an image, he must not only determine that the image contains embedded information but also identify the method used for embedding. The determination of the embedding method, or stego fingerprint, is critical to extracting the hidden information. This paper focuses on identifying stego fingerprints in JPEG images. The steganography tools targeted are F5, JSteg, Model-Based Embedding, OutGuess and StegHide. Each of these tools embeds data in a dramatically different way and, therefore, presents a different challenge to extracting the hidden information. The embedding methods are distinguished using features developed from sets of stego images that are used to train a multi-class support vector machine (SVM) classifier. For new images, the image features are calculated and evaluated based on their associated label to the most similar class, i.e., clean or embedding method feature space. The SVM results demonstrate that, in the worst case, embedding methods can be distinguished with 87% reliability.

V - Forensic Techniques | Pp. 193-204

Redacting Digital Information from Electronic Devices

A. Barclay; L. Watson; D. Greer; J. Hale; G. Manes

Redaction is the process of removing privileged information from a document before it is presented to other parties. This paper discusses the major issues associated with the redaction of digital information from electronic devices. A novel technique involving a tokenized representation is presented as a solution to digital redaction in legal proceedings.

V - Forensic Techniques | Pp. 205-214

In-Place File Carving

Golden Richard; Vassil Roussev; Lodovico Marziale

File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives — “junk” files with invalid formats that frequently consume large amounts of disk space.

This paper describes an “in-place” approach to file carving, which allows the inspection of recovered files without copying file contents. The approach results in a significant reduction in storage requirements, shorter turnaround times, and opens new opportunities for on-the-spot screening of evidence. Moreover, it can be used to perform in-place carving on local and remote drives.

VI - File System Forensics | Pp. 217-230

File System Journal Forensics

Christopher Swenson; Raquel Phillips; Sujeet Shenoi

Journaling is a relatively new feature of modern file systems that is not yet exploited by most digital forensic tools. A file system journal caches data to be written to the file system to ensure that it is not lost in the event of a power loss or system malfunction. Analysis of journal data can identify which files were overwritten recently. Indeed, under the right circumstances, analyzing a file system journal can reveal deleted files and previous versions of files without having to review the hex dump of a drive. This paper discusses data recovery from ReiserFS and ext3, two popular journaled file systems. It also describes a Java-based tool for analyzing ext3 file system journals and recovering data pertaining to overwritten and deleted files.

VI - File System Forensics | Pp. 231-244

Using Search Engines to Acquire Network Forensic Evidence

Robert McGrew; Rayford Vaughn

Search engine APIs can be used very effectively to automate the surreptitious gathering of information about network assets. This paper describes GooSweep, a tool that uses the Google API to automate the search for references to individual IP addresses in a target network. GooSweep is a promising investigative tool. It can assist network forensic investigators in gathering information about individual computers such as referral logs, guest books, spam blacklists, and instructions for logging into servers. GooSweep also provides valuable intelligence about a suspect’s Internet activities, including browsing habits and communications in web-based forums.

VII - Network Forensics | Pp. 247-253

A Framework for Investigating Railroad Accidents

Mark Hartong; Rajni Goel; Duminda Wijeskera

Positive train control (PTC) or communication-based train control (CBTC) systems control trains using wireless network infrastructures. Consequently, investigations of accidents involving PTC- or CBTC-controlled trains require network forensic analysis. This paper describes a forensic analysis framework that leverages the communications capabilities of PTC systems. The framework incorporates a centralized database architecture that securely stores PTC-related and other digital data, and provides for efficient and flexible querying of the data during accident analysis.

VII - Network Forensics | Pp. 255-265

Forensic Analysis of Xbox Consoles

Paul Burke; Philip Craiger

Microsoft’s Xbox game console can be modified to run additional operating systems, enabling it to store gigabytes of non-game related files and run various computer services. Little has been published, however, on procedures for determining whether or not an Xbox console has been modified, for creating a forensic duplicate, and for conducting a forensic investigation. Given the growing popularity of Xbox systems, it is important to understand how to identify, image and examine these devices while reducing the potential of corrupting the media. This paper discusses Xbox forensics and provides a set of forensically-sound procedures for analyzing Xbox consoles.

VIII - Portable Electronic Device Forensics | Pp. 269-280

Super-Resolution Video Analysis for Forensic Investigations

Ashish Gehani; John Reif

Super-resolution algorithms typically improve the resolution of a video frame by mapping and performing signal processing operations on data from frames immediately preceding and immediately following the frame of interest. However, these algorithms ignore forensic considerations. In particular, the high-resolution video evidence they produce could be challenged on the grounds that it incorporates data or artifacts that were not present in the original recording.

This paper presents a super-resolution algorithm that differs from its counterparts in two important respects. First, it is explicitly parameterized, enabling forensic video analysts to tune it to yield higher quality in regions of interest at the cost of degraded quality in other regions. Second, the higher resolution output is only constructed in the final visualization step. This allows the intermediate refinement step to be repeatedly composed without tainting the original data.

VIII - Portable Electronic Device Forensics | Pp. 281-299