How To Measure The Quality Of A File Carving
- Melina Young
National Conference on Emerging Trends in Computing and Communication (ETCC-2008)

ANALYSIS FRAMEWORK FOR QUALITY MEASUREMENT OF CARVING TECHNIQUES

Prof. Deepak Singh Tomar, Mr. Om Malviya, Mr. Rakesh Verma
Department of CSE, Maulana Azad National Institute of Technology (MANIT), Bhopal (M.P.)

Abstract

File carving is the method of investigating a raw disk image based on file-format-specific characteristics present in that disk image. The tools that perform file carving implement techniques such as header-footer carving, header maximum size, header embedded length, file structure based and block based carving. To measure the quality of carving techniques, a framework is proposed that is based on the results produced by the tools from the disk image. It uses three quality aspects of a file carving technique for the measurement of quality: carving recall for data relevancy, carving precision for correctness and supported recall for reliability. The framework is also applied to existing carving tools (Scalpel, Foremost) to appraise their quality.

Keywords: Digital forensic, File carving, Digital disk image, File carving tools, Carving recall, Carving precision

I. INTRODUCTION

A. Digital Forensic

Digital or computer forensics is the practice of identifying, preserving, extracting, analysing and presenting legally sound evidence from digital media such as computer hard drives. [1]

B. File Carving

During a digital forensic investigation different pieces of data are preserved for investigation, of which bit-copy images of hard drives are the most common. These images contain the data allocated to files as well as the unallocated data. The unallocated data may still contain information that is relevant to an investigation, in the form of (parts of) intentionally deleted files or automatically removed temporary files.
Unfortunately, this data is not always easily accessible: a string search on the raw data might recover (parts of) interesting text documents, but it won't help to get to information present in, for example, images or compressed files. The downside of this approach is that these techniques become much less effective if the file system information is corrupted or overwritten. In these cases a technique is required that works independently of the file system information, by identifying the deleted files and file parts directly in the raw data and extracting them in a verifiable manner. These techniques are called file carving. [2]

C. Current State of Carving and Motivation

Carving is a general term for extracting files out of raw data, based on file-format-specific characteristics present in that data.

D. Problem Description

If a tool produces good results, then valuable information might be uncovered. However, tool results can also have a negative impact on the usability of the available information. First of all, information that is not recovered by a tool is information that will most likely be ignored, since datasets under investigation are much too large for manual inspection. The biggest problem is that results are a combination of both the tool and the data being examined. Another problem is that some quality aspects are simply unrelated to the carving results, like the amount of human intervention needed to process a dataset or the speed of a carver.

II. DATASET AND FILE CARVING TECHNIQUES

Some carving techniques used by current tools are discussed below. For each technique a description is given of how the difficulties that may be present in a dataset are handled and what impact this has on the results.

A. Structure of Datasets

The datasets that are examined in a digital forensic investigation are usually bit-copies of full hard drives or individual partitions. The data present on these original drives continually changed over time: files were added, deleted, copied or moved, a partition may have been defragmented, formatted or even resized, etc.

1). Fragmented Files

A fragmented file is a file that has been split into multiple parts and where all parts may be placed on different locations in a dataset. Fragmented files can be divided into two categories:

i). Files with linear fragmentation
ii). Files with nonlinear fragmentation

i). Linear fragmentation occurs when a file has been split into two or more parts, but the parts are present in the dataset in their original order.

National Institute of Technology Hamirpur (HP)

ii). There is no guarantee that fragmentation is always linear; it is also possible that the different parts exist in the dataset in a different order than in the original file.

2). Partial Files

Partially overwritten or partial files can almost never be fully recovered (in some cases partial files can be repaired, but this is beyond the scope of the project), but they may still contain useful information.

B). Carving Techniques

This section describes the different carving techniques that are used by the open-source tools tested in section V and/or were used in the 2007 DFRWS carving challenge [3].

1) Header footer carving
2) Header maximum size file carving
3) File structure based carving
4) Block based carving

1). Header-Footer Carving

Header-footer carving is the most basic carving technique. It works by searching the dataset for the patterns that mark the beginning of a file (header), like \x89PNG\x0d\x0a\x1a\x0a for PNG files.

2). Header Maximum Size File Carving

Even though most file types have a unique header, not all file types have a fixed footer. In the case of header maximum file size carving, a maximum file size is defined for these file types. If a header is found, then a piece of data of maximum file size length is carved.

3). File Structure Based Carving

File structure based carving uses the internal layout of a file to determine which data is part of which file. To understand file structure based carving, it is best to first get a basic idea of the type of structures that can be present in a file.

4). Block Content Based Carving

One technique that can be useful in detecting fragmentation in those cases where file structure based carving is unsuccessful is block content based carving. Block content based carving works by calculating meta information, like character counts or statistical information, over the bytes in a block.

III. CARVING TOOL QUALITY MEASURING METHOD

A). File Marking of Carved Files

As discussed in the previous section, the combination of complete, partial and fragmented files and different carving techniques can lead to four different result types. To recapitulate:

1). Positive

A file that is correctly carved from the dataset is called a Positive.

2). False Positives and Known False Positives

False positive: a carving result which is not a Positive.

Known false positive: a carving result of which the carver knows that it is not fully correct, and which it has marked as such a false positive.

3). False Negative

A file that is present in the dataset, but which was not carved. The false negative definition needs more elaboration, since in carving the recovery of a file is not necessarily all or nothing.

B). Quality Criteria Measures

How can these result types be translated into measurable quality criteria? Originally a quality system was created based on the number of Positives, Unknown false positives and false negatives. It simply calculated the following two scores:

a. The main score was calculated by giving points for each Positive and subtracting points for the false negatives. The higher this score was, the better a tool performed.

b. A second score was calculated by counting the number of Unknown false positives, which should be as low as possible.

C). Quality Criteria Measures Method

Precision and Recall are two widely used measures for evaluating the quality of results in domains such as Information Retrieval and statistical classification. [3] Precision can be seen as a measure of exactness or fidelity, whereas Recall is a measure of completeness.
In Information Retrieval, a perfect Precision score of 1.0 means that every result retrieved by a search was relevant (but says nothing about whether all relevant documents were retrieved), whereas a perfect Recall score of 1.0 means that all relevant documents were retrieved by the search (but says nothing about how many irrelevant documents were also retrieved). [3]

Recall is defined as the proportion of the target items that the system selected:

$$\text{Recall} = \frac{\text{Positive}}{\text{Positive} + \text{false negative}}$$

Precision is defined as a measure of the proportion of selected items that the system got right:

$$\text{Precision} = \frac{\text{Positive}}{\text{Positive} + \text{false positive}}$$

Together these two measures can be combined into a single measure of overall system performance, called the F measure:

$$F_{\text{measure}} = \frac{1}{(\alpha / R) + ((1 - \alpha) / P)}$$

where P is precision, R is recall and α is a factor between 0 and 1 which can be used to determine the weighting of precision and recall.

These equations form the basis for a quality measurement system whose goal it is to answer the following three carving quality questions:

1) What proportion of the available files was recovered?
2) What proportion of the recovered files was correct?
3) How reliable is the tool? If it claims to support a set of file types, then what proportion of these files does it recover?

The first quality question can be answered using a modified version of the recall equation. This leads to the following recall equation for carving:

$$\text{Carving recall} = \frac{\text{all} - \text{false negative}}{\text{all}}$$

where all is the number of files in the dataset.

The second quality question can be answered using a modified version of the precision equation. This leads to the following precision equation for carving:

$$\text{Carving precision} = \frac{\text{Positive}}{\text{Positive} + \text{unknown false positive} + (1/\beta)\,\text{known false positive}}$$

where β is a factor which can be used to determine the relative weight of Unknown false positives compared to Known false positives.

A carving-specific variation on the F measure, named the Cperformance, can now be used to give an overall score for a tool, using the updated carving recall and carving precision scores:

$$C_{\text{performance}} = \frac{1}{(\alpha / \text{carving recall}) + ((1 - \alpha) / \text{carving precision})}$$

where α is a factor which determines the weighting of carving precision and carving recall.

This leaves the third quality measure, the reliability of a tool.
Reliability does not state how well a tool works on all the files in a dataset, but only how successful it is at recovering the file types it claims to support. This leads to a modified version of the carving recall measure, in which only supported files are taken into account:

$$\text{Supported recall} = \frac{\text{supported} - \text{sfn}}{\text{supported}}$$

where supported is the number of supported files in the dataset and sfn is the number of Supported false negatives.

D). Datasets

First of all, these measures only work if the layout of a dataset is known, since the tool results have to be compared to the files present in that set. In 2005 Nick Mikus released datasets, based on an EXT2 file system, which are meant to test carving tools [6].

E). Testing Procedures

Each tool is tested by running it on the datasets and comparing the results to the layout provided for that set.

F). Score Interpretation

Using the results of these comparisons, the quality scores can be created for each combination of a tool and a dataset. These scores each give a different insight into the quality and improvement possibilities of the tools.

IV. PROPOSED ARCHITECTURE FOR QUALITY MEASUREMENT OF CARVING TOOL

A). Proposed Architecture

[Figure 1 diagram. Box labels, in the order they appear: Use tool on raw disk image; Extraction of file; Read the file for validation; Mark each object file for validation; 1. Compare file MD5 with disk image file; 2. Read file in hex code; Resultant performance of file carving tools; 1. Calculating carving precision; 2. Calculating carving recall; Performance measuring method implementation; Visualization; Phase (1), Phase (2), Phase (3).]

Fig. 1 Proposed architecture for the quality measurement of carving tool.
B). Major Components

1). Extraction of File and Marking

Each tool is tested by running it on the datasets and comparing the results to the layout provided for that set. After extraction from the image file using the tool, the files are marked on the following basis:

i. The MD5 sums are calculated over the carving results and compared to the MD5 sums of the files in the image, if provided in the layout description. Matching files are marked as true Positives.

ii. The remaining carved files are checked against the remaining image files by comparing header and footer with the known file strings of header and footer. Files that exactly match the header and/or footer are marked as Known false positives.

iii. The remaining files, which have not been marked as Known false positives, are marked as Unknown false positives.

iv. A file that is not carved by the carver is known as a false negative.

2). Performance Measurement Phase

The quality method is implemented on files carved by the file carver. To measure the quality of a tool, the quality measurement system discussed in section C of part III is used.

3). Result Analysis

These results are analysed for the purpose of improving future carving tools. The results give insight into the technique used by the tool whose quality is being measured. The overall analysis provides a measure for the improvement of future carving tools. This phase gives a measure for analysing the carving tool. The improvement goals stated for the new carving framework can be divided into two categories: improve carving recall and improve carving precision.

C). Proposed Procedure for Quality Measurement of Carving Techniques

Input: directory, documents
Output: table of carving performance results
Other variables: file carving recall, file carving precision

    read the contents of the carving result output folder
    read the MD5 sums of the files given with the image file
    read the MD5 sums of the carved files
    int a = number of carved files
    int b = (number of files in disk image) - a
    mark(b files as false negative)
    while (carving result folder not empty) {
        get a file f                 // next file from the carving result folder
        matched = false
        for (int i = 0; i < (number of files in image); i++) {
            if (MD5 of image file i == MD5 of f) {
                mark f as positive   // mark and break
                matched = true
                break
            }
        }
        if (!matched) {
            read the hex code of f
            if (header and footer of f match the given headers and footers)
                mark f as known false positive
            else
                mark f as unknown false positive
        }
    }                                // end of while loop
    calculate file carving recall
    calculate file carving precision
    calculate Cperformance for the tool
    End

V. RESULTS AND IMPLEMENTATION DETAIL

A). Hardware and Software Requirements

The experiments were set up in both Windows and Linux environments. The programs were developed in C for MD5 conversions and for reading the hex code of files.

B). Tested Tools and Their Specification

The carving tools used for quality measurement by this architecture are:

1). Scalpel

Created by Golden G. Richard III [4]. Scalpel, which is file system independent, is used to carve files from FATx, NTFS, ext2/3 or raw partitions. It reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.

2). Foremost

Created by Nick Mikus [5]. Foremost is used to recover files based on their headers, footers and internal data structures. It supports file structure based carving for avi, bmp, doc, gif, html, jpg, mov, pdf, png, rar, wav and zip files.

C). Implementation Details

Extraction and classification of the files extracted by a tool from a raw disk image: the first phase of the architecture is to extract data using the tools that are tested in this architecture.
The test image in use is taken from the extraction of results from the tool; this test image is used as the dataset for the tools. Fig. 2 shows the working and result of the Foremost tool and its output folder for carved files.

Fig. 2 Working of Foremost carving tool

Fig. 3 Output summary result from Foremost carving tool

The results produced are classified into the following four classifications, based on the tools' needs in the experiment:

- True Positive
- Unknown false positive
- Known false positive
- False negative

To calculate the MD5 of a file, HashMyFiles Version 1.30 is used:

Fig. 4 HashMyFiles tool for MD5 calculation

After calculating the MD5 sums of the carved files, these MD5 sums are matched with the MD5 sums of the given image files. The three snapshots in Fig. 5, 6 and 7 show the result of the comparison.

Fig. 5 MD5 of image file

Fig. 6 MD5 of carved file

Fig. 7 Result after comparison

Fig. 8 shows the checking of partial files. To check a partial file, first the hex dump of each file is calculated; this snapshot shows the extraction of the hex dump of a PDF file.

Fig. 8 Hex code calculation of carved file

D). Results

The comparison of the carved files for the two tools (Foremost and Scalpel) is shown in Fig. 9.

Fig. 9 Number of files carved by different tools

Fig. 10 provides a graphical view of the grouping of carved files for the Foremost carving tool, and the next figure provides the grouping of files for Scalpel.

Fig. 10 Grouping of carved files for Foremost

Fig. 11 Grouping of carved files for Scalpel

Fig. 12 provides a comparison of the Cperformance of the two tools that were evaluated with this framework.

Fig. 12 Cperformance of tested carving tools

VI. CONCLUSION

A). Conclusion

The results obtained from a raw disk image using carving tools may have a significant impact on the information available to an investigator; if a tool produces accurate results then valuable information may be unveiled. The quality and performance of carving tools is crucial in digital forensics. In this work a quality measuring method is analysed for carving tools. Evaluations of tools in this method cover the aspects that are used to determine the overall quality of carving tools.

B). Future Work

Areas for future work in this quality analysis method are improvement in the dependency on datasets with known and unknown layouts and amelioration of the validation method; special purpose validators can also be created which produce more accurate results.

REFERENCES

[1]
[2] Carving Taxonomy URL:
[3]
[4]
[5]
[6] (Digital Forensics Tool Testing Images)
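The marking procedure of section IV and the quality measures of section III.C can be combined in one script. The following Python example is added here and is not the authors' code (their programs were written in C). The file names, file contents and the `classify`, `scores` and `demo` helpers are constructed for illustration, and a reference file is assumed to be a false negative when no carving result has its MD5.

```python
import hashlib
from collections import Counter

# Well-known (header, footer) signatures. The page's procedure compares carved
# files against "given headers and footers" but does not list them.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def classify(layout, carved):
    """Mark every carving result and list the reference files that were missed.

    layout: {reference name: (file type, MD5 from the layout description)}
    carved: {carved file name: bytes produced by the carving tool}
    """
    unmatched = {md5: name for name, (_ftype, md5) in layout.items()}
    marks = {}
    for name, data in carved.items():
        digest = md5_hex(data)
        if digest in unmatched:
            # Step i: MD5 equals that of a reference file. Each reference file
            # is credited once, so a duplicate carve falls through to step ii.
            del unmatched[digest]
            marks[name] = "positive"
        elif any(data.startswith(h) or data.endswith(f)
                 for h, f in SIGNATURES.values()):
            # Step ii: header and/or footer matches a known signature.
            marks[name] = "known_fp"
        else:
            # Step iii: nothing recognisable.
            marks[name] = "unknown_fp"
    # Step iv (assumption): a reference file is a false negative when no
    # carving result has its MD5.
    return marks, sorted(unmatched.values())


def scores(layout, marks, false_negatives, supported_types,
           alpha=0.5, beta=2.0):
    """Carving recall, carving precision, Cperformance and supported recall."""
    count = Counter(marks.values())
    p, kfp, ufp = count["positive"], count["known_fp"], count["unknown_fp"]
    total = len(layout)
    recall = (total - len(false_negatives)) / total if total else 0.0
    weighted = p + ufp + kfp / beta
    precision = p / weighted if weighted else 0.0
    # The weighted harmonic mean is undefined when either term is zero.
    cperf = (1 / (alpha / recall + (1 - alpha) / precision)
             if recall and precision else 0.0)
    supported = [n for n, (t, _) in layout.items() if t in supported_types]
    sfn = [n for n in false_negatives if layout[n][0] in supported_types]
    sup_recall = ((len(supported) - len(sfn)) / len(supported)
                  if supported else 0.0)
    return {"carving_recall": recall, "carving_precision": precision,
            "cperformance": cperf, "supported_recall": sup_recall}


def demo():
    # Constructed reference files standing in for the dataset layout.
    png_h, png_f = SIGNATURES["png"]
    files = {
        "a.png": ("png", png_h + b"constructed-a" + png_f),
        "b.jpg": ("jpg", b"\xff\xd8\xff" + b"constructed-b" + b"\xff\xd9"),
        "c.pdf": ("pdf", b"%PDF-1.4 constructed-c %%EOF"),
        "d.jpg": ("jpg", b"\xff\xd8\xff" + b"constructed-d" + b"\xff\xd9"),
        "e.doc": ("doc", b"\xd0\xcf\x11\xe0 constructed-e"),
    }
    layout = {n: (t, md5_hex(d)) for n, (t, d) in files.items()}
    # Constructed output of a hypothetical carver that supports png, jpg, pdf.
    carved = {
        "00000001.png": files["a.png"][1],        # complete file
        "00000002.jpg": files["b.jpg"][1],        # complete file
        "00000003.pdf": files["c.pdf"][1][:12],   # truncated: header only
        "00000004.dat": b"\x00\x01 unrelated bytes",
    }
    marks, false_negatives = classify(layout, carved)
    result = scores(layout, marks, false_negatives, {"png", "jpg", "pdf"})
    return marks, false_negatives, result


if __name__ == "__main__":
    marks, false_negatives, result = demo()
    for name, mark in marks.items():
        print(f"{name}: {mark}")
    print("false negatives:", false_negatives)
    for key, value in result.items():
        print(f"{key}: {value:.3f}")
```

Raising β lowers the penalty for results that at least carry a recognisable header or footer, while α shifts the Cperformance weighting between carving recall and carving precision.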
More informationOriginal-page small file oriented EXT3 file storage system
Original-page small file oriented EXT3 file storage system Zhang Weizhe, Hui He, Zhang Qizhen School of Computer Science and Technology, Harbin Institute of Technology, Harbin E-mail: wzzhang@hit.edu.cn
More informationIncident Response and Computer Forensics
Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident
More informationCan Computer Investigations Survive Windows XP?
Can Computer Investigations Survive? An Examination of Microsoft and its Effect on Computer Forensics December 2001 by Kimberly Stone and Richard Keightley 2001 Guidance Software All Rights Reserved Executive
More informationComputer Forensics using Open Source Tools
Computer Forensics using Open Source Tools COMP 5350/6350 Digital Forensics Professor: Dr. Anthony Skjellum TA: Ananya Ravipati Presenter: Rodrigo Sardinas Overview Use case explanation Useful Linux Commands
More informationArti Tyagi Sunita Choudhary
Volume 5, Issue 3, March 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Web Usage Mining
More informationForensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationMADR Algorithm to Recover Authenticity from Damage of the Important Data
, pp. 443-452 http://dx.doi.org/10.14257/ijmue.2014.9.12.39 MADR Algorithm to Recover Authenticity from Damage of the Important Data Seong-Ho An 1, * Kihyo Nam 2, Mun-Kweon Jeong 2 and Yong-Rak Choi 1
More informationArchival of Digital Assets.
Archival of Digital Assets. John Burns, Archive Analytics Summary: We discuss the principles of archiving, best practice in both preserving the raw bits and the utility of those bits, and assert that bit-
More informationQAD Enterprise Applications. Training Guide Demand Management 6.1 Technical Training
QAD Enterprise Applications Training Guide Demand Management 6.1 Technical Training 70-3248-6.1 QAD Enterprise Applications February 2012 This document contains proprietary information that is protected
More informationForensics on the Windows Platform, Part Two
1 of 5 9/27/2006 3:52 PM Forensics on the Windows Platform, Part Two Jamie Morris 2003-02-11 Introduction This is the second of a two-part series of articles discussing the use of computer forensics in
More informationDr. Lodovico Marziale Managing Partner 504ENSICS, LLC vico@504ensics.com
Dr. Lodovico Marziale Managing Partner 504ENSICS, LLC vico@504ensics.com Education Ph.D. in Computer Science, University of New Orleans, 2009. Dissertation Topic: Advanced Techniques for Improving the
More informationSweet Home 3D user's guide
1 de 14 08/01/2013 13:08 Features Download Online Gallery Blog Documentation FAQ User's guide Video tutorial Developer's guides History Reviews Support 3D models Textures Translations Forum Report a bug
More informationLab - Dual Boot - Vista & Windows XP
Lab - Dual Boot - Vista & Windows XP Brought to you by RMRoberts.com After completing this lab activity, you will be able to: Install and configure a dual boot Windows XP and Vista operating systems. Explain
More informationArchival Data Format Requirements
Archival Data Format Requirements July 2004 The Royal Library, Copenhagen, Denmark The State and University Library, Århus, Denmark Main author: Steen S. Christensen The Royal Library Postbox 2149 1016
More informationPDF Primer PDF. White Paper
White Paper PDF Primer PDF What is PDF and what is it good for? How does PDF manage content? How is a PDF file structured? What are its capabilities? What are its limitations? Version: 1.0 Date: October
More informationUTILITIES BACKUP. Figure 25-1 Backup & Reindex utilities on the Main Menu
25 UTILITIES PastPerfect provides a variety of utilities to help you manage your data. Two of the most important are accessed from the Main Menu Backup and Reindex. The other utilities are located within
More informationCommission Accounting User Manual
Commission Accounting User Manual Confidential Information This document contains proprietary and valuable, confidential trade secret information of APPX Software, Inc., Richmond, Virginia Notice of Authorship
More informationinforouter Version 8.0 Administrator s Backup, Restore & Disaster Recovery Guide
inforouter Version 8.0 Administrator s Backup, Restore & Disaster Recovery Guide Active Innovations, Inc. Names of all products herein are used for identification purposes only and are trademarks and/or
More informationInterested in learning more about security?
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Data
More informationSeagate Manager. User Guide. For Use With Your FreeAgent TM Drive. Seagate Manager User Guide for Use With Your FreeAgent Drive 1
Seagate Manager User Guide For Use With Your FreeAgent TM Drive Seagate Manager User Guide for Use With Your FreeAgent Drive 1 Seagate Manager User Guide for Use With Your FreeAgent Drive Revision 1 2008
More informationHelp System. Table of Contents
Help System Table of Contents 1 INTRODUCTION...1 2 GETTING STARTED!... 2 2.1 Installation...2 2.2 Wizard...3 2.3 Browse Method:...7 2.4 Search Method:...7 2.5 Surface Scan Method:... 8 3 RECOVERING DELETED
More informationConnectivity. Alliance Access 7.0. Database Recovery. Information Paper
Connectivity Alliance 7.0 Recovery Information Paper Table of Contents Preface... 3 1 Overview... 4 2 Resiliency Concepts... 6 2.1 Loss Business Impact... 6 2.2 Recovery Tools... 8 3 Manual Recovery Method...
More informationDocument Storage Tips: Inside the Email Vault
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Document Storage Tips: Inside the Email Vault Law360,
More informationThe Forensic Analysis of the Microsoft Windows Vista Recycle Bin. By Mitchell Machor MMachor@gmail.com
The Forensic Analysis of the Microsoft Windows Vista Recycle Bin By Mitchell Machor MMachor@gmail.com 1/22/2008 - 1 - Introduction Contrary to due belief, when a file is deleted on a Microsoft operating
More informationPTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference
PTK Forensics Dario Forte, Founder and Ceo DFLabs The Sleuth Kit and Open Source Digital Forensics Conference What PTK is about PTK forensics is a computer forensic framework based on command line tools
More informationWhere is computer forensics used?
What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic
More information(b) slack file space.
Hidden Files A Computer Forensics Case Study Question Paper 1. Outline the meaning of the following terms: (a) cookie, [2 marks] A cookie is data stored locally that is used by some websites for data that
More informationPractice Exercise March 7, 2016
DIGITAL FORENSICS Practice Exercise March 7, 2016 Prepared by Leidos CyberPatriot Forensics Challenge 1 Forensics Instruction Guide Introduction The goal of this event is to learn to identify key factors
More informationwww.studymafia.org Seminar report Computer Forensics Submitted in partial fulfillment of the requirement for the award of degree Of CSE
A Seminar report On Computer Forensics Submitted in partial fulfillment of the requirement for the award of degree Of CSE SUBMITTED TO: SUBMITTED BY: www.studymafia.org www.studymafia.org 1 Acknowledgement
More informationHP FutureSmart Firmware Device Hard Disk Security
HP FutureSmart Firmware Device Hard Disk Security Summary: This document discusses hard disk security for HP FutureSmart Firmware printing devices. Contents: Overview... 2 Secure Erase Commands... 2 1.
More informationLINEAR EQUATIONS IN TWO VARIABLES
66 MATHEMATICS CHAPTER 4 LINEAR EQUATIONS IN TWO VARIABLES The principal use of the Analytic Art is to bring Mathematical Problems to Equations and to exhibit those Equations in the most simple terms that
More informationA Practical Approach for Evidence Gathering in Windows Environment
A Practical Approach for Evidence Gathering in Windows Environment Kaveesh Dashora Department of Computer Science & Engineering Maulana Azad National Institute of Technology Bhopal, India Deepak Singh
More informationACE STUDY GUIDE. 3. Which Imager pane shows information specific to file systems such as HFS+, NTFS, and Ext2? - Properties Pane
ACE STUDY GUIDE *Note* All of the actual exam questions are in multiple choice format. This Study Guide is designed to cover all of the material on the exam, 1. FTK Imager supports the encryption of forensic
More informationActive @ UNDELETE Users Guide
Active @ UNDELETE Users Guide Contents 2 Contents Legal Statement...5 Active@ UNDELETE Overview... 6 Getting Started with Active@ UNDELETE... 7 Active@ UNDELETE Views And Windows... 7 Recovery Explorer
More information4.10 Maintain Database
: Chapter 4.10 Maintain Database 4.10 Maintain Database 4.10.1 Manage Record Data Aging Status Please see Section 4.5.15 for details on this section. 4.10.2 Update DIS Node Configuration by James F. Cornwall
More informationIntroduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014
Introduction to Data Forensics Jeff Flaig, Security Consultant January 15, 2014 WHAT IS COMPUTER FORENSICS Computer forensics is the process of methodically examining computer media (hard disks, diskettes,
More informationPublished. Technical Bulletin: Use and Configuration of Quanterix Database Backup Scripts 1. PURPOSE 2. REFERENCES 3.
Technical Bulletin: Use and Configuration of Quanterix Database Document No: Page 1 of 11 1. PURPOSE Quanterix can provide a set of scripts that can be used to perform full database backups, partial database
More informationFORSIGS: Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints
FORSIGS: Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints John Haggerty and Mark Taylor Liverpool John Moores University, School of Computing & Mathematical Sciences, Byrom
More informationRECOVERING DELETED DATA FROM FAT PARTITIONS WITHIN MOBILE PHONE HANDSETS USING TRADITIONAL IMAGING TECHNIQUES
RECOVERING DELETED DATA FROM FAT PARTITIONS WITHIN MOBILE PHONE HANDSETS USING TRADITIONAL IMAGING TECHNIQUES KEVIN MANSELL CONTROL-F LTD. KEVIN.MANSELL@CONTROLF.CO.UK DARREN LOLE & FIONA LITCHFIELD SERVICE
More informationImageNow User. Getting Started Guide. ImageNow Version: 6.7. x
ImageNow User Getting Started Guide ImageNow Version: 6.7. x Written by: Product Documentation, R&D Date: June 2012 2012 Perceptive Software. All rights reserved CaptureNow, ImageNow, Interact, and WebNow
More informationComputer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065
Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Introduction The Computer Forensics and Investigation course presents methods to properly conduct a computer forensics investigation
More informationImproved document archiving speeds; data enters the FileNexus System at a faster rate! See benchmark test spreadsheet.
Feature Sheet Version 6.100.14 FileNexus Major Advances Client Server Communication - Dependency on Windows DCOM protocols eliminated which means NO additional configuration required on Client PCs after
More informationTalend Component: tjasperreportexec
Talend Component: tjasperreportexec Purpose This component creates (compile + fill + export) reports based on Jasper Report designs (jrxml files). Making reports in the ETL system provides multiple advantages:
More informationSIPAC. Signals and Data Identification, Processing, Analysis, and Classification
SIPAC Signals and Data Identification, Processing, Analysis, and Classification Framework for Mass Data Processing with Modules for Data Storage, Production and Configuration SIPAC key features SIPAC is
More informationENDNOTE Workbook. PART 1: Setting up your EndNote Library 2. PART 2: Linking Word with your EndNote Library 6
PART 1: Setting up your EndNote Library 2 Creating an EndNote Library 2 Compressing your EndNote Library 2 Entering References into an Endnote Library 2 Importing References into an EndNote Library 3 PDF
More information