CT-ISG: A Comprehensive Data Carving Architecture for Digital Forensics

CT-ISG：用于数字取证的综合数据雕刻架构

• 批准号: 0627226
• 负责人: Golden Richard
• 金额: --
• 依托单位: University of New Orleans
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2006
• 资助国家: 美国
• 起止时间: 2006-09-01 至 2009-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0627226&HistoricalAwards=false
• 关键词: CT; ISG; Comprehensive; Data; Carving

Golden RichardUniversity of New Orleans0627226Panel: P060969A Comprehensive Data Carving Architecture for Digital ForensicsOne of the most important software techniques in digital forensics is file carving, which uses a database of characteristics about commonly encountered file types to search physical disks for files of these types. File carving is a particularly powerful technique because files can be retrieved from raw disk images, regardless of the type of filesystem, even if file metadata has been destroyed. File carving can find data associated with deleted files, in slack space, swap files, and data "hidden" outside the filesystem. The goal is to identify the starting and ending locations of files in the disk images and "carve" (copy) sequences of bytes into regular files so their value as evidence can be measured.Currently, the scope of file carving is narrow and there are significant limitations. Patterns for new file types are typically created manually, which is a tedious and error-prone process. Current-generation tools generate many false positives, carving files whose formats are incorrect. This wastes the time of investigators, who already have overwhelming caseloads. In addition, carving has not been applied extensively to volatile media such as memory and network flows. RAM carving is useful for low-level detection of installed malware, where high level detection (e.g., via OS facilities) might be thwarted by the malware. Network data flow carving can help investigators determine whether specific documents were transmitted or whether versions of specific documents were transmitted. This research explores techniques for better automatic identification of documents, by expanding on the header/milestone/footer search generally employed in current generation tools. The research also expands the scope of data carving to include memory analysis and network flow analysis. The entire architecture is be incorporated into the distributed digital forensics framework created by the PI and his collaborators at the University of New Orleans.

新奥尔良的黄金Richarduniversity0627226Panel：P060969a数字法医学中最重要的软件技术的数字法医学的全面数据雕刻架构是文件雕刻，它使用有关常见的遇到的文件类型的特征的数据库来搜索这些类型的物理磁盘，以搜索这些类型的文件。 文件雕刻是一种特别功能强大的技术，因为即使文件元数据已被破坏，也可以从原始磁盘图像中检索文件。 文件雕刻可以找到与已删除的文件相关的数据，在Slack Space，交换文件和文件系统外“隐藏”的数据中。 目的是确定磁盘图像中文件的启动和结束位置，并在常规文件中“雕刻”字节序列（复制）序列，以便可以测量其值作为证据。目前，文件雕刻的范围是狭窄的，并且存在很大的限制。 新文件类型的模式通常是手动创建的，这是一个乏味且容易出错的过程。当前产生工具会生成许多误报，即格式不正确的雕刻文件。 这浪费了调查人员的时间，调查人员已经有压倒性的案件。 此外，雕刻尚未广泛应用于挥发性媒体，例如内存和网络流。 RAM雕刻可用于低水平检测安装的恶意软件，其中恶意软件可能会挫败高级检测（例如，通过OS设施）。 网络数据流雕刻可以帮助调查人员确定是否传输了特定文档或是否传输了特定文档的版本。 这项研究通过扩展当前一代工具中通常采用的标头/里程碑/页脚搜索来探讨以更好地自动识别文档的技术。 该研究还扩大了数据雕刻的范围，以包括内存分析和网络流分析。 整个架构都被纳入由PI及其合作者在新奥尔良大学创建的分布式数字取证框架中。