Towards a standardised strategy to collect and distribute application software artifacts

Reference sets contain known content that is used to identify relevant content or to filter out irrelevant content. Application profiles are a type of reference set that contain digital artifacts associated with application software. An application profile can be compared against a target data set to identify relevant evidence of application usage in a variety of investigation scenarios. The research objective is to design and implement a standardised strategy to collect and distribute application software artifacts using application profiles. An advanced technique for creating application profiles was designed using a formalised differential analysis strategy. The design was implemented in a live differential forensic analysis tool, LiveDiff, to automate and simplify data collection. A storage mechanism was designed based on a previously standardised forensic data abstraction. The design was implemented in a new data abstraction, Application Profile XML (APXML), to provide storage, distribution and automated processing of collected artifacts.
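As an added illustration (not code from the paper, LiveDiff or APXML), the following Python sketches the two steps the abstract describes: a differential between pre- and post-installation snapshots yields the application profile, which is then serialised and compared against a target data set. The snapshots, the fictional ExampleApp paths and the XML element names are constructed assumptions; the XML layout in particular is a simplified stand-in, not the real APXML schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample snapshots (path -> file content); not data from the paper.
BEFORE = {"C:/Windows/System32/kernel32.dll": b"os-file-v1",
          "C:/Users/alice/Documents/notes.txt": b"hello"}
AFTER = dict(BEFORE)  # same machine after installing the (fictional) ExampleApp
AFTER.update({"C:/Program Files/ExampleApp/app.exe": b"MZ example application",
              "C:/Users/alice/AppData/Roaming/ExampleApp/config.ini": b"[main]\nrun=1"})
# Constructed target data set: app.exe is byte-identical, config.ini was edited,
# and an unrelated file is present.
TARGET = {"C:/Program Files/ExampleApp/app.exe": b"MZ example application",
          "C:/Users/alice/AppData/Roaming/ExampleApp/config.ini": b"[main]\nrun=7",
          "C:/Users/bob/photo.jpg": b"\xff\xd8unrelated"}

def snapshot_hashes(files):
    """Reduce a snapshot to path -> SHA-256; the differential works on hashes."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}

def differential_profile(before, after):
    """Differential analysis: files that appeared, changed or vanished between
    the pre- and post-installation snapshots form the application profile."""
    b, a = snapshot_hashes(before), snapshot_hashes(after)
    return {"new": {p: a[p] for p in sorted(a.keys() - b.keys())},
            "changed": {p: a[p] for p in sorted(a.keys() & b.keys()) if a[p] != b[p]},
            "deleted": sorted(b.keys() - a.keys())}

def profile_to_xml(app_name, profile):
    """Serialise the profile. Element names are an assumed, simplified layout
    chosen for this example, not the paper's APXML schema."""
    root = ET.Element("application_profile", name=app_name)
    for kind in ("new", "changed"):
        for path, digest in profile[kind].items():
            ET.SubElement(root, "fileobject", path=path, status=kind, sha256=digest)
    for path in profile["deleted"]:
        ET.SubElement(root, "fileobject", path=path, status="deleted")
    return ET.tostring(root, encoding="unicode")

def match_target(profile, target):
    """Compare a profile against a target data set. Same path and same hash is
    strong evidence of the application; same path with a different hash (an
    edited config file, say) is weaker, path-only evidence worth reviewing."""
    t = snapshot_hashes(target)
    evidence = {}
    for path, digest in {**profile["new"], **profile["changed"]}.items():
        if path in t:
            evidence[path] = "hash-match" if t[path] == digest else "path-only"
    return evidence
```

A real profile would also carry registry keys and other non-file artifacts, which the differential treats the same way once they are reduced to a comparable key and digest.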
