File Toolkit for Selective Analysis & Reconstruction (FileTSAR) for Large-Scale Networks

There are many challenges in digital forensic investigations involving large-scale computer networks; these include large volume of data, the limited scope of tools, the financial burdens of purchasing and licensing those tools, and identifying salient evidence from the vast amounts of network data. We have implemented a collection of open-source tools and code wrappers to provide a tool for network forensic investigators to capture, selectively analyze, and reconstruct files from network traffic. The main functions of this tool (FileTSAR) are capturing data flows and providing a mechanism to selectively reconstruct documents, images, email, and VoIP conversations. To validate the large-scale capabilities of the toolkit, we conducted a "stress test" of the system using approximately 123,500,000 packets from a collection of packet capture files totaling nearly 100GB. Additionally, sixteen (16) digital forensic examiners participated in a 3-day law enforcement training workshop for FileTSAR from across the United States; the examiners expressed substantial support for FileTSAR with large-scale investigations as well as an interest in a scaled-down version for smaller agencies with storage, budget, and back-end support limitations.

[1]  Brian A. Jackson,et al.  Digital Evidence and the U.S. Criminal Justice System , 2015 .

[2]  Kathryn C. Seigfried-Spellar,et al.  Cybercrime and Digital Forensics: An Introduction , 2015 .

[3]  Darlene Demelo Moreau,et al.  Cybercrime: The Investigation, Prosecution and Defense of a Computer-Related Crime , 2006 .

[4]  Kristin A. Cook,et al.  Illuminating the Path: The Research and Development Agenda for Visual Analytics , 2005 .

[5]  Marcus K. Rogers,et al.  Computer Forensics Field Triage Process Model , 2006, J. Digit. Forensics Secur. Law.

[6]  Marcus K. Rogers,et al.  The future of computer forensics: a needs analysis survey , 2004, Comput. Secur..

[7]  Benoit Claise,et al.  Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information , 2008, RFC.

[8]  Ibrahim M. Baggili,et al.  A cyber forensics needs analysis survey: Revisiting the domain's needs a decade later , 2016, Comput. Secur..

[9]  Brian D. Carrier,et al.  File System Forensic Analysis , 2005 .

[10]  Rajdeep Niyogi,et al.  Network forensic frameworks: Survey and research challenges , 2010, Digit. Investig..

[11]  Daniel A. Keim,et al.  Visual Analytics: Scope and Challenges , 2008, Visual Data Mining.

[12]  Benoit Claise,et al.  Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information , 2013, RFC.

[13]  Weijie Wang,et al.  A visual analytics based approach on identifying server redirections and data exfiltration , 2015 .