A general strategy for differential forensic analysis

The dramatic growth of storage capacity and network bandwidth is making it increasingly difficult for forensic examiners to report what is present on a piece of subject media. Instead, analysts are focusing on what characteristics of the media have changed between two snapshots in time. To date, different algorithms have been implemented for performing differential analysis of computer media, memory, digital documents, network traces, and other kinds of digital evidence. This paper presents an abstract differencing strategy and applies it to all of these problem domains. Use of an abstract strategy allows the lessons gleaned in one problem domain to be directly applied to others. Published by Elsevier Ltd.
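The snapshot differencing described in the abstract, as an added example that is not code from the paper: two constructed file-system manifests are compared, pairing entries first by path and then by content hash so that a moved file is reported as a rename rather than as a deletion plus a creation. The manifest layout (path to content hash and mtime), the change categories and the sample files are assumptions made here for illustration.

```python
import hashlib

def fingerprint(content: bytes) -> str:
    """Content hash used to pair files across snapshots (sha256 hex)."""
    return hashlib.sha256(content).hexdigest()

# Constructed sample manifests: path -> (content hash, mtime); illustrative values only.
SNAPSHOT_A = {
    "/etc/hosts":        (fingerprint(b"127.0.0.1 localhost\n"), 100),
    "/home/u/notes.txt": (fingerprint(b"draft v1\n"), 200),
    "/home/u/old.doc":   (fingerprint(b"quarterly figures\n"), 300),
    "/home/u/keep.bin":  (fingerprint(b"\x00\x01\x02"), 400),
    "/var/log/old.log":  (fingerprint(b"rotated\n"), 500),
}
SNAPSHOT_B = {
    "/etc/hosts":              (fingerprint(b"127.0.0.1 localhost\n"), 100),  # unchanged
    "/home/u/notes.txt":       (fingerprint(b"draft v2\n"), 250),             # content changed
    "/home/u/archive/old.doc": (fingerprint(b"quarterly figures\n"), 300),    # moved: same hash, new path
    "/home/u/keep.bin":        (fingerprint(b"\x00\x01\x02"), 450),           # metadata-only change
    "/home/u/report.pdf":      (fingerprint(b"%PDF-1.4\n"), 600),             # new file
}

def diff_snapshots(before: dict, after: dict) -> dict:
    """Report what changed between two snapshot manifests."""
    report = {"new": [], "deleted": [], "renamed": [],
              "changed_content": [], "changed_metadata": []}
    # Pass 1: pair entries by path and classify in-place changes.
    for path in sorted(before.keys() & after.keys()):
        (h_old, m_old), (h_new, m_new) = before[path], after[path]
        if h_old != h_new:
            report["changed_content"].append(path)
        elif m_old != m_new:
            report["changed_metadata"].append(path)
    # Pass 2: pair the unmatched paths by content hash, so a move shows up
    # as a rename instead of one deletion plus one creation.
    unmatched_old = {}
    for path in sorted(before.keys() - after.keys()):
        unmatched_old.setdefault(before[path][0], []).append(path)
    for path in sorted(after.keys() - before.keys()):
        candidates = unmatched_old.get(after[path][0])
        if candidates:
            report["renamed"].append((candidates.pop(0), path))
        else:
            report["new"].append(path)
    # Whatever remains unpaired on the old side is genuinely gone.
    for paths in unmatched_old.values():
        report["deleted"].extend(paths)
    report["deleted"].sort()
    return report
```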
