Topic
Digital forensics
About: Digital forensics is a research topic. Over the lifetime, 4270 publications have been published within this topic receiving 49676 citations. The topic is also known as: digital forensic science & Digital forensics.
Papers published on a yearly basis
Papers
More filters
••
TL;DR: This paper explores issues in the context of the Ext2 file system and proposes one solution to tackle such issues for the scenario where systems have preinstalled plug-ins in the form of Loadable Kernel Modules, which provide the capability to preserve ADTS.
19 citations
••
25 Aug 2020TL;DR: In this article, the authors summarized existing artificial intelligence-based tools and approaches in digital forensics and highlighted the current challenges and future potential impact of artificial intelligence in digital forensic analysis.
Abstract: Multi-year digital forensic backlogs have become commonplace in law enforcement agencies throughout the globe. Digital forensic investigators are overloaded with the volume of cases requiring their expertise compounded by the volume of data to be processed. Artificial intelligence is often seen as the solution to many big data problems. This paper summarises existing artificial intelligence based tools and approaches in digital forensics. Automated evidence processing leveraging artificial intelligence based techniques shows great promise in expediting the digital forensic analysis process while increasing case processing capacities. For each application of artificial intelligence highlighted, a number of current challenges and future potential impact is discussed.
19 citations
••
13 Feb 2005TL;DR: This paper presents a new approach that significantly automates the examination process by relying on image analysis techniques and can be used to automatically search for case-specific images, contraband or otherwise, and to provide online monitoring of shared storage for early detection of specific images.
Abstract: Digital forensic investigators are often faced with the task of manually examining a large number of (photographic) images to identify potential evidence. The task can be daunting and time-consuming if the target of the investigation is very broad, such as a web hosting service. Current forensic tools are woefully inadequate: they are largely confined to generating pages of thumbnail images and identifying known files through cryptographic hashes. This paper presents a new approach that significantly automates the examination process by relying on image analysis techniques. The strategy is to use previously-identified content (e.g., contraband images) and to perform feature extraction, which captures mathematically the essential properties of the images. Based on this analysis, a feature set database is constructed to facilitate automatic scanning of a target machine for images similar to the ones in the database. An important property of the approach is that it is not possible to recover the original image from the feature set. Therefore, it is possible to build a (potentially very large) database targeting known contraband images that investigators may be barred from collecting directly. The approach can be used to automatically search for case-specific images, contraband or otherwise, and to provide online monitoring of shared storage for early detection of specific images.
19 citations
••
TL;DR: A TrustZone-based memory acquisition mechanism called TrustDump is developed that is capable of reliably and securely obtaining the RAM memory and CPU registers of the mobile OS even if the OS has crashed or been compromised.
Abstract: With the wide usage of smartphones in our daily life, new malware is emerging to compromise the mobile OS and then steal or manipulate sensitive data from mobile applications Forensic analysis tools demand a reliable and trustworthy memory acquisition of the operating systems running on the smartphones for further digital forensic analysis However, a compromised OS may launch denial of service attacks to prevent a valid memory acquisition by forensic examiners In this paper, we develop a TrustZone-based memory acquisition mechanism called TrustDump that is capable of reliably and securely obtaining the RAM memory and CPU registers of the mobile OS even if the OS has crashed or been compromised TrustDump is isolated from the mobile OS by TrustZone Instead of using a hypervisor to ensure the isolation between the OS and the memory acquisition tool, we rely on ARM TrustZone to achieve a hardware-assisted isolation with a small trusted computing base TrustDump can include basic online analysis modules to catch malware in an early stage Moreover, the acquired memory and register data can be sent to a remote server through a fast Micro-USB port for real-time forensics analysis when the OS runs or a slow serial port for further forensic analysis when the OS has crashed A trusted graphical user interface is integrated in the TrustZone to authenticate the user and prevent the misuse of our memory acquisition tool We build a TrustDump prototype on Freescale iMX53 QSB
19 citations
••
TL;DR: This paper is the result of a systematic literature review which answer three main questions in data carving filed and shows the need of realistic data sets for tools testing, and points to a new direction for using semantic validation to reduce false positive rates.
19 citations