FFCK: The Filesystem Forensics Classifier Kit
نویسنده
چکیده
Filesystem forensics is a general term to describe the searching and recovery of data that is on a drive that has been damaged or reformatted. There are two common applications for filesystem forensics, data recovery and criminal investigation. Certain factors in the filesystem design can make forensics difficult. If only the raw blocks exist on the disk, then it can be very difficult to determine the location of files. FFCK attempts to solve this problem by applying data mining techniques to the field of filesystem forensics.
منابع مشابه
Detecting data theft using stochastic forensics
We present a method to examine a filesystem and determine if and when files were copied from it. We develop this method by stochastically modeling filesystem behavior under both routine activity and copying, and identifying emergent patterns in MAC timestamps unique to copying. These patterns are detectable even months afterwards. We have successfully used this method to investigate data exfilt...
متن کاملSecure, Audited Processing of Digital Evidence: Filesystem Support for Digital Evidence Bags
Traditional digital forensics methods capture, preserve, and analyze digital evidence in standard electronic containers: images of seized hard drives (e.g., created using the Unix dd command) are stored in regular files and documents are typically processed “as is”. Auditing of a digital investigation, from identification and seizure of evidence through duplication and investigation is essentia...
متن کاملDistributed filesystem forensics: XtreemFS as a case study
Distributed filesystems provide a cost-effective means of storing high-volume, velocity and variety information in cloud computing, big data and other contemporary systems. These technologies have the potential to be exploited for illegal purposes, which highlights the need for digital forensic investigations. However, there have been few papers published in the area of distributed filesystem f...
متن کاملTesting the Date Maintenance of the File Allocation Table File System
The directory entries used in the File Allocation Table filesystems maintain a significant amount of file metadata that is of interest to a forensic examiner. This information is maintained by the operating system under normal conditions and may be amended by activities undertaken by the computer user. This paper examines the maintenance of date information when files are being moved between di...
متن کاملDe-Anonymizing Live CDs through Physical Memory Analysis
Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a serious problem for this investigative model, howe...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2005