1 / 9

“A general strategy for differential forensic analysis”

“A general strategy for differential forensic analysis”. Presented by: Garrett Leach. http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf. Quick Definitions. Image – “A byte stream from any data-carrying device” Feature – Information implied or extracted from image.

gaius
Download Presentation

“A general strategy for differential forensic analysis”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “A general strategy for differential forensic analysis” Presented by: Garrett Leach http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf

  2. Quick Definitions • Image – “A byte stream from any data-carrying device” • Feature – Information implied or extracted from image

  3. Prior Work (And related) • We are already familiar with diff • File/Data sync programs • Rsync • Git • Svn • Previous timeline reconstruction papers

  4. Use cases • Malware discovery • Discover alterations to system files and registry • Insider Threat Detection • Discover irregularities in time • Generalizable to other areas (Pattern of life) • Pre-emptive routine imaging* • Discard files that will not be important • Windows update files

  5. The generalized approach • Collect Feature Metadata • Location(s) • Name(s) • Timestamps • Create list of changes • Locate inconsistencies in time • Beware common pitfalls • Report

  6. Report Generation • Intent: Suppress unwanted features • Common techniques: • Present statistics (instead of enumerating features) • Organize features into hierarchies that can be expanded (folder, file/name, metadata) • Organize features into timeline

  7. Tools created • idifference(.py) • Reads DFXML (for each image) • Outputs filepaths in 1st image and not second, inodes added to 2nd, and filepaths added to 2nd • rdifference.py • Reads two windows registry files • Outputs: new and deleted cells and values (both content and type) and keys with changed mtimes • Caveat: Some cells have non-unique paths

  8. Tools created • bulk_diff.py • Compares data (histograms) between runs of bulk_extractor (from another paper) • corpus_sync.py • Sync program that recognizes renames • Not deletion and creatioon • flowdiff (in-progress as of publication) • Processes pcap files to create DFXML

More Related