Gradually Improving the Forensic Process

Neuner, Sebastian; Mulazzani, Martin; Schrittwieser, Sebastian; Weippl, Edgar

doi:10.1109/ares.2015.32

Cited by 5 publications

(4 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this section, we first describe the theoretical approach as described in the original paper by Neuner et al , . This first part is described an artificial scenario.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Effectiveness of file‐based deduplication in digital forensics

Neuner

Schmiedecker

Weippl

2016

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

Over the last decades, the increasing amount of storage became a pressing problem for forensic investigators. This is caused by the computerization of everyday life and the associated increasing number of different devices in typical households. Considering multi‐terabyte storage on the suspects' side, even more storage requirements emerge on the side of the investigator for secure backup and working copies. In this paper, we improve the standardized forensic process by proposing to rigorously use file deduplication across devices as well as file whitelisting in investigations in order to reduce the amount of data that needs to be stored for analysis as early as during data acquisition. These improvements happen in an automatic fashion and are completely transparent to the forensic investigator. They may furthermore be added without negative effects to the chain of custody or artifact validity in court and are evaluated in a realistic use case. Additionally, we illustrate the effectivity of our proposed approach on a real‐world corpus by showing a notable reduction in number of reduced files as well as storage. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

“…In this section, we first describe the theoretical approach as described in the original paper by Neuner et al , . This first part is described an artificial scenario.…”

Section: Discussionmentioning

confidence: 99%

“…This paper is the extended version of the paper by Neuner et al , and was funded by COMET K1, FFG ‐ Austrian Research Promotion Agency and by FFG grant 846070: SpeedFor. Additionally, we want to thank the employees of SBA Research for giving us access to their data and process power.…”

Section: Acknowledgementsmentioning

confidence: 99%

Effectiveness of file‐based deduplication in digital forensics

Neuner

Schmiedecker

Weippl

2016

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

show abstract

“…This technique can work on top of the DFaaS framework. The employment of data deduplication techniques effectively reduces the data required to be processed during the investigation, and potentially blacklisting enables a faster illegal file artefact detection [21,25]. Experimentation has proven the significant savings of the storage and the volumes of data processed in [21] and [8].…”

Section: Dfaas and Data Deduplicationmentioning

confidence: 99%

“…Based on the DFaaS paradigm, data deduplication was proposed for reducing the time repeatedly acquiring and analysing known file artefacts [25]. Several experiments have been performed that proves the increased efficiency created by a deduplication system [8,21,28]. Creation of centralised artefact whitelisting eliminates the known, benign operating system and application files, and also eliminates known, benign user created files.…”

Section: Introductionmentioning

confidence: 99%

Methodology for the Automated Metadata-Based Classification of Incriminating Digital Forensic Artefacts

Scanlon

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

The ever increasing volume of data in digital forensic investigation is one of the most discussed challenges in the field. Usually, most of the file artefacts on seized devices are not pertinent to the investigation. Manually retrieving suspicious files relevant to the investigation is akin to finding a needle in a haystack. In this paper, a methodology for the automatic prioritisation of suspicious file artefacts (i.e., file artefacts that are pertinent to the investigation) is proposed to reduce the manual analysis effort required. This methodology is designed to work in a human-in-the-loop fashion. In other words, it predicts/recommends that an artefact is likely to be suspicious rather than giving the final analysis result. A supervised machine learning approach is employed, which leverages the recorded results of previously processed cases. The process of features extraction, dataset generation, training and evaluation are presented in this paper. In addition, a toolkit for data extraction from disk images is outlined, which enables this method to be integrated with the conventional investigation process and work in an automated fashion.

show abstract