
A Novel Forensics Analysis Method for Evidence Extraction from Unallocated Space

  • Conference paper
Forensics in Telecommunications, Information, and Multimedia (e-Forensics 2010)

Abstract

Computer forensics has become a vital tool for providing evidence in investigations of computer misuse, attacks against computer systems, and more traditional crimes such as money laundering and fraud in which digital devices are involved. Investigators frequently perform preliminary analysis on suspect devices at the crime scene to determine whether target files, such as child pornography, are present. Hence, it is crucial to design a tool that is portable and can perform efficient preliminary analysis. In this paper, we adopt the space-efficient fingerprint hash table to store the massive forensic data from law enforcement databases on a flash drive, and use hash trees for fast searches. We then apply group testing to identify the fragmentation points of fragmented files and the starting cluster of the next fragment, based on statistics on the gap between fragments.
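The following is an added example, not the authors' code and not the tool described in the paper. It illustrates how the three ingredients named in the abstract fit together when carving a known file from unallocated space: a compact fingerprint table (here, a plain dict keyed by 8-byte truncated cluster hashes, standing in for the paper's space-efficient structure), a Merkle-style hash tree over the known file's clusters, and adaptive group testing that walks the tree to find the fragmentation point, then probes a prior over gap sizes to locate the next fragment. The cluster size, fingerprint width, the gap prior and all file and image bytes are constructed assumptions.

```python
"""Added example (not the paper's code): carve a fragmented known file out of
unallocated space with a truncated-hash fingerprint table, a Merkle-style hash
tree and adaptive group testing. All data below is constructed."""
import hashlib

CLUSTER = 512   # assumed cluster size for the constructed image
FP_BYTES = 8    # assumed fingerprint width: 64 bits per known cluster

def leaf_hash(cluster: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + cluster).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def clusters(data: bytes):
    return [data[i:i + CLUSTER] for i in range(0, len(data), CLUSTER)]

def build_levels(leaves):
    """levels[l][i] covers leaves [i*2^l, (i+1)*2^l); an unpaired node is promoted,
    so every node equals the stand-alone tree root over the leaves it covers."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def build_fingerprint_table(known):
    """Compact on-flash index: truncated cluster hash -> (file name, cluster index).
    A hit is only a candidate; the full hashes in the tree confirm it."""
    return {leaf_hash(c)[:FP_BYTES]: (name, idx)
            for name, data in known.items() for idx, c in enumerate(clusters(data))}

def find_first_fragment(image_leaves, table, name):
    for img_idx, leaf in enumerate(image_leaves):
        if table.get(leaf[:FP_BYTES]) == (name, 0):
            return img_idx
    return None

def find_break(image_leaves, levels, img_start):
    """Adaptive group test: file clusters [0, m) are expected at image clusters
    [img_start, img_start+m). A node passes when the tree root recomputed over
    the image clusters it should cover equals the stored node; walk down from
    the root into the failing child. Returns the first out-of-place file cluster, or m."""
    m = len(levels[0])

    def group_ok(level, idx):
        a, b = idx << level, min((idx + 1) << level, m)
        seg = image_leaves[img_start + a:img_start + b]
        return b > a and len(seg) == b - a and build_levels(seg)[-1][0] == levels[level][idx]

    level, idx = len(levels) - 1, 0
    if group_ok(level, idx):
        return m
    while level > 0:
        level -= 1
        # left child intact -> the break is under the right child (which then exists)
        idx = 2 * idx + 1 if group_ok(level, 2 * idx) else 2 * idx
    return idx

def find_next_fragment(image_leaves, target_leaf, search_from, gap_prior):
    """Probe the statistically common gap sizes first, then fall back to a scan."""
    for g in gap_prior:
        j = search_from + g
        if j < len(image_leaves) and image_leaves[j] == target_leaf:
            return j
    for j in range(search_from, len(image_leaves)):
        if image_leaves[j] == target_leaf:
            return j
    return None

def carve(image, known, name, gap_prior=(1, 2, 4, 8)):
    """Fragments of `name` in `image` as (image_cluster, file_cluster, length)."""
    file_leaves = [leaf_hash(c) for c in clusters(known[name])]
    image_leaves = [leaf_hash(c) for c in clusters(image)]
    img_pos = find_first_fragment(image_leaves, build_fingerprint_table(known), name)
    file_pos, frags = 0, []
    while img_pos is not None and file_pos < len(file_leaves):
        brk = find_break(image_leaves, build_levels(file_leaves[file_pos:]), img_pos)
        if brk:
            frags.append((img_pos, file_pos, brk))
            file_pos += brk
        if file_pos < len(file_leaves):
            img_pos = find_next_fragment(image_leaves, file_leaves[file_pos],
                                         img_pos + max(brk, 1), gap_prior)
    return frags

def constructed_bytes(tag: bytes, n_clusters: int) -> bytes:
    """Deterministic filler so the demo reproduces offline."""
    return b"".join((hashlib.sha256(tag + i.to_bytes(4, "big")).digest() * 17)[:CLUSTER]
                    for i in range(n_clusters))

# Constructed scenario: a 10-cluster known file split 6 + 4 around 4 foreign clusters.
KNOWN = {"target.jpg": constructed_bytes(b"target", 10)}
IMAGE = (constructed_bytes(b"junk-a", 3) + KNOWN["target.jpg"][:6 * CLUSTER]
         + constructed_bytes(b"junk-b", 4) + KNOWN["target.jpg"][6 * CLUSTER:]
         + constructed_bytes(b"junk-c", 2))

if __name__ == "__main__":
    print(carve(IMAGE, KNOWN, "target.jpg"))   # [(3, 0, 6), (13, 6, 4)]
```

Two practical caveats. A fingerprint hit from the truncated table is only a candidate (64 bits gives a small but nonzero collision rate over a large image), which is why the run is confirmed against the full hashes in the tree before a fragment is reported. The gap prior only makes the search for the next fragment cheaper on average; when the real gap is not in it, the code falls back to a linear scan, so an unusual layout costs time rather than a missed fragment.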





© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Lei, Z., Dule, T., Lin, X. (2011). A Novel Forensics Analysis Method for Evidence Extraction from Unallocated Space. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_5


  • DOI: https://doi.org/10.1007/978-3-642-23602-0_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23601-3

  • Online ISBN: 978-3-642-23602-0
