Elsevier

Digital Investigation

Volume 5, Supplement, September 2008, Pages S65-S75

FACE: Automated digital evidence discovery and correlation

https://doi.org/10.1016/j.diin.2008.05.008
Under a Creative Commons license
open access

Abstract

Digital forensic tools are being developed at a brisk pace in response to the ever-increasing variety of forensic targets. Most tools are created for specific tasks – filesystem analysis, memory analysis, network analysis, etc. – and make little effort to interoperate with one another. This makes it difficult and extremely time-consuming for an investigator to build a wider view of the state of the system under investigation. In this work, we present FACE, a framework for automatic evidence discovery and correlation from a variety of forensic targets. Our prototype implementation demonstrates the integrated analysis and correlation of a disk image, memory image, network capture, and configuration log files. The results of this analysis are presented as a coherent view of the state of a target system, allowing investigators to quickly understand it. We also present an advanced open-source memory analysis tool, ramparser, for the automated analysis of Linux systems.

Keywords

Memory analysis
Physical memory
Digital forensics
Evidence correlation
Disk image
Network capture
Log file
Forensics tool

Andrew Case is an undergraduate student in the Computer Science Department at the University of New Orleans, and a member of the Digital Forensics Research Group there. He is currently pursuing a B.S. in Computer Science. His research interests include digital forensics, security, and operating systems development. He is also the captain of the UNO Collegiate Cyber Defense Team.

Andrew Cristina is a graduate student in the Computer Science Department at the University of New Orleans, and a member of the Digital Forensics Research Group there. He received a B.S. in Computer Science and is currently pursuing an M.S. in Computer Science. His research interests include digital forensics and programming languages, especially Lisp.

Lodovico Marziale is a graduate student and research assistant in the Computer Science Department at the University of New Orleans, and a member of the Digital Forensics Research Group there. He received a B.S. in Finance and an M.S. in Computer Science from the University of New Orleans, and is currently pursuing an M.S. in Mathematics and a Ph.D. in Computer Science. His research currently focuses on digital forensics, machine learning, and parallel and concurrent programming. He has been spied on more than one occasion preaching the Linux gospel to random passers-by.

Golden G. Richard III is a Professor of Computer Science at the University of New Orleans and co-founder of Digital Forensics Solutions, LLC. He received a B.S. in Computer Science from the University of New Orleans (honors) and M.S. and Ph.D. degrees in Computer Science from The Ohio State University. He is a co-director of the Networking, Systems Administration, and Security Laboratory (NSSAL) at the University of New Orleans. His research interests include digital forensics, computer security, and operating systems internals. He is extremely unlikely to eat foods whose recipes contain the word “packet” or “can”. It is a New Orleans thing.

Vassil Roussev is an Assistant Professor of Computer Science at the University of New Orleans. His research interests include digital forensics, high-performance computing, distributed collaboration, and software engineering. Dr. Roussev holds B.S. and M.S. degrees in Computer Science from Sofia University (Bulgaria) and M.S. and Ph.D. degrees in Computer Science from the University of North Carolina – Chapel Hill.