DOI: 10.1145/3465481.3470051 (ACM Other Conferences, ARES; research article, public access)

Forensic Artifact Finder (ForensicAF): An Approach & Tool for Leveraging Crowd-Sourced Curated Forensic Artifacts

Published: 17 August 2021

Abstract

Current methods for artifact analysis and understanding depend on investigator expertise. Experienced and technically savvy examiners spend a lot of time reverse engineering applications while attempting to find the crumbs they leave behind on systems. This takes valuable time away from the investigative process and slows down forensic examination. Furthermore, when specific artifact knowledge is gained, it stays within the respective forensic units. To combat these challenges, we present ForensicAF, an approach for leveraging curated, crowd-sourced artifacts from the Artifact Genome Project (AGP). The approach has the overarching goal of uncovering forensically relevant artifacts from storage media. We explain our approach and construct it as an Autopsy ingest module. Our implementation focused on both File and Registry artifacts. We evaluated ForensicAF using systematic and random sampling experiments. While ForensicAF showed consistent results with Registry artifacts across all experiments, it also revealed that deeper folder traversal yields more File artifacts during data source ingestion. When experiments were conducted on case scenario disk images without a priori knowledge, ForensicAF uncovered artifacts of forensic relevance that help in solving those scenarios. We contend that ForensicAF is a promising approach for artifact extraction from storage media, and that its utility will advance as more artifacts are crowd-sourced by AGP.


Cited By

  • (2024) Enhancing Autopsy with G-Code File Recovery: Ingest Module Development. 2024 International Conference on Computer, Information and Telecommunication Systems (CITS), 1-7. https://doi.org/10.1109/CITS61189.2024.10607984. Online publication date: 17 Jul 2024.
  • (2024) Catch Me if You Can: Analysis of Digital Devices and Artifacts Used in Murder Cases. Digital Forensics and Cyber Crime, 19-32. https://doi.org/10.1007/978-3-031-56580-9_2. Online publication date: 3 Apr 2024.
  • (2023) Back and Forth—On Automatic Exposure of Origin and Dissemination of Files on Windows. Digital Threats: Research and Practice 4(3), 1-17. https://doi.org/10.1145/3609232. Online publication date: 6 Oct 2023.

Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN:9781450390514
DOI:10.1145/3465481

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. AGP
  2. Artifact Genome Project
  3. Artifacts
  4. Autopsy
  5. CuFA
  6. Cyber Forensics
  7. Digital Forensics
  8. Triage

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall acceptance rate: 228 of 451 submissions (51%)

Article Metrics

  • Downloads (last 12 months): 364
  • Downloads (last 6 weeks): 33

Reflects downloads up to 20 Feb 2025