
Publication


Featured research published by Vassil Roussev.


Communications of The ACM | 2006

Next-generation digital forensics

Golden G. Richard; Vassil Roussev

The digital forensics community requires new tools and strategies for the rapid turnaround of large forensic targets.


international conference on digital forensics | 2010

Data Fingerprinting with Similarity Digests

Vassil Roussev

State-of-the-art techniques for data fingerprinting have been based on randomized feature selection pioneered by Rabin in 1981. This paper proposes a new, statistical approach for selecting fingerprinting features. The approach relies on entropy estimates and a sizeable empirical study to pick out the features that are most likely to be unique to a data object and, therefore, least likely to trigger false positives. The paper also describes the implementation of a tool (sdhash) and the results of an evaluation study. The results demonstrate that the approach works consistently across different types of data, and its compact footprint allows for the digests of targets in excess of 1 TB to be queried in memory.


Digital Investigation | 2013

Real-time digital forensics and triage

Vassil Roussev; Candice Quates; Robert Martell

There are two main reasons the processing speed of current generation digital forensic tools is inadequate for the average case: a) users have failed to formulate explicit performance requirements; and b) developers have failed to put performance, specifically latency, as a top-level concern in line with reliability and correctness. In this work, we formulate forensic triage as a real-time computation problem with specific technical requirements, and we use these requirements to evaluate the suitability of different forensic methods for triage purposes. Further, we generalize our discussion to show that the complete digital forensics process should be viewed as a (soft) real-time computation with well-defined performance requirements. We propose and validate a new approach to target acquisition that enables file-centric processing without disrupting optimal data throughput from the raw device. We evaluate core forensic processing functions with respect to processing rates and show their intrinsic limitations in both desktop and server scenarios. Our results suggest that, with current software, keeping up with a commodity SATA HDD at 120 MB/s requires 120-200 cores.


2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering | 2009

File Fragment Classification - The Case for Specialized Approaches

Vassil Roussev; Simson L. Garfinkel

Increasingly, advances in file carving, memory analysis and network forensics require the ability to identify the underlying type of a file given only a file fragment. Work to date on this problem has relied on identification of specific byte sequences in file headers and footers, and the use of statistical analysis and machine learning algorithms taken from the middle of the file. We argue that these approaches are fundamentally flawed because they fail to consider the inherent internal structure in widely used file types such as PDF, DOC, and ZIP. We support our argument with a bottom-up examination of some popular formats and an analysis of TK PDF files. Based on our analysis, we argue that specialized methods targeted to each specific file type will be necessary to make progress in this area.


Digital Investigation | 2006

md5bloom: Forensic filesystem hashing revisited

Vassil Roussev; Yixin Chen; Timothy Bourg; Golden G. Richard

Hashing is a fundamental tool in digital forensic analysis used both to ensure data integrity and to efficiently identify known data objects. However, despite many years of practice, its basic use has advanced little. Our objective is to leverage advanced hashing techniques in order to improve the efficiency and scalability of digital forensic analysis. Specifically, we explore the use of Bloom filters as a means to efficiently aggregate and search hashing information. In this paper, we present md5bloom, an actual Bloom filter manipulation tool that can be incorporated into forensic practice, along with example uses and experimental results. We also provide a basic theoretical foundation, which quantifies the error rates associated with the various Bloom filter uses along with a simulation-based verification. We provide a probabilistic framework that allows the interpretation of direct, bitwise comparison of Bloom filters to infer similarity and abnormality. Using the similarity interpretation, it is possible to efficiently identify versions of a known object, whereas the notion of abnormality could aid in identifying tampered hash sets.


ieee symposium on security and privacy | 2009

Hashing and Data Fingerprinting in Digital Forensics

Vassil Roussev

Hashing is a primary, yet underappreciated, tool in digital forensic investigations. Recent R&D has demonstrated that, with clever design, we can construct robust fingerprinting and similarity hashes that can significantly speed up an investigation.


international conference on digital forensics | 2009

A Cloud Computing Platform for Large-Scale Forensic Computing

Vassil Roussev; Liqiang Wang; Golden G. Richard; Lodovico Marziale

The timely processing of massive digital forensic collections demands the use of large-scale distributed computing resources and the flexibility to customize the processing performed on the collections. This paper describes MPI MapReduce (MMR), an open implementation of the MapReduce processing model that outperforms traditional forensic computing techniques. MMR provides linear scaling for CPU-intensive processing and super-linear scaling for indexing-related workloads.


international conference on digital forensics | 2007

In-Place File Carving

Golden G. Richard; Vassil Roussev; Lodovico Marziale

File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives — “junk” files with invalid formats that frequently consume large amounts of disk space.


conference on computer supported cooperative work | 2000

Composable collaboration infrastructures based on programming patterns

Vassil Roussev; Prasun Dewan; Vibhor V. Jain

In general, collaboration infrastructures have supported sharing of an object based on its logical structure. However, current implementations assume an implicit binding between this logical structure and particular system-defined abstractions. We present a new composable design based on programming patterns that eliminates this binding, thereby increasing the range of supported objects and supporting extensibility.


workshops on enabling technologies: infrastructure for collaborative enterprises | 2000

Integrating XML and object-based programming for distributed collaboration

Vassil Roussev; Prasun Dewan; Naveen Koorakula; Sriram Sellappa

Explores some of the new opportunities for distributed collaborative applications that emerge from the use of XML as a data specification language. We present two different approaches: the first one transparently adds asynchronous collaboration to applications whose persistent state is in XML format, while the second one helps build synchronous collaborative applications starting with an XML schema specification. Although the two approaches start with different assumptions, they both lead to the same problem - the need for a generic one-to-one conversion between objects and XML constructs. Using object properties, we define two variants of a conversion scheme for the two approaches.

Collaboration


Dive into Vassil Roussev's collaboration.

Top Co-Authors


Irfan Ahmed

University of New Orleans


Prasun Dewan

University of North Carolina at Chapel Hill


Andres Barreto

University of New Orleans


Candice Quates

University of New Orleans
