DOI: 10.1145/3465481.3470051
Research article (Public Access)

Forensic Artifact Finder (ForensicAF): An Approach & Tool for Leveraging Crowd-Sourced Curated Forensic Artifacts

Published: 17 August 2021

ABSTRACT

Current methods for artifact analysis and understanding depend on investigator expertise. Experienced and technically savvy examiners spend a lot of time reverse engineering applications while attempting to find the crumbs those applications leave behind on systems. This takes valuable time away from the investigative process and slows down forensic examination. Furthermore, when specific artifact knowledge is gained, it stays within the respective forensic units. To combat these challenges, we present ForensicAF, an approach for leveraging curated, crowd-sourced artifacts from the Artifact Genome Project (AGP). The approach has the overarching goal of uncovering forensically relevant artifacts from storage media. We explain our approach and construct it as an Autopsy Ingest Module. Our implementation focused on both File and Registry artifacts. We evaluated ForensicAF using systematic and random sampling experiments. While ForensicAF showed consistent results with registry artifacts across all experiments, it also revealed that deeper folder traversal yields more File Artifacts during data source ingestion. When experiments were conducted on case scenario disk images without a priori knowledge, ForensicAF uncovered artifacts of forensic relevance that help in solving those scenarios. We contend that ForensicAF is a promising approach for artifact extraction from storage media, and its utility will advance as more artifacts are crowd-sourced by AGP.


Published in

ARES 21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021, 1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481
Copyright © 2021 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: research-article; Research; Refereed limited

Overall acceptance rate: 228 of 451 submissions (51%)