Finding anomalous and suspicious files from directory metadata on a large corpus
Authors
Rowe, Neil C.
Garfinkel, Simson L.
Subjects
forensics
directories
files
deception
extensions
clustering
Date of Issue
2011-10
Publisher
Monterey, California. Naval Postgraduate School
Abstract
We describe a tool, Dirim, for automatically finding files on a drive that are anomalous or suspicious, and thus worthy of focus during digital-forensic investigation, based solely on their directory information. Anomalies are found both from comparing overall drive statistics and from comparing clusters of related files using a novel approach of "superclustering" of clusters. Suspicious-file detection looks for a set of specific clues. We discuss results of experiments we conducted on a representative corpus of 1467 drive images, where we did find interesting anomalies but not much deception (as expected given the corpus). Cluster comparison performed best at providing useful information for an investigator, but the other methods provided unique additional information, albeit with a significant number of false alarms.
Type
Conference Paper
Description
This paper appeared in the 3rd International ICST Conference on Digital Forensics and Cyber Crime, Dublin, Ireland, October 2011.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.