Finding anomalous and suspicious files from directory metadata on a large corpus
Rowe, Neil C.
Garfinkel, Simson L.
MetadataShow full item record
We describe a tool Dirim for automatically finding files on a drive that are anomalous or suspicious, and thus worthy of focus during digital-forensic investigation, based on solely their directory information. Anomalies are found both from comparing overall drive statistics and from comparing clusters of related files using a novel approach of "superclustering" of clusters. Suspicious file detection looks for a set of specific clues. We discuss results of experiments we conducted on a representative corpus on 1467 drive images where we did find interesting anomalies but not much deception (as expected given the corpus). Cluster comparison performed best at providing useful information for an investigator, but the other methods provided unique additional information albeit with a significant number of false alarms.
This paper appeared in the 3rd International ICST Conference on Digital Forensics and Cyber Crime, Dublin, Ireland, October 2011.
Showing items related by title, author, creator and subject.
Determining a cost-effective mix of UAV-USV-manned platforms to achieve a desired level of surveillance in a congested strait Chng, Kim Chuan (Monterey California. Naval Postgraduate School, 2007-12);This thesis develops concepts of operations (CONOPS) and analytical models to determine the surveillance assets for a congested strait. Two maritime security threats (Reds) are a hijacked large ship carrying dangerous ...
The use of social media and smartphone applications for reporting suspicious and criminal activities to mass transit law enforcement agencies Donald, Jennifer S. (Monterey, California: Naval Postgraduate School, 2013-12);The threat of terrorism remains in the forefront daily, and public transportation systems remain a preferred target for terrorist attacks. Mass transit customers have long served as the eyes and ears of the public ...
Rowe, Neil C.; Schwamm, Riqui; Cho, Jeehee; Reed, Ahren A.; Flores, Jose J.; Das, Arijit (Monterey, California. Naval Postgraduate School, 2010-07);We report on experiments with a nonimaging sensor network for detection of suspicious behavior related to pedestrian emplacement of IEDs. Emplacement is the time when detection is the most feasible for IEDs since it almost ...