Finding suspicious activity on computer systems
Rowe, Neil C.
Garfinkel, Simson L.
When computer systems are found during law enforcement, peacekeeping, counter-insurgency or similar operations, a key problem for forensic investigators is to identify useful subject-specific information in a sea of routine and uninteresting data. For instance, when a computer is obtained during a search of a criminal organization, investigators are less interested in the machines used for surfing the Internet than in the machines used for accounting of drug deals and emailing co-conspirators. We are doing research on tools to enable investigators to find such relevant information more quickly. We focus on the directory metadata of a computer drive, the listing of the stored files and directories and their properties, since examining it requires much less time than examining file contents. We discuss first the ways people try to hide things on drives. We then discuss clues that suggest concealment or atypical usage of a drive, including encryption, oddities in file names, clusters of deletions, atypical average values, and atypical clusters of files. We report on experiments we conducted with a corpus of drives purchased from a range of countries. Processing extracted the directory metadata, classified each file, and calculated suspiciousness metrics on the drives. Experimental results showed we could identify some suspicious drives within our corpus, but with a certain number of false alarms.
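To make the metadata-only clues concrete, here is an added toy implementation (not the paper's code) of three of the metrics the abstract names: random-looking file names, bursts of deletions, and an atypical per-drive average compared with the corpus. The sample records, the entropy threshold and the 15-minute deletion window are assumptions for illustration.

```python
# Added example (not the paper's code): toy suspiciousness metrics computed from
# directory metadata only, in the spirit of the clues the abstract lists.
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of one drive's directory metadata: (path, size, mtime, deleted)
SAMPLE = [
    ("Documents/report.docx",   40000, datetime(2012, 3, 1, 9, 0), False),
    ("Documents/budget.xlsx",   12000, datetime(2012, 3, 1, 9, 5), False),
    ("Documents/x9q2zk7v.bin", 900000, datetime(2012, 3, 2, 1, 0), False),
    ("Documents/qf83hd0s.dat", 700000, datetime(2012, 3, 2, 1, 1), False),
    ("Documents/ledger.xls",    30000, datetime(2012, 3, 2, 1, 10), True),
    ("Documents/emails.pst",    50000, datetime(2012, 3, 2, 1, 11), True),
    ("Documents/contacts.csv",   2000, datetime(2012, 3, 2, 1, 12), True),
    ("Documents/notes.txt",      1000, datetime(2012, 3, 9, 12, 0), True),
]

def name_entropy(path):
    """Shannon entropy (bits/char) of the base name without extension. Random-
    looking names score high; a crude proxy for the 'odd file name' clue."""
    name = path.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in Counter(name).values())

def odd_name_fraction(records, threshold=2.8):
    """Share of files whose names look random (threshold is an assumption)."""
    return sum(name_entropy(p) > threshold for p, *_ in records) / len(records)

def deletion_clusters(records, window=timedelta(minutes=15), min_size=3):
    """Number of bursts of at least min_size deletions falling within `window`."""
    times = sorted(t for _, _, t, deleted in records if deleted)
    groups, current = [], []
    for t in times:
        if current and t - current[0] > window:
            groups.append(current)
            current = []
        current.append(t)
    if current:
        groups.append(current)
    return sum(len(g) >= min_size for g in groups)

def zscore(value, corpus_values):
    """How atypical a per-drive average is relative to the rest of the corpus."""
    mean = sum(corpus_values) / len(corpus_values)
    sd = math.sqrt(sum((v - mean) ** 2 for v in corpus_values) / len(corpus_values))
    return 0.0 if sd == 0 else (value - mean) / sd
```

On the constructed sample the two random-looking names and the three-file deletion burst are flagged, while the ordinary documents are not; a real tool would replace the entropy threshold with corpus-derived statistics.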
This paper appeared in the Proc. 11th European Conf. on Information Warfare and Security, Laval, France, July 2012.
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.