
dc.contributor.author: Garfinkel, Simson L.
dc.contributor.author: Parker-Wood, Aleatha
dc.contributor.author: Huynh, Daniel
dc.contributor.author: Migletz, James
dc.date: December 2010
dc.date.accessioned: 2015-01-12T17:01:56Z
dc.date.available: 2015-01-12T17:01:56Z
dc.date.issued: 2010-12
dc.identifier.uri: http://hdl.handle.net/10945/44283
dc.description: The article of record as published may be located at http://dx.doi.org/10.1109/TIFS.2010.2060484 [en_US]
dc.description.abstract: This paper presents a novel solution to the problem of determining the ownership of carved information found on disk drives and other storage media that have been used by more than one person. When a computer is subject to forensic examination, information may be found that cannot be readily ascribed to a specific user. Such information is typically not located in a specific file or directory, but is found through file carving, which recovers data from unallocated disk sectors. Because the data is carved, it does not have associated file system metadata, and its owner cannot be readily ascertained. The technique presented in this paper starts by automatically recovering both file system metadata as well as extended metadata embedded in files (for instance, embedded timestamps) directly from a disk image. This metadata is then used to find exemplars and to create a machine learning classifier that can be used to ascertain the likely owner of the carved data. The resulting classifier is well suited for use in a legal setting since the accuracy can be easily verified using cross-validation. Our technique also results in a classifier that is easily validated by manual inspection. We report results of the technique applied to both specific hard drive data created in our laboratory and multiuser drives that we acquired on the secondary market. We also present a tool set that automatically creates the classifier and performs validation. [en_US]
dc.rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States. [en_US]
dc.title: An Automated Solution to the Multiuser Carved Data Ascription Problem [en_US]
dc.type: Article [en_US]
dc.contributor.department: Computer Science (CS)
dc.subject.author: Data mining [en_US]
dc.subject.author: forensics [en_US]
dc.subject.author: information security [en_US]

