Forensic feature extraction and cross-drive analysis (2006)
category
analysis methodology prototype
context
forensic feature extraction (ffe)
lexigraphic techniques
cross drive analysis (cda)
statistical techniques
revealing the search term would require a second warrant
correctness
how did they do it? methodology
feature extraction
pseudo unique identifier
e.g. email Message-ID
single drive analysis
drive attribution (owner): take the most common email address in the To: and From: headers
cross drive analysis
first order
hot drive identification
use a histogram of feature counts per drive to identify the drives with the largest number of features
second order
multi-drive correlator
count of drives per feature
count of features that match all drives
list of drives on which each feature occurs
image the drive as AFF (Advanced Forensic Format) to save space
use afxml to extract metadata from the drive image and load it into SQL
extract strings as 8-bit, 16-bit MSB-first and 16-bit LSB-first
match the extracted features against a watch list and report hits to a human operator
index the feature file
run the multi-drive correlation
C/C++ is faster than Python for this
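The methodology above (feature extraction of pseudo-unique identifiers, single-drive owner attribution, first-order hot-drive histogram, second-order multi-drive correlation, watch-list matching and a stop list) can be shown end to end on a toy data set. The following is an added example, not code from the paper or from Garfinkel's tooling; the three "drives" are constructed text blobs standing in for the output of a string-extraction pass, and the stop-list entry `00000000@localhost` is a constructed placeholder for the kind of non-unique template ID that shows up on many drives and must be suppressed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: what a string-extraction pass over three
# drive images might yield. These are not real drives or real addresses.
DRIVE_TEXT = {
    "drive_A": (
        "From: alice@corp.example\nTo: bob@corp.example\n"
        "Message-ID: <m001@corp.example>\n"
        "From: alice@corp.example\nTo: carol@other.example\n"
        "Message-ID: <m002@corp.example>\n"
        "From: dave@other.example\nTo: alice@corp.example\n"
        "Message-ID: <m003@other.example>\n"
        "Message-ID: <00000000@localhost>\n"   # constructed template ID
    ),
    "drive_B": (
        "From: bob@corp.example\nTo: alice@corp.example\n"
        "Message-ID: <m001@corp.example>\n"
        "From: bob@corp.example\nTo: erin@corp.example\n"
        "Message-ID: <m004@corp.example>\n"
        "Message-ID: <00000000@localhost>\n"
    ),
    "drive_C": (
        "From: frank@unrelated.example\nTo: grace@unrelated.example\n"
        "Message-ID: <m001@corp.example>\n"
        "From: frank@unrelated.example\nTo: henry@unrelated.example\n"
        "Message-ID: <m005@unrelated.example>\n"
        "Message-ID: <00000000@localhost>\n"
    ),
}

# Constructed stop list (features known to be non-unique) and watch list.
STOP_LIST = frozenset({"00000000@localhost"})
WATCH_LIST = frozenset({"m004@corp.example"})

MSGID_RE = re.compile(r"Message-ID:\s*<([^>]+)>", re.IGNORECASE)
ADDR_RE = re.compile(r"^(?:From|To):\s*([\w.+-]+@[\w.-]+)", re.IGNORECASE | re.MULTILINE)


def extract_features(text):
    """Feature extraction: pseudo-unique identifiers (email Message-IDs)."""
    return set(MSGID_RE.findall(text))


def attribute_owner(text):
    """Single-drive analysis: most frequent address in From:/To: headers."""
    counts = Counter(addr.lower() for addr in ADDR_RE.findall(text))
    return counts.most_common(1)[0][0] if counts else None


def hot_drives(features_by_drive):
    """First-order CDA: histogram of feature counts, largest first."""
    return sorted(((d, len(f)) for d, f in features_by_drive.items()),
                  key=lambda item: (-item[1], item[0]))


def multi_drive_correlate(features_by_drive):
    """Second-order CDA: drives per feature, features on all drives,
    and the drive list for every feature seen on more than one drive."""
    drives_for = defaultdict(set)
    for drive, feats in features_by_drive.items():
        for feat in feats:
            drives_for[feat].add(drive)
    n_drives = len(features_by_drive)
    drives_per_feature = {f: len(d) for f, d in drives_for.items()}
    on_all = sorted(f for f, d in drives_for.items() if len(d) == n_drives)
    shared = {f: sorted(d) for f, d in drives_for.items() if len(d) > 1}
    return drives_per_feature, on_all, shared


def analyze(drive_text, stop_list=frozenset(), watch_list=frozenset()):
    """Run the whole pipeline; the stop list is applied before correlation."""
    feats = {d: extract_features(t) - stop_list for d, t in drive_text.items()}
    owners = {d: attribute_owner(t) for d, t in drive_text.items()}
    per_feature, on_all, shared = multi_drive_correlate(feats)
    watch_hits = {d: sorted(f & watch_list) for d, f in feats.items() if f & watch_list}
    return {
        "owners": owners,
        "hot_drives": hot_drives(feats),
        "drives_per_feature": per_feature,
        "features_on_all_drives": on_all,
        "shared_features": shared,
        "watch_hits": watch_hits,
    }


if __name__ == "__main__":
    for key, value in analyze(DRIVE_TEXT, STOP_LIST, WATCH_LIST).items():
        print(f"{key}: {value}")
```

Running `analyze` without the stop list reports `00000000@localhost` as a feature present on every drive, which is exactly the false correlation a stop list exists to remove; with it, only `m001@corp.example` links all three drives, and the multi-drive correlator output is what would be handed to an analyst to prioritise drives and to check watch-list hits.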
statistics
presented statistics on what they found: feature counts per drive, etc.
conclusion
was able to identify drives from the same organization, and drives with a high concentration of financial records, to help prioritization
how can I apply this to my work?
add linguistic awareness, e.g. Rosette Linguistics Platform
hashes of individual sectors as features
contribution
identification of hot drives
creation of stop list for single drive analysis
social network membership
relevant references
credibility
who wrote it?
Simson Garfinkel
where work?
consulting scientist at Basis Technology
where was it published? was it referenced?
DFRWS 2006; cited by almost 100