Dr Sarah Morris
Digital Forensics Research Portfolio
Research Publications ~ 2013
Thumbnail Cache File Fragment Identification using a Bayesian Network
The increased awareness of digital forensics and privacy has led to a growth in users trying to remove traces of their activity. Therefore, information which may be potentially relevant to an investigation may be found in unallocated space. Artefacts found in unallocated space may only consist of a single file fragment. However, with the growing size of storage media such artefacts may be difficult to identify without using an automated method. Previous research has highlighted the importance of thumbnail cache artefacts to digital forensics. This research aims to identify single thumbnail cache file fragments using a Bayesian network. The research constructed a Bayesian network using the information gathered about the structure and characteristics of common operating system thumbnail cache file formats. The Bayesian truth tables were generated and tested using a large corpus of data created during previous research. This research identified at least 62.4% of each of the five classifications. The three classifications which contained structured information had success rates of over 98%.
Morris, S; Chivers, H; (2013); "Thumbnail Cache File Fragment Identification using a Bayesian Network"; Proceedings from 3rd Cyberforensics, University of Cardiff, Cardiff, UK
An investigation into the identification, reconstruction, and evidential value of thumbnail cache file fragments in unallocated space
This thesis establishes the evidential value of thumbnail cache file fragments identified in unallocated space. A set of criteria to evaluate the evidential value of thumbnail cache artefacts were created by researching the evidential constraints present in Forensic Computing. The criteria were used to evaluate the evidential value of live system thumbnail caches and thumbnail cache file fragments identified in unallocated space. Thumbnail caches can contain visual thumbnails and associated metadata which may be useful to an analyst during an investigation; the information stored in the cache may provide information on the contents of files and any user or system behaviour which interacted with the file. There is a standard definition of the purpose of a thumbnail cache, but not the structure or implementation; this research has shown that this has led to some thumbnail caches storing a variety of other artefacts such as network place names.
The growing interest in privacy and security has led to an increase in users attempting to remove evidence of their activities; information removed by the user may still be available in unallocated space. This research adapted popular methods for the identification of contiguous files to enable the identification of single cluster-sized fragments in Windows 7, Ubuntu, and Kubuntu. Of the four methods tested, none were able to identify each of the classifications with no false positive results; this result led to the creation of a new approach which improved the identification of thumbnail cache file fragments.
After the identification phase, further research was conducted into the reassembly of file fragments; this reassembly was based solely on the potential thumbnail cache file fragments and structural and syntactical information. In both the identification and reassembly phases of this research, image-only file fragments proved the most challenging, resulting in a potential area of continued future research. Finally, this research compared the evidential value of live system thumbnail caches with identified and reassembled fragments. It was determined that both types of thumbnail cache artefacts can provide unique information which may assist with a digital investigation. This research has produced a set of criteria for determining the evidential value of thumbnail cache artefacts; it has also identified the structure and related user and system behaviour of popular operating system thumbnail cache implementations. This research has also adapted contiguous file identification techniques to single fragment identification and has developed an improved method for thumbnail cache file fragment identification. Finally, this research has produced a proof of concept software tool for the automated identification and reassembly of thumbnail cache file fragments.
Morris, S. (2013) An investigation into the identification, reconstruction, and evidential value of thumbnail cache file fragments in unallocated space. PhD thesis. Cranfield University. Available at: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.585420.