Embed Size (px)
DESCRIPTION
“XIRAF – XML-based indexing and querying for digital forensics”. A summary of the report written by W. Alink, R.A.F. Bhoedjang, P.A. Boncz, and A.P. de Vries. The Problem. Large amount of data – possibly terabytes Limited amount of time Higher chance of missing traces Diversity of data - PowerPoint PPT Presentation
Citation preview
A summary of the report written by W. Alink, R.A.F. Bhoedjang, P.A. Boncz, and A.P. de Vries.
The ProblemLarge amount of data – possibly terabytes
Limited amount of timeHigher chance of missing traces
Diversity of dataToo many specialized toolsDifficult to integrate results
Time constraints Knowledge constraints
SolutionSeparate feature extraction from analysis:
Feature Extraction: The extraction of useful features from raw data- Includes more than just file data
Analysis: Browsing, querying and correlating. One output format for forensic analysis tools
(based on XML) XML for storing and querying the output of the
tools. Automate feature extraction
Various current projects in law enforcement community related to automated feature extraction
XIRAFPrototype system that uses this approach“XML Information Retrieval Approach to
digital Forensics”Automatic feature extraction from disk
image/sStores data in XML databaseUses XQuery (XML query language) to
access the database and the data from the disk-image.
Framework3 components:
Tool repository: feature extraction toolsFeature extraction manager: manages the
invocation of the tools, merges output and stores it in storage subsystem.
Storage subsystem: composed of raw evidence (binary large objects) and extracted features (XML)
General Overview of processImage fed to system (binary data)Feature Extraction Manager extracts useful
features(uses tool repository) Feature Extraction Manager stores features in
single XML document (in form of a tree).The Feature Extraction Manager can then run
other tools on the found data and add to the xml document.
Data stored in storage sub system, where the binary data or the XML tree can be accessed
Forensic Applications Timeline browser
Mainstream tools do file-system browsing (relies on file-system meta-data)
This application of XIRAF can get all XML fragments with a timestamp, gathered from different tools (which could include things like chat logs).
Photo searchFinds digital images that meet desired conditionsCan consider camera model, date and time of
recording, image resolution and more.
Forensic Applications Child Pornography Detection
Uses hash of various files that are known to contain child pornography
Matches files against a database of hashesThe hash database is converted to XML, and
preloaded into the XML database XIRAF contains.
The comparison is done during the feature extraction phase.
Conclusion/future workToo early to draw definitive conclusions (just
a prototype)An increasing number of tools have started
producing output in XML. Mobile phone queriesMore knowledge bases
References
W. Alink, R.A.F. Bhoedjang, P.A. Boncz, and A.P. de Vries. ““XIRAF – XML-based indexing and querying for digital forensics”. Available at: http://dfrws.org/2006/proceedings/7-Alink.pdf
