Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus

Rowe, Neil C.; Garfinkel, Simson L.

doi:10.1007/978-3-642-35515-8_10

Cited by 19 publications

(24 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Garfinkel and Migletz [76] develop a tool for automatic metadata extraction from digital evidence. Rowe and Garfinkel [174] develop a tool that uses directory and file metadata to determine anomalous files on a large corpus. The tool uses fiwalk [78] to traverse the corpus and compute statistical characteristics on the numerical metadata and generate 204 output files based on which anomalous files such as misnamed files and duplicate copies of files were identified.…”

Section: "Metadata Includes Information About the Document Or File Thmentioning

confidence: 99%

Digital forensic research: current state of the art

Raghavan

2012

CSIT

113

View full text Add to dashboard Cite

Abstract-Digital Forensics is the process of employing scientific principles and processes analyze electronically stored information to determine the sequence of events which led to a particular incident. In this digital age, it is important for researchers to become aware of the recent developments in this dynamic field and understand scope for the future. The past decade has witnessed significant technological advancements to aid during a digital investigation. Many methodologies, tools and techniques have found their way into the field designed on forensic principles. Digital forensics has also witnessed many innovative approaches that have been explored to acquire and analyze digital evidence from diverse sources. In this paper, we review the research literature since 2000 and categorize developments in the field into 4 major categories. In recent years the exponential growth of technological has also brought with it some serious challenges for digital forensic research which is elucidated. Within each category, research is sub-classified into conceptual and practical advancements. We highlight the observations made by previous researchers and summarize the research directions for the future.

show abstract

Section: "Metadata Includes Information About the Document Or File Thmentioning

confidence: 99%

Digital forensic research: current state of the art

Raghavan

2012

CSIT

113

View full text Add to dashboard Cite

show abstract

“…Many of the techniques these researchers use apply to our problem. For instance, Rowe and Garfinkel [7] point out that files that have close proximity in creation or modification times can have causal relationships, and they also look for co-occurrence of files that are duplicated in a snapshot.…”

Section: Introductionmentioning

confidence: 99%

Single-Snapshot File System Analysis

Wildani

Adams

Miller

2013

2013 IEEE 21st International Symposium on Modelling, Analysis and Simulation of Computer and Telecommunication Systems

View full text Add to dashboard Cite

Abstract-Metadata snapshots are a common method for gaining insight into filesystems due to their small size and relative ease of acquisition. Since they are static, most researchers have used them for relatively simple analyses such as file size distributions and age of files. We hypothesize that it is possible to gain much richer insights into file system and user behavior by clustering features in metadata snapshots and comparing the entropy within clusters to the entropy within natural partitions such as directory hierarchies. We discuss several different methods for gaining deeper insights into metadata snapshots, and show a small proof of concept using data from Los Alamos National Laboratories. In our initial work, we see evidence that it is possible to identify user locality information, traditionally the purview of dynamic traces, using a single static snapshot.

show abstract

“…For instance, it may be necessary to generate a list of all files that were created at a particular location determined based on the EXIF lat-long information of a digital photograph or determine doctored photographs and group them with their originals or identify the different versions of a document that exist and determine the original (oldest) document using a timeline. This requires an approach which can identify not just identical files [29] but also other forms of file associations. We demonstrate this approach on unknown collections of digital image files and word processing documents.…”

Section: Metadata For Grouping Filesmentioning

confidence: 99%

“…Document metadata may also record information about where it was created (geo-tagging), number of pages/ slides, formatting type, encoding type and so on. Rowe and Garfinkel [29] have analyzed the same digital corpora govdocs1 file repository [15] to determine anomalous documents. They compute statistical characteristics using directory metadata and identify the top and bottom 5 percentile in the repository as outliers.…”

Section: Document Relationships and Analysismentioning

confidence: 99%

“…Castiglione et al [8] highlighted the information that can be obtained from the Microsoft Compound Document File Format (MCDFF) and lists some metadata useful in forensic investigations. Rowe and Garfinkel [29] Fig. 1 Illustrating the differences in image classification versus association developed a tool that used directory and file metadata to determine anomalous files on a large corpus.…”

Section: Use Of File Metadata In Digital Forensicsmentioning

confidence: 99%

See 1 more Smart Citation

Eliciting file relationships using metadata based associations for digital forensics

Raghavan¹

2014

CSIT

View full text Add to dashboard Cite

In the conventional system of analysis that is concerned with digital forensics, content is analyzed to describe the state of files in digital evidence and ascertain their relevance. Such content analysis is carried out using ''searching''. When searching a file or for a file, use of keywords is the norm. When the exact words are not known, one may use regular expression search which uses a more flexible language for describing a set of keywords that fit a pattern. During analysis, there is also a need to identify all types of associations that exist between the files to answer the six fundamental questions of what, when, where, how, who and why. If the keywords and pattern have limited scope, an examiner often has very little to go on. Metadata contains information that represents the state of a file, even if partially. Besides, metadata based search is amenable to automation by virtue of the ubiquitous nature of metadata. During analysis, metadata can be used to ascertain the nature of digital photographs that were processed using software and identify digitally generated images that resemble original photographs. Metadata can also be used to identify word processing documents that were derived from other documents and stored as a duplicate or after modification in such a way that traditional techniques cannot detect. Often what is needed is the ability to identify section(s) of the evidence where relevant information appears to reside. Metadata based matches give rise to file relationships that encapsulate the event sequence among related files aiding in the discovery. This paper proposes a method to automatically identify associations among the files in digital evidence at the syntactic and semantic levels using metadata. We apply this method to identify metadata associations from collections of image files and word processing documents and elicit inter-file relationships for the purpose of identifying interesting or relevant files from large file collections in digital evidence. We demonstrate that the file relationships identified using metadata help in the identification of doctored photographs and copied documents.

show abstract

Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus

Cited by 19 publications

References 12 publications

Digital forensic research: current state of the art

Digital forensic research: current state of the art

Single-Snapshot File System Analysis

Eliciting file relationships using metadata based associations for digital forensics

Contact Info

Product

Resources

About