http://dx.doi.org/10.13089/JKIISC.2015.25.6.1421

Development of Windows forensic tool for verifying a set of data  

Kim, Min-Seo (Center for Information Security Technologies (CIST), Korea University)
Lee, Sang-jin (Center for Information Security Technologies (CIST), Korea University)
Abstract
For accurate analysis in the forensics of digital devices and computers, validating the reliability of digital forensic tools is very important. To verify the reliability of a tool, it is necessary to research and develop data sets to be used as input to the tool. On computers running the widely used Windows operating system, there are Windows forensic artifacts associated with time and with system behavior. In this paper, we developed a data set for the Windows operating system with which both kinds of Windows artifacts can be analyzed, and we conducted a test with published digital forensic tools. The developed data set can be used in the following ways. First, artifact education, to build the ability to analyze artifacts on the basis of actions. Second, tool testing, to verify the reliability of digital forensic tools. Lastly, reuse for the analysis of new artifacts.
Keywords
Digital forensics; Data set; Corpus; Corpora; Digital forensics tool testing;