My Road to Digital Forensics Excellence

Forensic research projects

Posted by Paul Bobby on July 23, 2009

I have been maintaining a list of digital forensics related research projects, from small to large. The purpose is to serve as a source of inspiration for quick-hit EnScripts, analyses of artifacts and processes, and so on. I decided to share my current version of the list in the hope that it inspires readers to find opportunities to become notable in the world of digital forensics.

File Erasers

From simple deletes to commercial file system cleaners, review the tools available for hiding a user's computer tracks. For each product determine the method of cleaning (delete only, single-pass zero fill, pattern passes, random overwrite), the artifacts left behind, indicators of usage, and so on. Compare the usage of these tools in high-security mode (routine, configured cleaning) versus panic mode (a hurried, last-minute wipe).
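One first step in the "method of cleaning" question is to look at what the eraser actually wrote over the data. The following is an added example, not code from the original post: it classifies 512-byte sectors of an image as zero-filled, filled with one repeated byte (a pattern pass), high-entropy (a random overwrite) or ordinary data, and coalesces adjacent sectors into runs so a wiped region shows up as one line. The entropy threshold, the sector size and the sample image are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

SECTOR_SIZE = 512          # classify in 512-byte sectors (assumption)
RANDOM_ENTROPY_BITS = 7.0  # heuristic threshold for "random overwrite" (assumption)


def classify_sector(sector: bytes) -> str:
    """Guess how a sector was overwritten: 'zero', 'constant' (one repeated
    byte, e.g. 0xFF or 0x55 from a pattern pass), 'random' (high-entropy
    overwrite) or 'data' (ordinary content)."""
    counts = Counter(sector)
    if len(counts) == 1:
        return "zero" if sector[0] == 0 else "constant"
    n = len(sector)
    # Shannon entropy in bits per byte; plain text sits around 4-5 bits,
    # random bytes in a 512-byte sample come out well above 7.
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return "random" if entropy >= RANDOM_ENTROPY_BITS else "data"


def scan_image(image: bytes, sector_size: int = SECTOR_SIZE):
    """Walk an image and coalesce consecutive sectors with the same class.
    Returns a list of (byte_offset, class, sector_count) runs."""
    runs = []
    for off in range(0, len(image), sector_size):
        cls = classify_sector(image[off:off + sector_size])
        if runs and runs[-1][1] == cls:
            runs[-1] = (runs[-1][0], cls, runs[-1][2] + 1)
        else:
            runs.append((off, cls, 1))
    return runs


def constructed_image() -> bytes:
    """Constructed sample image: 4 sectors of text, 4 zero-filled sectors,
    4 sectors of 0xFF, and 4 sectors of deterministic pseudo-random bytes
    (SHA-256 digests) standing in for a random-overwrite pass."""
    text = (b"Meeting notes 2009-07-23: review wipe tool artifacts.\r\n" * 40)[:4 * SECTOR_SIZE]
    zeros = bytes(4 * SECTOR_SIZE)
    ones = b"\xff" * (4 * SECTOR_SIZE)
    rnd = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return text + zeros + ones + rnd


if __name__ == "__main__":
    for offset, cls, count in scan_image(constructed_image()):
        print(f"offset {offset:>8}  {cls:<8}  {count} sectors")
```

Run against a real image the interesting output is not the class of any one sector but where the runs sit: a block of constant or random sectors inside allocated file content or file slack, rather than in never-used space, is the kind of indicator of usage the research prompt asks for. Entropy alone cannot separate a random overwrite from compressed or encrypted content, so runs flagged "random" still need to be checked against the file system.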

Internet Accelerators

Modern browser features, browser plugins and stand-alone tools speed up web browsing, for example by prefetching links the user never clicked. These tools complicate the answer to the question: “How responsible am I for the Internet history on my computer?”

Memory Analysis

This has been a hot topic for a while now. Some research areas:

Sweep Enterprise

EnCase Enterprise specific: it contains the ability to run a triage process against your enterprise, in the form of the Compromise Assessment Module. Document a process for triage using this function; there is little information about this powerful feature out there. I’ve posted a thorough and repeatable test for this module here; there is an issue currently, and I’ve received a temporary fix.

Forensic Visualization

There is a lot of discussion regarding the presentation and visualization of data for various kinds of analysis, but more research is needed on the use of visualization in forensic analysis specifically. Timeline analysis comes to mind. Mandiant’s log analysis tool is another.

Windows SteadyState

This will require a significant reverse engineering effort. Windows SteadyState is gaining some headway; I have blogged about it a few times. I’ve run into a roadblock concerning the SteadyState cache file and the ability to extract forensic evidence from it.

WBEM and PCHealth

Determine whether there is any forensic benefit to dead-box analysis of the WBEM and PCHealth data stores. For system32\wbem: can WMI queries be run against the offline repository? Can it be parsed out directly? Is there any benefit to doing so?

Some new timestamp sources for timeline analysis:

  • In the system32\wbem tree, search for <LastWriteDate>200###### and sort by hit text
  • Search Collected*.xml in the windows\pchealth tree
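The LastWriteDate hits above only become timeline rows once they are normalised to UTC. This added example (not code from the original post) pulls `<LastWriteDate>` values out of XML text and converts them from WMI's CIM_DATETIME layout (`yyyymmddHHMMSS.mmmmmm` followed by a signed offset from UTC in minutes) into sortable UTC timestamps, setting aside values WMI wrote with `*` wildcards instead of guessing at them. The element layout and the two sample documents are constructed assumptions based on the search strings, not dumps of real files.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME: yyyymmddHHMMSS.mmmmmmsUUU, where s is '+' or '-' and UUU is
# the offset from UTC in minutes. Fields WMI does not know are written as '*';
# this strict pattern rejects those rather than inventing a time.
CIM_DATETIME = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")
LAST_WRITE = re.compile(r"<LastWriteDate>([^<]*)</LastWriteDate>")


def parse_cim_datetime(value: str):
    """Convert a CIM_DATETIME string to a timezone-aware UTC datetime,
    or return None if the value is malformed or contains wildcard fields."""
    m = CIM_DATETIME.match(value.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    offset = timedelta(minutes=int(off))
    if sign == "-":
        offset = -offset
    local = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                     int(us), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def extract_timeline(documents):
    """documents: iterable of (source_path, xml_text).
    Returns (rows, rejected): rows are (utc_datetime, source_path, raw_value)
    sorted oldest first; rejected keeps unparsable values so nothing silently
    disappears from the timeline."""
    rows, rejected = [], []
    for source, text in documents:
        for raw in LAST_WRITE.findall(text):
            ts = parse_cim_datetime(raw)
            if ts is None:
                rejected.append((source, raw))
            else:
                rows.append((ts, source, raw))
    rows.sort()
    return rows, rejected


# Constructed sample input standing in for files from the wbem and pchealth
# trees (assumption: the element layout, paths and values are made up here).
SAMPLE_DOCS = [
    (r"WINDOWS\system32\wbem\Logs\sample.xml",
     "<Object><LastWriteDate>20090723143000.000000-240</LastWriteDate></Object>"),
    (r"WINDOWS\pchealth\helpctr\DataColl\CollectedData_1.xml",
     "<r><LastWriteDate>20090115083015.500000+000</LastWriteDate>"
     "<LastWriteDate>20090723******.******+***</LastWriteDate></r>"),
]

if __name__ == "__main__":
    rows, rejected = extract_timeline(SAMPLE_DOCS)
    for ts, source, raw in rows:
        print(ts.isoformat(), source, raw)
    for source, raw in rejected:
        print("REJECTED", source, raw)
```

The offset handling is the part worth checking by hand before trusting a run: `-240` means the machine was four hours behind UTC, so a local 14:30 becomes 18:30 UTC, and a timeline that mixes these rows with file system timestamps already in UTC will only line up if that conversion was done.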

Exculpatory versus Inculpatory

A huge number of forensic artifacts and indicators are discovered during an investigation. For each of them, from Internet history to antivirus hits, from file system timestamps to email creation, determine the following:

  • Inculpatory characteristics: what about the artifact proves the allegation?
  • Exculpatory characteristics: what about the artifact disproves the allegation?

Temporal Analysis

In conjunction with the forensic visualization topic above, this research topic adds some intelligence to the automated visualization process. The idea is to give each item in your timeline listing a weight. For example, a single Last Written value in the registry might carry more weight than 500 Last Written values all within seconds of each other, since the latter usually means an install or update rather than a deliberate act.

Malware compromise often leaves only a few timeline artifacts: a handful of registry changes, a few file system changes, and that’s it. That kind of small, tightly grouped block of change should stand out.
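The weighting idea can be tried out without any visualization tooling. This is an added example, not code from the original post: it sorts timeline items by time, splits them into bursts wherever the gap between neighbours exceeds a window, and scores each burst so that a lone write and a small registry-plus-file block outrank a 500-key flood. The window, the scoring formula (number of artifact types divided by log2 of the burst size plus one) and the sample timeline are all assumptions constructed for the example.

```python
import math
from datetime import datetime, timedelta

BURST_GAP = timedelta(seconds=10)  # assumed gap that separates two bursts


def cluster_by_time(items, gap=BURST_GAP):
    """Group timeline items (dicts with 'time', 'type', 'desc') into bursts:
    a new burst starts when the gap to the previous item exceeds `gap`."""
    items = sorted(items, key=lambda it: it["time"])
    bursts, current = [], []
    for it in items:
        if current and it["time"] - current[-1]["time"] > gap:
            bursts.append(current)
            current = []
        current.append(it)
    if current:
        bursts.append(current)
    return bursts


def score_burst(burst):
    """Weight heuristic (an assumption for this example): the more items in
    a burst, the less each one says on its own, so scale by 1/log2(n+1); a
    burst touching several artifact types (registry and file system, say) is
    rarer than a one-type flood, so multiply by the number of types."""
    n = len(burst)
    types = {it["type"] for it in burst}
    return len(types) / math.log2(n + 1)


def score_timeline(items, gap=BURST_GAP):
    """Return the bursts as summary dicts, most noteworthy first."""
    out = []
    for b in cluster_by_time(items, gap):
        out.append({
            "start": b[0]["time"], "end": b[-1]["time"], "size": len(b),
            "types": sorted({it["type"] for it in b}),
            "score": score_burst(b),
        })
    out.sort(key=lambda c: c["score"], reverse=True)
    return out


def sample_timeline():
    """Constructed timeline (not real evidence): a 500-key registry flood
    from a software install, a six-item registry-plus-file block an hour
    and a half later, and one lone registry write at noon."""
    t0 = datetime(2009, 7, 23, 9, 0, 0)
    items = [{"time": t0 + timedelta(milliseconds=10 * i), "type": "registry",
              "desc": f"HKLM\\Software\\Vendor\\Key{i} LastWritten"} for i in range(500)]
    t1 = datetime(2009, 7, 23, 10, 30, 0)
    for i in range(3):
        items.append({"time": t1 + timedelta(seconds=i), "type": "registry",
                      "desc": f"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value{i}"})
        items.append({"time": t1 + timedelta(seconds=3 + i), "type": "file",
                      "desc": f"C:\\WINDOWS\\system32\\svc{i}.dll created"})
    items.append({"time": datetime(2009, 7, 23, 12, 0, 0), "type": "registry",
                  "desc": "HKCU\\Software\\Tool\\LastRun LastWritten"})
    return items


if __name__ == "__main__":
    for c in score_timeline(sample_timeline()):
        print(f"{c['start']} .. {c['end']}  n={c['size']:<4} types={c['types']}  score={c['score']:.3f}")
```

With these numbers the lone write scores 1.0, the six-item mixed block about 0.71 and the install flood about 0.11, which is the ordering the paragraph asks for. The formula is deliberately simple; the research question is which features (burst size, type mix, location on disk, time of day) actually separate malware blocks from updates and installs on real timelines.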

