UNH Cyber Forensics Research & Education Group / Lab (Est. 2013)
Paper to be presented at Vienna University of Technology at the Tenth Annual IFIP WG 11.9 International Conference on Digital Forensics
January 1, 2014
A paper entitled "Performance of a Logical, Five-Phase, Multithreaded, Bootable Digital Forensics Triage Tool" will be presented at this conference.
Below is the Abstract from the paper:
In this paper we present a novel five-phase, multithreaded, bootable approach to digital forensic triage. The conceived triage system was tested on 57 computers (n=57). The five phases are arranged in terms of speed, from fastest to slowest. In the first phase, every file is collected from the system along with its metadata. The average time it took to complete Phase I was 398 seconds. In the second phase, EXIF camera data is collected from each image found on the system. The average time it took to complete Phase II was 306 seconds. In the third phase, each file is analyzed and categorized based on its header information. The average time it took to complete Phase III was 807 seconds. In the fourth phase, each EXE file is parsed to provide a complete audit of all the software applications on the system, and a patent-in-progress algorithm is applied to each of the files to generate a signature, to be compared later against a threat detection database. The average time it took to complete Phase IV was 2046 seconds. In the fifth phase, each file is hashed and the hash value is recorded. The average time it took to complete Phase V was 5591 seconds. All of these phases are performed in the background while the investigator is able to interact with the system.
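To make the phased, fastest-to-slowest design concrete, here is a small added example (not the paper's tool, and not code from the UNH lab) that runs a cut-down version of Phases I, III, IV and V over a constructed sample tree with a thread pool. Phase II (EXIF extraction) is omitted because it needs an image library, and Phase IV keeps only the cheap check that a file carrying an `MZ` stub really has a `PE\0\0` header at the `e_lfanew` offset; the paper's patent-in-progress signature algorithm is not reproduced. The sample files, the magic-byte table and all function names are assumptions made for this example.

```python
import hashlib
import os
import struct
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Leading-byte signatures used for Phase III classification (constructed for this example;
# a real tool would carry a much larger table).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-dosexec"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]


def phase1_collect(root):
    """Phase I: walk the tree and record path plus filesystem metadata for every file."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append({"path": path, "size": st.st_size, "mtime": st.st_mtime})
    return records


def phase3_classify(path):
    """Phase III: categorize a file by its header bytes, not its extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def phase4_is_pe(path):
    """Phase IV (simplified): an 'MZ' stub whose e_lfanew (offset 0x3c) points at 'PE\\0\\0'.
    Parsing sections, imports and version resources is left out of this example."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def phase5_hash(path, chunk=1 << 16):
    """Phase V: SHA-256 of the file, streamed so large files are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, workers=4):
    """Run the phases fastest-to-slowest; each per-file phase fans out over a thread pool."""
    records = phase1_collect(root)                       # Phase I (fastest)
    paths = [r["path"] for r in records]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        kinds = list(pool.map(phase3_classify, paths))   # Phase III
        pe_flags = list(pool.map(phase4_is_pe, paths))   # Phase IV
        digests = list(pool.map(phase5_hash, paths))     # Phase V (slowest)
    report = {}
    for rec, kind, is_pe, digest in zip(records, kinds, pe_flags, digests):
        rel = os.path.relpath(rec["path"], root).replace(os.sep, "/")
        report[rel] = {"size": rec["size"], "kind": kind, "pe": is_pe, "sha256": digest}
    return report


def make_sample_tree():
    """Construct a tiny evidence tree (sample data for this example, not a real disk image)."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "pics"))
    samples = {
        "pics/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "pics/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "notes.txt": b"hello",
        # Minimal PE shape with a misleading extension: 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
        "tool.dat": b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, info in sorted(triage(make_sample_tree()).items()):
        print(f"{rel:16} {info['kind']:24} pe={str(info['pe']):5} {info['sha256'][:16]}...")
```

The ordering matters for the investigator's experience: the cheap inventory and header classification come back within seconds, so `tool.dat` is flagged as an executable by its header long before the full-disk hashing pass completes, which mirrors the paper's observation that Phase V dominates the total run time.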