Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Date of Graduation

Spring 2013

Document Type

Thesis

Degree Name

Master of Science (MS)

Department

Department of Computer Science

Abstract

As our day-to-day interaction with technology continues to grow, so does the amount of data created through this interaction. The science of digital forensics grew out of the need for specialists to recover, analyze, and interpret this data. When events or actions, whether by accident or with criminal intent, create, delete, or manipulate data, it is the role of a digital forensics analyst to acquire this data and draw conclusions from the discovered facts about who or what is responsible for the event. This thesis identifies a gap in the research between data analysis and interpretation. Current research and tool development have been focusing on data acquisition techniques and file carving. Data acquisition is the process of recovering a forensically sound copy of the evidence, such as a bit-by-bit copy of a hard drive or an image of the contents of a computer system’s RAM. File carving is the process of searching for and extracting files from the acquired data. Few tools provide a means of quick and easy file validation and data extraction once files have been recovered, and the tools that do are either limited in their ability or very complex, requiring a lot of overhead and a steep learning curve to use effectively. The tool created through this research fills this gap. The tool utilizes a file description language that can textually describe the layout and on-disk format of a file type’s data. This language is very intuitive and easy for humans to read and understand. By using a description as input, the tool builds a syntax tree that can be used to parse and extract various fields of interest from any file matching the provided description. This allows for the quick analysis and interpretation of any file type, even those with uncommon or proprietary formats, as long as a valid description is provided.
