
Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus

  • Conference paper
Digital Forensics and Cyber Crime (ICDF2C 2011)

Abstract

We describe a tool, Dirim, for automatically finding files on a drive that are anomalous or suspicious, and thus worthy of focus during a digital-forensic investigation, based solely on their directory information. Anomalies are found both by comparing overall drive statistics and by comparing clusters of related files using a novel approach of "superclustering" of clusters. Suspicious-file detection looks for a set of specific clues. We discuss results of experiments we conducted on a representative corpus of 1467 drive images, where we did find interesting anomalies but not much deception (as expected given the corpus). Cluster comparison performed best at providing useful information for an investigator, but the other methods provided unique additional information, albeit with a significant number of false alarms.
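The abstract describes two of the three detection strategies only at a high level: comparing a file against other files in a cluster of related files, and comparing summary statistics of one drive against the rest of the corpus. The following is an added example, not the paper's Dirim tool and not its superclustering algorithm, showing the shape of both metadata-only checks in Python. The cluster key (top-level directory plus extension), the robust median/MAD z-score, the thresholds, the choice of "share of .exe files" as the drive-level statistic, and the constructed five-drive corpus are all assumptions made for illustration.

```python
"""Metadata-only anomaly checks over a constructed corpus of drive listings.

Added example, not the paper's Dirim tool. Two checks are shown:
1. Cluster comparison: within each drive, files are grouped by
   (top-level directory, extension) and a file is flagged when its size is
   a robust outlier (median/MAD z-score) inside its own cluster.
2. Drive-level statistics: a per-drive summary statistic (here the share of
   .exe files, an assumed choice) is scored the same way across all drives.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

File = Tuple[str, int]  # (path relative to the volume root, size in bytes)

MAD_SCALE = 1.4826  # scales MAD to a standard deviation for normal data


def robust_z(values: List[float], x: float) -> float:
    """Robust z-score of x against values, using median and MAD.

    Medians resist the very outliers we are looking for, so one huge file
    does not inflate the scale the way a standard deviation would. If MAD is
    zero (all values identical) anything off the median is infinitely far.
    """
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        if x == med:
            return 0.0
        return float("inf") if x > med else float("-inf")
    return (x - med) / (MAD_SCALE * mad)


def cluster_key(path: str) -> Tuple[str, str]:
    """Assumed cluster key: top-level directory and lower-cased extension."""
    parts = path.split("/")
    top = parts[0] if len(parts) > 1 else ""
    name = parts[-1]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return (top, ext)


def cluster_anomalies(files: List[File], threshold: float = 3.5,
                      min_cluster: int = 4):
    """Return (path, cluster_key, z) for files whose size is an outlier
    within their cluster. Small clusters are skipped: a 'typical' size
    cannot be estimated from two or three files."""
    clusters: Dict[Tuple[str, str], List[File]] = defaultdict(list)
    for path, size in files:
        clusters[cluster_key(path)].append((path, size))
    flagged = []
    for key, members in clusters.items():
        if len(members) < min_cluster:
            continue
        sizes = [s for _, s in members]
        for path, size in members:
            z = robust_z(sizes, size)
            if abs(z) > threshold:
                flagged.append((path, key, round(z, 1)))
    return flagged


def exe_share(files: List[File]) -> float:
    """Drive-level statistic (assumed): fraction of files with a .exe extension."""
    return sum(1 for p, _ in files if cluster_key(p)[1] == "exe") / len(files)


def drive_anomalies(corpus: Dict[str, List[File]], threshold: float = 3.5):
    """Return (drive, share, z) for drives whose .exe share is an outlier
    relative to the other drives in the corpus."""
    shares = {d: exe_share(f) for d, f in corpus.items()}
    vals = list(shares.values())
    out = []
    for drive, share in shares.items():
        z = robust_z(vals, share)
        if abs(z) > threshold:
            out.append((drive, round(share, 3), round(z, 1)))
    return out


def make_drive(user: str, n_dll: int, n_docx: int, n_exe: int) -> List[File]:
    """Constructed, deterministic directory listing for one synthetic drive."""
    files: List[File] = []
    files += [(f"Windows/System32/lib{i}.dll", 48_000 + 1_000 * i) for i in range(n_dll)]
    files += [(f"Users/{user}/Documents/report{i}.docx", 110_000 + 5_000 * i) for i in range(n_docx)]
    files += [(f"Users/{user}/Documents/tool{i}.exe", 300_000 + 10_000 * i) for i in range(n_exe)]
    return files


# Constructed corpus: drive_A carries one oversized DLL in an otherwise uniform
# cluster; drive_C carries an unusually high share of executables.
CORPUS: Dict[str, List[File]] = {
    "drive_A": make_drive("alice", 4, 4, 1) + [("Windows/System32/lib_odd.dll", 5_000_000)],
    "drive_B": make_drive("bob", 4, 4, 1),
    "drive_C": make_drive("carol", 4, 2, 6),
    "drive_D": make_drive("dave", 5, 5, 1),
    "drive_E": make_drive("erin", 5, 4, 1),
}

if __name__ == "__main__":
    for drive, files in CORPUS.items():
        for path, key, z in cluster_anomalies(files):
            print(f"{drive}: {path} is a size outlier in cluster {key} (z={z})")
    for drive, share, z in drive_anomalies(CORPUS):
        print(f"{drive}: .exe share {share} is an outlier across the corpus (z={z})")
```

Both checks run from path and size alone, which is the point of a directory-metadata triage pass: it needs no file contents and scales to a corpus of many images. The cluster check is the more specific of the two, since it compares a file only with its peers; the drive-level check trades that precision for coverage and, as the abstract notes for the non-cluster methods, will raise more false alarms on a small or heterogeneous corpus.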


Copyright information

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Rowe, N.C., Garfinkel, S.L. (2012). Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus. In: Gladyshev, P., Rogers, M.K. (eds) Digital Forensics and Cyber Crime. ICDF2C 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 88. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35515-8_10


  • DOI: https://doi.org/10.1007/978-3-642-35515-8_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35514-1

  • Online ISBN: 978-3-642-35515-8

