Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers

Research Article

Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus

  • @INPROCEEDINGS{10.1007/978-3-642-35515-8_10,
        author={Neil Rowe and Simson Garfinkel},
        title={Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus},
        proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={12},
        keywords={forensics directories files deception extensions clustering},
        doi={10.1007/978-3-642-35515-8_10}
    }
  • Neil Rowe
    Simson Garfinkel
    Year: 2012
    Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-35515-8_10
Neil Rowe (1, *), Simson Garfinkel (1)
  • 1: U.S. Naval Postgraduate School
* Contact email: ncrowe@nps.edu

Abstract

We describe a tool for automatically finding files on a drive that are anomalous or suspicious, and thus worthy of focus during a digital-forensic investigation, based solely on their directory information. Anomalies are found both by comparing overall drive statistics and by comparing clusters of related files using a novel approach of "superclustering" of clusters. Suspicious-file detection looks for a set of specific clues. We discuss the results of experiments we conducted on a representative corpus of 1467 drive images, in which we did find interesting anomalies but not much deception (as expected given the corpus). Cluster comparison performed best at providing useful information for an investigator, but the other methods provided unique additional information, albeit with a significant number of false alarms.