Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers

Research Article

Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus

Download56 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-35515-8_10,
        author={Neil Rowe and Simson Garfinkel},
        title={Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus},
        proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={12},
        keywords={forensics directories files deception extensions clustering},
        doi={10.1007/978-3-642-35515-8_10}
    }
    
  • Neil Rowe
    Simson Garfinkel
    Year: 2012
    Finding Anomalous and Suspicious Files from Directory Metadata on a Large Corpus
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-35515-8_10
Neil Rowe1,*, Simson Garfinkel1
  • 1: U.S. Naval Postgraduate School
*Contact email: ncrowe@nps.edu

Abstract

We describe a tool for automatically finding files on a drive that are anomalous or suspicious, and thus worthy of focus during digital-forensic investigation, based on solely their directory information. Anomalies are found both from comparing overall drive statistics and from comparing clusters of related files using a novel approach of "superclustering" of clusters. Suspicious file detection looks for a set of specific clues. We discuss results of experiments we conducted on a representative corpus on 1467 drive images where we did find interesting anomalies but not much deception (as expected given the corpus). Cluster comparison performed best at providing useful information for an investigator, but the other methods provided unique additional information albeit with a significant number of false alarms.