FACE: Automated digital evidence discovery and correlation

Authors:
Andrew Case;Andrew Cristina;Lodovico Marziale;Golden G. Richard;Vassil Roussev
Affiliations:
Department of Computer Science, University of New Orleans, New Orleans, LA 70148, USA;Department of Computer Science, University of New Orleans, New Orleans, LA 70148, USA;Department of Computer Science, University of New Orleans, New Orleans, LA 70148, USA;Department of Computer Science, University of New Orleans, New Orleans, LA 70148, USA;Department of Computer Science, University of New Orleans, New Orleans, LA 70148, USA
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2008

Citing 8
Cited 3

File System Forensic Analysis

File System Forensic Analysis
Understanding data lifetime via whole system simulation

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
The VAD tree: A process-eye view of physical memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Forensic memory analysis: From stack and code to execution history

Digital Investigation: The International Journal of Digital Forensics & Incident Response
BodySnatcher: Towards reliable volatile memory acquisition by software

Digital Investigation: The International Journal of Digital Forensics & Incident Response
User data persistence in physical memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A hardware-based memory acquisition procedure for digital investigations

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Artificial intelligence applied to computer forensics

Proceedings of the 2009 ACM symposium on Applied Computing
Machine learning in computer forensics (and the lessons learned from machine learning in computer security)

Proceedings of the 4th ACM workshop on Security and artificial intelligence
Treasure and tragedy in kmem_cache mining for live forensics investigation

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Quantified Score

Hi-index	0.00

Visualization

Abstract

Digital forensic tools are being developed at a brisk pace in response to the ever increasing variety of forensic targets. Most tools are created for specific tasks - filesystem analysis, memory analysis, network analysis, etc. - and make little effort to interoperate with one another. This makes it difficult and extremely time-consuming for an investigator to build a wider view of the state of the system under investigation. In this work, we present FACE, a framework for automatic evidence discovery and correlation from a variety of forensic targets. Our prototype implementation demonstrates the integrated analysis and correlation of a disk image, memory image, network capture, and configuration log files. The results of this analysis are presented as a coherent view of the state of a target system, allowing investigators to quickly understand it. We also present an advanced open-source memory analysis tool, ramparser, for the automated analysis of Linux systems.