The historical focus of forensics research and tools on digital systems seized from a suspect overlooks the fact that in centrally controlled networks it is possible to collect evidence proactively and continuously, in advance of any known need. We present a proof-of-concept for PROOFS, the first proposed continuous forensic evidence collection system that applies information retrieval techniques to file system forensics. PROOFS creates and stores signatures for files that are deleted, edited, or copied within such a network. The heart of each signature is one or more fingerprints generated from statistical properties of the file's contents; a fingerprint preserves the file's semantics while requiring as little as 1.06% of the original file's storage space. We focus on text documents and show that PROOFS achieves a precision of 0.96 and a recall of 0.85 with stored fingerprints of less than 375 bytes. The two contributions of this work are showing that common environments exist in which proactive collection of forensic evidence is possible, and demonstrating an efficient and accurate mechanism for collecting evidence in those environments.
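As an added illustration (not the PROOFS implementation and not the authors' code), the following Python models the workflow the abstract describes: a compact fingerprint is computed for a text document at the moment it is deleted or edited, only the fingerprint is retained, and an investigator later matches a recovered document against the store and scores the results with precision and recall. The fingerprint here is a 64-value min-hash over word 3-grams packed into 256 bytes, chosen as a stand-in for the statistical fingerprints the paper uses; the sample corpus, the 0.5 match threshold, and all parameters are constructed for the example.

```python
"""Compact content fingerprints for proactive evidence collection.

Added illustration, not the PROOFS implementation: a min-hash signature over
word shingles stands in for the paper's statistical fingerprints.  The corpus,
thresholds and parameters below are constructed for this example.
"""
import hashlib
import re
import struct

NUM_HASHES = 64      # 64 x 4-byte minima = 256-byte fingerprint (assumption)
SHINGLE_LEN = 3      # word 3-grams (assumption)
FP_FMT = ">%dI" % NUM_HASHES


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped so that trivial edits
    perturb the shingle set as little as possible."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, n=SHINGLE_LEN):
    """Set of overlapping n-word shingles (a short text yields one shingle)."""
    toks = tokenize(text)
    if len(toks) < n:
        return {" ".join(toks)} if toks else set()
    return {" ".join(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def _h32(seed, item):
    """Seeded 32-bit hash derived from SHA-256, deterministic across runs."""
    digest = hashlib.sha256(struct.pack(">I", seed) + item.encode("utf-8")).digest()
    return struct.unpack(">I", digest[:4])[0]


def fingerprint(text):
    """Fixed-size fingerprint: for each of NUM_HASHES seeded hash functions,
    the minimum hash over all shingles, packed big-endian into bytes."""
    sh = shingles(text)
    if not sh:
        return b"\xff" * (4 * NUM_HASHES)
    minima = [min(_h32(seed, s) for s in sh) for seed in range(NUM_HASHES)]
    return struct.pack(FP_FMT, *minima)


def similarity(fp_a, fp_b):
    """Estimated Jaccard similarity of the two shingle sets: the fraction of
    hash positions whose minima agree."""
    a = struct.unpack(FP_FMT, fp_a)
    b = struct.unpack(FP_FMT, fp_b)
    return sum(x == y for x, y in zip(a, b)) / NUM_HASHES


def storage_ratio(text):
    """Bytes of fingerprint kept per byte of original UTF-8 content."""
    return len(fingerprint(text)) / len(text.encode("utf-8"))


# Constructed sample corpus.  STORE holds fingerprints of files observed being
# deleted; the documents below are what an investigator finds later.
BASE = ("The quarterly report lists revenue by region and highlights the "
        "decline in the northern territory after the supplier contract ended "
        "in March. Management proposes renegotiating terms before the next "
        "fiscal cycle and reallocating the marketing budget accordingly. The "
        "appendix contains the updated headcount figures for each office "
        "together with the revised travel policy that takes effect at the "
        "start of the coming quarter.")
EDITED = BASE.replace("March", "April").replace("marketing", "advertising")
UNRELATED = ("Lab notebook entry: the centrifuge was recalibrated and the "
             "buffer solution replaced; samples from batch seven were stored "
             "at four degrees pending the assay scheduled for Thursday morning.")

STORE = {"report_q2.txt": fingerprint(BASE),
         "notes_lab.txt": fingerprint(UNRELATED)}


def match(query_text, store=STORE, threshold=0.5):
    """Rank stored fingerprints against a recovered document; return
    (name, score) pairs scoring at or above threshold, best first."""
    q = fingerprint(query_text)
    hits = [(name, similarity(q, fp)) for name, fp in store.items()]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


def precision_recall(pairs, threshold=0.5):
    """pairs: (text_a, text_b, related) triples with ground truth.  Returns
    (precision, recall) of the fingerprint comparison at the threshold."""
    tp = fp = fn = 0
    for a, b, related in pairs:
        predicted = similarity(fingerprint(a), fingerprint(b)) >= threshold
        if predicted and related:
            tp += 1
        elif predicted and not related:
            fp += 1
        elif related:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    print("fingerprint bytes:", len(fingerprint(BASE)))
    print("storage ratio for BASE: %.3f" % storage_ratio(BASE))
    print("edited vs original:", match(EDITED))
    print("unrelated vs store:", match(UNRELATED))
    print("precision/recall:", precision_recall(
        [(BASE, EDITED, True), (BASE, UNRELATED, False), (EDITED, UNRELATED, False)]))
```

The edited document still matches its original because only the shingles touching the two changed words differ, while the unrelated document shares no shingle and scores near zero. A min-hash of 64 positions is a statistical estimate, so scores for a true edit fluctuate around the real Jaccard similarity; the threshold trades precision against recall exactly as the abstract's 0.96/0.85 figures do for the paper's own fingerprints.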