CentraLUG notes from Andy Bair’s Digital Forensic File Carving presentation

Our thanks to Andy Bair for making the trip north from Massachusetts to present to the Central New Hampshire Linux User Group on March 5th, 2007, the first Monday of the month, at the New Hampshire Technical Institute’s Library. Andy announced that his work at MITRE was done and that he would be starting a job at KoreLogic in the immediate future.

Andy worked with several friends at KoreLogic to take on the Digital Forensic Research Workshop (DFRWS) 2006 File Carving Challenge. They were supplied with a 50 megabyte “chunk” from a hard drive with the assignment to find as many files in that chunk as possible. The DFRWS’ motivation was to move the state of the art forward, so all participants were required to supply the source code of the applications they developed. Andy and his team won the challenge, beating out a number of other teams, notably Simson Garfinkel’s, which came in second. Andy demonstrated the procedures they worked out, talked about the algorithms they used, and showed the graphing of the results that made file boundaries and anomalies easier to pick out. Andy and his team extended the UNIX magic technique for detecting patterns in files into XMagic, which added regular expressions and more sophisticated rules for matching files to the patterns. It was a very interesting, well-delivered presentation. Andy’s presentation, the source code and original data can be found at this link [Updated link – tr, 15-Feb-2010].
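To give a feel for the header/footer carving that such magic-style rules drive, here is a small added example (not Andy’s team’s code, and the regular-expression signatures and the constructed “chunk” are assumptions of the example, not the XMagic rules they submitted). It scans a byte buffer for file headers, looks for the matching footer within a size limit, and skips headers whose footer never shows up, which is exactly the case where boundary detection gets hard.

```python
import re
from typing import List, NamedTuple, Optional, Pattern, Tuple


class CarvedFile(NamedTuple):
    kind: str
    start: int   # offset of the header in the chunk
    end: int     # exclusive offset just past the footer
    data: bytes


# Header regex, footer regex, maximum carve length. These are illustrative
# signatures written for this example (an XMagic-style rule set), not the
# rules used in the DFRWS 2006 submission.
SIGNATURES = {
    "jpeg": (re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), re.compile(rb"\xff\xd9"), 5_000_000),
    "png": (re.compile(rb"\x89PNG\r\n\x1a\n"), re.compile(rb"IEND\xae\x42\x60\x82"), 5_000_000),
    "gif": (re.compile(rb"GIF8[79]a"), re.compile(rb"\x00\x3b"), 5_000_000),
}


def carve(chunk: bytes, signatures=SIGNATURES) -> List[CarvedFile]:
    """For every header match, take bytes up to the first footer found within
    max_len. A header with no footer in range is skipped rather than allowed
    to swallow whatever file follows it."""
    found: List[CarvedFile] = []
    for kind, (head, tail, max_len) in signatures.items():
        pos = 0
        while (h := head.search(chunk, pos)) is not None:
            window_end = min(len(chunk), h.start() + max_len)
            t = tail.search(chunk, h.end(), window_end)
            if t is None:
                pos = h.end()  # truncated or fragmented: not recoverable this way
                continue
            found.append(CarvedFile(kind, h.start(), t.end(), chunk[h.start():t.end()]))
            pos = t.end()
    return sorted(found, key=lambda f: f.start)


def sample_chunk() -> bytes:
    """Constructed 'unallocated space': three intact images, one orphan
    JPEG header with no footer, separated by runs of zero bytes."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR...IDAT..." + b"IEND\xae\x42\x60\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"truncated header, no footer"
    gif = b"GIF89a" + b"\x10\x00\x10\x00" + b"\x00\x3b"
    return filler + jpeg + filler + png + filler + orphan + filler + gif + filler


if __name__ == "__main__":
    for f in carve(sample_chunk()):
        print(f"{f.kind}: bytes {f.start}-{f.end} ({len(f.data)} bytes)")
```

Plotting the start and end offsets this produces against the chunk is the kind of picture Andy used to spot boundaries and oddities such as the orphan header above.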

Thanks to Andy for the presentation, to Bill Sconce for supplying the projector, and to the New Hampshire Technical Institute for providing the facilities.

Upcoming presentations include:

  1. Bill Stearns demonstrating Logical Volume Management April 2nd,
  2. Seth Cohn presenting Drupal on May 7th, and
  3. Ben Scott presenting OpenWRT on June 4th.

We plan to meet at the usual location, but keep an eye out for a more detailed announcement as the date gets closer.



This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.