Document Type
Article
Publication Date
8-17-2021
Subject: LCSH
Crowdsourcing, Antiquities, Information storage and retrieval systems--Digital media
Disciplines
Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security
Abstract
Current methods for artifact analysis and understanding depend on investigator expertise. Experienced and technically savvy examiners spend a lot of time reverse engineering applications while attempting to find the crumbs they leave behind on systems. This takes valuable time away from the investigative process and slows down forensic examination. Furthermore, when knowledge of a specific artifact is gained, it stays within the respective forensic unit. To combat these challenges, we present ForensicAF, an approach for leveraging curated, crowd-sourced artifacts from the Artifact Genome Project (AGP). The approach has the overarching goal of uncovering forensically relevant artifacts from storage media. We explain our approach and construct it as an Autopsy Ingest Module. Our implementation focused on both File and Registry artifacts. We evaluated ForensicAF using systematic and random sampling experiments. While ForensicAF showed consistent results with Registry artifacts across all experiments, it also revealed that deeper folder traversal yields more File artifacts during data source ingestion. When experiments were conducted on case-scenario disk images without a priori knowledge, ForensicAF uncovered artifacts of forensic relevance that help in solving those scenarios. We contend that ForensicAF is a promising approach for artifact extraction from storage media, and its utility will advance as more artifacts are crowd-sourced by AGP.
DOI
10.1145/3465481.3470051
Repository Citation
Balon, Tyler; Herlopian, Krikor; Baggili, Ibrahim; and Grajeda-Mendez, Cinthya, "Forensic Artifact Finder (ForensicAF): An Approach & Tool for Leveraging Crowd-Sourced Curated Forensic Artifacts" (2021). Electrical & Computer Engineering and Computer Science Faculty Publications. 97.
https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/97
Publisher Citation
Tyler Balon, Krikor Herlopian, Ibrahim Baggili, and Cinthya Grajeda-Mendez. 2021. Forensic Artifact Finder (ForensicAF): An Approach & Tool for Leveraging Crowd-Sourced Curated Forensic Artifacts. In The 16th International Conference on Availability, Reliability and Security (ARES 2021). Association for Computing Machinery, New York, NY, USA, Article 43, 1–10. DOI:https://doi.org/10.1145/3465481.3470051
Included in
Computer Engineering Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons
Comments
This is the Author's Accepted Manuscript.
Article part of the International Conference Proceeding Series (ICPS), ARES 2021: The 16th International Conference on Availability, Reliability and Security, published by ACM.