Forensic analysis of unallocated space

dc.contributor.advisorLin, Xiaodong
dc.contributor.authorLei, Zhenxing
dc.date.accessioned2011-09-19T16:39:53Z
dc.date.accessioned2022-03-29T16:33:52Z
dc.date.available2011-09-19T16:39:53Z
dc.date.available2022-03-29T16:33:52Z
dc.date.issued2011-06-01
dc.degree.disciplineElectrical and Computer Engineering
dc.degree.levelMaster of Applied Science (MASc)
dc.description.abstractComputer forensics has become an important technology in providing evidence in investigations of computer misuse, attacks against computer systems and more traditional crimes like money laundering and fraud where digital devices are involved. Investigators frequently perform preliminary analysis at the crime scene on suspects‟ devices to determine the existence of any inappropriate materials such as child pornography on them and conduct further analysis after the seizure of computers to glean leads or valuable evidence. Hence, it is crucial to design a tool which is portable and can perform efficient instant analysis. Many tools have been developed for this purpose, such as Computer Online Forensic Evidence Extractor (COFEE), but unfortunately, they become ineffective in cases where forensic data has been removed. In this thesis, we design a portable forensic tool which can be used to compliment COFEE for preliminary screening to analyze unallocated disk space by adopting a space efficient data structure of fingerprint hash tables for storing the massive forensic data from law enforcement databases in a flash drive and utilizing hash tree indexing for fast searching. We also apply group testing to identify the fragmentation point of the file and locate the starting cluster of each fragment based on statistics on the gap between the fragments. Furthermore, in order to retrieve evidence and clues from unallocated space by recovering deleted files, a file structure based carving algorithm for Windows registry hive files is presented based on their internal structure and unique patterns of storage.en
dc.description.sponsorshipUniversity of Ontario Institute of Technologyen
dc.identifier.urihttps://hdl.handle.net/10155/165
dc.language.isoenen
dc.subjectComputer forensicsen
dc.subjectFingerprint hash tableen
dc.subjectBloom filteren
dc.subjectFragmentationen
dc.subjectFragmentation pointen
dc.subjectRegistry hive filesen
dc.subjectHive binen
dc.subjectKey cellen
dc.titleForensic analysis of unallocated spaceen
dc.typeThesisen
thesis.degree.disciplineElectrical and Computer Engineering
thesis.degree.grantorUniversity of Ontario Institute of Technology
thesis.degree.nameMaster of Applied Science (MASc)

Files

Original bundle

Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
Lei_Zhenxing.pdf
Size:
1.29 MB
Format:
Adobe Portable Document Format

License bundle

Now showing 1 - 1 of 1
No Thumbnail Available
Name:
license.txt
Size:
1.61 KB
Format:
Plain Text
Description: