Sviluppo ed implementazione di strumenti per il Triage Forense
Design and Implementation of a Forensic Triage Tool
BURDA, PAVLO
2016/2017
Abstract
Digital Forensics (DF) is undergoing a natural transformation in response to the constant growth in the number of seized devices to analyse, together with the corresponding increase in storage capacity and in the volume of data produced by their users. Investigators cannot cope with such an amount of data; there is therefore a pressing need to manage the list of devices as quickly and as efficiently as possible, so as to streamline the subsequent activities of analysis and reporting. This work relies on triaging techniques, inspired by medicine, to address this demand. Digital triage is an expanding branch of DF that provides valuable data without running digital evidence through a full examination; we contribute by designing a tool that enables an investigator to speed up the preliminary analysis of evidence. We focus on post-mortem triage of mass storage drives formatted with the NTFS file system, from which we parse and eventually extract a large table containing metadata about all the files allegedly present on the disk. From it we build a timeline of filenames with their associated creation, modification and access events, in which an investigator can look for names, file extensions or potentially hashes of interest, as well as periods of abnormal activity. This avoids forensic image extraction, which is the most time- and space-consuming operation in a forensic study. Every procedure is carried out in accordance with the particular practices required for a legal investigation. Finally, this representation is enhanced by non-linear placement and colouring profiles of the entries, i.e. of events that occurred close together in time. Space is left for possible future work, such as measuring the eventual performance improvement in case management obtained with this tool.

Users may download and share the full-text documents available in UNITESI UNIPV under the terms of the Creative Commons CC BY NC ND licence.
For further information, and to check whether the file is available, write to: unitesi@unipv.it.
https://hdl.handle.net/20.500.14239/18193