•  
  •  
 

Abstract

A common investigative task is to identify known contraband images on a device, which typically involves calculating cryptographic hashes for all the files on a disk and checking these against a database of known contraband. However, modern drives are now so large that it can take several hours just to read this data from the disk, and can contribute to the large investigative backlogs suffered by many law enforcement bodies. Digital forensic triage techniques may thus be used to prioritise evidence and effect faster investigation turnarounds. This paper proposes a new forensic triage method for investigating disk evidence relating to picture files, making use of centralised thumbnail caches that are present in the Windows operating system. Such centralised caches serve as a catalogue of images on the device, allowing for fast triage. This work includes a comprehensive analysis of the thumbnail variants across a range of windows operating systems, which causes difficulties when detecting contraband using cryptographic hash databases. A novel method for large-scale hash database generation is described which allows precalculated cryptographic hash databases to be built from arbitrary image sets for use in thumbnail contraband detection. This approach allows for cryptographic hashes to be generated for multiple Windows versions from the original source image, facilitating wider detection. Finally, a more flexible approach is also proposed which makes novel use of perceptual hashing techniques, mitigating issues caused by the differences between thumbnails across Windows versions. A key contribution of this work demonstrates that by using new techniques, thumbnail caches can be used to robustly and effectively detect contraband in seconds, with processing times being largely independent of disk capacity.

References

Beebe, N. (2009). Digital forensic re- search: The good, the bad and the un- addressed. In IFIP International Con- ference on Digital Forensics (pp. 17{ 36). Springer.

Breitinger, F., Liu, H., Winter, C., Baier, H., Rybalchenko, A., & Steinebach, M. (2013). Towards a process model for hash functions in digital forensics. In International Conference on Digital Forensics and Cyber Crime (pp. 170{ 186). Springer.

Brinkmann, M. (2019, March). How to block the automatic cleaning of Windows 10's Thumbnail Cache - gHacks Tech News. Retrieved 2019-07-09, from https:// www.ghacks.net/2019/03/04/how-to -block-the-automatic-cleaning-of -windows-10s-thumbnail-cache/

Buchner, J. (2017). ImageHash. Retrieved 2018-08-24, from https://pypi.org/ project/ImageHash/

Commonsmachinery. (2018, July). Con- tribute to blockhash development by creating an account on Github. Commons Machinery. Retrieved 2018- 08-24, from https://github.com/ commonsmachinery/blockhash (original-date: 2014-09-02T17:46:34Z)

Cryer, J. (2017, August). Resemble.js: Im- age analysis and comparison. Huddle. Retrieved 2017-08-25, from https:// github.com/Huddle/Resemble.js (original-date: 2013-02-21T14:25:27Z)

Dandass, Y. S., Necaise, N. J., & Thomas, S. R. (2008, April). An Empir- ical Analysis of Disk Sector Hashes for Data Carving. J. Digit. Forensic Pract., 2 (2), 95{104. doi: 10.1080/ 15567280802050436

Franqueira, V. N., Bryce, J., Al Mutawa, N., & Marrington, A. (2018, Decem- ber). Investigation of Indecent Images of Children cases: Challenges and sug- gestions collected from the trenches. Digital Investigation. doi: 10.1016/ j.diin.2017.11.002

Garfinkel, S. L. (2010, August). Dig- ital forensics research: The next 10 years. Digital Investigation, 7 , S64{ S73. (DFRWS USA 2010. The Proceed- ings of the Tenth Digital Forensics Re- search Workshop. Philadelphia. Aug 2- 4, 2010.). doi: 10.1016/j.diin.2010.05 .009

Hadmi, A., Ouahman, A. A., Said, B. A. E., & Puech, W. (2012). Perceptual image hashing. INTECH Open Access Publisher. Retrieved 2016-08-23, from http://cdn.intechopen.com/pdfs/ 36921/InTech-Perceptual image hashing.pdf

Huiskes, M. J., Thomee, B., & Lew, M. S. (2010). New trends and ideas in visual concept detection: the MIR ickr re- trieval evaluation initiative. In Proceedings of the international conference on Page 20 c 2020 JDFSL Fast Forensic Triage JDFSL V14N3 Multimedia information retrieval (pp. 527{536). ACM.

James, J. I., & Gladyshev, P. (2013, Septem- ber). A survey of digital forensic inves- tigator decision processes and measure- ment of decisions based on enhanced preview. Digital Investigation, 10 (2), 148{157. doi: 10.1016/j.diin.2013.04 .005

Khatri, Y. (2012). Windows 7 Thum- bcache hash algorithm. Re- trieved 2017-11-09, from http:// www.swiftforensics.com/2012/ 06/windows-7-thumbcache-hash -algorithm.html]

Klinger, E., & Starkweather, D. (2012, Octo- ber). pHash { the open source percep- tual hash library. Retrieved 2017-08-24, from http://www.phash.org/apps/

Kuksov, I. (2016). What EXIF can tell about the photos you post on- line. Retrieved 2018-03-22, from https://www.kaspersky.co.uk/ blog/exif-privacy/7893/

Kutcher, E. (2016, October). Thumbcache Viewer - Extract thumbnail images from the thumbcache *.db and iconcache *.db database les. Retrieved 2017-08- 24, from https://thumbcacheviewer .github.io/

Lillis, D., Becker, B., O'Sullivan, T., & Scanlon, M. (2016, April). Cur- rent Challenges and Future Research Areas for Digital Forensic Investiga- tion. arXiv:1604.03850 [cs] . (arXiv: 1604.03850)

Liu, W. J. (2016, January). Empty Standby List. Retrieved 2017-08-31, from https://wj32.org/wp/software/ empty-standby-list/

Morris, S., & Chivers, H. (2011a). An analy- sis of the structure and behaviour of the Windows 7 operating system thumbnail cache. In Proceedings from 1st Cyber- forensics Conference.

Morris, S., & Chivers, H. (2011b). Form- ing a Relationship between Artefacts identified in thumbnail caches and the remaining data on a storage device. Cybercrime Forensics Education and Training.

Newcomer, S., & Martin, L. (2014). Deter- mining User Actions In Os X Based On Quicklook Thumbnail Cache Database Entries. Issues in Information Systems, 15 (2).

Norouzi, M., Punjani, A., & Fleet, D. J. (2012). Fast search in hamming space with multi-index hashing. In Com- puter Vision and Pattern Recognition (CVPR), 2012 IEEE Conference on (pp. 3108{3115). IEEE.

Penrose, P., Buchanan, W. J., & Macfarlane, R. (2015, March). Fast contraband detection in large capacity disk drives. Digital Investigation, 12, Supplement 1 , S22{S29. (DFRWS EU 2015. The Proceedings of the Tenth Digital Foren- sics ResearchWorkshop. Dublin. March 23-26, 2015.). doi: 10.1016/j.diin.2015 .01.007

Quick, D., & Choo, K.-K. R. (2014, Decem- ber). Impacts of increasing volume of digital forensic data: A survey and fu- ture research challenges. Digital Inves- tigation, 11 (4), 273{294. doi: 10.1016/ j.diin.2014.09.002

Quick, D., Tassone, C., & Choo, K.-K. R. (2014). Forensic Analysis of Windows Thumbcache fles.Quick D, Tassone C and Choo KK R.

Roussev, V., Quates, C., & Martell, R. (2013, September). Real-time digital forensics and triage. Digital Investigation, 10 (2), 158{167. doi: 10.1016/j.diin.2013.02 .001

Shaw, A., & Browne, A. (2013, Septem- ber). A practical and robust approach to coping with large volumes of data submitted for digital forensic examina- c 2020 JDFSL Page 21 JDFSL V14N3 Fast Forensic Triage tion. Digital Investigation, 10 (2), 116{ 128. doi: 10.1016/j.diin.2013.04.003

Yang, B., Gu, F., & Niu, X. (2006). Block mean value based image percep- tual hashing. In Intelligent Information Hiding and Multimedia Signal Process- ing, 2006. IIH-MSP'06. International Conference on (pp. 167{172). IEEE.

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.