November 15, 2011
Stream-based digital forensics with bulk_extractor
by Simson L. Garfinkel
Abstract
Bulk data analysis eschews file extraction and analysis, common in forensic practice today, and instead processes data in "bulk," recognizing and extracting salient details ("features") of use in the typical digital forensics investigation. This talk presents the requirements, design and implementation of bulk_extractor, a new, high-performance carving and feature extraction tool that uses bulk data analysis to allow the triage and rapid exploitation of digital media. bulk_extractor offers several important advances over today's forensic tools, including opportunistic decompression of compressed data, context-based stop-lists, and the creation of a forensic path that allows concise documentation of both the physical location and forensic transformations necessary to reconstruct exploited evidence. bulk_extractor is a stream forensic tool, meaning that it scans the entire media from beginning to end without seeking the disk head, and is fully parallelized, allowing it to work at the maximum I/O capabilities of the underlying hardware (provided that the system has sufficient CPU resources). Although bulk_extractor was developed as a research prototype, it has proved useful in actual police investigations, two of which we recount.
About the Speaker
Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School in Monterey, California. His research interests include computer forensics, the emerging field of usability and security, personal information management, privacy, information policy and terrorism. He holds six US patents for his computer-related research and has published dozens of journal and conference papers in security and computer forensics.
Garfinkel is the author or co-author of fourteen books on computing. He is perhaps best known for his book Database Nation: The Death of Privacy in the 21st Century. Garfinkel's most successful book, Practical UNIX and Internet Security (co-authored with Gene Spafford), has sold more than 250,000 copies and been translated into more than a dozen languages since the first edition was published in 1991.
Garfinkel is also a journalist and has written more than a thousand articles about science, technology, and technology policy in the popular press since 1983. He started writing about identity theft in 1988. He has won numerous national journalism awards, including the Jesse H. Neal National Business Journalism Award two years in a row for his "Machine shop" series in CSO magazine. Today he mostly writes for Technology Review Magazine and the technologyreview.com website.
As an entrepreneur, Garfinkel founded five companies between 1989 and 2000. Two of the most successful were Vineyard.NET, which provided Internet service on Martha's Vineyard to more than a thousand customers from 1995 through 2005, and Sandstorm Enterprises, an early developer of commercial computer forensic tools.
Garfinkel received three Bachelor of Science degrees from MIT in 1987, a Master of Science in Journalism from Columbia University in 1988, and a Ph.D. in Computer Science from MIT in 2005.
Please RSVP if you plan to attend.
Non-members are welcome without charge! Light refreshments will be served.
Tuesday, November 15, 2011 6:30 PM
Government Printing Office
Room A138
732 N. Capitol St.
Washington, DC, 20401