Authors: Pavel Gladyshev, Ph.D. (University College Dublin)
DFRWS EU 2017
Abstract
This workshop provides an introduction to DFIRE Forensics Prolog, which is a forensic extension of Prolog language. Unlike traditional data-centric programming languages, Prolog views computation as logical inference: the data is viewed as evidence for proving statements posed by the user. Prolog is well suited for creating forensic expert systems that query file systems, Registry hives, and other tree like data structures. Prolog has a built-in text parser, which makes it suitable for processing text files. DFIRE Forensic Prolog introduces additional language extensions allowing it to process image files, parse binary data, represent and reason about date time information. In addition, DFIRE Forensic Prolog access and manipulate case files created by Autopsy forensic browser (run-queries, access bookmarks, add artifacts, create reports, etc.), and can embed fragments of Python and/or Scala code for interoperability and performance reasons. Additional features are under development. This workshop introduces key capabilities of DFIRE Forensic Prolog in a series of hands-on exercises that explore a simulated forensic case. The intended audience is digital forensic practitioners and researchers. Some investigative experience as well as familiarity with Autopsy forensic browser would be an advantage although is not strictly required.