Authors: Andrew Case (University of New Orleans), Andrew Cristina (University of New Orleans), Lodovico Marziale (University of New Orleans), Golden Richard III, Ph.D. (University of New Orleans), and Vassil Roussev, Ph.D. (University of New Orleans)
DFRWS USA 2008
Abstract
Digital forensic tools are being developed at a brisk pace in response to the ever increasing variety of forensic targets. Most tools are created for specific tasks – filesystem analysis, memory analysis, network analysis, etc. — and make little effort to interoperate with one another. This makes it difficult and extremely time-consuming for an investigator to build a wider view of the state of the system under investigation. In this work, we present FACE, a framework for automatic evidence discovery and correlation from a variety of forensic targets. Our prototype implementation demonstrates the integrated analysis and correlation of a disk image, memory image, network capture, and configuration log files. The results of this analysis are presented as a coherent view of the state of a target system, allowing investigators to quickly understand it. We also present an advanced open-source memory analysis tool, ramparser, for the automated analysis of Linux systems.