Authors: Thomas Göbel, Stephan Maltan, Jan Türr, Harald Baier, Florian Mann

DFRWS EU 2022

Abstract

Digital forensic experts are confronted with a wide variety of investigation objectives, e.g., dealing with an infected IT system. The same holds for digital forensic tools. In most cases, several sources of digital traces have to be inspected, including persistent storage devices (e.g., SSDs, SD cards, USB drives), volatile main memory snapshots, and network captures. In order to train experts and tools and keep their knowledge and capabilities up to date, a capacious amount of realistic, timely training data is necessary. However, for reasons such as privacy, secrecy, or intellectual property rights, there is a large gap in digital forensic training data. In recent years, different synthesis frameworks to generate realistic digital forensic data sets have been proposed. However, none of these frameworks provides a holistic approach to generating realistic, forensically relevant traces from different sources. In this paper we introduce ForTrace, a holistic framework for the simultaneous generation of persistent, volatile and network traces. Our approach is based on the data synthesis framework hystck. We explain our extension of hystck by defining the properties of a holistic data set synthesis framework and by discussing different forensically relevant scenarios and their implementation in ForTrace. We then successfully evaluate ForTrace with respect to diverse realistic and complex scenarios. ForTrace is open source and may be adapted or extended with respect to individual needs.