European Conference on Computer Network Defence (EC2ND 2005), 2005-12, Wales (GB)

A Flexible, Open Source Software Architecture for Network-Based Forensic Computing Intelligence Gathering


Abstract

Currently, real-time support for tracking and identifying files across networks is extremely limited. In this paper we propose a flexible, open source software architecture for real-time analysis of the Web and local area networks in order to identify and track images and other forms of illicit files or malware. A prototype architecture has been developed and was evaluated using a series of anonymous case studies. Files are identified by calculating and storing their MD5 message digests. The results of this can be used in several different ways. For example, comparing the message digests obtained from files on a user's machine against a database of known files may reveal certain malware, such as Trojans, or unlicensed software. Additionally, an illicit image may be found in this way. If a file is found on more than one website or hard drive, then a comparison of the modified, accessed, and created (MAC) times may give some idea of the order in which the file has migrated across a network. Results showed that files could be tracked and identified in the majority of cases and that the prototype showed promise in a live case scenario.
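The two uses of the stored digests described in the abstract, a known-file lookup and a MAC-time ordering of sightings, as an added illustration that is not the paper's prototype code. The host names, paths, file bytes and timestamps are constructed, and the "known files" database is built from those constructed bytes rather than from any real indicator.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


def md5_digest(data: bytes) -> str:
    """Hex MD5 of a file's bytes, the identifier the prototype stores."""
    return hashlib.md5(data).hexdigest()


# Constructed known-file database (digest -> label). The digests are computed
# from constructed sample bytes, so they are placeholders, not real indicators.
KNOWN_FILES = {
    md5_digest(b"constructed sample: trojan dropper"): "trojan (sample)",
    md5_digest(b"constructed sample: unlicensed tool"): "unlicensed software (sample)",
}


@dataclass
class Sighting:
    """One observation of a file on a host or website, with its MAC times."""
    location: str   # hypothetical host or site name
    path: str
    data: bytes
    modified: datetime
    accessed: datetime
    created: datetime


def identify(data: bytes) -> Optional[str]:
    """Look the digest up in the known-file database; None when unknown.
    Caveat: MD5 collisions are practical, so a match is a lead, not proof."""
    return KNOWN_FILES.get(md5_digest(data))


def migration_order(sightings: List[Sighting], data: bytes) -> List[str]:
    """Order the locations where this file was seen by created time, the
    paper's heuristic for how it migrated. MAC times depend on each host's
    clock and can be altered, so treat the order as indicative only."""
    digest = md5_digest(data)
    hits = [s for s in sightings if md5_digest(s.data) == digest]
    return [s.location for s in sorted(hits, key=lambda s: s.created)]


SAMPLE = b"constructed sample: trojan dropper"
SIGHTINGS = [  # constructed observations: same file on two locations, one unrelated file
    Sighting("workstation-7", "C:/temp/a.exe", SAMPLE,
             datetime(2005, 3, 2), datetime(2005, 3, 9), datetime(2005, 3, 5)),
    Sighting("site-a.example", "/dl/a.exe", SAMPLE,
             datetime(2005, 3, 1), datetime(2005, 3, 4), datetime(2005, 3, 1)),
    Sighting("site-b.example", "/img/photo.jpg", b"unrelated bytes",
             datetime(2005, 3, 1), datetime(2005, 3, 1), datetime(2005, 3, 1)),
]
```

Running `migration_order(SIGHTINGS, SAMPLE)` places the website sighting before the workstation copy, which is the kind of ordering the abstract describes.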