Upload File

xiraf - ultimate forensic querying · monetdb/xquery dbms standoff extensions tool repository tool...

  • Home
  • Documents
  • XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital
27
DIGITAL FORENSIC RESEARCH CONFERENCE XIRAF - Ultimate Forensic Querying By Wouter Alink, Raoul Bhoedjang, Peter Boncz and Arjen de Vries Presented At The Digital Forensic Research Conference DFRWS 2006 USA Lafayette, IN (Aug 14 th - 16 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Upload: others

Post on 12-Jul-2020

6 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

DIGITAL FORENSIC RESEARCH CONFERENCE

XIRAF - Ultimate Forensic Querying

By

Wouter Alink, Raoul Bhoedjang, Peter Boncz and Arjen de Vries

Presented At

The Digital Forensic Research Conference

DFRWS 2006 USA Lafayette, IN (Aug 14th - 16th)

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized

the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners

together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working

groups, annual conferences and challenges to help drive the direction of research and development.

http:/dfrws.org

Page 2: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

Digital Forensic Research Workshop - August 15, 2006

XIRAF

Ultimate Forensic QueryingDFRWS - August 15, 2006

Wouter Alink, Raoul BhoedjangNetherlands Forensic Institute

Peter Boncz, Arjen de VriesCentrum voor Wiskunde en Informatica

Page 3: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

2Digital Forensic Research Workshop - August 15, 2006

Introduction

XIRAF

“An XML Information Retrieval

Approach to Digital Forensics”

Collect, manage, and query information

extracted from digital evidence

Page 4: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

3Digital Forensic Research Workshop - August 15, 2006

Outline

• Problem statement

• XIRAF approach

• XIRAF architecture

• Forensic application areas

• Initial experiments

• Conclusion

Page 5: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

4Digital Forensic Research Workshop - August 15, 2006

Typical investigation steps

1. Media capture

2. Feature extraction

3. Analysis

4. Reporting

Page 6: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

5Digital Forensic Research Workshop - August 15, 2006

Problem identification

• Large amounts of data

• Investigation restricted by deadlines

• Too much information to track manually

• Diversity of data and tools

• Many different formats

• Many stand-alone forensic tools

Page 7: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

6Digital Forensic Research Workshop - August 15, 2006

Approach

• Clean separation between feature extraction and analysis

• A single, XML-based output format for tools

• XML database technology to analyze extracted features

• Use of existing forensic analysis tools

Page 8: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

7Digital Forensic Research Workshop - August 15, 2006

XIRAF architecture Storage Subsystem

Feature Extraction

Framework

Query Interface

Annotations

XML

document

Case Data

Binary Large

Object (BLOB)

MonetDB/XQuery

DBMS

StandOff

extensions

Tool Repository

tool A

tool B

tool C

Tool Invocation

Process

Page 9: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

8Digital Forensic Research Workshop - August 15, 2006

tool-execution-wrapper

pre-processinput

Forensic Analysis

Tool

post-processoutput

input

descriptor

Forensic

Analysis

Tool

Tool wrapper

//file[mime=“image/jpeg”]

• data from evidence files`Photo03.jpg’

• Optional:

additional metadata

• metadata (features/traces)

• new view of the original data

<photo> <camera>Canon<camera> <taken-on> <date>15-12-2005</date> </taken-on></photo>

Page 10: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

9Digital Forensic Research Workshop - August 15, 2006

Tool repository

• Feature extraction tools

• Gain knowledge about an ‘object’:• volume

• file-system

• image

• email

• Some of the wrapped tools:• file-system dissector

• windows registry analyzer

• EXIF-data parser

• carving tool

• IE-history parser

• Hashing tool

Page 11: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

10Digital Forensic Research Workshop - August 15, 2006

XIRAF architecture Storage Subsystem

Feature Extraction

Framework

Query Interface

Annotations

XML

document

Case Data

Binary Large

Object (BLOB)

MonetDB/XQuery

DBMS

StandOff

extensions

Tool Repository

tool A

tool B

tool C

Tool Invocation

Process

Page 12: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

11Digital Forensic Research Workshop - August 15, 2006

Feature extraction framework

storage

subsystem

Tool Repository

tool A

tool B

tool C

run toolrun tool

case initializationis there input

for the tool?

Page 13: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

12Digital Forensic Research Workshop - August 15, 2006

Feature extraction framework Storage subsystem

Tool Invocation

tool-execution wrapper

fetch datafor tool

for each item of data: call wrapper

pre-process

inputForensic

Analysis

Tool

post-process

output

inpu

tde

scrip

tor

collect and check output

merge with current data

Case Data

(BLOB)

Annotations

(XML)

Page 14: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

13Digital Forensic Research Workshop - August 15, 2006

<case name=“testcase”> <image path=“/casedata/HD-A.img”> <volume label=“Windows”> <type>NTFS</type> </volume> <volume label=“Media”/> </image> <image path=“/casedata/HD-B.e01”/> <image path=“/casedata/HD-C.e01”> <volume label=“MP3”/> </image></case>

Feature extraction

<case name=“testcase”> <image path=“/casedata/HD-A.img”/> <image path=“/casedata/HD-B.e01”/> <image path=“/casedata/HD-C.e01”/></case>

Page 15: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

14Digital Forensic Research Workshop - August 15, 2006

XIRAF architecture Storage Subsystem

Feature Extraction

Framework

Query Interface

Annotations

XML

document

Case Data

Binary Large

Object (BLOB)

MonetDB/XQuery

DBMS

StandOff

extensions

Tool Repository

tool A

tool B

tool C

Tool Invocation

Process

Page 16: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

15Digital Forensic Research Workshop - August 15, 2006

Virtual BLOB and XML

FAT NTFS ZIPVirtual Layer

n +m

Evidence A Evidence B Evidence C

.img .img EnCase- imagePhysical Layer

VirtualBLOB

0 n

<case name=“testcase”> <image path=“/casedata/HD-A.img” start=“0” end=“19999”/> <image path=“/casedata/HD-B.img” start=“20000” end=“29999”/> <image path=“/casedata/HD-C.e01” start=“30000” end=“59999”/></case>

... <file name=“Photo03.jpg” start=“70000” end=“74999”> <size>5000</size> <mime>image/jpeg</mime> <modified><date>2006-08-15T09:10:00</date></modified>

</file>...

<volume type=“FAT” start=“1000” end=“19999”/> <volume type=“NTFS” start=“35000” end=“39999”/>

Page 17: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

16Digital Forensic Research Workshop - August 15, 2006

Storage subsystem

• Virtual BLOB mapping

• evidence files

• alternative representations

• Single XML document

• extracted features

• references to layout

Page 18: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

17Digital Forensic Research Workshop - August 15, 2006

Storage Subsystem

Feature Extraction

Framework

Query Interface

Annotations

XML

document

Case Data

Binary Large

Object (BLOB)

MonetDB/XQuery

DBMS

StandOff

extensions

Tool Repository

tool A

tool B

tool C

Tool Invocation

Process

XIRAF architecture

Page 19: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

18Digital Forensic Research Workshop - August 15, 2006

XQuery language

• Database language:

• large XML documents

• sorting/grouping/selecting/(updating)

• Example: timeline

• different tools produce date-elements

for $i in doc(“case.xml”)//dateorder by $iwhere $i > $lowerbound

and $i < $upperboundreturn $i

Page 20: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

19Digital Forensic Research Workshop - August 15, 2006

Forensic application areas

• search for keywords, MD5s, URLs

for $i in doc(“case.xml”)//filefor $j in doc(“CP-hashes.xml”)//md5where $i/md5 = $jreturn <file> { $i/@name } </file>

let $word_list := doc(“terrorism-words.xml”)//wordfor $i in doc(“case.xml”)//*where some $i in $word_list satisfies blob-contains($i,$j)return element { name($i) } { $i/@* }

Page 21: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

20Digital Forensic Research Workshop - August 15, 2006

Benefits

• Exploit exhaustive runs of tools

• Use knowledge from previous

investigations

• Integrated data schema

• Added functionality:

• XQuery extensions to relate XML to

Virtual BLOB content

Page 22: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

21Digital Forensic Research Workshop - August 15, 2006

let $d := doc(“case.xml”)

for $i in $d//%object_of_interest%where $i/descendant::%contains%[so-contains(%keyword_1%)] and $i/ancestor::%contained%[so-contains(%keyword_2%)] and (some $j in $i//%date%//date satisfies $j >= %lowerbound% and $j < %upperbound%)return element { name($i) } { $i/@* }

Page 23: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

22Digital Forensic Research Workshop - August 15, 2006

XIRAF architecture Storage Subsystem

Feature Extraction

Framework

Query Interface

Annotations

XML

document

Case Data

Binary Large

Object (BLOB)

MonetDB/XQuery

DBMS

StandOff

extensions

Tool Repository

tool A

tool B

tool C

Tool Invocation

Process

Page 24: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

23Digital Forensic Research Workshop - August 15, 2006

Initial Experiments

• Evidence: 2 hard disks

• (2 x 120GB)

• ~200MB XML

• ~2.5M elements

• Recognized ~90000 files

• file-systems / unallocated space

• ~500000 timestamps

• file-system, registry, EXIF, .LNK, log-entry, cookie, etc

Page 25: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

24Digital Forensic Research Workshop - August 15, 2006

Conclusion

• Separation of feature extraction and

analysis seems a viable approach

• Integrated querying of multiple tools

becomes possible

Page 26: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

25Digital Forensic Research Workshop - August 15, 2006

Status & Future Work

• Prototype implementation

(Java/Python)

• Make system production-ready

• More tools, query patterns

• Connect XIRAF to existing knowledge-

bases

Page 27: XIRAF - Ultimate Forensic Querying · MonetDB/XQuery DBMS StandOff extensions Tool Repository tool A tool B tool C Tool Invocation Process. NETHERL ANDSFOR ENSICINS TITUTE 8 Digital

NETHERLANDSFORENSICINSTITUTE

26Digital Forensic Research Workshop - August 15, 2006

More information

[email protected]

• http://www.forensischinstituut.nl/

• http://monetdb.cwi.nl/


M.Kersten 2008 1 MonetDB/SQL : the Challenges of a Scientific Database, Milena Ivanova, Niels Nes, Romulo Goncalves, Martin Kersten CWI, Amsterdam

Official Journal of the European Union...33254 GE CAPITAL SOLUTIONS DENMARK 37052 GENCHART B.V. NETHERL ANDS 32364 GLOBAL TRANSERVICE UNITED STATES 32595 GRAAKJAER A/S DENMARK 38120

Dutch-Belgium DataBase Day University of Antwerp, 2004.12.03 MonetDB/x100 Peter Boncz, Marcin Zukowski, Niels Nes

Breaking the memory wall in MonetDB

MonetDB/XQuery Reference Manual · PDF file1 This is the reference manual of MonetDB/XQuery, and open-source XQuery database system built on: the open-source MonetDB column-store,

Europe - Bertha-von-Suttner-Gesamtschule Dormagen · United Kingdom o York Liverpeol.ir Nottingham ke-on-Trent Derby E àland -Sea Parrs Orleans Amsterdam The Hague0 Netherl n S Denmark

XQuery Updates in MonetDB/XQuery

MonetDB for various DB ... Run-Time Indexing and Query Optimization ...

MySQL vs. MonetDB

MonetDB: the Challenges of a Scientific Database · MonetDB: the Challenges of a Scientific Database Milena Ivanova, Niels Nes, Romulo Goncalves, Martin Kersten CWI, Amsterdam

ADT 2010 XQuery Updates in MonetDB/XQuery - CWIhomepages.cwi.nl/~manegold/teaching/adt/lectures/... · 13 [email protected] MonetDB/XQuery: Updates ADT 2010 XML Storage Revisited

Just-in-time compilation in MonetDB with Weld

Europebvsdormagen.de/data/PDF/Comenius.pdf · United Kingdom o York Liverpeol.ir Nottingham ke-on-Trent Derby E àland -Sea Parrs Orleans Amsterdam The Hague0 Netherl n S Denmark

MonetDB: A column-oriented DBMS Ryan Johnson CSC2531

sandman Documentation - Read the Docs · sandman Documentation, Release 0.9.8 •Drizzle •Sybase •IBM DB2 •SAP Sybase SQL Anywhere •MonetDB 2.3Beyond sandmanctl sandmanctlis

MonetDB/X100 hyper-pipelining query execution Peter Boncz, Marcin Zukowski, Niels Nes

Column-Stores vs. Row-Stores: How Different Are They Really? · MonetDB [10] and the MonetDB/X100 [9] systems pioneered the design of modern column-oriented database systems and vector-ized

MonetDB/XQuery Technology Preview 1

Top Main Memory DBs FastDB MonetDB eXtremeDB ERDB DataBlitz Times Ten

M.Kersten 2008 1 The MonetDB Architecture Martin Kersten CWI Amsterdam

A SPARQL front-end for MonetDB - CWIhomepages.cwi.nl/~boncz/msc/2008-MarcoAntonelli.pdf · A SPARQL front-end for MonetDB Relatore Correlatore Laureando Paolo Atzeni Peter A. Boncz

MonetDB/XQuery InfoMgmt 2009 Peter Boncz [email protected] (CWI Amsterdam) Querying XML Data Sources using MonetDB/XQuery

Large-Scale Statistics with MonetDB and R

MonetDB: Open-source Database Technology Beyond Textbooks Stefan Manegold [email protected] manegold

MonetDB, a Column-Store in Midflight

MonetDB Server Reference Manual

A SPARQL front-end for MonetDB - CWIboncz/msc/2008-MarcoAntonelli.pdf · A SPARQL front-end for MonetDB ... the translation of the SPARQL algebra in ... riguardato la traduzione dell’algebra

MonetDB/XQuery: Using a Relational DBMS for XML

Powered By PropGOLuxury - Tulpfestival · NEWS EUROPE NETHERL AND S AMSTERDAM Amsterdam (/prop er tynews/amsterdam) A view from Amsterdam , The Netherlands ... space of the Vondelpark

MonetDB :column-store approach in database

MonetDB/XQuery Technology Preview 1 Stefan Manegold CWI Amsterdam -

NETHERL ANDSFOR ENSICINS TITUTE

ADT 2010 XQuery Updates in MonetDB/XQuery Other Approaches ...homepages.cwi.nl/~manegold/teaching/adt/lectures/... · 1 [email protected] MonetDB/XQuery: Updates ADT 2010 ADT

The MonetDB Architecture

M.Kersten 2008 1 MonetDB, Cracking and recycling Martin Kersten CWI Amsterdam