My Research at CERIAS / Purdue


Ph.D. Research

My Ph.D. was in Computer Science with a thesis on Digital Forensics and Digital Investigations. The work was sponsored by CERIAS, and I defended in February 2006. The title of my thesis was A Hypothesis-Based Approach to Digital Forensic Investigations.

Abstract

This work formally defines a digital forensic investigation and categories of analysis techniques. The definitions are based on an extended finite state machine (FSM) model that was designed to include support for removable devices and complex states and events. The model is used to define the concept of a computer's history, which contains the primitive and complex states and events that existed and occurred. The goal of a digital investigation is to make valid inferences about a computer's history.

Unlike the physical world, where an investigator can directly observe objects, the digital world involves many indirect observations. The investigator cannot directly observe the state of a hard disk sector or bytes in memory. He can only directly observe the state of output devices. Therefore, all statements about digital states and events are hypotheses that must be tested to some degree.

Using the dynamic FSM model, seven categories and 31 unique classes of digital investigation analysis techniques are defined. The techniques in each category can be used to test and formulate different types of hypotheses, and completeness is shown. The classes are defined based on the model design and current practice.

Using the categories of analysis techniques and the history model, the process models that investigators use are formally compared. Until now, it was not clear how the phases in the models were different. The model is also used to identify where assumptions are made during an investigation and to show differences between the concepts of digital forensics and the more traditional forensic disciplines.
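The following is an added toy illustration of the idea in the abstract above (it is not the thesis's own model or code): a tiny machine with two disk sectors and one output device, where the investigator can see only the final screen contents. A hypothesis about the sectors or about past events is tested by enumerating every bounded-length history the machine could have had and checking which of those histories agree with the observation. The sector names, values, event set and history bound are all assumptions made for the example; the thesis's distinction between primitive and complex states and events, and its categories of analysis techniques, are not modelled here.

```python
"""Toy finite-state-machine history model with hypothesis testing.

Constructed illustration for this page, not the thesis's model or code: a
machine with two disk sectors and one output device (the screen). The
investigator sees only the final screen contents and must reason about
the sectors and events indirectly, by enumerating the histories that could
have produced what was observed.
"""
from itertools import product

SECTORS = ("s0", "s1")          # primitive storage locations (assumed)
VALUES = ("A", "B")             # the values a sector can hold (assumed)
MAX_EVENTS = 3                  # bound on history length for enumeration


def initial_state():
    """Known starting state: blank sectors, blank screen."""
    return {"s0": None, "s1": None, "screen": None}


def primitive_events():
    """Every primitive event the machine supports."""
    for sec in SECTORS:
        for val in VALUES:
            yield ("write", sec, val)   # store val in sector sec
        yield ("show", sec)             # copy sector sec to the screen


def step(state, event):
    """Transition function of the FSM."""
    new = dict(state)
    if event[0] == "write":
        new[event[1]] = event[2]
    else:
        new["screen"] = state[event[1]]
    return new


def histories(max_events=MAX_EVENTS):
    """Enumerate every possible history of up to max_events events.

    Yields (event sequence, list of states visited); together these are the
    computer's history: the states that existed and the events that occurred.
    """
    evs = list(primitive_events())
    for n in range(max_events + 1):
        for seq in product(evs, repeat=n):
            states = [initial_state()]
            for ev in seq:
                states.append(step(states[-1], ev))
            yield seq, states


def evaluate_hypothesis(hypothesis, observed_screen, max_events=MAX_EVENTS):
    """Test a hypothesis about the history against the only thing the
    investigator directly observed: the final screen contents.

    Returns 'supported' if every history consistent with the observation
    satisfies the hypothesis, 'refuted' if none does, 'undetermined' if
    some do and some do not, and 'no consistent history' if nothing in the
    model could have produced the observation.
    """
    satisfied = violated = 0
    for seq, states in histories(max_events):
        if states[-1]["screen"] != observed_screen:
            continue                     # this history is ruled out
        if hypothesis(seq, states):
            satisfied += 1
        else:
            violated += 1
    if satisfied and not violated:
        return "supported"
    if violated and not satisfied:
        return "refuted"
    if satisfied and violated:
        return "undetermined"
    return "no consistent history"


# Three hypotheses an investigator might state after seeing "A" on screen.
def hyp_a_existed_on_disk(seq, states):
    """Some sector held 'A' at some point in the history."""
    return any(st[sec] == "A" for st in states for sec in SECTORS)


def hyp_s0_holds_a_now(seq, states):
    """Sector s0 holds 'A' in the final state."""
    return states[-1]["s0"] == "A"


def hyp_a_never_written(seq, states):
    """No event ever wrote 'A' to any sector."""
    return not any(ev[0] == "write" and ev[2] == "A" for ev in seq)


if __name__ == "__main__":
    for name, hyp in [("A existed on disk", hyp_a_existed_on_disk),
                      ("s0 holds A now", hyp_s0_holds_a_now),
                      ("A was never written", hyp_a_never_written)]:
        print(f"{name}: {evaluate_hypothesis(hyp, 'A')}")
```

Seeing "A" on the screen supports the hypothesis that "A" existed on some sector and refutes the hypothesis that it was never written, but it leaves undetermined which sector held it, because both sectors could have been the source. That is the point of the abstract: the observation of an output device constrains the set of possible histories without pinning down a single one, so a claim about a sector is a hypothesis whose support depends on how many consistent histories agree with it.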

Related Papers


Masters Research

My Master's dissertation was on a recursive protocol based on 'ident' that could be used to trace the connection chain of an attacker. Information was saved on each system, and it could be used during the investigation of a computer incident. It was called the Session Token Protocol (STOP).
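The following is an added toy model of the idea described above (it is not the STOP protocol, its message formats or its code): an ident lookup (RFC 1413) asks a host which user owns one TCP connection, and the recursive twist is that when that user is logged in over another inbound connection, the same question is asked of the previous hop, with each host saving a record of what it answered. The host names, connection-table layout, function names and record format are assumptions made for the example.

```python
"""Toy model of tracing an attacker's connection chain with a recursive,
ident-style lookup.

Constructed illustration for this page, not the STOP protocol or its code:
host names, the connection-table layout, the query function and the saved
record format are all assumptions. An ident lookup (RFC 1413) asks a host
who owns one TCP connection; the recursive twist here is that if that owner
is logged in over another inbound connection, the same question is asked
of the previous hop, and each host keeps a record of what it answered.
"""

NETWORK = {}   # host name -> {"conns": {...}, "log": [...]}


def add_host(name):
    NETWORK[name] = {"conns": {}, "log": []}


def connect(src, src_port, dst, dst_port, user, via=None):
    """Record an outbound TCP connection made by `user` on host `src`.

    `via` is (prev_host, prev_port, local_port): the inbound connection on
    `src` through which `user` is logged in, if `src` is a stepping stone.
    """
    NETWORK[src]["conns"][(src_port, dst, dst_port)] = {"user": user, "via": via}


def trace(host, local_port, remote_host, remote_port):
    """Recursively identify the chain behind one connection.

    Returns the list of (host, user) hops from the earliest hop still on
    record down to `host`, or None if `host` has no record of the connection.
    The chain is partial if some intermediate host kept no record.
    """
    h = NETWORK[host]
    entry = h["conns"].get((local_port, remote_host, remote_port))
    if entry is None:
        return None
    record = (host, entry["user"])
    h["log"].append(record)          # saved locally for later investigation
    chain = [record]
    if entry["via"] is not None:
        prev_host, prev_port, my_port = entry["via"]
        # The inbound connection on `host` is an outbound one on prev_host.
        upstream = trace(prev_host, prev_port, host, my_port)
        if upstream:
            chain = upstream + chain
    return chain


def build_scenario():
    """Constructed three-hop chain: alpha -> beta -> gamma -> victim."""
    NETWORK.clear()
    for name in ("alpha", "beta", "gamma", "victim"):
        add_host(name)
    connect("alpha", 40000, "beta", 22, user="mallory")
    connect("beta", 41000, "gamma", 22, user="svc",
            via=("alpha", 40000, 22))
    connect("gamma", 42000, "victim", 23, user="admin",
            via=("beta", 41000, 22))


def trace_from_victim():
    """The investigator on victim asks gamma about the connection it sees."""
    build_scenario()
    return trace("gamma", 42000, "victim", 23)


def trace_with_missing_record():
    """Failure mode: alpha kept no record, so the chain stops at beta."""
    build_scenario()
    NETWORK["alpha"]["conns"].clear()
    return trace("gamma", 42000, "victim", 23)


if __name__ == "__main__":
    print(" -> ".join(f"{h}({u})" for h, u in trace_from_victim()))
    print(" -> ".join(f"{h}({u})" for h, u in trace_with_missing_record()))
```

The second scenario shows the caveat an investigator cares about: the recursion can only go as far back as the hosts that actually kept a record, so a hop that saved nothing truncates the chain at the next host rather than producing an error.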


2/19/06