Back and Forth—On Automatic Exposure of Origin and Dissemination of Files on Windows

Samantha Klier, Janneke Varenkamp, Harald Baier
Journal: Digital Threats: Research and Practice. Publication date: 2023-07-14. DOI: 10.1145/3609232 (https://doi.org/10.1145/3609232)

Abstract

The number of Child Sexual Abuse Material (CSAM) cases has increased dramatically in recent years. This leads to the need to automate various steps in digital forensic processing, especially for CSAM investigations. For instance, if CSAM pictures are found on a device, the investigator aims to find traces of their origin and of possible further dissemination. In this article, we address this challenge with respect to the widespread Windows operating system. We model different common scenarios of system use by CSAM offenders in the scope of inbound and outbound file transfer channels. This gives us insight into the digital traces in the Windows operating system and its applications that reveal the origin and possible destination of a file. We review available concepts and applications that support this task. Furthermore, we develop a recursive approach and provide a prototype as a plugin for the open-source application Autopsy. We call our prototype AutoTrack. Our evaluation against the different models of Windows system usage reveals that AutoTrack is superior to existing solutions and supports an investigator in finding digital traces of the origin and possible further dissemination of files. We publish our AutoTrack plugin and thus provide full reproducibility of our approach.