改进的先前卸载的计算机应用程序的容错推断

IF 0.6 Q4 COMPUTER SCIENCE, INFORMATION SYSTEMS
Oluwaseun Adegbehingbe, James H. Jones
{"title":"改进的先前卸载的计算机应用程序的容错推断","authors":"Oluwaseun Adegbehingbe, James H. Jones","doi":"10.15394/jdfsl.2019.1626","DOIUrl":null,"url":null,"abstract":"When an application is uninstalled from a computer system, the application’s deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application’s prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog file-system changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference.","PeriodicalId":43224,"journal":{"name":"Journal of Digital Forensics Security and Law","volume":null,"pages":null},"PeriodicalIF":0.6000,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications\",\"authors\":\"Oluwaseun Adegbehingbe, James H. Jones\",\"doi\":\"10.15394/jdfsl.2019.1626\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"When an application is uninstalled from a computer system, the application’s deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application’s prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog file-system changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference.\",\"PeriodicalId\":43224,\"journal\":{\"name\":\"Journal of Digital Forensics Security and Law\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.6000,\"publicationDate\":\"2019-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Digital Forensics Security and Law\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.15394/jdfsl.2019.1626\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Digital Forensics Security and Law","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.15394/jdfsl.2019.1626","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 2

摘要

当从计算机系统卸载应用程序时,应用程序已删除的文件内容会随着时间的推移而被覆盖,这取决于操作系统、可用未分配磁盘空间、用户活动等因素。随着这些内容的衰减,基于剩余的数字工件推断应用程序先前存在的能力变得更加困难。先前的研究通过将感兴趣的硬盘扇区与先前构建的标记扇区哈希目录相匹配来推断先前安装的应用程序,显示出有希望的结果。先前的工作使用白名单方法来识别相关的工件,导致没有不相关的工件,但是导致一些潜在有用的工件的丢失。在当前的工作中,我们通过采用顺序快照文件差异方法收集了一组更完整的相关工件,以从目录中识别和消除不是由于应用程序安装和使用而导致的文件系统更改。我们的工作的关键贡献是建立一个更完整的目录,最终导致更准确的先验应用推断。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications
When an application is uninstalled from a computer system, the application’s deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application’s prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog file-system changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Digital Forensics Security and Law
Journal of Digital Forensics Security and Law COMPUTER SCIENCE, INFORMATION SYSTEMS-
自引率
0.00%
发文量
5
审稿时长
10 weeks
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信