Computer Forensic Projects

A major part of computer forensics is to search hard disks for information. As hard disks can store hundreds of gigabytes, it becomes harder for forensic investigators to rapidly find the required evidence.

These projects would aid computer forensic investigators and would require a good knowledge of the Java language. They should use the Eclipse plug-in architecture to ensure that they have a consistent and powerful user interface.

  1. File Viewer

    Write an Eclipse plug-in that displays all files on a system in a way suited to forensic examination. The program will look a little like Windows File Explorer, but will be adapted to be useful to forensic examiners. In particular, the program will:

    1. Allow an investigator to see quickly all the relevant metadata about a file: every available timestamp (created, modified, accessed) and its size.
    2. Be able to sort on any of these fields.
    3. Use file signatures (the first bytes of the file) to identify the file type, rather than trusting the extension.
    4. Open the file using a viewer chosen by the identified type.
    5. Allow files to be filtered, e.g. known system files could be removed, only image files might be required, etc., and duplicates removed from consideration (or listed).

    Another useful feature would be to use standard Linux utilities to identify deleted files.
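    As an added illustration (not part of the original project description, and not an Eclipse plug-in), the following Java class shows the core of points 1, 3 and 5 without any user interface: it reads each file's size and created/modified/accessed timestamps, identifies the type from a small, assumed table of well-known signatures, hashes every file with SHA-256 so that files in a known-file hash set can be dropped and duplicates collapsed, and sorts the listing on one of the fields. The class and method names are invented for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.security.*;
import java.time.Instant;
import java.util.*;

/** Illustrative core of the File Viewer without the Eclipse UI: per-file metadata, the file type
 *  taken from the leading bytes rather than the extension, and SHA-256 hashes used to drop known
 *  files and to collapse duplicates. */
public class ForensicFileLister {
    /** One row of the listing. Timestamps are milliseconds since the epoch. */
    static final class Entry {
        final Path path; final long size, created, modified, accessed;
        final String extension, signatureType, sha256;
        Entry(Path path, BasicFileAttributes a, String extension, String signatureType, String sha256) {
            this.path = path; this.size = a.size(); this.created = a.creationTime().toMillis();
            this.modified = a.lastModifiedTime().toMillis(); this.accessed = a.lastAccessTime().toMillis();
            this.extension = extension; this.signatureType = signatureType; this.sha256 = sha256;
        }
    }
    /** A small, assumed subset of well-known magic numbers (the first bytes of a file). */
    static final Map<String, byte[]> SIGNATURES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("JPEG", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        SIGNATURES.put("PNG", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        SIGNATURES.put("PDF", new byte[] {'%', 'P', 'D', 'F', '-'});
        SIGNATURES.put("ZIP", new byte[] {'P', 'K', 0x03, 0x04});   // also docx/xlsx/jar containers
        SIGNATURES.put("PE", new byte[] {'M', 'Z'});                // Windows exe/dll/sys
    }

    /** Compare the first headerLen bytes against each signature; "unknown" if none matches. */
    static String identifyBySignature(byte[] header, int headerLen) {
        for (Map.Entry<String, byte[]> e : SIGNATURES.entrySet()) {
            byte[] magic = e.getValue();
            if (headerLen >= magic.length && Arrays.equals(Arrays.copyOf(header, magic.length), magic)) return e.getKey();
        }
        return "unknown";
    }

    static String extensionOf(Path p) {
        String name = p.getFileName().toString(); int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Stream the file through SHA-256; the digest keys both known-file filtering and duplicate detection. */
    static String sha256Hex(Path p) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[64 * 1024];
        try (InputStream in = Files.newInputStream(p)) {
            for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    static Entry examine(Path p) throws IOException, NoSuchAlgorithmException {
        BasicFileAttributes a = Files.readAttributes(p, BasicFileAttributes.class);
        byte[] header = new byte[16]; int n;
        try (InputStream in = Files.newInputStream(p)) { n = Math.max(0, in.read(header)); }
        return new Entry(p, a, extensionOf(p), identifyBySignature(header, n), sha256Hex(p));
    }

    /** Walk the tree. Files whose hash is in knownHashes (a reference set such as NIST's NSRL) are dropped;
     *  the first file seen for each remaining hash is kept and later copies go into duplicates.
     *  Unreadable files are skipped rather than aborting the whole listing. */
    static List<Entry> list(Path root, Set<String> knownHashes, Map<String, List<Path>> duplicates) throws IOException {
        Map<String, Entry> firstByHash = new LinkedHashMap<>();
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override public FileVisitResult visitFile(Path p, BasicFileAttributes attrs) {
                if (!attrs.isRegularFile()) return FileVisitResult.CONTINUE;
                try {
                    Entry e = examine(p);
                    if (!knownHashes.contains(e.sha256) && firstByHash.putIfAbsent(e.sha256, e) != null) {
                        duplicates.computeIfAbsent(e.sha256, k -> new ArrayList<>()).add(p);
                    }
                } catch (IOException | NoSuchAlgorithmException ex) {
                    System.err.println("skipped " + p + ": " + ex.getMessage());
                }
                return FileVisitResult.CONTINUE;
            }
            @Override public FileVisitResult visitFileFailed(Path p, IOException ex) { return FileVisitResult.CONTINUE; }
        });
        return new ArrayList<>(firstByHash.values());
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        Map<String, List<Path>> duplicates = new LinkedHashMap<>();
        List<Entry> entries = list(root, Collections.emptySet(), duplicates);   // substitute a real hash set
        entries.sort(Comparator.comparingLong((Entry e) -> e.modified).reversed()); // any field can be the key
        for (Entry e : entries) {
            System.out.printf("%-50s %10d %s %-8s %-5s%n", e.path, e.size, Instant.ofEpochMilli(e.modified), e.signatureType, e.extension);
        }
        duplicates.forEach((h, paths) -> System.out.println("duplicates of " + h.substring(0, 12) + ": " + paths));
    }
}
```

    Printing the signature type next to the extension is deliberate: a file whose header says PE but whose name ends in .jpg has been renamed, which an extension-driven explorer would never reveal. Run it as `java ForensicFileLister /path/to/mounted/image`; for a real case, load a published hash set (NIST's NSRL is the usual one) in place of the empty known-hash set used here.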

  2. Unallocated Space analyser

    This project will use techniques for viewing unstructured data (such as the contents of the Windows page file and of unallocated space). A typical approach is entropy analysis. A major part of this work will be to present this information graphically so that an examiner can quickly zoom in on interesting areas of the data.

    The other main technique is to use file header and footer (start and end) signatures to identify deleted files that may still be recoverable from the unallocated space.

    Another aspect would be to help filter the data on the disk. An examiner might only be interested in identifying text areas, or images, or compressed data, etc. Your program should identify and display these.

    Finally, a useful way of presenting the data will have to be developed.
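    The following Java class is an added example (not from the original page) of the two techniques just described, worked over an in-memory byte buffer rather than a real page file: a per-block Shannon entropy map, a coarse classification of each block by its entropy, and header/footer carving of a JPEG out of the buffer. The class names, the block size, the entropy thresholds and the sample data are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

/** Illustrative core of the Unallocated Space analyser over a raw byte buffer (a page file or a run of
 *  unallocated clusters read from an image): a per-block entropy map and header/footer carving. */
public class UnallocatedAnalyser {

    /** Shannon entropy of data[off, off+len) in bits per byte: 0.0 (one byte value) up to 8.0 (uniform). */
    static double entropy(byte[] data, int off, int len) {
        int[] counts = new int[256];
        for (int i = off; i < off + len; i++) counts[data[i] & 0xFF]++;
        double h = 0.0;
        for (int c : counts) {
            if (c == 0) continue;
            double p = (double) c / len;
            h -= p * (Math.log(p) / Math.log(2));
        }
        return h;
    }

    /** Coarse label per block. The thresholds are assumptions to be tuned against known data. */
    static String classify(double h) {
        if (h < 0.5) return "empty/padding";
        if (h < 6.0) return "text or structured";    // English text sits around 4 to 5 bits/byte
        if (h < 7.5) return "binary";
        return "compressed/encrypted";               // near 8: no signatures or text to find inside
    }

    /** The data behind an entropy heat-map: one value per fixed-size block (the last block may be short). */
    static double[] entropyMap(byte[] data, int blockSize) {
        double[] map = new double[(data.length + blockSize - 1) / blockSize];
        for (int b = 0; b < map.length; b++) {
            int off = b * blockSize;
            map[b] = entropy(data, off, Math.min(blockSize, data.length - off));
        }
        return map;
    }

    /** A carved object: type label and byte range [start, end). */
    static final class Carved {
        final String type; final int start, end;
        Carved(String type, int start, int end) { this.type = type; this.start = start; this.end = end; }
        @Override public String toString() { return type + "[" + start + ", " + end + ")"; }
    }

    /** First index in [from, to) at which needle occurs, or -1. */
    static int indexOf(byte[] hay, byte[] needle, int from, int to) {
        outer:
        for (int i = from; i + needle.length <= to; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    /** Header/footer carving: for each start signature take the nearest end signature within maxLen bytes.
     *  Fragmented files, and formats whose footer can also occur inside the file (a JPEG carrying an
     *  embedded thumbnail ends early), need format-aware parsing instead of this simple rule. */
    static List<Carved> carve(byte[] data, String type, byte[] startSig, byte[] endSig, int maxLen) {
        List<Carved> out = new ArrayList<>();
        int i = 0;
        while ((i = indexOf(data, startSig, i, data.length)) >= 0) {
            int e = indexOf(data, endSig, i + startSig.length, Math.min(data.length, i + maxLen));
            if (e >= 0) {
                out.add(new Carved(type, i, e + endSig.length));
                i = e + endSig.length;
            } else {
                i += startSig.length;       // header without a footer in range: keep scanning
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: 512 bytes of text, 512 pseudo-random bytes, then zeros with a JPEG skeleton inside.
        byte[] sample = new byte[1536];
        byte[] text = "The quick brown fox jumps over the lazy dog. ".getBytes(StandardCharsets.US_ASCII);
        for (int i = 0; i < 512; i++) sample[i] = text[i % text.length];
        byte[] noise = new byte[512];
        new Random(42).nextBytes(noise);
        System.arraycopy(noise, 0, sample, 512, 512);
        byte[] jpegSkeleton = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0, 0x10, 'J', 'F', 'I', 'F', 0,
                               1, 2, 3, (byte) 0xFF, (byte) 0xD9};
        System.arraycopy(jpegSkeleton, 0, sample, 1100, jpegSkeleton.length);

        double[] map = entropyMap(sample, 256);
        for (int b = 0; b < map.length; b++) {
            System.out.printf("block %d @%5d  H=%.2f  %s%n", b, b * 256, map[b], classify(map[b]));
        }
        byte[] jpegStart = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}, jpegEnd = {(byte) 0xFF, (byte) 0xD9};
        System.out.println("carved: " + carve(sample, "JPEG", jpegStart, jpegEnd, 16 * 1024 * 1024));
    }
}
```

    The graphical part of the project would draw the entropyMap values as a heat-map and let the examiner click through from a block to the objects carved from it. The caveat in carve matters in practice: a footer that also occurs inside a file (a JPEG with an embedded thumbnail has two FFD9 markers) truncates the carved object, so real carvers parse the format rather than stopping at the first footer.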

  3. Timeline viewer

    In an investigation, one of the first things an investigator does is to build up a timeline. There are two main parts to this project:

  4. Text Analyser

    Build a powerful and fast way to search text on a hard disk.

    1. Preprocess a hard disk:
      1. Identify and remove known system files and any duplicate files (to speed up the search).
      2. Allow the user to exclude or include parts of the disk.
      3. Identify regions of the disk which contain textual information (perhaps simply by counting the percentage of ASCII characters).
      4. Index the disk (adapting existing open source tools).
    2. Present a friendly and powerful interface to search the disk. The search should support regular expressions (this would also adapt open source tools).

      Your program should search Unicode and ASCII data transparently to the user: the preprocessing will identify whether a region of the disk holds Unicode (on Windows, typically UTF-16LE) or ASCII text and decode it appropriately.

      The program should be written as an Eclipse plug-in, and structured so that it can easily be integrated with other forensic tools.
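      An added Java example (not from the original page) of preprocessing step 3 and of the transparent Unicode/ASCII search: each fixed-size region of a constructed sample buffer is classified as ASCII, UTF-16LE or non-text, the text regions are decoded with the matching charset, and one regular expression is run over them with every hit reported as a byte offset into the buffer. The region size, the 90% thresholds and the sample contents are assumptions; a full implementation would also feed the decoded regions into the index.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

/** Illustrative core of the Text Analyser's preprocessing and search: classify each fixed-size region of
 *  raw disk data as ASCII, UTF-16LE or non-text, decode only the text regions, and run one regular
 *  expression over them, reporting each hit as an absolute byte offset. */
public class TextRegionSearcher {

    enum Encoding { ASCII, UTF16LE, NONE }

    static boolean printable(byte b) {
        int v = b & 0xFF;
        return (v >= 0x20 && v < 0x7F) || v == '\n' || v == '\r' || v == '\t';
    }

    /** A region's verdict; parity is 1 when UTF-16LE code units start on an odd byte of the region. */
    static final class Region {
        final int offset, length, parity; final Encoding encoding;
        Region(int offset, int length, Encoding encoding, int parity) {
            this.offset = offset; this.length = length; this.encoding = encoding; this.parity = parity;
        }
    }

    /** Heuristic: ASCII text has nearly all bytes printable; UTF-16LE text in the Latin range shows
     *  (printable, 0x00) pairs on one alignment. The 90% threshold is an assumption, not a standard. */
    static Region classify(byte[] d, int off, int len) {
        int ascii = 0;
        int[] pairs = new int[2];
        for (int i = off; i < off + len; i++) {
            if (!printable(d[i])) continue;
            ascii++;
            if (i + 1 < off + len && d[i + 1] == 0) pairs[(i - off) & 1]++;
        }
        int parity = pairs[1] > pairs[0] ? 1 : 0;
        if (len >= 2 && pairs[parity] >= 0.9 * (len / 2)) return new Region(off, len, Encoding.UTF16LE, parity);
        if (ascii >= 0.9 * len) return new Region(off, len, Encoding.ASCII, 0);
        return new Region(off, len, Encoding.NONE, 0);
    }

    /** One hit: absolute byte offset of the match plus the decoded text. */
    static final class Hit {
        final long offset; final Encoding encoding; final String text;
        Hit(long offset, Encoding encoding, String text) { this.offset = offset; this.encoding = encoding; this.text = text; }
        @Override public String toString() { return String.format("0x%08x %-7s %s", offset, encoding, text); }
    }

    /** Decode each text region and run the pattern; the user never picks an encoding. Each Java char is
     *  one 16-bit code unit, so a UTF-16LE char index maps back to bytes as base + 2 * index. Matches that
     *  straddle a region boundary are missed here; a real tool overlaps regions by the longest expected match. */
    static List<Hit> search(byte[] d, int regionSize, Pattern pattern) {
        List<Hit> hits = new ArrayList<>();
        for (int off = 0; off < d.length; off += regionSize) {
            Region r = classify(d, off, Math.min(regionSize, d.length - off));
            if (r.encoding == Encoding.NONE) continue;
            int base = r.offset + r.parity, bytesPerChar = r.encoding == Encoding.UTF16LE ? 2 : 1;
            int n = (r.length - r.parity) / bytesPerChar * bytesPerChar;          // whole code units only
            String text = new String(d, base, n, r.encoding == Encoding.UTF16LE
                    ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1);
            Matcher m = pattern.matcher(text);
            while (m.find()) hits.add(new Hit((long) base + (long) m.start() * bytesPerChar, r.encoding, m.group()));
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample: an ASCII region, a UTF-16LE region (as Windows stores wide strings), random bytes.
        byte[] image = new byte[768];
        byte[] ascii = "contact: user@example.com, meeting at 10:30\n".getBytes(StandardCharsets.US_ASCII);
        byte[] wide = "Mail to admin@example.org before Friday\r\n".getBytes(StandardCharsets.UTF_16LE);
        for (int i = 0; i < 256; i++) image[i] = ascii[i % ascii.length];
        for (int i = 0; i < 256; i++) image[256 + i] = wide[i % wide.length];   // even length keeps alignment
        byte[] noise = new byte[256];
        new Random(7).nextBytes(noise);
        System.arraycopy(noise, 0, image, 512, 256);

        Pattern email = Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");
        for (Hit h : search(image, 256, email)) System.out.println(h);
    }
}
```

      Decoding ASCII regions as ISO-8859-1 rather than US-ASCII is deliberate: every byte becomes exactly one char, so match positions map back to byte offsets without a second pass, and a stray high byte does not cause the whole region to be rejected.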