12: THD, Phone Forensics, TRIM

  1. (10 points) Define the "Trojan Horse defense" in terms of "actus reus" and "mens rea".

  2. (10 points) List two methods of countering the Trojan Horse defense that can be performed by law enforcement during the execution of a search warrant and/or interview.

  3. (20 points) Garfinkel et al.'s article on small block forensics is motivated by four main reasons. They state at the start of the article, "there is a growing need for automated techniques and tools that operate on bulk data, and specifically on bulk data at the block level." What are these reasons?

  4. (15 points) The "small block forensics" approach proposed by Garfinkel et al. includes the use of sampling from a drive to find files already known to be of interest. Suppose you've recently acquired 160TiB (that is, 160 * 2^40 bytes) of data, and you are looking for any portion of 512GiB (512 * 2^30 bytes) of files that you know to be of interest. How many 4096 byte samples (uniform, at random, without replacement) would you expect to have to take from the drive such that the probability of failing to find even one of the files of interest is less than 0.01% (that is, p < 0.0001)? Make the simplifying assumption that all files are located at 4096 byte offsets.

    You can find the answer entirely analytically. Show your work for possible partial credit. If you write a (short!) program to aid you, include its source for possible partial credit. In either case, if the grader is unable to understand your approach, do not expect partial credit.
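As an added illustration of the sampling calculation in question 4 (this is editorial example code, not part of the assignment or of Garfinkel et al.'s tools), the script below converts the stated sizes into 4096-byte block counts, then finds the smallest number of samples for which the probability of missing every target block falls below p, both in the with-replacement closed form and exactly for sampling without replacement. It assumes, as the question does, that every file sits on a 4096-byte boundary.

```python
import math

# Sizes from the question, in bytes.
DRIVE_BYTES = 160 * 2**40       # 160 TiB acquired
TARGET_BYTES = 512 * 2**30      # 512 GiB of files known to be of interest
BLOCK_SIZE = 4096               # sample size; files assumed block-aligned
MAX_MISS_PROB = 0.0001          # p < 0.01%


def block_counts(drive_bytes=DRIVE_BYTES, target_bytes=TARGET_BYTES,
                 block_size=BLOCK_SIZE):
    """Return (N, K): sampleable blocks on the drive, blocks belonging to
    the files of interest."""
    return drive_bytes // block_size, target_bytes // block_size


def min_samples_with_replacement(total, targets, max_miss_prob=MAX_MISS_PROB):
    """Closed form: one draw misses every target block with probability
    (1 - K/N), so n independent draws miss with probability (1 - K/N)**n.
    Solve (1 - K/N)**n < p for the smallest integer n."""
    miss_per_draw = 1 - targets / total
    return math.ceil(math.log(max_miss_prob) / math.log(miss_per_draw))


def min_samples_without_replacement(total, targets, max_miss_prob=MAX_MISS_PROB):
    """Exact count for draws without replacement: the i-th draw (0-based)
    misses with probability (N - K - i)/(N - i), i.e. the miss probability
    is C(N-K, n)/C(N, n). Accumulate logs to avoid underflow and stop at the
    first n where the running product drops below p."""
    log_target = math.log(max_miss_prob)
    log_miss_all = 0.0
    n = 0
    while log_miss_all >= log_target:
        log_miss_all += math.log((total - targets - n) / (total - n))
        n += 1
    return n


if __name__ == "__main__":
    total, targets = block_counts()
    print(f"blocks on drive: {total:,}; target blocks: {targets:,}")
    print("with replacement:   ", min_samples_with_replacement(total, targets))
    print("without replacement:", min_samples_without_replacement(total, targets))
```

Because the target blocks are only 1/320 of the drive and the drive holds tens of billions of blocks, depletion from sampling without replacement changes the miss probability by a negligible amount, so the two counts agree here.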

  5. (10 points) Describe the basic use of block hash filtering in the Walls et al. article on DEC0DE. What are the specific steps that are taken?

  6. (10 points) Explain the purpose of TRIM for solid-state drives; also explain the performance implications of not supporting TRIM.

  7. (15 points) Microsoft supports TRIM for NTFS filesystems on recent versions of Windows. Explain why the recoverability of a very small file in particular (for example, a file storing a 64 byte private key) would or would not be affected by the use of TRIM on an SSD.