Compositional Declarative Forensics
ABSTRACT
Digital forensics often requires an investigator to use multiple tools in the anal- ysis phase. For example, the output of a tool may be captured into a file that is then input to a second tool; values may be printed and manually entered in subsequent phases of analysis. This process is tedious, adhoc and time consum- ing.
We advocate the use of constraint-based declarative techniques to address this problem. Constraints provide three advantages in this setting. First, logi- cal constraints enable higher-level abstract specifications that are closer to the domain experts perspective. Second, constraints provide a semantic foundation to exchange data between different tools. Finally, constraint programming fa- cilitates greater automation and reuse of the tactics used by forensics experts to compose tools.
As a proof-of-concept, we explore a constraint-based API for the specific domain of semantic search for files in disk images. We build on top of the C++ implementation of Gecode, the open source framework for constraints and constraint programming. This declarative setting allows for flexible and programmatic combination of existing tools.
Award ID: 0915704