Compositional Declarative Forensics

pdf

ABSTRACT

Digital forensics often requires an investigator to use multiple tools in the anal- ysis phase. For example, the output of a tool may be captured into a file that is then input to a second tool; values may be printed and manually entered in subsequent phases of analysis. This process is tedious, adhoc and time consum- ing.

We advocate the use of constraint-based declarative techniques to address this problem. Constraints provide three advantages in this setting. First, logi- cal constraints enable higher-level abstract specifications that are closer to the domain experts perspective. Second, constraints provide a semantic foundation to exchange data between different tools. Finally, constraint programming fa- cilitates greater automation and reuse of the tactics used by forensics experts to compose tools.

As a proof-of-concept, we explore a constraint-based API for the specific domain of semantic search for files in disk images. We build on top of the C++ implementation of Gecode, the open source framework for constraints and constraint programming. This declarative setting allows for flexible and programmatic combination of existing tools.

Award ID: 0915704

Tags:

DePaul University

forensics; declarative queries

License: CC-2.5

Submitted by Katie Dey on Wed, 12/19/2012 - 12:31