This page lists the code and data resources used to support the paper:
Alex J. Nelson, Erik Q. Steggall and Darrell D. E. Long, "Cooperative mode: Comparative storage metadata verification applied to the Xbox 360," in Proceedings of the DFRWS 2014 US Annual Conference, August 2014.
Errata for the paper will be here, but may move in the future if appropriate.
The Elsevier template used for formatting draft documents includes section numbers. The final prints do not, but still allow the \section macros to resolve to section numbers. In light of that, here is a table of contents for referencing section numbers:
| No. | Section | Page |
|---|---|---|
| 1 | Introduction | 1 |
| 1.1 | Outline | 3 |
| 2 | Background: Theory and frameworks | 3 |
| 2.1 | Digital Forensics XML | 3 |
| 2.2 | Differential analysis | 3 |
| 3 | Analytic subject: Xbox 360 and the XTAF file system | 4 |
| 3.1 | The XTAF filesystem | 4 |
| 3.2 | Partition management | 4 |
| 4 | Designing XTAF data | 4 |
| 5 | Improving DFXML and differencing for tool evaluation | 5 |
| 5.1 | Formalizing the DFXML language | 5 |
| 5.2 | Implementing new DFXML Python bindings | 5 |
| 5.3 | Modularizing idifference.py | 5 |
| 5.4 | Byte runs to note more than content locations | 6 |
| 6 | Programs extended for DFXML comparison | 7 |
| 6.1 | Uxtaf | 7 |
| 6.2 | Py360 | 7 |
| 6.3 | The SleuthKit | 7 |
| 7 | Tools developed for DFXML comparison | 7 |
| 7.1 | UPartsFS: Extending single-partition file system parsers | 7 |
| 7.2 | FSNView: A single-data, multi-interpreter DFXMLreporter | 7 |
| 8 | Evaluating multi-tool analysis of Xbox 360 storage | 7 |
| 8.1 | Artifact recovery | 9 |
| 9 | Related work | 9 |
| 9.1 | Practices | 9 |
| 9.2 | Other tool comparison in storage forensics | 9 |
| 9.3 | Xbox analysis | 10 |
| 10 | Future research | 10 |
| 11 | Conclusion | 10 |
The code projects are maintained on Github.
The tools are tracked in FSNView as Git submodules. That is, FSNView specifies the exact code version of each of these tools.
Storage system analysis suite. Fiwalk was the original DFXML generator. Original development credit to Brian Carrier, Basis Technologies, Simson Garfinkel, Kevin Fairbanks, and others.
XBox 360 analysis suite. Contains tools for analyzing files particular to the XBox 360. Original development credit to "Arkem."
Userspace reference implementation for XTAF parsing. Original development credit to René Ladan.
C and Python libraries for creating and analyzing DFXML files and objects.
Specification of DFXML document structure.
Userspace partition table file system. Presents disk partitions as virtual files.
N-Version Programming realization for file system parsing. Compares DFXML generated by multiple tools.
Commit used in DFRWS '14: d165169e092f8b581f93d19b41467836e21d294a.
Pattern-searcher tool.
Commit used in DFRWS '14 for credit card scanning: 7579457faf91e713861240e5776fc66c085b7454.
Commit used in DFRWS '14 for HTTP header scanning: 05c533fbf48059354c072987af06083c9c96449a. This commit is available from my development repository.
The data supporting this paper are available at Digital Corpora.
In DFRWS '14, FSNView at the above commit was run on DRIVE2_TIME_FINAL.E01.
Last modified: 2015-08-18T12:08:43EDT.