
Question


Cell Phones: Relevant articles

  • S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics
  • R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE.
  • S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback

THD, Phone Forensics, TRIM

  1. Define the "Trojan Horse defense" in terms of "actus reus" and "mens rea".

  1. List two methods of countering the Trojan Horse defense that can be performed by law enforcement during the execution of a search warrant and/or interview.

  1. Garfinkel et al.'s article on small block forensics is motivated by four main reasons. They state at the start of the article, "there is a growing need for automated techniques and tools that operate on bulk data, and specifically on bulk data at the block level." What are these reasons?
  2. The "small block forensics" approach proposed by Garfinkel et al. includes the use of sampling from a drive to find files already known to be of interest. Suppose you've recently acquired 160TiB (that is, 160 * 2^40 bytes) of data, and you are looking for any portion of 512GiB (512 * 2^30 bytes) of files that you know to be of interest. How many 4096 byte samples (uniform, at random, without replacement) would you expect to have to take from the drive such that the probability of failing to find even one of the files of interest is less than 0.01% (that is, p < 0.0001)? Make the simplifying assumption that all files are located at 4096 byte offsets.

You can find the answer entirely analytically. Show your work for possible partial credit. If you write a (short!) program to aid you, include its source for possible partial credit. In either case, if the grader is unable to understand your approach, do not expect partial credit.

  1. Describe the basic use of block hash filtering in the Walls et al. article on DEC0DE. What are the specific steps that are taken?
  2. Explain the purpose of TRIM for solid-state drives; also explain the performance implications of not supporting TRIM.
  1. Microsoft supports TRIM for NTFS filesystems on recent versions of Windows. Explain why the recoverability of a very small file in particular (for example, a file storing a 64 byte private key) would or would not be affected by the use of TRIM on an SSD drive.
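
The sampling question above can be checked numerically. The following is an added example, not part of the original question or of any posted answer: it computes the miss probability for uniform sampling without replacement exactly, draw by draw, and compares it with the with-replacement closed form. The function names are hypothetical; the sizes come from the question.

```python
import math

BLOCK = 4096  # sample size in bytes, as stated in the question

def min_samples(total_bytes, target_bytes, max_miss, block=BLOCK):
    """Smallest n with P(no target block in n draws without replacement) < max_miss."""
    total = total_bytes // block    # N: blocks on the drive
    target = target_bytes // block  # M: blocks belonging to known files
    if not 0 < target <= total or not 0 < max_miss < 1:
        raise ValueError("need 0 < target <= total and 0 < max_miss < 1")
    log_limit = math.log(max_miss)
    log_miss = 0.0  # natural log of the running miss probability
    n = 0
    while log_miss >= log_limit:
        remaining = total - n
        if remaining <= target:  # only target blocks are left unsampled
            return n + 1
        # Given n earlier misses, draw n+1 misses with probability 1 - M/(N-n).
        log_miss += math.log1p(-target / remaining)
        n += 1
    return n

def min_samples_with_replacement(total_bytes, target_bytes, max_miss, block=BLOCK):
    """Closed-form approximation: smallest n with (1 - M/N)**n < max_miss."""
    frac = (target_bytes // block) / (total_bytes // block)
    return math.floor(math.log(max_miss) / math.log1p(-frac)) + 1

if __name__ == "__main__":
    drive = 160 * 2**40   # 160 TiB acquired
    known = 512 * 2**30   # 512 GiB of files of interest
    print("target fraction:", (known // BLOCK) / (drive // BLOCK))  # 1/320
    print("exact, without replacement:", min_samples(drive, known, 1e-4))
    print("approximation, with replacement:",
          min_samples_with_replacement(drive, known, 1e-4))
```

On a drive this large the two figures agree, because removing a few thousand sampled blocks barely changes the target fraction; on a very small population the exact count is lower than the approximation.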
