Proposer
Mike Just
Title
Detecting suspicious files
Goal
Design, implement, and test an application that detects, distinguishes, and recovers different suspicious file types
Description
Digital forensics and security analysis often involve searching a storage device for particular files and file types. Standard approaches such as indexing and hash matching are typically used to search for known files and particular strings, including file extensions, file signatures ("magic strings"), and keywords associated with suspicious activities. In some cases, standard approaches won't necessarily work. This can happen when file contents are obfuscated in some way, such as with encrypted or compressed files. In this case, a different approach is required that involves first detecting and distinguishing such suspicious files. Some examples include files that:
- Hide data using steganography, such as hiding data in the least significant bit of image files.
- Are encrypted, using either historical cryptography or modern cryptographic methods.
- Are compressed.

There are many reasons that files are modified in this way, e.g., as part of normal file or disk encryption practice, in an effort to hide or obscure information contained in particular folders or files, or to render data (temporarily) inaccessible, as with ransomware. Detecting such modified files can be done with various statistical tests (e.g., entropy), with the tests properly tuned for the different varieties of data. For example, modern encryption algorithms produce random-looking (uniformly distributed) data, while the output of historical encryption methods retains statistical properties related to those of the plaintext. Once suspicious files are detected, they need to be distinguished: for example, both encrypted and compressed data can look random, and knowing the difference between the two would allow the compressed data to be recovered sooner.

For this project you'll first research the standard approaches for searching files, and then investigate approaches for detecting, distinguishing, and recovering suspicious files. Based on your research you'll need to design and implement an application according to a set of requirements. You'll then need to test your application. This will involve finding and creating suitable datasets for testing the variety of suspicious files, along with a number of benign files.
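As an added example (not part of the proposal, and not the proposer's code), the core statistical tests the description refers to, run over constructed samples: Shannon entropy and a chi-square uniformity test, a file-signature check that separates headered compressed data from encrypted data, a hypothetical byte-shift cipher standing in for historical encryption, and a SHA-256 counter keystream standing in for modern cipher output. The thresholds in classify() are assumptions to be tuned against the test dataset the project calls for.

```python
import hashlib
import math
import zlib
from collections import Counter

# Constructed sample input (not from the proposal): repetitive English text.
PLAINTEXT = b"the quick brown fox jumps over the lazy dog. " * 400
# Real file signatures ("magic strings") of common compressed formats.
COMPRESSION_MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"x\x9c": "zlib"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means perfectly uniform bytes."""
    n = len(data) or 1  # avoid division by zero on empty input (entropy 0)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square vs. a uniform byte distribution (255 d.o.f.); ~255 is random-like."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def caesar_shift(data: bytes, shift: int = 3) -> bytes:
    """Hypothetical classical cipher: a byte-wise shift, which preserves byte frequencies."""
    return bytes((b + shift) % 256 for b in data)


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for modern stream-cipher output: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def classify(data: bytes) -> str:
    """Triage: signature match first, then entropy/chi-square thresholds (assumed, to be tuned)."""
    for magic, name in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return f"compressed ({name})"
    if shannon_entropy(data) > 7.8 and chi_square_uniform(data) < 400:
        return "random-looking (encrypted or headerless compressed)"
    return "low-entropy (plaintext or classical cipher)"


# Constructed samples for each case the proposal lists except steganography.
SAMPLES = {
    "plaintext": PLAINTEXT,
    "caesar": caesar_shift(PLAINTEXT),
    "compressed": zlib.compress(PLAINTEXT),
    "encrypted": xor_keystream(PLAINTEXT, b"demo-key"),
}
```

Note that the shifted text has exactly the entropy of the plaintext, which is why entropy alone cannot flag classical ciphers, and that stripping the zlib header from the compressed sample would push it into the random-looking bucket, which is the distinguishing problem the proposal describes.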
Resources
Background
You should have an interest in cryptography (ideally have taken F20CN/F21CN Computer Network Security) and in using statistical methods to analyse data.
Url
Difficulty Level
Moderate
Ethical Approval
None
Number Of Students
2
Supervisor
Mike Just
Keywords
cyber security, digital forensics
Degrees
Bachelor of Science in Computer Science
Bachelor of Science in Computer Systems
Master of Engineering in Software Engineering
Master of Science in Artificial Intelligence
Master of Science in Artificial Intelligence with SMI
Master of Science in Computer Science for Cyber Security
Master of Science in Computing (2 Years)
Master of Science in Data Science
Master of Science in Information Technology (Software Systems)
Master of Science in Network Security
Master of Science in Software Engineering
Bachelor of Science in Computing Science
Bachelor of Science in Computer Science (Cyber Security)
MSc Applied Cyber Security