Computer Hard Drive Geolocation by HTTP Feature Extraction
Published as Storage Systems Research Center Technical Report UCSC-SSRC-12-04. Technical Report UCSC-SSRC-12-04
Abstract
Geolocation data have high value to forensic investigators because computer activities may be associated with physical locations in the past. However, locating and extracting useful location information from an off-line disk image is a difficult problem. Most forensic investigations employ tools that focus on extracting content, such as emails, databases, and hidden or deleted data, and then manually investigate the results with practices like keyword searches. While this can work on a drive-by-drive basis, without a uniform approach to the location question, it is easy for an investigator to miss an answer that could be found from an evaluated technique known to other investigators. To determine drive location, we develop a two-step approach that analyzes a drive image for geolocation purposes, finding substantial location information in HTTP headers from common and default sources. First, we extract HTTP headers from the memory page (swap) files that reside on the hard drive. Second, we apply a weight based algorithm that parses those headers to determine the past geographical locations of the drive. We apply our method to drive images from the publicly available M57 Patents corpus and identify the hard drives' location with low recall but high precision.
Publication date:
May 2012
Authors:
Ziqian Wan
Alex Nelson
Tao Li
Darrell D. E. Long
Andy Hospodor
Projects:
Digital Forensics
Available media
Full paper text: PDF
Bibtex entry
@techreport{wan-ssrctr-12-04, author = {Ziqian Wan and Alex Nelson and Tao Li and Darrell D. E. Long and Andy Hospodor}, title = {Computer Hard Drive Geolocation by {HTTP} Feature Extraction}, institution = {University of California, Santa Cruz}, number = {UCSC-SSRC-12-04}, month = may, year = {2012}, }