Authors: Clay Shields (Georgetown University), Ophir Frieder, Mark Maloof



The historical focus of forensics research and tools on digital systems that are seized from a suspect misses the fact that in centrally controlled networks it is possible to proactively and continuously collect evidence in advance of any known need. We present a proof-of-concept for PROOFS, the first proposed continuous forensic evidence collection system that applies information retrieval techniques to file system forensics. PROOFS creates and stores signatures for files that are deleted, edited, or copied within such a network. The heart of each signature is one or more fingerprints, generated based on statistical properties of file contents, maintaining semantics while requiring as little as 1.06% of the storage space of the original file. We focus on text documents and show that PROOFS has a high precision of 0.96 and recall of 0.85 with stored fingerprint sizes of less than 375 bytes. The two contributions of this work are that we show that common environments exist where a proactive collection of forensic evidence is possible and that we demonstrate an efficient and accurate mechanism for collecting evidence in those environments.