Computer Hard Drive Geolocation by HTTP Feature Extraction

Published as Storage Systems Research Center Technical Report UCSC-SSRC-12-04. Technical Report UCSC-SSRC-12-04

Abstract

Geolocation data have high value to forensic investigators because computer activities may be associated with physical locations in the past. However, locating and extracting useful location information from an off-line disk image is a difficult problem. Most forensic investigations employ tools that focus on extracting content, such as emails, databases, and hidden or deleted data, and then manually investigate the results with practices like keyword searches. While this can work on a drive-by-drive basis, without a uniform approach to the location question, it is easy for an investigator to miss an answer that could be found from an evaluated technique known to other investigators. To determine drive location, we develop a two-step approach that analyzes a drive image for geolocation purposes, finding substantial location information in HTTP headers from common and default sources. First, we extract HTTP headers from the memory page (swap) files that reside on the hard drive. Second, we apply a weight based algorithm that parses those headers to determine the past geographical locations of the drive. We apply our method to drive images from the publicly available M57 Patents corpus and identify the hard drives' location with low recall but high precision.

Publication date:
May 2012

Authors:
Ziqian Wan
Alex Nelson
Tao Li
Darrell D. E. Long
Andy Hospodor

Projects:
Digital Forensics

Available for download:

Full text:
Download as PDF

Bibtex entry

@techreport{wan-ssrctr-12-04,
  author       = {Ziqian Wan and Alex Nelson and Tao Li and Darrell D. E. Long and
Andy Hospodor},
  title        = {Computer Hard Drive Geolocation by HTTP Feature Extraction},
  institution  = {University of California, Santa Cruz},
  number       = {UCSC-SSRC-12-04},
  month        = may,
  year         = {2012},
}
Last modified 3 Oct 2012