{"id":2986,"date":"2015-04-11T09:56:57","date_gmt":"2015-04-11T09:56:57","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2986"},"modified":"2015-04-13T14:52:20","modified_gmt":"2015-04-13T14:52:20","slug":"introducing-filighting-and-the-future-of-dfir-tools-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/04\/11\/introducing-filighting-and-the-future-of-dfir-tools-part-2\/","title":{"rendered":"Introducing filighting and the future of DFIR tools, part 2"},"content":{"rendered":"<p>In <a title=\"Introducing filighting and the future of DFIR tools\" href=\"https:\/\/www.hexacorn.com\/blog\/2015\/04\/10\/introducing-filighting-and-the-future-of-dfir-tools\/\">yesterday&#8217;s post<\/a> I described a simple clustering algorithm that could be used to group files that contain references to each other. Today I am posting the source code of the program that generated the data in my last post, together with a demo that shows how powerful such clustering could be if combined with proper visualization techniques.<\/p>\n<p>In the example I showed, I used a relatively small folder in which Total Commander was installed. The resulting cluster looks like this:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-2987\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster1-300x275.png\" alt=\"cluster1\" width=\"300\" height=\"275\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster1-300x275.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster1.png 707w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>You can play with it interactively <a href=\"https:\/\/www.hexacorn.com\/examples\/2015-04-11\/cluster1.html\">here<\/a>.<\/p>\n<p>Imagine that someone adds files to the Total Commander folder. 
Since they are not referenced by any other file in this folder, they will create separate clusters. After adding 3 such files:<\/p>\n<ul>\n<li>orphan1.txt<\/li>\n<li>orphan2.txt<\/li>\n<li>orphan3.txt<\/li>\n<\/ul>\n<p>we get the following clusters:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-2988\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster2-300x197.png\" alt=\"cluster2\" width=\"300\" height=\"197\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster2-300x197.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster2.png 966w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>You can play with it interactively <a href=\"https:\/\/www.hexacorn.com\/examples\/2015-04-11\/cluster2.html\">here<\/a> (you need to drag the orphans away to get the same result as shown in the screenshot).<\/p>\n<p>Finally, we can imagine that a hacker or malware creates a couple of files that perhaps reference each other. 
An example could be:<\/p>\n<ul>\n<li>config.bin<\/li>\n<li>keystrokes.txt<\/li>\n<li>malware.exe &#8211; referencing keystrokes.txt and config.bin<\/li>\n<\/ul>\n<p>If we now cluster this directory, we will get something like this:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-2989\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster3-300x252.png\" alt=\"cluster3\" width=\"300\" height=\"252\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster3-300x252.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/04\/cluster3.png 867w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>The &#8216;malware&#8217; files clearly stand out.<\/p>\n<p>You can play with it interactively <a href=\"https:\/\/www.hexacorn.com\/examples\/2015-04-11\/cluster3.html\">here<\/a> (again, you need to drag the nodes away to get the same result as shown in the screenshot).<\/p>\n<p>For more examples see <a title=\"Introducing filighting and the future of DFIR tools, part 3 \u2013 more examples\" href=\"https:\/\/www.hexacorn.com\/blog\/2015\/04\/11\/introducing-filighting-and-the-future-of-dfir-tools-part-3-more-examples\/\">part 3<\/a>.<\/p>\n<p>I believe there are a lot of opportunities in leveraging clustering to reduce the amount of data we need to analyze and to improve user experience by introducing new ways to look at data. There are a lot of visualization techniques that are not used in forensic software today, and that is a pity. 
Clustering adds an extra dimension on top of the timeline and the structure imposed by the organization of a file system &#8211; we can only hope that forensic software of the future will take this into account.<\/p>\n<p>For inspiration and really amazing examples of visualization go to <a href=\"https:\/\/github.com\/mbostock\/d3\/wiki\/Gallery\">https:\/\/github.com\/mbostock\/d3\/wiki\/Gallery<\/a>. I used the very same script to create the interactive demos referenced by this post.<\/p>\n<p>The source code of the filighter script that generates these clusters is <a href=\"https:\/\/www.hexacorn.com\/examples\/2015-04-11\/filighter.pl\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In yesterday&#8217;s post I described a simple clustering algorithm that could be used to group files that contain references to each other. Today I am posting the source code of the program that generated the data in my last &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/04\/11\/introducing-filighting-and-the-future-of-dfir-tools-part-2\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[39,19,5,40],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2986"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2986"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2986\/revisions"}],"predecessor-version":[{"id":3004,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2986\/revisions\/3004"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}