Digital Forensic Research: Current State of The Art
DOI 10.1007/s40012-012-0008-7
ORIGINAL RESEARCH
Received: 9 October 2012 / Accepted: 30 October 2012 / Published online: 13 November 2012
CSI Publications 2012
CSIT (March 2013) 1(1):91–114
remains the single largest source of national threat at 10.81 %, closely followed by terrorism at 10.43 %. The 2006 Australian Computer Crime Survey [12] has estimated computer facilitated financial fraud and proprietary information breaches at over A$ 2,000,000 in lost revenue. With the recent proliferation of newer digital devices in the markets and the increasing frequency of discovering such devices in investigations, a new term called digital forensics was coined. This term now refers to investigating any type of media capable of storing digital information as part of a forensic investigation. The Digital Forensic Research Workshop (DFRWS) Technical Committee [63] has defined digital forensic science as below:

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

1.1 Digital forensics: the process

Digital forensics is a multi-staged process, starting with the identification of digital media from a (possibly criminal) scene as potential evidence and ending at the stage where it is presented as evidence by an expert witness in a court of law. The sequence of activities is illustrated at a high level in Fig. 1. The very first stage of the digital forensic process is the identification of relevant digital evidence. This involves the identification of one or more sources of digital storage capable of storing digital information associated with the investigation at hand. Some examples of hardware that can provide digital evidence include hard disks on computer systems, random access memory cards, USB and other external sources of secondary storage, mobile phones, PDAs and so on. Once identified, evidence is acquired from the devices and forensically preserved. By acquisition, we refer to the process of obtaining a binary bitwise copy of the entire contents of all digital media that are identified. The evidence thus acquired is preserved, and standard hash signatures like MD5 or SHA1 are used to verify the integrity of the digital evidence.

In a digital forensics investigation, investigators deal with acquiring digital records for examination. Digital records can vary in form and type. Documents on a computer, a telephone contact list, lists of all phone calls made, the trace of signal strength from the base station of a mobile phone, recorded voice and video files, email conversations, network traffic patterns and virus intrusions and detections are all examples of different types of digital records. In short, digital evidence encompasses:

a. User data
b. Metadata associated with user data
c. Activity logs; and possibly
d. System logs

User data pertains to data directly created, modified or accessed by one or more users involved in an investigation. Metadata pertains to data providing context on how, when, by whom and in what form the user data was created, modified or accessed. Activity logs are records of user activity kept by a system or application or both, detailing specific actions conducted by one or more users, and system logs pertain to variations in system behavior from the normal based on one or more actions conducted by the users.

Once the digital evidence is acquired, it is always necessary to make copies and conduct all forensic tests on such read-only copies, lest any activity tamper with the data stored within the original sources [58, 59]. The digital evidence is then examined using one or more forensic tools. These forensic tools generally provide some form of file system abstraction to the digital evidence, such that their contents may be examined for traces of evidence. This stage is called evidence examination, where the digital evidence sources are examined for their contents and possibly indexed for conducting searches. This definition is in accordance with
Casey's view of the digital forensic examination process. Casey [44] defines forensic examination as the process of extracting information from digital evidence and making it available for analysis. In some cases, the examination of digital evidence may reveal some hidden or otherwise not explicit information which has to be extracted and subsequently analyzed. The act of identifying such information is termed evidence discovery.

After evidence examination and discovery, forensic analysis begins, where the evidence sources and the discovered data are analyzed to determine the sequence of events leading to the reported crime under investigation. Casey [44] defines forensic analysis as the application of scientific methods and critical thinking to address the fundamental questions in an investigation: what, who, why, how, when and where. The individual stages are thoroughly documented and this documentation is presented in a court of law. Oftentimes, the presentation of digital evidence in court may be accompanied by an expert witness for testifying.

1.2 Research challenges

In a digital investigation, investigators deal with acquiring digital records for examination. Digital records can vary in form and type. Documents on a computer, a telephone contact list, the list of all phone calls made, the trace of signal strengths from the base station of a mobile phone, recorded voice and video files, email conversations, network traffic patterns and virus intrusions and detections are all examples of different types of digital records. In the last decade, a large number of new digital devices have been introduced with advancements in digital technology. Lalis et al.'s [115] article on wearable computing provides a flavor of this changing digital scenario. These advances in digital technology and the relatively gradual progress in digital forensics have resulted in five major challenges [34, 74, 169]. They are:

1. Complexity problem
2. Diversity problem
3. Consistency and correlation;
4. Quantity or volume problem; and
5. Unified time-lining problem

Digital forensics has developed primarily as a reactive field [74], which is a prime cause for these challenges, viz., advancements in digital forensics were triggered by crime first being committed on a computer or any digital device. Consequently, the field apparently seems to follow the trend rather than lead it.

Primarily, digital evidence is acquired in raw binary form which is too difficult for humans to understand, and this leads to the complexity problem [34]. Forensic tools are hence used to interpret the raw digital evidence to address this problem. But currently, there is an abundance of forensic tools to interpret binary data in digital evidence and consequently, complexity has taken a backseat.

Of late, the amount of data collected during investigations has been steadily growing and it is becoming ineffective to analyze every single byte. The volumes and the heterogeneity of digital evidence have called for the application of data reduction techniques by grouping data into larger chunks or by removing known and irrelevant data prior to analysis. Garfinkel [74] also acknowledges the growing volumes of storage devices and makes an additional observation that in the presence of multiple operating systems, file formats and devices, there is no standard way to examine and analyze all types of digital evidence; this has led to the diversity problem. Besides, with digital investigations often having to deal with multiple sources, investigators are required to examine consistency and correlate the evidence discovered across these sources, leading to the consistency and correlation challenge. Garfinkel [74] observes that as there are no standards in data representation across these devices, many of which are proprietary, forensic examination and analysis become a significant challenge. Besides, the forensic tools currently in existence are designed to find pieces of digital evidence but not to assist in investigations [78]; hence, the majority of the analysis is conducted manually. Since different sources require different forensic tools, this has resulted in the diversity problem.

Despite the seemingly common structure of many file systems, these file systems are customized in the manner in which they store and process files. As a result, a file system partition which is defined as NTFS cannot process an EXT or an HFS partition. Another example of such a seemingly common structure for potential evidence sources is among logs; all log files have a set of fields and a corresponding set of values, and they are used to record activities for tracking system behavior or users' activities. Nevertheless, not all logs can be interpreted the same way. Each log is customized to track specific activities and hence the events of a system log and a network log can never be merged together. In other words, the semantics of the log is embedded in the log type, which is lost when they are merged. Moreover, when multiple sources of digital evidence are identified for investigation, not only is it essential to analyze them, it is also essential to corroborate and correlate the data between these sources for consistency. For instance, if a user visits a webpage, the visit creates a record in the user's browser history as well as in the cookies. If the user accessed the webpage via a proxy, the proxy will also contain an entry corresponding to the visit. Hence, multiple logs may require to be corroborated during forensic analysis. This is the consistency and correlation problem.

With the rapid increase in the sizes of storage media, the volumes of digital evidence collected these days are
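The browser history, cookie and proxy corroboration described above, together with the time zone mismatch that makes unified time-lining hard, as an added example that is not from the paper or any tool it cites: three constructed sources (a browser history in the workstation's local time, cookies in epoch seconds, a squid-style proxy log) are normalised to UTC, merged into one timeline, and each visit is checked for a matching proxy entry and cookie. The UTC+10 workstation zone, the hostnames and the 5 s tolerance window are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample sources (not real evidence). Each one keeps time
# differently, which is the unified time-lining problem: the browser history
# is in the workstation's local wall-clock time (assumed UTC+10), cookies carry
# Unix epoch seconds (UTC by definition) and the proxy log uses a squid-style
# "epoch.millis" first field. Nothing can be correlated until all of them are
# normalised to one reference clock.
LOCAL_ZONE = timezone(timedelta(hours=10))          # assumed workstation zone

def _utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)

BROWSER_HISTORY = [                                 # (local time, URL)
    ("2012-10-09 14:03:10", "http://example.org/news"),
    ("2012-10-09 14:05:42", "http://example.org/login"),
    ("2012-10-09 14:30:00", "http://example.org/account"),   # nothing else saw this
]
COOKIES = [                                         # (host, name, created epoch)
    ("example.org", "session", int(_utc(2012, 10, 9, 4, 3, 11).timestamp())),
]
PROXY_LOG = [   # constructed access.log lines: epoch.ms elapsed client status size method url
    f"{_utc(2012, 10, 9, 4, 3, 10).timestamp():.3f} 215 10.0.0.5 TCP_MISS/200 5120 GET http://example.org/news",
    f"{_utc(2012, 10, 9, 4, 5, 43).timestamp():.3f}  80 10.0.0.5 TCP_MISS/200 2048 GET http://example.org/login",
    f"{_utc(2012, 10, 9, 4, 7, 0).timestamp():.3f}  60 10.0.0.5 TCP_MISS/200 1024 GET http://other.example/feed",
]

def history_events(rows, zone):
    """Browser history: interpret local wall-clock time in `zone`, convert to UTC."""
    out = []
    for local, url in rows:
        ts = datetime.strptime(local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
        out.append((ts.astimezone(timezone.utc), "history", url))
    return out

def cookie_events(rows):
    """Cookies: epoch seconds are already UTC; the correlation key is the host."""
    return [(datetime.fromtimestamp(epoch, tz=timezone.utc), "cookie", host)
            for host, _name, epoch in rows]

def proxy_events(lines):
    """Proxy log: float epoch in the first field, URL in the last field."""
    out = []
    for line in lines:
        fields = line.split()
        ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        out.append((ts, "proxy", fields[-1]))
    return out

def unified_timeline(*sources):
    """Merge every normalised source into a single UTC-ordered timeline."""
    return sorted((ev for src in sources for ev in src), key=lambda ev: ev[0])

def corroborate(timeline, tolerance=timedelta(seconds=5)):
    """For each browser visit, look for a proxy entry with the same URL and a
    cookie for the same host within `tolerance`; a visit seen only in the
    browser history is reported as uncorroborated."""
    report = {}
    for ts, source, url in timeline:
        if source != "history":
            continue
        host = urlparse(url).hostname
        near = [ev for ev in timeline if abs(ev[0] - ts) <= tolerance]
        report[url] = {
            "proxy": any(s == "proxy" and k == url for _, s, k in near),
            "cookie": any(s == "cookie" and k == host for _, s, k in near),
        }
    return report

def build_timeline():
    return unified_timeline(history_events(BROWSER_HISTORY, LOCAL_ZONE),
                            cookie_events(COOKIES), proxy_events(PROXY_LOG))

if __name__ == "__main__":
    for url, status in corroborate(build_timeline()).items():
        print(url, status)
```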
interpret a few different types but there is no tool in existence to date that can interpret all types of data. The Common Digital Evidence Storage Format working group [58] has re-iterated the drawbacks of current forensic analysis tools in terms of not being able to cope with multiple proprietary image formats. The group emphasizes the need for introducing a common digital evidence storage format that is common to a variety of evidence sources including hard disk images, network logs, proxy cache data, memory dumps, etc.

Current research in digital forensics can be classified into 4 major categories, viz. evidence acquisition and representation, evidence discovery and examination, digital forensic analysis and digital forensic process modeling. Evidence acquisition is concerned with identifying and acquiring digital data in a forensically secure manner from a variety of digital devices. This branch examines the forensic scope of data from different devices and presents new techniques and tools (both hardware and software) to acquire data from the field. The data so acquired is then carefully imaged into secure drives for data discovery and examination. Evidence examination and discovery deals with techniques to discover relevant data within the acquired sources and the software support needed to examine the contents using one or more forensic tools. Evidence examination deals with the extraction of information from digital evidence and makes it available for analysis [44]. The different forensic tools used generally provide some form of file system or schema support to the digital evidence sources, enabling investigators to navigate through the sources examining their contents. Digital forensic analysis is the application of the scientific method and critical thinking to address the fundamental questions in an investigation: who, what, where, when, how and why [44]. The process involves the analysis of artifacts from one or more sources of digital evidence to determine the sequence of events and answer these fundamental questions in order to solve the crime that is being investigated.

Forensic analysis also involves using the fundamental principles underpinning the creation, modification, tampering and deletion of digital data on storage media and coming up with a logical sequence of events to explain the state of data in acquired evidence. Digital forensic process modeling deals with establishing theoretical backgrounds on the forensic process and defining procedures and processes that must be in place while guaranteeing integrity of evidence throughout an investigation. The modeling process also defines fundamental forensic principles for the development of new tools in forensic examination and analysis. In the following sections, we will deal with each category separately, identifying the different published research in them.

3 Evidence acquisition and representation

Evidence acquisition, being the first step in a digital investigation, has been thoroughly studied to understand where there is scope for data (potential digital evidence) and how it can be extracted. Several national governmental agencies have recognized the need to deal with the increasing use of digital data and participated in efforts to define guidelines for their use and handling.

3.1 Standards and guidelines

The National Institute of Justice (NIJ) and the Department of Justice (DoJ) in the United States of America have laid down principles for first responders: where to search for evidence in a crime scene and how to go about acquiring data. The National Institute of Standards and Technology (NIST) has supported many such initiatives and has provided both tools and tool testing capability [147, 150–154] for evidence acquisition. The Association of Chief Police Officers (ACPO) [11] has published the Good Practice Guide for Computer based Electronic Evidence in the United Kingdom, and Standards Australia [196] has laid down guidelines for the management of IT evidence in Australia. While there has been a general growth in awareness for acquiring digital evidence and different national standards have been published, the underlying principle in evidence acquisition remains the same. Typically, when a hard disk must be acquired, it is connected to a forensic system via a write-blocker and a binary image of the entire disk is taken. A write blocker is a hardware device or software tool that allows read-only access to the suspect disk to avoid tampering with evidence and maintains data integrity. While it is a safe and secure method for hard disk acquisition and is applicable to all disk formats, the sheer volumes of hard disks today render the process tedious. Further, if a disk was purchased in a secondary market, as in many cases, investigators often acquire and analyze far more data than necessary, which amounts to precious lost time in an investigation. This can be attributed to the fact that such disks could contain irrelevant data, deleted, lost or otherwise, which would be captured by the acquisition tool. In such cases, improper formatting of secondary disks and possibly improper magnetization in the disks could result because of aging. Since in most cases the data are acquired in raw binary format, there are no reliable means to compress the size of the acquired data, which renders the process cumbersome. Since then, however, several proprietary formats have been engineered to compress these images and manage the size of data [59].

Since initially recognizing the need to acquire digital data and use it in digital investigations, research has paved the way for several new acquisition techniques and tools in
the public domain for evidence in different types of devices. Lyle [123] describes the functions of a hardware write blocker and describes how the NIST had come up with testing tools to validate their functionality. Garfinkel [79, 80] notes that in many cases investigators acquire and analyze far more data than necessary, which amounts to precious lost time in an investigation. This can be attributed to the fact that certain sources of digital evidence could contain irrelevant or deleted data which would be captured by the acquisition tool.

Since initially recognizing the need to acquire digital data and use it in digital investigations, research has paved the way for several new acquisition techniques and tools in the public domain for evidence in different types of devices. While acquisition was recognized as a straightforward process, it involved gathering a variety of different devices and data in several different formats, viz., raw binary format, expert witness format (EWF), advanced forensic format (AFF), Encase image file format and so on. The raw binary format is a purely binary image of the source. The EWF is the basis of the image file format created by EnCase. The Encase image file format is a relatively compressed but proprietary image format used by Encase forensic tools.

3.2 AFF

Garfinkel [79] developed the AFF, which is an open-source format exclusively for hard disk images. The AFF is partitioned into two layers providing both abstraction and extended functionality. AFF's lower data storage layer describes how a series of name/value pairs are stored in one or more disk files in a manner that is both operating system and byte-order independent. AFF's upper disk presentation layer defines a series of name/value pairs used for storing images and associated metadata. It presents an opportunity for an investigator to capture all the information related to a disk and also allows recording of case related metadata. Garfinkel has developed the afflib open source library (http://www.afflib.org/) to support the AFF format, integrated in many open source forensic tools. However, the AFF is primarily designed for forensic images of hard disks and does not account for raw sources of digital evidence, such as files and logs, and regular sources such as memory dumps and network packet captures. Cohen et al. [56] proposed the AFF4 by redesigning the AFF model to accommodate out-of-band information. AFF4 supports multiple secondary storage devices, new data types (including network packets and memory images), extracted logical evidence, and forensic workflow. The investigator may choose to extract relevant evidence from the encapsulation and conduct evidence examination and analysis. The raw binary format or EWF are the most popular imaging formats but they do not provide effective means to compress the acquired data, which renders handling digital evidence in the later stages rather unwieldy.

3.3 Digital evidence bags (DEB)

Turner [202] proposes the DEB, an abstraction model for evidence when multiple source types are involved. This model accounts for including volatile memory and other forms of data that were being acquired in some investigations. DEB is a hierarchical evidence model, illustrated in Fig. 2. It consists of an open-ended TAG file containing information about:

1. The collector of evidence,
2. Meta information about the evidence capture process,
3. List of evidence units (EUs) contained,
4. An expandable tag continuity block (TCB) providing a history of evidence transaction records; and
5. A hash signature of the evidence bag.

The index extension files list the files and folders contained in evidence and record metadata information like file creation times, access times, modification dates and folder paths. Alternatively, they could contain the make, model, serial number and the manufacturer details as metadata for storage disks. The bag extension files contain the actual files obtained from the evidence site. These include the contents of the files in raw format. Turner demonstrates the use of the model in a network investigation and system administration task [205] and uses it for selective intelligent acquisition [204] from static storage devices. Masters and Turner [126] describe a method to represent data from magnetic swipe card readers using the DEB model.

Fig. 2 Digital evidence bags (an Evidence TAG file with its .index 01 … .index MN and .BAG 01 … .BAG MN extension files)

Trends indicate that it is infeasible to always bring down a system to image it and often investigators must rely on their ability to reliably image the memory and available
storage drives for examination during an investigation using online imaging. This recent development is a significant detour from McKemmish's 4-point model [128], which assumes that digital evidence is always acquired after the system is turned off.

While DEB is an integral concept to maintain provenance information regarding digital evidence, it omits any reference to time zone information and timestamp representation, for instance when dealing with multiple digital evidence sources from several time zones. Being able to abstract the representation of digital evidence and the time-correlation of multiple sources is one of the key research focal points for the future. While the TAG file definition is novel and helps verify evidence integrity, it is mainly intended to help human interpretation.

3.4 Secure digital evidence bags

Schatz and Clark [181] observe that the DEB model is monolithic in nature and proposed a representation approach to integrate metadata with evidence information and introduced an open DEB architecture called sealed digital evidence bags (SDEB), illustrated in Fig. 3. The SDEB, however, assumes the pre-existence of a forensic domain ontology in the context of the case. The model is defined using the resource description framework, using Universal Resource Indicators (URI) [17] to tag the evidence bags. Each tag is uniquely identified with an identifier and they are immutable. When the analysis of primary evidence results in secondary evidence, a new evidence bag is created into which the details are stored. Hence, the existing evidence bags are untouched and unlikely to undergo modifications. In addition, each tag is also associated with a tag signature which records and stores a hash signature like SHA1 or MD5 to verify SDEB integrity before using it.

Fig. 3 Sealed digital evidence bags (Tag.rdf tag file, Tag.rdf.sig tag integrity file, and the evidence content)

Each of the digital evidence models discussed above has provided a significant advance over earlier research with regard to representing digital evidence and addressing the diversity problem to varying degrees. The DEB and the SDEB models emphasize data integrity, not forensic examination and analysis. Consequently, these models fail to address the volume, consistency and correlation and the unified time-lining problems. While the AFF4 addresses the diversity problem and provides a certain level of consistency among digital evidence, it is designed using the ZIP specification as the container format and does not record accurate time zone information.

Analysis requires a framework that superstructures the forensics investigation process and enables the inclusion of new tools to understand and interpret the data in a holistic manner. Such a framework would naturally support an abstraction model which retains data integrity while also allowing enhanced analysis capabilities by providing easier access to evidence encapsulated in these models.

3.5 Forensic acquisition tools

There have been several other efforts in advancing the state of the art in techniques for data acquisition from electronic devices. Gillam and Rogers [87] present the FileHound "field analysis" software for first responders. Adelstein and Joyce [2] propose File Marshal for automatic extraction of P2P data over a network. Kornblum [114] presents a methodology for forensic acquisition of Linux disks with an odd number of sectors. LaVelle and Konrad [118] propose FriendlyRoboCopy as a method for forensic preservation while acquiring data from a network. Carrier and Grand [38] describe a hardware based memory acquisition procedure while Schatz [180] presents a software based volatile memory capture using BodySnatcher. Schuster [183, 185]
examines the presence of processes and threads in Windows memory dumps and examines memory allocation strategies in Windows operating systems, Solomon et al. [195] analyze user data persistence in physical memory and Mee et al. [130] have examined the Windows registry as a forensic artifact. Schuster [184] describes the Microsoft Vista event log format and studies its forensic capabilities and Murphey [145] presents a methodology for automated event log forensics combining multiple logs. Hargreaves et al. [93] describe the Windows Vista format and examine the challenges it poses to forensics while Park et al. [159] study data concealment and detection in Microsoft Office 2007 files. Eckstein and Jahnke [68] present a study on data hiding in journaling file systems, Gupta et al. [92] study hidden disk areas in a hard disk, Barik et al. [13] propose a methodology to preserve authentic date and timestamps in the EXT2 file system for forensic purposes and Schatz et al. [182] propose a method for establishing timestamp provenance in digital evidence by corroborating system timestamps with a universal source such as NTP timestamps. Kenneally and Brown [107] present a risk sensitive approach to evidence collection while adhering to a legal framework and Johnston and Reust [106] highlight the importance of evaluating evidence in a network intrusion case study. Casadei et al. [42] present an overview of SIM card forensics, Laurie [117] analyzes the forensic scope for Bluetooth technology and Nutter [155] examines TomTom records for identifying locations. Figure 4 illustrates the taxonomy of digital forensic acquisition and representation. The author recognizes that the figure is not exhaustive for space constraints but has tried to fit in as many literature works as possible.

4 Evidence discovery and examination

During evidence examination, digital evidence sources are interpreted using one or more forensic tools. These forensic tools essentially provide a file system abstraction to the digital evidence source as defined by Carrier's forensic tool abstraction layers [34], which bridge the gap between the definition of a forensic process model and the development of associated forensic tools in aiding an investigation. Evidence discovery involves the process of reliably recovering encrypted, hidden, lost or deleted data from the acquired evidence for further examination; reliably here means obtaining data as it is represented in a digital evidence source, without having to manipulate or modify any information contained on that evidence source. Since raw data from digital evidence is often very difficult to understand, the data are translated through one or more layers of abstraction using forensic tools until they can be understood. The directory is an example of a file system abstraction while ASCII is a non-file system binary abstraction. The abstraction layer concept has been instrumental in the development of many forensic tools. The tool abstraction model proposed by Carrier is illustrated in Fig. 5.
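Returning to the evidence bag models of Sects. 3.3 and 3.4, the following is an added illustration, not Turner's DEB or Schatz and Clark's SDEB code: a TAG carrying collector, capture metadata, evidence units, a continuity block and the hash of the bag; SDEB-style sealed tags whose hash signature is kept separately and checked before use; and a new bag for secondary evidence that references its parent instead of modifying it, which also covers the SHA1 verification of acquired copies from Sect. 1. The JSON layout, the hash-chained TCB and the derived_from link are this example's own assumptions.

```python
import hashlib
import json

# Illustration of the DEB/SDEB ideas only; the layout below is an assumption,
# not Turner's or Schatz and Clark's real file format.

def canonical(obj) -> bytes:
    """Deterministic serialisation so hashes over structures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def make_index(files):
    """.index component: metadata only (path, size, mtime, content hash)."""
    return [{"path": p, "size": len(c), "mtime": m, "sha1": sha1_hex(c)}
            for p, m, c in files]

def make_bag(files):
    """.BAG component: raw contents keyed by path (hex-encoded to stay JSON-safe)."""
    return {p: c.hex() for p, _m, c in files}

def record_transaction(tag, action, who):
    """Append to the tag continuity block (TCB). Each entry carries the hash of
    the previous entry (an assumption here), so history cannot be edited silently."""
    prev = tag["tcb"][-1]["entry_sha1"] if tag["tcb"] else "0" * 40
    entry = {"action": action, "who": who, "prev": prev}
    entry["entry_sha1"] = sha1_hex(canonical(entry))
    tag["tcb"].append(entry)

def make_tag(collector, capture_meta, files, derived_from=None):
    """TAG file: collector, capture metadata, evidence units, TCB and the hash of
    the whole bag, against which the acquired copy is verified later."""
    bag = make_bag(files)
    tag = {"collector": collector, "capture": capture_meta,
           "evidence_units": make_index(files),
           "bag_sha1": sha1_hex(canonical(bag)),
           "tcb": [], "derived_from": derived_from}
    record_transaction(tag, "created", collector)
    return tag, bag

def seal(tag):
    """SDEB-style sealing: freeze the tag as bytes and keep its signature (a
    SHA1 here, as the survey mentions) in a separate .sig value."""
    tag_bytes = canonical(tag)
    return tag_bytes, sha1_hex(tag_bytes)

def verify(tag_bytes, sig, bag):
    """Integrity check before use: tag matches signature, bag matches the hash
    in the tag, every evidence unit matches its index entry, TCB chain intact."""
    if sha1_hex(tag_bytes) != sig:
        return False
    tag = json.loads(tag_bytes)
    if sha1_hex(canonical(bag)) != tag["bag_sha1"]:
        return False
    for unit in tag["evidence_units"]:
        content = bag.get(unit["path"])
        if content is None or sha1_hex(bytes.fromhex(content)) != unit["sha1"]:
            return False
    prev = "0" * 40
    for entry in tag["tcb"]:
        body = {k: v for k, v in entry.items() if k != "entry_sha1"}
        if entry["prev"] != prev or sha1_hex(canonical(body)) != entry["entry_sha1"]:
            return False
        prev = entry["entry_sha1"]
    return True

def derive(parent_tag_bytes, parent_sig, files, collector):
    """Secondary evidence found during analysis goes into a NEW bag that points
    at the parent's signature; the sealed parent is never modified."""
    if sha1_hex(parent_tag_bytes) != parent_sig:
        raise ValueError("parent tag fails integrity check; refusing to derive")
    return make_tag(collector, {"source": "analysis of " + parent_sig}, files,
                    derived_from=parent_sig)

# Constructed sample evidence units (not real data): (path, mtime, content)
PRIMARY_FILES = [
    ("C:/Users/a/Documents/notes.txt", "2012-10-09T04:03:10Z", b"meeting at 3"),
    ("C:/Users/a/Downloads/x.bin", "2012-10-09T04:05:42Z", bytes(range(16))),
]

def demo():
    tag, bag = make_tag("examiner-1", {"tool": "imager", "method": "bitwise copy"},
                        PRIMARY_FILES)
    record_transaction(tag, "transferred to lab", "examiner-2")
    tag_bytes, sig = seal(tag)
    child_tag, child_bag = derive(tag_bytes, sig,
        [("carved/strings.txt", "2012-10-10T01:00:00Z", b"3")], "examiner-2")
    child_bytes, child_sig = seal(child_tag)
    tampered = dict(bag)                      # a working copy that was edited
    tampered[PRIMARY_FILES[0][0]] = b"meeting at 4".hex()
    return {"primary_ok": verify(tag_bytes, sig, bag),
            "child_ok": verify(child_bytes, child_sig, child_bag),
            "child_links_parent": child_tag["derived_from"] == sig,
            "parent_unchanged": sha1_hex(tag_bytes) == sig,
            "tamper_detected": not verify(tag_bytes, sig, tampered)}
```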
to extracting the metadata from the relevant file and log abstractions for subsequent analysis, and evidence composition corresponds to handling multiple and heterogeneous sources of digital evidence in order to facilitate the conduct of a holistic investigation.

Binary abstraction of digital evidence was established by Carrier [34] to overcome the complexity problem and all these forensic toolkits support it. In fact, all forensic tools must provide this basic support. File system based forensics is fairly established and so is the act of text querying and searching; all these forensic toolkits support these two functionalities.

In the metad
ata category, the identification of file system metadata, especially MAC timestamps, has been deep-seated and hence the ability to extract file system metadata is common to these toolkits; however, other types of metadata have been sparingly accessed or used, even on other forensic tools. Over the last decade, the design of forensic toolkits has principally been from the point of view of extracting all types of digital evidence that can be identified on a source [74, 169]; consequently much of the task of putting the information discovered from evidence together and interpreting the semantics has been left to an investigator.

The recent advent of such tools, especially in the open-source community, is an acknowledgement of the importance associated with developing solutions that can integrate an increasing number of digital evidence sources to tackle technological diversity. However, the ability to analyze and cross correlate information derived from one source across other sources is not supported in the architectures they build on. The examination and forensic analysis of digital evidence hence remain disconnected and analysis continues to be performed manually.

Carrier developed the Sleuthkit [35] that exports results to a browser interface (Autopsy) as HTML output. Cohen [55] extended the functionality of Sleuthkit and developed the Pyflag framework that can operate on forensic images, memory dumps, logs and network captures. Sleuthkit addresses the integration of file system analysis across multiple file systems and Pyflag integrates the examination of file systems, memory dumps, network packet captures and logs into a single framework. The open computer forensic architecture (OCFA, http://ocfa.sourceforge.net/) developed by the Dutch National Police Agency (http://www.politie.nl/KLPD/) is another example of an integrated forensic architecture. However, OCFA only integrates forensic image formats such as RAW, EnCase and EWF for file system examination. All these tools, i.e., Sleuthkit, Pyflag and OCFA, allow multiple sources of digital evidence to be examined simultaneously. However, the analysis needs to be conducted manually by an investigator using a search and browse interface.

4.2 Data carving

In several cases, it was found that deleted data or partial file data could help an investigation, which gave rise to the new field of data carving. Carving is the process of identifying file types using a string of bytes, called magic numbers, from an image and matching them with a database of known magic numbers to recover deleted or partially deleted files [63]. The magic number is a constant used to identify a file format and is hence unique to each format. The DFRWS report of 2001 [63] defines:

Data carving is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analyzed to extract files. The files are "carved" from the unallocated space using file type-specific header and footer values. File system structures are not used during the process.
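Header/footer carving as the DFRWS definition above describes it, as an added example rather than code from Scalpel, Foremost or the paper: the carver scans a constructed unallocated-space image for PNG and JPEG magic numbers without consulting file system structures, then runs a per-format consistency test on every candidate, because a header match followed by some later footer is often a false positive. The constructed image, the 1 MiB carve window and the JPEG skeleton (a valid marker layout, not a decodable picture) are assumptions.

```python
import struct
import zlib

# Magic numbers (header, footer) from the PNG and JPEG specifications. The carver
# matches only these byte strings; file system structures are never consulted.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 1 << 20          # assumed window: give up if no footer within 1 MiB

def carve(blob):
    """Header/footer carving over an unallocated-space image. Returns
    (type, offset, candidate_bytes) for every header that has a footer after it."""
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        start = blob.find(head)
        while start != -1:
            end = blob.find(foot, start + len(head), start + MAX_CARVE)
            if end != -1:
                found.append((ftype, start, blob[start:end + len(foot)]))
            start = blob.find(head, start + 1)
    return sorted(found, key=lambda f: f[1])

def png_is_consistent(data):
    """Walk the chunk list: every CRC must match and the chunks must run from
    IHDR to IEND. Random bytes between a header and a stray footer fail here."""
    pos, types = 8, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False
        body, (crc,) = data[pos + 8:end - 4], struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            return False
        types.append(ctype)
        pos = end
    return pos == len(data) and types[:1] == [b"IHDR"] and types[-1:] == [b"IEND"]

def jpeg_is_consistent(data):
    """Walk marker segments from SOI up to SOS: each must start with 0xFF and its
    length field must stay inside the candidate; scan data must end in EOI."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        if data[pos + 1] == 0xDA:                       # SOS: scan data follows
            return data.endswith(SIGNATURES["jpeg"][1])
        seglen, = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
    return False

VALIDATORS = {"png": png_is_consistent, "jpeg": jpeg_is_consistent}

def carve_and_validate(blob):
    """[(type, offset, size, consistent)] for every carved candidate."""
    return [(t, off, len(d), VALIDATORS[t](d)) for t, off, d in carve(blob)]

# --- Constructed unallocated-space image (not real evidence) -------------------
def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def _tiny_png():
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)      # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x80")                         # filter byte + pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))

def _jpeg_skeleton():
    """Valid marker layout (SOI, APP0, SOS, EOI) but not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\x56" + b"\xff\xd9"

def sample_image():
    filler = bytes((i * 37 + 11) & 0xFF for i in range(300))   # never forms a magic
    false_positive = b"\xff\xd8\xff" + b"\x01\x02\x03\x04" + b"\xff\xd9"
    return (filler + _tiny_png() + filler + false_positive
            + filler + _jpeg_skeleton() + filler)
```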
Carving is done on a disk when the unallocated file system space is analysed to extract files, because the data cannot otherwise be identified owing to missing allocation information, or on network captures where files are "carved" from the dumped traffic using the same techniques [78, 79]. One drawback of this process on disks or images is that file-carving tools typically produce many false positives, hence tests must be done on each of the extracted files in order to check its consistency. A large repository of such file types and headers is then incorporated into each forensic tool, which then examines the section of data that needs to be carved against the reference file signatures. Garfinkel has proposed a technique for carving from AFF images by controlling state space explosion [81]. Richard and Roussev [168] describe a high performance file carver called Scalpel for carving files from hard disk images. The paper compares its performance in terms of speed and memory requirements with Foremost, a popular Linux file carver. Marziale et al. [125] propose a hyper-threading scheme to improve digital forensic tool performance. The hyper-threading architecture's performance is analyzed in terms of time taken to carve a set of large volume hard disk images. Garfinkel [83] studies forensic feature extraction using file carving across 750 hard disk images and attempts to determine cross-drive correlation. In [82], Garfinkel proposes a method for continuous fragmented file carving using fast object validation. Alvarez [7] proposes a method for using EXIF file headers for file carving in images. Since 2004, the open-source community11 has been actively promoting the use of several forensic tools which perform specific tasks and can be operated in conjunction with one another. However, the analysis of digital evidence, especially in an automated manner, has continued to evade the forensic community.

4.3 Data hiding and steganography

We mentioned earlier that evidence examination is often accompanied by discovery of new information from within digital evidence, and this is called evidence discovery. One such evidence discovery technique is the discovery of steganographic information. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. Digital steganography may include hiding information inside document files, image files, programs or protocols. Media files are ideal for steganographic transmission because of their large size. Hosmer and Hyde [98] introduce the challenges posed by steganography and propose the saturation view technique to detect steganographic information in digital images.

Lee et al. [119] present an approach for detecting image anomalies by combining computer graphics principles and AI reasoning. Image forgery has been classified into four categories, viz. deletion, insertion, photomontage and false captioning. The approach operates on the premise that if key objects (known a priori) can be identified in an image, then reasoning can be employed to determine whether or not it has been tampered with. The approach segments a given image, computes the importance map on regions of importance and employs a rule-based reasoning component to determine forgery status. While this work presents a novel combination of graphics and AI, such techniques are equally important in detecting anomalies in other types of evidence data. Mead [129] from NIST examines the techniques used at the National Software Reference Library for building a corpus of known software, file profiles and file signatures used by law enforcement. The Scientific Working Group on Digital Evidence has explored the scope for digital evidence in Windows operating systems [178, 179].

4.4 Metadata in forensics

Metadata refers to data about the data that is stored within a source of digital evidence. Metadata can be defined at many levels, such as system metadata, file system metadata, application metadata, document metadata, email metadata, business metadata, geographical metadata and many more. Each type of metadata contains information describing aspects pertaining to the type it is attributed to. Metadata of a particular type provides certain context information that enables easy handling and management of the data contained and is hence very informative. For instance, file system metadata describes certain attributes as recorded by a file system regarding a particular file, such as its location, MAC timestamps, file size, owner and permissions. Similarly, application metadata records context as recorded by the application handling that file or artifact, such as author, application version, format and encoding. Thus, the term metadata is an umbrella definition encompassing all such different types of metadata. According to the Sedona Principles for Addressing Electronic Document Production [187],

metadata includes information about the document or file that is recorded by the computer (or digital device) to assist in storing and retrieving the document or file. The information may also be useful for system administration as it reflects data regarding the generation, handling, transfer and storage of the document or file within the computer (or digital device). Much of the metadata is neither created by nor normally accessible to a computer user.
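An added example of extracting the application metadata just described, the context an application embeds in the artifact itself as opposed to what the file system records about it. It is not code from the paper or from any tool it cites: it locates the EXIF APP1 segment of a JPEG by walking the marker segments, then follows the TIFF IFD layout inside it (inline values for fields of four bytes or fewer, offsets relative to the TIFF header otherwise, and the pointer to the Exif sub-IFD). The camera make, model and timestamps in the sample file are invented and the sample JPEG is constructed inline; the tag numbers are the standard EXIF ones.

```python
"""Reading application (embedded) metadata from a JPEG's EXIF segment.

Added illustration, not code from the paper or from any tool it cites. The
sample JPEG is constructed below so the example runs offline.
"""
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer",
             0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE ASCII SHORT LONG RATIONAL UNDEFINED


def find_exif_payload(jpeg):
    """Return the TIFF block inside the first APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):      # scan data or EOI: metadata sits before this
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    return None


def _decode(typ, count, raw, endian):
    if typ == 2:                                   # ASCII, NUL terminated
        return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    if typ == 5:                                   # RATIONAL: numerator/denominator pairs
        nums = struct.unpack(endian + "II" * count, raw)
        vals = tuple(n / d if d else float("nan") for n, d in zip(nums[::2], nums[1::2]))
    elif typ in (1, 3, 4):
        vals = struct.unpack(endian + {1: "B", 3: "H", 4: "I"}[typ] * count, raw)
    else:
        return raw                                 # UNDEFINED: leave as bytes
    return vals[0] if count == 1 else vals


def parse_ifd(tiff, offset, endian, out):
    """Read one IFD into out. Values longer than 4 bytes are stored at an
    offset relative to the TIFF header; shorter ones are inline in the entry."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ not in TYPE_SIZES:
            continue
        size = TYPE_SIZES[typ] * count
        if size <= 4:
            raw = tiff[e + 8:e + 8 + size]
        else:
            (val_off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            raw = tiff[val_off:val_off + size]
        if len(raw) != size:
            continue                               # truncated entry: skip, do not guess
        value = _decode(typ, count, raw, endian)
        if tag == 0x8769 and isinstance(value, int):
            parse_ifd(tiff, value, endian, out)    # follow pointer to the Exif sub-IFD
        else:
            out[TAG_NAMES.get(tag, "Tag0x%04X" % tag)] = value
    return out


def parse_exif(jpeg):
    """Dict of EXIF tag name -> value; empty if the JPEG carries no EXIF."""
    tiff = find_exif_payload(jpeg)
    if tiff is None:
        return {}
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark in EXIF")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic in EXIF")
    return parse_ifd(tiff, ifd0, endian, {})


# --- constructed sample (hypothetical camera, not real evidence) -------------
def _build_ifd(entries, ifd_offset, endian):
    """entries: (tag, type, raw_bytes, count). Lays out the IFD, a zero
    next-IFD pointer, then the out-of-line values, so offsets are TIFF-relative."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    ifd, data = struct.pack(endian + "H", len(entries)), b""
    for tag, typ, raw, count in entries:
        if len(raw) <= 4:
            field = raw.ljust(4, b"\x00")
        else:
            field = struct.pack(endian + "I", data_start + len(data))
            data += raw
        ifd += struct.pack(endian + "HHI", tag, typ, count) + field
    return ifd + struct.pack(endian + "I", 0) + data


def build_sample_jpeg():
    def ascii_entry(tag, text):
        raw = text.encode("ascii") + b"\x00"
        return (tag, 2, raw, len(raw))
    stamp = "2012:10:09 14:03:22"                  # EXIF stamps carry no time zone
    ifd0 = [ascii_entry(0x010F, "Acme"), ascii_entry(0x0110, "X100"),
            ascii_entry(0x0132, stamp), (0x8769, 4, b"\x00\x00\x00\x00", 1)]
    exif_off = 8 + len(_build_ifd(ifd0, 8, "<"))   # Exif IFD follows IFD0 and its data
    ifd0[3] = (0x8769, 4, struct.pack("<I", exif_off), 1)
    tiff = (b"II" + struct.pack("<HI", 42, 8) + _build_ifd(ifd0, 8, "<")
            + _build_ifd([ascii_entry(0x9003, stamp)], exif_off, "<"))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for name, value in parse_exif(build_sample_jpeg()).items():
        print(f"{name:18s} {value}")
```

Two points a practitioner would check before relying on such values: EXIF DateTime fields are bare "YYYY:MM:DD HH:MM:SS" strings with no time zone, so their temporal interpretation depends on how the camera's clock was set; and because the values are written by the application, they can be edited or stripped, which is what makes them useful for the authenticity checks Alvarez describes rather than authoritative on their own.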
11 http://www.opensourceforensics.org/tools.

Broadly, file system metadata and application metadata are also often referred to as external and embedded
metadata [188], since file system metadata is stored external to the document or file it describes and application metadata is embedded into it. In the traditional sense, metadata are only native to files and documents that reside on file systems. Nevertheless, log records and network packets also have some associated information to which the term metadata can be attributed. Although logs and network packet captures themselves reside as files in a file system, the entries they contain are independent units that correspond to specific events. For instance, an entry in the IE history log, index.dat, would correspond to visiting a web page characterized by a URI. The attributes corresponding to this entry contain the timestamp of the web page visit, the domain, the host server IP address, and so on. Similarly, an entry in a network packet capture corresponds to a network packet that was observed by the network capture sensor on a particular network, belonging to a specific protocol and containing a source and destination address. A network packet can be associated with a timestamp, source and destination IP addresses, the protocol for transfer and payload size. Such information may be treated as metadata for a log record or a network packet, as the case may be. Shankaranarayanan and Even [192] have discussed the different semantics metadata can possess under various contexts and how valuable it is to researchers despite the enigma it poses. Carrier and Spafford [39] have noted that metadata can be treated as the characteristics of a digital object. According to Carrier and Spafford, every digital object, which is a discrete collection of digital data, is evidence of at least one event, and the metadata is a partial representation of the state of a digital object. Buchholz and Spafford [28] have examined the role of file system metadata in digital investigations and they note that, despite the lack of quality and quantity of information stored in file system metadata, it plays a crucial role in reconstructing events.

Boutell and Luo have used EXIF metadata in digital photographs for classification based on camera specifications [21] and to perform scene classification [23], and Alvarez [7] uses EXIF metadata in digital photographs to verify the authenticity of a picture and determine whether it has been altered. Bohm and Rakow [20] discuss the different aspects of classifying multimedia documents based on document metadata. Multimedia documents can be classified into six orthogonal categories, viz., representation of media type, content description, content classification, document composition, document history and document location. Castiglione et al. [49] highlight the type of information that can be obtained from document metadata in the Microsoft Compound Document File Format (MCDFF) which may be of relevance in digital investigations. Garfinkel and Migletz [76] develop a tool for automatic metadata extraction from digital evidence. Rowe and Garfinkel [174] develop a tool that uses directory and file metadata to determine anomalous files in a large corpus. The tool uses fiwalk [78] to traverse the corpus and compute statistical characteristics on the numerical metadata and generates 204 output files, based on which anomalous files such as misnamed files and duplicate copies of files were identified. Garfinkel et al. [75] propose an automated solution for the multi-user carved data ascription problem using file location information from the OS and training a classifier.

4.5 Digital timestamps and time-lining

A timestamp has a physical realization and a temporal interpretation [67]. The physical realization is an encoding as a pattern of bits, while the temporal interpretation stipulates the meaning of the bit pattern, the calendar date and time to which the pattern corresponds. A timestamp is the record of the time, according to some reference clock, associated with an event. Allen [4, 5] discusses the different representations of timestamps adopted in the literature, including one where timestamps are logical timestamps only, merely a sequential numbering of events on a system.

With regard to metadata in logs and network packet captures, timestamps are the most popular type of metadata used in generating timelines [25, 57]. Often in network packet captures, the packets are organized according to the IP addresses and protocol in investigations involving network intrusion detection. Zander et al. [217] classify IP traffic based on statistical flow characteristics by filtering based on destination address and port. The Snort12 intrusion detection tool allows IP packets to be monitored and sequenced according to IP addresses. Jiang et al. [105] have proposed a coloring scheme to identify remotely accessible servers or processes and detect provenance-aware self-propagating worm contaminations. This scheme associates a unique color as a system-wide identifier with each remote server or process, and that color is inherited by all spawned child processes. The color also diffuses to other processes that interact with a colored process through read/write operations.

12 http://www.snort.org/.

Weil [214] presents a method for correlating times and dates contained within a file to the modified, accessed, and created/change of status (MAC) times of the file. The method attempts to standardize the apparent file MAC times to the actual time. According to Weil, dynamic date and time stamp analysis relies on external independent sources of time within a file and the MAC times at a singular point in time. In the case study presented in this work, Weil correlates the MAC timestamps with the timestamps within the body of HTML pages. Increasing the number of independent sources enhances the reliability of the data and minimizes
CMOS limitations. While the method proposed is feasible for small sets of timestamps during analysis, a more comprehensive method is needed to address this challenge across multiple heterogeneous sources of digital evidence.

Boyd and Forster [25] describe the timestamp interpretation challenges associated with Internet Explorer and time zone translations between UTC and local time. In their paper, Boyd and Forster describe a case study where investigators were wrongly accused of tampering with computer evidence based on misinterpreted timestamps. They discuss the Microsoft Internet Explorer time structures together with local and UTC time translation issues and suggest a checklist for examiners to follow while interpreting timestamps. This work reinforces our expectations with regard to the challenges in timestamp interpretation and behavior across time zones.

Lamport [116] provides a precise characterization of causality in distributed systems (called the clock consistency condition) and a framework for explaining and reasoning about partial event ordering in distributed systems. The simplest way to implement the clock consistency condition is with the "logical clocks" that Lamport introduced. Gladyshev and Patel [90] formulate the event time-bounding problem and propose an algorithm for solving it when the causal order is known. They propose a sandwich algorithm to time-bound an event when its causal relationship is known with respect to other events whose timestamps are available. Further, they attempt to shorten the time bound [TBmin, TBmax] to the smallest interval within which the event must have occurred. Willassen [215] proposes a similar formal approach using hypothesis-based testing on timestamps to detect antedating.

Stevens [198] proposes the unification of timestamps from different sources by accounting for the factors affecting the behavior of system clocks with respect to a global clock. Stevens proposes a global clock model that accounts for these factors and is used to simulate the behaviour of each independent clock. The clock models are used to remove the predicted clock errors from the time stamps to get a more realistic indication of the actual time at which the events occurred. All the time stamps from different sources are then unified using this global clock model onto a single time-line. In order to be able to unify all the digital events, two sets of information are required. Firstly, one needs to identify all the different clocks that were used and which time stamps were produced by each clock. Secondly, one needs to know the complete behaviour of each clock over the relevant time period. It is also necessary to have a full understanding of how time stamps are generated and their semantics.

Not all system clocks are always accurate. Since system clocks are driven by a low-frequency oscillator in the CMOS real-time clock circuit, the clock drifts over time and a counted second no longer corresponds exactly to one second. Schatz et al. [182] and Buchholz and Tjaden [31] have independently analyzed clock skew and clock drift across a system of clocks and their impact in determining the exact time when recording system events. Koen and Olivier [111] discuss the information deficiency problem and the use of file timestamps from a UNIX file system in digital forensics. Chow et al. [53] propose a method for systematic evaluation of timestamp behavior on the NTFS file system.

Sarmoria and Chapin [177] present an approach for monitoring access to shared memory-mapped files, and Schuster [185] examines the impact of Windows memory allocation strategies on process and context persistence in memory. van Baar et al. [206] describe a method for recovering files mapped in memory and for linking mapped file information to process data. The paper presents a case for extracting such data, which reduces the amount of unidentified data in memory dumps. The paper claims that 25 % of pages in memory dumps could be identified as part of a mapped file. Morgan [144] examines the causes of deleted registry data and proposes a technique for recovering deleted data from the Windows registry. Dolan-Gavitt [66] examines the structure of the Windows registry and explores the use of tools to extract this data from memory dumps. The paper also describes a compelling attack that modifies the cached registry and proposes a method to detect such attacks by examining memory. Petroni et al. [161] propose FATKit, an extendable framework for extraction and analysis of volatile system memory. Harms [94] investigates system restore points in Windows XP, and Arasteh and Debbabi [8] use process logic to model extracted properties of the memory stack and verify them against a model generated from the program's assembly code. Arasteh et al. [9] propose a model checking approach to the formalization of forensic analysis of logs. Properties of the model, attack scenarios and event sequences are expressed as formulae of a logic having dynamic, linear, temporal and modal characteristics. The model was then applied to a variety of system, user and network logs to detect an intrusion on a corporate network. Jansen and Ayers [103] provide an overview of PDA forensics and compare different present-day tools in their capabilities and limitations.

4.6 Indexing and querying digital evidence

Alink et al. [7] propose XIRAF, a new XML-based approach to indexing and retrieval of stored digital evidence. The XIRAF architecture indexes raw disk images, storing the results in annotated XML format. The XQuery language is used to query the XML database for evidence-related information. However, this architecture is designed only to index and retrieve digital evidence and does not support any means for combining information from multiple types. Further, the architecture lacks
flexibility to extract content which may provide key correlations with data elsewhere. Richard et al. [171] propose the forensic discovery auditing module for storing and manipulating digital evidence using digital evidence containers. Beebe and Clarke [15] propose a new methodology to categorize forensic string search results by thematically clustering them to improve information retrieval effectiveness. The approach uses Kohonen self-organizing maps (SOM), an unsupervised neural network which learns the case themes and associated strings from an expert volunteer. The results of the search output are then evaluated based on query precision and recall ratios. While this approach provides significant benefits with respect to string searching, it is infeasible to have an expert classify each case prior to performing analysis. Besides, such an unsupervised model could take a long time to learn the themes, which is again not within practical boundaries.

Lee et al. [120] present a hardware-based approach for improving the performance of digital forensic tools. They propose the use of the Tarari content processor to implement a high speed search engine. They also describe the characteristics of the processor and how it can be exploited in the context of digital forensic analysis. Carrier [37] proposes a new methodology for volume analysis using multiple disk volumes. The paper addresses the concerns in accessing large data sets stored across several disks, typically in RAID format.

Research in this area has independently addressed some of the challenges in evidence examination and discovery but continues to remain widely scattered. Besides, many of the implementations are customized to a particular operating platform. As a result, the extrapolation of an approach to make it generic is a rather long leap. There is a need to build upon forensic data discovery and examination techniques to develop new mechanisms for the integrated analysis of evidence and determine the sequence of events which would explain the state of the data so acquired. Another aspect of research in the area is the lack of availability of forensic datasets for evaluation and validation. Often researchers have to rely on their ability to develop hypothetical case studies or synthetic datasets to validate research contributions. Since much of the research is developed on customized operating platforms, using a particular case study developed by one group to cross-validate has not been very successful. Garfinkel [77] acknowledges this absence and has called for conscious efforts on the part of researchers to develop extensive datasets and contribute to the community through various channels. Garfinkel and his group at the Naval Postgraduate School have since developed the Digital Corpora13, which is available to academics on request. Figure 6 illustrates the taxonomy of digital forensic discovery and examination.

13 www.digitalcorpora.org/.

5 Digital forensic analysis

In recent years there has been widespread acknowledgement of the need to focus research efforts in this area [74, 169]. While
published research remains sparse, it holds much promise and is most likely to witness developments in the years to come. One of the main aims of forensic analysis of digital evidence is the determination of possible reconstruction scenarios. In event reconstruction, the contents of digital evidence sources are analyzed, using the timestamps to set the time windows within which certain activities might have occurred. Additionally, the metadata, or data about the contents, are used in determining who created or accessed the contents and how they may have been created or accessed. Taking into consideration any pre-conditions that are essential for the existence of the contents would also contribute towards determining how and by whom they could have been created or accessed. Such an exhaustive analysis eventually leads to mapping out a set of possible scenarios from which the investigator identifies the most appropriate scenario based on other leads they may have.

5.1 Finite state approach and parametric reconstruction

Gladyshev and Patel [90] propose a finite state model approach for event reconstruction. They demonstrate that even a simple printer investigation problem can have an exponential state space for analysis. In the context of current cases, clearly such a system is impractical and newer methods are needed to simplify the state space analysis. Carrier and Spafford [41] propose a method for analysis using the computer history model. However, as in the finite state model case, the application is not practical for current case complexities. Jeyaraman and Atallah [104] present an empirical study of automatic reconstruction systems and Khan et al. [110] propose a framework for post-event timeline reconstruction using neural networks. Both research works use a set of network logs and train a neural network to learn the attributes of the logs in order to integrate the events into a single timeline.

5.2 Correlation and corroboration

Kornblum [113] presents a novel approach to identifying almost identical files using context triggered piecewise hashing. The aim of this paper is to automate detection of visual similarity between two files. The approach combines a rolling hash with the spamsum algorithm, compares the resultant signatures and determines whether similarity exists. Pal et al. [157] present an approach to detect file fragmentation and use sequential hypothesis testing to identify the fragmentation point. By using serial analysis the approach aims to minimize errors in detection. The approach maintains a base fragment as reference and determines whether a data block is joined to it or separate.

Calhoun and Coles [33] examine the performance of Fisher's linear discriminant and longest common subsequence methods for predicting the type of a file fragment. The work is aimed at improving file carvers by being able to reconstruct files when directory information is lost or deleted. The algorithms were compared across a set of 100 files whose header bytes were partially deleted or lost, and the results are reported. Bogen and Dampier [19] propose a case domain modeling approach for large scale investigations and define a case-specific ontology using UML. Wang and Daniels [213] propose an evidence graph approach to network forensic analysis and build a correlation graph using network captures. Brinson et al. [27] propose a cyber forensics ontology and focus on identifying the correct layers for specialization, certification and education within the domain. While the paper discusses the ontology to up to 5 levels in the hierarchy, it is determined that this structuring is insufficient for forensic analysis, which is far more diverse. Fei et al. [69] introduce SOM, which is an unsupervised neural network, for detecting anomalous human behavior in controlled networks. However, its immediate applicability to integrated forensic analysis is unclear.

Case et al. [43] propose the FACE framework for performing automatic correlations in a forensic investigation. However, the framework is structured to consider only static and known relations in data (for example, linking a network socket in memory to TCP requests in a packet capture), especially when significant case detail is available a priori. Cohen [56] describes the PyFlag network forensic architecture, which is an open-source effort in providing a common framework for integrating forensic analysis from diverse digital sources. PyFlag, however, sorely needs an analysis architecture to make the analysis more cohesive. Raghavan et al. [165] propose the forensic integration architecture and describe how to integrate evidence from different sources irrespective of the logical type of its contents. The integration architecture exploits existing technologies and brings varied evidence sources together under one roof to perform unified forensic analysis. The architecture attempts to provide multifarious interpretation and analysis of varied evidence types in a uniform manner, independent of originating source and storage formats. It conceptualizes how to integrate evidence using content information from diverse evidence sources, which is demonstrated through a case study.

In brief, the analysis category appears to be the most promising among the different categories. However, the literature has only witnessed widely scattered efforts in different aspects of forensic analysis. We believe that a consistent and concerted effort integrating different aspects of digital forensic analysis will perhaps be the future course of research. Figure 7 illustrates the taxonomy of digital forensic analysis.
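A compact reimplementation of the context triggered piecewise hashing that Kornblum [113] describes in Section 5.2, added here as an illustration. It is written for this page and is not the spamsum or ssdeep reference code: it keeps the core idea (a rolling hash over a 7-byte window decides where each piece ends, a conventional hash of each piece contributes one base64 digit, and two signatures are compared by edit distance) but omits refinements such as collapsing long runs of identical digits, so its scores are not ssdeep's scores. The three sample buffers are generated by a fixed-seed generator in the block and are not real files.

```python
"""Context triggered piecewise hashing (CTPH) in the spirit of spamsum/ssdeep.

Added illustration written for this page, not the reference implementation.
"""
SPAMSUM_LENGTH = 64                  # maximum digits per signature half
MIN_BLOCKSIZE = 3
WINDOW = 7                           # rolling hash window in bytes
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
HASH_INIT, HASH_PRIME = 0x28021967, 0x01000193   # FNV-style constants as used by spamsum
MASK32 = 0xFFFFFFFF


class RollingHash:
    """Depends only on the last WINDOW bytes, so it resynchronises after any edit."""
    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK32
        self.h1 = (self.h1 + c - self.window[self.n % WINDOW]) & MASK32
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & MASK32
        return (self.h1 + self.h2 + self.h3) & MASK32


def _piecewise(data, block_size):
    roll, h, out = RollingHash(), HASH_INIT, []
    for c in data:
        h = ((h * HASH_PRIME) & MASK32) ^ c          # FNV over the current piece
        if roll.update(c) % block_size == block_size - 1 and len(out) < SPAMSUM_LENGTH - 1:
            out.append(B64[h & 63])                  # trigger: one digit, new piece
            h = HASH_INIT
    if data:
        out.append(B64[h & 63])                      # digit for the trailing partial piece
    return "".join(out)


def ctph(data):
    """Signature 'blocksize:digits_at_bs:digits_at_2bs'."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < len(data):
        bs *= 2
    while True:
        first = _piecewise(data, bs)
        if bs == MIN_BLOCKSIZE or len(first) >= SPAMSUM_LENGTH // 2:
            break
        bs //= 2                                     # too few pieces: finer granularity
    return f"{bs}:{first}:{_piecewise(data, bs * 2)}"


def _edit_distance(a, b):
    """Levenshtein with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def _score(a, b, bs):
    if len(a) < WINDOW or len(b) < WINDOW:
        return 0
    if not any(a[i:i + WINDOW] in b for i in range(len(a) - WINDOW + 1)):
        return 0                                     # no common 7-digit run: unrelated
    score = 100 - (100 * _edit_distance(a, b)) // (len(a) + len(b))
    cap = (bs // MIN_BLOCKSIZE) * min(len(a), len(b))  # very short signatures cannot score high
    return min(score, cap)


def compare(sig1, sig2):
    """0..100 similarity; block sizes must be equal or one doubling apart."""
    bs1, a1, a2 = sig1.split(":")
    bs2, b1, b2 = sig2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score(a1, b1, bs1), _score(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        return _score(a1, b2, bs1)
    if bs2 == bs1 * 2:
        return _score(a2, b1, bs2)
    return 0


def _pseudo_random_bytes(n, seed):
    """Deterministic LCG filler so the constructed samples are reproducible."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


ORIGINAL = _pseudo_random_bytes(4096, 7)
EDITED = ORIGINAL[:2000] + b"X" * 10 + ORIGINAL[2010:]   # ten bytes overwritten mid-file
UNRELATED = _pseudo_random_bytes(4096, 99)

if __name__ == "__main__":
    for name, buf in (("original", ORIGINAL), ("edited", EDITED), ("unrelated", UNRELATED)):
        print(f"{name:9s} {ctph(buf)}  similarity to original: {compare(ctph(ORIGINAL), ctph(buf))}")
```

The property that makes this useful for near-duplicate detection is visible in the edited sample: because piece boundaries are chosen by the rolling hash rather than by fixed offsets, a local edit changes only the digit for the piece it falls in (and possibly one neighbour), so the rest of the signature still lines up, whereas a cryptographic hash of the whole file would change completely.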
6 Digital forensic process modeling

A digital forensic investigator typically has to contend with several digital image formats during an investigation. There can be a general lack of cohesiveness in the manner in which evidence acquisition, examination and analysis are handled. DFRWS 2001 [63] presents a consolidated report calling out the challenges facing the field in the coming years and demanding specific actions to advance the field and develop a better understanding of the digital forensic process.

Many digital forensic process models have been proposed in the literature. Primarily, these models deal with the definition of the general stages in a digital forensic investigation. According to McKemmish [128], the four broad stages involved in a digital forensic investigation are:

1. Identification of digital evidence;
2. Preservation of digital evidence;
3. Analysis of digital evidence; and
4. Presentation of digital evidence.

Carrier [34] introduces the forensic tool abstraction layer, which classifies abstraction layers as lossy or lossless. Carrier and Spafford [39] study the digital investigation process, compare its functioning with a physical investigation and highlight the similarities. Carrier and Spafford [40] set up an event-based investigation framework where the abstraction layer concept is extended to other sections of a digital investigation. Pan and Batten [158] study the reproducibility of digital evidence, building on Carrier's abstraction layer concept. Gerber and Leeson [86] observe that computer-based input–output processes have not been thoroughly understood. They define computer-based IO simply as a sequence of translations followed by transport of data. They propose the layered Hadley model for IO, which follows a layered abstracted approach. While the Hadley model accurately models the IO on a single computer, current trends in digital forensics have called for extension of this concept to multiple computers simultaneously and over distributed networks. Besides, digital evidence includes data collected from network logs, proxy caches and memory dumps, and therefore a more comprehensive framework is essential to provide holistic understanding.

As early as 2003, Mocas [142] identified three main challenges that researchers need to overcome to advance the field of digital forensics from a theoretical standpoint. These challenges are:

1. Scaling technology and the need to adopt scalable architectures;
2. Need to adopt uniform certification programs and courses in digital forensics;
3. Need for changes in the digital evidence admissibility laws in courts.

Leighland and Krings [121] present a formalization of digital forensics using a hierarchical elements model. Beebe and Clarke [14] argue the need for an objective-based framework for the digital forensic process, divide the process into six stages and propose a 2-tier hierarchical objectives framework. The six stages defined by this work are

1. preparation,
2. incident response,
3. data collection,
4. data analysis,
5. presentation of findings; and
6. incident closure.

The framework further breaks down these stages into sub-stages (called sub-phases) and lists out objectives at each stage for typical investigations.

Carrier and Spafford's computer history model [41] was one of the first works that attempted to formalize digital forensics using a finite state automaton. However, they concluded that the model is computationally infeasible
owing to state space explosion. Hosmer [98, 99] emphasizes the importance of chain-of-custody equivalents in the digital world and calls for auditing every operation conducted on digital evidence from digital devices. Since data on digital devices can be altered, copied or erased, Hosmer proposes the following 4-point principles:

• authentication,
• integrity,
• access control; and
• non-repudiation

…while handling digital evidence. The significance of this concept is reinforced by Turner's DEB [202]. Turner focuses on these 4 aspects from the standpoint of forensic acquisition and draws parallels from physical investigations to define the DEB to record provenance information.

Myers and Rogers [146] call for the need to standardize the forensic investigation process and present an argument for achieving this through education and certification. Pollitt [162] presents an annotated bibliography of the different digital forensic models and examines their legal constraints, while Reith et al. [166] present an independent examination of the digital forensic models and analyze their implications in the context of the report from DFRWS 2001. Figure 8 illustrates the taxonomy of digital forensic process modeling.

7 Summary

In summary, the digital forensic literature has diversified significantly since its importance was first recognized in the early 2000s as a distinct field of study. The digital forensic process is multi-staged and involves the collection of digital evidence from one or multiple crime scenes, called evidence acquisition. This is followed by digital forensic examination of the contents of the evidence using forensic toolkits which provide various levels of abstraction over the data. This process also serves to discover hidden, deleted or lost data within the contents and to detect and decrypt encrypted data. Each file has associated metadata that can be extracted using software support for analysis [44]. Digital forensic analysis covers the realm of analyzing data to understand the set of possible explanations and associated logical sequences of events which explain the state of data in digital evidence. Digital forensic process modeling has attempted to provide overall growth to the area by proposing new theories and principles for the development of methodologies and forensic tools in the digital investigation process. The overall taxonomy is illustrated in Fig. 9. The author acknowledges that it is not exhaustive, for space reasons, but the figure attempts to provide a generic categorization of the different areas of research and identify significant classes of published research.

The recent technological advancements have resulted in a significant increase in the volumes of digital evidence being acquired and analyzed in a digital investigation. As a result, the process is not only getting tiresome but humanly impossible. There is an urgent need for methodologies and approaches that automate much of the preliminary stages. Both the open-source community and proprietary vendors have recognized this growing need and developed a suite of
tools that can work with each other, however, the extent of which could lead to a reduction in the number of items for
cooperation needs to be expanded further. It is evident that individual analysis. Furthermore, this approach could also
research in this space cannot remain isolated, viz., already facilitate automatic corroboration which is an integral
researcher have started developing tools and methods that component of forensic analysis. Notwithstanding the tar-
combine acquisition with examination or some examina- geted and customized applications in the past, this
tion with preliminary analysis of digital evidence. approach has shown promising results [37, 80].
Researchers are presently attempting to integrate multiple The literature recognizes the need for a comprehensive
forensic and other analysis tools, primarily within a single analysis framework which can adopt and support inter-
framework to achieve this task and it has been a major pretation of a variety of digital evidence sources. There is
victory. We are sure that in future, more such methodolo- an abundance of metadata in today’s digital systems and
gies and tool development are there to be witnessed. literature recognizes its value to digital forensics, particu-
larly with regard to event reconstruction. Metadata pro-
vides what can be considered to be situational information
to determine under what context events transpired. Besides,
8 The road ahead…
metadata transcends data and formats and hence can bridge
the diversity challenge naturally. Sequencing these events
Going forward, the volume challenge [34, 74, 169] remains
across multiple diverse digital evidence sources can also
the single largest challenge to conquer in the near future as
provide a solution to the unified time-lining challenge and
we get accustomed to deal with terabytes of digital evi-
provide an investigator a holistic view of all the events
dence on a daily basis. While computation power and
across all digital evidence sources which can be very
hardware performance continues to grow, it is unlikely to
valuable during an investigation.
challenge the growing volumes of digital evidence.
Researchers have acknowledged the need to move from the
space of developing tools to extract all data, to the space
where the evidence is correlated towards solving an References
investigation [74, 169]. While the types of digital devices
have grown exponentially, methinks there is significant 1. Adelstein F (2006) Live forensics: diagnosing your system
potential to identify correlations in such information. One without killing it first. Commun ACM 49(2):63–66
2. Adelstein F, Joyce RA (2007) FileMarshal: an automatic
of the ways to manage the volume challenge would be to
extraction of peer-to-peer data, digital investigation. In: Pro-
recognize this correlation across multiple digital evidence ceedings of the 7th annual digital forensic research workshop
sources and automatically associate such evidence items (DFRWS’07). Digit Investig 4(Supplement 1):S43–S48
123
CSIT (March 2013) 1(1):91–114 109
3. Agrawal N, Bolosky WJ, Douceur JR, Lorsch JR (2007) A five- 22. Boutell M, Luo J (2004) Incorporating temporal context with
year study of file system metadata. ACM Trans Storage 3(3): content for classifying image collections. In: 17th international
9:1–9:32 conference on pattern recognition (ICPR’04) vol 2, Cambridge,
4. Allen J (1983) Maintaining knowledge about temporal intervals. pp 947–950
Commun ACM 26(11):832–843 23. Boutell M, Luo J (2004) Bayesian fusion of camera metadata
5. Allen J (1991) Time and time again: the many ways to represent cues in semantic scene classification. In: IEEE computer society
time. Int J Intell Syst 6(4):1–14 conference on computer vision and pattern recognition
6. Alink W, Bhoedjang RAF, Boncz PA, de Vries AP (2006) (CVPR’04), vol 2, Washington, pp 623–630
XIRAF—XML-based indexing and querying for digital foren- 24. Boutell M, Luo J (2005) Beyond pixels: exploiting camera
sics. In: The proceedings of the 6th annual digital forensic metadata for photo classification. Pattern Recognit Image Und-
research workshop (DFRWS’06). Digit Investig 3(Supplement erst Photogr 38(6): 935–946. doi:10.1016/j.patcog.2004.11.013
1):50–58 25. Boyd C, Forster P (2004) Time and date issues in forensic
7. Alvarez P (2004) Using extended file information (EXIF) file computing—a case study. Digit Investig 1(1):18–23
headers in digital evidence analysis. Int J Alvarezal Evidence 26. Brand A, Daly F, Meyers B (2003) Metadata demystified. The
2(3):1–5 Sheridian and NISO Press, http://www.niso.org/standards/
8. Arasteh A R, Debbabi M (2007) Forensic memory analysis: resources/Metadata_Demystified.pdf, pp 1–19. ISBN: 1-
from stack and code to execution history, digital investigations. 880124-59-9
In: Proceedings of the 7th annual digital forensic research 27. Brinson A, Robinson A, Rogers M (2006) A cyber-forensics
workshop (DFRWS’07). Digit Investig 4(Supplement 1):S114– ontology: creating a new approach to studying cyber forensics.
S125 Digit Investig 3(Supplement 1): S37–S43
9. Arasteh AR, Debbabi M, Sakha A, Saleh M (2007) Analyzing 28. Buchholz F, Spafford EH (2004) On the role of system metadata
multiple logs for forensic evidence, digital investigations. In: in digital forensics. Digit Investig 1(1):298–309
Proceedings of the 7th annual digital forensic research workshop 29. Buchholz F, Spafford EH (2007) Run-time label propagation for
(DFRWS’07). Digit Investig 4(Supplement 1):S82–S91 forensic audit data. Comput Secur 26(2007):496–513
10. Arthur K, Olivier M, Venter H (2007) Applying the biba 30. Buchholz F (2007) An improved clock model for translating
integrity model to evidence management. paper presented at the timestamps, JMU-INFOSEC-TR-2007-001. James Madison
digital forensics; advances in digital forensics III. In: IFIP University, Madison
international conference on digital forensics, Orlando 31. Buchholz F, Tjaden B (2007) A brief history of time. In: Pro-
11. Association of Chief Police Officers (ACPO) (2003) Good ceedings of the 7th annual digital forensic research workshop
practice guide for computer based electronic evidence. NHTCU (DFRWS’07). Digit Investig 4S:S31–S42
Publications, London, pp 1–51 32. Burke P, Craiger P (2007) Forensic analysis of Xbox consoles.
12. Australian Computer Emergency Response Team (AusCERT) Paper presented at the digital forensics. Advances in digital
(2006) 2006 Australian Computer Crime and Security Survey. forensics III. In: IFIP international conference on digital foren-
AusCERT & Australian High Tech Crime Center (AHTCC). sics, Orlando
ISBN 1-86499-849-0 33. Calhoun WC, Coles D (2008) Predicting the types of file frag-
13. Barik MS, Gupta G, Sinha S, Mishra A, Mazumdar C (2007) ments. In: Proceedings of the 8th annual digital forensic research
Efficient techniques for enhancing forensic capabilities of Ext2 workshop (DFRWS’08). Digit Investig 5(1):S14–S20
file system. Digit Investig 4(Supplement 1):55–61 34. Carrier BD (2003) Defining digital forensic examination and
14. Beebe NL, Clark JG (2005) A hierarchical, objectives-based analysis tools using abstraction layers. Int J Digit Evidence
framework for the digital investigations process. Digit Investig (IJDE) 1(4):1–12
2(2):147–167 35. Carrier BD (2003) Sleuthkit. http://www.sleuthkit.org/sleuthkit/.
15. Beebe NL, Clark JG (2007) Digital forensic text string search- Accessed 12 July 2011
ing: improving information retrieval effectiveness by themati- 36. Carrier BD (2005) File system forensic analysis. Addison
cally clustering search results. Digit Investig 4(Supplement Wesley, Upper Saddle River. ISBN 0-32-126817-2
1):49–54 37. Carrier BD (2005) Volume analysis of disk spanning multiple
16. Berghel H (2007) Hiding data, forensics and anti-forensics. volumes. Digit Investig 2(1):78–88
Commun ACM 50(4):15–20 38. Carrier BD, Grand J (2004) A hardware-based memory acqui-
17. Berners Lee T, Fielding R, Masinter L (1998) Uniform resource sition procedure for digital investigations. Digit Investig
identifiers (URI), general syntax http://www.ietf.org/rfc/ 1(1):50–60
rfc2396.txt. Accessed 20 Mar 2008 39. Carrier BD, Spafford EH (2003) Getting physical with the
18. Bogen AC, Dampier DA (2005) Unifying computer forensics digital investigation process. Int J Digit Evidence 2(2):1–20
modeling approaches: engineering perspective. In: Proceedings 40. Carrier BD, Spafford EH (2004) An event-based digital forensic
of the first international workshop on systematic approaches to investigation framework. Paper presented at the 4th annual
digital forensic engineering (SADFE’05). IEEE Publication, digital forensic research workshop (DFRWS’04), Lafayette
Taipei 41. Carrier BD, Spafford EH (2006) Categories of digital investi-
19. Bogen AC, Dampier DA (2005) Preparing for large scale gation analysis techniques based on the computer history model.
investigations with case domain modeling. Paper presented at In: The proceedings of the 6th annual digital forensic research
the 5th annual digital forensic research workshop (DFRWS’05), workshop (DFRWS’06). Digit Investig 3(Supplement 1):121–
New Orleans 130
20. Bohm K, Rakow TC (1994) Metadata for multimedia docu- 42. Casadei F, Savoldi A, Gubian P (2006) Forensics and SIM
ments. SIGMOD Rec. 23(4):21–26 cards: an overview. Int J Digit Evidence 5(1):1–21
21. Boutell M, Luo J (2004) Photo classification by integrating 43. Case A, Cristina A, Marziale L, Richard GG, Roussev V (2008)
image content and camera metadata. In: 17th international FACE: automated digital evidence discovery and correlation. In:
conference on pattern recognition (ICPR’04), vol 4, Cambridge, Proceedings of the 8th annual digital forensic research workshop
pp 901–904 (DFRWS’08). Digit Investig 5(Supplement 1):S65–S75
44. Casey E (2011) Digital evidence and computer crime: forensic science, computers and the internet. Academic Press, London. ISBN 978-0-12-374268
45. Casey E (2006) Investigating sophisticated security breaches. Commun ACM 49(2):48–54
46. Casey E (2007) Digital evidence maps—a sign of times. Digit Investig (Editorial) 4(1):1–2
47. Casey E (2007) What does "forensically sound" mean? Digit Investig (Editorial) 4(1):49–50
48. Casey E (2009) Timestamp misinterpretations in file systems. http://blog.cmdlabs.com/tag/timestamps/. Accessed 12 July 2011
49. Castiglione A, De Santis A, Soriente C (2007) Taking advantages of a disadvantage: digital forensics and steganography using document metadata. J Syst Softw 80(5):750–764
50. Choo K-KR (2010) Cloud computing: challenges and future directions. Trends and issues in crime and criminal justice No. 400. Australian Institute of Criminology, Canberra. ISSN 1836-2206
51. Choo K-KR (2011) Cyber threat landscape faced by financial and insurance industry. Trends and issues in crime and criminal justice No. 408. Australian Institute of Criminology, Canberra. ISSN 1836-2206
52. Choi KS, Lam EY, Wong KKY (2006) Source camera identification using footprints from lens aberration. In: Proceedings of the SPIE-IS&T Electronic Imaging, SPIE 6069:60690J-1–60690J-8
53. Chow K, Law F, Kwan M, Lai P (2007) The rules of time on NTFS file system. In: Proceedings of the 2nd international workshop on systematic approaches to digital forensic engineering (SADFE'07), Seattle
54. Ó Ciardhuáin S (2004) An extended model for cybercrime investigations. Int J Digit Evidence 3(1):1–22
55. Cohen MI (2008) PyFlag—an advanced network forensic framework. In: Proceedings of the 8th annual digital forensic research workshop (DFRWS'08). Digit Investig 5(Supplement 1):S112–S120
56. Cohen MI, Garfinkel S, Schatz B (2009) Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow. In: Proceedings of the 9th annual digital forensic research workshop (DFRWS'09). Digit Investig 6:S57–S68
57. Combs G (1998) Wireshark—network protocol analyzer. http://www.wireshark.org/about.html. Accessed 12 July 2011
58. Common Digital Evidence Storage Format Working Group (CDESF-WG) (2006) Standardizing digital evidence storage. Commun ACM 49(2):67–68
59. Common Digital Evidence Storage Format Working Group (CDESF-WG) (2006) Survey of disk image storage formats. Paper presented at the 6th annual digital forensic research workshop (DFRWS'05), New Orleans, pp 1–18
60. Computer Security Institute (2010/11) Computer crime and security survey. In: 15th Annual Computer Crime survey (2010, GoCSI). https://cours.etsmtl.ca/log619/documents/divers/CSIsurvey2010.pdf. Accessed 8 Oct 2012
61. Coutaz J, Crowley JL, Dobson S, Garlan D (2005) Context is key. Commun ACM 48(3):49–53
62. Dennen VP (2005) Looking for evidence of learning: assessment and analysis methods for online discourse. Paper presented at the cognition and exploratory learning in digital age (CELDA), Lisbon
63. DFRWS Technical Committee (DFRWS) (2001) A road map for digital forensic research. DFRWS Technical Report DTR-T001-01 FINAL
64. Denecke K, Risse T, Baehr T (2009) Text classification based on limited bibliographic metadata. In: Proceedings of the fourth IEEE international conference on digital information management (ICDIM 2009), Ann Arbor, pp 27–32. ISBN 978-1-4244-4253-9
65. Ding X, Zou H (2011) Time based data forensic and cross reference analysis. In: Proceedings of the ACM symposium on applied computing 2011, TaiChung, Taiwan, pp 185–190. ISBN 978-14503-0113-8
66. Dolan-Gavitt B (2008) Forensic analysis of windows registry in memory. In: Proceedings of the 8th annual digital forensic research workshop (DFRWS'08). Digit Investig 5(Supplement 1):S26–S32
67. Dyreson CE, Snodgrass RT (1993) Timestamp semantics and representation. Inf Syst 18(3):143–166
68. Eckstein K, Jahnke M (2005) Data hiding in journaling file systems. Paper presented at the 5th annual digital forensic research workshop (DFRWS'05), New Orleans
69. Fei BKL, Eloff JHP, Olivier MS, Venter HS (2006) The use of self-organising maps for anomalous behaviour detection in a digital investigation. In: Forensic science international 17th triennial meeting of the international association of forensic sciences 2005, Hong Kong. Forensic Sci Int 162(1–3):33–37
70. Fernandez E, Pelaez J, Larrondo-Petrie M (2007) Attack patterns: a new forensic and design tool. In: Advances in digital forensics III, IFIP international conference on digital forensics, Orlando
71. FICCI Indian Risk Survey (2012) FICCI & Pinkerton C&I India Ltd. 2012 Risk Survey. www.ficci.com/SEDocument/20186/IndiaRiskSurvey2012.pdf. Accessed 8 Oct 2012
72. Fu Z, Sun X, Liu Y, Li B (2011) Forensic investigation of OOXML format documents. Digit Investig 8(1):48–55
73. Gallup Politics (2010) 2010 Gallup computer crime survey. http://www.gallup.com/poll/145205/new-high-households-report-computer-crimes.aspx. Accessed 8 Oct 2012
74. Garfinkel SL (2010) Digital forensic research: the next 10 years. In: Proceedings of the 10th annual digital forensic research workshop (DFRWS'10). Digit Investig 7:S64–S73
75. Garfinkel SL, Parker-Wood A, Huynh D, Migletz J (2010) An automated solution to the multiuser carved data ascription problem. IEEE Trans Inf Forensics Secur 5(4):868–882
76. Garfinkel SL, Migletz J (2009) New XML-based files: implications for forensics. IEEE Secur Priv 7(2):38–44
77. Garfinkel SL, Farrell P, Roussev V, Dinolt G (2009) Bringing science to digital forensics with standardized forensic corpora. In: Proceedings of the 9th annual digital forensic research workshop (DFRWS'09). Digit Investig 6:S2–S11
78. Garfinkel SL (2009) Automating disk forensic processing with Sleuthkit, XML and Python. In: Proceedings of the 2009 fourth international IEEE workshop on systematic approaches to digital forensic engineering (SADFE 2009), Berkeley, pp 73–84. ISBN 978-0-7695-3792-4
79. Garfinkel SL (2006) AFF: a new format for storing hard drive images. Commun ACM 49(2):85–87
80. Garfinkel SL (2006) Forensic feature extraction and cross drive analysis. Digit Investig 3(Supplement 1):S71–S81
81. Garfinkel SL, Malan D, Dubec K, Stevens C, Pham C (2006) Advanced forensic format: an open extensible format for disk imaging. In: Olivier M, Shenoi S (eds) Proceedings of the second annual IFIP WG 11.9 international conference on digital forensics, advances in digital forensics II. Springer, Boston, pp 17–31. ISBN 0-387-36890-6
82. Garfinkel SL (2007) Carving contiguous and fragmented files with fast object validation. Digit Investig 4(Supplement 1):S2–S12
83. Garfinkel SL (2009) Providing cryptographic security and evidentiary chain-of-custody with the advanced forensic format library and tools. Int J Digit Crime Forensics 1(1):1–28
84. Gehani A, Reif J (2007) Super-resolution video analysis for forensic investigations. In: Advances in digital forensics III, IFIP international conference on digital forensics, Orlando
85. Geiger M (2005) Evaluating commercial counter forensic tools. Paper presented at the 5th annual digital forensic research workshop (DFRWS'05), New Orleans
86. Gerber M, Leeson J (2004) Formalization of computer input and output: the Hadley model. Digit Investig 1(3):214–224
87. Gillam WB, Rogers M (2005) FileHound: a forensics tool for first responders. In: Proceedings of the 5th annual digital forensic research workshop (DFRWS'05), New Orleans
88. Gilligan J (2001) Beating the daylight savings time bug and getting the correct file modification times. Code Project—date and time. http://www.codeproject.com/KB/datetime/dstbugs.aspx. Accessed 12 July 2011
89. Gladney HM (2006) Principles for digital preservation. Commun ACM 49(2):111–116
90. Gladyshev P, Patel A (2004) Finite state machine approach to digital event reconstruction. Digit Investig 1(2):130–149
91. Gloe T, Böhme R (2010) The Dresden Image database for benchmarking digital image forensics. In: Proceedings of the ACM symposium on applied computing 2010 (SAC 2010), Sierre. ISBN 978-1-60558-639-7
92. Gupta MR, Hoeschele MD, Rogers MK (2006) Hidden disk areas: HPA and DCO. Int J Digit Evidence 5(1):1–8
93. Hargreaves C, Chivers H, Titheridge D (2008) Windows Vista and digital investigations. Digit Investig 5(1):34–48
94. Harms K (2006) Forensic analysis of system restore points in Microsoft Windows XP. In: Proceedings of the 6th annual digital forensic research workshop (DFRWS'06). Digit Investig 3(1):151–158
95. Hartong M, Goel R, Wijesekera D (2007) A framework for investigating railroad accidents. In: Advances in digital forensics III, IFIP international conference on digital forensics, Orlando
96. Hearst MA (2006) Clustering versus faceted categories for information exploration. Commun ACM 49(4):59–61
97. Hoepman J-H, Jacobs B (2007) Increased security through open source. Commun ACM 50(1):79–83
98. Hosmer C, Hyde C (2003) Discovering covert digital evidence. Paper presented at the 3rd annual digital forensic research workshop (DFRWS'03), Cleveland
99. Hosmer C (2006) Digital evidence bag. Commun ACM 49(2):69–70
100. Huang H-C, Fang W-C, Chen S-C (2008) Copyright protection with EXIF metadata and error control codes. In: International conference on security technology 2008, Sanya, pp 133–136
101. Ieong RSC (2006) FORZA—digital forensics investigation framework that incorporate legal issues. In: Proceedings of the 6th annual digital forensic research workshop (DFRWS'06). Digit Investig 3(Supplement 1):29–36
102. Jain AK, Ross A (2004) Multibiometric systems. Commun ACM 47(1):34–40
103. Jansen W, Ayers R (2005) An overview and analysis of PDA forensic tools. Digit Investig 2(2):120–132
104. Jeyaraman S, Atallah MJ (2006) An empirical study of automatic event reconstruction systems. In: Proceedings of the 6th annual digital forensic research workshop (DFRWS'06). Digit Investig 3(Supplement 1):S108–S115
105. Jiang X, Walters A, Xu D, Spafford E, Buchholz F, Wang Y (2007) Provenance-aware tracing of worm break-in and contaminations: a process coloring approach. In: Proceedings of the 24th IEEE international conference on distributed computing systems (ICDCS 2006), Lisbon. ISBN 0-7695-2540-7
106. Johnston A, Reust J (2006) Network intrusion investigation—preparation and challenges. Digit Investig 3(1):118–126
107. Kenneally EE, Brown CLT (2005) Risk sensitive digital evidence collection. Digit Investig 2(2):101–119
108. Kee E, Farid H (2010) Digital image authentication from thumbnails. In: Proceedings of the SPIE symposium on electronic imaging, San Jose
109. Kee E, Johnson MK, Farid H (2011) Digital image authentication from JPEG headers. IEEE Trans Inf Forensics Secur 6(3):1066–1075
110. Khan MNA, Chatwin CR, Young RCD (2007) A framework for post-event timeline reconstruction using neural networks. Digit Investig 4(3–4):146–157
111. Koen R, Olivier M (2008) The use of file timestamps in digital forensics. In: Proceedings of the information security for South Africa conference (ISSA 2008), Pretoria, pp 1–16
112. Kornblum JD (2008) Using JPEG quantization tables to identify imagery processed by software. In: Proceedings of the 8th annual digital forensic research workshop (DFRWS'08). Digit Investig 5(Supplement 1):S21–S25
113. Kornblum JD (2006) Identifying almost identical files using context triggered piecewise hashing. In: Proceedings of the 6th annual digital forensic research workshop (DFRWS'06). Digit Investig 3(Supplement 1):S91–S97
114. Kornblum JD (2004) The Linux kernel and the forensic acquisition of hard disks with an odd number of sectors. Int J Digit Evidence 3(2):1–5
115. Lalis S, Karypidis A, Savidis A (2005) Ad-hoc composition in wearable and mobile computing. Commun ACM 48(3):67–68
116. Lamport L (1978) Time, clocks, and the ordering of events in a distributed system. Commun ACM 21(7):558–565
117. Laurie A (2006) Digital detective. Digit Investig 3(1):17–19
118. Lavelle C, Konrad A (2007) FriendlyRoboCopy: a GUI to RoboCopy for computer forensic investigators. Digit Investig 4(1):16–23
119. Lee S, Shamma DA, Gooch B (2006) Detecting false captioning using common sense reasoning. In: Proceedings of the 6th annual digital forensic research workshop (DFRWS'06). Digit Investig 3(Supplement 1):S65–S70
120. Lee J, Un S, Hong D (2008) High-speed search using Tarari content processor in digital forensics. In: Proceedings of the 8th annual digital forensic research workshop (DFRWS'08). Digit Investig 5(Supplement 1):S91–S95
121. Leigland R, Krings AW (2004) A formalization of digital forensics. Int J Digit Evidence 3(2):1–32
122. Liebrock LM, Marrero N, Burton DP, Prine R, Cornelius E, Shakamuri M et al (2007) A preliminary design for digital forensics analysis of terabyte size data sets. Paper presented at the symposium on applied computing (SAC 2007), Seoul
123. Lyle JR (2006) A strategy for testing hardware write block devices. Paper presented at the 6th annual digital forensic research workshop (DFRWS'06). Digit Investig 3(Supplement 1):S3–S9
124. Marchionini G (2006) Exploratory search: from finding to understanding. Commun ACM 49(4):41–46
125. Marziale L, Richard GG III, Roussev V (2006) Massive threading: using GPUs to increase performance of digital forensic tools. Paper presented at the 6th annual digital forensic research workshop (DFRWS'06). Digit Investig 4:73–81
126. Masters G, Turner P (2007) Forensic data discovery and examination of magnetic swipe card cloning devices. In: Proceedings of the 7th annual digital forensic research workshop (DFRWS'07). Digit Investig 4(Supplement 1):S16–S22
127. McGrew R, Vaughn R (2007) Using search engines to acquire network forensic evidence. In: Advances in digital forensics III, IFIP international conference on digital forensics, Orlando
128. McKemmish R (1999) What is forensic computing? Trends and issues in crime and justice, vol 188. Australian Institute of Criminology, Canberra, pp 1–6. ISBN 0-642-24102-3
129. Mead S (2006) Unique file identification in the national software reference library. Digit Investig 3(1):138–150
130. Mee V, Tryfonas T, Sutherland I (2006) The windows registry as a forensic artefact: illustrating evidence collection for Internet usage. Digit Investig 3(3):166–173
131. Mercuri RT (2005) Challenges in forensic computing. Commun ACM 48(12):17–21
132. Metadata Working Group (2010) Guidelines for handling metadata, Ver 2.0. http://www.metadataworkinggroup.org/pdf/mwg_guidance.pdf. Accessed 12 July 2011
133. Microsoft Developer Network Library (2011) SYSTEMTIME structure, MSDN, Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms724950(v=VS.85).aspx. Accessed 12 July 2011. Microsoft Developer Network Library, TIME_ZONE_INFORMATION structure, MSDN, Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms725481(v=VS.85).aspx. Accessed 12 July 2011
134. Microsoft Developer Network Library (2011) DYNAMIC_TIME_ZONE_INFORMATION structure, MSDN, Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms724253(v=VS.85).aspx. Accessed 12 July 2011
135. Microsoft Developer Network Library (2011) File times, MSDN, Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms724290(v=VS.85).aspx. Accessed 12 July 2011
136. Microsoft Developer Network Library (2011) Local time, MSDN, Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms724493(v=VS.85).aspx. Accessed 12 July 2011
137. Microsoft Developer Network Library (2011) DateTime.ToUniversalTime method, MSDN, Microsoft Corporation. http://msdn.microsoft.com/en-us/library/system.datetime.touniversaltime.aspx. Accessed 12 July 2011
138. Microsoft Support (2011) Time stamps change when copying from NTFS to FAT. Article ID 127830, Microsoft Corporation. http://support.microsoft.com/kb/127830. Accessed 12 July 2011
139. Microsoft Support (2011) Description of NTFS date and time stamps for files and folders. Article ID 299648, Microsoft Corporation. http://support.microsoft.com/kb/299648. Accessed 12 July 2011
140. Microsoft Support (2011) Interpreting timestamps on NTFS file systems. Article ID 158558, Microsoft Corporation. http://support.microsoft.com/kb/158558. Accessed 12 July 2011
141. Miskelly GM, Wagner JH (2005) Using spectral information in forensic imaging. Forensic Sci Int 155(2–3):112–118
142. Mocas S (2004) Building theoretical underpinnings for digital forensics research. Digit Investig 1(1):61–68
143. Mohay GM, Anderson A, Collie B, de Vel O, McKemmish R (2003) Computer and intrusion forensics. Artech House Publications, London. ISBN 1580533698, 9781580533690
144. Morgan TD (2008) Recovering data from the windows registry. In: Proceedings of the 8th annual digital forensic research workshop (DFRWS'08). Digit Investig 5(Supplement 1):S33–S41
145. Murphey R (2007) Automated Windows event log forensics. Paper presented at the 7th annual digital forensic research workshop (DFRWS'07). Digit Investig 4(Supplement 1):S92–S100
146. Myers M, Rogers M (2004) Computer forensics: a need for standardization and certification. Int J Digit Evidence 3(2):1–11
147. National Institute of Justice (NIJ) (2001) Electronic crime scene investigation guide: a guide for first responders. National Institute of Justice, Department of Justice (DoJ), 2001. http://www.ncjrs.gov/pdffiles1/nij/187736.pdf
148. Nikkel BJ (2006) Improving evidence acquisition from live network sources. Digit Investig 3(2):89–96
149. NISO (2004) Understanding metadata. NISO Press, pp 1–20. ISBN 1-880124-62-9. http://www.niso.org/publications/press/UnderstandingMetadata.pdf
150. NIST (2007) Test results for hardware write block device: Tableau Forensic SATA Bridge T3u. NIST, Gaithersburg (unpublished manuscript)
151. NIST (2002) Hard disk hardware write block tool specification. NIST, Gaithersburg (unpublished manuscript)
152. NIST (2003) Hard disk software write block tool specification. NIST, Gaithersburg (unpublished manuscript)
153. NIST (2001) General test methodology for computer forensic tools. NIST, Gaithersburg (unpublished manuscript)
154. NIST (2001) Disk imaging tool specification. NIST, Gaithersburg (unpublished manuscript)
155. Nutter B (2008) Pinpointing TomTom location records: a forensic analysis. Digit Investig 5(1):10–18
156. Olivier MS (2008) On metadata context in database forensics. Digit Investig 5(1):1–8
157. Pal A, Sencar HT, Memon N (2008) Detecting file fragmentation point using sequential hypothesis testing. In: Proceedings of the 8th annual digital forensic research workshop (DFRWS'08). Digit Investig 5(Supplement 1):S2–S13
158. Pan L, Batten LM (2005) Reproducibility of digital evidence in forensic investigations. Paper presented at the 5th annual digital forensic research workshop (DFRWS'05), New Orleans
159. Park B, Park J, Lee S (2009) Data concealment and detection in Microsoft Office 2007 files. Digit Investig 5(3–4):104–114
160. Pering T, Ballagas R, Want R (2005) Spontaneous marriages of mobile devices and interactive spaces. Commun ACM 48(9):53–59
161. Petroni NL Jr, Walters A, Fraser T, Arbaugh WA (2006) FATKit: a framework for the extraction and analysis of digital forensic data from volatile system memory. Digit Investig 3(4):197–210
162. Pollitt MM (2007) An ad-hoc review of digital forensic models. In: Proceedings of the second international workshop on systematic approaches to digital forensic engineering (SADFE'07). IEEE Publication, Washington
163. Poolsapassit N, Ray I (2007) Investigating computer attacks using attack trees. In: Pollitt M, Shenoi S (eds) Proceedings of the third annual IFIP WG 11.9 international conference on digital forensics, advances in digital forensics III. Springer, Orlando. ISBN 978-0-387-73741-6
164. Popescu AC, Farid H (2004) Statistical tools for digital forensics. In: Proceedings of the sixth international workshop on information hiding, Toronto
165. Raghavan S, Clark AJ, Mohay G (2009) FIA: an open forensic integration architecture for composing digital evidence. In: Proceedings of the ICST second annual international conference on forensic applications and techniques in telecommunications, information and multimedia (e-Forensics 2009), Adelaide
166. Reith M, Carr C, Gunsch G (2002) An examination of digital forensic models. Int J Digit Evidence 1(3):1–12
167. Reyes A, O'Shea K, Steele J, Hansen JR, Jean BR, Ralph T (2007) Digital forensics and analyzing data. In: Cyber crime investigations. Syngress, Burlington, pp 219–259
168. Richard GG III, Roussev V (2005) Scalpel: a frugal high performance file carver. Paper presented at the 5th annual digital forensic research workshop (DFRWS'05), New Orleans
169. Richard GG III, Roussev V (2006) Next-generation digital forensics. Commun ACM 49(2):76–80
170. Richard GG III, Roussev V, Marziale L (2006) In-place file carving. In: Proceedings of the second annual IFIP WG 11.9 international conference on digital forensics, advances in digital forensics II. Springer, Boston, pp 1–12. ISBN 0-387-36890-6
171. Richard GG III, Roussev V, Marziale L (2007) Forensic discovery auditing of digital evidence containers. Digit Investig 4(2):88–97
172. Roussev V, Chen Y, Bourg T, Richard GG III (2005) md5Bloom: forensic filesystem hashing revisited. Paper presented at the 5th annual digital forensic research workshop (DFRWS'05), New Orleans
173. Roussev V, Richard GG III, Marziale L (2007) Multi-resolution similarity hashing. Digit Investig 4(Supplement 1):105–113
174. Rowe NC, Garfinkel S (2011) Finding anomalous and suspicious files from directory metadata on a large corpus, to appear. In: Proceedings of the third international conference on digital forensics and cyber crime (ICDF2C 2011), Dublin
175. Rui Y, Huang TS, Chang S-F (1998) Image retrieval: current technologies, promising directions and open issues. J Vis Commun Image Represent 10:39–62
176. Sanderson P (2006) Identifying an existing file via KaZaA artefacts. Digit Investig 3(3):174–180
177. Sarmoria CG, Chapin SJ (2005) Monitoring access to shared memory mapped files. Paper presented at the 5th annual digital forensic research workshop (DFRWS'05), New Orleans
178. Scientific Working Group on Digital Evidence (2009) technical
191. Sencar HT, Memon N (2008) Overview of state-of-the-art in digital image forensics. In: Statistical science and interdisciplinary research (Indian Statistical Institute platinum jubilee monograph series). World Scientific Press, Singapore
192. Shankaranarayanan G, Even A (2006) The metadata enigma. Commun ACM 49(2):88–94
193. Shannon MM (2004) Forensic relative strength scoring: ASCII and entropy scoring. Int J Digit Evidence 2(4):1–19
194. Slewe T, Hoogenboom M (2004) Who will rob you on the digital highway? Commun ACM 47(5):56–60
195. Solomon J, Huebner E, Bem D, Szezynska (2007) User data persistence in physical memory. Digit Investig 4(1):68–72
196. Standards Australia (2003) HB171—guidelines for the management of IT evidence
197. Steele J (2007) Digital forensics and analyzing data: alternate data storage forensics. Syngress, Burlington, pp 1–38
198. Stevens MW (2004) Unification of relative time frames for digital forensics. Digit Investig 1(1):225–239
199. Teerlink S, Erbacher R (2006) Improving the computer forensic process through visualization. Commun ACM 49(2):71–75
200. Toyama K, Logan R, Roseway A, Anandan P (2003) Geographic location tags on digital images. In: Proceedings of ACM multimedia 2003, Berkeley, pp 156–166. ISBN 1-58113-722-2
201. Turnbull B, Blundell B, Slay J (2006) Google desktop as a
notes on microsoft windows vista. SWGDE Technical Notes, pp source of digital evidence. Int J Digit Evidence (IJDE) 5(1):1–12
1–25 202. Turner P (2005) Unification of digital evidence from disparate
179. Scientific Working Group on Digital Evidence (2010) Technical sources (digital evidence bags). Digit Investig 2(3):223–228
notes on microsoft windows 7. SWGDE Technical Notes, pp 1–20 203. Turner P (2005) Digital provenance—interpretation, verification
180. Schatz B (2007) BodySnatcher: towards reliable volatile memory and corroboration. Digit Investig 2(1):45–49
acquisition by software. Digit Investig 4(Supplement 1):126–134 204. Turner P (2006) Selective and intelligent imaging using digital
181. Schatz BL, Clark AJ (2006) An open architecture for digital evidence bags. In: The proceedings of the 6th annual digital
evidence integration. In: Proceedings of the AusCERT R&D forensic research workshop (DFRWS’06), Digit Investig
Stream, AusCERT 2006, Gold Coast, pp 15–29 3(Supplement 1):59–64
182. Schatz B, Mohay G, Clark A (2006) A correlation method for 205. Turner P (2007) Applying a forensic approach to incident
establishing provenance of timestamps in digital evidence. In: response, network investigation and system administration using
The proceedings of the 6th annual digital forensic research digital evidence bags. Digit Investig 4(1):30–35
workshop (DFRWS’06). Digit Investig 3(Supplement 1):98–107 206. van Baar RB, Alink W, Van Ballegooji AR (2008) Forensic
183. Schuster A (2006) Searching for processes and threads in memory analysis: files mapped in memory. In: Proceedings of
microsoft windows memory dumps. In: The proceedings of the the 8th annual digital forensic research workshop (DFRWS’08).
6th annual digital forensic research workshop (DFRWS’06). Digit Investig 5(Supplement 1):S52–S57
Digit Investig 3(Supplement 1):10–16 207. Venter J, de Waal A, Willers C (2007) Specializing CRISP-DM
184. Schuster A (2007) Introducing the microsoft vista event log file for evidence mining. Paper presented at the digital forensics;
format. Digit Investig 4(Supplement 1):65–72 advances in digital forensics III: IFIP international conference
185. Schuster A (2008) The impact of microsoft windows pool on digital forensics, Orlando
allocation strategies on memory forensics. In: Proceedings of the 208. Vlastos E, Patel A (2007) An open source forensic tool to visualize
8th annual digital forensic research workshop (DFRWS’08). digital evidence. Comput Stand Interfaces 29(6):614–625
Digit Investig 5(Supplement 1):S58–S64 209. Vlastos E, Patel A (2008) An open source forensic tool to visualize
186. Schraffel MC, Wilson M, Russel M, Smith DA (2006) MSpace: digital evidence. Comput Stand Interfaces 30(1–2):8–19
improving information access to multimedia domains with 210. Wang G, Chen H, Atabakhsh H (2004) Automatically detecting
multimodal exploratory search. Commun ACM 49(4):47–49 deceptive criminal identities. Commun ACM 47(3):71–76
187. The Sedona Conference Working Group (2007) The Sedona 211. Wang S-J, Kao D-Y (2007) Internet forensics on the basis of
principles: best practices recommendations & principles for evidence gathering with peep attacks. Comput Stand Interfaces
addressing electronic document production (2nd edn.) http:// 29(4):423–429
www.thesedonaconference.org/content/miscFiles/ 212. Wang S-J (2007) Measures of retaining digital evidence to
TSC_PRINCP_2nd_ed_607.pdf. Accessed 12 July 2011 prosecute computer-based cyber-crimes. Comput Stand Inter-
188. The Sedona Conference Working Group (2010) The Sedona faces 29(2):216–223
conference glossary: e-discovery & digital information man- 213. Wang W, Daniels TE (2005) Network forensic analysis with
agement (3rd edn.) www.thesedonaconference.org/dltForm? evidence graphs. Paper presented at the 5th annual digital
did=glossary2010.pdf. Accessed 12 July 2011 forensic research workshop (DFRWS’05), New Orleans
189. The Sedona Conference Working Group (2011) The Sedona 214. Weil MC (2002) Dynamic time and date stamp analysis. Int J
Conference: Commentary on ESI Evidence & Admissibility Digit Evidence 1(2):1–6
(2008). http://www.thesedonaconference.org/dltForm?did=ESI_ 215. Willassen S (2008) Finding evidence of antedating in digital
Commentary_0308.pdf. Accessed 12 July 2011 investigations. In: Proceedings of the third international con-
190. Sencar HT, Memon N (2009) Identification and recovery of ference on availability, reliability and security, ARES, Barce-
JPEG files with missing fragments. Digit Investig 6(4):S88–S98 lona, pp 26–32
123
114 CSIT (March 2013) 1(1):91–114
216. Xu J, Chen H (2005) Criminal network analysis and visualiza- learning. In: Proceedings of the IEEE conference on local
tion. Commun ACM 48(6):100–107 computer networks, IEEE LCN 2005, Sydney, pp 250–257.
217. Zander S, Nguyen T, Armitage G (2005) Automated traffic ISBN: 0-7695-2421-4
classification and application identification using machine
123