Digital Forensic Research: The Good, the Bad and the Unaddressed

Digital forensics is a relatively new scientific discipline, but one that has matured greatly over the past decade. In any field of human endeavor, it is important to periodically pause and review the state of the discipline. This paper examines where the discipline of digital forensics is at this point in time and what has been accomplished in order to critically analyze what has been done well and what ought to be done better. The paper also takes stock of what is known, what is not known and what needs to be known. It is a compilation of the author’s opinion and the viewpoints of twenty-one other practitioners and researchers, many of whom are leaders in the field. In synthesizing these professional opinions, several consensus views emerge that provide valuable insights into the “state of the discipline.”
