Digital Forensic Research: The Good, the Bad and the Unaddressed

  • Nicole Beebe
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 306)

Abstract

Digital forensics is a relatively new scientific discipline, but one that has matured greatly over the past decade. In any field of human endeavor, it is important to periodically pause and review the state of the discipline. This paper examines where the discipline of digital forensics is at this point in time and what has been accomplished in order to critically analyze what has been done well and what ought to be done better. The paper also takes stock of what is known, what is not known and what needs to be known. It is a compilation of the author’s opinion and the viewpoints of twenty-one other practitioners and researchers, many of whom are leaders in the field. In synthesizing these professional opinions, several consensus views emerge that provide valuable insights into the “state of the discipline.”

Keywords

Digital forensic research, evaluation, future research areas

Copyright information

© IFIP International Federation for Information Processing 2009
