The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media
Authors
Garfinkel, Simson L.
Subjects
forensic science
digital forensics
optimistic decompression
bulk_extractor
real data corpus
encoded nonfile
Microsoft Xpress
BASE64
GZIP
PDF
ZIP
Date of Issue
2014
Date
Summer 2014
Abstract
Forensically significant digital trace evidence is frequently present in sectors of digital media that are not associated with allocated or deleted files. Modern digital forensic tools generally do not decompress such data unless a specific file with a recognized file type is first identified, potentially resulting in missed evidence. Email addresses are encoded differently for different file formats. As a result, trace evidence can be categorized as Plain in File (PF), Encoded in File (EF), Plain Not in File (PNF), or Encoded Not in File (ENF). The tool bulk_extractor finds all of these forms, but other forensic tools do not. A study of 961 storage devices purchased on the secondary market shows that 474 contained encoded email addresses that were not in files (ENF). Different encoding formats are the result of different application programs that processed different kinds of digital trace evidence. Specific encoding formats explored include BASE64, GZIP, PDF, HIBER, and ZIP.
Type
Article
Description
The article of record as published may be located at http://dx.doi.org/10.1111/1556-4029.12528
Department
Computer Science (CS)
Citation
Journal of Forensic Sciences, Summer 2014
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
