The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media
Abstract
Forensically significant digital trace evidence is frequently present in sectors of digital media not associated with allocated or deleted files. Modern digital forensic tools generally do not decompress such data unless a specific file with a recognized file type is first identified, potentially resulting in missed evidence. Email addresses are encoded differently for different file formats. As a result, trace evidence can be categorized as Plain in File (PF), Encoded in the File (EF), Plain Not in File (PNF), or Encoded Not in File (ENF). The tool bulk_extractor finds all of these formats, but other forensic tools do not. A study of 961 storage devices purchased on the secondary market shows that 474 contained encoded email addresses that were not in files (ENF). Different encoding formats are the result of different application programs that processed different kinds of digital trace evidence. Specific encoding formats explored include BASE64, GZIP, PDF, HIBER, and ZIP.
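To illustrate the Plain Not in File versus Encoded Not in File distinction, the following Python example (added here; it is not code from the paper or from bulk_extractor) scans a raw buffer with no file system context and reports addresses that a plain string search finds separately from those recovered only after decoding GZIP streams or BASE64 runs found at arbitrary offsets. The function names, the simplified address pattern and the sample buffer are assumptions of this example, and only two of the listed encodings are handled.

```python
import base64, binascii, gzip, re, zlib

# Simplified address pattern (an assumption of this example).
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}")
GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID bytes followed by the deflate method byte

def plain_hits(buf):
    return {m.group().decode().lower() for m in EMAIL.finditer(buf)}

def gzip_hits(buf, max_out=1 << 20):
    hits, pos = set(), buf.find(GZIP_MAGIC)
    while pos != -1:
        try:  # wbits=31 selects gzip framing; max_out bounds the output size
            out = zlib.decompressobj(wbits=31).decompress(buf[pos:], max_out)
            hits |= plain_hits(out)
        except zlib.error:
            pass  # magic matched by chance, or the stream is damaged
        pos = buf.find(GZIP_MAGIC, pos + 1)
    return hits

def base64_hits(buf):
    hits = set()
    for m in B64_RUN.finditer(buf):
        for off in range(4):  # a run need not start on a 4-character boundary
            s = m.group()[off:]
            if len(s) % 4 == 1:
                s = s[:-1]  # a lone trailing character carries no full byte
            try:
                hits |= plain_hits(base64.b64decode(s + b"=" * (-len(s) % 4)))
            except binascii.Error:
                pass
    return hits

def scan_sectors(buf):
    plain = plain_hits(buf)
    return {"plain": plain,
            "encoded": {"GZIP": gzip_hits(buf) - plain,
                        "BASE64": base64_hits(buf) - plain}}

# Constructed sample standing in for sectors outside any file.
SAMPLE = (b"\x00" * 64 + b"alice@example.com" + b"\x00" * 47
          + gzip.compress(b"From: bob@example.org\n") + b"\xff" * 32
          + b"XY" + base64.b64encode(b"To: carol@example.net\r\n") + b"\x00" * 64)

if __name__ == "__main__":
    print(scan_sectors(SAMPLE))
```

The two bytes placed before the BASE64 text in the sample shift the run off its group boundary, which is why every one of the four alignments is tried.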
Description
The article of record as published may be located at http://dx.doi.org/10.1111/1556-4029.12528
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.