The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media
Author(s) - Garfinkel Simson L.
Publication year - 2014
Publication title - Journal of Forensic Sciences
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.715
H-Index - 96
eISSN - 1556-4029
pISSN - 0022-1198
DOI - 10.1111/1556-4029.12528
Subject(s) - file format, digital forensics, computer science, trace (psycholinguistics), digital evidence, encoding (memory), extractor, computer file, file size, world wide web, database, operating system, artificial intelligence, engineering, linguistics, philosophy, process engineering
Forensically significant digital trace evidence is frequently present in sectors of digital media not associated with allocated or deleted files. Modern digital forensic tools generally do not decompress such data unless a specific file with a recognized file type is first identified, potentially resulting in missed evidence. Email addresses are encoded differently for different file formats. As a result, trace evidence can be categorized as Plain in File (PF), Encoded in File (EF), Plain Not in File (PNF), or Encoded Not in File (ENF). The tool bulk_extractor finds all of these formats, but other forensic tools do not. A study of 961 storage devices purchased on the secondary market shows that 474 contained encoded email addresses that were not in files (ENF). Different encoding formats are the result of different application programs that processed different kinds of digital trace evidence. Specific encoding formats explored include BASE64, GZIP, PDF, HIBER, and ZIP.
