Authors: Omoche Cheche Agada (George Mason University)
DFRWS USA 2022
Abstract
Estimating the rate and pattern of deleted file decay on digital media is of interest to digital forensic investigators. Understanding how deleted file contents decay and the factors that affect the process is useful in making decisions about artifact recovery during a forensic investigation. Although the mechanisms that cause deleted file content decay are well-known, the actual decay behavior and patterns of decay are not well understood, and one cannot predict with certainty if some or all of a file may be recovered after it has been deleted. In this presentation, we will discuss a novel method for collecting data about deleted file content decay from real-world systems, without violating user privacy. We will show how to leverage a distributed digital body farm (DDBF) to collect deleted file decay data from geographically dispersed computers. The DDBF is a remote software agent that collects content-free and privacy-preserving data about deleted file decay on an active computer system. The data collected is consolidated in a central repository and subsequently analyzed to show meaningful patterns.