The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡
Forensically significant digital trace evidence is frequently present in sectors of digital media not associated with allocated or deleted files. Modern digital forensic tools generally do not decompress such data unless a specific file with a recognized file type is first identified, potential...
Main author: | |
---|---|
Format: | Online Article Text |
Language: | English |
Published: | BlackWell Publishing Ltd 2014 |
Subjects: | |
Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4263158/ https://www.ncbi.nlm.nih.gov/pubmed/25053280 http://dx.doi.org/10.1111/1556-4029.12528 |
_version_ | 1782348522306142208 |
---|---|
author | Garfinkel, Simson L |
author_facet | Garfinkel, Simson L |
author_sort | Garfinkel, Simson L |
collection | PubMed |
description | Forensically significant digital trace evidence is frequently present in sectors of digital media not associated with allocated or deleted files. Modern digital forensic tools generally do not decompress such data unless a specific file with a recognized file type is first identified, potentially resulting in missed evidence. Email addresses are encoded differently for different file formats. As a result, trace evidence can be categorized as Plain in File (PF), Encoded in File (EF), Plain Not in File (PNF), or Encoded Not in File (ENF). The tool bulk_extractor finds all of these formats, but other forensic tools do not. A study of 961 storage devices purchased on the secondary market shows that 474 contained encoded email addresses that were not in files (ENF). Different encoding formats are the result of different application programs that processed different kinds of digital trace evidence. Specific encoding formats explored include BASE64, GZIP, PDF, HIBER, and ZIP. |
format | Online Article Text |
id | pubmed-4263158 |
institution | National Center for Biotechnology Information |
language | English |
publishDate | 2014 |
publisher | BlackWell Publishing Ltd |
record_format | MEDLINE/PubMed |
spelling | pubmed-42631582014-12-15 The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡ Garfinkel, Simson L J Forensic Sci Digital & Multimedia Sciences Forensically significant digital trace evidence is frequently present in sectors of digital media not associated with allocated or deleted files. Modern digital forensic tools generally do not decompress such data unless a specific file with a recognized file type is first identified, potentially resulting in missed evidence. Email addresses are encoded differently for different file formats. As a result, trace evidence can be categorized as Plain in File (PF), Encoded in File (EF), Plain Not in File (PNF), or Encoded Not in File (ENF). The tool bulk_extractor finds all of these formats, but other forensic tools do not. A study of 961 storage devices purchased on the secondary market shows that 474 contained encoded email addresses that were not in files (ENF). Different encoding formats are the result of different application programs that processed different kinds of digital trace evidence. Specific encoding formats explored include BASE64, GZIP, PDF, HIBER, and ZIP. BlackWell Publishing Ltd 2014-09 2014-07-23 /pmc/articles/PMC4263158/ /pubmed/25053280 http://dx.doi.org/10.1111/1556-4029.12528 Text en Published 2014. This article is a U.S. Government work and is in the public domain in the USA. Journal of Forensic Sciences published by Wiley Periodicals, Inc. on behalf of American Academy of Forensic Sciences http://creativecommons.org/licenses/by-nc/3.0/ This is an open access article under the terms of the Creative Commons Attribution-NonCommercial License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited and is not used for commercial purposes. |
spellingShingle | Digital & Multimedia Sciences Garfinkel, Simson L The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡ |
title | The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡ |
title_full | The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡ |
title_fullStr | The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡ |
title_full_unstemmed | The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡ |
title_short | The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media*†‡ |
title_sort | prevalence of encoded digital trace evidence in the nonfile space of computer media*†‡ |
topic | Digital & Multimedia Sciences |
url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4263158/ https://www.ncbi.nlm.nih.gov/pubmed/25053280 http://dx.doi.org/10.1111/1556-4029.12528 |
work_keys_str_mv | AT garfinkelsimsonl theprevalenceofencodeddigitaltraceevidenceinthenonfilespaceofcomputermedia AT garfinkelsimsonl prevalenceofencodeddigitaltraceevidenceinthenonfilespaceofcomputermedia |