Abstract
Digital forensics is a relatively new scientific discipline, but one that has matured greatly over the past decade. In any field of human endeavor, it is important to periodically pause and review the state of the discipline. This paper examines where digital forensics stands at this point in time and what has been accomplished, in order to critically analyze what has been done well and what ought to be done better. The paper also takes stock of what is known, what is not known and what needs to be known. It is a compilation of the author’s opinion and the viewpoints of twenty-one other practitioners and researchers, many of whom are leaders in the field. In synthesizing these professional opinions, several consensus views emerge that provide valuable insights into the “state of the discipline.”
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Beebe, N. (2009). Digital Forensic Research: The Good, the Bad and the Unaddressed. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics V. DigitalForensics 2009. IFIP Advances in Information and Communication Technology, vol 306. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04155-6_2
DOI: https://doi.org/10.1007/978-3-642-04155-6_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04154-9
Online ISBN: 978-3-642-04155-6