A Distributed Digital Body Farm for Dynamic Monitoring of File Decay Patterns on the NTFS Filesystem
Date
2022
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
Forensic recovery of previously deleted data could be a time-consuming activity during a digital forensic investigation. As tedious as the procedure is, it may not produce useful results or any results at all, as the deleted file data decay process may have rendered such data irrecoverable. Proper insight into the rates, patterns, and factors that influence digital artifact decay is necessary to help investigators determine if attempting a recovery is a wise use of time. A significant amount of research effort has been invested in the study of deleted artifact decay, but knowledge gaps still exist. This work developed, implemented, tested, and applied a tool to collect deleted file decay data, then analyzed that data to determine decay rates and patterns, as well as factors affecting those decay rates and patterns. The work describes a methodology and the implementation of a distributed digital body farm (DDBF) – a suite of applications that use differential analysis to monitor and record patterns of decay as data are erased or overwritten on a secondary storage medium attached to a live system. The patterns are remotely collected from systems belonging to independent users without violating the privacy of such users. The extracted patterns are subsequently analyzed using multiple data models to provide further insight into the deleted file decay rates, processes, and influencing factors.
Description
Keywords
Deleted file decay, Deleted file persistence, Digital body farm, Digital forensics, Digital investigation, Distributed digital body farm