The Association of Digital Forensics, Security and Law (ADFSL)
Digital forensic examiners are tasked with retrieving data from digital storage devices, and frequently these examiners are expected to explain the circumstances that led to the data being in its current state. Through written reports or verbal, expert testimony delivered in court, digital forensic examiners are expected to describe whether data have been altered, and if so, then to what extent have data been altered. Addressing these expectations results from opinions digital forensic examiners reach concerning their understanding of electronic storage and retrieval methods. The credibility of these opinions evolves from the scientific basis from which they are drawn using forensic methodology. Digital forensic methodology, being a scientific process, is derived from observations and repeatable findings in controlled environments. Furthermore, scientific research methods have established that causal conclusions can be drawn only when observed in controlled experiments. With this in mind, it seems beneficial that digital forensic examiners have a library of experiments from which they can perform, observe results, and derive conclusions. After having conducted an experiment on a specific topic, a digital forensic examiner will be in a better position to express with confidence the state of the current data and perhaps the conditions that led to its current state. This study provides a simple experiment using the contemporary versions of the most widely used software applications running on the most commonly installed operation system. Here, using the Microsoft Office 2010 applications, a simple Word document, an Excel spreadsheet, a PowerPoint presentation, and an Access database are created and then modified. A forensic analysis is performed to determine the extent in which the changes to the data are identified. The value in this study is not that it yields new forensic analysis techniques, but rather that it illustrates a methodology that other digital forensic examiners can apply to develop experiments representing their specific data challenges.
Babbie, E. (2004). The Practice of Social Research, 10th ed. Belmont, CA: Thompson Learning.
Baeza-Yates, R., & Ribeiro-Neto, B. (1999). Modern Information Retrieval. New York, NY: ACM Press.
Carlton, G. H. (2007). A grounded theory approach to identifying and measuring forensic data acquisition tasks. Journal of Digital Forensics, Security, and Law, 2 (1), 35-56.
Cimaware. (2013). Repair Access database files with AccessFIX database recovery Software. Retrieved from http://www.accessfix.com on June 10, 2013.
Cohen, F. (2011). Putting the science in digital forensics. Journal of Digital Forensics, Security, and Law , 6 (1), 7-14.
Elmasri, R., & Navathe, S. B. (2003). Fundamentals of Database Systems, 4th ed. Boston, MA: Addison-Wesley.
Guidance Software, Inc. (2008). EnCase Enterprise Version 6.10 User's Guide. Pasadena, CA: Guidance Software, Inc.
Hoyle, R. H., Harris, M. J., & Judd, C. M. (2002). Research Methods in Social Relations, 7th ed. Boston, MA: Thompson Learning.
Korfhage, R. R., & Spencer, M. (ed). (1997). Information Storage and Retrieval. New York, NY: John Wiley & Sons, Inc.
Microsoft Corporation. (2013). Understanding Office binary file formats. Retrieved from http://msdn.microsoft.com/enus/library/office/gg615407%28v=office.14%29.aspx on July 21, 2013.
Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to Computer Forensics and Investigations, 4 th ed. Boston, MA: Course Technology Cengage Learning.
Shelly, G. B., & Vermaat, M. E. (2011). Microsoft Office 2010 Introductory. Boston, MA: Course Technology Cengage Learning.
Volonino, L., Anzaldua, R., & Godwin, J. (2007). Computer Forensics Principles and Practices. Upper Saddle River, New Jersey: Pearson Prentice Hall.
Carlton, Gregory H.
"A Simple Experiment with Microsoft Office 2010 and Windows 7 Utilizing Digital Forensic Methodology,"
Journal of Digital Forensics, Security and Law: Vol. 8
, Article 2.
Available at: http://commons.erau.edu/jdfsl/vol8/iss1/2