Proposal / Submission Type
Peer Reviewed Paper
Location
Mori Hosseini Student Union: Event Center
Start Date
15-5-2019 10:00 AM
Abstract
When an application is uninstalled from a computer system, the application's deleted file contents are overwritten over time, depending on factors such as the operating system, available unallocated disk space, and user activity. As this content decays, the ability to infer the application's prior presence from the remaining digital artifacts becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white-list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog filesystem changes that are not due to application installation and use. The key contribution of our work is the building of a more complete catalog, which ultimately results in more accurate prior application inference.
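The following is an added, self-contained toy model of the catalog-building and inference pipeline the abstract describes; it is not code from the paper or its authors. Snapshots are modelled as path-to-content dictionaries, sequential differencing selects files changed by installation and use, a parallel control sequence with no application activity removes operating-system churn, and the selected files are hashed per 512-byte sector after dropping sectors already present on the baseline. A white-list catalog restricted to the install directory is built alongside for comparison, and both are matched against a constructed post-uninstall image with partial decay. All paths, the "ExampleApp" label and the file contents are constructed for the example.

```python
# Toy model of decay-tolerant inference of a previously installed application from
# sector hashes. All snapshots, paths and contents below are constructed; "ExampleApp"
# is a hypothetical application, not one studied in the paper.
import hashlib
from typing import Dict, List, Set, Tuple

SECTOR = 512
Snapshot = Dict[str, bytes]      # path -> file content
Catalog = Dict[str, Set[str]]    # sector hash -> application labels


def sectorize(data: bytes) -> List[bytes]:
    """Split data into 512-byte sectors, zero-padding the tail as a filesystem would."""
    return [data[i:i + SECTOR].ljust(SECTOR, b"\x00") for i in range(0, len(data), SECTOR)]


def sector_hash(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


def changed_files(before: Snapshot, after: Snapshot) -> Set[str]:
    """Sequential snapshot file differencing: paths added or modified between snapshots."""
    return {p for p, c in after.items() if before.get(p) != c}


def churn_paths(snapshots: List[Snapshot]) -> Set[str]:
    """Paths changed anywhere in a snapshot sequence; on a control system this is OS churn."""
    paths: Set[str] = set()
    for a, b in zip(snapshots, snapshots[1:]):
        paths |= changed_files(a, b)
    return paths


def image_hashes(snapshot: Snapshot) -> Set[str]:
    return {sector_hash(s) for c in snapshot.values() for s in sectorize(c)}


def build_catalog(label: str, paths: Set[str], final: Snapshot, baseline: Snapshot) -> Catalog:
    """Hash every sector of the selected files, dropping all-zero sectors and sectors that
    already existed before installation (e.g. a bundled copy of a system DLL)."""
    known = image_hashes(baseline)
    catalog: Catalog = {}
    for path in sorted(paths):
        for sec in sectorize(final[path]):
            h = sector_hash(sec)
            if sec == b"\x00" * SECTOR or h in known:
                continue
            catalog.setdefault(h, set()).add(label)
    return catalog


def differencing_catalog(label: str, app_snaps: List[Snapshot],
                         control_snaps: List[Snapshot]) -> Tuple[Catalog, Set[str]]:
    """Catalog from every file the install/use sequence changed, minus control-system churn."""
    relevant = churn_paths(app_snaps) - churn_paths(control_snaps)
    return build_catalog(label, relevant, app_snaps[-1], app_snaps[0]), relevant


def whitelist_catalog(label: str, app_snaps: List[Snapshot], prefix: str) -> Catalog:
    """The earlier white-list approach: only files under the known install directory."""
    relevant = {p for p in app_snaps[-1] if p.startswith(prefix)}
    return build_catalog(label, relevant, app_snaps[-1], app_snaps[0])


def infer(disk_image: bytes, catalog: Catalog) -> Dict[str, float]:
    """Fraction of each application's catalog sectors still present on a raw image."""
    present = {sector_hash(s) for s in sectorize(disk_image)}
    totals: Dict[str, int] = {}
    hits: Dict[str, int] = {}
    for h, labels in catalog.items():
        for lab in labels:
            totals[lab] = totals.get(lab, 0) + 1
            if h in present:
                hits[lab] = hits.get(lab, 0) + 1
    return {lab: hits.get(lab, 0) / n for lab, n in totals.items()}


def fill(tag: str, nsectors: int) -> bytes:
    """Deterministic, sector-distinct synthetic file content."""
    return b"".join(hashlib.sha256(f"{tag}:{i}".encode()).digest() * 16 for i in range(nsectors))


# Constructed snapshots: before install, after install, after first use.
BASE: Snapshot = {"Windows/System32/msvcrt.dll": fill("msvcrt", 4),
                  "Windows/Logs/setup.log": fill("log0", 1)}
INSTALLED: Snapshot = {**BASE,
                       "Windows/Logs/setup.log": fill("log1", 1),                    # OS churn
                       "Program Files/ExampleApp/app.exe": fill("app.exe", 6),
                       "Program Files/ExampleApp/app.dll": fill("app.dll", 4),
                       "Program Files/ExampleApp/msvcrt.dll": fill("msvcrt", 4)}     # bundled copy
USED: Snapshot = {**INSTALLED,
                  "Windows/Logs/setup.log": fill("log2", 1),
                  "Users/alice/AppData/ExampleApp/settings.cfg": fill("settings", 1)}
# Control sequence: same system, same elapsed time, no application activity.
CONTROL: List[Snapshot] = [BASE, {**BASE, "Windows/Logs/setup.log": fill("log1c", 1)},
                           {**BASE, "Windows/Logs/setup.log": fill("log2c", 1)}]
# Target image after uninstall and partial decay: system files, a newer log, the first two
# sectors of app.exe surviving beside overwritten space, and all of app.dll still intact.
TARGET_IMAGE = (fill("msvcrt", 4) + fill("log3", 1)
                + fill("app.exe", 6)[:2 * SECTOR] + fill("overwrite", 4) + fill("app.dll", 4))


def run_example() -> Tuple[int, int, float]:
    """Returns (differencing catalog size, white-list catalog size, inferred presence score)."""
    diff_cat, _ = differencing_catalog("ExampleApp", [BASE, INSTALLED, USED], CONTROL)
    wl_cat = whitelist_catalog("ExampleApp", [BASE, INSTALLED, USED], "Program Files/ExampleApp/")
    return len(diff_cat), len(wl_cat), infer(TARGET_IMAGE, diff_cat)["ExampleApp"]


if __name__ == "__main__":
    print(run_example())
```

The differencing catalog picks up the user-profile settings file that the install-directory white list misses, while the control sequence keeps the setup log out of the catalog even though it changed during installation; the presence score is simply the share of catalog sectors found on the image, so it degrades gracefully as decay overwrites remnants.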
Scholarly Commons Citation
Adegbehingbe, Oluwaseun and Jones, James H. Jr., "Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications" (2019). Annual ADFSL Conference on Digital Forensics, Security and Law. 9.
https://commons.erau.edu/adfsl/2019/paper-presentation/9
Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications