When an application is uninstalled from a computer system, the application’s deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application’s prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog file-system changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference.
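The catalog-building idea described above, sketched as an added example (not the authors' implementation): sector hashes that appear between a pre-install and a post-install snapshot form the candidate catalog, and hashes that also appear over a control interval without the application are removed as noise. The 512-byte sector size, SHA-256, the control snapshot pair, all function names and the sample "disk images" are assumptions constructed for illustration; real noise sectors will not always recur byte-for-byte as they do here.

```python
import hashlib

SECTOR = 512  # assumed sector size

def sector_hashes(image: bytes) -> set:
    """SHA-256 of every full sector, skipping all-zero (unallocated/wiped) sectors."""
    hashes = set()
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sector = image[off:off + SECTOR]
        if any(sector):
            hashes.add(hashlib.sha256(sector).hexdigest())
    return hashes

def new_sectors(before: bytes, after: bytes) -> set:
    """Sector hashes present in the later snapshot but not the earlier one."""
    return sector_hashes(after) - sector_hashes(before)

def build_catalog(base, installed, control_before, control_after) -> set:
    """Install/use delta minus the delta seen over a control run without the application."""
    return new_sectors(base, installed) - new_sectors(control_before, control_after)

def match_fraction(catalog: set, disk: bytes) -> float:
    """Fraction of catalog sectors still present on the disk of interest."""
    return len(catalog & sector_hashes(disk)) / len(catalog) if catalog else 0.0

def _s(tag: bytes) -> bytes:
    """Constructed sector: the tag repeated to fill 512 bytes."""
    return (tag * SECTOR)[:SECTOR]

# Constructed snapshots (not real disk images).
OS, ZERO, LOG = _s(b"os-file"), bytes(SECTOR), _s(b"os-log-rotation")
APP = [_s(b"app-bin"), _s(b"app-dll"), _s(b"app-cfg")]
BASE = OS + ZERO * 4
INSTALLED = OS + APP[0] + APP[1] + APP[2] + LOG   # app sectors plus unrelated OS activity
CONTROL_AFTER = OS + LOG + ZERO * 3               # same interval, no application installed

CATALOG = build_catalog(BASE, INSTALLED, BASE, CONTROL_AFTER)
NAIVE = new_sectors(BASE, INSTALLED)              # no noise elimination

# Disk of interest: app uninstalled, one deleted sector already overwritten.
DECAYED = OS + APP[0] + _s(b"new-user-data") + APP[2] + LOG
CLEAN = OS + LOG + ZERO * 3                       # application never installed

if __name__ == "__main__":
    print("decayed disk:", match_fraction(CATALOG, DECAYED))
    print("clean disk, filtered catalog:", match_fraction(CATALOG, CLEAN))
    print("clean disk, naive catalog:", match_fraction(NAIVE, CLEAN))
```

The unfiltered catalog matches a disk that never held the application, which is the false inference that eliminating non-application changes is meant to prevent.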




