New Today: 4
New Yesterday: 9
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
Project Ideas for Digital Forensics StudentsBack to top Back to main Skip to menu
Project Ideas for Digital Forensics Students
If you decide to base your project on one of these suggestions please contact us so that we can discuss making your work available to other researchers and practitioners. By doing so you will be making an immediate and positive impact on the field of digital forensics.
Please note: Projects marked with an asterisk (*) have been suggested by practitioners who are willing to discuss the subject matter in further detail and provide a limited degree of guidance to students who have already formally agreed the project with their own supervisor. Contact us for further details only if you have already reached this stage and note that no support is offered to students prior to this point and any such enquiries will not receive a reply.
New project suggestions are always welcome and should be submitted here together with a short description and an indication of what level of support/guidance, if any, you are happy to provide to students.
Project ideas and descriptions
Solid-State Drives (SSDs): Build on the existing research concerning wear levelling, effects on hashing, recovery of data from unallocated space etc.
4K Sector Hard Disk Drives (HDDs): 4K sector hard disk drives are a bit of an unknown quantity at the moment from a forensic perspective, particularly those drives that include 512 byte sector emulation.
GPS Devices: Tom Toms and Navmans have been well researched but Garmin devices are more of a challenge with part of these devices' storage not being currently accessible with existing forensic tools.
Application Forensics: e.g. Gigatribe, Skype (file transfer), Dropbox (the app - not the web app)
Cloud Storage Artefacts: e.g. skydrive, idrive, etc
Verification and Validation*: Forensic regulation may change in the next few years with the formalisation of certain laboratory standards across not only countries but perhaps also continents. However, there is much work to be done formalising the details in relation to the verification and validation of hard disk data recovery software, mobile phone software, hardware write blockers, etc.
Laboratory Accreditation ISO Standards*: A comprehensive study detailing how and why current laboratory standards (e.g. 9001 which focuses more on calibration for DNA and chromatography etc.) do or do not apply to the digital forensic arena would be valuable - especially for management - in taking the field forward. There is work currently being done on this by various prominent figures but further research would be useful.
MMORPG (and 'Cloud') Chat Artefacts*: It would be nice to see more research into chat artefacts from within the multiplayer areas of games. Second Life and World of Warcraft have had some research conducted, but there is not a huge amount of information available about the results. The well documented success of recovery of MSN, Yahoo etc. chat artefacts in grooming cases may mean that such activities move to the 'cloud'.
Policy*: Various suggestions - a state-of-affairs review looking at past, present and future policy; triage; scenes of crime; seizure etc.
ZeitGeist*: ZeitGeist looks like it will be integrated into the GNOME desktop environment and has the potential to be even better than volume shadow and user assist for evidence.
TULP2G*: This has already had some work done on it recently but a resurrection of the TULP2G software for mobile phone analysis, and the development of 3G capabilities for it, would be useful.
Use of Software Engineering Principles in Ensuring the Forensic Integrity of Digital Forensics Software and Results Produced*: Involves looking at software engineering principles and methodologies and evaluating which one would be more suitable to digital forensics software development.
Tamper-Resistant Communication Networks*: This would involve studying Tamper-Resistant Communication Networks such as the Plan R* network (and others that are far more advanced) and creating either a methodology or a software solution to aid digital forensics investigators in analysing such networks.
AI and Data-Mining*: This research project could revolve around the use of AI and data-mining principles and methodologies to extract data from multiple sources in search of evidence regarding a crime committed by a person or group of people. Or, to make it a bit more doable within the allotted time-frame for an MSc project, the development of an extensible framework that would allow the collation and correlation of data from such disparate sources. For students in the UK, this would also tie-in well with the new policy of retaining information from landline, mobile telephony and internet records for use by law enforcement agencies.
Use of Intelligent (and possibly mobile) Multi-Agent Systems*: This project would look at the use of Intelligent (and possibly mobile) Multi-Agent Systems as frameworks for the development of software that would automate the collection, analysis and reporting of digital forensics artefacts from not just single computers but also computer networks in such a way as to guarantee the forensic and evidential integrity and soundness of the artefacts and reports produced.
Recovery of SQLite Databases from Unallocated Space*: For example to enable the recovery of artefacts from various browser databases (e.g. Mozilla).
Phone Artefacts*: A project researching artefacts from phones, e.g. those produced by web browsers, web based chat, IM based chat, Skype, etc. Are phone artefacts the same as the respective artefacts from a computer?
Web Browser Session Restore Artefacts*: Further research could be done in relation to web browser session restore artefacts, particularly from Internet Explorer.
Jump Lists and Linkfiles in W7*: There is a lot of scope for research into the forensic significance of Jump Lists and Linkfiles in Windows 7.
A Generic Solution to NTFS Compressed Carving*: As part of the ReviveIt project a case-specific solution has been created to carve NTFS compressed Outlook MSG email files (see link here). It would be useful to have a generic solution carving NTFS compressed data. This could be done by extending existing carvers with NTFS compression support. But research is needed to determine if there are other solutions to recover NTFS compressed data e.g. based on characteristics of the compression algorithm that might be better.
Research into Carving Precision*: A project based on furthering the work already done by Bas Kloet (see link here). Currently not a lot of reference carving images are publicly available. One aspect of this research topic would be to create an automated solution to generate carving images using different realistic scenarios and input data as part of the carving-precision-framework. Also, additional research is needed in regard of existing carving approaches and possible improvements, e.g. those proposed by the contributions of the DFRWS 2007 carving challenge.
Database Reverse Engineering: Analysis of database file formats for forensic artefacts. This could be combined with programming to build code that parses the format. Various possibilities, e.g.
Exchange/Active Directory formats* (continuing the work of the libesedb project e.g. to fill up the existing gaps or research Exchange or Active Directory specific structures).
Windows Live Messenger* - forensically interesting due to the contacts.edb file that has 29 different tables with over 700 fields. There is a lot of scope for some really useful information to be gleaned from these tables.
Vista Thumbnail Databases* - A project researching thumbnail databases in Windows Vista (for example examining the claim that filenames may be recovered by reference to the Windows indexing in windows.edb).
Lotus Notes database format* (continuing the work of the libnsfdb project).
MSSQL database format*.
log2timeline Framework*: The tool log2timeline supports a lot of input formats but its main problem is that it produces too much output data. A next step could be to design a framework (probably with a form of AI) in which certain user-related activity e.g. boot OS, used inlog, virus scan, opening of an application etc. can be grouped/determined/annotated.
A further list of open research topics is maintained by Simson Garfinkel at http://www.forensicswiki.org/wiki/Open_Research_Topics