Recent Research In Digital Forensics

Despite pandemic-related disruptions in both research and publishing as we head into the summer, there are still some posts and papers being published. In this round-up, we take a look at three recent articles in digital forensics.

An Evaluation of Data Erasing Tools

Andrew Jones and Isaac Afrifa are the authors of this paper in the Journal of Digital Forensics, Security, & Law 15(1).

In this updated comparative study, Jones and Afrifa analyzed some popular erasing tools. The researchers evaluated the tools’ efficiency based on their usability, claimed erasing standards, and whether they perform complete data erasure with the use of the “write zero” method. The tools studied were:

  • Hard Wipe
  • Eraser
  • Macrorit DataWiper
  • Active KillDisk
  • Disk Wipe
  • PuranWipe Disk
  • Remo Drive Wipe
  • SuperFile Shredder

The research focused on data stored on an electromechanical drive, excluding solid state drives because no scientifically proven method exists to ascertain that all sectors of the storage media have been accessed and overwritten.

The researchers’ results: most tools completely wiped the entire disk, but not all of them included the boot sector. The researchers noted that this did not imply data recovery or carving capabilities. In addition, one tool wiped content but not folder or file names.



The results indicated that the “write zero” method remains sufficient for disk erasure. The researchers also concluded that a single overwrite pass is enough to completely wipe a disk (sufficient, they noted, for personal disks), though this did not necessarily rule out the data becoming recoverable in the future.

Another conclusion: system resources such as CPU time and memory usage had no bearing on the wiping tools’ effectiveness, nor did the tools’ pricing: free tools could offer secure, permanent erasure as readily as premium tools.
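
A check of the kind the “write zero” criterion implies, as an added example that is not taken from the paper or from any of the tools it tested: it scans a raw disk image sector by sector and reports whether every sector, including the boot sector, reads back as zeros. The 512-byte sector size, the function names and the sample images are assumptions constructed for illustration.

```python
import io

SECTOR = 512  # assumed logical sector size of the imaged drive

def verify_zero_wipe(stream, sector_size=SECTOR, keep=16):
    """Scan a raw image and report sectors that are not all zero bytes."""
    total = dirty = 0
    first_dirty = []  # indexes of the first `keep` non-zero sectors
    while True:
        chunk = stream.read(sector_size)
        if not chunk:
            break
        if chunk.count(0) != len(chunk):  # any non-zero byte in this sector
            dirty += 1
            if len(first_dirty) < keep:
                first_dirty.append(total)
        total += 1
    return {
        "sectors": total,
        "dirty": dirty,
        "first_dirty": first_dirty,
        # Sector 0 holds the boot record; the study found some tools skip it.
        "boot_sector_wiped": total > 0 and 0 not in first_dirty,
        "fully_wiped": total > 0 and dirty == 0,
    }

def sample_images(sectors=8):
    """Constructed test images, not data from the study."""
    clean = bytes(sectors * SECTOR)
    boot_left = bytearray(clean)
    boot_left[510:512] = b"\x55\xaa"  # boot signature left in sector 0
    names_left = bytearray(clean)
    names_left[5 * SECTOR:5 * SECTOR + 10] = b"REPORT.DOC"  # leftover file name
    return {"clean": clean, "boot_left": bytes(boot_left),
            "names_left": bytes(names_left)}

if __name__ == "__main__":
    for name, image in sample_images().items():
        print(name, verify_zero_wipe(io.BytesIO(image)))
```

To check a real acquisition, pass a file object opened in binary mode on the raw image instead of the in-memory samples.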

What’s in the Cloud? An Examination of the Impact of Cloud Storage Usage on the Browser Cache

In the same journal, Graeme Horsman’s paper, What’s in the Cloud? – An examination of the impact of cloud storage usage on the browser cache, forensically examined trace evidence left in the Google Chrome browser cache following cloud storage account usage and interaction, specifically with Dropbox and Google Drive.

Horsman identified volatility as one of the key challenges of cloud-based evidence: found during an investigation, the evidence “may no longer be present where attempting to acquire access to it.” His research demonstrated the possibility of recovering data that can be used to partially reconstruct a user’s cloud storage account.

The value in doing this lies in the fact that requesting account content or credential access from service providers doesn’t guarantee access to a user’s account. Further, the browser cache itself can provide the information needed to demonstrate the probative value of collecting cloud-based data from a service provider, and should not be disregarded as a source of potentially material data.

Horsman found that accessing Dropbox via Chrome results in what he called “comprehensive caching of their account content and its associated metadata.” At the same time, however, each platform displays different caching behavior.

For example, although Google Drive is comparable to Dropbox, its behavior in the browser cache is more challenging, because only limited information — relative to Dropbox usage — is retained in Chrome.

On the other hand, Horsman cautioned, cached cloud storage content can change over time and as service providers update and adapt their platforms. Either some data may no longer be cached locally, or new data could be cached. Ongoing research is needed to document these changes over time. 

ScreenTime Notifications in macOS Catalina

At Swift Forensics, Yogesh Khatri wrote about ScreenTime notifications in macOS Catalina (10.15).

In particular, he noted, ScreenTime notifications differ from actual displayed notifications in that the databases don’t contain (and therefore, some forensic tools don’t show) the same strings. 

In contrast to the notification data stored within a plist, Khatri wrote, “Screentime uses format strings and a list of data, which needs to be put back together… similar to how Event logs in windows or Unified logging in macOS works.”
