Casey Eoghan
Ecole des Sciences Criminelles (ESC), Université de Lausanne, Batochime, CH-1015, Lausanne-Dorigny, Switzerland.
J Forensic Sci. 2018 Sep;63(5):1383-1391. doi: 10.1111/1556-4029.13722. Epub 2017 Dec 28.
This work introduces novel methods for conducting forensic analysis of file allocation traces, collectively called digital stratigraphy. These in-depth forensic analysis methods can provide insight into the origin, composition, distribution, and time frame of strata within storage media. Using case examples and empirical studies, this paper illuminates the successes, challenges, and limitations of digital stratigraphy. This study also shows how understanding file allocation methods can provide insight into concealment activities and how real-world computer usage can complicate digital stratigraphy. Furthermore, this work explains how forensic analysts have misinterpreted traces of normal file system behavior as indications of concealment activities. This work raises awareness of the value of taking the overall context into account when analyzing file system traces. This work calls for further research in this area and for forensic tools to provide necessary information for such contextual analysis, such as highlighting mass deletion, mass copying, and potential backdating.