Abstract

This research presents a methodology that can be applied to investigations involving a number of common Linux desktop distributions, in order to give provenance to users’ files that have been deleted and would otherwise lack such additional context and metadata. The proposed methodology relies on key artefacts of user activity contained within Linux desktop distributions: the thumbnail cache, the recent files history and Trash artefacts. The research also examines the criteria under which thumbnails are created on a number of popular Linux desktop distributions. The key metadata held in these artefacts are shown to survive the deletion of the original file in most cases. The methodology has been tested with a focus on common media file formats, given their importance to many digital forensic investigations; as shown, however, it can be applied to other file types under certain circumstances. In the right circumstances the methodology allows key metadata (including filenames, dates and times, and full paths) to be attributed to deleted content. A summary of key file system considerations, and of the underlying desktop operating system artefacts on which the methodology relies, is presented to aid investigators in understanding and applying the methodology. Strategies for recovering additional useful information through carving and keyword searches are also proposed.
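As an added illustration of the artefact correlation the abstract describes (example code written for this page, not the paper's own tooling), the following Python parses the three artefact types on a freedesktop.org-compliant desktop: a Trash `.trashinfo` record, an entry in `recently-used.xbel`, and the `Thumb::URI` / `Thumb::MTime` tEXt chunks of a cached thumbnail PNG, then joins them on the file URI so that a file which no longer exists on disk gets back its full path, deletion time, last-use times, MIME type and the application that opened it. The user name, paths and timestamps are constructed sample data; the on-disk locations named in the comments follow the freedesktop.org Trash, desktop-bookmark and thumbnail specifications.

```python
"""Correlate Linux desktop artefacts to recover provenance for a deleted file.
Constructed sample data for a hypothetical user 'alice'. Real locations:
~/.local/share/Trash/info/*.trashinfo, ~/.local/share/recently-used.xbel and
~/.cache/thumbnails/<size>/<md5(uri)>.png (older desktops: ~/.thumbnails/)."""
import hashlib
import struct
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import unquote

TRASHINFO = """[Trash Info]
Path=/home/alice/Pictures/holiday%202023/beach.jpg
DeletionDate=2023-09-14T18:22:07
"""  # Path= is percent-encoded; DeletionDate is local time with no zone (Trash spec)

SAMPLE_URI = "file:///home/alice/Pictures/holiday%202023/beach.jpg"

RECENTLY_USED_XBEL = f"""<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="{SAMPLE_URI}" added="2023-09-01T10:15:30.123456Z"
            modified="2023-09-01T10:15:30.123456Z" visited="2023-09-01T10:15:30.123456Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="image/jpeg"/>
      <bookmark:applications>
        <bookmark:application name="Image Viewer" exec="&apos;eog %u&apos;"
                              modified="2023-09-01T10:15:30.123456Z" count="3"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
</xbel>
"""

NS = {"bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
      "mime": "http://www.freedesktop.org/standards/shared-mime-info"}


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length-prefixed PNG chunk; the CRC covers chunk type plus data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_thumbnail_png(uri: str, mtime: int) -> bytes:
    """Minimal 1x1 RGB PNG carrying the tEXt chunks a spec-compliant thumbnailer writes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB, no interlace
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Thumb::URI\x00" + uri.encode())
            + png_chunk(b"tEXt", b"Thumb::MTime\x00" + str(mtime).encode())
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def thumbnail_name(uri: str) -> str:
    """Cache file name is the MD5 of the exact file URI string (thumbnail spec), not of the path."""
    return hashlib.md5(uri.encode()).hexdigest() + ".png"


def parse_trashinfo(text: str) -> dict:
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {"path_encoded": fields["Path"], "path": unquote(fields["Path"]),
            "deleted": fields["DeletionDate"]}


def parse_recently_used(xml_text: str) -> dict:
    """Map file URI -> added/modified/visited times, MIME type and opening applications."""
    out = {}
    for bm in ET.fromstring(xml_text).findall("bookmark"):
        mime = bm.find(".//mime:mime-type", NS)
        out[bm.get("href")] = {
            "added": bm.get("added"), "modified": bm.get("modified"), "visited": bm.get("visited"),
            "mime": mime.get("type") if mime is not None else None,
            "apps": [a.get("name") for a in bm.iterfind(".//bookmark:application", NS)]}
    return out


def parse_png_text_chunks(data: bytes) -> dict:
    """Walk the chunk list and return tEXt keyword -> value (Thumb::URI, Thumb::MTime, ...)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    texts, pos = {}, 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":
            key, _, val = body.partition(b"\x00")
            texts[key.decode("latin-1")] = val.decode("latin-1")
        pos += 12 + length  # length field + type + data + CRC
    return texts


def attribute_deleted_file(trashinfo: str, xbel: str, thumbnails: dict) -> dict:
    """Join the three artefacts on the file URI to give a deleted file its provenance."""
    trash = parse_trashinfo(trashinfo)
    uri = "file://" + trash["path_encoded"]
    thumb = thumbnails.get(thumbnail_name(uri))
    thumb_meta = parse_png_text_chunks(thumb) if thumb else {}
    return {"path": trash["path"], "deleted": trash["deleted"],
            "recent": parse_recently_used(xbel).get(uri, {}),
            "thumb_uri": thumb_meta.get("Thumb::URI"),
            "thumb_mtime": thumb_meta.get("Thumb::MTime")}


# Constructed cache contents, keyed the way the cache directory would name the file.
THUMBNAILS = {thumbnail_name(SAMPLE_URI): build_thumbnail_png(SAMPLE_URI, 1693563330)}

if __name__ == "__main__":
    for key, value in attribute_deleted_file(TRASHINFO, RECENTLY_USED_XBEL, THUMBNAILS).items():
        print(f"{key}: {value}")
```

Two caveats matter when applying this to a real image. First, the timestamps come from different clocks and formats: `DeletionDate` is local time with no zone, `recently-used.xbel` uses UTC with a `Z` suffix, and `Thumb::MTime` is the original file's modification time in Unix seconds, so normalise them before building a timeline. Second, the thumbnail file name is the MD5 of the exact URI string the application used; any difference in percent-encoding, or a Trash `Path=` recorded relative to the volume root rather than as an absolute path, breaks the name match, so an investigator should also walk the tEXt chunks of every PNG in the cache (as `parse_png_text_chunks` does) rather than rely on the hash alone.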
