Forensic Investigation of Remnant Data on USB Storage Devices Sold in New Zealand

Abstract

The digital forensic tools used by law enforcement agencies for forensic investigations are mostly proprietary and commercially expensive; although open-source tools are used, the investigations conducted with such tools are not verified by reputable organisations, and hence, users are reluctant to practice such tools. To address this issue, we experimentally evaluate three open-source forensic tools based on various requirements recommended by the National Institute of Standards and Technology (NIST) framework for forensic investigation. The experimental setup consists of a forensic workstation, write-blocker, and purchased USB hard drives investigated via digital forensic imaging tools, i.e., DC3DD, DCFLDD, and Guymager. We create various test cases, which distribute USB hard drives in different groups and investigate the functional and optional requirements of NIST along with recovering and analysing remnant data. We evaluate these forensic tools by analysing the log information, following, anonymously (to ensure that data were not disclosed or misused during or after the investigations) collecting, examining, and classifying the remnant data restored from the USB hard drives. We observe that the percentage of hardware resources usage and the processing time of each tool are remarkably different, e.g., Guymager was the fastest tool and met all the functional requirements in each test case, but it utilised more CPU and memory resources than DC3DD, DCFLDD. We note that 88.23% of the USB hard drives contained sensitive personal or business information (e.g., personal photos, bank transactions, and contracts). Subsequently, the remnant data analysis shows that consumers in New Zealand are unaware of personal data security and the associated vulnerabilities of data leakages.