Standardization of file recovery classification and authentication

Abstract

Digital forensics can no longer tolerate software that cannot be relied upon to perform specific functions such as file recovery. Indistinct and non-standardized results increase the risk of misinterpretation by digital forensic practitioners, and hinder automated correlation of file recovery results in forensic analysis and tool testing. Treating file recovery results in a clear, distinct manner helps reduce the risk of misunderstandings, incorrect assertions and, ultimately, miscarriages of justice. The root of this problem is a lack of clearly defined software requirements, which compels users and tool testers to make educated guesses and assumptions about how digital forensic tools work. To address this problem, this work applies the core forensic processes of classification, authentication and evaluation to file recovery. Specifically, this work defines a vocabulary for software developers, testers and practitioners to classify, authenticate, evaluate and present results of file recovery operations. This vocabulary can be used by software developers to normalize how file recovery is treated, improving clarity, testability and interoperability of results, and reducing the risk or mistakes in digital investigations. This work also proposes an inaugural set of requirements for applying this vocabulary to file recovery results, providing a foundation for further development by the digital forensic community. This work demonstrates how this vocabulary can be implemented using DFXML, and presents a normalized representation of file recovery results using the Cyber-investigation Analysis Standard Expression (CASE). To demonstrate the more generalized utility of this vocabulary, it is applied to recovery results from versioning file systems and SQLite databases. The formalized vocabulary and forensic methods developed in this work support tool validation as called for in the international standard ISO/IEC 27041 and required for accreditation under the international standard ISO 17025. This work also demonstrates how the European Network of Forensic Science Institutes (ENFSI) Guideline for Evaluative Reporting can be applied to express the results of file recovery classification, authentication and evaluation.