Standardization of File Recovery Classification and Authentication
Eoghan Casey, Alexander J. Nelson, Jessica Hyde
Digital forensics can no longer tolerate software that cannot be relied upon to perform specific functions such as file recovery. The root of this problem is a lack of clearly defined software requirements, which compels users and tool testers to make educated guesses and assumptions about how digital forensic tools work. This informal approach leaves software errors untested, and those errors can lead to erroneous decisions with serious consequences in a digital forensic context. To address this problem, this work applies the core forensic processes of classification and authentication to file recovery. Specifically, it defines a vocabulary that software developers, testers and practitioners can use to process, present and evaluate the results of file recovery operations. Software developers can use this vocabulary to normalize how file recovery is treated, improving the clarity and testability of results and reducing the chances of misinterpretation. This approach supports tool validation as called for in the international standard ISO/IEC 27041 and required for accreditation under the international standard ISO/IEC 17025. This work demonstrates how the vocabulary can be implemented using DFXML, and presents a normalized representation of file recovery results using the evolving Cyber-investigation Analysis Standard Expression (CASE).