Standardization of File Recovery Classification and Authentication

Published

Author(s)

Eoghan Casey, Alexander J. Nelson, Jessica Hyde

Abstract

Digital forensics can no longer tolerate software that cannot be relied upon to perform specific functions such as file recovery. The root of this problem is a lack of clearly defined software requirements, which compels users and tool testers to make educated guesses and assumptions about how digital forensic tools work. This informal approach results in untested software errors that can result in erroneous decisions, which can have serious consequences in a digital forensic context. To address this problem, this work applies the core forensic processes of classification and authentication to file recovery. Specifically, this work defines a vocabulary for software developers, testers and practitioners to process, present and evaluate results of file recovery operations. This vocabulary can be used by software developers to normalize how file recovery is treated, improving clarity and testability of results, and reducing the chances of misinterpretation. This approach supports tool validation as called for in the international standard ISO/IEC 27041 and required for accreditation under the international standard ISO 17025. This work demonstrates how the vocabulary can be implemented using DFXML, and presents a normalized representation of file recovery results using the evolving Cyber-investigation Analysis Standard Expression (CASE).

Citation

Digital Investigation

Volume

31

Keywords

Digital forensics, Forensic science, Software development, Tool validation, Tool testing, ISO/IEC 27041, ISO/IEC 17025, File recovery, Taxonomy, Standards, SQLite recovery, CASE, DFXML
Created December 1, 2019, Updated February 13, 2020