Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications

IF 0.6 Q4 COMPUTER SCIENCE, INFORMATION SYSTEMS Journal of Digital Forensics Security and Law Pub Date : 2019-01-01 DOI:10.15394/jdfsl.2019.1626

Oluwaseun Adegbehingbe, James H. Jones

{"title":"Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications","authors":"Oluwaseun Adegbehingbe, James H. Jones","doi":"10.15394/jdfsl.2019.1626","DOIUrl":null,"url":null,"abstract":"When an application is uninstalled from a computer system, the application’s deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application’s prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog file-system changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference.","PeriodicalId":43224,"journal":{"name":"Journal of Digital Forensics Security and Law","volume":null,"pages":null},"PeriodicalIF":0.6000,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Digital Forensics Security and Law","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.15394/jdfsl.2019.1626","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 2

Abstract

When an application is uninstalled from a computer system, the application’s deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application’s prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog file-system changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

改进的先前卸载的计算机应用程序的容错推断

当从计算机系统卸载应用程序时，应用程序已删除的文件内容会随着时间的推移而被覆盖，这取决于操作系统、可用未分配磁盘空间、用户活动等因素。随着这些内容的衰减，基于剩余的数字工件推断应用程序先前存在的能力变得更加困难。先前的研究通过将感兴趣的硬盘扇区与先前构建的标记扇区哈希目录相匹配来推断先前安装的应用程序，显示出有希望的结果。先前的工作使用白名单方法来识别相关的工件，导致没有不相关的工件，但是导致一些潜在有用的工件的丢失。在当前的工作中，我们通过采用顺序快照文件差异方法收集了一组更完整的相关工件，以从目录中识别和消除不是由于应用程序安装和使用而导致的文件系统更改。我们的工作的关键贡献是建立一个更完整的目录，最终导致更准确的先验应用推断。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Journal of Digital Forensics Security and Law COMPUTER SCIENCE, INFORMATION SYSTEMS-

自引率

0.00%

发文量

审稿时长

10 weeks