When finding nothing may be evidence of something:: Anti-forensics and digital tool marks

Graeme Horsman; David Errickson

doi:10.1016/j.scijus.2019.06.004

When finding nothing may be evidence of something: Anti-forensics and digital tool marks

Graeme Horsman, David Errickson

Centre for Digital Innovation

Research output: Contribution to journal › Article › peer-review

17 Downloads (Pure)

Abstract

There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.

Original language	English
Pages (from-to)	565-572
Number of pages	8
Journal	Science & Justice
Volume	59
Issue number	5
Early online date	3 Jun 2019
DOIs	https://doi.org/10.1016/j.scijus.2019.06.004
Publication status	Published - 30 Sep 2019

Access to Document

10.1016/j.scijus.2019.06.004Licence: Unspecified

Full textAccepted author manuscript, 209 KBLicence: CC BY-NC-ND

https://linkinghub.elsevier.com/retrieve/pii/S1355030619300085Licence: Unspecified

Cite this

@article{08690a99f26c42f4ad00fd22bcdbd8f1,

title = "When finding nothing may be evidence of something:: Anti-forensics and digital tool marks",

abstract = "There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, {\textquoteleft}digital tool marks{\textquoteright} (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.",

author = "Graeme Horsman and David Errickson",

year = "2019",

month = sep,

day = "30",

doi = "10.1016/j.scijus.2019.06.004",

language = "English",

volume = "59",

pages = "565--572",

journal = "Science and Justice - Journal of the Forensic Science Society",

issn = "1355-0306",

publisher = "Elsevier",

number = "5",

}

TY - JOUR

T1 - When finding nothing may be evidence of something:

T2 - Anti-forensics and digital tool marks

AU - Horsman, Graeme

AU - Errickson, David

PY - 2019/9/30

Y1 - 2019/9/30

N2 - There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.

AB - There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.

UR - http://www.scopus.com/inward/record.url?scp=85067423863&partnerID=8YFLogxK

U2 - 10.1016/j.scijus.2019.06.004

DO - 10.1016/j.scijus.2019.06.004

M3 - Article

VL - 59

SP - 565

EP - 572

JO - Science and Justice - Journal of the Forensic Science Society

JF - Science and Justice - Journal of the Forensic Science Society

SN - 1355-0306

IS - 5

ER -

When finding nothing may be evidence of something: Anti-forensics and digital tool marks

Abstract

Access to Document

Other files and links

Fingerprint

Cite this