Digital forensic investigators recover data from various media and devices, then use those recovered artifacts to infer past user or system activity. Investigators sometimes recover whole, intact artifacts, but often critical evidence is only in the form of partial files or residual fragments from deleted content. In these cases, investigators must attempt to infer what whole artifact used to exist, and what that means for the investigation. Jim Jones and his team have been working on methods to determine how deleted files "decay" over time, what factors affect that decay, and what inferences can be drawn from such an understanding.
Every action on a digital device, whether initiated by a user, an application, the operating system, or hardware, leaves behind evidence of the activity in the form of digital artifacts such as files, memory content, and network traffic. Digital forensics investigators use such artifacts to reconstruct past activity; criminals use them to harvest private or sensitive information. How long an artifact persists directly determines whether it can be recovered at a later date, yet no rigorous, comprehensive theory of digital artifact persistence exists. Dr. Jones and his students have developed tools and are conducting experiments to build such a theory. They implemented a differential analysis approach in which sequential snapshots of digital media are compared to measure deleted file persistence: the contents of deleted files are recorded and tracked over time to establish when each sector of a deleted file changes, and that record forms a decay curve for each file as a function of time and activity. Because the team also has access to system and storage media properties, deleted file properties, and the details of the actions taken between images, they can form testable hypotheses about the factors affecting deleted file persistence. They are applying these techniques to image, audio, and data files on workstations, mobile, IoT, and ICS devices.