The Defence Science and Technology Laboratory (Dstl) is an executive agency of the Ministry of Defence (MOD) providing world-class expertise and delivering cutting-edge science and technology for the benefit of the nation and allies.
It produces a regular Digital Forensics Bulletin, and the latest issue is based on a major research project CCL conducted on behalf of Dstl, investigating 'the forensic data that could be recovered from novel devices or software, and how that data could be used'.
The CCL team, led by Alex Caithness and Arun Prasannan, examined the Google Chrome web browser and the artefacts that are created by using file sharing websites (viz. Google Drive, Dropbox, Mega and Cloud Mail.ru). They presented methodologies to identify and interpret artefacts which could assist in criminal investigations.
Modern file sharing websites are complex web applications which make use of a range of web technologies (e.g. Web Storage, IndexedDB, File System API) which generate artefacts alongside traditional browser artefacts such as history, cookies and web cache. While forensic tools support these traditional artefacts, support for the artefacts related to newer web technologies is less well established.
Comments Arun: “Given the complexity of many modern websites, our approach considers the browser as an operating system on which web apps run, where all artefacts relating to a particular website are considered together as artefacts of a single app, rather than in isolation. This provided a more comprehensive view of the state and usage of each file sharing service. We also created Python scripts to process various Chrome-related data sources, which have been released under an open-source licence.”
The Dstl bulletin is available here
The Python scripts can be found here