Digital Forensics

The art and science of forensic examination of digital computing systems including but not limited to personal computers, web servers, portable devices and automotive computers.

Commercial disk wiping programs don't work in many cases. See: http://igneous.scis.ecu.edu.au/proceedings/2005/forensics/woodward.pdf

This is good news for the forensic examiner, not so good for privacy advocates.

iPod forensics: http://igneous.scis.ecu.edu.au/proceedings/2005/forensics/woodward.pdf

update: http://www.utica.edu/academic/institutes/ecii/publications/articles/B40DD0EA-D340-962F-F98B868F3C69129F.pdf

COFEE: http://www.microsoft.com/industry/government/solutions/cofee/default.aspx

Microsoft spills the COFEE: http://www.techdirt.com/articles/20091108/0808216846.shtml

DECAF: http://gizmodo.com/5426874/decaf-app-thwarts-microsofts-super+illegal-cofee-forensic-software

Digital image forensics and image tamper detetion: http://www.cs.dartmouth.edu/farid/research/tampering.html

Scanner identification: http://www.ecn.purdue.edu/~prints/public/papers/ei07-nitin2.pdf

I've built some software in this area and my algorithm was much faster and simpler than everything I have found in the literature.

Printer tracking: http://w2.eff.org/Privacy/printers/docucolor/

Bet you didn't know these dots are very likely on your driver's license and almost every color print you've ever made.

Recommended reading: http://books.google.com/books?id=Y7eKM3kl7DEC

How to REALLY Erase a Hard Drive: http://blogs.zdnet.com/storage/?p=129

Overwriting doesn't work. Can Intelligence Agencies Read Overwritten Data: http://www.nber.org/sys-admin/overwritten-data-guttman.html

Facebook Forensics: http://blogs.sans.org/computer-forensics/2009/06/11/facebook-forensics/

As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. Only degaussing or physical destruction is acceptable for the latter.[4]

On the other hand, according to the 2006 NIST Special Publication 800-88 (p. 7): "Studies have shown that most of today’s media can be effectively cleared by one overwrite" and "for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged."[1] An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes "has created a situation where many organisations ignore the issue all together – resulting in data leaks and loss. "[5]

http://en.wikipedia.org/wiki/Data_remanence

This is fantastic stuff, thanks very much for all these links, we really have a nice reference link library here now about many different things. I like how its coming along.

I guess this article might fit in here:
http://www.eff.org/deeplinks/2010/03/eff-posts-documents-detailing-law-enforcement

Yes, thanks for posting that. Here's the link to the master site: http://www.eff.org/foia/social-network-monitoring

Stay tuned, there will be some interesting revelations I expect.

haha ,c'mon us x-websleuthers knew for a long time that's how you get the good stuff

The way you get the good stuff is to capture everything and throw out most of it. See http://www.blackhat.com/presentations/bh-usa-09/TOPLETZ/BHUSA09-Topletz-GlobalSpying-PAPER.pdf