Skip to Main Content
Forensic investigations have traditionally relied on data that exists as a by-product of normal operating system and application operation on a system following an incident. We propose a research agenda targeted at expanding the information available to an investigator in computing environments in which software can be installed on the target systems ahead of any incident. In these cases, information can be preserved proactively and stored until needed for examination. In our first ongoing project, we are working to modify a file system to selectively recover disk blocks that are less likely to contain useful information when space is needed for a new file. In our second, we are keeping small amounts of information about files on a system that are deleted, copied, or modified. This allows us to perform certain types of investigations on files that are overwritten or otherwise missing from the system.