Towards a standardised strategy to collect and distribute application software artifacts
Thomas Laurenson, Stephen MacDonell, Hank Wolfe

TL;DR
This paper proposes a standardized strategy for collecting and distributing application software artifacts through application profiles, utilizing formal differential analysis and a new data abstraction to enhance forensic investigations.
Contribution
It introduces a formalized differential analysis method and a new data abstraction, APXML, for standardized collection and sharing of application artifacts in forensic analysis.
Findings
Successfully implemented in LiveDiff forensic tool
Enables automated and simplified data collection
Provides a standardized format for artifact storage and distribution
Abstract
Reference sets contain known content that is used to identify relevant or filter irrelevant content. Application profiles are a type of reference set that contains digital artifacts associated with application software. An application profile can be compared against a target data set to identify relevant evidence of application usage in a variety of investigation scenarios. The research objective is to design and implement a standardised strategy to collect and distribute application software artifacts using application profiles. An advanced technique for creating application profiles was designed using a formalised differential analysis strategy. The design was implemented in a live differential forensic analysis tool, LiveDiff, to automate and simplify data collection. A storage mechanism was designed based on a previously standardised forensic data abstraction. The design was…
