Abstract
Anti-forensics has developed to prevent digital forensic investigations, thus forensic investigations to prevent anti-forensic behaviors have been studied in various area. In the area of user activity analysis, "IconCache.db" files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations such as the traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses out strings from the IconCache.db to assist an analyst. Therefore, an analyst can more easily analyze the IconCache.db file using the tool.
Original language | English |
---|---|
Pages (from-to) | 102-110 |
Number of pages | 9 |
Journal | Digital Investigation |
Volume | 11 |
Issue number | 2 |
DOIs | |
Publication status | Published - 2014 Jun |
Bibliographical note
Funding Information:This research was supported by the Public Welfare & Safety Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (2012M3A2A1051106) and the Korea University Grant.
Keywords
- Anti-forensics
- Digital forensics
- Icon
- IconCache.db
- User behavior
ASJC Scopus subject areas
- Pathology and Forensic Medicine
- Information Systems
- Computer Science Applications
- Medical Laboratory Technology
- Law