Applying filter clusters to reduce search state space

Abstract

Computer forensic tools must be both accurate and reliable so as not to miss vital evidence. While many investigations are conducted in sophisticated digital forensic laboratories, there is an increasing need to develop tools and techniques that could permit preliminary investigations to be carried out in the field. Pre-filtering electronic data in the field, before a computer is brought back to a laboratory for full investigation, can save valuable time. Filtering can also speed up in-house investigations by reducing search space size. This paper discusses the application of automated tools based on filters. In addition to helping reduce the search space, niters can support specific tasks such as locating and identifying encryption software and hidden, encrypted or compressed files. Filters may be used to automate tedious examinations of temporary Internet files, Windows directories or illicit images. Also, filters can facilitate customized searches based on patterns encountered in investigations of common cases. © 2006 International Federation for Information Processing.