Samantha Klier, Jan Varenkamp, Harald Baier

Back and Forth—On Automatic Exposure of Origin and Dissemination of Files on Windows

  • Computer Networks and Communications
  • Computer Science Applications
  • Hardware and Architecture
  • Safety Research
  • Information Systems
  • Software

The number of Child Sexual Abuse Material (CSAM) cases has increased dramatically in recent years. This leads to the need to automate various steps in digital forensic processing, especially for CSAM investigations. For instance, if CSAM pictures are found on a device, the investigator aims to find traces of their origin and possible further dissemination. In this article, we address this challenge with respect to the widespread Windows operating system. We model different common scenarios of system use by CSAM offenders in the scope of file inbound and outbound transfer channels. This gives us insights into the digital traces in the Windows operating system and its applications that reveal the origin and possible destination of a file. We review available concepts and applications to support this issue. Furthermore, we develop a recursive-based approach and provide a prototype as a plugin for the open source application Autopsy. We call our prototype AutoTrack. Our evaluation against the different models of Windows system usage reveals that AutoTrack is superior to existing solutions and provides support for an investigator to find digital traces about the origin and possible further dissemination of files. We publish our AutoTrack plugin and thus provide full reproducibility of our approach.
