Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Inferring previously uninstalled applications from digital traces

Published

Author(s)

Jim Jones, Tahir Kahn, Kathryn B. Laskey, Alexander J. Nelson, Mary T. Laamanen, Douglas R. White

Abstract

In this paper, we present an approach and experimental results to suggest the past presence of an application after the application has been uninstalled and the system has remained in use. Current techniques rely on the recovery of intact artifacts and traces, e.g., whole files, Windows Registry entries, or log file entries, while our approach requires no intact artifact recovery and leverages trace evidence in the form of residual partial files. In the case of recently uninstalled applications or an instrumented infrastructure, artifacts and traces may be intact and complete. In most cases, however, digital artifacts and traces are altered, destroyed, and disassociated over time due to normal system operation and deliberate obfuscation activity. As a result, analysts are often presented with partial and incomplete artifacts and traces from which defensible conclusions must be drawn. In this work, we match the sectors from a hard disk of interest to a previously constructed catalog of full files captured while various applications were installed, used, and uninstalled. The sectors composing the files in the catalog are not necessarily unique to each file or application, so we use an inverse frequency-weighting scheme to compute the inferential value of matched sectors. Similarly, we compute the fraction of full files associated with each application that is matched, where each file with a sector match is weighted by the fraction of total catalog sectors matched for that file. We compared results using both the sector-weighted and file-weighted values for known ground truth test images and final snapshot images from the M57 Patents Scenario data set. The file-weighted measure was slightly more accurate than the sector-weighted measure, although both identified all of the uninstalled applications in the test images and a high percentage of installed and uninstalled applications in the M57 data set, with minimal false positives for both sets.
Proceedings Title
Proceedings of the Conference on Digital Forensics, Security and Law
Conference Dates
May 24-26, 2016
Conference Location
Daytona Beach, FL, US
Conference Title
11th Annual ADFSL Conference on Digital Forensics, Security and Law

Keywords

digital forensics, digital artifact, digital trace, partial artifact, residual artifact, uninstalled application

Citation

Jones, J. , Kahn, T. , Laskey, K. , Nelson, A. , Laamanen, M. and White, D. (2017), Inferring previously uninstalled applications from digital traces, Proceedings of the Conference on Digital Forensics, Security and Law, Daytona Beach, FL, US, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=920622 (Accessed November 24, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created May 24, 2017, Updated October 12, 2021