Open Access. Powered by Scholars. Published by Universities.®

Computer Engineering Commons

Open Access. Powered by Scholars. Published by Universities.®

Articles 1 - 30 of 57

Full-Text Articles in Computer Engineering

Chip-Off Success Rate Analysis Comparing Temperature And Chip Type, Choli Ence, Joan Runs Through, Gary D. Cantrell Feb 2019

Chip-Off Success Rate Analysis Comparing Temperature And Chip Type, Choli Ence, Joan Runs Through, Gary D. Cantrell

Journal of Digital Forensics, Security and Law

Throughout the digital forensic community, chip-off analysis provides examiners with a technique to obtain a physical acquisition from locked or damaged digital device. Thermal based chip-analysis relies upon the application of heat to remove the flash memory chip from the circuit board. Occasionally, a flash memory chip fails to successfully read despite following similar protocols as other flash memory chips. Previous research found the application of high temperatures increased the number of bit errors present in the flash memory chip. The purpose of this study is to analyze data collected from chip-off analyses to determine if a statistical difference exists ...


I Know What You Did Last Summer: Your Smart Home Internet Of Things And Your Iphone Forensically Ratting You Out, Gokila Dorai, Shiva Houshmand, Ibrahim Baggili Aug 2018

I Know What You Did Last Summer: Your Smart Home Internet Of Things And Your Iphone Forensically Ratting You Out, Gokila Dorai, Shiva Houshmand, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

The adoption of smart home Internet of Things (IoT) devices continues to grow. What if your devices can snitch on you and let us know where you are at any given point in time? In this work we examined the forensic artifacts produced by Nest devices, and in specific, we examined the logical backup structure of an iPhone used to control a Nest thermostat, Nest Indoor Camera and a Nest Outdoor Camera. We also integrated the Google Home Mini as another method of controlling the studied Smart Home devices. Our work is the primary account for the examination of Nest ...


Digital Forensics In The Next Five Years, Laoise Luciano, Ibrahim Baggili, Mateusz Topor, Peter Casey, Frank Breitinger Aug 2018

Digital Forensics In The Next Five Years, Laoise Luciano, Ibrahim Baggili, Mateusz Topor, Peter Casey, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

Cyber forensics has encountered major obstacles over the last decade and is at a crossroads. This paper presents data that was obtained during the National Workshop on Redefining Cyber Forensics (NWRCF) on May 23-24, 2017 supported by the National Science Foundation and organized by the University of New Haven. Qualitative and quantitative data were analyzed from twenty-four cyber forensics expert panel members. This work identified important themes that need to be addressed by the community, focusing on (1) where the domain currently is; (2) where it needs to go and; (3) steps needed to improve it. Furthermore, based on the ...


Retrieval Of Infotainment System Artifacts From Vehicles Using Ive, Celia J. Whelan, John Sammons, Brian Mcmanus, Terry W. Fenger Jul 2018

Retrieval Of Infotainment System Artifacts From Vehicles Using Ive, Celia J. Whelan, John Sammons, Brian Mcmanus, Terry W. Fenger

Journal of Applied Digital Evidence

The analysis of mobile devices and hard drives has been the focus of the digital forensics world for years, but there is another source of potential evidence not often considered: vehicles. Many of today’s “connected cars” have systems that function like computers, storing information they process including user data from devices synced to the system. There has been little to no research done regarding what types of user artifacts can be found on the system, how long these artifacts remain, whether or not the user can remove those artifacts, and whether certain systems provide more information than others. For ...


Drop (Drone Open Source Parser) Your Drone: Forensic Analysis Of The Dji Phantom Iii, Devon R. Clark, Christopher S. Meffert, Ibrahim Baggili, Frank Breitinger Jan 2017

Drop (Drone Open Source Parser) Your Drone: Forensic Analysis Of The Dji Phantom Iii, Devon R. Clark, Christopher S. Meffert, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

The DJI Phantom III drone has already been used for malicious activities (to drop bombs, remote surveillance and plane watching) in 2016 and 2017. At the time of writing, DJI was the drone manufacturer with the largest market share. Our work presents the primary thorough forensic analysis of the DJI Phantom III drone, and the primary account for proprietary file structures stored by the examined drone. It also presents the forensically sound open source tool DRone Open source Parser (DROP) that parses proprietary DAT files extracted from the drone's nonvolatile internal storage. These DAT files are encrypted and encoded ...


A Novel Privacy Preserving User Identification Approach For Network Traffic, Nathan Clarke, Fudong Li, Steven Furnell Jan 2017

A Novel Privacy Preserving User Identification Approach For Network Traffic, Nathan Clarke, Fudong Li, Steven Furnell

ECU Publications Post 2013

The prevalence of the Internet and cloud-based applications, alongside the technological evolution of smartphones, tablets and smartwatches, has resulted in users relying upon network connectivity more than ever before. This results in an increasingly voluminous footprint with respect to the network traffic that is created as a consequence. For network forensic examiners, this traffic represents a vital source of independent evidence in an environment where anti-forensics is increasingly challenging the validity of computer-based forensics. Performing network forensics today largely focuses upon an analysis based upon the Internet Protocol (IP) address – as this is the only characteristic available. More typically, however ...


The Impact Of Md5 File Hash Collisions On Digital Forensic Imaging, Gary C. Kessler Dec 2016

The Impact Of Md5 File Hash Collisions On Digital Forensic Imaging, Gary C. Kessler

Journal of Digital Forensics, Security and Law

The Message Digest 5 (MD5) hash is commonly used as for integrity verification in the forensic imaging process. The ability to force MD5 hash collisions has been a reality for more than a decade, although there is a general consensus that hash collisions are of minimal impact to the practice of computer forensics. This paper describes an experiment to determine the results of imaging two disks that are identical except for one file, the two versions of which have different content but otherwise occupy the same byte positions on the disk, are the same size, and have the same hash ...


The Impact Of Sha-1 File Hash Collisions On Digital Forensic Imaging: A Follow-Up Experiment, Gary C. Kessler Dec 2016

The Impact Of Sha-1 File Hash Collisions On Digital Forensic Imaging: A Follow-Up Experiment, Gary C. Kessler

Journal of Digital Forensics, Security and Law

A previous paper described an experiment showing that Message Digest 5 (MD5) hash collisions of files have no impact on integrity verification in the forensic imaging process. This paper describes a similar experiment applied when two files have a Secure Hash Algorithm (SHA-1) collision.


The Legacy Computer Challenge, Matt Schultz Oct 2016

The Legacy Computer Challenge, Matt Schultz

Matt Schultz

In late 2016, the Special Collections & University Archives (SCUA) at GVSU LIbraries were approached by a faculty member with a request to help retrieve a series of important emails, journals, and film production notes that were stored electronically on two very old (legacy) Macintosh computers. This presentation was used to provide the Mid-Michigan Digital Practitioners community with an overview of the materials and the use case being presented. Attention was drawn to the challenges of connecting and retrieving data from obsolete computer technology and feedback was solicited for strategies and best practices to follow.


Deleting Collected Digital Evidence By Exploiting A Widely Adopted Hardware Write Blocker, Christopher S. Meffert, Ibrahim Baggili, Frank Breitinger Aug 2016

Deleting Collected Digital Evidence By Exploiting A Widely Adopted Hardware Write Blocker, Christopher S. Meffert, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

In this primary work we call for the importance of integrating security testing into the process of testing digital forensic tools. We postulate that digital forensic tools are increasing in features (such as network imaging), becoming networkable, and are being proposed as forensic cloud services. This raises the need for testing the security of these tools, especially since digital evidence integrity is of paramount importance. At the time of conducting this work, little to no published anti-forensic research had focused on attacks against the forensic tools/process.We used the TD3, a popular, validated, touch screen disk duplicator and hardware ...


Anti-Forensics: Furthering Digital Forensic Science Through A New Extended, Granular Taxonomy, Kevin Conlan, Ibrahim Baggili, Frank Breitinger Aug 2016

Anti-Forensics: Furthering Digital Forensic Science Through A New Extended, Granular Taxonomy, Kevin Conlan, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

Anti-forensic tools, techniques and methods are becoming a formidable obstacle for the digital forensic community. Thus, new research initiatives and strategies must be formulated to address this growing problem. In this work we first collect and categorize 308 antidigital forensic tools to survey the field. We then devise an extended anti-forensic taxonomy to the one proposed by Rogers (2006) in order to create a more comprehensive taxonomy and facilitate linguistic standardization. Our work also takes into consideration anti-forensic activity which utilizes tools that were not originally designed for antiforensic purposes, but can still be used with malicious intent. This category ...


A Cyber Forensics Needs Analysis Survey: Revisiting The Domain's Needs A Decade Later, Vikram S. Harichandran, Frank Breitinger, Ibrahim Baggili, Andrew Marrington Mar 2016

A Cyber Forensics Needs Analysis Survey: Revisiting The Domain's Needs A Decade Later, Vikram S. Harichandran, Frank Breitinger, Ibrahim Baggili, Andrew Marrington

Electrical & Computer Engineering and Computer Science Faculty Publications

The number of successful cyber attacks continues to increase, threatening financial and personal security worldwide. Cyber/digital forensics is undergoing a paradigm shift in which evidence is frequently massive in size, demands live acquisition, and may be insufficient to convict a criminal residing in another legal jurisdiction. This paper presents the findings of the first broad needs analysis survey in cyber forensics in nearly a decade, aimed at obtaining an updated consensus of professional attitudes in order to optimize resource allocation and to prioritize problems and possible solutions more efficiently. Results from the 99 respondents gave compelling testimony that the ...


A Method And A Case Study For The Selection Of The Best Available Tool For Mobile Device Forensics Using Decision Analysis, Shahzad Saleem, Oliver Popov, Ibrahim Baggili Mar 2016

A Method And A Case Study For The Selection Of The Best Available Tool For Mobile Device Forensics Using Decision Analysis, Shahzad Saleem, Oliver Popov, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

The omnipresence of mobile devices (or small scale digital devices - SSDD) and more importantly the utility of their associated applications for our daily activities, which range from financial transactions to learning, and from entertainment to distributed social presence, create an abundance of digital evidence for each individual. Some of the evidence may be a result of illegal activities that need to be identified, understood and eventually prevented in the future. There are numerous tools for acquiring and analyzing digital evidence extracted from mobile devices. The diversity of SSDDs, types of evidence generated and the number of tools used to uncover ...


On Efficiency Of Distributed Password Recovery, Radek Hranický, Martin Holkovič, Petr Matoušek Jan 2016

On Efficiency Of Distributed Password Recovery, Radek Hranický, Martin Holkovič, Petr Matoušek

Journal of Digital Forensics, Security and Law

One of the major challenges in digital forensics today is data encryption. Due to the leaked information about unlawful sniffing, many users decided to protect their data by encryption. In case of criminal activities, forensic experts are challenged how to decipher suspect's data that are subject to investigation. A common method how to overcome password-based protection is a brute force password recovery using GPU-accelerated hardware. This approach seems to be expensive. This paper presents an alternative approach using task distribution based on BOINC platform. The cost, time and energy efficiency of this approach is discussed and compared to the ...


Towards Syntactic Approximate Matching-A Pre-Processing Experiment, Doowon Jeong, Frank Breitinger, Hari Kang, Sangjin Lee Jan 2016

Towards Syntactic Approximate Matching-A Pre-Processing Experiment, Doowon Jeong, Frank Breitinger, Hari Kang, Sangjin Lee

Electrical & Computer Engineering and Computer Science Faculty Publications

Over the past few years, the popularity of approximate matching algorithms (a.k.a. fuzzy hashing) has increased. Especially within the area of bytewise approximate matching, several algorithms were published, tested, and improved. It has been shown that these algorithms are powerful, however they are sometimes too precise for real world investigations. That is, even very small commonalities (e.g., in the header of a file) can cause a match. While this is a desired property, it may also lead to unwanted results. In this paper, we show that by using simple pre-processing, we significantly can influence the outcome. Although ...


An Automated Approach For Digital Forensic Analysis Of Heterogeneous Big Data, Hussam Mohammed, Nathan Clarke, Fudong Li Jan 2016

An Automated Approach For Digital Forensic Analysis Of Heterogeneous Big Data, Hussam Mohammed, Nathan Clarke, Fudong Li

Journal of Digital Forensics, Security and Law

The major challenges with big data examination and analysis are volume, complex interdependence across content, and heterogeneity. The examination and analysis phases are considered essential to a digital forensics process. However, traditional techniques for the forensic investigation use one or more forensic tools to examine and analyse each resource. In addition, when multiple resources are included in one case, there is an inability to cross-correlate findings which often leads to inefficiencies in processing and identifying evidence. Furthermore, most current forensics tools cannot cope with large volumes of data. This paper develops a novel framework for digital forensic analysis of heterogeneous ...


Making Sense Of Email Addresses On Drives, Neil C. Rowe, Riqui Schwamm, Michael R. Mccarrin, Ralucca Gera Jan 2016

Making Sense Of Email Addresses On Drives, Neil C. Rowe, Riqui Schwamm, Michael R. Mccarrin, Ralucca Gera

Journal of Digital Forensics, Security and Law

Drives found during investigations often have useful information in the form of email addresses which can be acquired by search in the raw drive data independent of the file system. Using this data we can build a picture of the social networks that a drive owner participated in, even perhaps better than investigating their online profiles maintained by social-networking services because drives contain much data that users have not approved for public display. However, many addresses found on drives are not forensically interesting, such as sales and support links. We developed a program to filter these out using a Naïve ...


Whatsapp Network Forensics: Decrypting And Understanding The Whatsapp Call Signaling Messages, Filip Karpisek, Ibrahim Baggili, Frank Breitinger Oct 2015

Whatsapp Network Forensics: Decrypting And Understanding The Whatsapp Call Signaling Messages, Filip Karpisek, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

WhatsApp is a widely adopted mobile messaging application with over 800 million users. Recently, a calling feature was added to the application and no comprehensive digital forensic analysis has been performed with regards to this feature at the time of writing this paper. In this work, we describe how we were able to decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination. We explain the methods and tools ...


Identification And Exploitation Of Inadvertent Spectral Artifacts In Digital Audio, N. C. Donnangelo, W. S. Kuklinski, R. Szabo, R. A. Coury, G. R. Hamshar Jan 2015

Identification And Exploitation Of Inadvertent Spectral Artifacts In Digital Audio, N. C. Donnangelo, W. S. Kuklinski, R. Szabo, R. A. Coury, G. R. Hamshar

Journal of Digital Forensics, Security and Law

We show that modulation products from local oscillators in a variety of commercial camcorders are coupled into the recorded audio track, creating narrow band time invariant spectral features. These spectral features, left largely intact by transcoding, compression and other forms of audiovisual post processing, can encode characteristics of specific camcorders used to capture the audio files, including the make and model. Using data sets both downloaded from YouTube and collected under controlled laboratory conditions we demonstrate an average probability of detection (Pd) approaching 0.95 for identification of a specific camcorder in a population of thousands of similar recordings, with ...


Factors Influencing Digital Forensic Investigations: Empirical Evaluation Of 12 Years Of Dubai Police Cases, Ibtesam Alawadhi, Janet C. Read, Andrew Marrington, Virginia N. L. Franqueira Jan 2015

Factors Influencing Digital Forensic Investigations: Empirical Evaluation Of 12 Years Of Dubai Police Cases, Ibtesam Alawadhi, Janet C. Read, Andrew Marrington, Virginia N. L. Franqueira

Journal of Digital Forensics, Security and Law

In Digital Forensics, the number of person-hours spent on investigation is a key factor which needs to be kept to a minimum whilst also paying close attention to the authenticity of the evidence. The literature describes challenges behind increasing person-hours and identifies several factors which contribute to this phenomenon. This paper reviews these factors and demonstrates that they do not wholly account for increases in investigation time. Using real case records from the Dubai Police, an extensive study explains the contribution of other factors to the increase in person-hours. We conclude this work by emphasizing on several factors affecting the ...


Cyber Blackbox For Collecting Network Evidence, Jooyoung Lee, Sunoh Choi, Yangseo Choi, Jonghyun Kim, Ikkyun Kim, Youngseok Lee Jan 2015

Cyber Blackbox For Collecting Network Evidence, Jooyoung Lee, Sunoh Choi, Yangseo Choi, Jonghyun Kim, Ikkyun Kim, Youngseok Lee

Australian Digital Forensics Conference

In recent years, the hottest topics in the security field are related to the advanced and persistent attacks. As an approach to solve this problem, we propose a cyber blackbox which collects and preserves network traffic on a virtual volume based WORM device, called EvidenceLock to ensure data integrity for security and forensic analysis. As a strategy to retain traffic for long enough periods, we introduce a deduplication method. Also this paper includes a study on the network evidence which is collected and preserved for analyzing the cause of cyber incident. Then, a method is proposed to suggest a starting ...


An Empirical Comparison Of Widely Adopted Hash Functions In Digital Forensics: Does The Programming Language And Operating System Make A Difference?, Satyendra Gurjar, Ibrahim Baggili, Frank Breitinger, Alice E. Fischer Jan 2015

An Empirical Comparison Of Widely Adopted Hash Functions In Digital Forensics: Does The Programming Language And Operating System Make A Difference?, Satyendra Gurjar, Ibrahim Baggili, Frank Breitinger, Alice E. Fischer

Electrical & Computer Engineering and Computer Science Faculty Publications

Hash functions are widespread in computer sciences and have a wide range of applications such as ensuring integrity in cryptographic protocols, structuring database entries (hash tables) or identifying known files in forensic investigations. Besides their cryptographic requirements, a fundamental property of hash functions is efficient and easy computation which is especially important in digital forensics due to the large amount of data that needs to be processed when working on cases. In this paper, we correlate the runtime efficiency of common hashing algorithms (MD5, SHA-family) and their implementation. Our empirical comparison focuses on C-OpenSSL, Python, Ruby, Java on Windows and ...


Preliminary Forensic Analysis Of The Xbox One, Jason Moore, Ibrahim Baggili, Andrew Marrington, Armindo Rodrigues Aug 2014

Preliminary Forensic Analysis Of The Xbox One, Jason Moore, Ibrahim Baggili, Andrew Marrington, Armindo Rodrigues

Electrical & Computer Engineering and Computer Science Faculty Publications

Video game consoles can no longer be viewed as just gaming consoles but rather as full multimedia machines, capable of desktop computer-like performance. The past has shown that game consoles have been used in criminal activities such as extortion, identity theft, and child pornography, but with their ever-increasing capabilities, the likelihood of the expansion of criminal activities conducted on or over the consoles increases. This research aimed to take the initial step of understanding the Xbox One, the most powerful Microsoft console to date. We report the outcome of conducting a forensic examination of the Xbox One, and we provide ...


On The Database Lookup Problem Of Approximate Matching, Frank Breitinger, Harald Baier, Douglas White May 2014

On The Database Lookup Problem Of Approximate Matching, Frank Breitinger, Harald Baier, Douglas White

Electrical & Computer Engineering and Computer Science Faculty Publications

Investigating seized devices within digital forensics gets more and more difficult due to the increasing amount of data. Hence, a common procedure uses automated file identification which reduces the amount of data an investigator has to look at by hand. Besides identifying exact duplicates, which is mostly solved using cryptographic hash functions, it is also helpful to detect similar data by applying approximate matching.

Let x denote the number of digests in a database, then the lookup for a single similarity digest has the complexity of O(x). In other words, the digest has to be compared against all digests ...


Testing Framework For Mobile Device Forensics Tools, Maxwell Anobah, Shahzad Saleem, Oliver Popov Jan 2014

Testing Framework For Mobile Device Forensics Tools, Maxwell Anobah, Shahzad Saleem, Oliver Popov

Journal of Digital Forensics, Security and Law

The proliferation of mobile communication and computing devices, in particular smart mobile phones, is almost paralleled with the increasing number of mobile device forensics tools in the market. Each mobile forensics tool vendor, on one hand claims to have a tool that is best in terms of performance, while on the other hand each tool vendor seems to be using different standards for testing their tools and thereby defining what support means differently. To overcome this problem, a testing framework based on a series of tests ranging from basic forensics tasks such as file system reconstruction up to more complex ...


Quantifying Relevance Of Mobile Digital Evidence As They Relate To Case Types: A Survey And A Guide For Best Practice, Shahzad Saleem, Ibrahim Baggili, Oliver Popov Jan 2014

Quantifying Relevance Of Mobile Digital Evidence As They Relate To Case Types: A Survey And A Guide For Best Practice, Shahzad Saleem, Ibrahim Baggili, Oliver Popov

Journal of Digital Forensics, Security and Law

In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as child pornography). 97 % of the respondents agreed that every type of digital evidence has a different level of relevance to further or solve a particular investigation. From 55 serious participants, a dataset of 5,772 responses regarding the relevance of nineteen types of digital evidence for all the seven types of digital investigations was obtained. The results showed that (i) SMS belongs to the most relevant type ...


A Study Of Forensic Imaging In The Absence Of Write-Blockers, Gary C. Kessler, Gregory H. Carlton Jan 2014

A Study Of Forensic Imaging In The Absence Of Write-Blockers, Gary C. Kessler, Gregory H. Carlton

Security Studies & International Affairs - Daytona Beach

"Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker are immediately suspect. This paper describes a research framework that compares forensic images acquired with and without utilizing write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking ...


An Efficient Similarity Digests Database Lookup – A Logarithmic Divide & Conquer Approach, Frank Breitinger, Christian Rathgeb, Harald Baier Jan 2014

An Efficient Similarity Digests Database Lookup – A Logarithmic Divide & Conquer Approach, Frank Breitinger, Christian Rathgeb, Harald Baier

Journal of Digital Forensics, Security and Law

Investigating seized devices within digital forensics represents a challenging task due to the increasing amount of data. Common procedures utilize automated file identification, which reduces the amount of data an investigator has to examine manually. In the past years the research field of approximate matching arises to detect similar data. However, if n denotes the number of similarity digests in a database, then the lookup for a single similarity digest is of complexity of O(n). This paper presents a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(n) to O(log(n)). Our ...


Using Internet Artifacts To Profile A Child Pornography Suspect, Marcus K. Rogers, Kathryn C. Seigfried-Spellar Jan 2014

Using Internet Artifacts To Profile A Child Pornography Suspect, Marcus K. Rogers, Kathryn C. Seigfried-Spellar

Journal of Digital Forensics, Security and Law

Digital evidence plays a crucial role in child pornography investigations. However, in the following case study, the authors argue that the behavioral analysis or “profiling” of digital evidence can also play a vital role in child pornography investigations. The following case study assessed the Internet Browsing History (Internet Explorer Bookmarks, Mozilla Bookmarks, and Mozilla History) from a suspected child pornography user’s computer. The suspect in this case claimed to be conducting an ad hoc law enforcement investigation. After the URLs were classified (Neutral; Adult Porn; Child Porn; Adult Dating sites; Pictures from Social Networking Profiles; Chat Sessions; Bestiality; Data ...


Audit: Automated Disk Investigation Toolkit, Umit Karabiyik, Sudhir Aggarwal Jan 2014

Audit: Automated Disk Investigation Toolkit, Umit Karabiyik, Sudhir Aggarwal

Journal of Digital Forensics, Security and Law

Software tools designed for disk analysis play a critical role today in forensics investigations. However, these digital forensics tools are often difficult to use, usually task specific, and generally require professionally trained users with IT backgrounds. The relevant tools are also often open source requiring additional technical knowledge and proper configuration. This makes it difficult for investigators without some computer science background to easily conduct the needed disk analysis. In this paper, we present AUDIT, a novel automated disk investigation toolkit that supports investigations conducted by non-expert (in IT and disk technology) and expert investigators. Our proof of concept design ...