Authors: Mohammed I. Al-Saleh; Mona J. Al-Shamaileh
Addresses: Department of Computer Science, Jordan University of Science and Technology, P.O. Box 3030, Irbid, 22110, Jordan ' Department of Computer Science, Jordan University of Science and Technology, P.O. Box 3030, Irbid, 22110, Jordan
Abstract: Digital forensics is an evolving discipline that looks for evidence in electronic devices. It is being utilised in investigating attacks and accusing cyber criminals. As in physical crimes, a cyber criminal might try every possible technique to hide responsibility about a crime. This can be done by manipulating all kinds of traces that could lead investigators to resolve cases. For example, a criminal can delete files, images, network traces, operating system log files, or browsing history. An easy procedure a criminal might follow to conceal crime activities are: 1) create a new user account; 2) commit a crime through the just-created account; 3) delete the account along with all files and directories that belong to it. To counter this kind of anti-forensic actions, this paper collects evidence from deleted user accounts. We seek artefacts in windows event logs, registry hives, RAM, Pagefile, and hard drive. Interestingly, this paper shows that several clues about deleted accounts can be harvested. To the best of our knowledge, we are the first to tackle such a problem.
Keywords: deleted user account; digital forensics; memory artifacts.
International Journal of Electronic Security and Digital Forensics, 2017 Vol.9 No.2, pp.167 - 179
Received: 27 Sep 2016
Accepted: 26 Jan 2017
Published online: 07 Apr 2017 *