Digital tool marks (DTMs): a forensic analysis of file wiping software

• Published in: Australian journal of forensic sciences Vol. 53; no. 1; pp. 96 - 111
• Main Author: Horsman, Graeme
• Format: Journal Article
• Language: English
• Published: Clovelly Taylor & Francis 02.01.2021; Copyright Agency Limited (Distributor)
• Subjects: Applications programs; Computer forensics; Computer programs; deletion; Digital forensic science; digital forensics; digital tool marks; File wiping; FORENSIC MEDICINE; Forensic science; forensics; MEDIA; Medical jurisprudence; METADATA; recovery; Software; SOFTWARE PROTECTION
• ISSN: 0045-0618; 1834-562X
• DOI: 10.1080/00450618.2019.1640793

Whilst difficult to ascertain the full extent to which so called anti-forensic software applications are in use by the public, their threat to an investigation of digital content is tangible, where of particular interest is the use of file wiping tools, which remains the focus of this work. This work presents the examination of eight freely available wiping tools in order to identify the existence of 'digital tool marks' (DMTs) left on a system following their use. Further attempts are made to ascertain whether such DTMs can be attributable to a particular wiping tool. Analysis is focused on the impact each tool has on system at a file system level, where in this work both FAT32 and NTFS are the subject of investigation. DMTs relating to each wiping tool are provided and recoverable file system metadata post-wipe is described.