A Digital Body Farm for Collecting Deleted File Decay Data.

IFIP WG 11.9 International Conference on Digital Forensics (2022)

Abstract
Recovering deleted data can be a time-consuming task during digital forensic investigations. As tedious as the task is, it may not produce useful results. New files written to locations containing previously-deleted file data may render some or even all of the deleted file unrecoverable. Insights into the factors that influence deleted file decay are required to enable digital forensic professionals to determine if attempting file recovery is a wise use of time. Significant research efforts have focused on deleted file decay, but gaps in knowledge still exist. This chapter discusses an attempt at collecting data to help discover how deleted file content decays over time in computing systems running the Microsoft New Technology Filesystem (NTFS). In particular, it describes the implementation of a digital body farm that uses differential analysis to monitor and record patterns of decay as deleted data are erased or overwritten on secondary storage media attached to a live system. The collection of realistic file decay data and relevant system parameters can be used to create a model that provides useful insights into the deleted file decay process.
Keywords
File decay data, digital body farm, data persistence, decay patterns