In forensics the analysis of digital data faces major challenges. The volume is growing exponentially and there is a wide variety of devices and formats. Jeroen van den Bos, PhD student at the Centrum Wiskunde & Informatica (CWI) in Amsterdam and software engineer at the Netherlands Forensic Institute (NFI), developed a new approach to develop flexible, automated digital forensics software. The researcher defends his thesis ‘Gathering Evidence’ on January 9th, 2014 at the University of Amsterdam. The results of his research are applied in practice for use in police investigations.
Digital evidence plays an increasing role in forensics. Police and judiciary apply forensic software for acquiring, recovering and analyzing data found on digital storage devices. Forensic software, however, must be continually adapted to deal with new types of information and new types of devices. Additionally, the software should be able to scale to terabytes of data. Van den Bos developed forensic software in which this process can be automated.
Van den Bos’s approach is based on modeling the structure of binary files formats using a domain-specific language (DSL). File format models are input to a code generator which automatically generates high-performance recovery tools. The high-level models are easier to understand and require modification of only a few lines when new versions or variants of file formats are encountered.
In comparison, using traditional techniques this would involve the modification of thousands of lines of low-level program code. Nevertheless, the generated tools compete with industrial forensics tools in terms of runtime performance. Van den Bos’ DSL was designed and implemented using the meta programming language Rascal, which is specifically designed for building DSLs. As a result, the DSL could be designed and prototyped in an incremental and iterative fashion.
As from 1 January 2014, Van den Bos will implement the results of this research at NFI. The research was conducted in the research group Software Analysis and Transformation of CWI. The work of the group involves the development of the meta programming Rascal. The research group stood also at the basis of the successful spin-off Software Improvement Group ( SIG).