The DFIR Research list is a list of potential digital forensic and incident response research projects contributed by community members in hopes of these topics being researched with information disclosed publicly. The AboutDFIR.com team hopes that this can help those new to the field or researchers looking for relevant topics to pursue. This is a great opportunity to propose topics that you have not had time to research or resources you wish existed within the #DFIR and #InfoSec communities. This is also an opportunity for researchers and mentors alike to bring together their unique capabilities, skill sets, and knowledge on a project. To contribute to this page you can propose a topic, volunteer to research, or volunteer to mentor. AboutDFIR.com does not own the research (unless explicitly stated or requested by the researchers), nor does it provide any guidance or team oversight. At present, the AboutDFIR.com team is strictly providing a central location and repository for the betterment of the community at large.
Looking to submit a Research Idea or Request? Use the form.
Research Ideas
| Topic | Description |
|---|---|
| Chain of Custody from Cloud Providers | Potential solution for cloud-based artifacts to establish/maintain chain of custody could be the use of private/public key encryption combined with a secure server at a fusion center, or other law enforcement controlled location. Warrant information served to the cloud provider would include instructions to encrypt the responsive data using a public PGP key and then send the data to the requester via a trusted, encrypted FTP server. Issues involved would include what encryption to use, what SFTP service to use, how much volume the network would need to handle, and finally, how to keep track of all of the returned information to provide to the requesting offices. |
| Forensic Tool Testing and Verification Policy | Survey Law Enforcement lab policy on forensic tool testing as well as tool artifact verification.Masyer's thesis research |
| Image Creation: Android Marshmallow (6.x) | Forensic image for public consumption, testing, and educational purposes of device running Android Marshmallow (6.x) with robust documentation |
| Image Creation: Android Pie (9.x) | Forensic image for public consumption, testing, and educational purposes of device running Android Pie (9.x) with robust documentation. |
| Image Creation: iOS 10 | Forensic image for public consumption, testing, and educational purposes of device running iOS 10 with robust documentation |
| Image Creation: iOS 11 | Forensic image for public consumption, testing, and educational purposes of device running iOS 11 with robust documentation |
| Image Creation: Windows 10 | Forensic image for public consumption, testing, and educational purposes of device running Windows 10 with robust documentation. |
| ISP pinout for Alexa Show | Easy for someone with experience, but there is a fair amount of training or experience and equipment required to perform this work. |
| Memory Acquisition | Compare the data obtained and acquisition time/ease of use of current memory acquisition tools on Windows 10. |
| Parsing iOS and Android Operating Systems Methodology | In depth methodology for parsing iOS and Android OS artifacts utilizing APOLLO, ILEAPP, and ALEAP, along with Magnet Axiom. Explore different storage methods of user data such as, sqlite, protobuf, real, flat files, xml, and json. |
| Search Engines: Baidu.com | Baidu.com search engine URL parsing. |
| Search Engines: Bing.com | Bing.com search engine URL parsing. |
| Search Engines: Quora.com | Quora.com search engine URL parsing. |
| Search Engines: Yahoo.com | Yahoo.com search engine URL parsing. |
| SIM card/PUK Unlocking | PUK unlocking for SIM Cards |
| Volatile Memory Acquisition in FreeBSD | Generation of forensically sound memory images with minimum smearing in FreeBSD has not been yet achieved. Some preliminary work has been done in (https://github.com/mbhatt1/FreeBmAM). This tool lacks many basic features, for instance TCP support. There also needs to be sound forensic testing for various FreeBSD versions. |
Completed Research
| Topic | Description | Mentor(s) | Researcher(s) | Status | Link | Published Research |
|---|---|---|---|---|---|---|
| ETL files | Focus the study on the folder and content of SleepStudy, where there are several files '.etl' of considerable importance to determine the activity of a Windows 10 system. | Nicole Ibrahim (@nicoleibrahim) | Complete | ETW Event Tracing for Windows and ETL Files | ||
| Google Glass | Identify the time artifacts on Google Glass, Test and verify what exactly these time structures indicate, and provide a way for examiners to create a timeline of activity that happened on Google Glass. | Julie Desautels | Complete | Google Glass Timeline Forensics | Google Glass Forensics||[PDF] | |
| Image Creation: Android Nougat (7.x) | Forensic image for public consumption, testing, and educational purposes of device running Android Nougat (7.x) with robust documentation | Jessica Hyde (@B1N2H3X) | @josh_hickman1 | Complete | Android Nougat (7.x) Image | |
| Image Creation: Android Oreo (8.x) | Forensic image for public consumption, testing, and educational purposes of device running Android Oreo (8.x) with robust documentation | Jessica Hyde (@B1N2H3X) | @josh_hickman1 | Complete | Grab Your Glass of Milk! Android Oreo Image Now Available (8.x) | |
| Image Creation: Android Pie (9.x) | Forensic image for public consumption, testing, and educational purposes of device running Android Pie (9.x) with robust documentation. | @josh_hickman1 | Complete | Android Pie (9.0) Image Is Available. Come Get A Piece! | ||
| Image Virtualization: Android | Virtualization of Windows based images is incredibly useful for investigations, so virtualisation of Android images (both physical and file system images) could be very helpful. | @alexisbrignoni | Complete | Viewing extracted Android app data using an emulator | ||
| IoT Forensics - Amazon Echo | IoT Forensics- Finding reliable sources of Evidence from Amazon Echo | Adhirath Kapoor | Complete | Forensic Analysis of digital evidence extracted from Amazon Echo | ||
| Memory Acquisition | Compare the data obtained and acquisition time/ease of use of current memory acquisition tools on Windows 10. | Marcos Fuentes Martínez, (@_N4rr34n6_) | Complete | Choose your weapon well. Calculate the impact. | ||
| MFT Resident File | To determine the conditions and sizes so that a file is a file resident in the MFT, or is not a file resident in the MFT, as well as to observe its behavior in Windows 7 and Windows 10 systems. | Marcos Fuentes Martínez, (@_N4rr34n6_) | Complete | One byte makes the difference: MFT Resident File | ||
| Mobile Forensics | A Methodology for Verification Testing of Data Evidence in Mobile Forensics | Lorie Hermesdorf (@lor1050) | Complete | A Methodology for Verification Testing of Data Evidence in Mobile Forensics | ||
| Search Engines: Google.com | Google.com search engine URL parsing. | Phill Moore | Complete | Google URL Parsing with GSERPENT | ||
| SleepStudy (ETL) | SleepStudy tracks System activity and provides general information about each session, including uptime and downtime. This type of session begins when the System enters the new modern standby mode and ends when it leaves that state. | Marcos Fuentes Martínez, (@_N4rr34n6_) | Complete | "UserNotPresent", When does Windows understand that the user is not present? |