Digital Evidence Analysis: Data Carving and Search String Tools
On this page, find:
The Role of Data Carving and Search Strings in Uncovering Useful Data
Investigators need to search electronic devices for digital evidence. When searching for names, phone numbers, addresses and
other information, law enforcement officers use sequences of words or phrases known as "search strings." Giving the large
amounts of information stored on electronic devices, investigators need tools that will help find data relevant to a particular
case, a process known as "data carving."
Three Problems With Current Tools That Create Waste and Redundancy
- Lack of automated tools. Search strings aim to find specific pieces of information within a database or collection of files,
but without any automated computer tools, investigators could spends days trying to manually gather useful results.
- Basic search tools miss important evidence. Poorly constructed search strings can compound problems, as these searches may
yield inaccurate data while overlooking crucial evidence. Current search tools can locate simple key terms and words, but
they are unable to perform advanced and robust inquiries, which are vital to thorough forensic work.
- No method for sharing search strings. Law enforcement officers have also identified problems concerning the lack of sharing
and communication between investigators. Similar cases could use the same search strings, meaning that search strings for
one case could be reused in subsequent investigations. However, there currently is no method for sharing search strings that
investigators have found to be effective.
NIJ is funding research at the University of Rhode Island's Digital Forensics Center that aims to produce better data-carving
The current project, still under development, intends to give law enforcement a data-carving tool that could:
- Automatically generate search expressions based on keywords and data entered by the investigator.
- Reduce time spent creating and using search strings.
- Create advanced search string syntax for in-depth analyses.
- Store previously created search expressions.
- Compile a searchable repository for law enforcement search strings.
- Allow investigators to test search strings and comment on accuracy of stored search terms.
The tool will be distributed for free to state and local law enforcement and will be compatible with current digital forensics
software. The expected launch is as soon as fall 2010.
Date Modified: December 3, 2010