Digital forensics concerns the acquisition, recovery and analysis of information on digital devices to answer legal questions. Exponential increases in available storage, as well as growing device adoption by the public, have made manual inspection of all information infeasible. A solution is automated digital forensics, which is the use of software to perform tasks in digital forensics automatically, reducing the time required. Software engineering techniques exist to construct high-performance solutions. However, one requirement complicates the application of standard techniques: handling the high variability in how investigated information is stored. The number of different devices and applications is huge and constantly changing. This leads to a constant stream of required changes to digital forensics software in order to recover as much information as possible.

Factoring out commonality so that the changing aspects of a solution can evolve separately is a supposed strength of model-driven software engineering (MDSE). This separation of concerns is achieved through the use of a domain-specific language (DSL). Changes expressed in this DSL are then automatically applied through the use of transformation tools, which handle fixed requirements such as high performance. The research in this thesis forms an extensive case study in the application of MDSE in the domain of automated digital forensics, using the Rascal metaprogramming language. It provides concrete evidence for the successful application of MDSE in automated digital forensics, and contributes to knowledge about the application of MDSE in general. The implementations illustrate the usefulness of Rascal in DSL engineering.

CWI
P. Klint (Paul)
Universiteit van Amsterdam
T. van der Storm (Tijs)
hdl.handle.net/11245/1.401390
Software Analysis and Transformation

van den Bos, J. (2014, January 9). Gathering evidence: model-driven software engineering in automated digital forensics. CWI. Retrieved from http://hdl.handle.net/11245/1.401390