COLLOQUIUM ON COMPUTATIONAL SCIENCES AND INFORMATICS – Digital Data Persistence, Decay, and Recovery – Dr. Jim Jones

April 30, 2018 @ 4:30 pm – 5:45 pm
Exploratory Hall, Room 3301
Matthias Renz


Dr. Jim Jones, Associate Professor
Digital Forensics and Cyber Analysis program, ECE Department
George Mason University

Digital Data Persistence, Decay, and Recovery

 Monday, April 30, 4:30-5:45
Exploratory Hall, Room 3301


Digital data dies an uncertain death. Delete a file today, and the content might be entirely destroyed immediately, or maybe some of it survives for a few hours, days, or longer. For a forensic investigator, this is good news – residual fragments of a deleted file might be recoverable days, months, even years after the file was deleted. But why? What factors drive this persistence, and can those factors be understood well enough to predict the decay pattern of different files on different systems and under different circumstances? To help answer this question, we developed a methodology and software tools to trace the contents of a deleted file over time using sequential snapshots. By recording the actions taken between each snapshot, and by conducting controlled experiments with many files, we generate decay curves and datasets which can be subsequently analyzed for factors affecting deleted file content persistence. Understanding these factors can support triage decisions and interpretation of results, e.g., should I expect to find anything on media X from event Y at time T, and what does it mean if I don’t? I will present our methodology and software tools (GitHub: jjonesu/DeletedFilePersistence), as well as a collection of preliminary results on magnetic hard disks, flash memory sticks, SD cards, and embedded flash memory.


Jim Jones is an Associate Professor in the Digital Forensics and Cyber Analysis program within the ECE Department. Dr. Jones earned his Bachelor’s degree from Georgia Tech (Industrial and Systems Engineering, 1989), Master’s degree from Clemson University (Mathematical Sciences, 1995), and PhD from George Mason University (Computational Sciences and Informatics, 2008). He has been a cyber security practitioner, researcher, and educator for over 20 years. During that time, he has led and performed network and system vulnerability and penetration tests, led a cyber incident response team, conducted digital forensics investigations, and taught university courses in cyber security, penetration testing, digital forensics, and programming. Past and current funded research sponsors include DARPA, DHS, NSF, and DoD. His research interests are focused on digital artifact persistence, extraction, analysis, and manipulation.