Determining the Origin of Downloaded Files Using Metadata Associations

Determining the “origin of a file” in a file system is often required during digital investigations. While the problem of “origin of a file” appears intractable in isolation, it often becomes simpler if one considers the environmental context, viz., the presence of browser history, cache logs, cookies and so on. Metadata can help bridge this contextual gap. Majority of the current tools, with their search-and-query interface, while enabling extraction of metadata stops short of leading the investigator to the “associations” that metadata potentially point to, thereby enabling an approach to solving the “origin of a file” problem. In this paper, we develop a method to identify the origin of files downloaded from the Internet using metadata based associations. Metadata based associations are derived though metadata value matches on the digital artifacts and the artifacts thus associated, are grouped together automatically. These associations can reveal certain higher-order relationships across different sources such as file systems and log files. We define four relationships between files on file systems and log records in log files which we use to determine the origin of a particular file. The files in question are tracked from the user file system under examination to the different browser logs generated during a user’s online activity to their points of origin in the Internet.