Analyzing registry, log files, and prefetch files in finding digital evidence in graphic design applications




The products of graphic design applications leave behind traces of digital information which can be used during a digital forensic investigation in cases where counterfeit documents have been created. This paper analyzes the digital forensics involved in the creation of counterfeit documents. This is achieved by first recognizing the digital forensic artifacts left behind from the use of graphic design applications, and then analyzing the files associated with these applications. When analyzing digital forensic artifacts generated by an application, the specific focus is on determining whether the graphic design application was installed, whether the application was used, and determining whether an association can be made between the application’s actions and such a digital crime. This is accomplished by locating such information from the registry, log files and prefetch files. The file analysis involves analyzing files associated with these applications for file signatures and metadata. In the end it becomes possible to determine if a system has been used for creating counterfeit documents or not.


[1] Bloomberg News, “Stocks weaken after Fed Statements, The New York Times”, 12 June 2011.

[2] M. G. Solomon, D. Barett, and N. Broom, Computer Forensics Jumpstart, Sybex, London, 2005, pp. 51.

[3] E. Casey, Digital evidence and computer crime, London, Academic Press, 2000, pp. 10.

[4] Gartner Research, “Which operating system will be 2011’s bestseller”, Accessed 11 August 2011.

[5] D. Jones, “Adobe 2Q Net Up 54% On Broad Sales Gains, Higher Margins”, The Wall Street Journal, Accessed 21 June 2011.

[6] A. Jones, C. Valli, Building a digital forensic laboratory, Burlington, Elsevier, 2008, pp. 285.

[7] F. Cohan, “Towards a science of digital forensic investigation”, IFIP Advances Digital Forensics VI, China, 2010, pp. 17-35.

[8] J. Grama, “Legal issues in information security”, MA, USA, Jones and Bartlett, 2011, pp. 460-471.

[9] M. V. Zelkowitz, Advances in computers; information security. Academic Press-Elsevier, 2009.

[10] Tech Specs,, Accessed 22 June 2011.

[11] “A roadmap for Digital Forensic Research”, Digital Forensic Research Workshop, 2001, pp. 16.

[12] U.S. National Institute of Justice, Electronic Crime Scene Investigation Guide: A guide for First Responders, 2001.

[13] Top Tech News, “Windows 7, Office Drive Record Microsoft Revenue”, Accessed 23 July 2010.

[14] H. Carvey, Windows Forensic Analysis Dvd Toolkit, 2nd Ed., Elsevier, 2009, pp. 296.

[15] I. Rawoot, “Terrorists favour ’easy’ fake SA passports”, Mail and Guardian, 17 June 2011.

[16] H. Carvey, Windows Registry Analysis, 2nd Ed., Elsevier, 2009, pp. 194.

[17] Reglite software,, Accessed 14 July 2011.

[18] Regview,, Accessed 14 July 2011.

[19] T. Padova, “Adobe Acrobat 9 PDF Bible”, Indianapolis, Wiley, 2008.

[20] Winhex,, Accessed 13 June 2011.

[21] Porn detection stick,, Accessed 9 August 2011.

[22] C. Altheide, H. Carvey, Digital Forensics with Open Source tools, Elsevier, MA USA, 2011, pp.2.

[23] J. Ingram, “Criminal evidence”, 11th ed., John C Klotter Justice Administration legal Series, USA, Elsevier, 2012, pp. 846.

[24] Regslack, Downloads,, Accessed September 2011.

[25] G. Kesler, File signatures,, Accessed 19 December 2012.

[26] M. Reddy, Graphic design file format database,, Accessed 19 December 2012.

[27] Adobe XMP, products/ xmp/index.html, Accessed 19 December 2012.

[28] E. K. Mabuto, H. S. Venter, “User-generated evidence from graphic design applications”, International conference on cyber security, cyber warfare and digital forensics, CyberSec2012, pp. 195-200.

[29] Open Source Computer Vision (OpenCV),, Accessed 11 September 2012.

[30] Metadata Extraction Tool,, Accessed 11 July 2012.

[31] J. Bargas, “Brazilian man attempted to open a bank account using a fake Jack Nicholson ID”, International Business Times,, 2 March, 2012.

[32] C. C. Lien, “Fast forgery detection with the intrinsic resampling properties”, Journal of information security, vol. 1, no. 1, 2010, pp. 11-22.

[33] M. C. Stamm, “Forensic detection of image tampering using intrinsic statistical fingerprints in histograms”. APSIPA Annual summit and conference, Japan, 2009, pp. 563-572.

[34] K. Cohen, “Digital Still Camera Forensics”, Small scale digital device forensics Journal, vol. 1, no. 1, June 2007, pp. 2-8.

[35] H. Farid, “Image forgery detection”, IEEE Signal Processing Magazine, 2009, pp. 16-25.

[36] S. Bayram, I. Avcibas, B. Sankur, N. Memon, “Image manipulation detection”, Journal of Electronic Imaging, vol. 15, no. 4, 2006, pp. 41-52.

[37] J. Wang, “Image forensics based on manual blurred edge detection”, Multimedia information networking and security (MINES), 2010, pp. 907-911.

[38] N. Memon, “Photo Forensics”, International workshop on information security, NYU, 2012, pp. 1-27.