The number of Child Sexual Abuse Material (CSAM) cases has increased dramatically in recent years. This leads to the need to automate various steps in digital forensic processing, especially for CSAM investigations. For instance if CSAM pictures are found on a device, the investigator aims at finding traces about the origin and possible further dissemination, respectively. In this paper we address this challenge with respect to the widespread Windows operating system. We model different common scenarios of system use by CSAM offenders in the scope of file inbound and outbound transfer channels. This gives us insights about digital traces in the Windows operating system and its applications to get knowledge about origin and possible destination of a file. We review available concepts and applications to support this issue. Furthermore we develop a recursive-based approach and provide a prototype as plugin for the open source application Autopsy. We call our prototype AutoTrack. Our evaluation against the different models of Windows system usage reveals that Autotrack is superior to existing solutions and provides support of an investigator to find digital traces about the origin and possible further dissemination of files. We publish our AutoTrack plugin and thus provide full reproducibility of our approach.    «

The number of Child Sexual Abuse Material (CSAM) cases has increased dramatically in recent years. This leads to the need to automate various steps in digital forensic processing, especially for CSAM investigations. For instance if CSAM pictures are found on a device, the investigator aims at finding traces about the origin and possible further dissemination, respectively. In this paper we address this challenge with respect to the widespread Windows operating system. We model different common s...    »