DFIR Research Ideas

I'm enrolled in Champlain College's M.S. in Digital Forensic Science program, and I'm coming up on my capstone research thesis and project, which I'll begin in the Summer of 2016. The intent is to conduct original research, or expand on existing research, into a problem related to the digital forensics or incident response fields.

I'd like to tackle a useful, immediately practical research topic rather than something more academic or theoretical. So, with that, I'm soliciting research ideas from the DFIR community. What problems have you experienced in your work where you thought more research was needed? Have you ever encountered a situation that you wish you had a better understanding of? Are there any emerging technologies or issues you regularly encounter but for which limited research or understanding exists? Ideas might be related to an operating system, an OS artifact, an application, a forensic technique, etc.

I'm aware of the ForensicWiki research topics and Forensic Focus project ideas pages. I'm considering some of those, although they are of varying ages and some may be of lesser relevance than when they were originally proposed.

Please feel free to leave your comments below. There's no reason to be overly detailed; I'm not asking you to do the research for me! Just a brief statement of what you are interested in will suffice. If I use anyone's idea, or a variation thereof, I'll be sure to provide appropriate attribution.

  1. - Apply nearly anything from Windows to OSX. Even for tools that already exist on OSX, it'd be nice to have a translation guide for folks coming from Windows forensics to OSX to explain what new terms and tools are. Ex. ASEP -> Launchd. Autoruns -> KnockKnock.
     - Much of forensics views systems in isolation, but especially for enterprises, we have thousands of systems that are supposed to be more or less the same and we'd like to see just the differences when doing IR.
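The second suggestion above (look at fleet-wide differences rather than each system in isolation) is essentially frequency analysis, or "stacking", of an artifact across hosts. The following is an added example of that idea and is not code from the post or the commenter: it takes a constructed per-host inventory of persistence entries (the kind of thing launchd labels on OSX or ASEP/autorun entries on Windows would give you), derives a fleet baseline from what most hosts share, and reports only each host's deviations from it. The host names, entry names and the 50% baseline threshold are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample data: one set of persistence entries per host. The host
# names and entry labels are invented for this example; in practice they would
# come from a collection script run across the fleet.
FLEET_INVENTORY = {
    "mac-001": {"com.apple.spotlight", "com.corp.agent", "com.vendor.backup"},
    "mac-002": {"com.apple.spotlight", "com.corp.agent", "com.vendor.backup"},
    "mac-003": {"com.apple.spotlight", "com.corp.agent", "com.vendor.backup"},
    "mac-004": {"com.apple.spotlight", "com.corp.agent", "com.vendor.backup",
                "com.unknown.updater"},
    "mac-005": {"com.apple.spotlight", "com.corp.agent"},
}


def entry_prevalence(inventory):
    """Count on how many hosts each entry appears (the stacking step)."""
    counts = Counter()
    for entries in inventory.values():
        counts.update(entries)
    return counts


def fleet_baseline(inventory, min_fraction=0.5):
    """Entries present on at least min_fraction of hosts form the baseline.

    The 0.5 default is an assumed threshold; an enterprise would tune it per
    artifact and per host role."""
    counts = entry_prevalence(inventory)
    threshold = min_fraction * len(inventory)
    return {entry for entry, count in counts.items() if count >= threshold}


def host_differences(inventory, min_fraction=0.5):
    """Per host, report entries it has beyond the baseline ("extra") and
    baseline entries it is missing ("missing"). Hosts matching the baseline
    exactly are omitted, which is the "just the differences" view."""
    baseline = fleet_baseline(inventory, min_fraction)
    diffs = {}
    for host, entries in inventory.items():
        extra = entries - baseline
        missing = baseline - entries
        if extra or missing:
            diffs[host] = {"extra": sorted(extra), "missing": sorted(missing)}
    return diffs


def rare_entries(inventory, max_hosts=1):
    """Entries seen on max_hosts or fewer hosts, with the hosts they appear on.
    Low-prevalence entries are the usual starting point for triage."""
    where = defaultdict(set)
    for host, entries in inventory.items():
        for entry in entries:
            where[entry].add(host)
    return {entry: sorted(hosts) for entry, hosts in where.items()
            if len(hosts) <= max_hosts}


if __name__ == "__main__":
    for host, diff in sorted(host_differences(FLEET_INVENTORY).items()):
        print(host, diff)
    print(rare_entries(FLEET_INVENTORY))
```

Both "extra" and "missing" matter during IR: an entry present on one host only is the obvious lead, but a baseline entry absent from a host (a security agent that is no longer registered, say) is equally worth a look. The same shape works for any artifact that can be reduced to a set per host (services, scheduled tasks, loaded kernel extensions, browser extensions).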