Do you dare to try Test-Driven Forensics? Increasing Trust in Desktop Forensics with ADARE
arXiv SecurityArchived May 28, 2026✓ Full text saved
arXiv:2605.28476v1 Announce Type: new Abstract: Digital forensic relies on validated tools and established procedures, yet the underlying operating systems, applications, and analysis tools evolve rapidly. This evolution can cause artifact behavior and tool outputs to drift, silently degrading repeatability and confidence in long-lived forensic interpretations. We present test-driven forensics, a practical approach that treats forensic expectations as executable specifications: expected artifact
Full text archived locally
✦ AI Summary· Claude Sonnet
Computer Science > Cryptography and Security
[Submitted on 27 May 2026]
Do you dare to try Test-Driven Forensics? Increasing Trust in Desktop Forensics with ADARE
Michael Külper, Martin Lambertz, Mariia Rybalka
Digital forensic relies on validated tools and established procedures, yet the underlying operating systems, applications, and analysis tools evolve rapidly. This evolution can cause artifact behavior and tool outputs to drift, silently degrading repeatability and confidence in long-lived forensic interpretations. We present test-driven forensics, a practical approach that treats forensic expectations as executable specifications: expected artifacts and expected tool outputs are encoded as tests that can be rerun across versions to detect regressions. Crucially, our approach also enables State Transition Testing, validating the system's expected state after each user action rather than only performing post-mortem checks on a final disk image; this supports causal attribution and makes transient behavior testable. We implement the methodology in ADARE, an open-source framework that runs controlled experiments in virtual machines and simulates realistic user activity via computer-vision-guided GUI automation. ADARE includes a companion web platform for sharing experiments, environments, and results to facilitate independent reruns and peer verification. We evaluate ADARE in five case studies spanning artifact research and tool validation. In particular, a 25-version regression study of Autopsy reveals substantial, largely undocumented changes in exported report outputs, demonstrating how executable tests make drift measurable and reproducible at scale.
Subjects: Cryptography and Security (cs.CR)
ACM classes: K.6.5; D.2.5
Cite as: arXiv:2605.28476 [cs.CR]
(or arXiv:2605.28476v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2605.28476
Focus to learn more
Submission history
From: Michael Külper [view email]
[v1] Wed, 27 May 2026 13:38:06 UTC (656 KB)
Access Paper:
HTML (experimental)
view license
Current browse context:
cs.CR
< prev | next >
new | recent | 2026-05
Change to browse by:
cs
References & Citations
NASA ADS
Google Scholar
Semantic Scholar
Export BibTeX Citation
Bookmark
Bibliographic Tools
Bibliographic and Citation Tools
Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
Connected Papers Toggle
Connected Papers (What is Connected Papers?)
Litmaps Toggle
Litmaps (What is Litmaps?)
scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
Code, Data, Media
Demos
Related Papers
About arXivLabs
Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)