This repository contains the datasets, figures, and supplementary analysis files used in the study:
"SoK: Anti-Forensics Evolution, Platform Coverage, and Mobile Residual Evidence" (2026)
This research provides a comprehensive Systematic Literature Review (SLR) of Anti-Forensics (AF), with a particular focus on Mobile Anti-Forensics (MAF).
The study analyzed 197 primary papers published between 2005 and 2024 to identify AF techniques, platform distribution, and residual forensic artifacts after AF activity.
All data files in this repository directly support the quantitative analyses and visualizations reported in the paper (Sections RQ1–RQ3).
| Section | Description | Files |
|---|---|---|
| RQ1 — Anti-Forensic Techniques Examined | Datasets related to AF taxonomy, extraction outputs, high-level categories, domain-level publication patterns, and yearly trends. | master_paper.xlsx, master_paper.csv, AAF_extraction_output.csv, Domains.csv, publishers_domain_distribution_with_CV.csv, subcategory_pgfplots_data_top15.csv, category_yearly_trends.csv |
| RQ2 — Platform and Device Focus | Data showing platform/device distribution, category distribution across platforms, and percentage-based heatmap data for visualization. | device_type_counts.csv, rq2_platform_totals_unique_papers.csv, category_by_platform_copy.csv, cell5_pct_plot_percent_heatmap.csv |
| RQ3 — Residual Forensic Artifacts on Mobile Devices | Data mapping residual artifacts, their storage locations, platform-level persistence, and artifact-technique relationships across mobile studies. | mobile-artifacts-28-studies.csv, RQ3_mobile_artifacts_studies_18.csv, RQ3_mobile_stack_counts.csv, RQ3_platform_by_type_counts.csv, RQ3_store_by_platform_Android_iOS_only.csv, RQ3_Figure7_store_by_bucket_counts.csv, Location_bucket_count.csv, RQ3_table6_counts.csv, RQ3_table6_pairs_long.csv |
Each dataset is cited within the manuscript and directly supports a corresponding figure or table in the published paper.
Research questions:
- RQ1: What anti-forensic techniques have been examined in the literature, and how have they evolved?
- RQ2: How is AF research distributed across platforms, and to what extent do studies address mobile devices?
- RQ3: What forensic artifacts persist after AF activity on mobile devices, and how can they be categorized?
Key findings:
- RQ1: AF research has evolved from data-hiding and wiping methods to AI-driven adversarial deception.
- RQ2: Research remains dominated by desktop and open systems (Windows, Android), with limited cross-platform validation.
- RQ3: AF rarely achieves full erasure; evidence often persists in SQLite databases, logs, and file-system metadata.
All datasets are provided in .csv format and can be analyzed directly in Python (pandas), R, or Excel.
Column names are self-descriptive and correspond to variables referenced in the paper.
Example (Python):
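```python
import pandas as pd
# Load the RQ2 device-type counts (file name as listed in the RQ2 row of the table above)
df = pd.read_csv("device_type_counts.csv")
# Preview the first rows; print() so the output also shows when run as a script
print(df.head())
```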