Forensic analysis commonly involves searching for personal identifiable information in an investigation case. However, current popular digital forensic tools are developed and maintained by companies in the United States of America (USA) and thus some of their unique identifiers are specific only to USA such as the Social Security Number (SSN).
An Inland Revenue Department (IRD) number is a unique identifier, which is used for taxation purposes in New Zealand and can provide evidence in a digital investigation such as perpetrator identity, transaction information and electronic fraud.
This thesis has designed and developed a bulk_extractor feature scanner to detect and validate IRD numbers (features). The IRD scanner is tested on training data sets to ensure the functionality works correctly. A large real world data set is then used to determine scanner effectiveness and efficiency between similar digital forensic tools in a realistic investigation scenario. A post processing technique is used to determine the disk volume split between different computer artefacts such as unallocated space, windows file, documents, deleted files, etc.
The real world data set testing highlighted a very high number of false positive features detected by the IRD scanner. To combat this, a post processing technique was used to identify forensically interesting IRD numbers by performing a feature context search. The post processing findings proved that feature context searching is an effective data reduction technique that identified a low number of directly relevant IRD numbers.
