New digital forensics method for detecting encrypted files proposed at MEPhI
29.03.2016

When an information security incident is discovered, part of the investigation is identifying the motives behind it and the persons involved. Evidence is gathered, and its main sources are most often electronic storage media. Violators can use various techniques to hide or delete forensic evidence; overwriting and file encryption are among the most effective, because, depending on the technique, it becomes very difficult or even impossible to access the file content.

Searching for overwritten files is an important task when examining an electronic storage medium: establishing why data was deleted, and recovering information about the deleted file, can reveal which programs were used, what data was hidden, when the file was used, and so on. If the fact of overwriting goes undetected, traces of data on the medium can be missed, which leads to wrong conclusions in the investigation of the incident.

Anna Epishkina, Acting Head of Department No. 42 “Cryptology and Discrete Mathematics”, is sure that the trend toward broad use of packet data networks will be as widespread in the near future as it is today. “This prospect poses a significant threat of covert use of IP for hidden terminal transmission of restricted-access information over communication channels beyond the boundaries of information objects.”

The “Cryptology and Discrete Mathematics” Department is actively developing new ways of detecting encrypted files. One such data analysis method used in computer forensics has been proposed by department employee V.S. Matveeva.

A mathematical description of the statistical regularities of encrypted files has been obtained, which can be used to find local irregularities in the distribution of the file content.

As a result, a new digital forensics method for detecting encrypted files has been developed that evaluates file contents both locally and as a whole. A software tool for detection has been created that accesses the file contents and evaluates the contents of individual clusters, which makes it possible to work with the free space of the storage medium as well.
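The article does not publish Matveeva's statistics, so the following is an added illustration of the general idea rather than the department's method or tool: well-encrypted data has a nearly flat byte distribution, so each cluster of a storage image can be scored locally (Shannon entropy and a chi-square test against the uniform distribution) and the flagged clusters then viewed together as an integral picture, including clusters in free space. The cluster size, the two thresholds, and the four-cluster sample image are assumptions constructed for the example; the "ciphertext" is a deterministic SHA-256 counter stream standing in for real cipher output so the script runs offline and repeatably.

```python
"""Cluster-level statistical scan for encrypted-looking data (added illustration)."""
import hashlib
import math
from collections import Counter

CLUSTER_SIZE = 4096   # assumed cluster size (NTFS default)
ENTROPY_MIN = 7.5     # assumed threshold, bits per byte; 8.0 is the maximum
CHI_MAX = 400.0       # assumed threshold; uniform data with 255 degrees of
                      # freedom scores about 255 +/- 23, so 400 is far outside


def byte_entropy(block: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0..8)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def chi_square_uniform(block: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution over the 256 byte values. Plaintext and zero-fill score
    far higher than random-looking (encrypted) data."""
    n = len(block)
    if n == 0:
        return float("inf")
    expected = n / 256
    counts = Counter(block)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def looks_encrypted(block: bytes) -> bool:
    """Local test: flag a cluster only when it is both high-entropy and
    statistically indistinguishable from uniform noise."""
    return byte_entropy(block) >= ENTROPY_MIN and chi_square_uniform(block) <= CHI_MAX


def scan_image(image: bytes, cluster_size: int = CLUSTER_SIZE) -> list:
    """Walk the image cluster by cluster (the local evaluation) and report
    each cluster's statistics and verdict. Unallocated and zero-filled
    clusters are scored too, so free space is examined as well."""
    results = []
    for offset in range(0, len(image), cluster_size):
        block = image[offset:offset + cluster_size]
        results.append({
            "cluster": offset // cluster_size,
            "entropy": round(byte_entropy(block), 3),
            "chi_square": round(chi_square_uniform(block), 1),
            "encrypted_like": looks_encrypted(block),
        })
    return results


def encrypted_clusters(image: bytes, cluster_size: int = CLUSTER_SIZE) -> list:
    """Integral view: indices of every cluster that looks encrypted."""
    return [r["cluster"] for r in scan_image(image, cluster_size) if r["encrypted_like"]]


def pseudo_ciphertext(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode. This is
    not encryption; it only reproduces the flat byte distribution that a good
    cipher's output has, so the example is reproducible without a key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_image() -> bytes:
    """Constructed four-cluster 'disk image': a text cluster, zero-filled free
    space, ciphertext-like remnants left in free space, and more text."""
    text = (b"Examination notes: review allocated and unallocated clusters "
            b"of the storage medium for remnants of deleted files. ")
    text_cluster = (text * (CLUSTER_SIZE // len(text) + 1))[:CLUSTER_SIZE]
    free_space = b"\x00" * CLUSTER_SIZE
    return text_cluster + free_space + pseudo_ciphertext(CLUSTER_SIZE) + text_cluster


if __name__ == "__main__":
    for row in scan_image(build_sample_image()):
        print(row)
    print("encrypted-looking clusters:", encrypted_clusters(build_sample_image()))
```

Running the script scores the two text clusters at roughly 4.5 bits per byte with a very large chi-square, the zero-filled cluster at 0 bits, and only the ciphertext-like cluster in free space near 7.95 bits with a chi-square close to 255, so cluster 2 alone is flagged. Real compressed data (archives, JPEG, video) also approaches 8 bits per byte, which is why a practical tool has to combine such block statistics with header and structure checks rather than rely on entropy alone.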