Document Type

Article

Publication Date

8-2014

Subject: LCSH

Cyber forensics, Computer forensics, Hashing (Computer science)

Disciplines

Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security

Abstract

In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.

Comments

(C) 2014 Digital Forensics Research Workshop. Published by Elsevier Ltd. All rights reserved. Posted with permission. http://www.dfrws.org/2014/proceedings/DFRWS2014-3.pdf

Dr. Baggili was appointed to the University of New Haven's Elder Family Endowed Chair in 2015.

DOI

10.1016/j.diin.2014.05.015

Publisher Citation

Mohamed, A. F. A. L., Marrington, A., Iqbal, F., & Baggili, I. (2014). Testing the forensic soundness of forensic examination environments on bootable media. From the Fourteenth Annual DFRWS Conference. Digital Investigation, 11, S22-S29.

Download

Check your library

Share

COinS