Cyber forensics, Computer forensics, Hashing (Computer science)
Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security
In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.
Mohamed, Ahmed F.A.L.; Marrington, Andrew; Iqbal, Farkhund; and Baggili, Ibrahim, "Testing the Forensic Soundness of Forensic Examination Environments on Bootable Media" (2014). Electrical & Computer Engineering and Computer Science Faculty Publications. 12.
Mohamed, A. F. A. L., Marrington, A., Iqbal, F., & Baggili, I. (2014). Testing the forensic soundness of forensic examination environments on bootable media. From the Fourteenth Annual DFRWS Conference. Digital Investigation, 11, S22-S29.