Document Type

Conference Proceeding

Source of Publication

Digital Investigation

Publication Date

1-1-2014

Abstract

In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.

ISSN

1742-2876

Publisher

Digital Forensic Research Workshop

Volume

11

Issue

2

First Page

S22

Last Page

S29

Disciplines

Computer Sciences

Keywords

Computer crime; Computer hardware; Computer operating systems; Electronic crime countermeasures; Hash functions; Image acquisition; Image analysis; Bootable CD; Bootable examination environment; Differential analysis; Forensic analysis; Forensic examinations; Hash value; Image files; Linux distributions; Computer forensics

Scopus ID

84904624668

Indexed in Scopus

yes

Open Access

yes

Open Access Type

Hybrid: This publication is openly available in a subscription-based journal/series
