Source of Publication
Digital Forensic Research Workshop
Keywords
Computer crime; Computer hardware; Computer operating systems; Electronic crime countermeasures; Hash functions; Image acquisition; Image analysis; Bootable CD; Bootable examination environment; Differential analysis; Forensic analysis; Forensic examinations; Hash value; Image files; Linux distributions; Computer forensics
Abstract
In this work we experimentally examine the forensic soundness of using forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs that are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image is acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.
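The before/after workflow described in the abstract (hash both images, and where the hashes differ, quantify exactly which sectors changed) can be illustrated with a small streaming comparison. The following is an added example written for this page; it is not the authors' tooling. It assumes 512-byte sectors (a hypothetical default, adjustable for 4K-sector drives), uses SHA-256 for the image hashes, and operates on constructed in-memory "images" so it runs offline; `compare_image_files` shows the same logic applied to real image files on disk.

```python
"""Added example: before/after image hashing with sector-level differential analysis."""
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors; pass 4096 for 4Kn media


def compare_images(before: BinaryIO, after: BinaryIO, sector_size: int = SECTOR_SIZE) -> Dict:
    """Stream both images sector by sector, hashing each whole image and recording
    every sector whose contents differ. Only the current pair of sectors is held in
    memory, so this works on images far larger than RAM."""
    h_before, h_after = hashlib.sha256(), hashlib.sha256()
    changed: List[int] = []
    changed_bytes = 0
    size_before = size_after = 0
    index = 0
    while True:
        a = before.read(sector_size)
        b = after.read(sector_size)
        if not a and not b:
            break
        h_before.update(a)
        h_after.update(b)
        size_before += len(a)
        size_after += len(b)
        if a != b:
            changed.append(index)
            common = min(len(a), len(b))
            # Count differing byte positions; a length mismatch counts as changed bytes too.
            changed_bytes += sum(1 for x, y in zip(a[:common], b[:common]) if x != y)
            changed_bytes += abs(len(a) - len(b))
        index += 1
    return {
        "sha256_before": h_before.hexdigest(),
        "sha256_after": h_after.hexdigest(),
        "hashes_match": h_before.digest() == h_after.digest(),
        "size_before": size_before,
        "size_after": size_after,
        "changed_sectors": changed,
        "changed_ranges": to_ranges(changed),
        "changed_bytes": changed_bytes,
    }


def to_ranges(sectors: List[int]) -> List[Tuple[int, int]]:
    """Collapse sorted sector indices into inclusive (first, last) runs; contiguous
    runs map more readily onto partition and filesystem structures when explaining
    what the examination environment touched."""
    ranges: List[Tuple[int, int]] = []
    for s in sectors:
        if ranges and ranges[-1][1] == s - 1:
            ranges[-1] = (ranges[-1][0], s)
        else:
            ranges.append((s, s))
    return ranges


def compare_bytes(before: bytes, after: bytes, sector_size: int = SECTOR_SIZE) -> Dict:
    """Convenience wrapper for in-memory images (used by the constructed sample)."""
    return compare_images(io.BytesIO(before), io.BytesIO(after), sector_size)


def compare_image_files(path_before: str, path_after: str, sector_size: int = SECTOR_SIZE) -> Dict:
    """Same comparison over two raw (dd-style) image files acquired before and after."""
    with open(path_before, "rb") as fa, open(path_after, "rb") as fb:
        return compare_images(fa, fb, sector_size)


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample data: a 128-sector 'disk' and a copy in which an
    examination environment is imagined to have rewritten a few sectors (for
    instance a mount flag and two journal sectors). Entirely synthetic."""
    sectors = [bytes([i % 256]) * SECTOR_SIZE for i in range(128)]
    before = b"".join(sectors)
    modified = list(sectors)
    modified[3] = modified[3][:16] + b"MOUNTED-RW-FLAG!" + modified[3][32:]  # 16 bytes altered
    modified[40] = bytes([0xAA]) * SECTOR_SIZE  # whole sector altered
    modified[41] = bytes([0xBB]) * SECTOR_SIZE  # whole sector altered
    return before, b"".join(modified)


if __name__ == "__main__":
    pre, post = build_sample_images()
    result = compare_bytes(pre, post)
    print("hashes match:", result["hashes_match"])
    print("changed sector ranges:", result["changed_ranges"])
    print("changed bytes:", result["changed_bytes"], "of", result["size_before"])
```

On the constructed sample the hashes differ, three sectors (3, 40 and 41) are reported as two contiguous ranges, and 1040 bytes are counted as altered; an unmodified copy compares clean with no changed sectors. The sector ranges are the starting point for the explanatory half of the differential analysis, since they can be mapped against the partition table and filesystem layout to identify which structure the examination environment wrote to.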
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Mohamed, Ahmed Fathy Abdul Latif; Marrington, Andrew; Iqbal, Farkhund; and Baggili, Ibrahim, "Testing the forensic soundness of forensic examination environments on bootable media" (2014). All Works. 3327.
Indexed in Scopus
Open Access Type
Hybrid: This publication is openly available in a subscription-based journal/series