Source of Publication
In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.
Digital Forensic Research Workshop
Computer crime, Computer hardware, Computer operating systems, Electronic crime countermeasures, Hash functions, Image acquisition, Image analysis, Bootable CD, Bootable examination environment, Differential analysis, Forensic analysis, Forensic examinations, Hash value, Image files, Linux distributions, Computer forensics
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Mohamed, Ahmed Fathy Abdul Latif; Marrington, Andrew; Iqbal, Farkhund; and Baggili, Ibrahim, "Testing the forensic soundness of forensic examination environments on bootable media" (2014). All Works. 3327.
Indexed in Scopus
Open Access Type
Hybrid: This publication is openly available in a subscription-based journal/series