Document Type

Conference Proceeding

Source of Publication

Digital Investigation

Publication Date

1-1-2014

Abstract

In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.

ISSN

1742-2876

Publisher

Digital Forensic Research Workshop

Volume

11

Issue

2

First Page

S22

Last Page

S29

Disciplines

Computer Sciences

Keywords

Computer crime, Computer hardware, Computer operating systems, Electronic crime countermeasures, Hash functions, Image acquisition, Image analysis, Bootable CD, Bootable examination environment, Differential analysis, Forensic analysis, Forensic examinations, Hash value, Image files, Linux distributions, Computer forensics

Scopus ID

84904624668

Indexed in Scopus

yes

Open Access

yes

Open Access Type

Hybrid: This publication is openly available in a subscription-based journal/series

Download

Share

COinS