In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.
- Computer crime,
- Computer hardware,
- Computer operating systems,
- Electronic crime countermeasures,
- Hash functions,
- Image acquisition,
- Image analysis,
- Bootable CD,
- Bootable examination environment,
- Differential analysis,
- Forensic analysis,
- Forensic examinations,
- Hash value,
- Image files,
- Linux distributions,
- Computer forensics
Available at: http://works.bepress.com/andrew-marrington/34/