In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.
- Computer crime
- Computer hardware
- Computer operating systems
- Electronic crime countermeasures
- Hash functions
- Image acquisition
- Image analysis
- Bootable CD
- Bootable examination environment
- Differential analysis
- Forensic analysis
- Forensic examinations
- Hash value
- Image files
- Linux distributions
- Computer forensics
Available at: http://works.bepress.com/andrew-marrington/34/
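
The hash-then-diff procedure the abstract describes, as an added Python example that is not code from the paper: it hashes the before and after images and, on a mismatch, lists the runs of sectors that differ. The 512-byte sector size, the function names and the constructed demo images are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size; the abstract does not state one

def sha256_file(path, chunk=1 << 20):
    """Hash an image file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def changed_sector_runs(before, after, sector=SECTOR):
    """Return [(first, last), ...] inclusive runs of sectors that differ."""
    runs, start, idx = [], None, 0
    with open(before, "rb") as a, open(after, "rb") as b:
        while True:
            sa, sb = a.read(sector), b.read(sector)
            if not sa and not sb:
                break
            if sa != sb and start is None:
                start = idx              # a run of altered sectors begins
            elif sa == sb and start is not None:
                runs.append((start, idx - 1))
                start = None
            idx += 1                     # a size mismatch counts as altered
    if start is not None:
        runs.append((start, idx - 1))
    return runs

def compare_images(before, after):
    """Compare hashes first; diff sector by sector only when they disagree."""
    match = sha256_file(before) == sha256_file(after)
    runs = [] if match else changed_sector_runs(before, after)
    changed = sum(last - first + 1 for first, last in runs)
    return {"match": match, "runs": runs, "changed_sectors": changed}

def make_demo_images(directory):
    """Constructed sample: 64-sector image; copy with sectors 8, 9, 40 altered."""
    data = bytearray(os.urandom(64 * SECTOR))
    before = os.path.join(directory, "before.dd")
    after = os.path.join(directory, "after.dd")
    with open(before, "wb") as f:
        f.write(data)
    for offset in (8 * SECTOR, 9 * SECTOR + 5, 40 * SECTOR + 100):
        data[offset] ^= 0xFF             # flip one byte in each chosen sector
    with open(after, "wb") as f:
        f.write(data)
    return before, after

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(compare_images(*make_demo_images(d)))
```

Mapping the reported sector runs back to partitions and file system structures is the step that explains an alteration; this sketch only quantifies it.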