In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is performed on the image files. The differential analysis allows us to quantify and explain the alterations made to the image files by the bootable CD/DVD examination. Our approach can be used to experimentally validate new bootable CD/DVD distributions as forensically sound.
- Computer crime
- Computer hardware
- Computer operating systems
- Electronic crime countermeasures
- Hash functions
- Image acquisition
- Image analysis
- Bootable CD
- Bootable examination environment
- Differential analysis
- Forensic analysis
- Forensic examinations
- Hash value
- Image files
- Linux distributions
- Computer forensics
Available at: http://works.bepress.com/farkhund-iqbal/115/
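
The before/after comparison described in the abstract can be sketched as follows. This is an added example, not code from the paper: it assumes raw (dd-style) image files, SHA-256 as the hash, and 512-byte sectors, and all function names are hypothetical.

```python
import hashlib, tempfile
from pathlib import Path

SECTOR = 512  # assumed sector size; the abstract does not state one

def image_digest(path, algo="sha256", chunk=1 << 20):
    """Hash an image file in chunks (the algorithm choice is an assumption)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def changed_sector_ranges(before, after, sector=SECTOR, batch=2048):
    """Return inclusive (first, last) sector ranges where the images differ."""
    ranges, base = [], 0
    with open(before, "rb") as fb, open(after, "rb") as fa:
        while True:
            a, b = fb.read(sector * batch), fa.read(sector * batch)
            if not a and not b:
                break
            n = -(-max(len(a), len(b)) // sector)  # sectors in this batch
            if a != b:  # only walk sectors when the batch differs
                for i in range(n):
                    if a[i * sector:(i + 1) * sector] != b[i * sector:(i + 1) * sector]:
                        s = base + i
                        if ranges and ranges[-1][1] == s - 1:
                            ranges[-1][1] = s  # extend the current run
                        else:
                            ranges.append([s, s])
            base += n
    return [tuple(r) for r in ranges]

def compare_images(before, after):
    # Hash both images; run the sector diff only if the hashes disagree.
    h1, h2 = image_digest(before), image_digest(after)
    changed = [] if h1 == h2 else changed_sector_ranges(before, after)
    return {"match": h1 == h2, "before": h1, "after": h2, "changed": changed}

def demo():
    """Constructed sample: an 8-sector image with sectors 2-3 and 6 altered."""
    pre = bytes(SECTOR * 8)
    post = bytearray(pre)
    post[2 * SECTOR:4 * SECTOR] = b"\x01" * (2 * SECTOR)
    post[6 * SECTOR + 10] = 0xFF
    with tempfile.TemporaryDirectory() as d:
        p1, p2 = Path(d) / "before.img", Path(d) / "after.img"
        p1.write_bytes(pre)
        p2.write_bytes(bytes(post))
        return compare_images(p1, p2)
```

The returned sector ranges are the starting point for explaining each alteration, for example by mapping them to the file system structures that occupy those sectors.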