Low Budget Forensic Drive Imaging Using Arm Based Single Board Computers

Traditional forensic analysis of hard disks and external media typically involves a powered down machine and “dead analysis” of these devices. Forensic acquisition of hard drives and external media has traditionally been by one of several means: standalone forensic duplicator; using a hardware write-blocker or dock attached to a laptop, computer, workstation, etc., forensic operating systems that live boot from a USB, CD/DVD or virtual machines with preinstalled operating systems. Standalone forensics acquisition and imaging devices generally cost thousands of dollars. In this paper, we propose the use of single board computers as forensic imaging devices. Single board computers can provide a low budget forensic imaging solution that can be used in a lab, remote acquisition, or even be configured as portable imaging devices. This project tests different ARM processor based single board computers and the software available at the present time. The project includes image acquisition using a write-blocker, software write-blockers and without write-blockers to test the various configurations. The final results demonstrate clearly that ARM based single board computers can be used as low cost and low energy forensic imaging devices

The Potential for cross-drive analysis using automated digital forensic timelines

Cross-Drive Analysis (CDA) is a technique designed to allow an investigator to “simultaneously consider information from across a corpus of many data sources”. Existing approaches include multi-drive correlation using text searching, e.g. email addresses, message IDs, credit card numbers or social security numbers. Such techniques have the potential to identify drives of interest from a large set, provide additional information about events that occurred on a single disk, and potentially determine social network membership. Another analysis technique that has significantly advanced in recent years is the use of timelines. Tools currently exist that can extract dates and times from the file system metadata (i.e. MACE times) and also examine the content of certain file types and extract metadata from within. This approach provides a great deal of data that can assist with an investigation, but also compounds the problem of having too much data to examine. A recent paper adds an additional timeline analysis capability, by automatically producing a high-level summary of the activity on a computer system, by combining sets of low-level events into high-level events, for example reducing a setupapi event and several events from the Windows Registry to a single event of ‘a USB stick was connected’. This paper provides an investigation into the extent to which events in such a high-level timeline have the properties suitable to assist with Cross-Drive Analysis. The paper provides several examples that use timelines generated from multiple disk images, including USB stick connections, Skype calls, and access to files on a memory card

Rethinking Digital Forensics

© IAER 2019In the modern socially-driven, knowledge-based virtual computing environment in which organisations are operating, the current digital forensics tools and practices can no longer meet the need for scientific rigour. There has been an exponential increase in the complexity of the networks with the rise of the Internet of Things, cloud technologies and fog computing altering business operations and models. Adding to the problem are the increased capacity of storage devices and the increased diversity of devices that are attached to networks, operating autonomously. We argue that the laws and standards that have been written, the processes, procedures and tools that are in common use are increasingly not capable of ensuring the requirement for scientific integrity. This paper looks at a number of issues with current practice and discusses measures that can be taken to improve the potential of achieving scientific rigour for digital forensics in the current and developing landscapePeer reviewe