Electronic Evidence: 4th Edition

This well-established practitioner text provides an exhaustive treatment of electronic evidence. The revised outline for the fourth edition will continue to follow the tradition in English evidence text books by basing the text on the law of England and Wales, with appropriate citations of relevant case law and legislation from other jurisdictions

Digital forensics: A demonstration of the effectiveness of the sleuth kit and autopsy forensic browser

The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system analysis. The Autopsy Forensic Browser is a graphical user interface that provides a user friendly interface to the command line tools contained within The Sleuth Kit. This research project investigates the use of The Sleuth Kit and Autopsy Forensic Browser as forensic investigation tools, with the aim of demonstrating the effectiveness of these tools in real world case studies as digital forensic tools. The research found that The Sleuth Kit and Autopsy Forensic Browser provide an effective file system analysis toolset. The flexibility of the tools contained within The Sleuth Kit often lead to complex command line strings, the complexity of which is overcome by the automation provided by the Autopsy Forensic Browser. Not only do The Sleuth Kit and Autopsy Forensic browser provide an effective toolset, they also offer an affordable alternative to expensive commercial or proprietary based toolsets. Digital Forensics is an area of increasing importance with an expanding field of coverage requiring many different tools to help perform varying functions. It is with this in mind that the focus of this research project is three case studies that are utilised to demonstrate the effectiveness of The Sleuth Kit and Autopsy Forensic Browser. The demonstration of The Sleuth Kit and Autopsy Forensic Browser contained within the case studies could serve as an introductory overview of a new toolset for investigators looking for an alternative or complementary Digital Forensics toolset.UnpublishedNIJ, Solicitation for Concept Papers - Electronic Crime Research and Development. 2005. p. 1-13. Carrier, B., Open Source Digital Forensic Tools: The Legal Argument. 2002. Farmer, D. and W. Venema. The Coroners Toolkit Project Page. 2004 [cited; Available from: httpi//wwwporcupine.org/forensics/tct.html. Vacca, J.R., Computer Forensics: Computer Crime Scene Investigation. 2002, Hingham, Massachusetts: David F. Pallai. 731. Casio Computer Company Ltd. Casio E-Data Bank Watches. 2005 [cited; Available from: http://world.casio.com/pacific/wat/e_data/. MacSema Inc. Contact Memory Button (CMB'S). 2001 [cited; Available from: http://www.macsema.com/buttonmemory.htrn. Wikimedia Foundation. Wikipedia - Data Recovery Definition. 2005 [cited; Available from: http://en.wikipedia.org/wiki/Data recovery. Lee, H., T. Palmbach, and M. Miller, Henry Lee's Crime Scene Handbook. 2001, London: Academic Press. Ltd, C.F.N. Data Recovery & Computer Investigations. 2005 [cited; Available from: http://www.datarecovery.co.nz/datarecovery/ index.html?source=adwords-datarecov. New Zealand Police E-crime Lab. Fighting e-crime in New Zealand. 2002 [cited; Available from: http://www.police.govt.nz/service/ecrime/. Wikimedia Foundation. Wikipedia - Sulphonylurea Definition. 2005 [cited; Available from: http://en.wikipedia.org/wiki/Sulphonylurea. NZHerald.co.nz. Jury quick to convict doctor of murder. 2001 [cited; Available from: http://www.nzherald.co.nz/index.cfm?Ob'ectiD=229152. Police, N.Z. New Zealand Police Youth Education Service. 2005 [cited; Available from: http://www.police.govt.nz/service/yes/. Police, N.Z. Keeping Ourselves Safe. 2005 [cited; Available from: http://www.police. ovt.nz/service/yes/resources/violence/kos.html. Farmer, D. and W. Venema, Forensic Discovery. 2004: Addison-Wesley. Office of e-Government. Forensic Plan. 2004 [cited; Available from: http://www.egov.dpc.wa.gov.au/. Gutmann, P., Secure Deletion of Data from Magnetic and Solid-State Memory, in Sixth USENIX Security Symposium Proceedings. 1996, University of Auckland. Gutmann, P. Data Remanence in Semiconductor Devices. 2001 [cited. Carrier, B., File System Forensic Analysis. 2005: Addison-Wesley. Optical Storage Technology Association. Understanding CD-R CD-RW Disc Longevity. 2001 [cited; Available from: http://www.osta.org/technolo /cda13.htm. Instruments, V. Veeco Instruments Web Site. 2005 [cited; Available from: http://www.veeco.com/. Garfinkel, S.L. and A. Shelat, Remembrance of Data Passed: A Study of Disk Sanitization Practices. 2003, Massachusetts Institute of Technology. American Institute of Physics. Heisenberg - Quantum Mechanics, 1925 - 1927: The Uncertainty Principle. 2005 [cited; Available from: http://www.aip.org/history/heisenberg/p08.htm. Seagate. Seagate Barracuda 7200.8 ST3400832A Specs. 2005 [cited; Available from: http://www.seagate.com/cda/products/discsales/marketing/detail/0.html. ACPO. ALPO Good Practice Guide to Computer Based Evidence. 2003 [cited; Version 3.0:[Available from: http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf. New Technologies Inc. File Slack Defined. 2004 [cited; Available from: http://www.forensics-intl.com/def6.html. PCTechGuide. Hard Disks. 2003 [cited; Available from: http://www.pctechguide.com/04disks.htm. Wikimedia Foundation. Wikipedia - Endianness. 2005 [cited; Available from: http://en.wiki edia.or /wiki/Biendian. 29. www.lookuptables.com. ASCII Table and Description. 2005 [cited; Available from: http://www.lookuptables.com/. Inc, U. Unicode Home Page. 2005 [cited; Available from: http://www .unicode.org/ Inc, U. Unicode v4.1.0. 2005 [cited; Available from: http://www.unicode.org/versions/Unicode4.1.0/. Microsoft. FAT32 File System Specification. 2000 [cited; Available from: http://www.microsoft ..oiT!/vvlidc/system/platform/fin-nware/fa en.ms x: Carrier, B. The Sleuth Kit and Autopsy Project Page. 2004 [cited; Available from: http://www.sleuthkit.org. Brzitwa, M. gpart - Guess PC-type hard disk partitions. 2001 [cited; Available from: http://www.stud.uni-hannover.de/user/76201/gpart/. cgSecurity. TestDisk - Tool to check and undelete partition. 2005 [cited; Available from: htt.://www.c_ security.org/index.html?testdisk.html. PJRC. Understanding FAT32 Filesystems. 2005 [cited; Available from: http://www.pjrc.com/tech/8051/ide/fat32.html. Brouwer, A. Partition Types. 2005 [cited; Available from: http://www.win.tue.n1/~aeb/partitions/partition_types.html. Microsoft. Encrypting File System Overview. 2005 [cited; Available from: http://www.microsoft.com/resources/documentation/windows/x /all/proddocs/ en-us/encrypt_overview.mspx. PGP Corporation. PGP Corporation Website. 2005 [cited; Available from: http://www.com/. Devine, C. Encrypted Root Filesystem HOWTO. 2005 [cited; Available from: http://linuxfromscratch.org/~devine/erfs-howto.html Wolfe, H., Penetrating Encrypted Evidence. Journal of Digital Investigation, 2004. 1(2). "@stake". "gstake.com". 2004 [cited; Available from: http://www.atstake.com/. NIST. National Software Reference Library. [Project Web Site] 2004 [cited; Available from: http://www.nsrl.nist.gov/index.html. The Honeynet Project. The Honeynet Project Website. The Honeynet Project 2004 [cited; Available from: http://www.honeynet.org/misc/project.html. The Honeynet Project. The Honeynet Project Scan of the Month 24. The Honeynet Project 2001 [cited; Available from: http://www.honeynet.org/scans/scan24/. The Honeynet Project. The Honeynet Project Scan of the Month 26. The Honeynet Project 2002 [cited; Available from: http://www.honeynet.org/scans/scan26/. The Honeynet Project. The Honeynet Project Forensic Challenge. The Honeynet Project 2001 [cited; Available from: http://www.honeynet.org/challenge/index.html. Digital Forensic Research Workshop. Digital Forensic Research Workshop website. 2005 [cited; Available from: http://www.dfrws.org/. 49. Hamilton, E. JPEG File Interchange Format v1.02. 1992 [cited; Available from: http://www.w3.org/Graphics/JPEG/. Kessler, G. File Signature Table. 2005 [cited; Available from: http//www.garykessler.net/library/file_sigs.html. United States Air Force Office of Special Investigation. Foremost - Webpage. 2005 [cited; Available from: http://foremost.sourceforge.net/. Provos, N. Stegdetect - Webpage. 2005 [cited; Available from: http//www.outguess.org/. NeoByte Solutions. Invisible Secrets - Webpage. 2005 [cited; Available from: http://www.invisiblesecrets.com/. Roesch, M. SNORT. 2005 [cited; Available from: http://www.snort.org/. Roesller, T. Lastlog File Analyser Source File. 2000 [cited; Available from: http://www.honeynet.org/challenge/results/submissions/roessler/files/lastlog.c. CERT/CC. CERT® Coordination Center (CERT/CC). 2005 [cited; Available from: http://www.cert.org/nav/index_main.html. CERT/CC. CERT® Advisory CA-2000-17 Input Validation Problem in rpc.statd. 2000 [cited; Available from: http://www.cert.org/advisories/CA- 2000-17.html. Red Hat Network. Revised advisory: Updated package for nfs-utils available. 2000 [cited; Available from: https://rhn.redhat.com/errata/RHSA-2000- 043.html

Digital Forensics: A Demonstration of the Effectiveness of The Sleuth Kit and Autopsy Forensic Browser

The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system analysis. The Autopsy Forensic Browser is a graphical user interface that provides a user friendly interface to the command line tools contained within The Sleuth Kit. This research project investigates the use of The Sleuth Kit and Autopsy Forensic Browser as forensic investigation tools, with the aim of demonstrating the effectiveness of these tools in real world case studies as digital forensic tools. The research found that The Sleuth Kit and Autopsy Forensic Browser provide an effective file system analysis toolset. The flexibility of the tools contained within The Sleuth Kit often lead to complex command line strings, the complexity of which is overcome by the automation provided by the Autopsy Forensic Browser. Not only do The Sleuth Kit and Autopsy Forensic browser provide an effective toolset, they also offer an affordable alternative to expensive commercial or proprietary based toolsets. Digital Forensics is an area of increasing importance with an expanding field of coverage requiring many different tools to help perform varying functions. It is with this in mind that the focus of this research project is three case studies that are utilised to demonstrate the effectiveness of The Sleuth Kit and Autopsy Forensic Browser. The demonstration of The Sleuth Kit and Autopsy Forensic Browser contained within the case studies could serve as an introductory overview of a new toolset for investigators looking for an alternative or complementary Digital Forensics toolset.NIJ, Solicitation for Concept Papers - Electronic Crime Research and Development. 2005. p. 1-13. Carrier, B., Open Source Digital Forensic Tools: The Legal Argument. 2002. Farmer, D. and W. Venema. The Coroners Toolkit Project Page. 2004 [cited; Available from: httpi//wwwporcupine.org/forensics/tct.html. Vacca, J.R., Computer Forensics: Computer Crime Scene Investigation. 2002, Hingham, Massachusetts: David F. Pallai. 731. Casio Computer Company Ltd. Casio E-Data Bank Watches. 2005 [cited; Available from: http://world.casio.com/pacific/wat/e_data/. MacSema Inc. Contact Memory Button (CMB'S). 2001 [cited; Available from: http://www.macsema.com/buttonmemory.htrn. Wikimedia Foundation. Wikipedia - Data Recovery Definition. 2005 [cited; Available from: http://en.wikipedia.org/wiki/Data recovery. Lee, H., T. Palmbach, and M. Miller, Henry Lee's Crime Scene Handbook. 2001, London: Academic Press. Ltd, C.F.N. Data Recovery & Computer Investigations. 2005 [cited; Available from: http://www.datarecovery.co.nz/datarecovery/ index.html?source=adwords-datarecov. New Zealand Police E-crime Lab. Fighting e-crime in New Zealand. 2002 [cited; Available from: http://www.police.govt.nz/service/ecrime/. Wikimedia Foundation. Wikipedia - Sulphonylurea Definition. 2005 [cited; Available from: http://en.wikipedia.org/wiki/Sulphonylurea. NZHerald.co.nz. Jury quick to convict doctor of murder. 2001 [cited; Available from: http://www.nzherald.co.nz/index.cfm?Ob'ectiD=229152. Police, N.Z. New Zealand Police Youth Education Service. 2005 [cited; Available from: http://www.police.govt.nz/service/yes/. Police, N.Z. Keeping Ourselves Safe. 2005 [cited; Available from: http://www.police. ovt.nz/service/yes/resources/violence/kos.html. Farmer, D. and W. Venema, Forensic Discovery. 2004: Addison-Wesley. Office of e-Government. Forensic Plan. 2004 [cited; Available from: http://www.egov.dpc.wa.gov.au/. Gutmann, P., Secure Deletion of Data from Magnetic and Solid-State Memory, in Sixth USENIX Security Symposium Proceedings. 1996, University of Auckland. Gutmann, P. Data Remanence in Semiconductor Devices. 2001 [cited. Carrier, B., File System Forensic Analysis. 2005: Addison-Wesley. Optical Storage Technology Association. Understanding CD-R CD-RW Disc Longevity. 2001 [cited; Available from: http://www.osta.org/technolo /cda13.htm. Instruments, V. Veeco Instruments Web Site. 2005 [cited; Available from: http://www.veeco.com/. Garfinkel, S.L. and A. Shelat, Remembrance of Data Passed: A Study of Disk Sanitization Practices. 2003, Massachusetts Institute of Technology. American Institute of Physics. Heisenberg - Quantum Mechanics, 1925 - 1927: The Uncertainty Principle. 2005 [cited; Available from: http://www.aip.org/history/heisenberg/p08.htm. Seagate. Seagate Barracuda 7200.8 ST3400832A Specs. 2005 [cited; Available from: http://www.seagate.com/cda/products/discsales/marketing/detail/0.html. ACPO. ALPO Good Practice Guide to Computer Based Evidence. 2003 [cited; Version 3.0:[Available from: http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf. New Technologies Inc. File Slack Defined. 2004 [cited; Available from: http://www.forensics-intl.com/def6.html. PCTechGuide. Hard Disks. 2003 [cited; Available from: http://www.pctechguide.com/04disks.htm. Wikimedia Foundation. Wikipedia - Endianness. 2005 [cited; Available from: http://en.wiki edia.or /wiki/Biendian. 29. www.lookuptables.com. ASCII Table and Description. 2005 [cited; Available from: http://www.lookuptables.com/. Inc, U. Unicode Home Page. 2005 [cited; Available from: http://www .unicode.org/ Inc, U. Unicode v4.1.0. 2005 [cited; Available from: http://www.unicode.org/versions/Unicode4.1.0/. Microsoft. FAT32 File System Specification. 2000 [cited; Available from: http://www.microsoft ..oiT!/vvlidc/system/platform/fin-nware/fa en.ms x: Carrier, B. The Sleuth Kit and Autopsy Project Page. 2004 [cited; Available from: http://www.sleuthkit.org. Brzitwa, M. gpart - Guess PC-type hard disk partitions. 2001 [cited; Available from: http://www.stud.uni-hannover.de/user/76201/gpart/. cgSecurity. TestDisk - Tool to check and undelete partition. 2005 [cited; Available from: htt.://www.c_ security.org/index.html?testdisk.html. PJRC. Understanding FAT32 Filesystems. 2005 [cited; Available from: http://www.pjrc.com/tech/8051/ide/fat32.html. Brouwer, A. Partition Types. 2005 [cited; Available from: http://www.win.tue.n1/~aeb/partitions/partition_types.html. Microsoft. Encrypting File System Overview. 2005 [cited; Available from: http://www.microsoft.com/resources/documentation/windows/x /all/proddocs/ en-us/encrypt_overview.mspx. PGP Corporation. PGP Corporation Website. 2005 [cited; Available from: http://www.com/. Devine, C. Encrypted Root Filesystem HOWTO. 2005 [cited; Available from: http://linuxfromscratch.org/~devine/erfs-howto.html Wolfe, H., Penetrating Encrypted Evidence. Journal of Digital Investigation, 2004. 1(2). "@stake". "gstake.com". 2004 [cited; Available from: http://www.atstake.com/. NIST. National Software Reference Library. [Project Web Site] 2004 [cited; Available from: http://www.nsrl.nist.gov/index.html. The Honeynet Project. The Honeynet Project Website. The Honeynet Project 2004 [cited; Available from: http://www.honeynet.org/misc/project.html. The Honeynet Project. The Honeynet Project Scan of the Month 24. The Honeynet Project 2001 [cited; Available from: http://www.honeynet.org/scans/scan24/. The Honeynet Project. The Honeynet Project Scan of the Month 26. The Honeynet Project 2002 [cited; Available from: http://www.honeynet.org/scans/scan26/. The Honeynet Project. The Honeynet Project Forensic Challenge. The Honeynet Project 2001 [cited; Available from: http://www.honeynet.org/challenge/index.html. Digital Forensic Research Workshop. Digital Forensic Research Workshop website. 2005 [cited; Available from: http://www.dfrws.org/. 49. Hamilton, E. JPEG File Interchange Format v1.02. 1992 [cited; Available from: http://www.w3.org/Graphics/JPEG/. Kessler, G. File Signature Table. 2005 [cited; Available from: http//www.garykessler.net/library/file_sigs.html. United States Air Force Office of Special Investigation. Foremost - Webpage. 2005 [cited; Available from: http://foremost.sourceforge.net/. Provos, N. Stegdetect - Webpage. 2005 [cited; Available from: http//www.outguess.org/. NeoByte Solutions. Invisible Secrets - Webpage. 2005 [cited; Available from: http://www.invisiblesecrets.com/. Roesch, M. SNORT. 2005 [cited; Available from: http://www.snort.org/. Roesller, T. Lastlog File Analyser Source File. 2000 [cited; Available from: http://www.honeynet.org/challenge/results/submissions/roessler/files/lastlog.c. CERT/CC. CERT® Coordination Center (CERT/CC). 2005 [cited; Available from: http://www.cert.org/nav/index_main.html. CERT/CC. CERT® Advisory CA-2000-17 Input Validation Problem in rpc.statd. 2000 [cited; Available from: http://www.cert.org/advisories/CA- 2000-17.html. Red Hat Network. Revised advisory: Updated package for nfs-utils available. 2000 [cited; Available from: https://rhn.redhat.com/errata/RHSA-2000- 043.html

Digital forensics: A demonstration of the effectiveness of the sleuth kit and autopsy forensic browser

The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system analysis. The Autopsy Forensic Browser is a graphical user interface that provides a user friendly interface to the command line tools contained within The Sleuth Kit. This research project investigates the use of The Sleuth Kit and Autopsy Forensic Browser as forensic investigation tools, with the aim of demonstrating the effectiveness of these tools in real world case studies as digital forensic tools. The research found that The Sleuth Kit and Autopsy Forensic Browser provide an effective file system analysis toolset. The flexibility of the tools contained within The Sleuth Kit often lead to complex command line strings, the complexity of which is overcome by the automation provided by the Autopsy Forensic Browser. Not only do The Sleuth Kit and Autopsy Forensic browser provide an effective toolset, they also offer an affordable alternative to expensive commercial or proprietary based toolsets. Digital Forensics is an area of increasing importance with an expanding field of coverage requiring many different tools to help perform varying functions. It is with this in mind that the focus of this research project is three case studies that are utilised to demonstrate the effectiveness of The Sleuth Kit and Autopsy Forensic Browser. The demonstration of The Sleuth Kit and Autopsy Forensic Browser contained within the case studies could serve as an introductory overview of a new toolset for investigators looking for an alternative or complementary Digital Forensics toolset.UnpublishedNIJ, Solicitation for Concept Papers - Electronic Crime Research and Development. 2005. p. 1-13. Carrier, B., Open Source Digital Forensic Tools: The Legal Argument. 2002. Farmer, D. and W. Venema. The Coroners Toolkit Project Page. 2004 [cited; Available from: httpi//wwwporcupine.org/forensics/tct.html. Vacca, J.R., Computer Forensics: Computer Crime Scene Investigation. 2002, Hingham, Massachusetts: David F. Pallai. 731. Casio Computer Company Ltd. Casio E-Data Bank Watches. 2005 [cited; Available from: http://world.casio.com/pacific/wat/e_data/. MacSema Inc. Contact Memory Button (CMB'S). 2001 [cited; Available from: http://www.macsema.com/buttonmemory.htrn. Wikimedia Foundation. Wikipedia - Data Recovery Definition. 2005 [cited; Available from: http://en.wikipedia.org/wiki/Data recovery. Lee, H., T. Palmbach, and M. Miller, Henry Lee's Crime Scene Handbook. 2001, London: Academic Press. Ltd, C.F.N. Data Recovery & Computer Investigations. 2005 [cited; Available from: http://www.datarecovery.co.nz/datarecovery/ index.html?source=adwords-datarecov. New Zealand Police E-crime Lab. Fighting e-crime in New Zealand. 2002 [cited; Available from: http://www.police.govt.nz/service/ecrime/. Wikimedia Foundation. Wikipedia - Sulphonylurea Definition. 2005 [cited; Available from: http://en.wikipedia.org/wiki/Sulphonylurea. NZHerald.co.nz. Jury quick to convict doctor of murder. 2001 [cited; Available from: http://www.nzherald.co.nz/index.cfm?Ob'ectiD=229152. Police, N.Z. New Zealand Police Youth Education Service. 2005 [cited; Available from: http://www.police.govt.nz/service/yes/. Police, N.Z. Keeping Ourselves Safe. 2005 [cited; Available from: http://www.police. ovt.nz/service/yes/resources/violence/kos.html. Farmer, D. and W. Venema, Forensic Discovery. 2004: Addison-Wesley. Office of e-Government. Forensic Plan. 2004 [cited; Available from: http://www.egov.dpc.wa.gov.au/. Gutmann, P., Secure Deletion of Data from Magnetic and Solid-State Memory, in Sixth USENIX Security Symposium Proceedings. 1996, University of Auckland. Gutmann, P. Data Remanence in Semiconductor Devices. 2001 [cited. Carrier, B., File System Forensic Analysis. 2005: Addison-Wesley. Optical Storage Technology Association. Understanding CD-R CD-RW Disc Longevity. 2001 [cited; Available from: http://www.osta.org/technolo /cda13.htm. Instruments, V. Veeco Instruments Web Site. 2005 [cited; Available from: http://www.veeco.com/. Garfinkel, S.L. and A. Shelat, Remembrance of Data Passed: A Study of Disk Sanitization Practices. 2003, Massachusetts Institute of Technology. American Institute of Physics. Heisenberg - Quantum Mechanics, 1925 - 1927: The Uncertainty Principle. 2005 [cited; Available from: http://www.aip.org/history/heisenberg/p08.htm. Seagate. Seagate Barracuda 7200.8 ST3400832A Specs. 2005 [cited; Available from: http://www.seagate.com/cda/products/discsales/marketing/detail/0.html. ACPO. ALPO Good Practice Guide to Computer Based Evidence. 2003 [cited; Version 3.0:[Available from: http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf. New Technologies Inc. File Slack Defined. 2004 [cited; Available from: http://www.forensics-intl.com/def6.html. PCTechGuide. Hard Disks. 2003 [cited; Available from: http://www.pctechguide.com/04disks.htm. Wikimedia Foundation. Wikipedia - Endianness. 2005 [cited; Available from: http://en.wiki edia.or /wiki/Biendian. 29. www.lookuptables.com. ASCII Table and Description. 2005 [cited; Available from: http://www.lookuptables.com/. Inc, U. Unicode Home Page. 2005 [cited; Available from: http://www .unicode.org/ Inc, U. Unicode v4.1.0. 2005 [cited; Available from: http://www.unicode.org/versions/Unicode4.1.0/. Microsoft. FAT32 File System Specification. 2000 [cited; Available from: http://www.microsoft ..oiT!/vvlidc/system/platform/fin-nware/fa en.ms x: Carrier, B. The Sleuth Kit and Autopsy Project Page. 2004 [cited; Available from: http://www.sleuthkit.org. Brzitwa, M. gpart - Guess PC-type hard disk partitions. 2001 [cited; Available from: http://www.stud.uni-hannover.de/user/76201/gpart/. cgSecurity. TestDisk - Tool to check and undelete partition. 2005 [cited; Available from: htt.://www.c_ security.org/index.html?testdisk.html. PJRC. Understanding FAT32 Filesystems. 2005 [cited; Available from: http://www.pjrc.com/tech/8051/ide/fat32.html. Brouwer, A. Partition Types. 2005 [cited; Available from: http://www.win.tue.n1/~aeb/partitions/partition_types.html. Microsoft. Encrypting File System Overview. 2005 [cited; Available from: http://www.microsoft.com/resources/documentation/windows/x /all/proddocs/ en-us/encrypt_overview.mspx. PGP Corporation. PGP Corporation Website. 2005 [cited; Available from: http://www.com/. Devine, C. Encrypted Root Filesystem HOWTO. 2005 [cited; Available from: http://linuxfromscratch.org/~devine/erfs-howto.html Wolfe, H., Penetrating Encrypted Evidence. Journal of Digital Investigation, 2004. 1(2). "@stake". "gstake.com". 2004 [cited; Available from: http://www.atstake.com/. NIST. National Software Reference Library. [Project Web Site] 2004 [cited; Available from: http://www.nsrl.nist.gov/index.html. The Honeynet Project. The Honeynet Project Website. The Honeynet Project 2004 [cited; Available from: http://www.honeynet.org/misc/project.html. The Honeynet Project. The Honeynet Project Scan of the Month 24. The Honeynet Project 2001 [cited; Available from: http://www.honeynet.org/scans/scan24/. The Honeynet Project. The Honeynet Project Scan of the Month 26. The Honeynet Project 2002 [cited; Available from: http://www.honeynet.org/scans/scan26/. The Honeynet Project. The Honeynet Project Forensic Challenge. The Honeynet Project 2001 [cited; Available from: http://www.honeynet.org/challenge/index.html. Digital Forensic Research Workshop. Digital Forensic Research Workshop website. 2005 [cited; Available from: http://www.dfrws.org/. 49. Hamilton, E. JPEG File Interchange Format v1.02. 1992 [cited; Available from: http://www.w3.org/Graphics/JPEG/. Kessler, G. File Signature Table. 2005 [cited; Available from: http//www.garykessler.net/library/file_sigs.html. United States Air Force Office of Special Investigation. Foremost - Webpage. 2005 [cited; Available from: http://foremost.sourceforge.net/. Provos, N. Stegdetect - Webpage. 2005 [cited; Available from: http//www.outguess.org/. NeoByte Solutions. Invisible Secrets - Webpage. 2005 [cited; Available from: http://www.invisiblesecrets.com/. Roesch, M. SNORT. 2005 [cited; Available from: http://www.snort.org/. Roesller, T. Lastlog File Analyser Source File. 2000 [cited; Available from: http://www.honeynet.org/challenge/results/submissions/roessler/files/lastlog.c. CERT/CC. CERT® Coordination Center (CERT/CC). 2005 [cited; Available from: http://www.cert.org/nav/index_main.html. CERT/CC. CERT® Advisory CA-2000-17 Input Validation Problem in rpc.statd. 2000 [cited; Available from: http://www.cert.org/advisories/CA- 2000-17.html. Red Hat Network. Revised advisory: Updated package for nfs-utils available. 2000 [cited; Available from: https://rhn.redhat.com/errata/RHSA-2000- 043.html