A computer forensic investigator must find information relevant to a case and also determine what events led to the creation of that information. Much of this information is stored by the operating system: file timestamps, Internet search history, user registry information, usernames and passwords, encrypted files, and many other kinds of data that may be admissible before a court. Depending on how an operating system is designed and implemented, it can hinder or support a digital forensic investigation. In Huebner and Henskens' article, The Role of Operating Systems in Computer Forensics, they present several articles that discuss many of the problems encountered in computer forensics which are associated with operating systems. This report addresses some of the underlying issues in computer forensics in conjunction with the issues raised by Huebner and Henskens. Issues covered include operating system instrumentation, software issues in digital forensics, computer forensics of virtual systems, disk encryption in forensic analysis, and computer forensics case management.

The problem with operating systems used instrumentally for digital forensics is that current digital forensics techniques do not allow full use of an operating system's existing forensic capabilities. For example, live data acquisition requires the acquisition of volatile RAM before the computer is shut down. There is currently no scientifically reliable method for acquiring an image of a system's memory without connecting specialized hardware (Kornblum & Libster). Inserting an external device can itself change the system state, for example by modifying the SYSTEM hive of the registry on a Windows machine, with

...... middle of paper ......

monitoring a virtual machine allowing the user to extract information from it without affecting its functionality or state (Flores & Atkison).
From a forensic point of view, this is very useful because it allows the investigator to perform a live analysis of the virtual machine without affecting the state of the machine. A problem with introspection is that what the hypervisor exposes is only a raw representation of the guest's data. The data is difficult to understand because the guest operating system's native application programming interface is not available to interpret it. The inability to obtain high-level data from low-level data is known as the semantic gap (Flores & Atkison). One solution to bridge the semantic gap is to create extensions from the existing forensic framework and combine them with VMI methodologies.
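The following is an added illustration of the semantic gap, not code from the essay, from Huebner and Henskens, or from Flores and Atkison. It assumes a hypothetical guest kernel that keeps its processes in a circular doubly linked list of fixed-layout records (the layout is invented for this example) and a hypervisor that exposes guest physical memory as a flat byte string. The raw view is what introspection alone provides; the walker bridges the gap by applying the record layout, the same role a forensic framework's OS profile plays, while guarding against out-of-range pointers and lists that never return to their head.

```python
"""
Bridging the VMI semantic gap: interpret raw guest memory as a process list.

Hypothetical record layout (little-endian, constructed for this example):
    offset 0x00  u64  flink   physical address of the next record
    offset 0x08  u64  blink   physical address of the previous record
    offset 0x10  u32  pid
    offset 0x14  char name[16], NUL padded
"""
import struct

REC_FMT = "<QQI16s"                  # flink, blink, pid, name
REC_SIZE = struct.calcsize(REC_FMT)  # 36 bytes


def build_guest_memory(procs, base, mem_size):
    """Constructed sample guest memory: records laid out back to back from
    `base`, linked into a circular list. Stands in for a hypervisor dump."""
    mem = bytearray(mem_size)
    n = len(procs)
    for i, (pid, name) in enumerate(procs):
        addr = base + i * REC_SIZE
        flink = base + ((i + 1) % n) * REC_SIZE
        blink = base + ((i - 1) % n) * REC_SIZE
        struct.pack_into(REC_FMT, mem, addr, flink, blink, pid,
                         name.encode("ascii").ljust(16, b"\0"))
    return bytes(mem)


def raw_view(mem, addr, length=REC_SIZE):
    """What introspection alone yields: bytes with no OS semantics attached."""
    return mem[addr:addr + length].hex()


def walk_process_list(mem, head, max_entries=1024):
    """Bridge the gap: follow flink from `head`, decoding each record with the
    known layout. Returns [(pid, name), ...] in list order.

    Stops when the walk returns to an address already visited (the normal
    wrap-around to `head`). Raises ValueError on a pointer that leaves the
    image or on a list longer than `max_entries`, both signs of a corrupted
    or wrong layout rather than something to silently skip."""
    seen = set()
    out = []
    addr = head
    while addr not in seen:
        if addr + REC_SIZE > len(mem) or len(out) >= max_entries:
            raise ValueError(
                f"bad pointer 0x{addr:x} or list too long at entry {len(out)}")
        seen.add(addr)
        flink, _blink, pid, raw_name = struct.unpack_from(REC_FMT, mem, addr)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", errors="replace")
        out.append((pid, name))
        addr = flink
    return out


if __name__ == "__main__":
    # Constructed sample: three guest processes at physical address 0x1000.
    sample = [(4, "System"), (400, "svchost.exe"), (1234, "notepad.exe")]
    guest = build_guest_memory(sample, base=0x1000, mem_size=0x4000)
    print("raw bytes at 0x1000:", raw_view(guest, 0x1000))
    print("decoded process list:", walk_process_list(guest, 0x1000))
```

Without the layout the first line of output is just 72 hex digits; with it the same bytes become a process list. Swapping in a wrong layout, or pointing the walker at memory that is not a list head, is what the ValueError guards catch instead of producing plausible-looking garbage.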