1. Assessing the reliability of digital evidence from live investigations involving encryption
Hargreaves, Christopher James. January 2009
The traditional approach to a digital investigation when a computer system is encountered in a running state is to remove the power, image the machine using a write blocker and then analyse the acquired image. This has the advantage of preserving the contents of the computer’s hard disk at that point in time. However, the disadvantage of this approach is that the preservation of the disk is at the expense of volatile data such as that stored in memory, which does not remain once the power is disconnected. There are an increasing number of situations where this traditional approach of ‘pulling the plug’ is not ideal since volatile data is relevant to the investigation; one of these situations is when the machine under investigation is using encryption. If encrypted data is encountered on a live machine, a live investigation can be performed to preserve this evidence in a form that can be later analysed. However, there are a number of difficulties with using evidence obtained from live investigations that may cause the reliability of such evidence to be questioned. This research investigates whether digital evidence obtained from live investigations involving encryption can be considered to be reliable. To determine this, a means of assessing reliability is established, which involves evaluating digital evidence against a set of criteria; evidence should be authentic, accurate and complete. This research considers how traditional digital investigations satisfy these requirements and then determines the extent to which evidence from live investigations involving encryption can satisfy the same criteria. This research concludes that it is possible for live digital evidence to be considered to be reliable, but that reliability of digital evidence ultimately depends on the specific investigation and the importance of the decision being made. 
However, the research provides structured criteria that allow the reliability of digital evidence to be assessed, demonstrates the use of these criteria in the context of live digital investigations involving encryption, and shows the extent to which each can currently be met.
2. Assessing the Reliability of Digital Evidence from Live Investigations Involving Encryption
Hargreaves, C J. 24 November 2009