Assessing the Reliability of Digital Evidence from Live Investigations Involving Encryption

The traditional approach to a digital investigation when a computer system is
encountered in a running state is to remove the power, image the machine using a
write blocker and then analyse the acquired image. This has the advantage of
preserving the contents of the computer’s hard disk at that point in time. However, the
disadvantage of this approach is that the preservation of the disk is at the expense of
volatile data such as that stored in memory, which does not remain once the power is
disconnected. There are an increasing number of situations where this traditional
approach of ‘pulling the plug’ is not ideal since volatile data is relevant to the
investigation; one of these situations is when the machine under investigation is using
encryption. If encrypted data is encountered on a live machine, a live investigation
can be performed to preserve this evidence in a form that can be later analysed.
However, there are a number of difficulties with using evidence obtained from live
investigations that may cause the reliability of such evidence to be questioned. This
research investigates whether digital evidence obtained from live investigations
involving encryption can be considered to be reliable. To determine this, a means of
assessing reliability is established, which involves evaluating digital evidence against
a set of criteria; evidence should be authentic, accurate and complete. This research
considers how traditional digital investigations satisfy these requirements and then
determines the extent to which evidence from live investigations involving encryption
can satisfy the same criteria. This research concludes that it is possible for live digital
evidence to be considered to be reliable, but that reliability of digital evidence
ultimately depends on the specific investigation and the importance of the decision
being made. However, the research provides structured criteria that allow the
reliability of digital evidence to be assessed, demonstrates the use of these criteria in
the context of live digital investigations involving encryption, and shows the extent to
which each can currently be met.

Identifier: oai:union.ndltd.org:CRANFIELD1/oai:dspace.lib.cranfield.ac.uk:1826/4007
Date: 24 November 2009
Creators: Hargreaves, C J
Contributors: Chivers, Prof H
Publisher: Department of Informatics and Sensors
Source Sets: CRANFIELD1
Detected Language: English
Type: Thesis or dissertation, Doctoral, DBA