Abstract
In a computer forensic investigation there is always a gap between the time it takes to make data from a piece of evidence visible and the time at which investigators need that data in order to evaluate it: on one side, the processing time required to analyse existing and deleted data; on the other side, the time that elapses before potentially existing data becomes visible at all. The investigator needs this data immediately, because it can be crucial for solving the case.
The motivation for this master thesis is to shorten the time that has to be invested before the first sighting of the data.
More and more often, offenders try to disguise their illegal activities on data carriers with new methods and acquired expertise. It is therefore important for the investigator to be able to access hidden or deleted data. Depending on the amount of data and its complexity, this often entails immense processing time. The first step of the forensic process is to create a forensic clone of the disk (or disk image), i.e. a copy of the evidence data stored in an image file. All further forensic investigation is then performed on this copy.
In special cases, such as terrorism or hostage-taking, a very short reaction time applies: data must be accessible from the evidence without altering the evidence itself (e.g. changing timestamps). The results of the forensic investigation allow follow-up measures to be recognised and initiated, and these follow-up measures must take place immediately. Under certain circumstances this data can yield indications of further attacks, accomplices or escape routes. Acting on them can prevent imminent actions, save lives and/or lead to the arrest of the perpetrators, which in turn prevents further acts. None of this is possible without an immediate inspection of the data, and with the well-tried method a lot of time is lost before the first data from the evidence can be used.
To produce this result, Information Technology (IT) specialists (forensic scientists) are needed to process the data and make it available to the investigator in a form the investigator can use in the ongoing investigation. This takes a lot of time. Time and specialist knowledge are currently the limits of this method.
The aim of this master thesis is to study whether an investigator without this special IT know-how can obtain the required data, and everything attached to it, in the shortest possible time.
Two approaches are conceivable: on the one hand, using standard Linux programs to mount partitions from the evidence (hard disk or image); on the other hand, using standard Linux programs to virtualize the evidence as a "Virtual Machine", which is a new approach. The detailed results would then be available in a much shorter time, even without an IT specialist. If the investigator is able to view the data of the evidence, he can review the possible data contents of the applications (e-mail, chats, internet protocol, own documents and recently used documents, etc.). He does not need any particular knowledge of the structure of the file system in use; he can simply start the applications and watch the results as if he were operating the physical PC. It may then be very important to use this data in the ongoing investigation and to derive further follow-up measures from it.
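As an added example (not code from the thesis), the following Python script shows the core of both approaches just described: it locates the partitions in a raw evidence image and emits, for each one, a mount command that cannot alter the evidence, plus the qemu commands that boot the image as a virtual machine with every write diverted into an overlay file. It assumes an MBR-partitioned raw (dd) image with 512-byte sectors (GPT is not parsed), that MBR type 0x83 holds ext4 (in practice this must be confirmed with blkid or file -s), and that util-linux mount, qemu-img and qemu-system-x86_64 are available. The paths /evidence/disk.dd, /mnt/pN and /tmp/overlay.qcow2 are hypothetical, and the 512-byte MBR is constructed inline as sample input.

```python
"""Read-only triage of a raw evidence image: partition offsets, safe mount
commands and a throw-away VM. Added example, not part of the thesis.

Assumptions: MBR partition table, 512-byte sectors, type 0x83 treated as ext4.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"

# Subset of the well-known MBR partition type IDs, mapped to a mount -t value.
# 0x83 is "Linux native" and may also be ext2/3, XFS or btrfs: confirm with blkid.
PART_TYPES = {0x07: "ntfs", 0x83: "ext4", 0x0C: "vfat"}


def parse_mbr(mbr: bytes) -> List[Dict]:
    """Return the non-empty primary partition entries of a 512-byte MBR.

    Entry layout (16 bytes): status, CHS start (3), type, CHS end (3),
    LBA start (u32 LE), sector count (u32 LE).
    """
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for index in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, 446 + 16 * index)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        parts.append({
            "number": index + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "fs": PART_TYPES.get(ptype, "unknown"),
            "offset": lba_start * SECTOR_SIZE,  # byte offset for mount -o offset=
            "size": sectors * SECTOR_SIZE,
        })
    return parts


def mount_command(image: str, part: Dict, mountpoint: str) -> str:
    """Build a mount command for one partition that cannot alter the evidence.

    ro alone is not enough on a journaling filesystem: ext4 replays its journal
    even on a read-only mount unless noload is given (XFS needs norecovery).
    noatime keeps access timestamps untouched; noexec/nodev/nosuid protect the
    examiner's host from a hostile image. mount sets up the loop device itself
    when the source is a regular file and offset= is given.
    """
    opts = ["ro", "noatime", "noexec", "nodev", "nosuid", f"offset={part['offset']}"]
    if part["fs"] == "ext4":
        opts.append("noload")
    fstype = f"-t {part['fs']} " if part["fs"] != "unknown" else ""
    return f"mount {fstype}-o {','.join(opts)} {image} {mountpoint}"


def vm_commands(image: str, overlay: str) -> List[str]:
    """Boot the evidence as a VM with all writes diverted to a qcow2 overlay.

    The raw image is only the read-only backing file of the overlay, so the
    guest's logs, registry changes and timestamp updates land in the overlay.
    -nic none keeps a possibly compromised guest off the network.
    """
    return [
        f"qemu-img create -f qcow2 -b {image} -F raw {overlay}",
        f"qemu-system-x86_64 -m 2048 -drive file={overlay},format=qcow2 -nic none",
    ]


def sha256_hex(data: bytes) -> str:
    """Hash the evidence before and after work; equal digests show it is unchanged."""
    return hashlib.sha256(data).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample: a bootable Linux partition followed by an NTFS one."""
    entries = [(0x80, 0x83, 2048, 204800), (0x00, 0x07, 206848, 409600)]
    mbr = bytearray(SECTOR_SIZE)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


SAMPLE_MBR = build_sample_mbr()

if __name__ == "__main__":
    image = "/evidence/disk.dd"  # hypothetical path
    before = sha256_hex(SAMPLE_MBR)
    for part in parse_mbr(SAMPLE_MBR):
        print(mount_command(image, part, f"/mnt/p{part['number']}"))
    for cmd in vm_commands(image, "/tmp/overlay.qcow2"):
        print(cmd)
    assert sha256_hex(SAMPLE_MBR) == before  # evidence unchanged by the triage
```

On a real case the same offsets come from the first 512 bytes of the image (dd if=disk.dd bs=512 count=1), the image file itself should be set immutable or hashed before and after, and the VM should only be started from the overlay so that the original clone is never opened for writing.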