In a computer forensic investigation, there is always a gap between the time required to make data from the evidence visible and the time at which investigators need that data in order to evaluate it: on the one hand, the processing time required for the analysis of existing and deleted data; on the other hand, the time that elapses before potentially existing data becomes visible. This is data the investigator needs immediately, because it can be crucial for solving the case. The motivation for this master thesis is to shorten the time that elapses until the first sighting of data.

More and more often, offenders try to disguise their illegal activities on data carriers with new methods and acquired expertise. Therefore, it is important for the investigator to be able to access hidden or deleted data. Depending on the amount of data and its complexity, this often entails immense processing time. The first step of the forensic process is to create a forensic clone of a disk image and store it in a file, a clone meaning a copy of the evidence data. All further forensic investigations are then made on this copy.

In special cases, such as terrorism or hostage-taking, a very short reaction time applies: the data on the evidence must be accessed without changing the evidence itself (e.g., by changing timestamps). With the results of the forensic investigation, follow-up measures can then be identified and initiated, and these follow-up measures must take place immediately. Under certain circumstances, indications of further attacks, accomplices or escape routes can be obtained from this data. This could prevent imminent actions, save lives and/or lead to the arrest of the perpetrators, which in turn prevents further acts. None of this would be possible without an immediate inspection of the data.

Following the well-tried method, a lot of time would be lost before the first data from the evidence could be used. To produce this result, Information Technology (IT) specialists (forensic scientists) are needed to process the data and make it available to the investigator in an appropriate manner, so that the investigator can use it in the ongoing investigation. This takes a lot of time. Time and knowledge are currently the limits of this method.

The aim of this master thesis is to study whether an investigator without special IT know-how can obtain the required data in the shortest possible time. Two ways are conceivable: on the one hand, using standard Linux programs to mount partitions from the evidence (hard disk or image); on the other hand, using standard Linux programs to virtualize the evidence as a "Virtual Machine", in a new way. The detailed results would then be available in a much shorter time, even without an IT specialist. If the investigator is able to view the data on the evidence, he can review the possible data contents of the applications (e-mail, chats, internet protocol, own documents, recently used documents, etc.). He does not need any particular knowledge of the structure of the file system used; he can simply start the applications and watch the results as if he were operating the physical PC. It may then be very important to use this data in the ongoing investigation and to deduce further follow-up measures.
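The first of the two approaches, mounting partitions from the evidence image with standard Linux programs, needs two things that the text only implies: the byte offset of each partition inside the image (a disk image starts with a partition table, not with a file system), and mount options that stop the file system driver from writing to the image during the mount, since a journal replay on ext4 or XFS would alter the evidence (including timestamps). The following example is added here and is not code from the thesis; it builds a constructed MBR partition table, parses it the way `fdisk -l` would, and prints `mount` commands with read-only options taken from mount(8) (`ro,noload` for ext4, `ro,norecovery` for XFS). The image path and mount points are placeholders.

```python
import struct

SECTOR = 512  # byte size of one logical sector in an MBR image


def build_sample_mbr(partitions):
    """Construct a 512-byte MBR with up to four primary partition entries.

    partitions: list of (type_byte, start_lba, sector_count).
    This is a constructed sample for the example, not a real evidence image.
    """
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        off = 446 + 16 * i  # partition entries start at byte 446
        # status, CHS start (unused here), type, CHS end (unused), LBA start, sectors
        mbr[off:off + 16] = struct.pack("<B3sB3sII", 0x00, b"\xff\xff\xff",
                                        ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty primary partition entries with their byte offsets.

    Raises ValueError when the 0x55AA signature is missing, which is the
    first sign that the image is not MBR-partitioned (e.g. GPT or a bare
    file system) and must not be fed blindly into mount.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs_s, ptype, _chs_e, start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0 or count == 0:  # empty slot
            continue
        parts.append({
            "index": i + 1,
            "type": ptype,
            "start_lba": start,
            "sectors": count,
            "offset_bytes": start * SECTOR,  # what mount -o offset= needs
            "size_bytes": count * SECTOR,
        })
    return parts


# Read-only options per file system, from mount(8): 'ro' alone still lets
# ext4/XFS replay their journal and write to the image; noload/norecovery
# suppress that. Other file systems fall back to plain 'ro'.
FS_OPTIONS = {
    "ext4": "ro,noload",
    "xfs": "ro,norecovery",
}


def mount_command(image_path, part, mountpoint, fstype):
    """Build the mount command for one parsed partition (string only, not run)."""
    opts = FS_OPTIONS.get(fstype, "ro")
    return (f"mount -t {fstype} -o {opts},noexec,nodev,loop,"
            f"offset={part['offset_bytes']},sizelimit={part['size_bytes']} "
            f"{image_path} {mountpoint}")


if __name__ == "__main__":
    # Two constructed Linux partitions (type 0x83): 100 MiB at LBA 2048, 200 MiB after it.
    sample = build_sample_mbr([(0x83, 2048, 204800), (0x83, 206848, 409600)])
    for p in parse_mbr(sample):
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"offset {p['offset_bytes']} size {p['size_bytes']}")
        print("  ", mount_command("/evidence/disk.dd", p,
                                  f"/mnt/evidence/p{p['index']}", "ext4"))
```

Before and after mounting, hash the image file (for example with `sha256sum`) and compare the two values; an unchanged hash is the check that the read-only options actually held. Attaching the image first with `losetup -r -P` (read-only, with partition scanning) is an equivalent route that makes the kernel compute the same offsets.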