Show simple item record

dc.contributor.advisor: Franke, Katrin
dc.contributor.advisor: Hansen, Kurt H.
dc.contributor.author: Dumstorff, Horst
dc.date.accessioned: 2019-09-19T14:01:07Z
dc.date.available: 2019-09-19T14:01:07Z
dc.date.issued: 2019
dc.identifier.uri: http://hdl.handle.net/11250/2617760
dc.description.abstract:

In a computer forensic investigation, there is always a divergence between the time required to make data from the evidence visible and the time at which investigators need that data to evaluate it. On the one hand there is the processing time required for the analysis of existing and deleted data; on the other hand there is the time that elapses before potentially existing data becomes visible. This is data the investigator needs immediately, because it can be crucial for solving the case. The motivation for this master thesis is to shorten the time from the start of the investigation until the first sighting of data.

More and more often, offenders try to disguise their illegal activities on data carriers with new methods and acquired expertise. Therefore, it is important for the investigator to be able to access hidden or deleted data. Depending on the amount of data and its complexity, this often entails immense processing time. The first step of the forensic process is to create a forensic clone of a disk image and store it in a file, a clone being a copy of the evidence data. Further forensic investigations are then made with this copy. In special cases, such as terrorism or hostage-taking, it is essential to be able to access data from the evidence within a very short reaction time without changing the evidence itself (e.g., changing timestamps). With the results of the forensic investigation, follow-up measures can then be recognized and initiated. These follow-up measures are required to take place immediately. Under certain circumstances, indications of further assassinations, accomplices or escape routes can be obtained from this data. This would prevent imminent actions, thus saving lives and/or leading to the arrest of the perpetrators, which in turn prevents further acts. That would not be possible without an immediate inspection of the data.

Following the well-tried method, a lot of time would be lost before the first data from the evidence could be used. To produce this result, Information Technology (IT) specialists (forensic scientists) are needed to process the data and make it available to the investigator in an appropriate manner, so that the investigator is able to use it in the ongoing investigation. This takes a lot of time. Time and knowledge are currently the limits of this method. The aim of this master thesis is to study whether an investigator without special IT know-how can work out the required data in the shortest possible time. Two ways would be conceivable: on the one hand, using standard Linux programs to mount partitions from the evidence (hard disk or image); on the other hand, using standard Linux programs to virtualize the evidence as a "Virtual Machine", in a new way. The detailed results would then be available in a much shorter time, even without an IT specialist. If the investigator is able to view the data of the evidence, he can review the possible data contents of the applications (e-mail, chats, internet protocol, own documents and recently used documents, etc.). He does not need any particular knowledge of the structure of the file system used; he can simply start the applications and watch the results as if he were operating the physical PC. It may then be very important to use this data in the ongoing investigation and to deduce further follow-up measures.
dc.language: eng
dc.publisher: NTNU
dc.title: Virtualize A Piece Of Evidence Or Mount Its Partition With Linux
dc.type: Master thesis


Associated file(s)


This item appears in the following collection(s)
