Answer To: "What is the single most important new technology that has affected digital forensics in the last...
Robert answered on Dec 23 2021
Digital Forensics 1
Abstract
Digital evidence encompasses all digital data that can establish that a crime has been committed, or that can provide a link between a crime and its victim or between a crime and its perpetrator. Intrusion Detection Systems are a rich source of digital evidence: they collect information from a variety of system and network sources and then analyze it for signs of intrusion and misuse. The process as a whole shows how important technology has become to digital forensics. This paper discusses some of the technologies that have affected the process of investigation in the last five years.
Introduction
With advances in computer technology, and with devices such as desktops, laptops and mobile phones becoming instrumental evidence in crimes, digital forensics has established itself as an important and diversified area of the computing field. It supports investigations by providing key evidence for legal proceedings, by uncovering the methods behind different attacks, and by gathering data to determine the extent to which the security of a system has been exploited. Researchers in the digital forensics field often have to base their analysis on incomplete information, or on information recorded by tools that have themselves been compromised by the intrusion.
For instance, in quiescent analysis, a traditional incident response procedure, the attacked system is first sealed in custody and shut down, its digital media are copied, and the copy is then analyzed with hardware- and software-based tools certified for digital forensics. The shutdown can be of two types: a normal shutdown or an improper shutdown. In both cases there is no means of determining the state of the system before shutdown. In a proper shutdown, data is written to and read from the hard disk, which may erase forensically relevant data. An improper shutdown, on the other hand, involves pulling the power cord, which leaves the data in the cache and on the hard disk inconsistent.

Besides this, a more basic problem exists in digital forensics. Researchers are burdened with analyzing huge amounts of data to find the information of interest: the list of running processes, the kernel configuration, the status of the network, and data being encrypted or decrypted. Some of this data is held only in RAM, and as soon as the computer is shut down it is lost. This is where the virtual machine finds its place. With the increasing availability of virtualization, investigators can carry out a complete analysis with full access to the state of the target system without losing anything stored in RAM.
The number of home users who make use of tools like TrueCrypt and PGP (Pretty Good Privacy) has been increasing every year. These encryption tools, TrueCrypt and PGP, are open source and freely available software. Anyone can use TrueCrypt to encrypt a complete hard drive partition or, say, a USB pen drive. Home users who use PGP at home are able to easily erase any inculpatory evidence which might otherwise persist and be picked up by investigators. The US National Security Agency (NSA) has approved the strength and design of the encryption offered by TrueCrypt, and the same kind of encryption is used to encrypt its classified documents as well. In the absence of proper credentials for the encrypted device, the forensic investigator has only one option to gain access to it: obtaining a forensic image of the live system while the data is not encrypted. In this case, it is not feasible for traditional techniques to make a bit-by-bit copy of the source data onto the destination drive. The copy must be made while ensuring that the original data remains read-only so that the forensic process can be carried out on it. Yet throughout the world, digital investigators are still being taught a decades-old methodology, which begins by pulling the plug on the machines under investigation during the search and seizure process (Forensics).
The investigation of the primary storage...