Computer Forensics Essay

The goal of a computer forensic investigator is to find information relevant to a case and to also determine what events lead to the creation of that information. A lot of this information is stored by the operating system. This information includes file time stamps, internet search history, user registry information, username and passwords, encrypted files, and many other types of information which may be admissible in court. Depending on how an operating system is design and implemented, it may hinder or support a digital forensic investigation.

In Huebner and Henskens article, The Role of Operating Systems in Computer Forensics, they introduce several papers which discuss several of the problems found in computer forensics that are associated with operating systems. This report will discuss some of the underlying problems in computer forensics in conjunction with the issues brought up by Huebner and Henskens. The problems addressed include operating systems instrumentation, software issues in digital forensics, computer forensics of virtual systems, disk encryption in forensic analysis, and computer forensics case management.

The problem with operating systems used instrumentally for digital forensics is that current digital forensic techniques do not fully utilize the existing forensic capabilities of an operating system. For example, live data acquisition requires the acquisition of volatile storage on RAM before the computer is shut down. There are currently no forensically sound methods of acquiring an image of a system’s memory without attaching specialized hardware (Kornblum & Libster). Inserting an external device may change the state of the system such as altering the SYSTEM hive of the registry on a Windows machine, w...

... middle of paper ...

...onitor a virtual machine allowing the user to extract information from it without affecting its functionality or state (Flores & Atkison). From a digital forensic point of view this is very useful because this will allow the investigator to perform a live analysis on the virtual machine without affecting the state of the machine. A problem with virtual machine introspection is that a raw representation of data is obtained when in introspection is performed on a virtual machine. The data is difficult to understand because the native operating system’s application programming interface is not available to interpret the data. The inability to obtain high level data from low level data is known as the semantic gap (Flores & Atkison). A solution to overcome the semantic gap is to create extensions from existing forensic framework and combine them with VMI methodologies.