![]() ![]() Live acquisition can then be followed by static/dead acquisition, where the investigator shuts down the suspect machine, removes the hard disk, and then acquires its forensic image. Examination of volatile information assists in determining the logical timeline of a security incident and the users that are likely to be responsible for it. It must therefore be acquired in real time. is dynamic, and is likely to be lost if the device to be investigated is turned off. Volatile information, as present in the contents of RAM, cache, DLLs, etc. Involves the collection of volatile data from devices when they are live or powered on. ![]() We next delve into further details of these two categories of data acquisition along with the sources of data that they capture. Other sources of non-volatile data include CD-ROMs, USB thumb drives, smartphones, and PDAs. Investigators can recover such data from hard drives as well as from slack space, swap files, and unallocated drive space. In dead or static data acquisition, nonvolatile data that remains unaltered in the system even after shutdown is collected. Further, volatile data such as that in RAM are dynamic and change rapidly, and therefore must be collected in real-time. Such data reside in registries, caches, and RAM. This enables the collection of volatile data that are fragile and lost when the system loses power or is switched off. In live data acquisition, data is acquired from a computer that is already powered on (either locked or in sleep mode). From this perspective, data acquisition can be either categorized as live data acquisition or dead data acquisition. While data in some sources such hard drives remain unaltered and can be collected even after the system is shut down, data in some sources such as the RAM are highly volatile and dynamic and must therefore be collected in real-time. A fundamental factor to consider in the acquisition of forensic data is time. This enhances the admissibility of the acquired data or evidence in the court of law. Specifically, the acquisition methodology adopted must be verifiable and repeatable. However, investigators need to ensure that the acquisition methodology used is forensically sound. With the progress of technology, the process of data acquisition is becoming increasingly accurate, simple, and versatile. This information can then be analyzed to gain insight into a crime or incident. The investigation of file system can reveal the purpose and the contents of the BitTorrent client session.A process of imaging or collecting information using established methods from various media according to certain standards for their forensic value. ![]() The evidence remains in the registry even after the removal of the application, although it can really prove the fact of usage of the application only. The experiment revealed that BitTorrent client application creates Windows registry artefacts that can contain information which might be used as evidence during an investigation. Changes in Windows registry were collected and joined into tables. The snapshots of registry were taken and compared prior and after each step. ![]() The experiment was carried out in three steps: installation, download, and uninstallation. If order to fight against this type of cybercrime we carried out the research, during which we investigated the evidences left by BitTorrent client application in registry under Windows 8 operating system. This forensic investigation-based research revealed that evidence of data remnants subsequent to the installation and deletion of bitcoin wallets by the user did exist.īitTorrent client application is a popular tool to download large files from Internet, but this application is quite frequently used for illegal purposes that are one of the types of cybercrimes. It was undertaken to determine what data remnants and traces may remain on a Windows 10 operating system. The research focused on bitcoin as a case study to investigate a security incident involving suspected criminal activities using bitcoins, a cryptocurrency used in peer-to-peer technology. Bitcoin wallets such as MultiBit HD, Armory, mSIGNA, Bitpay, Bither, and Electrum were installed. Tools such as VMware Workstation Pro, OSForensics, MagnetRAM Capture, HxD have been used to retrieve some bitcoin artefacts. It was aimed to recover any evidence that would be present on a user's system even after they were deleted by the user. This research Digital forensic investigation into the remnants and traces left behind on a user system by Bitcoin wallets at all junctures following installation through transaction and deletion. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |