Celice, C. (2014). A Novel Forensic Triage Approach for the Windows Operating System (BEng (Hons) CSN Dissertation). 2014 (Macfarlane, R., Buchanan, B.).
Digital forensics has been a rapidly growing field, as a large number of crimes now involve a range of electronic devices such as computers, mobile phones and even tablets. A key factor in conducting a digital forensic investigation is the ever-increasing amount of data that must be processed to find digital evidence, notably when dealing with computers. This has created scenarios where an investigation can take up to several days before any evidence at all is retrieved.

This dissertation examines how computer triage is currently used and whether a better approach exists, considering factors such as the amount of information that can be retrieved in a short time, together with research on current methodologies and scenarios. Multiple triage applications were studied, and the Scottish Crime and Drug Enforcement Agency (SCDEA) was consulted, in order to propose a technique that can be used in the development of a new type of computer triage tool.
Among the three operating systems most widely available to the general public, the Windows platform was chosen for experimentation because of its popularity. The tool was then developed in Python and assessed using metrics derived from published triage assessment methods and from current tools such as COFEE and TriageIR. For the evaluation, the prototype tool was run in a range of experiments and the collected results were compared. Its functionality and performance were then also compared with those of another open-source triage tool, TriageIR.

After implementing and evaluating the prototype tool, not without issues, and comparing its functionality with that of another open-source triage tool, it was concluded that an approach which quickly determines a course of action after running a simple application could make digital forensic processes generally quicker. The investigator is able to learn as early as possible whether any traces of suspicious activity are present on the machine, and does not have to wait for a tool to perform a complete analysis of the entire media. From that, they can reasonably assume that there is a high probability of interesting evidence being present on the digital device.
