Ewa Huebner, Computer & Network Forensics Group, University of Western Sydney
Monday 18 August 2008, 12 pm
National ICT Australia Ltd, Level 1 Seminar Room, 223 Anzac Parade (Building L5), Kensington NSW 2052
The aim of the computer forensics investigator is to find information relevant to the case in question, as well as the chain of events leading to the creation of this information in a computer system. In other words, the questions to be answered are "What incriminating information is present in the system?" and "How did the incriminating information get there?"
How hard or easy it is to answer these questions depends in every case on how the information of interest is stored by the operating system (i.e. the internal structure) and on the analysis tools the operating system provides (i.e. the functionality). Mainstream modern operating systems were not designed to be forensically friendly, and forensic investigators struggle daily with the obstacles this creates.
Operating systems, and the file systems they support, could be designed and implemented from the outset in a way that makes forensic investigation less time consuming and more reliable. Currently investigators rely on many external software tools, all of which depend on the interface the operating system provides; in a sense these tools' access to the information is "second hand". For example, even in a task as fundamental as the post-mortem examination of a hard disk image, the information available depends on how the live system handled file time stamps, how it deleted or overwrote files, which file system events it logged, and so on.
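The time stamp point above is easy to see in practice. The following Python script is an added example, not part of the talk: on a POSIX system any process that owns a file can set its mtime and atime to an arbitrary value with utime(2), while ctime (inode change time) has no userland setter and is bumped to "now" by that very call. A large gap of the form mtime much older than ctime is therefore a cheap consistency check an investigator can run on an image, and it is also a reminder that the check only works because the live kernel chose to maintain ctime that way. The 60 second threshold and the 2008 forged date are constructed for the demonstration; on Windows `st_ctime` is the creation time and the ctime behaviour described here does not apply.

```python
"""Added example: mtime is trivially forgeable from userland, ctime is not.

Creates a temporary file, backdates its mtime the way an anti-forensic actor
would, and shows that the kernel still records the change in ctime.
"""

import os
import tempfile
import time

# How far mtime may lag behind ctime before we call it suspicious
# (constructed threshold for the demonstration).
BACKDATE_THRESHOLD_S = 60.0


def timestamps(path):
    """Return the three POSIX time stamps exactly as stat(2) reports them."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def backdate_mtime(path, new_mtime):
    """Set atime and mtime to new_mtime via utime(2), as an attacker could.

    ctime cannot be set this way; the kernel updates it to the current time
    as a side effect of the call.
    """
    os.utime(path, (new_mtime, new_mtime))


def looks_backdated(path, threshold_s=BACKDATE_THRESHOLD_S):
    """Flag a file whose content time stamp is far older than its inode
    change time. A legitimate restore (e.g. tar -p) produces the same
    pattern, so this is an indicator to be explained, not proof."""
    ts = timestamps(path)
    return (ts["ctime"] - ts["mtime"]) > threshold_s


def demo():
    """Create, backdate and inspect a file; return the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        before = timestamps(path)
        fresh_flagged = looks_backdated(path)   # expected: not flagged
        time.sleep(0.05)                        # let the kernel clock advance
        # Pretend the file was last written on 2008-01-01 00:00:00 UTC
        # (constructed value).
        forged = 1199145600.0
        backdate_mtime(path, forged)
        after = timestamps(path)
        return {
            "before": before,
            "after": after,
            "forged_mtime": forged,
            "fresh_flagged": fresh_flagged,
            "flagged": looks_backdated(path),
        }


if __name__ == "__main__":
    result = demo()
    print("before:", result["before"])
    print("after: ", result["after"])
    print("backdating detected:", result["flagged"])
```

The forged mtime comes back exactly as set, while ctime has moved forward rather than back. Note the limit of the check: with raw access to the block device (or a file system debugger) ctime can be rewritten too, which is precisely the speaker's point that tools reading through the operating system interface are trusting whatever the live system chose to record.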
The rules of evidence, which determine the admissibility of findings in a court of law, demand that the accuracy of the methods used to collect the evidence be known and that the evidence not be tampered with in the course of its analysis. Some believe that hardware offers the only guaranteed method of collecting evidence from computer systems. This belief can only change if the underlying software (operating system and file system) creates and maintains information in a more structured and reliable way.
Ewa Huebner is a senior lecturer and the leader of the Computer and Network Forensics Research group at the School of Computing and Mathematics, University of Western Sydney. She was awarded a PhD in 1999 by the University of Sydney for her research into persistent operating systems. Prior to her academic career she worked as a systems programmer and administrator in government and industry. Her current research interests are operating systems and computer forensics, specifically memory forensics and live system investigations. In recognition of her contribution to the profession, in 2008 she was elected to the grade of Fellow by the Australian Computer Society.