Application forensics presented at Virus Bulletin 2007

by Tim Ebringer (CA),

Tags: Security


Summary : "Computer forensics has traditionally focused on the acquisition, analysis and presentation of 'images' of storage media,
with a view to its later presentation as evidence in a court or law. This analysis sometimes reveals executable software
which may be of interest to the forensic analyst; indeed it may be a key link in associating a relatively unskilled
user with a sophisticated offence.Prosecuting or defending a case against a user who allegedly used such an application presents particular evidentiary
challenges. This paper relates our experience in forensic examination, documentation and legal presentation of
executable applications. We detail the workflow of such an examination, from initial acquisition to eventual
presentation in court. We explain how to compile and present findings of fact such that they will satisfy the
requirements of computer evidence, and offer the reader suggestions on how to successfully navigate a potentially
gruelling cross-examination.