Incollection

Online Acquisition of Digital Forensic Evidence

Mark Scanlon; M-Tahar Kechadi

September 2009 Proceedings of International Conference on Digital Forensics and Cyber Crime (ICDF2C 2009)

Contribution Summary

The RAFT system is a remote forensic hard drive imaging tool that enables law enforcement officers to remotely transfer images of suspect computers to a forensic laboratory for analysis. This reduces the time forensic investigators spend collecting digital evidence and ensures court-admissible evidence through a secure and verifiable client/server imaging architecture. The system is designed to be easy to use, requiring minimal technical knowledge, and is compatible with various storage configurations and with hardware such as netbooks. The RAFT system also ensures the integrity of the evidence through regular hash checking using SHA-512, a 512-bit secure hashing algorithm. The system has several advantages, including compatibility, cost-effectiveness, automated acquisition, and speed. However, it also has some potential limitations, such as firewall restrictions, transfer speed, non-functional CD drives, live-system limitations, and boot passwords.

Keywords: Digital Forensics; Remote Acquisition; Forensic Evidence; Hard Drive Imaging; Client/Server Architecture; Secure Hashing; Court-Admissible Evidence; Law Enforcement

Abstract

Providing the ability to any law enforcement officer to remotely transfer an image from any suspect computer directly to a forensic laboratory for analysis can only help to greatly reduce the time wasted by forensic investigators in conducting on-site collection of computer equipment. RAFT (Remote Acquisition Forensic Tool) is a system designed to facilitate forensic investigators by remotely gathering digital evidence. This is achieved through the implementation of a secure, verifiable client/server imaging architecture. The RAFT system is designed to be relatively easy to use, requiring minimal technical knowledge on behalf of the user. One of the key focuses of RAFT is to ensure that the evidence it gathers remotely is court admissible. This is achieved by ensuring that the image taken using RAFT is verified to be identical to the original evidence on a suspect computer.

BibTeX

@incollection{scanlon2010online,
  title     = {{Online Acquisition of Digital Forensic Evidence}},
  author    = {Scanlon, Mark and Kechadi, M-Tahar},
  booktitle = {{Proceedings of International Conference on Digital Forensics and Cyber Crime (ICDF2C 2009)}},
  pages     = {122--131},
  month     = sep,
  year      = {2009},
  address   = {Albany, New York, USA},
  publisher = {Springer},
  abstract  = {Providing the ability to any law enforcement officer to remotely transfer an image from any suspect computer directly to a forensic laboratory for analysis, can only help to greatly reduce the time wasted by forensic investigators in conducting on-site collection of computer equipment. RAFT (Remote Acquisition Forensic Tool) is a system designed to facilitate forensic investigators by remotely gathering digital evidence. This is achieved through the implementation of a secure, verifiable client/server imaging architecture. The RAFT system is designed to be relatively easy to use, requiring minimal technical knowledge on behalf of the user. One of the key focuses of RAFT is to ensure that the evidence it gathers remotely is court admissible. This is achieved by ensuring that the image taken using RAFT is verified to be identical to the original evidence on a suspect computer.},
  doi       = {10.1007/978-3-642-11534-9_12},
}