The Association of Digital Forensics, Security and Law (ADFSL)


The research reported in this paper introduces new techniques to aid in the identification of recovered notebook computers so they may be returned to the rightful owner. We identify non-volatile data storage areas as a means of facilitating the safe storing of computer identification information. A forensic proof of concept tool has been designed to test the feasibility of several storage locations identified within this work to hold the data needed to uniquely identify a computer. The tool was used to perform the creation and extraction of created information in order to allow the analysis of the non-volatile storage locations as valid storage areas capable of holding and preserving the data created within them. While the format of the information used to identify the machine itself is important, this research only discusses the insertion, storage and ability to retain such information.


AbsoluteSoftware (2006a), AbsoluteTrack DS, . accessed 22nd October 2006.

AbsoluteSoftware (2006b). Computrace LoJack for Laptops, . accessed 22nd October 2006.

Armstrong, H, Wynne, M & O'Shea, T. (2004). 'Who has the keys to the vault? Protecting secrets on laptops'. Proceedings of the 2004 IEEE IA Workshop, USMA WestPoint New York.

Beachhead, S (2006). Mobile Data Vulnerability, .. accessed 20th, October 2006.

Boeck, H (2004). xTended FDISK 0.9.3, . accessed 4th, June 2006.

Bursky, D (2003). 'Nonvolatile memory: more than a flash in the pan', Electronic Design, vol. 51, no. 15, pp. 41-6.

DataRecovery, O (2006). FDISK Glosary, . accessed 13th August 2006..

DeMaria, MJ (2002). 'Gone in 6.0 seconds [laptop security]', Network Computing, vol. 13, no. 20, pp. 77-90.

eSupport.com (2004). BIOS Utilities - Flash Loaders, http://www.unicore.com/techsupport/award/awardutils.htm>.accessed 5th July 2006,

Gershteyn, P, Davis, M & Shenoi, S (2006), Detection and recovery of Hidden Data from Award BIOS Chips, Springer, Dortrecht, The Netherlands,

Gupta, MR, Hoeschele, MD & Rogers, MK. (2006). 'Hidden Disk Areas: HPA and DCO', International Journal of Digital Evidence, Fall, p. 8.

Heasman, J (2006). Implementing and Detecting an ACPI BIOS Rootkit, Netherlands. Hewlett-Packard, Intel, Microsoft, Phoenix & Toshiba (1999). ACPI - Advanced Configuration & Power Interface, ., accessed 30th, June 2006.

Hewlett-Packard, Intel, Microsoft, Phoenix & Toshiba (2004). ACPI Specifications 3.0a, .accessed 30th, June 2006.

Layton, R (2003). MBRWizard 1.53, .accessed 3rd, June 2006.

Microsoft (2005). How to Use the Fdisk Tool and the Format Tool to Partition or Repartition a Hard Disk, Microsoft Corporation, . accessed 3rd, July 2006.

NTFS.COM (2006). Master Boot Record (MBR), NTFS.COM, .accessed 2nd July 2006.

PointSec (2006). Security Products Laptop, . accessed 21st, October 2006.

PTDD-Soft (2005). Super FDISK 1.0, . accessed 1st June 2006. ranish.com (1998). Partitioning Primer. . accessed 1st, June 2006.

Reifsnyder, BE (2001). Free FDISK 1.21, . accessed 1st, June 2006.

Slay, J, Broucek, V, Hannan, M & Turner, P (2004). ‘Developing Forensic Computing Tools and Techniques within a holistic framework: an Australian Approach’, in Proceedings of the 2004 IEEE IA Workshop, USMA WestPoint New York.

Symantec (2006). Introduction To GDISK, . accessed 1st June 2006.

Symantec (1998). Partition Magic, . accessed 1st June 2006.

TheFreeDictionary.com (2005). ACPI, Farlex, Inc.. accessed 1st June 2006.

Zary, O (2005), UniFlash, . accessed 1st June 2006.




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.