Prior Publisher
The Association of Digital Forensics, Security and Law (ADFSL)
Abstract
Traditional forensic analysis of hard disks and external media typically involves a powered-down machine and "dead analysis" of these devices. Forensic acquisition of hard drives and external media has traditionally been performed in one of several ways: with a standalone forensic duplicator; with a hardware write-blocker or dock attached to a laptop, desktop or workstation; with a forensic operating system that live-boots from USB or CD/DVD; or with a virtual machine with a preinstalled operating system. Standalone forensic acquisition and imaging devices generally cost thousands of dollars. In this paper, we propose the use of single board computers as forensic imaging devices. Single board computers can provide a low-budget forensic imaging solution that can be used in a lab, for remote acquisition, or even configured as a portable imaging device. This project tests several ARM-processor-based single board computers and the software available for them at the present time. It includes image acquisition with a write-blocker, with software write-blockers, and without write-blockers, to test the various configurations. The final results demonstrate clearly that ARM-based single board computers can be used as low-cost, low-energy forensic imaging devices.
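The acquisition the abstract describes, as an added example rather than code from the paper: a POSIX shell acquisition routine for a Linux single board computer that applies a software write-block at the kernel block layer, images the source sector by sector, and verifies the image by hash. The function names, the log format and the use of dd, sha256sum and blockdev are assumptions of this example, not the authors' tooling.

```shell
#!/bin/sh
# Added example, not code from the paper: raw acquisition on a Linux SBC with a
# software write-block step and hash verification. Assumes coreutils (dd,
# sha256sum) and util-linux (blockdev); blockdev needs root on a real device.
set -eu

# verify_image SRC IMG LOG: hash source and image, log both and the verdict.
# Returns 0 on match, 1 on mismatch (altered image or incomplete acquisition).
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    {
        echo "source: $1 sha256=$src_hash"
        echo "image:  $2 sha256=$img_hash"
    } >>"$3"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified: OK" >>"$3"
        return 0
    fi
    echo "verified: MISMATCH" >>"$3"
    return 1
}

# acquire_image SRC IMG LOG
#   SRC: block device such as /dev/sda, or a regular file for dry runs
#   IMG: raw image path; LOG: text log receiving dd's stats and the hashes
acquire_image() {
    src=$1; img=$2; log=$3
    echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"

    # Software write-block: flag the device read-only at the kernel block
    # layer before it is opened. Skipped for a regular file used as a stand-in.
    if [ -b "$src" ]; then
        blockdev --setro "$src"
        # getro prints 1 once the kernel treats the device as read-only
        [ "$(blockdev --getro "$src")" = 1 ] || { echo "write-block failed" >&2; return 1; }
    fi

    # bs=512 matches the sector size of typical drives, so conv=sync only
    # zero-pads sectors that could not be read; a larger bs would pad the image
    # past the device's true size and the hashes would never match.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" \
        || { echo "dd failed" >&2; return 1; }

    verify_image "$src" "$img" "$log"
}
```

Re-running verify_image against the stored image later detects any alteration after acquisition, which is the check an examiner repeats before analysis.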
Recommended Citation
Olson, Eric and Shashidhar, Narasimha (2016) "Low Budget Forensic Drive Imaging Using Arm Based Single Board Computers," Journal of Digital Forensics, Security and Law: Vol. 11, Article 3.
DOI: https://doi.org/10.15394/jdfsl.2016.1373
Available at: https://commons.erau.edu/jdfsl/vol11/iss1/3