Use this URL to cite or link to this record in EThOS:
Title: Assessing the reliability of digital evidence from live investigations involving encryption
Author: Hargreaves, Christopher James
ISNI:       0000 0004 2682 8500
Awarding Body: Cranfield University
Current Institution: Cranfield University
Date of Award: 2009
Availability of Full Text:
Access from EThOS:
Access from Institution:
The traditional approach to a digital investigation when a computer system is encountered in a running state is to remove the power, image the machine using a write blocker and then analyse the acquired image. This has the advantage of preserving the contents of the computer’s hard disk at that point in time. However, the disadvantage of this approach is that the preservation of the disk is at the expense of volatile data such as that stored in memory, which does not remain once the power is disconnected. There are an increasing number of situations where this traditional approach of ‘pulling the plug’ is not ideal since volatile data is relevant to the investigation; one of these situations is when the machine under investigation is using encryption. If encrypted data is encountered on a live machine, a live investigation can be performed to preserve this evidence in a form that can be later analysed. However, there are a number of difficulties with using evidence obtained from live investigations that may cause the reliability of such evidence to be questioned. This research investigates whether digital evidence obtained from live investigations involving encryption can be considered to be reliable. To determine this, a means of assessing reliability is established, which involves evaluating digital evidence against a set of criteria; evidence should be authentic, accurate and complete. This research considers how traditional digital investigations satisfy these requirements and then determines the extent to which evidence from live investigations involving encryption can satisfy the same criteria. This research concludes that it is possible for live digital evidence to be considered to be reliable, but that reliability of digital evidence ultimately depends on the specific investigation and the importance of the decision being made. However, the research provides structured criteria that allow the reliability of digital evidence to be assessed, demonstrates the use of these criteria in the context of live digital investigations involving encryption, and shows the extent to which each can currently be met.
Supervisor: Chivers, H. Sponsor: Not available
Qualification Name: Thesis (D.B.A.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available
Keywords: Forensic engineering - Data processing ; Forensic Computing ; Microcomputers ; Data encryption - Computer science ; Computer security ; Criminal investigation ; Electronic records - Law and legislation ; Digital signatures