using oss for forensic purposes

8/22/2019 Using OSS for Forensic Purposes

1/7

Using Open Source for Forensic PurposesManuel Delgado

ISCTE-IULR. Manuel Ferreira Andrade

29-C 1500-416 Lisboa+351966778699

[email protected]

Manuela AparcioISCTE-IUL

Av. das Foras Armadas1649-026 Lisboa+351999999999

[email protected]

Carlos CostaISCTE-IUL

Av. das Foras Armadas1649-026 Lisboa+351999999999

[email protected]

ABSTRACTThis article provides an overview of the basic digital forensic

process. In different contexts of crime, the use of "computer

forensics" is a usual way to gather evidence. Digital data is

collected and analyzed in order to be presented in court asevidence of illegal activities. This is already a first-line option in

most cases for criminal investigation. For some types of crime,

particularly economic and financial research focuses on the

storage devices.

In the context of a crime, create and certify a full Image of

suspect devices is vital to preserve its integrity. The disk image,

take sector by sector copy usually for forensic purposes, and assuch will contain some mechanism (internal verification) to prove

that the copy is accurate and has not changed. In this work we

present some Open Source tools to perform an effective role in

computer forensics, which ensure the realization of these images,fulfilling all the requirements, so that any evidence recovered

from his analysis, may be admitted in court.

Categories and Subject DescriptorsK.4.2 [COMPUTERS AND SOCIETY]: Social Issues;

D.4.6 [OPERATING SYSTEMS]: Security and Protection;

General Terms

Experimentation, Security, Legal Aspects, Verification.

KeywordsElectronic Crime, Financial Crime, Computer Forensics, Open

Source.

1. INTRODUCTIONOne of the most significant developments in Information and

Communication Technologies in business, has to do with the

increasing dematerialization of supporting documents, is already

finding that most of the information generated in the world is

created and stored in digital format and it is estimated that morethan half of the documentation related to economic activity, never

leave the digital domain. This means that paper documents

associated with business world, are only a small part, being

significantly longer majority, the number of documents in digital

format. [1].

This reality contrasts with the rule, that paper documentscontinues to play in the field of justice where, with apparent

indifference to the impact of technological change at all levels oftoday society, the research teams, particularly in the economic

crime area, continue to base his work on "paper discovery."

The transfer of documentary support to the digital world, causes

the computer equipment in addition to instrument and / or target

of computer crimes, may constitute today as huge repositories of

evidence of crimes the most varied nature, including economic,making it now essential their contribution, to the discovery of

truth in most of the investigations, regardless of the type of crime

committed[2].

Despite the growing awareness of the importance of digital

evidence, is still not peaceful its acceptance in court, given thedivergent views of various judicial actors.

Concerning the reliability of such evidence, some judges believe

that the precision and objectivity of the electronic evidence make

it more reliable; other judges think that the lack of means to verifythe authenticity of the electronic evidence makes it more

vulnerable and, therefore, less reliable than traditional evidence in

general.

Many technical experts highlight some positive properties about

electronic evidence: exact, complete, clear, precise, true,

objective, and neutral, and the fact that in many instances,electronic evidence appears to be essential for the resolution of

certain type of crime.

For judges, electronic evidence is easy to be collected, stored, andpreserved. About the inconveniences, law professionals often

invoke the establishment of legal value on this type of evidence as

a difficulty due to the existing ignorance about procedures of dataprocessing and the interpretation of prosecutorial law in this

mater.

Permission to make digital or hard copies of all or part of this work for

personal or classroom use is granted without fee provided that copies are

not made or distributed for profit or commercial advantage and that copies

bear this notice and the full citation on the first page. To copy otherwise, or

republish, to post on servers or to redistribute to lists, requires prior specific

permission and/or a fee.

Conference10, Month 12, 2010, City, State, Country.

Copyright 2010 ACM 1-58113-000-0/00/0010$10.00. This difficulty is generated by the lack of suitable and systematic

regulation and also the lack of homogeneous jurisprudence.Jurists admit their fears of the vulnerability (the high degree of

volatility of electronic evidences nature). On the other side,
http://dl.acm.org/ccs.cfm?part=author&coll=DL&dl=ACM&row=D.4&idx=4&CFID=88090005&CFTOKEN=56488093http://dl.acm.org/ccs.cfm?part=author&coll=DL&dl=ACM&row=D.4&idx=4&CFID=88090005&CFTOKEN=56488093


2/7

judges and prosecutors do not understand very well this kind of

evidence and that is the reason why they often reject it in trials.

All of we as computer experts, have responsibility not only tomake clear to law enforcement officials, the real value of digital

evidence, but rather to investigate and develop tools to isolate this

type of evidence in a safe and reliable manner and also timely

useful.

As in Portugal, the use of Computer Forensics is still very limited,

particularly in the economic crime investigation, I think it isimportant to disclose the reasons and potential to promote this

scientific area as a new field of research.

This paper as a survey paper of previous results, aims to show that

tools are available that enable a qualitative jump in research

processes, without jeopardizing the budget balance of justice

departments, as current economic situation requires.

2. METHODOLOGYIn addition to the literature review, the material in this paper is

based on the authors' experience using computer forensics in the

economic crimes investigation.

The paper is very much a descriptive reflection about the

importance of computer forensics in economic crime

investigations, warning to the existence of tools to develop this

work with quality and reduced costs.

3. ECONOMIC AND FINANCIALCRIMECorruption and all practices related to economic and financial

crime, should be seen as acts of deviant and criminal nature. Inaddition to violating the rules for the normal functioning of

institutions as a whole, acts of this type contribute to raise the

citizens, general feelings of social mistrust and may, at worst,

degenerate into a dizzying process of decay of the most

elementary rules of healthy social life cultural, economic and

political [3].

3.1 Definition and Range"Economic and Financial crime" means any form of non-violentcrime which results in a financial loss. This type of crime thus,

encompassing a wide range of illegal activities such ascorruption, fraud, tax evasion and money laundering.

It is, however, difficult to define the notion of "economic crime",

and its exact concept remains a challenge. The task is further

complicated due to technological advances that provide new ways

to develop and perpetuate such crimes [4].

It is also difficult to determine the overall extent of the

phenomenon, partly due to the absence of a clear concept and

accepted by all, by virtue of the registration systems of economicand financial crime, differ considerably from country to country

as well, because the companies or financial institutions choose to

resolve incidents internally, refraining from participating to the

authorities [5].

Since, most of the economic crimes, committed on the basis of

technology, do not require the physical presence of the offender.

Thanks to significant differences between the legal frameworks ofdifferent countries, this allows criminals to choose to base their

activities, on countries with more lenient legal frameworks.

The available data clearly suggest that the economic and financial

crime continues to grow rapidly [6], mainly under the influence ofnew information technologies, the spread of electronic banking

and the expansion of Internet services on a global scale.

3.2 Impact on Sustainable DevelopmentUsually fraudulent activities, take the place of legitimate

economic activity, discouraging investment. Hence, the economic

and financial crimes constitute the long term, a serious threat to

the peaceful and democratic socio-economic development. Thecountries where the illegal economic and financial activities are

socially accepted, do not offer conditions for financial markets to

develop, given the high standards and professional values, legal

and moral, in which they are based. The mere notion of beingcommitted illegal economic and financial acts, can cause

irreparable economic harm. The public suspicion inevitably

undermines the legitimacy of government [7].

The universality of this phenomenon is an inescapable reality.

Jain states that the effects of corruption tend to have repercussions

throughout the economy, not confined to the specific act. It found

that in a country with an inefficient legal system, the level of

corruption tends to increase and may lead to their political elitecannot resist the increased income it provides. Once corrupted,

the elite will try to reduce the effectiveness of legal systems,

through the manipulation of resource allocation and appointments

to key positions. In turn, reducing the resources, the match will

condition, thereby allowing the further spread of corruption [8].

The recent economic crisis, made to multiply the voices calling

for the urgent need to investigate and punish the guilty, to the

point, eminent experts, advocate that the magnitude of some ofthe crimes should lead to its being classified as "crimes against

humanity"[9].

4. COMPUTER FORENSICSOur increasingly complex world, puts us at a very particular

social and cultural crossroad. At no other time the society was so

dependent on technology in its various expressions. Nearly everyfacet of our lives suffer in some way the impact of technology (e-

mail, instant messaging, online banking, video and digital music,

etc..). This dependence and, in general, dependence on

technology, had a cascading effect on other less obvious areas ofsociety, as eloquently portrays Bruse Schneier, in his book

Secrets and Lies - Digital Security in a Networked World[10].

One such area is law enforcement and, more specifically, the part

that concerns the criminal investigation [11]. Historically, thecriminal investigation had concepts such as physical evidence,

eyewitnesses, and confessions. Today, the criminal investigator

cannot fail to recognize that a significant part of the proof lies in

electronic or digital form.

As Carrier stated in his Article "Getting physical with DigitalInvestigation Process", [12], for many crimes of today, the crime

scene may consist of a simple computer that, by itself, can hold a

large number of evidence, as opposed to the traditional physicalcrime scene. The witness today, can be tomorrow a 'log' file

generated on a computer.

In order to deal effectively with this new reality, computer

forensics, while embryonic branch of science, has been

developing methodologies and creating rules aimed at drawing

attention to the care that must be taken to ensure that it is not


3/7

overlooked the primary objective of research process, which

ultimately aims to identify the party or parties responsible forillegal practices.

4.1 Forensic ScienceSuch as medicine or engineering, forensic analysis of physical

evidence is an applied science, which relies on the basic scientific

principles of physics, chemistry and biology. As such, every

experience and each case must follow the scientific method oftesting hypothesis.

Notwithstanding the conclusions reached by Inmon and Rudin, in

his work "Principles and Practice of Criminalistics," referring to

the legal practice is not strictly experimental, given the nature of

the sample completely uncontrolled, which characterizes the

process of investigation, as opposed to highly controlledconditions in which scientific experiments are carried out with

variables intentionally altered, one at a time, etc., the scientific

method has been one of the most powerful tools available to the

forensic investigator to ensure the fulfillment of his responsibility

to provide accurate relevant evidence in an objective and

impartial manner, [13]

Starting with a collection of facts, continues with the formulationof a hypothesis based on the evidence available, while retaining

the awareness of the possibility that the observations andanalyzes, may not be correct. Thus, to assess the veracity of the

hypothesis is not only necessary to seek support for the evidence

found but equally important to consider alternative hypotheses.

The process of trying to refute our own hypothesis involves

performing experiments that allow testing our underlyingassumptions and obtaining a better understanding of digital tracks

that we are considering.

This is a process inherently inductive, in that, the results obtained

from a forensic sample, are not a simple experiment, but a test or

analysis in which the analyst collects material on a piece of

evidence that later, will combine with other facts and hypotheses,to form a theory about what actually happened in the case.

4.2 Locard Exchange PrincipleThe fundamental rule followed by forensic science is the Locard

exchange principle, according to which, every contact leavestraces."No one can act [commit a crime] with the force [intensity]

that the criminal act requires without leaving behind numerous

signs [marks] of it: either the wrong-doer [felon; malefactor,

offender] has left signs at the scene of the crime, or, on the other

hand, has taken away with him on his person [body] or clothes

indications of where he has been or what he has done.[13]".

Based on the definition of digital evidence by three leading

organizations in this field:

"Information Transmitted or stored in binary form That may

be relied upon in court" [14];

"Information of probative value that is stored in binary form

or Transmitted" [15];

"Information and data of investigative value that is stored on

or Transmitted by a computer" [16].

We must say that, "Digital Evidence" is any information stored or

transmitted in digital format, with probative value in criminal or

civil prosecution. Again, the Locard exchange principle is valid,

[17], thanks to the control loop currently available in operating

systems, allowing the screening of all activities on the systems.

Thus, a basic principle that cannot be overlooked, is the

preservation of all original traces, which advises that the research

be done on the original media, but whenever possible, on a full

and exact copy of that, Bit Stream Image,[18].

Investigation of digital evidence is a process that develops in two

areas: investigative and legal domain, however, remains a gap thatseparates them, and the size of that gap, varies inversely with the

computer literacy of prosecutors.

As represented in figure 1, the first concern in the investigative

domain, relates to the preservation of evidence, which is usually

ensured by carrying out a "bit stream image" of the suspect

device. This image is in the final, certified through a hashfunction.

Than it must be done a search on the image, usually based on akeyword list, searching all spaces of the device including

unallocated and slack spaces as well within any kind of hidden

control files at the operating system level, such as swap, log and

registry files, among others, in order to locate and select the

evidence.

Finally Validation relates to the question of whether the locatedevidence is what it seems to be. For instance, the assertion that an

important file, was deleted would require confirmation of the

existence of the deleted file, in the unallocated space. This phase

ends with a detailed report.

Figure 1. Computer Forensic Domains.[19]


4/7

The Legal Domain has to do with the intervention of the lawyer,

who, based on the report supplied by the investigator, shall testeach piece of evidence to determine its weight in legal argument

and its suitability for use to prove or disprove the case.

4.3 Forensic science in the digital fieldRegarding Computer Forensics, some authors consider that it

combines the advantages of forensic science with the art ofresearch. Farmer and Venema in his book Forensic Discovery,

note that sometimes the expert acts as an archaeologist (digital),

others as a geologist (digital). [20].

Digital Archaeology, when acting on the direct effects of user

activity, such as the file contents, access times, deleted file

information, and information about network traffic;

Digital geology, when acting on the autonomous process system,

on which the user has no direct control, as the allocation and

recycling of disk blocks, file identifiers, memory pages or

process identifiers.

As an example, the authors note that users have direct controlover the content of the files (archeology), but when a file is

deleted, users no longer have any control over the sequence of

destruction wrought by the system (geology).

Similarly, Carrier, reflects on how this activity should be assigned

by comparing it with the common forensic analysis. In his

opinion, contrary to common forensic analysis (physics), in which

the expert is confronted with a discrete set of questions aboutsamples (fluids, bullets, samples of skin, hair, etc.), which are

delivered by a detective, being responsible for tasks of

identification and individualization, computer forensics

encompasses the role of the detective himself, developing into

two steps: searching for evidence, then its analysis andinterpretation. To that extent, the author proposes for this activity,

the name "Computer Forensic Investigation" or "Digital Forensic

Investigation". [21].

Figure 2.

Digital Forensic Model.

4.4 Digital Investigation Methodology

The first Digital Forensic Research Workshop (DFRWS) held in

2001 produced the following definition:

The use of scientifically derived and proven methods toward

the preservation, collection, validation, identification,

analysis, interpretation, documentation and presentation of

digital evidence derived from digital sources for the purpose

of facilitating or furthering the reconstruction of events found

to be criminal, or helping to anticipate unauthorized actions

shown to be disruptive to planned operations [22].

This definition itself, contains a sequential procedure translated in

Table 1, which in general constitute a framework for furtherresearch in this area.

Table 1. Investigative Process for Digital Forensic Science[23]

Table 1 shows the main categories or phases of the investigativeprocess in the header. The contents of the columns below of each

category, are techniques or methods used in the developmenttasks related to the phase that heads the column. This paper will

only deal with the first three phases: Identification, Collection and

Preservation.

In practice, the investigation process referred in Figure 1, isdeveloped in two stages, as represented in Figure 2:

- first phase takes place in the field, ensuring targetidentification,

information gathering

and preservation;

- second phase isdeveloped in the

laboratory and ensures

examination, analysisand presentation of

results.

5. FORENSICTOOLSDigital forensic tools, aims

the analysis of digital

information, in order to

incriminate or exoneratesomeone suspected of

illegal activities. Often in

decision context, the usual

confrontation Open Source

vs Closed Source, is notonly just reduced to the

mere philosophical

questions, but also other

reasons arise such as costs or security.

Computer Forensics, is more focused on the reliability of the

results provided by the tools. It is essential to assess to whatextent the tools meet the legal requirements governing the

admissibility of evidence.


5/7

In the article "Gatekeeping Out Of The Box: Open Source

Software As A Mechanism To Assess Reliability For Digital

Evidence", published in the Virginia Journal of Law and

Technology Association, Kenneally done a fairly comprehensive

analysis on this dichotomy, and its surroundings in the middle

court, concluding that, allow unrestricted access to code their own

tools, in this context, confers a significant advantage to open

source, given the "black box" proprietary [24].

5.1 Targets of the toolsGiven the retrospective nature that characterizes the process of

investigating economic and financial crimes, normally, computers

play in this type of crime, the role of mere repository of evidence,

making their storage units the main target of analysis.

According to the recommendations of the Working Group on

Digital Evidence Software [25], the analysis of digital evidenceshould not be performed on the original media, but over a full

copy of that, as indicated in 4.2, in order to preserve any damage

that could cause direct manipulation.

Figure 3. EnCase GUI. Tool: Acquire.

Figure 5. Creating Image with dd.

Figure 7. Hashing the device to confirm (MD5)

Figure 6. Hashing the created image (MD5)

There are several Open Source tools that fully accomplish all the

requirements of this process, as will shown in the followingsection.

6. USAGE SCENARIO

In a real case, after identifying the target device, the first step to

accomplish is the creation of their image, " Bit Stream Image ", in

which the researcher will then perform the analysis.

By way of demonstration, this task is first performed using the

proprietary platform for forensic analysis, "EnCase Forencic."

The same operation is repeated with the use of Open Source tools,

and in the end, the results are compared.

6.1 Bit Stream Image using EnCase

The suspect device that, under this case study, will be analyzed, is

a USB Flash Pen 1 GB of which will start by creating an image.

The process of creating the image provides a set of options such

as:

- partitioning of the image files of a given size, in this case itwas decided to split into files of 640 MB so that it can be

burned to CD-ROM;

- two compression ratios, this option should take into accounttrade-off, more compression / high speed. In this case, the

choice was "best" that corresponds to the higher rate of

compression which makes the acquisition process slower;

- the possibility of calculating the HASH certification, based on

MD5 and SHA1 algorithms, individually or jointly. We chose

the first, which corresponds to the most common practiceadopted by the community.

At the end of the EnCase process returns the particulars given infigure 4.

Figure 4. Final Process information.

6.2 Bit Stream Image using ddThe "dd" command is a common Unix program whose primary

purpose is the low-level copying and conversion of raw data,

designed to perform copy and convert files from one place to

another. (there is also a version for Windows systems).

This command has not been created for forensic purposes, so it

does not include any specific features such as compression,certification, etc., being necessary to perform these tasks inaddition, using other tools.


6/7

Figure 8. EwfAcquire characteristics of the target device

Figure 9. EwfAcquire parameters required

6.3 Bit Stream Image using EwfAcquireThe "ewfacquire" is an Open Source utility included in the

"LIBEWF" library, designed to acquire data from various storage

devices (floppy, Zip, Jaz, CDROM, DVDs, flash drives, hard

drives, among others).

It records files in the EWF format (Expert Witness Compression

format), adopted by the two most spread proprietary Forensic

platforms: EnCase Forensic and Forensic Toolkit (FTK) Imager.

Figure 10. Summary of the introduced parameters

Figure 11. Final Process information.

Figure 12. Hashing the device to confirm (MD5)

When running Ewfacquire this command requests, by commandline, a wide range of elements, not only for the parameterization

of the image we want to achieve, but also identification elementsof the case in research and the identification of the technician who

performs the work, among other elements.

All that data will be part of the image metadata.

Calculating the hash of the original device, if it matches the hashreturned by Ewfacquire, we have the image properly certified.

7. CONCLUSIONIn practice this small example covers the first three phases of a

research process:

1. Identification - After the incident notice, was isolated

suspicious device - USB Flash Pen 1 GB;

2. Preservation - were taken every precaution so that the

content does not undergo any changes by inhibiting the option

of writing to the device (Write blocking / mounting device in

read only mode);

3 - Collection and certification - Creating a "Bit-Stream"image using "dd" and EwfAcquire and calculating the hash

signature with the "md5sum" command.


7/7

Using these samples and taking into account the matching of the

hash calculated A845445FB5A07E677FD51C0D4B4EAB89

on the result of the different commands, and the content of thetarget device, we can ensure that, as regards the process of

"acquisition", Open Source tools do not show any disadvantage

for the proprietary reference tool "EnCase Forensic" or any other.

Similar conclusions can be obtained in the broad field of analysis

of digital evidence, characterized by multiple specificities, for

which there is a huge variety of open source tools ready for use,most of which, validated and certified.

Most of these Open Source tools in no way are less reliable andeffective, when compared with the proprietary suits who join on

the same platform, a wide range of features of friendly usability,

but whose reliability is not always possible to evaluate or certify,

However this does not prevent the huge licensing costs,

sometimes even prohibitive.

8. REFERENCES[1] Gantz, John e Reinsel, David - The Digital Universe Decade

Are You Ready? IDC IVIEW http://www.emc.com/collateral/demos/microsites/emc-digital-universe-

2011/index.htm

[2] Vacca, Jonh R(2005) Computer Forensics ComputerCrime scene Investigation 2. Edio - Published by pela

editora Charles River Media - ISBN: 1-58450-389-0

[3] Jain A. (2001) Corruption: A Review- Journal ofEconomic Surveys Vol. 15, n. 1 Concordia University

[4] UNODC (2005) Economic and Financial Crimes: Challengesto Sustainable Development - http://www.unis.unvienna.org/

pdf/05-82108_E_5_pr_SFS.pdf

[5] Pimenta, C. (2009) Esboo de Quantificao da Fraude emPortugal Working Papers N 3/2009 OBEGEF

Observatrio de Economia e Gesto de Fraude.

[6] Pwc, 2011 - Global economic crime survey 2011http://www.pwc.com/gx/en/economic-crime-

survey/download-economic-crime-people-culture-

controls.jhtml

[7] Branco, M. 2010 Empresas, Responsabilidade Social eCorrupo Working Papers N 6/2010 OBEGEF

Observatrio de Economia e Gesto de Fraude

[8] Jain A. (2001) Corruption: A Review- Journal ofEconomic Surveys Vol. 15, n. 1 Concordia University

[9] Zuboff, S. (2009) Wall Street's Economic Crimes Against

Humanity - BusinessWeek VIEWPOINT - March 20, 2009http://www.businessweek.com/managing/content/mar2009/c

a20090319_591214.htm

[10]Schneier, B , 2004 Secrets and Lies - Digital Security in aNetworked World - Wiley Computer Publishing, Inc

[11]Kruse, Warren G., Heiser, Jay G., 2001. Computer forensicsincident response essentials Published by Addison-Wesley

Professional; 1 edition.

[12]Carrier, B. 2002 Defining Digital Forensic Examination andAnalysis Tools. Digital Forensic Research Workshop 2002,

Syracuse - http://www.dfrws.org/2002/papers/Papers/Brian

_carrier.pdf.

[13]Inmon, Keith e Rudin, Norah (2001) - Principles andPractice of Criminalistics - The Profession of Forensic

Science

[14]IOCE International Organization on Computer Evidence -General Definitions relating to digital evidence -http://www.ioce.org/core.php?ID=5 .

[15]SWGDE - Best Practices for Computer Forensics -http://www.swgde.org/documents/current-documents/ .

[16]ACPO Association of Chief Police Officers UK GoodPractice Guide for Computer-Based Electronic Evidence

http://www.7safe.com/electronic_evidence/ACPO_guideline

s_computer_evidence.pdf

[17]Carrey Eoghan, 2009 Handbook of Digital Forensics andInvestigation Published by Elsevier Academic Press

[18]Brown, Christopher L. T. 2006 - Computer evidence:Collection & Preservation Thomson/Delmar learning.

published by: Charles River Media, inc.Tavel, P. 2007.

Modeling and Simulation Design. AK Peters Ltd., Natick,MA.

[19]Boddington R.,Hobbs V. and Mann G. - Validating digitalevidence for legal argument - Murdoch University

[20]Farmer, D. Venema, W. 2005 Forensic DiscoveryAddison-Wesley Professional Computing Series

[21]Carrier, B. 2006 Digital Investigation and Digital ForensicBasics - Disponivel em: http://www.digital-evidence.org/

di_basics.html

[22]Palmer, Gary L. 2001 A Road Map for Digital ForensicResearch. Technical Report DTR-T001-01, DFRWS,

November 2001. Report From the First Digital Forensic

Research Workshop (DFRWS).

[23]DFRWS TECHNICAL REPORT, 2001 - A Road Map forDigital Forensic Research. -Report From the First DigitalForensic Research Workshop (DFRWS)

[24]Kenneally, Erin E. - Open Source Software As A Mechanism

To Assess Reliability For Digital Evidence Published byVirginia Journal of Law and Technology Association -

http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally

.html#_edn3

[25]SWGDE - Best Practices for Computer Forensics -http://www.swgde.org/documents/current-documents/
http://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.ioce.org/core.php?ID=5http://www.swgde.org/documents/current-documents/http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.swgde.org/documents/current-documents/http://www.swgde.org/documents/current-documents/http://www.swgde.org/documents/current-documents/http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.digital-evidence.org/%20di_basics.htmlhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.swgde.org/documents/current-documents/http://www.ioce.org/core.php?ID=5http://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htm

using oss for forensic purposes

Documents