using oss for forensic purposes

Upload: manuel-delgado

Post on 08-Aug-2018

213 views

Category:

Documents


0 download

TRANSCRIPT

  • 8/22/2019 Using OSS for Forensic Purposes

    1/7

    Using Open Source for Forensic PurposesManuel Delgado

    ISCTE-IULR. Manuel Ferreira Andrade

    29-C 1500-416 Lisboa+351966778699

    [email protected]

    Manuela AparcioISCTE-IUL

    Av. das Foras Armadas1649-026 Lisboa+351999999999

    [email protected]

    Carlos CostaISCTE-IUL

    Av. das Foras Armadas1649-026 Lisboa+351999999999

    [email protected]

    ABSTRACTThis article provides an overview of the basic digital forensic

    process. In different contexts of crime, the use of "computer

    forensics" is a usual way to gather evidence. Digital data is

    collected and analyzed in order to be presented in court asevidence of illegal activities. This is already a first-line option in

    most cases for criminal investigation. For some types of crime,

    particularly economic and financial research focuses on the

    storage devices.

    In the context of a crime, create and certify a full Image of

    suspect devices is vital to preserve its integrity. The disk image,

    take sector by sector copy usually for forensic purposes, and assuch will contain some mechanism (internal verification) to prove

    that the copy is accurate and has not changed. In this work we

    present some Open Source tools to perform an effective role in

    computer forensics, which ensure the realization of these images,fulfilling all the requirements, so that any evidence recovered

    from his analysis, may be admitted in court.

    Categories and Subject DescriptorsK.4.2 [COMPUTERS AND SOCIETY]: Social Issues;

    D.4.6 [OPERATING SYSTEMS]: Security and Protection;

    General Terms

    Experimentation, Security, Legal Aspects, Verification.

    KeywordsElectronic Crime, Financial Crime, Computer Forensics, Open

    Source.

    1. INTRODUCTIONOne of the most significant developments in Information and

    Communication Technologies in business, has to do with the

    increasing dematerialization of supporting documents, is already

    finding that most of the information generated in the world is

    created and stored in digital format and it is estimated that morethan half of the documentation related to economic activity, never

    leave the digital domain. This means that paper documents

    associated with business world, are only a small part, being

    significantly longer majority, the number of documents in digital

    format. [1].

    This reality contrasts with the rule, that paper documentscontinues to play in the field of justice where, with apparent

    indifference to the impact of technological change at all levels oftoday society, the research teams, particularly in the economic

    crime area, continue to base his work on "paper discovery."

    The transfer of documentary support to the digital world, causes

    the computer equipment in addition to instrument and / or target

    of computer crimes, may constitute today as huge repositories of

    evidence of crimes the most varied nature, including economic,making it now essential their contribution, to the discovery of

    truth in most of the investigations, regardless of the type of crime

    committed[2].

    Despite the growing awareness of the importance of digital

    evidence, is still not peaceful its acceptance in court, given thedivergent views of various judicial actors.

    Concerning the reliability of such evidence, some judges believe

    that the precision and objectivity of the electronic evidence make

    it more reliable; other judges think that the lack of means to verifythe authenticity of the electronic evidence makes it more

    vulnerable and, therefore, less reliable than traditional evidence in

    general.

    Many technical experts highlight some positive properties about

    electronic evidence: exact, complete, clear, precise, true,

    objective, and neutral, and the fact that in many instances,electronic evidence appears to be essential for the resolution of

    certain type of crime.

    For judges, electronic evidence is easy to be collected, stored, andpreserved. About the inconveniences, law professionals often

    invoke the establishment of legal value on this type of evidence as

    a difficulty due to the existing ignorance about procedures of dataprocessing and the interpretation of prosecutorial law in this

    mater.

    Permission to make digital or hard copies of all or part of this work for

    personal or classroom use is granted without fee provided that copies are

    not made or distributed for profit or commercial advantage and that copies

    bear this notice and the full citation on the first page. To copy otherwise, or

    republish, to post on servers or to redistribute to lists, requires prior specific

    permission and/or a fee.

    Conference10, Month 12, 2010, City, State, Country.

    Copyright 2010 ACM 1-58113-000-0/00/0010$10.00. This difficulty is generated by the lack of suitable and systematic

    regulation and also the lack of homogeneous jurisprudence.Jurists admit their fears of the vulnerability (the high degree of

    volatility of electronic evidences nature). On the other side,

    http://dl.acm.org/ccs.cfm?part=author&coll=DL&dl=ACM&row=D.4&idx=4&CFID=88090005&CFTOKEN=56488093http://dl.acm.org/ccs.cfm?part=author&coll=DL&dl=ACM&row=D.4&idx=4&CFID=88090005&CFTOKEN=56488093
  • 8/22/2019 Using OSS for Forensic Purposes

    2/7

    judges and prosecutors do not understand very well this kind of

    evidence and that is the reason why they often reject it in trials.

    All of we as computer experts, have responsibility not only tomake clear to law enforcement officials, the real value of digital

    evidence, but rather to investigate and develop tools to isolate this

    type of evidence in a safe and reliable manner and also timely

    useful.

    As in Portugal, the use of Computer Forensics is still very limited,

    particularly in the economic crime investigation, I think it isimportant to disclose the reasons and potential to promote this

    scientific area as a new field of research.

    This paper as a survey paper of previous results, aims to show that

    tools are available that enable a qualitative jump in research

    processes, without jeopardizing the budget balance of justice

    departments, as current economic situation requires.

    2. METHODOLOGYIn addition to the literature review, the material in this paper is

    based on the authors' experience using computer forensics in the

    economic crimes investigation.

    The paper is very much a descriptive reflection about the

    importance of computer forensics in economic crime

    investigations, warning to the existence of tools to develop this

    work with quality and reduced costs.

    3. ECONOMIC AND FINANCIALCRIMECorruption and all practices related to economic and financial

    crime, should be seen as acts of deviant and criminal nature. Inaddition to violating the rules for the normal functioning of

    institutions as a whole, acts of this type contribute to raise the

    citizens, general feelings of social mistrust and may, at worst,

    degenerate into a dizzying process of decay of the most

    elementary rules of healthy social life cultural, economic and

    political [3].

    3.1 Definition and Range"Economic and Financial crime" means any form of non-violentcrime which results in a financial loss. This type of crime thus,

    encompassing a wide range of illegal activities such ascorruption, fraud, tax evasion and money laundering.

    It is, however, difficult to define the notion of "economic crime",

    and its exact concept remains a challenge. The task is further

    complicated due to technological advances that provide new ways

    to develop and perpetuate such crimes [4].

    It is also difficult to determine the overall extent of the

    phenomenon, partly due to the absence of a clear concept and

    accepted by all, by virtue of the registration systems of economicand financial crime, differ considerably from country to country

    as well, because the companies or financial institutions choose to

    resolve incidents internally, refraining from participating to the

    authorities [5].

    Since, most of the economic crimes, committed on the basis of

    technology, do not require the physical presence of the offender.

    Thanks to significant differences between the legal frameworks ofdifferent countries, this allows criminals to choose to base their

    activities, on countries with more lenient legal frameworks.

    The available data clearly suggest that the economic and financial

    crime continues to grow rapidly [6], mainly under the influence ofnew information technologies, the spread of electronic banking

    and the expansion of Internet services on a global scale.

    3.2 Impact on Sustainable DevelopmentUsually fraudulent activities, take the place of legitimate

    economic activity, discouraging investment. Hence, the economic

    and financial crimes constitute the long term, a serious threat to

    the peaceful and democratic socio-economic development. Thecountries where the illegal economic and financial activities are

    socially accepted, do not offer conditions for financial markets to

    develop, given the high standards and professional values, legal

    and moral, in which they are based. The mere notion of beingcommitted illegal economic and financial acts, can cause

    irreparable economic harm. The public suspicion inevitably

    undermines the legitimacy of government [7].

    The universality of this phenomenon is an inescapable reality.

    Jain states that the effects of corruption tend to have repercussions

    throughout the economy, not confined to the specific act. It found

    that in a country with an inefficient legal system, the level of

    corruption tends to increase and may lead to their political elitecannot resist the increased income it provides. Once corrupted,

    the elite will try to reduce the effectiveness of legal systems,

    through the manipulation of resource allocation and appointments

    to key positions. In turn, reducing the resources, the match will

    condition, thereby allowing the further spread of corruption [8].

    The recent economic crisis, made to multiply the voices calling

    for the urgent need to investigate and punish the guilty, to the

    point, eminent experts, advocate that the magnitude of some ofthe crimes should lead to its being classified as "crimes against

    humanity"[9].

    4. COMPUTER FORENSICSOur increasingly complex world, puts us at a very particular

    social and cultural crossroad. At no other time the society was so

    dependent on technology in its various expressions. Nearly everyfacet of our lives suffer in some way the impact of technology (e-

    mail, instant messaging, online banking, video and digital music,

    etc..). This dependence and, in general, dependence on

    technology, had a cascading effect on other less obvious areas ofsociety, as eloquently portrays Bruse Schneier, in his book

    Secrets and Lies - Digital Security in a Networked World[10].

    One such area is law enforcement and, more specifically, the part

    that concerns the criminal investigation [11]. Historically, thecriminal investigation had concepts such as physical evidence,

    eyewitnesses, and confessions. Today, the criminal investigator

    cannot fail to recognize that a significant part of the proof lies in

    electronic or digital form.

    As Carrier stated in his Article "Getting physical with DigitalInvestigation Process", [12], for many crimes of today, the crime

    scene may consist of a simple computer that, by itself, can hold a

    large number of evidence, as opposed to the traditional physicalcrime scene. The witness today, can be tomorrow a 'log' file

    generated on a computer.

    In order to deal effectively with this new reality, computer

    forensics, while embryonic branch of science, has been

    developing methodologies and creating rules aimed at drawing

    attention to the care that must be taken to ensure that it is not

  • 8/22/2019 Using OSS for Forensic Purposes

    3/7

    overlooked the primary objective of research process, which

    ultimately aims to identify the party or parties responsible forillegal practices.

    4.1 Forensic ScienceSuch as medicine or engineering, forensic analysis of physical

    evidence is an applied science, which relies on the basic scientific

    principles of physics, chemistry and biology. As such, every

    experience and each case must follow the scientific method oftesting hypothesis.

    Notwithstanding the conclusions reached by Inmon and Rudin, in

    his work "Principles and Practice of Criminalistics," referring to

    the legal practice is not strictly experimental, given the nature of

    the sample completely uncontrolled, which characterizes the

    process of investigation, as opposed to highly controlledconditions in which scientific experiments are carried out with

    variables intentionally altered, one at a time, etc., the scientific

    method has been one of the most powerful tools available to the

    forensic investigator to ensure the fulfillment of his responsibility

    to provide accurate relevant evidence in an objective and

    impartial manner, [13]

    Starting with a collection of facts, continues with the formulationof a hypothesis based on the evidence available, while retaining

    the awareness of the possibility that the observations andanalyzes, may not be correct. Thus, to assess the veracity of the

    hypothesis is not only necessary to seek support for the evidence

    found but equally important to consider alternative hypotheses.

    The process of trying to refute our own hypothesis involves

    performing experiments that allow testing our underlyingassumptions and obtaining a better understanding of digital tracks

    that we are considering.

    This is a process inherently inductive, in that, the results obtained

    from a forensic sample, are not a simple experiment, but a test or

    analysis in which the analyst collects material on a piece of

    evidence that later, will combine with other facts and hypotheses,to form a theory about what actually happened in the case.

    4.2 Locard Exchange PrincipleThe fundamental rule followed by forensic science is the Locard

    exchange principle, according to which, every contact leavestraces."No one can act [commit a crime] with the force [intensity]

    that the criminal act requires without leaving behind numerous

    signs [marks] of it: either the wrong-doer [felon; malefactor,

    offender] has left signs at the scene of the crime, or, on the other

    hand, has taken away with him on his person [body] or clothes

    indications of where he has been or what he has done.[13]".

    Based on the definition of digital evidence by three leading

    organizations in this field:

    "Information Transmitted or stored in binary form That may

    be relied upon in court" [14];

    "Information of probative value that is stored in binary form

    or Transmitted" [15];

    "Information and data of investigative value that is stored on

    or Transmitted by a computer" [16].

    We must say that, "Digital Evidence" is any information stored or

    transmitted in digital format, with probative value in criminal or

    civil prosecution. Again, the Locard exchange principle is valid,

    [17], thanks to the control loop currently available in operating

    systems, allowing the screening of all activities on the systems.

    Thus, a basic principle that cannot be overlooked, is the

    preservation of all original traces, which advises that the research

    be done on the original media, but whenever possible, on a full

    and exact copy of that, Bit Stream Image,[18].

    Investigation of digital evidence is a process that develops in two

    areas: investigative and legal domain, however, remains a gap thatseparates them, and the size of that gap, varies inversely with the

    computer literacy of prosecutors.

    As represented in figure 1, the first concern in the investigative

    domain, relates to the preservation of evidence, which is usually

    ensured by carrying out a "bit stream image" of the suspect

    device. This image is in the final, certified through a hashfunction.

    Than it must be done a search on the image, usually based on akeyword list, searching all spaces of the device including

    unallocated and slack spaces as well within any kind of hidden

    control files at the operating system level, such as swap, log and

    registry files, among others, in order to locate and select the

    evidence.

    Finally Validation relates to the question of whether the locatedevidence is what it seems to be. For instance, the assertion that an

    important file, was deleted would require confirmation of the

    existence of the deleted file, in the unallocated space. This phase

    ends with a detailed report.

    Figure 1. Computer Forensic Domains.[19]

  • 8/22/2019 Using OSS for Forensic Purposes

    4/7

    The Legal Domain has to do with the intervention of the lawyer,

    who, based on the report supplied by the investigator, shall testeach piece of evidence to determine its weight in legal argument

    and its suitability for use to prove or disprove the case.

    4.3 Forensic science in the digital fieldRegarding Computer Forensics, some authors consider that it

    combines the advantages of forensic science with the art ofresearch. Farmer and Venema in his book Forensic Discovery,

    note that sometimes the expert acts as an archaeologist (digital),

    others as a geologist (digital). [20].

    Digital Archaeology, when acting on the direct effects of user

    activity, such as the file contents, access times, deleted file

    information, and information about network traffic;

    Digital geology, when acting on the autonomous process system,

    on which the user has no direct control, as the allocation and

    recycling of disk blocks, file identifiers, memory pages or

    process identifiers.

    As an example, the authors note that users have direct controlover the content of the files (archeology), but when a file is

    deleted, users no longer have any control over the sequence of

    destruction wrought by the system (geology).

    Similarly, Carrier, reflects on how this activity should be assigned

    by comparing it with the common forensic analysis. In his

    opinion, contrary to common forensic analysis (physics), in which

    the expert is confronted with a discrete set of questions aboutsamples (fluids, bullets, samples of skin, hair, etc.), which are

    delivered by a detective, being responsible for tasks of

    identification and individualization, computer forensics

    encompasses the role of the detective himself, developing into

    two steps: searching for evidence, then its analysis andinterpretation. To that extent, the author proposes for this activity,

    the name "Computer Forensic Investigation" or "Digital Forensic

    Investigation". [21].

    Figure 2.

    Digital Forensic Model.

    4.4 Digital Investigation Methodology

    The first Digital Forensic Research Workshop (DFRWS) held in

    2001 produced the following definition:

    The use of scientifically derived and proven methods toward

    the preservation, collection, validation, identification,

    analysis, interpretation, documentation and presentation of

    digital evidence derived from digital sources for the purpose

    of facilitating or furthering the reconstruction of events found

    to be criminal, or helping to anticipate unauthorized actions

    shown to be disruptive to planned operations [22].

    This definition itself, contains a sequential procedure translated in

    Table 1, which in general constitute a framework for furtherresearch in this area.

    Table 1. Investigative Process for Digital Forensic Science[23]

    Table 1 shows the main categories or phases of the investigativeprocess in the header. The contents of the columns below of each

    category, are techniques or methods used in the developmenttasks related to the phase that heads the column. This paper will

    only deal with the first three phases: Identification, Collection and

    Preservation.

    In practice, the investigation process referred in Figure 1, isdeveloped in two stages, as represented in Figure 2:

    - first phase takes place in the field, ensuring targetidentification,

    information gathering

    and preservation;

    - second phase isdeveloped in the

    laboratory and ensures

    examination, analysisand presentation of

    results.

    5. FORENSICTOOLSDigital forensic tools, aims

    the analysis of digital

    information, in order to

    incriminate or exoneratesomeone suspected of

    illegal activities. Often in

    decision context, the usual

    confrontation Open Source

    vs Closed Source, is notonly just reduced to the

    mere philosophical

    questions, but also other

    reasons arise such as costs or security.

    Computer Forensics, is more focused on the reliability of the

    results provided by the tools. It is essential to assess to whatextent the tools meet the legal requirements governing the

    admissibility of evidence.

  • 8/22/2019 Using OSS for Forensic Purposes

    5/7

    In the article "Gatekeeping Out Of The Box: Open Source

    Software As A Mechanism To Assess Reliability For Digital

    Evidence", published in the Virginia Journal of Law and

    Technology Association, Kenneally done a fairly comprehensive

    analysis on this dichotomy, and its surroundings in the middle

    court, concluding that, allow unrestricted access to code their own

    tools, in this context, confers a significant advantage to open

    source, given the "black box" proprietary [24].

    5.1 Targets of the toolsGiven the retrospective nature that characterizes the process of

    investigating economic and financial crimes, normally, computers

    play in this type of crime, the role of mere repository of evidence,

    making their storage units the main target of analysis.

    According to the recommendations of the Working Group on

    Digital Evidence Software [25], the analysis of digital evidenceshould not be performed on the original media, but over a full

    copy of that, as indicated in 4.2, in order to preserve any damage

    that could cause direct manipulation.

    Figure 3. EnCase GUI. Tool: Acquire.

    Figure 5. Creating Image with dd.

    Figure 7. Hashing the device to confirm (MD5)

    Figure 6. Hashing the created image (MD5)

    There are several Open Source tools that fully accomplish all the

    requirements of this process, as will shown in the followingsection.

    6. USAGE SCENARIO

    In a real case, after identifying the target device, the first step to

    accomplish is the creation of their image, " Bit Stream Image ", in

    which the researcher will then perform the analysis.

    By way of demonstration, this task is first performed using the

    proprietary platform for forensic analysis, "EnCase Forencic."

    The same operation is repeated with the use of Open Source tools,

    and in the end, the results are compared.

    6.1 Bit Stream Image using EnCase

    The suspect device that, under this case study, will be analyzed, is

    a USB Flash Pen 1 GB of which will start by creating an image.

    The process of creating the image provides a set of options such

    as:

    - partitioning of the image files of a given size, in this case itwas decided to split into files of 640 MB so that it can be

    burned to CD-ROM;

    - two compression ratios, this option should take into accounttrade-off, more compression / high speed. In this case, the

    choice was "best" that corresponds to the higher rate of

    compression which makes the acquisition process slower;

    - the possibility of calculating the HASH certification, based on

    MD5 and SHA1 algorithms, individually or jointly. We chose

    the first, which corresponds to the most common practiceadopted by the community.

    At the end of the EnCase process returns the particulars given infigure 4.

    Figure 4. Final Process information.

    6.2 Bit Stream Image using ddThe "dd" command is a common Unix program whose primary

    purpose is the low-level copying and conversion of raw data,

    designed to perform copy and convert files from one place to

    another. (there is also a version for Windows systems).

    This command has not been created for forensic purposes, so it

    does not include any specific features such as compression,certification, etc., being necessary to perform these tasks inaddition, using other tools.

  • 8/22/2019 Using OSS for Forensic Purposes

    6/7

    Figure 8. EwfAcquire characteristics of the target device

    Figure 9. EwfAcquire parameters required

    6.3 Bit Stream Image using EwfAcquireThe "ewfacquire" is an Open Source utility included in the

    "LIBEWF" library, designed to acquire data from various storage

    devices (floppy, Zip, Jaz, CDROM, DVDs, flash drives, hard

    drives, among others).

    It records files in the EWF format (Expert Witness Compression

    format), adopted by the two most spread proprietary Forensic

    platforms: EnCase Forensic and Forensic Toolkit (FTK) Imager.

    Figure 10. Summary of the introduced parameters

    Figure 11. Final Process information.

    Figure 12. Hashing the device to confirm (MD5)

    When running Ewfacquire this command requests, by commandline, a wide range of elements, not only for the parameterization

    of the image we want to achieve, but also identification elementsof the case in research and the identification of the technician who

    performs the work, among other elements.

    All that data will be part of the image metadata.

    Calculating the hash of the original device, if it matches the hashreturned by Ewfacquire, we have the image properly certified.

    7. CONCLUSIONIn practice this small example covers the first three phases of a

    research process:

    1. Identification - After the incident notice, was isolated

    suspicious device - USB Flash Pen 1 GB;

    2. Preservation - were taken every precaution so that the

    content does not undergo any changes by inhibiting the option

    of writing to the device (Write blocking / mounting device in

    read only mode);

    3 - Collection and certification - Creating a "Bit-Stream"image using "dd" and EwfAcquire and calculating the hash

    signature with the "md5sum" command.

  • 8/22/2019 Using OSS for Forensic Purposes

    7/7

    Using these samples and taking into account the matching of the

    hash calculated A845445FB5A07E677FD51C0D4B4EAB89

    on the result of the different commands, and the content of thetarget device, we can ensure that, as regards the process of

    "acquisition", Open Source tools do not show any disadvantage

    for the proprietary reference tool "EnCase Forensic" or any other.

    Similar conclusions can be obtained in the broad field of analysis

    of digital evidence, characterized by multiple specificities, for

    which there is a huge variety of open source tools ready for use,most of which, validated and certified.

    Most of these Open Source tools in no way are less reliable andeffective, when compared with the proprietary suits who join on

    the same platform, a wide range of features of friendly usability,

    but whose reliability is not always possible to evaluate or certify,

    However this does not prevent the huge licensing costs,

    sometimes even prohibitive.

    8. REFERENCES[1] Gantz, John e Reinsel, David - The Digital Universe Decade

    Are You Ready? IDC IVIEW http://www.emc.com/collateral/demos/microsites/emc-digital-universe-

    2011/index.htm

    [2] Vacca, Jonh R(2005) Computer Forensics ComputerCrime scene Investigation 2. Edio - Published by pela

    editora Charles River Media - ISBN: 1-58450-389-0

    [3] Jain A. (2001) Corruption: A Review- Journal ofEconomic Surveys Vol. 15, n. 1 Concordia University

    [4] UNODC (2005) Economic and Financial Crimes: Challengesto Sustainable Development - http://www.unis.unvienna.org/

    pdf/05-82108_E_5_pr_SFS.pdf

    [5] Pimenta, C. (2009) Esboo de Quantificao da Fraude emPortugal Working Papers N 3/2009 OBEGEF

    Observatrio de Economia e Gesto de Fraude.

    [6] Pwc, 2011 - Global economic crime survey 2011http://www.pwc.com/gx/en/economic-crime-

    survey/download-economic-crime-people-culture-

    controls.jhtml

    [7] Branco, M. 2010 Empresas, Responsabilidade Social eCorrupo Working Papers N 6/2010 OBEGEF

    Observatrio de Economia e Gesto de Fraude

    [8] Jain A. (2001) Corruption: A Review- Journal ofEconomic Surveys Vol. 15, n. 1 Concordia University

    [9] Zuboff, S. (2009) Wall Street's Economic Crimes Against

    Humanity - BusinessWeek VIEWPOINT - March 20, 2009http://www.businessweek.com/managing/content/mar2009/c

    a20090319_591214.htm

    [10]Schneier, B , 2004 Secrets and Lies - Digital Security in aNetworked World - Wiley Computer Publishing, Inc

    [11]Kruse, Warren G., Heiser, Jay G., 2001. Computer forensicsincident response essentials Published by Addison-Wesley

    Professional; 1 edition.

    [12]Carrier, B. 2002 Defining Digital Forensic Examination andAnalysis Tools. Digital Forensic Research Workshop 2002,

    Syracuse - http://www.dfrws.org/2002/papers/Papers/Brian

    _carrier.pdf.

    [13]Inmon, Keith e Rudin, Norah (2001) - Principles andPractice of Criminalistics - The Profession of Forensic

    Science

    [14]IOCE International Organization on Computer Evidence -General Definitions relating to digital evidence -http://www.ioce.org/core.php?ID=5 .

    [15]SWGDE - Best Practices for Computer Forensics -http://www.swgde.org/documents/current-documents/ .

    [16]ACPO Association of Chief Police Officers UK GoodPractice Guide for Computer-Based Electronic Evidence

    http://www.7safe.com/electronic_evidence/ACPO_guideline

    s_computer_evidence.pdf

    [17]Carrey Eoghan, 2009 Handbook of Digital Forensics andInvestigation Published by Elsevier Academic Press

    [18]Brown, Christopher L. T. 2006 - Computer evidence:Collection & Preservation Thomson/Delmar learning.

    published by: Charles River Media, inc.Tavel, P. 2007.

    Modeling and Simulation Design. AK Peters Ltd., Natick,MA.

    [19]Boddington R.,Hobbs V. and Mann G. - Validating digitalevidence for legal argument - Murdoch University

    [20]Farmer, D. Venema, W. 2005 Forensic DiscoveryAddison-Wesley Professional Computing Series

    [21]Carrier, B. 2006 Digital Investigation and Digital ForensicBasics - Disponivel em: http://www.digital-evidence.org/

    di_basics.html

    [22]Palmer, Gary L. 2001 A Road Map for Digital ForensicResearch. Technical Report DTR-T001-01, DFRWS,

    November 2001. Report From the First Digital Forensic

    Research Workshop (DFRWS).

    [23]DFRWS TECHNICAL REPORT, 2001 - A Road Map forDigital Forensic Research. -Report From the First DigitalForensic Research Workshop (DFRWS)

    [24]Kenneally, Erin E. - Open Source Software As A Mechanism

    To Assess Reliability For Digital Evidence Published byVirginia Journal of Law and Technology Association -

    http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally

    .html#_edn3

    [25]SWGDE - Best Practices for Computer Forensics -http://www.swgde.org/documents/current-documents/

    http://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.ioce.org/core.php?ID=5http://www.swgde.org/documents/current-documents/http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.swgde.org/documents/current-documents/http://www.swgde.org/documents/current-documents/http://www.swgde.org/documents/current-documents/http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally%20.html%23_edn3http://www.digital-evidence.org/%20di_basics.htmlhttp://www.digital-evidence.org/%20di_basics.htmlhttp://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdfhttp://www.swgde.org/documents/current-documents/http://www.ioce.org/core.php?ID=5http://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.dfrws.org/2002/papers/Papers/Brian%20_carrier.pdfhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htmhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtmlhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.unis.unvienna.org/%20pdf/05-82108_E_5_pr_SFS.pdfhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htmhttp://www.emc.com/%20collateral/demos/microsites/emc-digital-universe-2011/index.htm