Monday, 5 October 2009

Forensic Cop Journal 1(3) 2009: Forensically Sound Write Protect on Ubuntu

This journal is derived from my previous post on forensically sound write protection on Ubuntu, which was tested successfully. Because the topic is so significant, I have made it an official journal. In this post I include only the Introduction and Experiments Preparation sections; the full PDF version of this journal can be downloaded at

The first principle according to ACPO (Association of Chief Police Officers) in the UK is “No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court” (ACPO, p4). This principle, which is applied by forensic investigators around the world, requires investigators to take particular care when dealing with data stored on computer storage media. Once the data is changed, the subsequent phases of examination will be considered weak and doubtful, and the results of the examination could even be rejected by the court. However, changes are still allowed when the investigators know exactly what their actions are and what they imply, such as when performing live imaging.

To comply with this principle, investigators apply write protection during the examination process, particularly when making the first forensic image. Write protection can be implemented in either software or hardware. On MS Windows, many forensically sound write-protect tools are offered to users, most of them commercial. Write protection is also available on Ubuntu, and it is free: a small modification to the fstab file configures an Ubuntu machine for forensically sound write protection. This journal discusses that configuration, including the experiments performed and the results obtained.

Experiments Preparation

A 4 GB flash disk is used as the object of these experiments. It is partitioned with GParted so that it has 4 partitions with different file systems. Below is the specification of each partition, with the operating system installed on it using Unetbootin.

Partition 1: size=996.19 MB and file system of ntfs.
Partition 2: size=996.22 MB and file system of fat16 with BartPE as operating system.
Partition 3: size=996.19 MB and file system of ext2 with Helix 3.0 as operating system.
Partition 4: size=847.15 MB and file system of ext3 with Ubuntu 8.10 as operating system.

Partition 1 has no OS installed because it is designed for storing files. This configuration is intended to make the flash disk closely resemble a real hard disk that has several partitions with different file systems.
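An audit of fstab entries for the evidence disk, as an added example that is not part of the original journal. The device name /dev/sdb, the mount points and the policy itself (require `ro`, and `noload` on ext3 so that a read-only mount does not replay the journal) are assumptions; the sample fstab is constructed to mirror the four partitions above.

```python
# Added example: audit fstab entries for an evidence device.
# Assumptions: the evidence disk is /dev/sdb and entries use device paths
# (UUID=/LABEL= entries are not resolved here). The policy is illustrative,
# not the fstab change used in the journal.

# Constructed sample mirroring the four test partitions (ntfs, fat16, ext2, ext3).
SAMPLE_FSTAB = """\
# <device>  <mount point>  <type>  <options>        <dump> <pass>
/dev/sdb1   /mnt/ev1       ntfs    ro,noexec,nodev  0 0
/dev/sdb2   /mnt/ev2       vfat    defaults         0 0
/dev/sdb3   /mnt/ev3       ext2    ro,noexec        0 0
/dev/sdb4   /mnt/ev4       ext3    ro,noexec        0 0
"""

# Journaled file systems can replay the journal (a write) even under "ro"
# unless "noload" (also accepted as "norecovery" by ext4) is given.
JOURNALED = {"ext3", "ext4"}
SKIP_JOURNAL = {"noload", "norecovery"}


def audit_fstab(text, evidence_prefix="/dev/sdb"):
    """Return (device, problem) pairs for entries that could alter evidence."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(evidence_prefix):
            continue
        device, _mount_point, fstype, options = fields[:4]
        opts = set(options.split(","))
        if "ro" not in opts:                  # "defaults" implies rw
            findings.append((device, "not mounted read-only"))
        if fstype in JOURNALED and not (opts & SKIP_JOURNAL):
            findings.append((device, "journal may be replayed despite ro"))
    return findings


if __name__ == "__main__":
    for device, problem in audit_fstab(SAMPLE_FSTAB):
        print(f"{device}: {problem}")
```

A clean audit only covers the mount options; comparing a hash of the device taken before and after mounting is what confirms that nothing was written.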

Friday, 2 October 2009

Forensic Cop Journal 1 (2) 2009: Similarities and Differences between Ubuntu and Windows on Forensic Applications

This post develops a previous post on the same topic: similarities and differences between Ubuntu and Windows on forensic applications. The previous post discussed it only in general, as a brief summary of experiments performed earlier; to give the topic a more comprehensive treatment, this post is issued in the form of a journal. I include only the Introduction and Research Preparation sections below. If you wish, the full PDF version of this journal can be downloaded at

In dealing with computer crime, forensic investigators face volatile digital evidence that must be discovered as soon as possible: the sooner it is recovered, the better the criminal investigators can handle the case, and it can even make it easier for the investigators to locate and catch the perpetrators. There are many ways to carry out a forensic investigation of computer crime cases. Although the techniques vary, they essentially share the same goal, namely to recover the digital evidence and then present it to the court.

Forensic investigators often work under two conditions: forensic analysis under Microsoft Windows and under a Linux OS such as Ubuntu. MS Windows and Ubuntu each have their own advantages and disadvantages for computer forensic examination. To some extent they are similar, but in other respects they differ. This journal describes the topic of “similarities and differences between Ubuntu and Ms Windows on forensic applications”. The descriptions also include practical samples of forensic tools in order to support the opinion.

Research Preparation

To keep this research on track, I run some experiments based on my experience in investigating computer crime cases, setting up a 4 GB flash disk as the experimental object. I configure it with 3 partitions using the Partition Editor application from Ubuntu. The first partition is FAT32 with a size of 1000 Mbyte, on which I install Helix Forensics using USB Startup Creator from Intrepid so that it becomes a bootable flash disk that runs Helix Forensics live. I also put some files with different file extensions, such as pdf, doc, odt, ppt, jpg, odp and so on, in different folders; some of these files are then deleted. The first partition becomes one of the objects of the experiments. To focus the analysis, I limit the similarities to 5 points of view and the differences to 3 points of view.