Forensic Linux Live CD distributions are widely used during computer forensic investigations. Many vendors of such distributions state that their systems do not modify the contents of attached hard drives, or that they employ "write protection." Testing indicates that this is not always the case. [[Forensic Linux Live CD issues|Read More...]]
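As an added check (example code written for this page, not part of the Forensics Wiki article linked above): a POSIX shell function that audits a mount table in /proc/mounts format and flags every mount of an evidence device that is either read-write or, for ext3/ext4 and XFS, lacks the option that disables journal/log replay. That replay writes to the device even on a plain "ro" mount, which is one of the ways a "read-only" Live CD can still alter evidence. The device names and the sample table below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Forensics Wiki page or the linked article.
# Facts relied on: ext3/ext4 replay the journal on a plain "ro" mount
# unless "noload" is given; XFS replays its log unless "norecovery" is
# given. Both replays write to the evidence device.
# Assumption: SCSI-style device naming (/dev/sdb, /dev/sdb1, ...).

# audit_mounts MOUNTS_FILE DEV...  -- print each mount of DEV (or one of
# its partitions) whose options still allow writes, and return the number
# of such mounts (0 means the table is clean for those devices).
audit_mounts() {
    mounts_file=$1
    shift
    bad=0
    # Redirecting the file into the loop (rather than piping) keeps the
    # loop in the current shell, so $bad survives after the loop ends.
    while read -r mdev mpt fstype opts rest; do
        match=0
        for dev in "$@"; do
            case "$mdev" in
                "$dev"|"$dev"[0-9]*) match=1 ;;
            esac
        done
        [ "$match" -eq 1 ] || continue
        reason=""
        # Wrap the option list in commas so ",ro," cannot match "errors=ro".
        case ",$opts," in
            *,ro,*) ;;
            *) reason="mounted read-write" ;;
        esac
        if [ -z "$reason" ]; then
            case "$fstype" in
                ext3|ext4)
                    case ",$opts," in
                        *,noload,*) ;;
                        *) reason="journal replay not disabled (add noload)" ;;
                    esac ;;
                xfs)
                    case ",$opts," in
                        *,norecovery,*) ;;
                        *) reason="log replay not disabled (add norecovery)" ;;
                    esac ;;
            esac
        fi
        if [ -n "$reason" ]; then
            echo "$mdev on $mpt ($fstype,$opts): $reason"
            bad=$((bad + 1))
        fi
    done < "$mounts_file"
    return "$bad"
}

# make_sample_mounts FILE -- write a constructed mount table for a live
# system in which /dev/sdb is the evidence disk. Only sdb3 is mounted in a
# way that cannot write to the disk.
make_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence1 ext4 ro,relatime 0 0
/dev/sdb2 /mnt/evidence2 xfs rw,relatime 0 0
/dev/sdb3 /mnt/evidence3 ext4 ro,noload 0 0
/dev/sdc1 /mnt/other vfat ro 0 0
EOF
}

# Stand-alone demonstration on the constructed table. On a real system,
# point audit_mounts at /proc/mounts instead.
demo_file=$(mktemp)
make_sample_mounts "$demo_file"
if audit_mounts "$demo_file" /dev/sdb; then
    echo "evidence device mounts look safe"
else
    echo "evidence device has $? unsafe mount(s) (see above)"
fi
rm -f "$demo_file"
```

The audit is only a detective control: the journal replay happens at mount time, so by the time the table is read any damage is done. The preventive controls are a hardware write blocker, or on a Linux system setting the block device read-only with `blockdev --setro` before anything touches it (the kernel then refuses the replay writes instead of performing them) and disabling any automounter that would mount the device without those options.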
2016-03-30: Site Maintenance on 2016-04-01 Attention Forensic Wiki community, site maintenance will be occurring on 1 April 2016 from 9AM EST to 1PM EST. During this time Forensic Wiki will not be available as it will be offline to perform environment upgrades.
2015-08-26: A support email address (support AT forensicswiki.org) was created for all your forensicswiki needs. It is a mailing list that reaches the staff who handle site maintenance, issues, and similar requests. If you have questions or issues with the site, please send us an email.
2015-07-18: Forensic Wiki has been acquired by Harris Corporation for the betterment of the community. All licensing and data rights are staying the same, there’s just corporate funding behind the site now. The wiki will remain as an international resource, with no editorial input from Harris whatsoever. All of the existing editorial controls and checks and balances will remain in place. All of the existing accounts carry forward.
Abstract: Criminal investigations today can hardly be imagined without the forensic analysis of digital devices, whether a desktop computer, a mobile phone, or a navigation system. This holds not only for cases of cybercrime but also for traditional offences such as murder or blackmail, and private corporate investigations likewise rely on digital forensics. The result is an increasing number of cases with an ever-growing amount of data that exceeds the capacity of forensic experts. To help investigators work more efficiently, we introduce a novel approach that automatically reconstructs events which previously occurred on the examined system and gives the investigator a quick overview as a starting point for further analysis. In contrast to the few existing approaches, our solution does not rely on previously profiled system behaviour or on knowledge of specific applications, log files, or file formats. We further present a prototype implementation of this zero-knowledge event reconstruction approach, which relies solely on characteristic structures in file system metadata such as file and folder names and timestamps.
APFS, or Apple File System, is the file system designed by Apple Inc. to supersede HFS+ and to take advantage of flash/SSD storage and native encryption support. APFS also introduced file system snapshots, support for sparse files, and finer timestamp granularity (nanosecond resolution, where HFS+ records whole seconds).