A computer forensic investigator must find information relevant to a case and also determine what events led to the creation of that information. Much of this information is stored by the operating system: file timestamps, Internet search history, user log information, usernames and passwords, encrypted files, and many other types of information that may be admissible in court. Depending on how an operating system is designed and implemented, it can hinder or support a digital forensic investigation. In Huebner and Henskens' article, The Role of Operating Systems in Computer Forensics, they introduce several articles that discuss many of the problems encountered in computer forensics associated with operating systems. This report will discuss some of the underlying issues in computer forensics along with the issues raised by Huebner and Henskens. Problems addressed include instrumentation of operating systems, software issues in digital forensics, computer forensics of virtual systems, disk encryption in forensics, and computer forensics case management.

The problem with using operating systems instrumentally for digital forensic analysis is that current digital forensic techniques do not fully utilize an operating system's existing forensic capabilities. For example, capturing real-time data requires capturing volatile memory in RAM before shutting down the computer. There are currently no forensically sound methods for taking a memory image of a system without attaching specialized hardware (Kornblum & Libster). Inserting an external device can change the state of the system, for example by altering the SYSTEM hive of the registry on a Windows machine, w...... middle of paper ......monitor a virtual machine that allows the user to extract information from it without affecting its functionality or state (Flores & Atkison).
From a digital forensics point of view this is very useful because it allows the investigator to perform real-time analysis on the virtual machine without affecting the state of the machine. One problem with virtual machine introspection is that when you introspect on a virtual machine you get only a crude representation of the data: raw memory contents. The data is difficult to understand because the native operating system's application programming interface is not available to interpret it. The inability to obtain high-level data from low-level data is known as the semantic gap (Flores & Atkison). One solution to overcome the semantic gap is to create extensions from the existing forensic framework and combine them with VMI methodologies.
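The semantic gap described above is easiest to see with a concrete image. The following is an added example, not code from the essay or from the papers it cites: it constructs a small toy memory image whose layout (a tagged, fixed-size process record with forward/backward list pointers, and a header pointer to the list head) is entirely an assumption standing in for a real kernel's process list. Without that layout, the bytes are just hex; with it, an investigator can walk the list to recover a process table, and can also carve records by their tag as a cross-check that still works when a pointer is damaged.

```python
"""Bridging the semantic gap over a raw memory image (added example).

The record layout below is a hypothetical profile, not any real kernel's.
A real analysis framework plays the same role: it supplies the struct
offsets that turn raw guest memory into objects the investigator can read.
"""
import struct
from dataclasses import dataclass

TAG = b"Proc"                          # constructed record marker
REC_FMT = "<4sIIQQ16sQ"                # tag, pid, ppid, flink, blink, name, created
REC_SIZE = struct.calcsize(REC_FMT)    # 52 bytes, no padding with "<"
OFF_FLINK = struct.calcsize("<4sII")   # 12: offset of the forward pointer
HEAD_OFF = 0                           # image offset holding the list-head pointer
MAX_WALK = 4096                        # cap so a corrupted circular list cannot spin forever


@dataclass(frozen=True)
class Process:
    addr: int
    pid: int
    ppid: int
    name: str
    created: int


def build_image(entries, base=0x1000, size=0x4000):
    """Lay out a constructed image: head pointer at offset 0, records from `base`
    linked into a circular doubly linked list."""
    img = bytearray(size)
    n = len(entries)
    for i, (pid, ppid, name, created) in enumerate(entries):
        addr = base + i * REC_SIZE
        flink = base + ((i + 1) % n) * REC_SIZE
        blink = base + ((i - 1) % n) * REC_SIZE
        struct.pack_into(REC_FMT, img, addr, TAG, pid, ppid, flink, blink,
                         name.encode("ascii"), created)
    struct.pack_into("<Q", img, HEAD_OFF, base)
    return bytes(img)


def raw_bytes(img, addr):
    """What VMI hands back before any profile is applied: just hex."""
    return img[addr:addr + REC_SIZE].hex()


def read_record(img, addr):
    """Apply the profile to one record; reject pointers that leave the image
    or land on bytes that do not carry the expected tag."""
    if addr < 0 or addr + REC_SIZE > len(img):
        raise ValueError(f"record pointer 0x{addr:x} outside image")
    tag, pid, ppid, flink, blink, raw_name, created = struct.unpack_from(REC_FMT, img, addr)
    if tag != TAG:
        raise ValueError(f"no record tag at 0x{addr:x}")
    name = raw_name.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return Process(addr, pid, ppid, name, created), flink, blink


def walk_process_list(img):
    """Follow forward pointers from the head until the list wraps around.
    Stops, with a warning, instead of crashing on a damaged pointer."""
    (head,) = struct.unpack_from("<Q", img, HEAD_OFF)
    procs, warnings, seen, addr = [], [], set(), head
    while addr not in seen and len(procs) < MAX_WALK:
        seen.add(addr)
        try:
            proc, flink, _ = read_record(img, addr)
        except ValueError as exc:
            warnings.append(str(exc))
            break
        procs.append(proc)
        addr = flink
    return procs, warnings


def carve_records(img):
    """Ignore the pointers and find records by their tag instead. A record the
    list walk cannot reach (damaged links) still shows up here."""
    found, pos = [], img.find(TAG)
    while pos != -1:
        try:
            found.append(read_record(img, pos)[0])
        except ValueError:
            pass                        # tag bytes that are not a full record
        pos = img.find(TAG, pos + 1)
    return found


def corrupt_pointer(img, addr):
    """Constructed damage for the demo: overwrite one forward pointer with an
    address far outside the image, as a partially overwritten list would look."""
    buf = bytearray(img)
    struct.pack_into("<Q", buf, addr + OFF_FLINK, 0xFFFF_FFFF_0000)
    return bytes(buf)


def demo():
    # Constructed sample process table (pid, ppid, name, created-epoch-seconds).
    entries = [(4, 0, "System", 1_700_000_000),
               (100, 4, "init-like", 1_700_000_010),
               (233, 100, "sshd", 1_700_000_020)]
    img = build_image(entries)
    clean, _ = walk_process_list(img)
    damaged = corrupt_pointer(img, clean[1].addr)   # break the link after pid 100
    partial, warnings = walk_process_list(damaged)
    return {
        "raw_first": raw_bytes(img, clean[0].addr),
        "clean": [p.pid for p in clean],
        "partial": [p.pid for p in partial],
        "carved": sorted(p.pid for p in carve_records(damaged)),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The list walk is the fast path and gives the records in kernel order; the carve is slower but independent of the pointers, so disagreement between the two is itself a finding worth recording in the case notes. Either way the only thing that turns the hex in `raw_first` into process names is the profile, which is exactly what a VMI-based tool has to be given to close the semantic gap.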