IFIP Advances in Information
and Communication Technology 337
Editor-in-Chief
A. Joe Turner, Seneca, SC, USA
Editorial Board
Foundations of Computer Science
Mike Hinchey, Lero, Limerick, Ireland
Software: Theory and Practice
Bertrand Meyer, ETH Zurich, Switzerland
Education
Bernard Cornu, CNED-EIFAD, Poitiers, France
Information Technology Applications
Ronald Waxman, EDA Standards Consulting, Beachwood, OH, USA
Communication Systems
Guy Leduc, Université de Liège, Belgium
System Modeling and Optimization
Jacques Henry, Université de Bordeaux, France
Information Systems
Barbara Pernici, Politecnico di Milano, Italy
Relationship between Computers and Society
Chrisanthi Avgerou, London School of Economics, UK
Computer Systems Technology
Paolo Prinetto, Politecnico di Torino, Italy
Security and Privacy Protection in Information Processing Systems
Kai Rannenberg, Goethe University Frankfurt, Germany
Artificial Intelligence
Max A. Bramer, University of Portsmouth, UK
Human-Computer Interaction
Annelise Mark Pejtersen, Center of Cognitive Systems Engineering, Denmark
Entertainment Computing
Ryohei Nakatsu, National University of Singapore
IFIP – The International Federation for Information Processing
IFIP was founded in 1960 under the auspices of UNESCO, following the First
World Computer Congress held in Paris the previous year. An umbrella organi-
zation for societies working in information processing, IFIP’s aim is two-fold:
to support information processing within its member countries and to encourage
technology transfer to developing nations.As its mission statement clearly states,
IFIP’s mission is to be the leading, truly international, apolitical
organization which encourages and assists in the development, ex-
ploitation and application of information technology for the benefit
of all people.
IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It
operates through a number of technical committees, which organize events and
publications. IFIP’s events range from an international congress to local seminars,
but the most important are:
• The IFIP World Computer Congress, held every second year;
• Open conferences;
• Working conferences.
The flagship event is the IFIP World Computer Congress, at which both invited
and contributed papers are presented. Contributed papers are rigorously refereed
and the rejection rate is high.
As with the Congress, participation in the open conferences is open to all and
papers may be invited or submitted. Again, submitted papers are stringently ref-
ereed.
The working conferences are structured differently. They are usually run by a
working group and attendance is small and by invitation only. Their purpose is
to create an atmosphere conducive to innovation and development. Refereeing is
less rigorous and papers are subjected to extensive group discussion.
Publications arising from IFIP events vary. The papers presented at the IFIP
World Computer Congress and at open conferences are published as conference
proceedings, while the results of the working conferences are often published as
collections of selected and edited papers.
Any national society whose primary activity is in information may apply to be-
come a full member of IFIP, although full membership is restricted to one society
per country. Full members are entitled to vote at the annual General Assembly,
National societies preferring a less committed involvement may apply for asso-
ciate or corresponding membership. Associate members enjoy the same benefits
as full members, but without voting rights. Corresponding members are not rep-
resented in IFIP bodies. Affiliated membership is open to non-national societies,
and individual and honorary membership schemes are also offered.
Kam-Pui Chow Sujeet Shenoi (Eds.)
Advances in
Digital Forensics VI
Sixth IFIP WG 11.9 International Conference
on Digital Forensics
Hong Kong, China, January 4-6, 2010
Revised Selected Papers
13
Volume Editors
Kam-Pui Chow
University of Hong Kong, Department of Computer Science
Hong Kong, China
E-mail: chow@cs.hku.hk
Sujeet Shenoi
University of Tulsa, Department of Computer Science
Tulsa, OK 74104, USA
E-mail: sujeet@utulsa.edu
Library of Congress Control Number: 2010934317
CR Subject Classification (1998): H.3, C.2, K.6.5, D.4.6, F.2, E.3
ISSN
1868-4238
ISBN-10
3-642-15505-7 Springer Berlin Heidelberg New York
ISBN-13
978-3-642-15505-5 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
springer.com
© International Federation for Information Processing 2010
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper 219/3180
Contents
Contributing Authors ix
Preface xvii
PART I THEMES AND ISSUES
1
A History of Digital Forensics
3
Mark Pollitt
2
Toward a Science of Digital Forensic Evidence Examination
17
Fred Cohen
3
Using a Local Search Warrant to Acquire Evidence Stored Overseas
via the Internet
37
Kenny Wang
4
An Analysis of the Green Dam Youth Escort Software
49
Frankie Li, Hilton Chan, Kam-Pui Chow and Pierre Lai
PART II FORENSIC TECHNIQUES
5
Forensic Analysis of a PlayStation 3 Console
65
Scott Conrad, Greg Dorn and Philip Craiger
6
A Consistency Study of the Windows Registry
77
Yuandong Zhu, Joshua James and Pavel Gladyshev