Title

A forensically tested tool for identification of notebook computers to aid recovery: LIARS phase 1 proof of concept

Document Type

Conference Proceeding

Publisher

School of Computer and Information Science, Edith Cowan University

Faculty

Computing, Health and Science

School

School of Computer and Information Science, Centre for Security Research

RAS ID

4051

Comments

This paper was originally published as: Hannay, P., Woodward, A., & Cope, N. (2007, December). A forensically tested tool for identification of notebook computers to aid recovery: LIARS phase I proof of concept. In Proceedings of the 5th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia.

Abstract

The LIARS tool was designed to enable the identification, and potentially the return to their rightful owners, of stolen laptop or notebook computers. Many laptops are discovered by police, but time constraints prevent recovered devices from being identified. This project has produced a proof-of-concept tool that can be used by virtually any police officer or other investigator and that does not alter the hard drive in any fashion. The tool uses a modified version of the chntpw software and is based on a forensically tested live Linux CD. It examines registry hives for known locations of keys which may provide information about the owner of the laptop. This paper outlines the successful first phase of the project and looks at future directions.