Application forensics

Tim Ebringer CA

Computer forensics has traditionally focused on the acquisition, analysis and presentation of 'images' of storage media, with a view to its later presentation as evidence in a court or law. This analysis sometimes reveals executable software which may be of interest to the forensic analyst; indeed it may be a key link in associating a relatively unskilled user with a sophisticated offence.

Prosecuting or defending a case against a user who allegedly used such an application presents particular evidentiary challenges. This paper relates our experience in forensic examination, documentation and legal presentation of executable applications. We detail the workflow of such an examination, from initial acquisition to eventual presentation in court. We explain how to compile and present findings of fact such that they will satisfy the requirements of computer evidence, and offer the reader suggestions on how to successfully navigate a potentially gruelling cross-examination.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.