Acquiring volatile operating system data tools and techniques

Andrew Blyth, Iain Sutherland, J. Evans, T. Tryfonas

Allbwn ymchwil: Cyfraniad at gyfnodolynErthygladolygiad gan gymheiriaid


The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.
Iaith wreiddiolSaesneg
Tudalennau (o-i)65 - 73
Nifer y tudalennau8
CyfnodolynACM SIGOPS Operating Systems Review
Rhif cyhoeddi3
Dynodwyr Gwrthrych Digidol (DOIs)
StatwsCyhoeddwyd - 1 Ebr 2008

Ôl bys

Gweld gwybodaeth am bynciau ymchwil 'Acquiring volatile operating system data tools and techniques'. Gyda’i gilydd, maen nhw’n ffurfio ôl bys unigryw.

Dyfynnu hyn