Abstract
The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.
Original language | English |
---|---|
Pages (from-to) | 65 - 73 |
Number of pages | 8 |
Journal | ACM SIGOPS Operating Systems Review |
Volume | 42 |
Issue number | 3 |
DOIs | |
Publication status | Published - 1 Apr 2008 |
Keywords
- operating system