Acquiring volatile operating system data tools and techniques

Andrew Blyth; Iain Sutherland; J. Evans; T. Tryfonas

doi:10.1145/1368506.1368516

Acquiring volatile operating system data tools and techniques

Andrew Blyth, Iain Sutherland, J. Evans, T. Tryfonas

Faculty of Computing, Engineering and Science

Research output: Contribution to journal › Article › peer-review

Abstract

The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.

Original language	English
Pages (from-to)	65 - 73
Number of pages	8
Journal	ACM SIGOPS Operating Systems Review
Volume	42
Issue number	3
DOIs	https://doi.org/10.1145/1368506.1368516
Publication status	Published - 1 Apr 2008

Keywords

operating system

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1145/1368506.1368516

Cite this

@article{971a600beae74e5eba1b3b4433e94193,

title = "Acquiring volatile operating system data tools and techniques",

abstract = "The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.",

keywords = "operating system",

author = "Andrew Blyth and Iain Sutherland and J. Evans and T. Tryfonas",

year = "2008",

month = apr,

day = "1",

doi = "10.1145/1368506.1368516",

language = "English",

volume = "42",

pages = "65 -- 73",

journal = "ACM SIGOPS Operating Systems Review",

issn = "0163-5980",

publisher = "ACM Press",

number = "3",

}

TY - JOUR

T1 - Acquiring volatile operating system data tools and techniques

AU - Blyth, Andrew

AU - Sutherland, Iain

AU - Evans, J.

AU - Tryfonas, T.

PY - 2008/4/1

Y1 - 2008/4/1

N2 - The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.

AB - The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.

KW - operating system

U2 - 10.1145/1368506.1368516

DO - 10.1145/1368506.1368516

M3 - Article

VL - 42

SP - 65

EP - 73

JO - ACM SIGOPS Operating Systems Review

JF - ACM SIGOPS Operating Systems Review

SN - 0163-5980

IS - 3

ER -

Acquiring volatile operating system data tools and techniques

Abstract

Keywords

UN SDGs

Access to Document

Fingerprint

Cite this