Combining static and live digital forensic analysis in virtual environment
Sasa Mrdovic, Alvin Huseinovic, Ernedin Zajko +2 more
pp. 1-6
TL;DR: Tests with a sample system confirm the viability of the proposed combination of static and live analysis, and an investigator can have an interactive session with the virtual machine without violating evidence integrity.

Abstract:
Traditional digital forensics is performed through static analysis of data preserved on permanent storage media. Not all data needed to understand the state of the examined system exists in nonvolatile memory. Live analysis uses the running system to obtain volatile data for a deeper understanding of the events going on. Sampling a running system might irreversibly change its state, making the collected evidence invalid. This paper proposes a combination of static and live analysis. Virtualization is used to bring static data to life. A volatile memory dump is used to enable offline analysis of live data. Using data from the memory dump, a virtual machine created from the static data can be adjusted to provide a better picture of the live system at the time the dump was made. The investigator can have an interactive session with the virtual machine without violating evidence integrity. Tests with a sample system confirm the viability of the proposed approach.
Citations
Journal Article
A survey of main memory acquisition and analysis techniques for the windows operating system
Stefan Vömel, Felix C. Freiling +1 more
TL;DR: An overview of the prevailing techniques and methods to collect and analyze a computer's memory is given; the characteristics, benefits, and drawbacks are described; and opportunities for future research in this evolving field of IT security are outlined.
Exploring Static and Live Digital Forensics: Methods, Practices and Tools
Mamoona Rafique, Matiullah Khan +1 more
TL;DR: A critical review of static and live analysis approaches is presented, and the reliability of different tools and techniques used in static and live digital forensic analysis is evaluated.
Journal Article
Triage in Live Digital Forensic Analysis
TL;DR: A critical review of triage in live forensics is presented; several techniques used for performing live forensic analysis are discussed and their efficacy is critically evaluated in terms of applicability and reliability.
Journal Article
Correctness, atomicity, and integrity: Defining criteria for forensically-sound memory acquisition
Stefan Vömel, Felix C. Freiling +1 more
TL;DR: Three fundamental criteria, correctness, atomicity, and integrity, that determine the quality of a forensic memory image are formalized.
Proceedings Article
MACE: high-coverage and robust memory analysis for commodity operating systems
TL;DR: MACE is presented, a memory analysis system that can extract a more complete view of the kernel data structures of closed-source operating systems and significantly improve robustness by leveraging only pointer constraints and evaluating these constraints globally.
References
Journal Article
A hardware-based memory acquisition procedure for digital investigations
Brian D. Carrier, Joe Grand +1 more
TL;DR: A procedure for acquiring volatile memory using a hardware expansion card that can copy memory to an external storage device is described, and the initial results of the hardware implementation of the procedure are presented.
Journal Article
Searching for processes and threads in Microsoft Windows memory dumps
TL;DR: This article analyzes the in-memory structures which represent processes and threads and develops search patterns which are then used to scan the whole memory dump for traces of said objects, independent of the aforementioned lists.
Journal Article
From fingerprint to writeprint
TL;DR: The key features that help identify and trace online authorship are identified.
Journal Article
Live forensics: diagnosing your system without killing it first
TL;DR: Live forensics gathers data from running systems, providing additional contextual information that is not available in a disk-only forensic analysis.
Journal Article
FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory
TL;DR: FATKit allows analysts to focus on higher-level tasks by providing novel methods for automatically deriving digital object definitions from C source code, extracting those objects from memory images, and visualizing the underlying data in various ways.