Acquiring volatile operating system data tools and techniques

Authors:
Iain Sutherland;Jon Evans;Theodore Tryfonas;Andrew Blyth
Affiliations:
University of Glamorgan, Wales, United Kingdom;Gwent Police Headquarters, United Kingdom;University of Glamorgan, Wales, United Kingdom;University of Glamorgan, Wales, United Kingdom
Venue:
ACM SIGOPS Operating Systems Review
Year:
2008

Citing 11
Cited 4

Microsoft Word 6 for Windows resource kit

Microsoft Word 6 for Windows resource kit
Forensic Discovery

Forensic Discovery
Investigating sophisticated security breaches

Communications of the ACM - Next-generation cyber forensics
Risks of live digital forensic analysis

Communications of the ACM - Next-generation cyber forensics
Live forensics: diagnosing your system without killing it first

Communications of the ACM - Next-generation cyber forensics
Windows Forensics and Incident Recovery (The Addison-Wesley Microsoft Technology Series)

Windows Forensics and Incident Recovery (The Addison-Wesley Microsoft Technology Series)
The Windows Registry as a forensic artefact: Illustrating evidence collection for Internet usage

Digital Investigation: The International Journal of Digital Forensics & Incident Response
User data persistence in physical memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Instant messaging investigations on a live Windows XP system

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A hardware-based memory acquisition procedure for digital investigations

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Vis: virtualization enhanced live acquisition for native system

Proceedings of the Second Asia-Pacific Workshop on Systems
A survey of main memory acquisition and analysis techniques for the windows operating system

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A partially reconstructed previous Gmail session by live digital evidences investigation through volatile data acquisition

Security and Communication Networks
Pypette: A Platform for the Evaluation of Live Digital Forensics

International Journal of Digital Crime and Forensics

Quantified Score

Hi-index	0.00

Visualization

Abstract

The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.