Persistent systems techniques in forensic acquisition of memory

Authors:
Ewa Huebner;Derek Bem;Frans Henskens;Mark Wallis
Affiliations:
School of Computing and Mathematics, University of Western Sydney, Penrith Campus, Locked bag 1797, Penrith South DC NSW 1797, Australia;School of Computing and Mathematics, University of Western Sydney, Penrith Campus, Locked bag 1797, Penrith South DC NSW 1797, Australia;School of Electrical Engineering and Computer Science, University of Newcastle, Australia;School of Electrical Engineering and Computer Science, University of Newcastle, Australia
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2007

Citing 14
Cited 1

Grasshopper: an orthogonally persistent operating system

Computing Systems
Inside Microsoft Windows 2000

Inside Microsoft Windows 2000
An algorithm for stabilising multiple stores

EW 9 Proceedings of the 9th workshop on ACM SIGOPS European workshop: beyond the PC: new challenges for the operating system
Persistent Systems Architectures

Proceedings of the Third International Workshop on Persistent Object Systems
Support for Objects in the MONADS Architecture

Proceedings of the Third International Workshop on Persistent Object Systems
An Approach to Implementing Persistent Computations

POS-9 Revised Papers from the 9th International Workshop on Persistent Object Systems
Using directed graphs to describe entity dependency in stable distributed persistent stores

HICSS '95 Proceedings of the 28th Hawaii International Conference on System Sciences
Digital Evidence and Computer Crime

Digital Evidence and Computer Crime
Forensic Discovery

Forensic Discovery
Mac OS X Internals

Mac OS X Internals
FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Data hiding in the NTFS file system

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A hardware-based memory acquisition procedure for digital investigations

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Automated Windows Memory File Extraction for Cyber Forensics Investigation

Journal of Digital Forensic Practice

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we discuss how operating system design and implementation influence the methodology for computer forensics investigations, with the focus on forensic acquisition of memory. In theory the operating system could support such investigations both in terms of tools for analysis of data and by making the system data readily accessible for analysis. Conventional operating systems such as Windows and UNIX derivatives offer some memory-related tools that are geared towards the analysis of system crashes, rather than forensic investigations. In this paper we demonstrate how techniques developed for persistent operating systems, where lifetime of data is independent of the method of its creation and storage, could support computer forensics investigations delivering higher efficiency and accuracy. It is proposed that some of the features offered by persistent systems could be built into conventional operating systems to make illicit activities easier to identify and analyse. We further propose a new technique for forensically sound acquisition of memory based on the persistence paradigm.