Title :
Towards Proactive Forensic Evidentiary Collection
Author_Institution :
Dept. of Comput. Sci., Georgetown Univ., Washington, DC, USA
Abstract :
Forensic investigations have traditionally relied on data that exists as a by-product of normal operating system and application operation on a system following an incident. We propose a research agenda targeted at expanding the information available to an investigator in computing environments in which software can be installed on the target systems ahead of any incident. In these cases, information can be preserved proactively and stored until needed for examination. In our first ongoing project, we are working to modify a file system to selectively recover disk blocks that are less likely to contain useful information when space is needed for a new file. In our second, we are keeping small amounts of information about files on a system that are deleted, copied, or modified. This allows us to perform certain types of investigations on files that are overwritten or otherwise missing from the system.
Keywords :
computer forensics; file organisation; computing environments; disk blocks; file system; forensic investigations; information expand; normal operating system; proactive forensic evidentiary collection; research agenda; software installation; Application software; Computer science; Current measurement; Databases; File systems; Fingerprint recognition; Forensics; Information retrieval; Linux; Operating systems;
Conference_Titel :
System Sciences (HICSS), 2010 43rd Hawaii International Conference on
Conference_Location :
Honolulu, HI
Print_ISBN :
978-1-4244-5509-6
Electronic_ISBN :
1530-1605
DOI :
10.1109/HICSS.2010.408
