• DocumentCode
    1801919
  • Title
    Towards Proactive Forensic Evidentiary Collection
  • Author
    Shields, Clay
  • Author_Institution
    Dept. of Comput. Sci., Georgetown Univ., Washington, DC, USA
  • fYear
    2010
  • fDate
    5-8 Jan. 2010
  • Firstpage
    1
  • Lastpage
    9
  • Abstract
    Forensic investigations have traditionally relied on data that exists as a by-product of normal operating system and application operation on a system following an incident. We propose a research agenda targeted at expanding the information available to an investigator in computing environments in which software can be installed on the target systems ahead of any incident. In these cases, information can be preserved proactively and stored until needed for examination. In our first ongoing project, we are working to modify a file system to selectively recover disk blocks that are less likely to contain useful information when space is needed for a new file. In our second, we are keeping small amounts of information about files on a system that are deleted, copied, or modified. This allows us to perform certain types of investigations on files that are overwritten or otherwise missing from the system.
  • Keywords
    computer forensics; file organisation; computing environments; disk blocks; file system; forensic investigations; information expand; normal operating system; proactive forensic evidentiary collection; research agenda; software installation; Application software; Computer science; Current measurement; Databases; File systems; Fingerprint recognition; Forensics; Information retrieval; Linux; Operating systems;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    System Sciences (HICSS), 2010 43rd Hawaii International Conference on
  • Conference_Location
    Honolulu, HI
  • ISSN
    1530-1605
  • Print_ISBN
    978-1-4244-5509-6
  • Electronic_ISBN
    1530-1605
  • Type
    conf
  • DOI
    10.1109/HICSS.2010.408
  • Filename
    5428489