Title :
How to Deal with Blurriness in Live Forensics: A Case of Study
Author :
Savoldi, Antonio ; Gubian, Paolo ; Echizen, Isao
Author_Institution :
Dept. of Electron. for Autom., Univ. of Brescia, Brescia, Italy
Abstract :
When dealing with live forensics cases, we should modify the volatile memory of the investigated system as little as possible, since it may contain plenty of evidential data. Usually, state-of-the-art live forensics best practices mention very little about how much the volatile memory is affected during a live investigation. As a result, there are only vague and imprecise ideas regarding the uncertainty of the resulting evidence. In this paper we would like to present a clear overview of how to measure the uncertainty of the dd collection tool, which is widely used for obtaining the full memory contents of a live computer-based system. As a result, it will become clear how to control and reduce the error when collecting evidence from the volatile memory.
Keywords :
security of data; storage management; blurriness; computer-based system; evidential data; live forensics; volatile memory; Automation; Best practices; Computer crime; Computer errors; Digital forensics; Error correction; Informatics; Linux; Measurement uncertainty; Mission critical systems; Blurriness; Error measure; Live forensics; Volatile memory;
Conference_Title :
INC, IMS and IDC, 2009. NCM '09. Fifth International Joint Conference on
Conference_Location :
Seoul
Print_ISBN :
978-1-4244-5209-5
Electronic_ISBN :
978-0-7695-3769-6
DOI :
10.1109/NCM.2009.75