DocumentCode :
2510050
Title :
Snapshot Filtering Based on Resource-Usage Profiles
Author :
Adelstein, Frank ; Marceau, Carla
fYear :
2009
fDate :
21-21 May 2009
Firstpage :
15
Lastpage :
21
Abstract :
Live forensic tools provide investigators with new sources of information. Unfortunately, the amount of data gathered by such tools can be overwhelming, with a low signal-to-noise ratio. The authors use an innovative method of monitoring the resource use of running processes to build a profile of the application's normal resource use, which they then exploit to filter out extraneous, forensically uninteresting data from a list of open file handles and dynamically loaded libraries attached to a process. Preliminary results show a dramatic reduction in the number of file and registry handles and DLLs, greatly reducing the forensic haystack, allowing the investigator to more easily spot the needles.
Keywords :
information filtering; libraries; security of data; DLL; dynamic-link library; dynamically loaded library; live forensic tool; resource monitoring; resource-usage profile; snapshot filtering; Conferences; Digital filters; Digital forensics; Information filtering; Information filters; Information resources; Libraries; Monitoring; Needles; Signal to noise ratio; DLLs; filtering; live forensics; normal resource usage; open handles; profiling;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Systematic Approaches to Digital Forensic Engineering, 2009. SADFE '09. Fourth International IEEE Workshop on
Conference_Location :
Berkeley, CA
Print_ISBN :
978-0-7695-3792-4
Type :
conf
DOI :
10.1109/SADFE.2009.15
Filename :
5341547