Extraction of Persistence and Volatile Forensics Evidences from Computer System

  IJCOT-book-cover
 
International Journal of Computer Trends and Technology (IJCTT)          
 
© - May Issue 2013 by IJCTT Journal
Volume-4 Issue-5                           
Year of Publication : 2013
Authors :Esan P. Panchal

MLA

Esan P. Panchal "Extraction of Persistence and Volatile Forensics Evidences from Computer System"International Journal of Computer Trends and Technology (IJCTT),V4(5):964-968 May Issue 2013 .ISSN 2231-2803.www.ijcttjournal.org. Published by Seventh Sense Research Group.

Abstract: -Forensic Investigations are carried out in order to find who committed a crime, from where and how using a computer system. Consider a scenario that in an organization an employee might have disclosed company’s private data through the organization’s computer. This would result in financial as well as reputation loss. Forensic Investigators need to get an access of all the computers, say, 100 computers throughout the organization. The normal procedure carried out by forensic investigators in order to collect the Evidences is Hard Disk Imaging and further analyzing it in a laboratory. This involves extraction of Persistent and Volatile Data from the Windows Registry as well as the slack space and allocated space.This involves doing the Live Analysis, Dead Analysis or Postmortem for finding the hidden and deleted files from the clusters. This investigation becomes a tedious task when Investigators have to take images of hundreds of hard disks and each of 1 TB. There are many disadvantages of performing this task in terms of time, money and resources. Even there are issues as to where to securely store 100 TB data? All these questions would make an investigator’s task very complex and time consuming. If this time is reduced to half then it would be beneficial to investigators as well as the organizations. Current techniques perform the analysis of a computer systems and help to find evidences but leads to time constraints for any entity. Henceforth, there should be a technique which saves time, money and resources for the organizations and make the job of the investigators easy and less laborious.

 

References-
[1] http://en.wikipedia.org/wiki/Computer_forensics
[2]http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Presentations/DigitalEvidence.pdf
[3] http://www.us-cert.gov/reading_room/forensics.pdf
[4] http://www.windowmeister.com/computer_forensics.htm
[5] B. Carrier: File system forensic analysis, Addison-Wesley Professional, USA, (2008).C. V. Marsico and M. K. Rogers, “ipod forensics,” International Journalof Digital Evidence, vol. 4, no. 2, 2005.
[6] M. Kiley, T. Shinbara, and M. K. Rogers, “ipod forensics update,”International Journal of Digital Evidence, vol. 6, no. 1, 2007.
[7] S. Willassen, “Forensic analysis of mobile phone internal memory,” inAdvances in Digital Forensics, 2005, pp. 191–204.

Keywords —Forensic Investigations, Hard Disk Imaging, Evidences, Persistent Data, Volatile Data, Slack Space, Allocated Space, Windows Registry, Live Analysis, Dead Analysis, Postmortem.