Research Article | Open Access
Volume 4 | Issue 5 | Year 2013 | Article Id. IJCTT-V4I5P1 | DOI : https://doi.org/10.14445/22312803/IJCTT-V4I5P1
Extraction of Persistence and Volatile Forensics Evidences from Computer System
Esan P. Panchal
Citation:
Esan P. Panchal, "Extraction of Persistence and Volatile Forensics Evidences from Computer System," International Journal of Computer Trends and Technology (IJCTT), vol. 4, no. 5, pp. 964-968, 2013. Crossref, https://doi.org/10.14445/22312803/IJCTT-V4I5P1
Abstract
Forensic investigations are carried out in order to find out who committed a crime using a computer system, from where, and how. Consider a scenario in which an employee of an organization discloses the company's private data through the organization's computer. This results in financial as well as reputational loss. Forensic investigators need to get access to all the computers in the organization, say, 100 computers. The normal procedure carried out by forensic investigators in order to collect the evidence is hard disk imaging, followed by analysis of the images in a laboratory. This involves extraction of persistent and volatile data from the Windows Registry as well as from slack space and allocated space, and it involves live analysis, dead analysis or post-mortem analysis to find hidden and deleted files in the clusters. The investigation becomes a tedious task when investigators have to take images of hundreds of hard disks, each of 1 TB. Performing this task has many disadvantages in terms of time, money and resources; there is even the question of where to securely store 100 TB of data. All of these issues make an investigator's task very complex and time consuming. If this time were reduced to half, it would benefit investigators as well as organizations. Current techniques analyze computer systems and help to find evidence, but they impose time constraints on any entity. Hence, there should be a technique which saves time, money and resources for organizations and makes the job of investigators easier and less laborious.
Keywords
Forensic Investigations, Hard Disk Imaging, Evidences, Persistent Data, Volatile Data, Slack Space, Allocated Space, Windows Registry, Live Analysis, Dead Analysis, Postmortem.