An Evidence Acquisition Tool for Live Systems
Evidence acquisition is concerned with the collection of evidence from digital devices for subsequent analysis and presentation. It is extremely important that digital evidence is collected in a forensically sound manner, using acquisition tools that do not affect the integrity of the evidence. This paper describes a forensic acquisition tool that can be used to access files on a live system without altering the state of the files in question. The tool was built on the Reco Platform, an open source forensic framework that allowed the prototype to be developed quickly and efficiently. The paper also discusses the implementation of the prototype and the results obtained.
Keywords: Live systems, evidence acquisition, Reco Platform