An Evidence Acquisition Tool for Live Systems

  • Renico Koen
  • Martin Olivier
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 285)

Abstract

Evidence acquisition is concerned with the collection of evidence from digital devices for subsequent analysis and presentation. It is extremely important that the digital evidence is collected in a forensically-sound manner using acquisition tools that do not affect the integrity of the evidence. This paper describes a forensic acquisition tool that may be used to access files on a live system without compromising the state of the files in question. This is done in the context of the Reco Platform, an open source forensic framework that was used to develop the prototype evidence acquisition tool both quickly and efficiently. The paper also discusses the implementation of the prototype and the results obtained.

Keywords

Live systems, evidence acquisition, Reco Platform

Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Renico Koen (1)
  • Martin Olivier (1)
  1. The University of Pretoria, Pretoria, South Africa