Recovery of Live Evidence from Internet Applications

Part of the Advances in Intelligent Systems and Computing book series (volume 167)

Abstract

Advanced internet technologies providing services such as e-mail, social networking, online banking and online shopping have made day-to-day activities simple and convenient. Increasing dependency on the internet, convenience, and the decreasing cost of electronic devices have resulted in frequent use of online services. However, the greater use of the internet has also accelerated the pace of digital crime. The increase in the number and complexity of digital crime cases has caught the attention of forensic investigators, who face the challenge of gathering accurate digital evidence from as many sources as possible. In this paper, an attempt was made to recover digital evidence from a system's RAM in the form of information about the user's most recent browsing session. Four different applications were chosen for the experiment, and it was found that crucial information about the target user, such as user names and passwords, was recoverable.

Keywords

Digital forensic; Digital evidence; Live acquisition; Internet application

Copyright information

© Springer-Verlag GmbH Berlin Heidelberg 2012

Authors and Affiliations

Department of Computer Science and Engineering, National Institute of Technology, Tiruchirappalli, India