FACE: Automated digital evidence discovery and correlation

Digital Investigation

Volumn 5, Issue SUPPL., 2008, Pages

  Case, Andrew ^a   Cristina, Andrew ^a   Marziale, Lodovico ^a   Richard, Golden G ^a   Roussev, Vassil ^a  

^a USA   (United States)

Author keywords

Digital forensics; Disk image; Evidence correlation; Forensics tool; Log file; Memory analysis; Network capture; Physical memory

Indexed keywords

COMPUTER OPERATING SYSTEMS; DIGITAL FORENSICS; ELECTRONIC CRIME COUNTERMEASURES; OPEN SYSTEMS;

DISK IMAGES; EVIDENCE CORRELATION; FORENSICS TOOL; LOG FILE; MEMORY ANALYSIS; NETWORK CAPTURE; PHYSICAL MEMORY;

IMAGE ANALYSIS;

EID: 48749115314     PISSN: 17422876     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.diin.2008.05.008     Document Type: Article

References (21)

1. Adelstein F. MFP: the Mobile Forensic Platform. International Journal of Digital Evidence 1 1 (2003)
2. Arasteh A. Forensic memory analysis: from stack and code execution history. In: Proceedings of the 2007 Digital Forensic Research Workshop (DFRWS), 2007.
3. Carrier B. The Sleuthkit and Autopsy, http://www.sleuthkit.org/.
4. Carrier B., and Grand J. Hardware-based memory aquisition procedure for digital investigations. Journal of Digital Investigation 1 1 (2004)
5. Carrier B. File system forensic analysis (2005), Addison-Wesley, Reading, PA
6. Chow J, Pfaff B, Garfinkel T, Christopher K, Rosenblum M. Understanding data lifetime via whole system simulation. In: Proceedings of the 13th USENIX security symposium, August 2004.
7. Dolan-Gavitt B. The VAD tree: a process-eye view of physical memory. In: Proceedings of the 2007 Digital Forensic Research Workshop (DFRWS), 2007.
8. FBI. RCFL Program Annual Report for Fiscal Year 2006 (2006). http://www.rcfl.gov/Downloads/Documents/RCFL_Nat_Annual06.pdf p. 7
9. Kornblum J. Exploiting the Rootkit Paradox with Windows memory analysis. International Journal of Digital Evidence 5 1 (Fall 2006)
10. Kornblum J. Using every part of the buffalo in Windows memory analysis. Digital Investigation (January 2007)
11. Boileau A. Firewire, DMA, and Windows. http://www.storm.net.nz/projects/16
12. Burdach M. idetect, http://forensic.seccure.net/tools/idetect.tar.gz.
13. Richard III GG, Roussev V. Scalpel: a frugal, high-performance file carver. In: Proceedings of the 2005 Digital Forensics Research Workshop (DFRWS 2005).
14. Rutkowska J. Beyond the CPU: defeating hardware based RAM acquisition tools (part I: AMD case), BlackHat DC 2007 presentation.
15. Ruff N, Suiche M. Enter Sandman (why you should never go to sleep). In: PacSec applied security conference, 2007, Tokyo, Japan.
16. Schatz B. BodySnatcher: towards reliable volatile memory acquisition by software. In: Proceedings of the 2007 Digital Forensic Research Workshop (DFRWS), 2007.
17. Schuster A. Searching for processes and threads in Microsoft Windows memory dumps. In: Proceedings of the 2006 Digital Forensic Research Workshop (DFRWS), 2006a.
18. Schuster A. Pool allocations as an information source in Windows memory forensics. In: International conference on IT-incident management and IT-forensics, October 2006b.
19. Solomon J., Huebner E., Bem D., and Szezynska M. User data persistence in physical memory. Digital Investigation 4 2 (June 2007) 68-72
20. Urrea JM. An analysis of Linux RAM Forensics. Naval Post Graduate School thesis; March 2006.
21. Vidas T. The acquisition and analysis of Random Access Memory. Journal of Digital Forensic Practice 1 4 (December 2006) 315-323