The ever growing capacity of hard drives poses a severe problem to forensic practitioners who strive to deal with digital investigations in a timely manner. Therefore, the on-the-spot digital investigation paradigm is emerging as a new standard to select only that evidence which is important for the case being investigated. In the light of this issue, we propose an incident response tool which is able to speed up the investigation by finding crime-related evidence in a faster way compared with the traditional state-of-the-art post-mortem analysis tools. The tool we have implemented is called Live Data Forensic System (LDFS). LDFS is an on-the-spot live forensic toolkit, which can be used to collect and analyze relevant data in a timely manner and to perform a triage of a Microsoft Windows-based system. Particularly, LDFS demonstrates the ability of the tool to automatically gather evidence according to general categories, such as live data, Windows Registry, file system metadata, instant messaging services clients, web browser artifacts, memory dump and page file. In addition, unified analysis tools of ELF provide a fast and effective way to obtain a picture of the system at the time the analysis is done. The result of the analysis from different categories can be easily correlated to provide useful clues for the sake of the investigation.
- Automated digital investigation process
- Live forensics
- On-the-spot digital investigation
ASJC Scopus subject areas
- Modelling and Simulation
- Computer Science Applications