Combining static and live digital forensic analysis in virtual environment

Mrdović, Saša; Huseinovic, Alvin; Zajko, Ernedin

doi:10.1109/icat.2009.5348415

Cited by 29 publications

(19 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Any scientific procedure adopted during investigation should make no changes to the evidence in order to ensure its admissibility in the court. In case of any alteration due to forensic procedures, a proper explanation must be provided [4].…”

Section: Introductionmentioning

confidence: 99%

Information Retrieval from Internet Applications for Digital Forensic

Mohanty¹

2012

IJSPTM

View full text Add to dashboard Cite

Advanced internet technologies providing services like e-mail, social networking, online banking, online shopping etc., have made day-to-day activities simple and convenient. Increasing dependency on the internet, convenience, and decreasing cost of electronic devices have resulted in frequent use of online services. However, increased indulgence over the internet has also accelerated the pace of digital crimes. The increase in number and complexity of digital crimes has caught the attention of forensic investigators. The Digital Investigators are faced with the challenge of gathering accurate digital evidence from as many sources as possible. In this paper, an attempt was made to recover digital evidence from a system's RAM in the form of information about the most recent browsing session of the user. Four different applications were chosen and the experiment was conducted across two browsers. It was found that crucial information about the target user such as, user name, passwords, etc., was recoverable.

show abstract

Section: Introductionmentioning

confidence: 99%

Information Retrieval from Internet Applications for Digital Forensic

Mohanty¹

2012

IJSPTM

View full text Add to dashboard Cite

show abstract

“…Then comes the likelihood of inappropriate application of tools and procedures; propelled by inadequate understanding of architectural layout and operations of a target system [11]. Integrity takes all the blows, and belated response to these could yield undesirable phenomena characterised by wrong or unjust acquittals, or false prosecutions [25].…”

Section: International Journal Of Computer Applications (0975 -8887) mentioning

confidence: 99%

“…One adoptable technique towards guaranteeing integrity with relation to volatile evidence in the Windows platform included the utilization of the in-built memory dump utility (Microsoft Windows Hibernation), the creation of a bit image, and subsequent analysis of such acquired bit-image using CERT's LiveView image analysis utility in a virtual machine [25]. This process of image mounting and booting allowed for the efficient acquisition of an interactive user-level access and perspective of the operating environment with modifications to the underlying image or contents therein.…”

Section: Im(proving) Integrity: Related Workmentioning

confidence: 99%

Safeguarding Forensic Integrity of Virtual Environment Evidence

Daniel¹,

Epiphaniou²

2013

IJCA

View full text Add to dashboard Cite

Virtual machine technology has emerged with powerful features, offering several benefits and promising revolutionary outcomes. It is one technology that combines into one package several computing concepts like resource management, emulation, time-sharing, isolation and partitioning. These features have made evidence acquisition and preservation difficult and in some cases unfeasible. The aftermath is that conventional approaches to integrity preservation have not yielded the best results required to facilitate acceptability. Subjects around virtualization forensics, its affiliation with digital evidence integrity, and impacts on admissibility have been decisively examined. A part of this discourse dwelt on recognising potential threats to the integrity and reliability of evidence from a virtual environment; specifically using VMware Virtual Machine Monitor as a case study. A theoretical framework for preserving the integrity of digital evidence from such environments is introduced. This structure highlights guidelines, processes and parameters essential for keeping the accuracy, consistency and trustworthiness of digital evidence, made possible via abstractions from eminent integrity principles of well-formed transactions and separation of duties as proposed by Clark and Wilson. Key parameters in the model include; strength of hash functions, number of evidence attributes, and number of evidence cycle covered; all represented conceptually in a mathematical model. This is further consolidated with the introduction of an integrity rating factor/threshold and the definition of an integrity enforcement process in line with globally recommended standards. While still working on practical demonstration of the proposed model, the work done so far is seen to open a path for unification and amplification of trust levels required for the admissibility of virtual environment evidence.

show abstract

“…Investigators need to detect malfunction and analyze malware in virtual environments. Currently digital forensics covers a very vast field where there are abundant developments of novel approaches for investigating digital crimes [4].…”

Section: Introductionmentioning

confidence: 99%

A Digital Forensic Framework for Cloud Based on VMI

Yang¹,

Ren²,

Bai³

et al. 2017

dtcse

View full text Add to dashboard Cite

Abstract. Traditional digital forensic methods become exceedingly feeble in cloud due to the fact that the basic infrastructure turns to virtualized environment. Leveraging properties of virtualization, virtual machine introspection has showed potential for cloud forensic. In this paper, we propose a novel framework, which contains a trustworthy independent agency, to provide memory digital forensic analysis (DFA) for virtual machines (VMs) in cloud. With the assistance of cloud platform, memory dump files can be obtained and transferred to the agency for further DFA, where information of VMs can be extracted using the proper tools. We described the constructional design of the framework. Test results showed the versatility of DFA and ability of malware detection. The framework indicates DFA can be purchased as a service only when there is a need in order to reduce the expenditures on maintaining exclusive facility and furnish standard procedure to multiple cloud platforms.

show abstract

Combining static and live digital forensic analysis in virtual environment

Cited by 29 publications

References 13 publications

Information Retrieval from Internet Applications for Digital Forensic

Information Retrieval from Internet Applications for Digital Forensic

Safeguarding Forensic Integrity of Virtual Environment Evidence

A Digital Forensic Framework for Cloud Based on VMI

Contact Info

Product

Resources

About