First Responders Guide to Computer Forensics

Nolan, Richard A.; O'Sullivan, Colin J.; Branson, Jake; Waits, Cal

doi:10.21236/ada443483

Cited by 25 publications

(13 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The Forensics begins initially by extracting and analysis of hidden evidence. Hidden evidence comes in different forms, evidence recovered from the blood by examining the DNA and fingerprints left at the crime scene to the files on computer storage devices [1]. Computer forensics is also known as cyber-forensics which is the major application of computer investigation and analysis techniques to collect very strong proofs based on real facts and figures for presentation in a court of law.…”

Section: Forensics and Computer Forensicmentioning

confidence: 99%

Scientific Awareness about the Computer Forensic to Face the E-Criminal Activities of the E-User

Brohi¹,

Kamran²

2012

IJCA

View full text Add to dashboard Cite

Computer has influenced our daily work, activities and played a vital role in every corner of our life. We are surfing the net for news, jobs, entertainment, transferring information and data online, purchasing, checking accounts, sending and receiving emails almost every day. For this widespread use, some computer users have misused this technology in illegal activities. As a result the computer forensic and investigation has emerged to carry out the investigation process for solving and discovering different types of internet or computer crimes and bring it to the court. In the paper we will discuss the challenging aspects of forensic investigation, skills needed by a computer forensics, knowledge needed by computer forensic investigator, and phases of computer forensic investigation. Overall the purpose of the paper is to provide the scientific awareness about the computer forensic to face the e-criminal activities of the euser.

show abstract

Section: Forensics and Computer Forensicmentioning

confidence: 99%

Scientific Awareness about the Computer Forensic to Face the E-Criminal Activities of the E-User

Brohi¹,

Kamran²

2012

IJCA

View full text Add to dashboard Cite

show abstract

“…This inaccuracy in computer-generated timestamps is "natural", that is to say, it is the result of the normal operation of the computer system. The solution for addressing this issue suggested most frequently in the literature is to note the system clock time of a computer under investigation at the time of its examination and to determine the discrepancy between that time and the time of a reference clock (Boyd and Forster, 2004;Nolan et al, 2005). However, this solution does not address the issue of clock skew varying over time prior to the examination of the computer system, and it is this variance which may lead to inaccuracies in timelines.…”

Section: Related Workmentioning

confidence: 99%

CAT Detect (Computer Activity Timeline Detection): A tool for detecting inconsistency in computer activity timelines

Marrington

Baggili

Mohay

et al. 2011

Digital Investigation

View full text Add to dashboard Cite

a b s t r a c tThe construction of timelines of computer activity is a part of many digital investigations.These timelines of events are composed of traces of historical activity drawn from system logs and potentially from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work introduces a software tool (CAT Detect) for the detection of inconsistency within timelines of computer activity. We examine the impact of deliberate tampering through experiments conducted with our prototype software tool. Based on the results of these experiments, we discuss techniques which can be employed to deal with such temporal inconsistencies.

show abstract

“…During incident response, in order to gain insight about system state, one might issue several commands and catalog the responses. Typical response may include creating more than thirty processes [3]. The more detailed the responses, the more accurate the portrayal of the system state, but the portrayal depends upon the granularity of the tools and the accurate recording and interpretation of the tool output.…”

Section: The Case For Copying Rammentioning

confidence: 99%

“…On the other hand, while pulling the plug does preserve the current contents of the hard disk drive, it allows little or no insight into what operations the system was performing at the time when the power was removed. In light of this lack of knowledge, others have provided incident response steps to perform in order to gain insight about the state of the system (Nolan et al [3], among others).…”

Section: Introductionmentioning

confidence: 99%

The Acquisition and Analysis of Random Access Memory

Vidas

2007

Journal of Digital Forensic Practice

View full text Add to dashboard Cite

Mainstream operating systems (and the hardware they run on) fail to purge the contents of portions of volatile memory when that portion is no longer required for operation. Similar to how many file systems simply mark a file as deleted instead of actually purging the space that the file occupies on disk, random access memory (RAM) is commonly littered with old information in unallocated space waiting to be reused. Additionally, RAM contains constructs and caching regions that include a wealth of state-related information. The availability of this information, along with techniques to recover it, provides new methods for investigation. This article discusses the benefits and drawbacks of traditional incident response methods compared to an augmented model that includes the capture and subsequent analysis of a suspect system's memory, provides a foundation for analyzing captured memory, and provides suggestions for related work in an effort to encourage forward progress in this relatively new area of digital forensics.

show abstract

First Responders Guide to Computer Forensics

Abstract: The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange. FOR THE COMMANDER

Cited by 25 publications

References 6 publications

Scientific Awareness about the Computer Forensic to Face the E-Criminal Activities of the E-User

Scientific Awareness about the Computer Forensic to Face the E-Criminal Activities of the E-User

CAT Detect (Computer Activity Timeline Detection): A tool for detecting inconsistency in computer activity timelines

The Acquisition and Analysis of Random Access Memory

Contact Info

Product

Resources

About