SlackStick : signature-based file identification for live digital forensics examinations

Hegarty, R ORCID: https://orcid.org/0000-0003-3805-5974 and Haggerty, J 2016, SlackStick : signature-based file identification for live digital forensics examinations , in: 2015 European Intelligence and Security Informatics Conference, 7-9 September 2015, Manchester, UK.

Full text not available from this repository. (Request a copy)

Abstract

A digital forensics investigation may involve procedures for both live forensics and for gathering evidence from a device in a forensics laboratory. Due to the focus on capturing volatile data during a live forensics investigation, tools have been developed that are aimed at capturing specific data surrounding state information. However, there may be circumstances whereby non-volatile data analysis, such as the identification of files of interest, is also required. In such an investigation, the ability to use file-wise, or hash, signatures is precluded due to pre-processing requirements by the forensics tools. Therefore, this paper presents SlackStick, a novel automated approach run from a USB memory device for the identification of files of interest or non-volatile evidence triage using an alternative signature scheme. Moreover, the approach may be used by inexpert users during a first-response phase of an investigation. The results of the case study presented in this paper demonstrate the applicability of the approach.

Item Type: Conference or Workshop Item (Paper)
Schools: Schools > School of Computing, Science and Engineering
Journal or Publication Title: 2015 European Intelligence and Security Informatics Conference
Publisher: IEEE
ISBN: 9781479986576
Related URLs:
Depositing User: Dr R Hegarty
Date Deposited: 03 Feb 2020 09:12
Last Modified: 10 Feb 2020 14:06
URI: http://usir.salford.ac.uk/id/eprint/56338

Actions (login required)

Edit record (repository staff only) Edit record (repository staff only)