SlackStick : signature-based file identification for live digital forensics examinations

Hegarty, R ORCID: https://orcid.org/0000-0003-3805-5974 and Haggerty, J 2016, SlackStick : signature-based file identification for live digital forensics examinations , in: 2015 European Intelligence and Security Informatics Conference, 7-9 September 2015, Manchester, UK.

Full text not available from this repository.

Abstract

A digital forensics investigation may involve procedures both for live forensics and for gathering evidence from a device in a forensics laboratory. Because a live forensics investigation focuses on capturing volatile data, tools have been developed that are aimed at capturing specific data surrounding state information. However, there may be circumstances in which non-volatile data analysis, such as the identification of files of interest, is also required. In such an investigation, the use of file-wise (hash) signatures is precluded by the pre-processing requirements of the forensics tools. Therefore, this paper presents SlackStick, a novel automated approach, run from a USB memory device, for identifying files of interest or triaging non-volatile evidence using an alternative signature scheme. Moreover, the approach may be used by inexpert users during the first-response phase of an investigation. The results of the case study presented in this paper demonstrate the applicability of the approach.

Item Type: Conference or Workshop Item (Paper)
Schools: Schools > School of Computing, Science and Engineering
Journal or Publication Title: 2015 European Intelligence and Security Informatics Conference
Publisher: IEEE
ISBN: 9781479986576
Related URLs:
Depositing User: Dr R Hegarty
Date Deposited: 03 Feb 2020 09:12
Last Modified: 27 Aug 2021 21:36
URI: https://usir.salford.ac.uk/id/eprint/56338