Pypette: A Platform for the Evaluation of Live Digital Forensics

Pypette: A Platform for the Evaluation of Live Digital Forensics

Brett Lempereur, Madjid Merabti, Qi Shi
DOI: 10.4018/978-1-4666-4006-1.ch009
OnDemand:
(Individual Chapters)
Available
$33.75
List Price: $37.50
10% Discount:-$3.75
TOTAL SAVINGS: $3.75

Abstract

Live digital forensics presents unique challenges with respect to maintaining forensic soundness, but also offers the ability to examine information that is unavailable to quiescent analysis. Any perturbation of a live operating system by a forensic examiner will have far-reaching effects on the state of the system being analysed. Numerous approaches to live digital forensic evidence acquisition have been proposed in the literature, but relatively little attention has been paid to the problem of identifying how the effects of these approaches, and their improvements over other techniques, can be evaluated and quantified. In this paper, the authors present Pypette, a novel platform enabling the automated, repeatable analysis of live digital forensic acquisition techniques.
Chapter Preview
Top

Introduction

Traditional approaches to digital forensic investigation are quiescent, in that they require the examiner to power-off the subject machine and make a bit-for-bit copy of non-volatile storage media before proceeding with any examination. As the nature and scale of computing systems continues to change this approach is, in some cases, impractical; examiners must often rely on an in-situ investigation of the live computing environment (Adelstein, 2006; Hay, Nance, & Bishop, 2009).

Live digital forensics presents unique challenges with respect to maintaining forensic soundness, but also offers the ability to examine information that is unavailable to quiescent analysis, namely the operational state of the system. The evidence gained from this approach, however, lacks credibility (Wang, Zhang, & Zhang, 2009). This problem is exacerbated by the possibility of malicious software altering the output from live digital forensic software (Rutkowska, 2007). Despite this, there has been no systematic attempt to examine the side effects and accuracy of live digital forensic approaches to evidence acquisition.

Scale is a pervasive problem in Digital Forensics. In 1999, McKemmish (McKemmish, 1999) published a report for the Australian Institute of Criminology in which he identified the volume of data and prevalence of digital devices as future research issues. More than ten years later, this is still the case (Distefano & Me, 2008; Haggerty & Taylor, 2007; Richard & Roussev, 2006). The growth in static storage has been “tremendous,” and the number of embedded devices that could feasibly be used to participate in crime, often equipped with their own proprietary operating systems, is increasing (Mohay, 2005).

Figure 1 illustrates the scale of the problem through a visualisation of the interactions that occur between processes and files in a typical Microsoft Windows machine during a 25-minute period. Vertices in the diagram represent the files and processes on the system, with edges indicating process creation and operations performed on files. There is a high-degree of interdependence, and any perturbation of a live operating system by a forensic examiner will have far-reaching effects on the state of the system being analysed.

Figure 1.

Visualisation of inter-process communication and file handle interaction

978-1-4666-4006-1.ch009.f01

We believe that live digital forensic evidence, which describes how a computer was actually used, is a useful addition to inferences drawn from artefacts in documents and files, and that if employed correctly it can be a significant aid to an investigation. In this paper, we propose a novel approach to evaluating the effects and accuracy of live digital forensic acquisition techniques. Where existing approaches have focused on evaluation based on a percentage of memory change before and after acquiring live forensic evidence, we consider the accuracy and effects of methods in terms of the artefacts forensic examiners actually need to extract from systems, and the mechanisms they use for achieving this. The result of this work is Pypette, a platform for performing automated, repeatable experiments on live digital forensic acquisition techniques.

The rest of this paper is organised as follows. We begin with a discussion of general concepts in live digital forensics and initial work towards evaluating live digital forensics techniques. In the next section, we present the design of our live forensic experimentation platform, and then explain the results from our implementation and feasibility assessment. We conclude the paper with a summary of our approach and directions for further work.

Top

When a system cannot be powered off, because of legal, technical, or other reasons, analysts must perform a live forensic analysis. Regardless of whether the examiner is taking a quiescent or live approach, acquiring and analysing evidence in a forensically sound manner is paramount to the success of an investigation and the acceptance of evidence in court. To be considered forensically sound, processes must meet the following criteria (McKemmish, 2008):

Complete Chapter List

Search this Book:
Reset