Live Forensics


Speakers: Dr. Frank Adelstein, ATC-NY and Dr. Golden Richard, University of New Orleans
Time: Monday 12/11/2006 Full-Day Tutorial

Traditional digital forensics focuses on analyzing a copy (or "image") of a disk to extract information, such as deleted files, file fragments, and web browsing history, and to build a timeline that provides a partial view of what happened on the computer. Live forensics, an emerging area in which information is gathered from running systems, offers some distinct advantages over traditional "dead" forensics, which focuses on disk images. Live forensics can provide information on the running state of the machine that cannot be gathered by static methods, such as running processes, memory dumps, open network connections, and unencrypted versions of encrypted files. This information can both serve as digital evidence and help direct or focus traditional analysis methods.

This tutorial covers the area of live forensics, including the types of information that can be gathered, how the evidence can be analyzed, how it can work in conjunction with traditional methods, and how it can satisfy forensic requirements. We will briefly review static disk analysis techniques, briefly cover network packet analysis, and then discuss gathering information on a live machine. The tutorial includes demonstrations. At the end, students should understand what live state information is available on a computer, some of the different methods for gathering that information, and the "best practices" that should be observed when performing a live analysis.

Prerequisites: None. This tutorial focuses on the emerging area of forensic analysis of live systems. The tutorial does not assume students have a background in forensics and will spend approximately 25% of the time reviewing the basic ideas of digital forensics. The rest of the course will focus on gathering and analyzing live data (network- and host-based forensics). Those familiar with "traditional" or static forensic analysis but who are interested in live forensics should also benefit from the course. This course will not cover legal issues.

High Level Outline

  1. Introduction
  2. Traditional Forensics Background (1.5 hours)
  3. Network Analysis (1.0 hours)
  4. Live Forensics (2.5 hours)
  5. Big Demo/Scenario of putting it all together (0.5 hours)
  6. Summary/Wrap up

About the Instructors

Dr. Frank Adelstein is the technical director of computer security at ATC-NY in Ithaca, NY. He is the principal designer of a live forensic investigation product (marketed as Online Digital Forensic Suite™ and LiveWire Investigator™) and has worked in the area of live investigation for the last 5 years. He has also been the principal investigator on numerous research and development projects including security, wireless networking, intrusion detection, and training.

Professor Golden G. Richard III is an Associate Professor at the University of New Orleans, where he developed the Information Assurance curriculum and coordinated the effort to have the University of New Orleans certified by the National Science Foundation as a Center of Academic Excellence. He teaches courses in digital forensics, computer security, and operating systems internals. He is also a co-founder of Digital Forensic Solutions, LLC and is the author of the digital forensics tool "Scalpel."

Richard and Adelstein are the chair and vice-chair of the Digital Forensic Research Workshop, the premier workshop on research advances in the area of digital forensics. They have co-authored the book "Fundamentals of Mobile and Pervasive Computing" (from McGraw-Hill).

Last updated by Frank Adelstein on Dec-11-2002