Snapshot Filtering Based On Resource-Usage Profiles
Live forensic tools provide investigators with new sources of information.
Unfortunately, the amount of data gathered by such tools can be
overwhelming, with a low signal-to-noise ratio. The authors use an
innovative method of monitoring the resource use of running processes to
build a profile of the application's normal resource use, which they then
use to filter out extraneous, forensically uninteresting data from the
list of open file handles and dynamically loaded libraries attached to
a process. Preliminary results show a dramatic reduction in the number
of file and registry handles and DLLs, greatly reducing the forensic
haystack and allowing the investigator to spot the needles more easily.
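The profile-then-filter step the abstract describes, as an added worked example in Python that is not the paper's own code: several snapshots of a process's loaded DLLs and open file and registry handles, taken while the application behaves normally, are folded into a profile, and a later snapshot is filtered against it so that only unfamiliar entries remain. The process, paths, registry keys and module names are constructed sample data, and the optional majority threshold (min_fraction) is an assumption of this example, not a parameter taken from the paper.

```python
"""Profile-based filtering of a live-forensic process snapshot.

Added example, not the paper's code. Several snapshots of a process's loaded
DLLs and open file/registry handles, taken while the application behaves
normally, are folded into a profile of its normal resource use; a later
snapshot of the same application is then filtered against that profile so
that only unfamiliar modules and handles remain for the investigator.
"""
from collections import Counter

# An entry is a (kind, name) pair; kind is "dll", "file" or "key".


def normalize(kind, name):
    """Canonicalise an entry so trivial differences (letter case, slash
    direction, stray whitespace) cannot defeat the filter. Windows paths and
    registry keys are case-insensitive, so lowercasing loses nothing."""
    return (kind, name.strip().lower().replace("/", "\\"))


def build_profile(baseline_snapshots, min_fraction=0.0):
    """Return the set of normalised entries that appear in more than
    min_fraction of the baseline snapshots.

    With min_fraction=0.0 (the default) anything ever observed during normal
    operation counts as normal. Raising it (e.g. 0.5, a simple majority vote,
    an assumption of this example) drops entries seen in only a few baseline
    runs, such as a DLL pulled in by a rarely used dialog, at the cost of
    them reappearing as noise in the filtered output."""
    if not baseline_snapshots:
        raise ValueError("need at least one baseline snapshot")
    seen_in = Counter()
    for snap in baseline_snapshots:
        # A set per snapshot so a handle listed twice counts once per run.
        for entry in {normalize(k, n) for k, n in snap}:
            seen_in[entry] += 1
    cutoff = min_fraction * len(baseline_snapshots)
    return {entry for entry, runs in seen_in.items() if runs > cutoff}


def filter_snapshot(snapshot, profile):
    """Drop every profiled entry from a suspect snapshot. Returns the
    survivors, normalised and deduplicated, in first-seen order."""
    survivors, seen = [], set()
    for kind, name in snapshot:
        entry = normalize(kind, name)
        if entry in profile or entry in seen:
            continue
        seen.add(entry)
        survivors.append(entry)
    return survivors


# Constructed sample data for a hypothetical text-editor process on a clean
# machine. Every path, key and module name below is illustrative.
_COMMON = [
    ("dll", r"C:\Windows\System32\ntdll.dll"),
    ("dll", r"C:\Windows\System32\kernel32.dll"),
    ("dll", r"C:\Windows\System32\user32.dll"),
    ("file", r"C:\Windows\Fonts\consola.ttf"),
    ("key", r"HKCU\Software\Microsoft\Notepad"),
]
BASELINE = [
    list(_COMMON),
    # Run 2: the user opened the file dialog, so comdlg32 was loaded once.
    _COMMON + [("dll", r"C:\Windows\System32\comdlg32.dll")],
    # Run 3: the acquisition tool reported ntdll with different casing.
    [("dll", r"C:\WINDOWS\SYSTEM32\NTDLL.DLL")] + _COMMON[1:],
    list(_COMMON),
]
# Suspect snapshot: the normal set, a duplicated handle, plus three entries
# never seen during normal operation (constructed for the example).
SUSPECT = _COMMON + [
    ("dll", r"C:\Windows\System32\comdlg32.dll"),
    ("dll", r"C:\Windows\System32\kernel32.dll"),      # listed twice
    ("dll", r"C:\Users\Public\update.dll"),
    ("file", r"C:\Users\alice\Documents\budget.xlsx"),
    ("key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]


def main():
    for frac in (0.0, 0.5):
        profile = build_profile(BASELINE, frac)
        kept = filter_snapshot(SUSPECT, profile)
        print(f"min_fraction={frac}: profile has {len(profile)} entries; "
              f"{len(SUSPECT)} snapshot entries -> {len(kept)} to review")
        for kind, name in kept:
            print(f"  {kind:4s} {name}")


if __name__ == "__main__":
    main()
```

With the default threshold the ten-entry suspect snapshot collapses to the three entries that never appeared during normal operation; with a majority threshold the rarely loaded dialog DLL also survives, which is the trade-off to weigh when choosing how many baseline runs to collect. Two caveats a practitioner should keep in mind: the baseline must be captured from a known-clean instance of the same application version, and an attacker who only uses modules and handles already in the profile (for example by injecting into an existing, normally loaded DLL) is not surfaced by this filter at all.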
Keywords: live forensics, filtering, DLLs, open handles,
normal resource usage, profiling
This page last modified Oct 27, 2009.