IJoFCS (2013) 1, 35-44 The International Journal of FORENSIC COMPUTER SCIENCE

www.IJoFCS.org

DOI: 10.5769/J201301005 or http://dx.doi.org/10.5769/J201301005

Triage in Live Digital Forensic Analysis

Muhammad Shamraiz Bashir(1) and M. N. A. Khan(2) (1) Department of Computing, Shaheed Zulfikar Ali Bhutto Institute of Science And Technology (SZ- ABIST), Islamabad, Pakistan. Email: [email protected] (2) Department of Computing, Shaheed Zulfikar Ali Bhutto Institute of Science And Technology (SZ- ABIST), Islamabad, Pakistan. Email: [email protected]

Abstract - Due to frequent use of Internet and with technological advancements, cyber and malware attacks over the digital devices have increased manifold. Activities performed electronically can be investigated by means of digital forensic analysis methodologies. Live digital forensic tools are used for digital evidence collection and investigations of malicious activities that occurred on a standalone system or networks. Since compromised system remains active while using these tools, some serious issues relating to malicious functionalities and policy violations could lead to serious damages like theft or . In this paper, we present a critical review of the triage in live forensic. This paper discusses several techniques being used for performing live forensic analysis and critically evaluate their efficacy in terms of their applicability and reliability. A brief anecdote about the pros and cons of these techniques are also discussed. We present the findings of our study in the critical section.

Key words: Digital forensic, digital evidence, forensic analysis, Triage, live analysis.

I. Introduction like misleading functionality or data theft. To prevent or suppress these kinds of attacks, per- tinent procedures must be defined to identify Digital communication techniques such as such threats and respond to them quickly and email, SMS, blogs etc. have progressed rapidly appropriately. during the last two decades. Email is one of the most commonly used communication technique. Digital forensics, also known as forensic Emails can be sent/received on laptops, comput- computing, is a controlled and systematic in- ers and mobile phones as well as on some other vestigation that entails collecting, analyzing and digital devices such as PDAs and Notebooks. De- validating digital evidence. Data residing on a spite its benefits, it can also lead to malware computer or an IT device is gathered in the first or cyber attacks in the digital society through step. The gathered data might be in the shape different means. Generally, such attacks occur of messages, logs or email etc. Then log analy- over the Internet and result in serious damages sis indentifies part of the system infected by the

Paper submitted on June 4th, 2013. Triage in Live Digital Forensic Analysis 36 malware or cyber attack. Afterwards, -by-bit that in contrast to the former technique, the lat- memory content analysis is done by means of ter technique help avoid risk of trailing volatile hardware and software methods. A hardware evidence such as suspended processes. That is system identifies the infected drive and loads it why memory image analysis due to the very spe- into the memory, which usually alters content cific reasons highlighted above has become an and memory state. Subsequently, the memory essential part of the live incident handling. analyzation can be done using software meth- Live forensics, sometime referred as live in- ods. cident response, is a methodology to extract Static or traditional analysis method is used memory, system processes and network related for analyzing evidence from the targeted com- information – even the terminated and cached puter after turning it off which obliterates many processes. However, live forensics is simply not running processes including n e t w o r k a pure forensic response as it does not reveal ports. Resultantly the opened connec- underlying operating state of the system. De- tions become unavailable and memory contents spite this, it helps understand the impacts of are lost; therefore, a meticulous analysis be- the running system and network processes on comes less effective. In addition, shutting down the overall system's state. It would be more the systems can be unaffordable for some or- appropriate to say that live forensics can be con- ganization depending upon the nature of their sidered as the first step towards an incident re- business. sponse scenario. In the modern era of computing, live foren- Professionals responsible for incident of sics is complementary to static analysis. Live computer security and digital forensic analysis forensics allows recovering and analyzing mem- need to continually update their procedures, ory content, processes and data without shut- skills and forensic tools due to ever changing ting down the system. Live digital forensics technology. Examiners capture an image of the plays a vital role during system examinations memory content to analyze it by using various due to the potential availability of the digital tools.WFT (Windows Forensic Toolchest) is one evidence in the such as running such a tool to automate live response on a Win- processes, network connections, opened ports dows system. It collects information from the and encryption keys etc. Windows system for system examination.When a forensic tool is invoked on a running system, Live forensic analysis primarily targets the it causes a minor change in original memory volatile data which can only be collected from a content. When a forensic tool is run from any running system; hence, the term "live" is coined removable media, causes alteration in volatile for such type of examinations as otherwise such data. Likewise, remote forensic tools require information cannot be extracted from a "dead" network connections, command for execution in system whose power cord is pulled out. Perform- memory and make other alternations on the af- ing live forensics has become necessary in the fected machine. modern era because to hack data from a target machine, the malware authors now write Tro- In this paper we provide an insight into the jans that do not depart any footprint on hard systematic set of procedures required to per- disk. For example, Witty, SQL Slammer and Code form live forensic analysis of a running comput- Red worm are such type of malware whose ex- er system. The triage is based on the different istence can only be detected by analyzing the techniques and methodologies proposed in the physical memory. Aljadid et al [16] highlight the contemporary literature.This paper is organized significance and limitations of live response with into five sections. After describing an introduc- respect to memory image analysis and report tion to live forensic analysis in the first section, Muhammad Shamraiz Bashir and M. N. A. Khan 37 we discuss the related wok in section II. The which are encrypted through BitLocker using next section describes merits and demerits of its USB-only mode feature. The proposed solu- the various live forensics and memory imaging tion is primarily based on discovering “.BEK” or analysis techniques. Section IV highlights the 48-digit password file during live forensic analy- grey areas and key challenges that are faced sis or image dump to recover BitLocker drive. For while performing live forensic analysis. This sec- this purpose, brute force attack can also be used tion also point outs the perspective dimensions to recover the drive whether on a live forensic to this research. Finally, we conclude in the analysis or physical memory dump file. last section Digital evidence can also be extracted from the data structure residing in memory by using differ- ent tools. Chan et al. [3] proposed a tool named 2. LITTRETURE REVIEW as ‘Cafegrid’ which can be used for deep analysis and recovery of data structure of programs from The purpose of this literature review is to memory in Widow and Linux. This tool also build highlight the significance of live digital forensic a map of object systematically and track the use analysis. In this section we analyze and identify of memory structure during program execution. the strength and limitation of live digital foren- Summary statistics produced by this tool contain sic analysis using various methods. details of the memory accesses and variations Decryption keys play a vital role in forensic made on the structure of data by intercepting analysis as they can reveal the true nature of the allocation and deallocation requests of data the action performed by certain processes par- structure during program execution. This all is ticularly the malware. Forensic analysis of a done by this tool after monitoring the running disk cannot be done when a system is switched program and tracing the allocation of dynamic off because the decrypted content is no longer memory. This tool can help forensic analysts in available. Bolagh and Pondelik [1] proposed a evidentiary analysis process as the data structure technique to recover the decryption keys from information can be equally used for offline or live the dump of the live image of a volatile mem- analysis in digital forensics. ory. Proposed approach works on windows and Balaz and Hlinka [4] described different steps Linux with TrueCrypt – a free open source tool to acquire memory contents for forensic analysis that performs on-the-fly . The au- Linux system which is compromised. For ease thors also suggested a method to decrease the to professionals responsible for responding to size of dump image considerably, especially in the security incidents, the authors have also case when TrueCrypt is used for encryption, the suggested the set of different tools required size can be limited to 1-2 MB only. However, for each step of the investigative process for the proposed technique bears a limitation that searching and analyzing the information ac- the image should be present locally for forensic quired from the victim system. Linux command analysis. In addition, decryption keys are locat- line tool ‘grep’ can also be used to analyze and ed through content search, and if certain data parse data from the physical memory so that degradation happens in a disk then it becomes data gathered for analysis is more targeted, impossible to extract keys. lesser in size and relevant. Sifting of the perti- nent data assists forensic analysts in identifica- Advances in data encryption technologies tion and preparation of evidentiary data in live have made the job of cyber investigators really and static forensic analysis. tough. Dija et al. [2] proposed a technique to unseal encrypted drives. The proposed solution Professionally sound and highly focused work can merely decrypt only those sealed drives is required for the collection of digital evidence. Triage in Live Digital Forensic Analysis 38

XOVAL [5] which is an extension of OVAL (Open normalized and noise is removed from it. Third Vulnerability Assessment Language) and is an and the final step is called data classification XML language, used to collect the digital data and triaging. In this step, evidence classifica- automatically. XOVAL framework keeps track of tion is done by ordering and predicting similar the specified data collected from target system data by using knowledge management classifica- and presents in a declarative way. Definition and tion algorithms so that amount of data could be identification of forensic primitives, which can reduced for better performance in mobile foren- be reused within multiple procedures, is a key sic analysis. Such an approach limits the inter- feature of XOVAL. est area and reduces the number of evidence by selecting the relevant and necessary evidence Li et al. [6] outlined a systematic procedure associated with each other for forensic analysis. for reconstruction of malicious events to quickly identify the behavior and deduce the functional- Yang and Yen [8] emphasize that live and ity of malware or suspicious code running over dead forensic analysis can be carried out by Android mobile operating system. Identification saving the necessary scripts and different tools of malicious program on Android platform can like Autopsy, FDumper, Scalpel, Fundl etc on a be done by using Logcat which is a built-in API USB or DVD. Such an approach can help in per- of Androids. Obfuscation, strings encryption forming live analysis of a running compromised and environmental configuration of the pro- system by plugging in the DVD/USB into the gram code can be analyzed through decompila- system. The script/tools stored on the DVD/USB tion and deobfuscation to help analyst to quickly when launched will collect the volatile informa- locate the malicious events. Since code encryp- tion such as opened ports, user login history tion in Android is always done through Data and active services etc. from the memory of Encryption Standard (DES) algorithm; therefore victim system and stores it on the USB. Simi- the same procedure can also be done by PCAP larly, the static analysis can be done by using (packet capture) analysis followed by strings AIR (Automated Image and Restore) software. decryption by rebuilding and decrypting the The information thus collected can be analyzed code with DES. However, these malicious events by using Scalpel and Fundl software stored on a are reconstructed for Android-based live mo- DVD/USB. Fore forensic perspective, log on/log bile malware forensic analysis. Nevertheless, off, date and time, kernel level information and to perform such type of malware analysis, the recently executed commands including process- Android mobile users should be well educated es and network status are of much importance and should have sufficient resources to perform for a forensic analyst in making appropriate such procedures for identification and analysis decision about the significance of the forensic of malware forensics on their handsets. evidence. In mobile forensics, examination of proce- HDFS (Hadoop Distributed ) [9] dures for evidence identification, collection, was used to forensically analyze large amount of and its documentation is deliberated. Martura- data by performing indexed searching on client- na et al. [7] introduced the concept of triaging server architecture. In HDFS, the servers con- and adaptation of self-knowledge for identifica- tain a master and a slave system, while client tion of device, acquisition of data, and reporting contains the web applications. Firstly, the fo- the device-specific investigations after analysis. rensic data is stored on a NAS (Network Access Triaging is normally done after the data acquisi- Storage), and then it is analyzed by ETL (Extract tion, but before the detailed analysis. Triaging in ,Transform and Load). In this process, data is mobile forensic consists of three stages, Firstly, extracted from NAS is transformed for the op- the evidence is collected from victim’s mobile. erational activities and then it is loaded into Secondly, the data related to forensic analysis is Hbase table in which multiple columns belong Muhammad Shamraiz Bashir and M. N. A. Khan 39 to a particular column family. In this approach, and the nature of the user interaction with the the encrypted data is decrypted into plain text, system [12]. For extracting and investigating and data filtration and searching through index forensically relevant data, ”Niglant32” tool was patterns are applied to reduce the amount of used to capture the image of memory allocated data for analysis. The composition of Hbase by the applications. Then text data was segre- database not only improves the data sharing gated from image using “strings”. In the next rate, but also enhances ease for the analysts to step, pattern matching is performed to catego- perform digital forensic investigations. rize the user activities instances and memory allocation to processes. In this process, origi- LECT (Linux Evidence Collection Tool) [10] nal user input is used by the pattern matching is capable to perform live forensic analysis on to match it with partial fragments or with text Linux systems. It collects forensic evidence in information that was extracted from memory console mode which is stored on USB and gener- dump. This will reveal the user input stored in ates reports in XML format which includes the applications i.e., what activities a user carried relevant information about the investigation like out through launching a certain application timestamp and hashes. This proposed system and which memory was allocated to user process automatically indentifies the target system, then as well as the information retrieved is dispersed collects the evidence automatically and also or in a whole fragment, also it is assured that tools used in information is valid for forensic relevant or not. this framework are so consistent that they do This information could be more useful for foren- not change or makes very minor changes in the sic investigation. memory contents during the evidence collection A cryptographic model is presented by Law phase, so that the integrity of evidence is not et al. [13] to protect data secrecy during digital disturbed. investigation. In this model, investigators ex- A framework proposed by Lempereur et al. [11] amine the bit stream image instead of examin- monitors the system behavior of heterogeneous ing the complete memory contents on storage computing environment at runtime. The main arti- media. Then encryption key is generated by the facts included in monitoring are hidden processes, data owner. Indexes are built after scanning files and network connection status within the sys- the image contents and are encrypted not to tem and between the host machines. This system reveal the data for investigation. Subsequently, also identifies the violence of security policies on keywords are generated by the investigators to standalone system as well as on network. In this perform searching in digital evidence from im- system, actors and repositories was introduced ages acquired by trap door. Data owner usually to store digital forensic information. Actors facili- provides trap door in response of request from tate information transformation from one channel investigator. Then searching is performed over to other, this flow of information is always from the encrypted index files by means of trap door source to sink and records only events stream during digital investigation process by the inves- that perform successful operations. Afterwards, tigator. source and sink channels are combined to define Mrdovic et al. [14] proposed performing live the security policy, which are applied by travers- and static digital analysis simultaneously, which ing the graph from head to tail node of channel. enhances the understanding of events and pro- Then the monitor agent is executed on each node vides ancillary insight into the present state of to transform the review stream into information system for examination. Live digital analysis is flow model. done through virtualization while memory dump The physical memory of Windows applica- is used for static analysis. Memory dump of tar- tion can reveal the applications run on a system geted system is taken before system shut down Triage in Live Digital Forensic Analysis 40 so that it can be subsequently booted using VM- Firstly, authenticity tops the list as it pertains to ware for performing live forensic analysis. Mem- identifying a key question about the data valid- ory dump contains list of processes along with ity i.e., how much evidentiary data is affected by their startup time. The process list also includes the evidence collection tools. Then integrity is hidden programs like rootkits which are gener- considered to check whether the data gathered ally hidden in live analysis. While live analysis is complete or not. The next step is to verify that is done after setting the system in hibernation data is consistent and meet the requirement of mode. In this process volatile memory is pre- forensic analyst besides verifying that analysis served, and OS is started from disk image with- procedure is consistent. Then repeatability and out changing image in virtual environment. The applicability is assured. Finally, it is imperative live and static combination assist digital inves- to analyze that the method used for the forensic tigators to analyze the image of system as well analysis is fault- tolerant i.e., method should as memory contents while compromised system not be interrupted if some evidentiary data is is running. missing or tampered. A meticulous deliberation of the aforesaid aspects will assist and improve To resolve deficiencies in the current digital the credibility of forensic analyst. live forensic methods Wang et al. [15] proposed a physical memory analysis model for live fo- rensic. For live forensic analysis, it is suggested 3. CRITICAL EVALUATION to clearly separate different phases of live fo- rensic analysis such as evidence collection, ex- In this section we provide a critical review of amination, analysis and report generation. The different approaches used for live digital foren- proposed model underlines some aspects to sic analysis. maintain the credibility of live forensic analysis.

Ref. Focused Area Technique Used Merits Limitations/Caveats Recovers decryption keys In case data degradation Forensic analysis of [1] TrueCrypt from dump of the live happens on a disk, then encrypted drives it is impossible to extract image of a volatile memory. decryption keys. This feature pertains to It can find “.BEK” file and AES and Brute force attack Window 7 or NTFS Live forensic analysis password file for algorithms. drives. Other operating [2] of BitLocker encrypted BitLocker drive to decrypt Step by step procedure to systems and FAT do not drives. it by using brute force analyze BitLocker drive. attack. support bitlock drive en- cryption feature. This tool only works on shared libraries and bina- Cafegrid tool deeply ana- ries in which Data structure analysis lyzes and recovers data compilation is done with [3] for live and static forensic Cafegrid structure of a program debugging. Cafegrid does analysis. from memory in Windows not work properly on and Linux environment. common compilers which stores pointers in registers rather than the stack. Classification and training of evidentiary data in live and static forensic analysis This is only specific to Forensic analysis of Command line tool “Grep” is done by using ‘grep’ Linux system and [4] Linux systems. has been used. tool. It reduces the amount requires client server archi- of data by selecting the tecture. relevant evidence from data. Muhammad Shamraiz Bashir and M. N. A. Khan 41

Ref. Focused Area Technique Used Merits Limitations/Caveats Key feature of this frame- work is that it collects The proposed technique Automatic collection of digital data automatically collects data of only those [5] forensic data from digital XOVAL framework from a compromised sys- objects which are defined tem and presents it in a in the XOVAL framework devices. declarative way by defining and ignores system objects data primitives for live fo- like user login information. rensic analysis. This approach requires performing all the steps Android mobile Logcat and PCAP (Packet Identifies malware in mo- [6] manually. Therefore, it is malware forensic analysis. Capture) analysis. biles and decrypts code. time consuming and entails expertise. This technique uses self- knowledge and triaging It is only adoptable for concept for identification, cold or dead analysis. This acquisition and reporting technique also endures Triaging and self-knowl- of device-specific investiga- classification problems e.g., [7] Mobile forensic different input produces edge. tions. It also reduces the same output. It also lacks amount of concerned reports and rel- for forensic analysis by evant data which is neces- sary for forensic analysis. classifying the relevant and similar data. It supports both live and Autopsy, FDumper, Scalpel, static forensic analyses and Digital forensic using automatically collects It is not a centralized [8] Fundl and AIR (Automated approach as it supports USB/DVD. volatile information such Image and Restore). as opened ports, user login only Chinese language. history, active services on Window and Linux systems. It is a live analysis tech- nique and supports re- mote services. It reduces amount of hardware required for Effective ETL process is Using forensic as a HDFS (Hadoop Distributed [9] File System) and ETL (Ex- forensic analysis. It also required for handling large service tract Transform, and Load) supports wired and wireless amount of data. connections. Index match- ing is fast and reduces the amount of data for forensic analysis. Automatic identification of targeted system. Report It works only for specific Digital forensic LECT (Linux Evidence generation based on hash [10] Linux versions such as analysis of Linux systems Collection Tool) framework. values and timestamps. It Ubuntu, Debian and Fedora also maintains integrity of (Red hat). evidence. Identifies the violation of security policies and also Monitoring of policies Live monitoring of system automatically monitors the Complexity in monitoring [11] hidden processes and net- of network nodes and col- violation on network. behavior. work connections on both laboration among them. local (standalone) and net- work systems. Forensic related data Detects applications used Gathered information is ”Niglant32” and pattern and events performed by incoherent and huge in size [12] extraction from matching tools. user and categorizes/ which is usually less Windows system. groups the relevant events. forensic relevant. Gathered data for forensic Irrelevant data is also analysis is in encrypted encrypted, due to which in- Protection of data for form, and index file [13] Cryptographic model. dex file size increases, thus digital investigation. search is performed. Only making the process the data requested by the execution slow. investigators is decrypted. Triage in Live Digital Forensic Analysis 42

Ref. Focused Area Technique Used Merits Limitations/Caveats The proposed approach suggest performing foren- sic analysis of the captured memory image The system allows live on a virtual machine. How- and static combination of Performing ever, advanced malware VMware and memory image of system as well stop operating or some- [14] simultaneous live and static dump. as memory contents, and time disguise themselves digital analyses. on a virtual environment. lists rootkits while system There is also a caveat that is in running mode. evidence extracted through performing forensic analy- sis on a virtual machine might not be acceptable in a court of law. Identifies the completion and integrity of evidentiary data, and also The proposed system Physical memory verifies consistency of the [15] Live digital forensic model. requires employing manual analysis. analysis procedure. It en- procedure. hances scientific creditability of digital evi- dence.

3.1 Tools Commonly Used for Digital Fo- description and availability in tabulated way. rensic Analysis Table I. below lists some of thekey forensic In this section we list different commonly used analysis tools used for perfuming live forensic for live digital forensic analysis, their platform, analysis.

Table I. Live Forensic Analysis Tools.

Tool Name Platform Description Availability AIR (Automated Image and A GUI to create live image Freeware/Commercia Windows Restore) dump of memory. l Autopsy Window/Linux It is used for disk analysis. Freeware This tool is used to take live PDUMP Windows Freeware memory dump. Used to automate the inci- WFT (Windows Forensic dent response and perform Windows Freeware Toolchest) live digital analysis. Performs live digital forensic SMART Linux Commercial analysis. DEFT ( Digital Evidence DEFT is used in live computer Linux Commercial & Forensic Toolkit) forensic systems. This tool is the extension of IDA pro. It identifies and highlights BinDiff Windows the changes and compares Commercial code of program before and after running. It is multipurpose tool to per- SIFT (SAN Investigation Ubuntu form live digital forensic in Commercial Forensics Toolkit) operating system. IEF (Internet Evidence This tool is used to collect Windows Freeware Finder) evidence from the Internet. It is multipurpose tool which FTK (Forensic Toolkit) Windows is used to indexing of digital Commercial evidence. DFF (Digital Forensic Digital evidence collection Windows / Linux/Mac Commercial Framework) and analysis toolkit. Muhammad Shamraiz Bashir and M. N. A. Khan 43

Tool Name Platform Description Availability This tool is used to perform forensic analysis on web Freeware/ OS Forensics Windows browsers, Commercial emails, Files, and Images. CAINE (Computer Aided Toolkit for live computer Freeware/ Linux Investigative Environment) forensics on Linux. Commercial COFEE(Computer A generic toolkit for live digi- Online Forensic Evidence Windows Commercial tal forensic analysis. Extractor) CMAT (Compile Memory Windows Memory analyzer tool. Freeware Analysis Tool) Captures and analyzes pack- Wire Shark Windows/Mac/Linux Open source ets on network. Extracts files, images and other metadata from PCAP Network Miner Windows/Linux files on the Freeware network. Database application for stor- Hash Keeper Windows Freeware ing file hash signatures.

4. Key Challenges for Performing Live Digital Forensic 5. CONCLUSIONS

Device diversity is one of the key challenges Modification of memory content is unavoid- in live digital analysis, which leads to time con- able while performing live forensic analysis to striction to locate and acquire relevant data. collect evidence. In live forensic analysis, the so- Since examiners have to look into the large phisticated forensic tools are not only required to collect and analyze data, but are also need volumes of data gathered for digital analysis; to resolve any ambiguity or conflicts introduced therefore, it is imperative to reduce data size due to their execution. For example, memory by filtering the unnecessary information so that image capturing tools can swap or reallocate the it becomes handy to perform analysis. In this memory addresses. It is very difficult to calculate study, we have observed that digital evidence impact of memory alteration due to execution of is very diverse and distributed in nature; hence forensic tool, but it is not practically impossible. relevant event should be categorized to per- So it is more important to measure the content form effective analysis. Anti-forensic techniques alteration of volatile memory due to execution also pose many difficulties while gathering and of forensic tool; therefore, data acquired by the analyzing digital data. The potentially incom- memory analysis tools should be consistent with plete view of system (because of presence of the actual data and correspond to the real live rootkits etc.) during the live forensic analysis is system status at that instant. Memory alteration a major problem. Therefore, the extracted sig- occurs due to many reasons; one of them is nificant events should be protected and handled loading and running of memory contents gath- carefully. We have also found in this research ering tools, which affect the key traces. that mostly open source tools are used for gathering and analysis of digital evidence which Due to rapid increase in the number of In- may affect in testing and validation process. ternet users across the world, the frequency of Triage in Live Digital Forensic Analysis 44

[4] A. Balaz, R. Hlinka. “Forensic Analysis of Compromised Systems”. In digital attacks has increased manifold. There- th fore, there is a need to devise effective meth- Proceedings of 10 Emerging eLearning Technologies & Applications (ICETA), pages 27--30, Stara Lesna, 8-9 November. 2012. odologies and develop efficient tools to detect [5] Martin Barrere, Gustavo Betarte and Marcelo Rodriguez. “Towards machine-assisted formal procedures for the collection of digital these attacks timely and triage the appropriate th evidence”. In Proceedings of 9 Annual International Conference on procedures without disturbing the functionality Privacy, Security and Trust (PST), pages 32--35, Montreal, QC, 19-21 of the running system. Considerable amount of July 2011. [6] Juanru Li, Dawu Gu, Yuhao Luo. “Android Malware Forensics: nd work is required to develop pertinent triage for Reconstruction of Malicious Events”. In Proceedings of 32 live digital forensic analysis. In this paper, we International Conference on Distributed Computing Systems Workshops (ICDCSW), pages 552--558, Macau, 18-21 June 2012. have critically examined different techniques for [7] Fabio Marturana, Gianluigi Me, Rosamaria Berte and Simone Tacconi. “A quantitative approach to Triaging in Mobile Forensics”. In performing live forensic analysis. This research th Proceedings of 10 International Conference on Trust, Security and produces a comparative study of the tools and Privacy in Computing and Communications (TrustCom), pages 582-- techniques regarding digital forensic analysis. 588, Changsha, 16-18 November 2011. [8] Chung-Huang Yang , Pei-Hua Yen. “Fast Deployment of Computer Forensics with USBs”. In Proceedings of International Conference on Broadband, Wireless Computing, Communication and Applications 6. FUTURE WORK (BWCCA), pages 413--416, Fukuoka, 4-6 November 2010. [9] Jooyoung Lee and Sungyong Un. “Digital Forensic as a Service : A Case Study of forensic Indexed Search”. In Proceedings of International Conference on ICT Convergence (ICTC), pages 499--503, Jeju There are still many feasible and optimal ways Island, 15-17 October 2012. to conduct live digital forensic analysis. The cur- [10] Joonho choi,Antinio Savoldi, Paolo Gubian, Seokhee Lee and Sangjin Lee. “Live Forensic Analysis of a Compromised Linux System rent live forensic analysis tools do not produce Using LECT (Linux Evidence Collection Tool)”. In Proceedings of the desired results, due to which suitability of International Conference on Information Security and Assurance (ISA), pages 231--236, Busan, 24-26 April 2008. the process or technique cannot be determined. [11] Brett Lempereur, Madjid Merabti, Qi Shi. “Information Flow So, there is a need to devise effective method- Monitoring: Model, Policy, and Analysis”. In Proceedings of ologies and develop efficient tools to detect International Conference on Developments in E-systems Engineering (DeSE), pages 227--232, Dubai, 6-8 December 2011. these attacks timely and triage the appropriate [12] Funminiyi Olajide, Nick Savage, Galyna Akmayeva and Charles procedures without disturbing the functionality Shoniregun. “Extracting Forensically Relevant Information from Windows Applications”. In Proceedings of International Conference on of the running system. Considerable amount of Information Society (i-Society), pages 423--428, London, 25-28 June work is required to develop pertinent triage for 2012. [13] FrankY.W.Law,PatrickP.F.Chan,S.M.Yiu,K.P.Chow, live digital forensic analysis. As a future dimen- MichaelY.K.Kwan,HaysonK.S.Tse, PierreK.Y.Lai. “Protecting Digital Data Privacy in Computer Forensic Examination”. In Proceedings sion to this research, we intend to propose a th of 6 International Workshop on Systematic Approaches to Digital new framework to triage the procedures in live Forensic Engineering (SADFE), pages 1--6, Oakland, CA, 26 May digital analysis. 2011. [14] [14] Sasa Mrdovic, Alvin Huseinovic, Ernedin Zajko. “Combining Static and Live Digital Forensic Analysis in Virtual Environment”. th In Proceedings of 12 International Symposium on Information, REFERENCES Communication and Automation Technologies ( ICAT), pages 1--6, Bosnia, 29-31 October 2009. [15] Lianhai Wang, Ruichao Zhang, Shuhui Zhang. “A Model of Computer Live Forensics Based on Physical Memory Analysis”. In Proceedings of [1] Stefan Bolagh, Matej Pondelik. “Capturing Encryption Keys for Digital st th 1 International Conference on Information Science and Engineering Analysis”. In Proceedings 6 International Conference on Intelligent (ICISE), pages 4647--4649, Nanjing, 26-28 December 2009. Data Acquisition and Advanced Computing Systems(IDAACS), pages [16] Aljaedi A., Lindskog D., Zavarsky P., Ruhl, Almari F. “Comparative 759--763, Prague, 15-17 September 2011. Analysis of Volatile Memory Forensics: Live Response vs. Memory [2] Dija S, Balan C, Anoop V and Ramani B. “Towards Successful Forensic rd th Imaging”. In Proceedings of 3 International Conference on Privacy, Recovery of BitLocked Volumes”. In Proceedings 6 International security, risk and trust (passat), pages 1253--1258, Boston, MA, 9-11 Conference on System of Systems Engineering (SoSE), pages 317-- October 2011. 322 , Albuquerque, NM, 27-30 June 2011. [3] Ellick Chan, Shivaram Venkataraman, Alejandro Gutierrez, Roy H. Campbell. “Characterizing Data Structures for Volatile Forensics”. In th Proceedings of 11 International Workshop on Systematic Approaches to Digital Forensic Engineering(SADFE), pages 1--9, Washington, DC, USA, 2011.