Hegarty, RC and Haggerty, J (2016) SlackStick: Signature-based File Identification for Live Digital Forensics Examinations. In: Intelligence and Security Informatics Conference 2015 (EISIC), 7-9 September 2015, Manchester.
Abstract
A digital forensics investigation may involve procedures both for live forensics and for gathering evidence from a device in a forensics laboratory. Because a live forensics investigation focuses on capturing volatile data, tools have been developed that target specific data surrounding state information. However, there may be circumstances in which non-volatile data analysis, such as the identification of files of interest, is also required. In such an investigation, the use of file-wise (hash) signatures is precluded by the pre-processing that forensics tools require. Therefore, this paper presents SlackStick, a novel automated approach, run from a USB memory device, for identifying files of interest or triaging non-volatile evidence using an alternative signature scheme. Moreover, the approach may be used by inexpert users during the first-response phase of an investigation. The results of the case study presented in this paper demonstrate the applicability of the approach.