Manchester Metropolitan University's Research Repository

SlackStick: Signature-based File Identification for Live Digital Forensics Examinations

Hegarty, RC and Haggerty, J (2016) SlackStick: Signature-based File Identification for Live Digital Forensics Examinations. In: Intelligence and Security Informatics Conference 2015(EISIC), 7-9 September 2015, Manchester.


Download (292kB) | Preview


A digital forensics investigation may involve procedures for both live forensics and for gathering evidence from a device in a forensics laboratory. Due to the focus on capturing volatile data during a live forensics investigation, tools have been developed that are aimed at capturing specific data surrounding state information. However, there may be circumstances whereby non-volatile data analysis, such as the identification of files of interest, is also required. In such an investigation, the ability to use file-wise, or hash, signatures is precluded due to pre-processing requirements by the forensics tools. Therefore, this paper presents SlackStick, a novel automated approach run from a USB memory device for the identification of files of interest or non-volatile evidence triage using an alternative signature scheme. Moreover, the approach may be used by inexpert users during a first-response phase of an investigation. The results of the case study presented in this paper demonstrate the applicability of the approach.

Impact and Reach


Activity Overview

Additional statistics for this dataset are available via IRStats2.


Actions (login required)

View Item View Item