e-space
Manchester Metropolitan University's Research Repository

    SlackStick: Signature-based File Identification for Live Digital Forensics Examinations

    Hegarty, RC and Haggerty, J (2016) SlackStick: Signature-based File Identification for Live Digital Forensics Examinations. In: Intelligence and Security Informatics Conference 2015(EISIC), 7-9 September 2015, Manchester.

    [img]
    Preview

    Available under License In Copyright.

    Download (292kB) | Preview

    Abstract

    A digital forensics investigation may involve procedures for both live forensics and for gathering evidence from a device in a forensics laboratory. Due to the focus on capturing volatile data during a live forensics investigation, tools have been developed that are aimed at capturing specific data surrounding state information. However, there may be circumstances whereby non-volatile data analysis, such as the identification of files of interest, is also required. In such an investigation, the ability to use file-wise, or hash, signatures is precluded due to pre-processing requirements by the forensics tools. Therefore, this paper presents SlackStick, a novel automated approach run from a USB memory device for the identification of files of interest or non-volatile evidence triage using an alternative signature scheme. Moreover, the approach may be used by inexpert users during a first-response phase of an investigation. The results of the case study presented in this paper demonstrate the applicability of the approach.

    Impact and Reach

    Statistics

    Activity Overview
    6 month trend
    847Downloads
    6 month trend
    361Hits

    Additional statistics for this dataset are available via IRStats2.

    Altmetric

    Repository staff only

    Edit record Edit record