
Site editor, Harbin Institute of Technology / 2019-10-23

Primary Exploration of Reliability Evaluation of Computer Live Forensics Model on Physical Memory Analysis

Lian-Hai Wang1,2, Qiu-Liang Xu1

(1. School of Computer Science and Technology, Shandong University, Jinan 250101, China; 2. Shandong Provincial Key Laboratory of Computer Network, Shandong Computer Science Center (National Supercomputer Center in Jinan), Jinan 250014, China)



Abstract:

The integrity and fidelity of digital evidence are very important in live forensics. Previous studies have focused on the uncertainty of live forensics based on different memory snapshots. However, this kind of method is not effective in practice, because memory images are usually acquired with forensics tools rather than from snapshots. Therefore, the integrity and fidelity of live evidence should be evaluated during the acquisition process. In this paper, we study the problem from a novel viewpoint. First, several definitions of memory acquisition measure error are introduced to describe trustworthiness. Then, we analyze the experimental error and propose some suggestions on how to reduce it. A novel method is also developed to calculate the system error in detail. The results of a case study on Windows 7 and a VMware virtual machine show that the experimental error has good accuracy and precision, which demonstrates the efficacy of the proposed reduction methods. The system error is also evaluated: it accounts for 30% to 50% of the whole error.

Key words: digital investigation; live forensics; volatile memory acquisition; trusted probability

DOI: 10.11916/j.issn.1005-9113.2014.04.019

CLC Number: TP309

Fund:

