Forenscope: A framework for live forensics

Ellick Chan, Shivaram Venkataraman, Francis David, Amey Chaugule, Roy Campbell

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Current post-mortem cyber-forensic techniques may cause significant disruption to the evidence gathering process by breaking active network connections and unmounting encrypted disks. Although newer live forensic analysis tools can preserve active state, they may taint evidence by leaving footprints in memory. To help address these concerns we present Forenscope, a framework that allows an investigator to examine the state of an active system without the effects of taint or forensic blurriness caused by analyzing a running system. We show how Forenscope can fit into accepted workflows to improve the evidence gathering process. Forenscope preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process. Forenscope has been tested on live systems to show that it does not operationally disrupt critical processes and that it can perform an analysis in less than 15 seconds while using only 125 KB of memory. We show that Forenscope can detect stealth rootkits, neutralize threats and expedite the investigation process by finding evidence in memory.

Original languageEnglish (US)
Title of host publicationProceedings - 26th Annual Computer Security Applications Conference, ACSAC 2010
Pages307-316
Number of pages10
DOIs
StatePublished - Dec 1 2010
Event26th Annual Computer Security Applications Conference, ACSAC 2010 - Austin, TX, United States
Duration: Dec 6 2010Dec 10 2010

Publication series

NameProceedings - Annual Computer Security Applications Conference, ACSAC
ISSN (Print)1063-9527

Other

Other26th Annual Computer Security Applications Conference, ACSAC 2010
CountryUnited States
CityAustin, TX
Period12/6/1012/10/10

    Fingerprint

Keywords

  • forensics
  • introspection
  • memory remanence

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Cite this

Chan, E., Venkataraman, S., David, F., Chaugule, A., & Campbell, R. (2010). Forenscope: A framework for live forensics. In Proceedings - 26th Annual Computer Security Applications Conference, ACSAC 2010 (pp. 307-316). (Proceedings - Annual Computer Security Applications Conference, ACSAC). https://doi.org/10.1145/1920261.1920307