Freeware Live Forensics tools evaluation and operation tips

Abstract

Highlighted by a digital forensics investigation specialists from FBI in DFRWS 2006, live forensics investigations already become one of the most important procedures in digital forensics investigations. Many digital forensics investigation product companies have already joint the battlefield in developing their only live forensics tools. However, similar to the development trend in traditional digital forensics, evaluation criteria for Live Digital Forensics could only be standardized after operating procedures being standardized. One way to standardize the Live Digital Forensics Investigation procedure is to define the investigation objectives around the core digital forensics principles. Through the use of FORZA framework, a more legal and investigation oriented live digital forensics investigation procedures have been outlined. Based on the FORZA based procedure, a set of operation best practices, operational tips and evaluation criteria was derived. Using the derived criteria, various free Live Forensics toolkits including Windows Forensics Toolchest (WFT), Incident Response Collection Report (IRCR), First Responders Evidence Disk (FRED) and Computer Online Forensic Evidence (COFEE) were evaluated and reported in this paper

    Similar works