TY - GEN
T1 - Tools for collecting volatile data
T2 - 2013 International Conference on Technological Advances in Electrical, Electronics and Computer Engineering, TAEECE 2013
AU - Carvajal, Leonardo
AU - Varol, Cihan
AU - Chen, Lei
PY - 2013
Y1 - 2013
N2 - Volatile information is a critical element when conducting a digital investigation. As a result, commercial and open source tools are becoming more varied in the options they offer to users. This paper compares six forensic tools: FTK Imager, ProDiscover, Win32dd, Nigilant32, Memoryze, and Helix3 (dd). Each forensic tool is evaluated on the following criteria: user interface, reporting, processing time, training, and the fingerprints or artifacts it leaves behind. We have observed that if time is the concern, command line forensic tools such as Win32dd and Memoryze are faster at acquiring physical memory contents than graphical user interface tools such as FTK Imager, ProDiscover, Nigilant32, and Helix3. In addition, Win32dd leaves the smallest fingerprint, using 13.55 MB of memory when loaded. On the other hand, FTK Imager leaves the largest fingerprint, using 155 MB of RAM
KW - forensic tools
KW - memory acquisition
KW - volatile data
UR - https://www.scopus.com/pages/publications/84882247838
U2 - 10.1109/TAEECE.2013.6557293
DO - 10.1109/TAEECE.2013.6557293
M3 - Conference article
SN - 9781467356121
T3 - 2013 The International Conference on Technological Advances in Electrical, Electronics and Computer Engineering, TAEECE 2013
SP - 318
EP - 322
BT - 2013 The International Conference on Technological Advances in Electrical, Electronics and Computer Engineering, TAEECE 2013
Y2 - 9 May 2013 through 11 May 2013
ER -