Selective Imaging of File System Data on Live Systems

Faust F, Thierry A, Müller T, Freiling F (2021)

Publication Type: Journal article

Publication year: 2021

Journal

Forensic Science International: Digital Investigation Elsevier

Book Volume: 36

DOI: 10.1016/j.fsidi.2021.301115

Abstract

In contrast to the common habit of taking full bitwise copies of storage devices before analysis, selective imaging promises to alleviate the problems created by the increasing capacity of storage devices. Imaging is selective if only selected data objects from an image that were explicitly chosen are included in the copied data. While selective imaging has been defined for post-mortem data acquisition, performing this process live, i.e., by using the system that contains the evidence also to execute the imaging software, is less well defined and understood. We present the design and implementation of a new live Selective Imaging Tool for Windows, called SIT, which is based on the DFIR ORC framework and uses AFF4 as a container format. (c) 2021 The Author(s). Published by Elsevier Ltd.

Authors with CRIS profile

Tilo Müller Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen) Felix Freiling Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)

Involved external institutions

QuoSec GmbH DE Germany (DE)

How to cite

APA:

Faust, F., Thierry, A., Müller, T., & Freiling, F. (2021). Selective Imaging of File System Data on Live Systems. Forensic Science International: Digital Investigation, 36. https://dx.doi.org/10.1016/j.fsidi.2021.301115

MLA:

Faust, Fabian, et al. "Selective Imaging of File System Data on Live Systems." Forensic Science International: Digital Investigation 36 (2021).

BibTeX: Download