Results 1 - 5 of 5
A Hardware-Based Memory Acquisition Procedure for Digital
- Digital Investigation, 2003
Abstract - Cited by 16 (0 self)
The acquisition of volatile memory from a compromised computer is difficult to perform reliably because the acquisition procedure should not rely on untrusted code, such as the operating system or applications executing on top of it. In this paper, we present a procedure for acquiring volatile memory using a hardware expansion card that can copy memory to an external storage device. The card is installed into a PCI bus slot before an incident occurs and is disabled until a physical switch on the back of the system is pressed. The card cannot easily be detected by an attacker and the acquisition procedure does not rely on untrusted resources. We present general requirements for memory acquisition tools, our acquisition procedure, and the initial results of our hardware implementation of the procedure.
An Event-based Digital Forensic Investigation framework
- In Proceedings of the 2004 Digital Forensic Research Workshop, 2004
Abstract - Cited by 10 (1 self)
In this paper, we present a framework for digital forensics that includes an investigation process model based on physical crime scene procedures. In this model, each digital device is considered a digital crime scene, which is included in the physical crime scene where it is located. The investigation includes the preservation of the system, the search for digital evidence, and the reconstruction of digital events. The focus of the investigation is on the reconstruction of events using evidence so that hypotheses can be developed and tested. This paper also includes definitions and descriptions of the basic and core concepts that the framework uses.
CERIAS Tech Report 2004-53 AN EVENT-BASED DIGITAL FORENSIC INVESTIGATION FRAMEWORK
Abstract
In this paper, we present a framework for digital forensics that includes an investigation process model based on physical crime scene procedures. In this model, each digital device is considered a digital crime scene, which is included in the physical crime scene where it is located. The investigation includes the preservation of the system, the search for digital evidence, and the reconstruction of digital events. The focus of the investigation is on the reconstruction of events using evidence so that hypotheses can be developed and tested. This paper also includes definitions and descriptions of the basic and core concepts that the framework uses.
DEFINING AND MODELING DIGITAL EVIDENCE USING DATA FLOWS
Abstract
In this paper, we define, model, and show the uses of evidence in an investigation, specifically a digital investigation. Digital evidence has been used in the courts to help prove cases, but its characteristics and role in an investigation have not been formally defined or challenged. This paper defines digital evidence by observing the role of evidence in a physical investigation, modeling the role, and applying the model to a digital investigation. The model shows the data flow between objects and how the data can be interpreted to produce information and evidence of the incident. The model can also be used to identify the source of an incident and to find additional evidence at a crime scene. The class and individual characteristics of digital evidence are given and the data flow for the 4.4 BSD kernel is used as a case study.

