Enhancing the Admissibility of Live Box Data Capture in Digital Forensics: Creation of the Live Box Computer Preservation Response (LBCPR) and Comparative Study Against Dead Box Data Acquisition
Abstract
There are several techniques and methods on how to capture data during a Live Box response in computer forensics, but the key towards these acquisitions is to keep the collected data admissible in a judicial court process. Different approaches during a Live Box examination will lead to data changes in the computer, due to the volatile nature of data stored in memory. The inevitable changes of volatile data are what cause the controversy when admitting digital evidence to court room proceedings.The main goal of this dissertation was to create a process model, titled Live Box Computer Preservation Response (LBCPR), that would assist in ensuing validity, reliably and accuracy of evidence in a court of law. This approach maximizes the admissibly of digital data derived from a Live Box response.The LBCPR was created to meet legal and technical requirements in acquiring data from a live computer. With captured Live Box computer data, investigators can further add value to their investigation when processing and analyzing the captured data set, that would have otherwise been permanently unrecoverable upon powering down the machine. By collecting the volatile data prior to conducting Dead Box forensics, there is an increased amount of information that that can be a utilized to understand the state of the machine upon collection when combined with the stored data contents.This study created a comparative analysis on data collection with the LBCPR method versus traditional Dead Box forensics techniques, further proving the expected results of Live Box techniques capturing volatile data. However, due to the structure of the LBCPR, there were enhanced capabilities of obtaining value from the randomization of memory dumps, because of the assistance of the collected logs in the process model. In addition, with the legal admissibility focus, there was incorporation of techniques to keep data admissible in a court of law.
Degree
Ph.D.
Advisors
Rogers, Purdue University.
Subject Area
Computer science|Criminology|Law|Law enforcement|Management|Organizational behavior|Pharmaceutical sciences|Forensic sciences
Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server.