Live Forensics—Diagnosing Your System Without Killing It First

Frank Adelstein

Abstract: Traditional methods of digital forensics analyze a static disk image—a bitstream copy of a disk created while the system is offline. Recent trends—including greatly increased disk capacity and the proliferation of mission-critical systems requiring continuous uptime—have limited the effectiveness and applicability of this approach. Live forensics gathers data from running systems, providing additional contextual information that is not available in a disk-only forensic analysis. This article describes what information live forensics can gather, how to use that information as evidence, and what information is best obtained by live forensic analysis.
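To make the abstract's point concrete, here is an added example (my own, not code from the article or its author) of the kind of collection a live response performs: volatile data is captured from the running system in order of volatility, each capture is hashed, and a timestamped manifest records what was taken so the collected output can later be verified as unaltered. It assumes a Linux host with common tools (ps, ss, who, sha256sum); the command list and the manifest format are my choices and are not specified by the article.

```shell
#!/bin/sh
# Added example, not from the article. Collects volatile data from the live
# system (most volatile first) and writes a hash manifest for later verification.

collect_volatile() {
  outdir="${1:-./live-collection}"
  mkdir -p "$outdir"
  manifest="$outdir/manifest.txt"
  : > "$manifest"
  # label|command pairs, ordered from most to least volatile (my ordering).
  for entry in \
      "date|date -u" \
      "uptime|uptime" \
      "processes|ps -e -o pid,ppid,user,lstart,cmd" \
      "network|ss -tunap" \
      "users|who" \
      "kernel|uname -a"; do
    label=${entry%%|*}
    cmd=${entry#*|}
    out="$outdir/$label.txt"
    # Record the absence of a tool rather than silently skipping it, so the
    # manifest documents exactly what was and was not collected.
    if command -v "${cmd%% *}" >/dev/null 2>&1; then
      $cmd > "$out" 2>&1
      status=$?
    else
      echo "command not available: $cmd" > "$out"
      status=127
    fi
    hash=$(sha256sum "$out" | cut -d' ' -f1)
    # Manifest line: collection time (UTC), label, exit status, SHA-256 of output.
    printf '%s\t%s\t%s\t%s\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$status" "$hash" >> "$manifest"
  done
  echo "$manifest"
}

# Re-hash every collected file and compare against the manifest; returns
# non-zero on the first mismatch, which is what an examiner checks before
# relying on the capture as evidence.
verify_manifest() {
  manifest="$1"
  dir=$(dirname "$manifest")
  while IFS="$(printf '\t')" read -r ts label status hash; do
    actual=$(sha256sum "$dir/$label.txt" | cut -d' ' -f1)
    [ "$actual" = "$hash" ] || { echo "MISMATCH: $label (collected $ts)"; return 1; }
  done < "$manifest"
  return 0
}
```

Run `collect_volatile /path/to/evidence` on the live host (writing to removable or remote storage rather than the suspect disk, so the collection itself disturbs as little as possible), then `verify_manifest /path/to/evidence/manifest.txt` whenever the captured files are handed over or re-examined.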

Download the full article (28K PDF).

© ACM, 2006. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Communications of the ACM, Vol. 49, No. 2, February 2006, http://doi.acm.org/10.1145/1113034.1113070.

© 2010 Architecture Technology Corporation
Send comments to: webmaster@atcorp.com