DC3 2010
DC3 2k10 is here again, and team NSSAL will be participating again this year. I was a little disappointed in our overall ranked performance last year, but the challenge numbers are a little misleading. The 2008 challenge was composed of discrete components, whereas 2009 was an investigation – we solved the investigation, but there is only so much time you can spend beating a dead horse for more points once a case is solved.
I’m pleased to say this year our team will have fewer distractions and we’ll even all be in the same city this go-around. I’m due to pick up the challenge data this weekend, but first appearances seem to indicate 2010 will be closer in format to 2008. Obviously, with the DC3 I cannot comment about the challenge itself until the end, but I hope to have another good write-up on our entry when everything is over in December.
AAFS 2010 – Changes in Approach to Scalability in Digital Forensic Analysis
This year I attended the American Academy of Forensic Sciences (“AAFS”) conference in Seattle and presented in the digital and multimedia section. The following post is a summary of the oral presentation along with my slide set.
For those who do not know, I hold an M.S. in computer science with a concentration in Information Assurance. I am presently a Ph.D. student in Engineering and Applied Sciences at the University of New Orleans. I expect to be ABD by fall of this year, when I start law school as a J.D. student. Professionally, I work for a litigation support vendor in New Orleans dealing primarily with the civil side of digital forensics, eDiscovery, and other related areas. I have a somewhat unique perspective on the field by having one foot in academia and the other in industry.
One cannot begin a discussion of future trends and the need for new approaches without first examining the current state. At present the field has three main phases of practice: acquisition, analysis, and reporting. Acquisition originated in dead acquisition, where the data storage medium, such as a hard drive, is imaged byte-for-byte while the system is powered off to produce an exact duplicate. The source and the duplicate are hashed at acquisition time, and the duplicate is re-hashed after analysis is complete to verify that it was not altered. In a more modern twist, live acquisition involves acquiring data from a system while it is still running. Live acquisition allows for preserving more ephemeral data such as memory dumps, active network connections, logged-on users, running programs, etc., which would otherwise be lost in powering the system down for dead acquisition. Live acquisition risks triggering anti-forensics tools, malicious commands from still-logged-in users, and altering the very system state being collected.
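The dead-acquisition workflow described above (byte-for-byte copy, hash at acquisition, re-hash to verify after analysis) as an added example, not code from the original post or the presentation. The "device" is a constructed temporary file standing in for a block device; on a real system the source would be opened read-only behind a hardware write-blocker, which this sketch does not model.

```python
"""Dead acquisition sketch: image a source byte-for-byte, hash the bytes as
they are copied, and re-verify the image later.

Added example. The source "device" is a constructed temporary file, not a
real drive; hashing algorithm and chunk size are arbitrary choices.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read/write in 1 MiB blocks


def acquire(src_path, img_path, algo="sha256"):
    """Copy src_path to img_path byte-for-byte, hashing each block as it is
    read so the acquisition hash covers exactly the bytes written.
    Returns (bytes_copied, hexdigest)."""
    h = hashlib.new(algo)
    copied = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            buf = src.read(CHUNK)
            if not buf:
                break
            h.update(buf)
            img.write(buf)
            copied += len(buf)
        img.flush()
        os.fsync(img.fileno())  # make sure the image really hit the disk
    return copied, h.hexdigest()


def hash_file(path, algo="sha256"):
    """Independent hash of a file, used for the source and for re-verification."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def verify(img_path, expected_hex, algo="sha256"):
    """Re-hash the image after analysis and compare to the acquisition hash."""
    return hash_file(img_path, algo) == expected_hex


def demo():
    """Acquire a constructed medium, verify it, then show that touching one
    byte of the image is caught by the post-analysis verification.
    Returns (bytes_copied, verified_after_acquisition, verified_after_tamper)."""
    # Constructed sample contents: 1 MiB of a repeating pattern plus a tail.
    data = bytes(range(256)) * 4096 + b"evidence file: report.doc\x00"
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdb")      # stand-in for /dev/sdb
        img = os.path.join(d, "sdb.dd")   # the forensic image
        with open(src, "wb") as f:
            f.write(data)

        copied, acq_hash = acquire(src, img)
        # Source and image must hash identically right after acquisition.
        ok_after_acq = (hash_file(src) == acq_hash) and verify(img, acq_hash)

        # Simulate the image being modified during analysis (one byte flipped).
        with open(img, "r+b") as f:
            f.seek(10)
            f.write(b"\xff")
        ok_after_tamper = verify(img, acq_hash)
        return copied, ok_after_acq, ok_after_tamper


if __name__ == "__main__":
    n, ok1, ok2 = demo()
    print(f"copied {n} bytes; verified after acquisition: {ok1}; "
          f"verified after tamper: {ok2}")
```

Hashing while copying means the recorded hash is of the bytes that were actually read, so a read error or a short copy shows up as a mismatch against the independently hashed source rather than going unnoticed. The re-verification step is what gives the hash its value in court: it is only evidence of integrity if someone actually recomputes it after the analysis.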