Abstract

The integrity and fidelity of digital evidence are essential in live forensics. Previous research has studied the uncertainty of live forensics by comparing different memory snapshots. However, this kind of method is not effective in practice: memory images are usually acquired with forensic tools rather than taken as snapshots. Therefore, the integrity and fidelity of live evidence should be evaluated during the acquisition process itself. In this paper, we propose a new viewpoint in which memory acquisition is regarded as a measurement of memory data. From this viewpoint, we evaluate the integrity and fidelity of live evidence during physical memory acquisition. Firstly, several definitions of memory acquisition measurement error are introduced to describe trustworthiness. Then, we analyze the experimental error and propose suggestions on how to reduce it. A novel method is also developed to calculate the system error in detail. The results of a case study on Windows 7 and a VMware virtual machine show that the experimental error has good accuracy and precision, which demonstrates the efficacy of the proposed reduction methods. The system error is also evaluated; it accounts for 30% to 50% of the whole error. Last, a method is proposed to calculate the changes or error of system processes.
