Why Do Criminals Use Dead-Box Forensics?

Computer crimes and crimes involving the use of computers have become a fact of life. Crimes no longer involve just hackers seeking to make a name for themselves. We now store critical information about our lives on our computers, cell phones and tablets. Just as the average home user relies on their computers for more and more of their daily activities, the same can be said of criminals. On our computers are our finances, schedules, contacts, addresses, pictures and videos, phone numbers, medical information, research and internet history. According to a 2014 CSIS and McAfee report, the extrapolated, estimated annual cost of cybercrime to the global economy is over $400 billion (CSIS & McAfee, 2014). Additionally, crime does not just…
Their methods include memory-resident malware, encryption, and anti-forensics to cover their tracks while defeating dead-box forensics. Dead-box forensics refers to the practice of “pulling the plug” before acquiring an exact copy of the hard drive; the result is data-at-rest analysis (Cummings, 2008). Live-box forensics gives an investigator access to the running system, including the volatile information held in RAM. Volatile data is lost when a system is shut down or powered off. According to Cummings, clearing 4 GB of RAM is equivalent to “throwing away 1 million pages of single-spaced printed text” (Cummings, 2008). The data found in RAM is produced at runtime, exists only in memory, and as a result would not be available to an analyst performing only dead-box forensics.
The crucial importance of RAM in forensic investigations is that any information or data that has been actively used by a program or hardware will run through a system’s RAM while it is being used. Input and/or output from a computer program travels through the system’s memory. The length of its stay within the RAM depends on the RAM size and the system’s need for additional space in the
RAM capture and analysis can be beneficial in many of these instances. One particular instance is when a live CD is used. Instead of a traditional operating system installed on the system’s hard drive, a live CD is an operating system packaged on a CD or DVD. Live CDs store data, including the file system, in the system’s volatile memory. To enable recovery of file contents, directory structure and metadata in these cases, Digital Forensics Solutions developed a Volatility memory-analysis plug-in. The plugin locates the AUFS filesystem in memory and enumerates its files and directories, then copies the files and their associated metadata to an output directory. While the metadata of a file can be recovered, recovery of deleted content is less successful: when a file is deleted, its content storage becomes unstable. In these cases, deleted-file analysis can only be used to prove that certain programs were installed or that files were purposely deleted. (Case & Pfeif,
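The workflow the paragraph describes (locate file-system structures in a memory image, enumerate the entries, copy file contents and metadata to an output directory, and treat deleted entries as metadata-only) can be shown on a small constructed example. The Python below is an added illustration written for this page; it is not the Digital Forensics Solutions plug-in, not Volatility code, and does not parse AUFS. The record layout, the `TFS1` magic value, the sample image and all function names are assumptions made up for the demonstration.

```python
import os
import struct
import tempfile

# Hypothetical in-memory file record layout (constructed for this example, not AUFS):
#   magic     4 bytes   b"TFS1"
#   flags     uint8     bit 0 set = file was deleted (content region freed)
#   name_len  uint8
#   size      uint32 LE length of the content region
#   mtime     uint32 LE unix timestamp
#   name      name_len bytes, UTF-8
#   content   size bytes
MAGIC = b"TFS1"
HEADER = struct.Struct("<4sBBII")


def build_record(name, content, mtime, deleted=False):
    """Serialise one toy record as it would sit in RAM."""
    encoded = name.encode("utf-8")
    header = HEADER.pack(MAGIC, 1 if deleted else 0, len(encoded), len(content), mtime)
    return header + encoded + content


def build_sample_image():
    """Constructed memory image: three records scattered between filler bytes.
    The third record is deleted; its header survives but the content region
    has been freed and zeroed, mirroring the 'unstable content' caveat."""
    filler = b"\x00" * 37 + b"\xff" * 11
    records = [
        build_record("notes.txt", b"meeting at 9", 1400000000),
        build_record("keys.bin", b"\x01\x02\x03\x04", 1400000100),
        build_record("plan.doc", b"\x00" * 16, 1400000200, deleted=True),
    ]
    image = filler
    for rec in records:
        image += rec + filler
    return image


def carve_records(image):
    """Scan the image for record headers and enumerate files with their metadata.
    A candidate header is accepted only if its lengths fit inside the image and
    the name decodes as printable text; otherwise the match is treated as noise."""
    found = []
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + HEADER.size <= len(image):
            _, flags, name_len, size, mtime = HEADER.unpack_from(image, pos)
            name_start = pos + HEADER.size
            name_end = name_start + name_len
            content_end = name_end + size
            if name_len > 0 and content_end <= len(image):
                try:
                    name = image[name_start:name_end].decode("utf-8")
                except UnicodeDecodeError:
                    name = ""
                if name.isprintable():
                    deleted = bool(flags & 1)
                    found.append({
                        "offset": pos,
                        "name": name,
                        "size": size,
                        "mtime": mtime,
                        "deleted": deleted,
                        # Content of a deleted entry is not trusted: metadata only.
                        "content": None if deleted else image[name_end:content_end],
                    })
                    pos = image.find(MAGIC, content_end)
                    continue
        pos = image.find(MAGIC, pos + 1)
    return found


def extract_to_directory(image, out_dir=None):
    """Write recovered files plus a metadata listing to out_dir.
    Returns (all records, names of files whose content was written)."""
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="ramcarve_")
    os.makedirs(out_dir, exist_ok=True)
    records = carve_records(image)
    written = []
    with open(os.path.join(out_dir, "metadata.csv"), "w", encoding="utf-8") as meta:
        meta.write("offset,name,size,mtime,deleted\n")
        for rec in records:
            meta.write(f"{rec['offset']},{rec['name']},{rec['size']},{rec['mtime']},{rec['deleted']}\n")
            if not rec["deleted"]:
                # basename() keeps a hostile name from escaping the output directory.
                target = os.path.join(out_dir, os.path.basename(rec["name"]))
                with open(target, "wb") as fh:
                    fh.write(rec["content"])
                written.append(rec["name"])
    return records, written


if __name__ == "__main__":
    recs, names = extract_to_directory(build_sample_image())
    for r in recs:
        print(r["offset"], r["name"], r["size"], "deleted" if r["deleted"] else "recovered")
    print("content written for:", names)
```

The scan accepts a header only when its lengths fit and its name is printable, which is the same kind of sanity check a real carver applies to reduce false positives from stray byte patterns. A deleted entry is reported with its name, size and timestamp but never has content written out, reflecting the point in the paragraph that metadata is recoverable while the content region can no longer be trusted.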
