| Article ID | Journal | Published Year | Pages | File Type |
|---|---|---|---|---|
| 4955666 | Digital Investigation | 2017 | 9 Pages |
Abstract
We study the problem of evidence collection in environments where abstraction layers are used to organize data storage. Based on a formal model, the problem of evidence collection is defined as the task to reconstruct high-level from low-level storage. We investigate the conditions under which different levels of evidence collection can be performed and show that abstraction layers, in general, make it harder to acquire evidence. We illustrate our findings by describing several practical scenarios from file systems, memory management, and disk volume management.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
Felix Freiling, Thomas Glanzmann, Hans P. Reiser,