First Steps, Lasting Impact: Platform-Aware Forensics for the Next Generation of Analysts
- URL: http://arxiv.org/abs/2602.00160v1
- Date: Thu, 29 Jan 2026 19:43:46 GMT
- Title: First Steps, Lasting Impact: Platform-Aware Forensics for the Next Generation of Analysts
- Authors: Vinayak Jain, Sneha Sudhakaran, Saranyan Senthivel
- Abstract summary: Disk and memory forensic acquisition techniques are assessed across samples representing Windows and Linux systems. Windows typically supports reliable disk imaging and analysis through established tools such as FTK Imager and Autopsy/Sleuth Kit. Linux environments, which rely on file systems like ext4 and XFS, generally offer greater transparency. Memory analysis on Linux systems benefits from tools like LiME, snapshot utilities, and dd for memory acquisition.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The reliability of cyber forensic evidence acquisition is strongly influenced by the underlying operating system (Windows, macOS, or Linux) due to inherent variations in file system structures, encryption protocols, and forensic tool compatibility. Disk forensics, one of the most widely used techniques in digital investigations, faces distinct obstacles on each platform. Windows, with its predominantly NTFS and FAT file systems, typically supports reliable disk imaging and analysis through established tools such as FTK Imager and Autopsy/Sleuth Kit. However, encryption features frequently pose challenges to evidence acquisition. Conversely, Linux environments, which rely on file systems like ext4 and XFS, generally offer greater transparency, yet the transient nature of log retention often complicates forensic analysis. In instances where anti-forensic strategies such as encryption and compression render traditional disk forensics insufficient, memory forensics becomes crucial. While memory forensic methodologies demonstrate robustness across Windows and Linux platforms through frameworks like Volatility, platform-specific difficulties persist. Memory analysis on Linux systems benefits from tools like LiME, snapshot utilities, and dd for memory acquisition; nevertheless, live memory acquisition on Linux can still present challenges. This research systematically assesses both disk and memory forensic acquisition techniques across samples representing Windows and Linux systems. By identifying effective combinations of forensic tools and configurations tailored to each operating system, the study aims to improve the accuracy and reliability of evidence collection. It further evaluates current forensic tools and highlights a persistent gap: consistently assuring forensic input reliability and footprint integrity.
Related papers
- Propose and Rectify: A Forensics-Driven MLLM Framework for Image Manipulation Localization (arXiv, 2025-08-25)
  This paper presents a novel Propose-Rectify framework that bridges semantic reasoning with forensic-specific analysis. The framework ensures that initial semantic proposals are systematically validated and enhanced through concrete technical evidence, resulting in comprehensive detection accuracy and localization precision.
- Certifiably robust malware detectors by design (arXiv, 2025-08-10)
  The authors propose a new model architecture for robust malware detection by design. They show that every robust detector can be decomposed into a specific structure, which can be applied to learn empirically robust malware detectors. Their framework, ERDALT, is based on this structure.
- Digital Forensic Investigation of the ChatGPT Windows Application (arXiv, 2025-05-29)
  This study focuses on identifying and recovering digital artifacts for investigative purposes. It explores different methods to extract and analyze cache, chat logs, metadata, and network traffic from the application. Key findings demonstrate that the application's chat history, user interactions, and system-level traces can be recovered even after deletion.
- A Comprehensive Quantification of Inconsistencies in Memory Dumps (arXiv, 2025-03-19)
  The authors develop a system to track all write operations performed by the OS kernel during a memory acquisition process. They quantify how different acquisition modes, file systems, and hardware targets influence the frequency of kernel writes during the dump.
- UEFI Memory Forensics: A Framework for UEFI Threat Analysis (arXiv, 2025-01-28)
  The authors introduce a framework for UEFI memory forensics. The proposed framework consists of two primary components: UefiMemDump, a memory acquisition tool, and UEFIDumpAnalysis, an extendable collection of analysis modules. The work enables researchers and practitioners to investigate firmware-level threats, develop additional analysis modules, and advance overall below-OS security.
- SHIELD: Secure Host-Independent Extensible Logging for Tamper-Proof Detection and Real-Time Mitigation of Ransomware Threats (arXiv, 2025-01-28)
  SHIELD is a metric acquisition framework leveraging low-level monitoring and Network Block Device (NBD) technology to provide off-host, tamper-proof measurements for continuous observation of disk activity. It employs deep features along with simplified metrics aggregated by frequency of disk actions, making the metrics impervious to obfuscation while avoiding reliance on vulnerable host-based logs. In a proof-of-concept deployment, the authors demonstrate real-time mitigation using models trained on these metrics by halting malicious disk operations after ransomware detection with minimal file loss and memory corruption.
- Ensemble Method for System Failure Detection Using Large-Scale Telemetry Data (arXiv, 2024-06-07)
  This paper presents an in-depth analysis of extensive system telemetry data, proposing an ensemble methodology for detecting system failures. The proposed ensemble technique integrates a diverse set of algorithms, including Long Short-Term Memory (LSTM) networks, isolation forests, one-class support vector machines (OCSVM), and local outlier factors (LOF). Experimental evaluations demonstrate the efficacy of the models, achieving a notable detection rate in identifying system failures.
- Cooperative Hardware-Prompt Learning for Snapshot Compressive Imaging (arXiv, 2023-06-01)
  The authors propose a Federated Hardware-Prompt learning (FedHP) framework to cooperatively optimize snapshot compressive imaging systems. FedHP learns a hardware-conditioned prompter to align inconsistent data distributions across clients, serving as an indicator of the data inconsistency among different hardware. Experiments demonstrate that FedHP coordinates the pre-trained model across multiple hardware configurations, outperforming prevalent FL frameworks by 0.35 dB.
- Fourier Document Restoration for Robust Document Dewarping and Recognition (arXiv, 2022-03-18)
  This paper presents FDRNet, a Fourier Document Restoration Network that can restore documents with different distortions. It dewarps documents by a flexible Thin-Plate Spline transformation which can handle various deformations effectively without requiring deformation annotations in training. It outperforms the state of the art by large margins on both dewarping and text recognition tasks.
- Efficient video integrity analysis through container characterization (arXiv, 2021-01-26)
  The authors introduce a container-based method to identify the software used to perform a video manipulation. The proposed method is both efficient and effective and can also provide a simple explanation for its decisions. It achieves an accuracy of 97.6% in distinguishing pristine from tampered videos and classifying the editing software.
- Multi-Modal Video Forensic Platform for Investigating Post-Terrorist Attack Scenarios (arXiv, 2020-04-02)
  Large-scale Video Analytic Platforms (VAP) assist law enforcement agencies (LEA) in identifying suspects and securing evidence. The authors present a video analytic platform that integrates visual and audio analytic modules and fuses information from surveillance cameras and video uploads from eyewitnesses.