
Research Article
Remote Air-Gap Live Forensics
@INPROCEEDINGS{10.1007/978-3-030-68734-2_10,
  author={Tom Van der Mussele and Babak Habibnia and Pavel Gladyshev},
  title={Remote Air-Gap Live Forensics},
  proceedings={Digital Forensics and Cyber Crime. 11th EAI International Conference, ICDF2C 2020, Boston, MA, USA, October 15-16, 2020, Proceedings},
  proceedings_a={ICDF2C},
  year={2021},
  month={2},
  keywords={Digital forensics; Live forensics; Air-gap; Remote forensics; Forensic dongle},
  doi={10.1007/978-3-030-68734-2_10}
}
- Tom Van der Mussele
- Babak Habibnia
- Pavel Gladyshev
Year: 2021
Remote Air-Gap Live Forensics
ICDF2C
Springer
DOI: 10.1007/978-3-030-68734-2_10
Abstract
This paper describes a scalable means of performing remote live forensics on air-gapped systems that introduces only minimal and traceable changes to them. The solution respects the air-gap: it does not introduce any network connectivity to the air-gapped systems. It comes with a central management system, which allows it to be used across multiple systems during a single incident. Every action taken is recorded and traceable, which allows the investigator to comply with the second ACPO principle (a person who accesses original data must be competent to do so and able to explain the relevance and implications of their actions) during live forensics. The changes introduced are low-impact, so as to maximise stability and the preservation of evidence while the air-gapped system is investigated. The solution is designed to operate with minimal interaction at the keyboard. The paper also compares and benchmarks the proposed solution against other industry solutions.
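The "full traceable actions" requirement in the abstract is what the second ACPO principle demands of any live examination: the investigator must later be able to show exactly what was done to the original system, in what order, and what each step returned. As an added illustration, not code from the paper or its authors, the following shows one generic way to make such an action log tamper-evident: each command run on the live host is recorded together with a SHA-256 digest of its output, and every record is hash-chained to the previous one. The case identifier, examiner name, commands and their outputs are constructed sample data; the paper's own dongle and management system are not modelled here.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # anchor for the first entry in the chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the entry hash is reproducible on verification
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class ActionLog:
    """Hash-chained record of every action taken on the live system."""

    def __init__(self, case_id: str, examiner: str) -> None:
        self.case_id = case_id
        self.examiner = examiner
        self.entries: List[dict] = []

    def record(self, action: str, output: bytes, timestamp: str) -> str:
        # Each entry commits to the previous entry's hash, so reordering or
        # deleting a record breaks every hash after it.
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "case_id": self.case_id,
            "examiner": self.examiner,
            "timestamp": timestamp,
            "action": action,
            "output_sha256": sha256_hex(output),
            "output_len": len(output),
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False, i
            if sha256_hex(canonical(body)) != entry["entry_hash"]:
                return False, i
            prev_hash = entry["entry_hash"]
        return True, None


# Constructed sample outputs standing in for what a collection tool would
# capture on the air-gapped host; these are not data from the paper.
SAMPLE_COLLECTION = [
    ("2021-02-01T10:00:00Z", "ps -ef",
     b"UID PID PPID CMD\nroot 1 0 /sbin/init\nroot 842 1 /usr/sbin/sshd\n"),
    ("2021-02-01T10:00:05Z", "netstat -an", b"tcp 0.0.0.0:22 LISTEN\n"),
    ("2021-02-01T10:00:09Z", "cat /proc/meminfo", b"MemTotal: 8192 kB\n"),
]


def build_sample_log() -> ActionLog:
    log = ActionLog(case_id="CASE-0001", examiner="examiner-1")  # hypothetical values
    for ts, action, output in SAMPLE_COLLECTION:
        log.record(action, output, ts)
    return log


def tampered_log() -> ActionLog:
    # Simulate someone editing the second record's output digest after the fact
    log = build_sample_log()
    log.entries[1]["output_sha256"] = sha256_hex(b"tcp 0.0.0.0:4444 LISTEN\n")
    return log


if __name__ == "__main__":
    print("intact log verifies:", build_sample_log().verify())
    print("tampered log verifies:", tampered_log().verify())
```

The chain only proves integrity relative to its final hash, so that value has to leave the examined host at the end of the session (for instance written to the collection medium or reported to a central management system) and be recorded in the case notes; an attacker who can rewrite the whole log and recompute every hash is not detected by the chain alone.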