Cloud, Digital, SaaS, Enterprise 2.0, Enterprise Software, CIO, Social Media, Mobility, Trends, Markets, Thoughts, Technologies, Outsourcing

Saturday, March 12, 2005

Process Forensics: Snapshots Of Digital Footprints

Internet growth in the U.S. is around 2 million new users each month, according to the U.S. Department of Commerce, and security-related incidents have increased every year since 1998 and doubled from 2001 to 2003, according to the CERT Coordination Center. Checkpointing software is a computer tool designed to allow administrators to back up and recover data and more smoothly introduce new systems into a network. The tool stores the state of a running program, or process, so that it can be restarted from that point. Process forensics involves extracting information from a process's address space for the purpose of finding digital evidence pertaining to a computer crime.
Researchers from the University of Florida have combined the concept of checkpointing with that of intrusion detection - determining when an unauthorized user is accessing a computer - to come up with a new tool that could help in computer crime investigations. As in the real world, computer forensics involves determining who did what after an attack has taken place. Although intrusion prevention is the ultimate goal, as long as intruders continue to be successful, there's a need for good ways to collect data concerning intrusions.

Forensic investigators looking for evidence of a computer crime typically analyze several types of files looking for data that will allow them to piece together computer activity. These include log files, which keep track of computer events; swap files, which are used by the computer as a temporary holding space for data and could still house evidence of the illicit computer activity; and unallocated space and slack space, which may contain data from files that were deleted but have not yet been completely overwritten. In contrast to this data saved in files, checkpointing saves data that resides in memory and is usually discarded when it is no longer needed by the process or when the computer is turned off.
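To make the contrast with file-based evidence concrete, here is a small sketch of capturing a process's in-memory state. It is an added example, not the University of Florida tool or code from this post. It assumes a Linux-style `/proc/<pid>/maps` and `/proc/<pid>/mem` interface, and every function name and the sample data are made up for illustration.

```python
import hashlib
import io
import re
from datetime import datetime, timezone

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """Return (start, end, perms, label) for every mapped region."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4] or "[anon]"))
    return regions

def snapshot(maps_text, mem, keep=lambda perms, label: "w" in perms):
    """Copy the readable regions chosen by `keep` out of `mem`, hashing each.

    `mem` is a seekable binary file addressed like /proc/<pid>/mem. The default
    keeps writable regions (heap, stack, data): state that is not on disk.
    """
    taken = datetime.now(timezone.utc).isoformat()
    records = []
    for start, end, perms, label in parse_maps(maps_text):
        if "r" not in perms or not keep(perms, label):
            continue
        try:
            mem.seek(start)
            data = mem.read(end - start)
        except (OSError, ValueError, OverflowError):
            continue  # some kernel regions cannot be read through /proc
        records.append({"start": start, "end": end, "perms": perms,
                        "label": label, "taken": taken, "data": data,
                        "sha256": hashlib.sha256(data).hexdigest()})
    return records

def snapshot_pid(pid):
    """Snapshot a live Linux process; needs ptrace-level access to it."""
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb") as mem:
        return snapshot(maps.read(), mem)

# Constructed sample: a fake 0x3000-byte address space, not a real process.
SAMPLE_MAPS = ("00000000-00001000 r-xp 00000000 08:01 1234   /usr/bin/demo\n"
               "00001000-00002000 rw-p 00000000 00:00 0      [heap]\n"
               "00002000-00003000 ---p 00000000 00:00 0\n")
SAMPLE_MEM = io.BytesIO(b"\x90" * 0x1000 + b"session=42".ljust(0x1000, b"\0")
                        + b"\0" * 0x1000)
```

Recording a hash and timestamp with each region at capture time lets an examiner later show that the saved copy was not altered.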

Sadagopan's Weblog on Emerging Technologies, Trends,Thoughts, Ideas & Cyberworld
"All views expressed are my personal views and are not related in any way to my employer"