File(s) under permanent embargo
Measure of integrity leakage in live forensic context
Conference contribution posted on 2008-01-01, 00:00, authored by Lei Pan, A Savoldi, P Gubian, Lynn Batten
When a live digital forensic investigation is performed, a measure of integrity leakage related to the collection phase should be mandatory, stating clearly the grade of blurredness of the acquired data object, such as RAM. Current software approaches, which are often used for data acquisition, have not been able to quantify the dependency of the integrity leakage on factors observed from the host machine, which include the CPU usage, the size of the RAM and pagefile, and the execution priority of the acquisition tool. This paper analyzes the factors which predominantly affect the integrity of the memory being collected from a live computer system. By applying fuzzy measures, we establish an integrity leakage function. © 2008 IEEE.