Tampered digital evidence may jeopardize its correct interpretation. To assess the risks in a court of law, it is helpful to quantify the necessary effort to perform a convincing manipulation of digital evidence. Based on a sequence of controlled experiments with graduate students and digital forensics professionals, we study the effort to manipulate copies of main memory taken during a digital investigation. Confirming previous results on hard disc image tampering, manipulating main memory dumps can be considered hard in the sense that most forgeries were successfully detected. However, while the effort to detect a manipulation is generally bounded by the tampering effort, some forgeries fooled the analysts and caused analysis effort that was higher than the manipulation effort. The detection effort by graduate students, however, was generally higher than that of professionals. We study different manipulation and detection approaches and their success. Overall, tampering with main memory dumps appears to be harder than tampering with hard disc images but the probability to fool an analyst is higher too.
History
Name of Conference
Digital Forensics Research Conference (DFRWS)
CISPA Affiliation
No
Journal
Forensic Science International: Digital Investigation
Volume
32
Page Range
300924-300924
Publisher
Elsevier
Open Access Type
Unknown
BibTeX
@inproceedings{Schneider:Wolf:Freiling:2020,
title = "Tampering with digital evidence is hard: The case of main memory images",
author = "Schneider, Janine" AND "Wolf, Julian" AND "Freiling, Felix",
year = 2020,
month = 4,
journal = "Forensic Science International: Digital Investigation",
number = "DFRWS 2020 EU – Proceedings of the Seventh Annual DFRWS Europe",
pages = "300924--300924",
publisher = "Elsevier",
issn = "2666-2825"
}