Technical Report: Selective Imaging of File System Data on Live Systems
Fabian Faust, Aurélien Thierry, Tilo Müller, Felix Freiling

TL;DR
This paper introduces SIT, a live selective imaging tool for Windows that enables targeted data acquisition from active systems, addressing challenges of traditional full disk copying.
Contribution
It presents the design, implementation, and evaluation of SIT, a novel live selective imaging tool based on the DFIR ORC framework and AFF4 container format.
Findings
SIT effectively captures selected data objects from live Windows systems.
The tool demonstrates efficiency and accuracy in selective imaging tasks.
SIT offers a practical solution for forensic data acquisition on active systems.
Abstract
In contrast to the common habit of taking full bitwise copies of storage devices before analysis, selective imaging promises to alleviate the problems created by the increasing capacity of storage devices. Imaging is selective if only selected data objects from an image that were explicitly chosen are included in the copied data. While selective imaging has been defined for post-mortem data acquisition, performing this process live, i.e., by using the system that contains the evidence also to execute the imaging software, is less well defined and understood. We present the design and implementation of a new live Selective Imaging Tool for Windows, called SIT, which is based on the DFIR ORC framework and uses AFF4 as a container format. We discuss the rationale behind the design of SIT and evaluate its effectiveness.
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Forensic Fingerprint Detection Methods
