Skip to content
/ forenscope Public

Forenscope preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process.

License

View license
6 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

uiuc-srg/forenscope

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.svn
.svn
 
 
.tmp_versions
.tmp_versions
 
 
Documentation
Documentation
 
 
arch
arch
 
 
block
block
 
 
bootkit
bootkit
 
 
crypto
crypto
 
 
drivers
drivers
 
 
fs
fs
 
 
include
include
 
 
init
init
 
 
ipc
ipc
 
 
kernel
kernel
 
 
lib
lib
 
 
mm
mm
 
 
net
net
 
 
ramdisk
ramdisk
 
 
scripts
scripts
 
 
security
security
 
 
sound
sound
 
 
usr
usr
 
 
..tmp_kallsyms1.o.cmd
..tmp_kallsyms1.o.cmd
 
 
..tmp_kallsyms2.o.cmd
..tmp_kallsyms2.o.cmd
 
 
..tmp_vmlinux1.cmd
..tmp_vmlinux1.cmd
 
 
..tmp_vmlinux2.cmd
..tmp_vmlinux2.cmd
 
 
.config
.config
 
 
.config.old
.config.old
 
 
.gitignore
.gitignore
 
 
.mailmap
.mailmap
 
 
.missing-syscalls.d
.missing-syscalls.d
 
 
.tmp_System.map
.tmp_System.map
 
 
.tmp_kallsyms1.S
.tmp_kallsyms1.S
 
 
.tmp_kallsyms1.o
.tmp_kallsyms1.o
 
 
.tmp_kallsyms2.S
.tmp_kallsyms2.S
 
 
.tmp_kallsyms2.o
.tmp_kallsyms2.o
 
 
.tmp_vmlinux1
.tmp_vmlinux1
 
 
.tmp_vmlinux2
.tmp_vmlinux2
 
 
.version
.version
 
 
.vmlinux.cmd
.vmlinux.cmd
 
 
COPYING
COPYING
 
 
CREDITS
CREDITS
 
 
Kbuild
Kbuild
 
 
MAINTAINERS
MAINTAINERS
 
 
Makefile
Makefile
 
 
Module.symvers
Module.symvers
 
 
README
README
 
 
README.md
README.md
 
 
REPORTING-BUGS
REPORTING-BUGS
 
 
System.map
System.map
 
 
vmlinux
vmlinux
 
 

Repository files navigation

forenscope

Current post-mortem cyber-forensic techniques may cause significant disruption to the evidence gathering process by breaking active network connections and unmounting encrypted disks. Although newer live forensic analysis tools can preserve active state, they may taint evidence by leaving footprints in memory. To help address these concerns we present Forenscope, a framework that allows an investigator to examine the state of an active system without the effects of taint or forensic blurriness caused by analyzing a running system. We show how Forenscope can fit into accepted workflows to improve the evidence gathering process.

Forenscope preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process. Forenscope has been tested on live systems to show that it does not operationally disrupt critical processes and that it can perform an analysis in less than 15 seconds while using only 125 KB of memory. Forenscope can detect stealth rootkits, neutralize threats and expedite the investigation process by finding evidence in memory.

About

Forenscope preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process.

Resources

Readme

License

View license
Activity
Custom properties

Stars

6 stars

Watchers

9 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published