Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic Computing
Jenny Ottmann, Frank Breitinger, Felix Freiling
TL;DR
This paper tackles the problem of capturing memory snapshots for forensic analysis when the target system cannot be frozen, arguing that a snapshot should respect causality (cause/effect relations between writes) while coming as close as possible to an instantaneous view of memory. It introduces two new atomicity notions, instantaneous and quasi-instantaneous consistency, and shows that copy-on-write mechanisms can produce quasi-instantaneous snapshots that remain causally consistent under stated assumptions. Alongside, it refines the integrity criterion into a restrictive and a permissive form to better capture changes induced by the measurement itself, and presents a model-agnostic framework together with methods to measure and evaluate these notions using vector clocks or real-time clocks. The result is a practical path toward more trustworthy forensic storage snapshots, with implications for tool selection, the evidential value of acquired images, and future work on formalizing and validating snapshot quality in real-world investigations.
Abstract
The acquisition of data from main memory or from hard disk storage is usually one of the first steps in a forensic investigation. We revisit the discussion on quality criteria for "forensically sound" acquisition of such storage and propose a new way to capture the intent to acquire an instantaneous snapshot from a single target system. The idea of our definition is to allow a certain flexibility as to when individual portions of memory are acquired, while at the same time requiring consistency with causality (i.e., cause/effect relations). Our concept is much stronger than the original notion of atomicity defined by Vömel and Freiling (2012) but still attainable using copy-on-write mechanisms. As a minor result, we also fix a conceptual problem within the original definition of integrity.
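The following simulation is an added example and is not code from the paper; it is meant to make the abstract's two claims concrete: copying live memory page by page while the system keeps running can capture an effect without its cause, whereas a copy-on-write (COW) mechanism yields a snapshot that is both causally consistent and equal to the memory state at one instant. Everything in it is constructed: the page count, the writer trace, the interleaving schedule and the helper names (`acquire`, `is_causally_consistent`, `compare`) are hypothetical, and the cause/effect relation is assumed to be the program order of a single writer, so the consistency check is the classic consistent-cut test rather than the paper's own formal definitions.

```python
"""Constructed simulation of memory acquisition under a concurrently
running writer (added example, not code from the paper). It contrasts
page-by-page copying of live memory with copy-on-write (COW) protection,
and checks causal consistency as a consistent-cut test: a snapshot is
causally consistent if, whenever it reflects a write w, it also reflects
every write that precedes w in the writer's program order, which is the
cause/effect relation assumed by this example."""

from dataclasses import dataclass

NPAGES = 6
ZERO = "zero"   # initial content of every page


@dataclass(frozen=True)
class Write:
    seq: int     # program order; a smaller seq happened-before a larger one
    page: int
    value: str   # values are unique, so a page's content identifies the write


# Constructed writer trace. Write 3 publishes a pointer to the object that
# write 2 just updated, so a snapshot showing write 3 but not write 2
# shows an effect without its cause.
TRACE = [
    Write(0, 0, "hdr-v1"),
    Write(1, 1, "obj-A"),
    Write(2, 1, "obj-A2"),    # update object A   (cause)
    Write(3, 4, "ptr->A2"),   # publish pointer   (effect of write 2)
    Write(4, 2, "obj-B"),
    Write(5, 5, "ptr->B"),
]

# Constructed interleaving of writer steps and acquirer reads; the acquirer
# copies pages in ascending order while the writer keeps running.
SCHEDULE = [
    ("write", 0), ("write", 1), ("read", 0), ("read", 1),
    ("write", 2), ("write", 3), ("read", 2), ("read", 3),
    ("write", 4), ("write", 5), ("read", 4), ("read", 5),
]


def writes_reflected(snapshot, trace):
    """Seqs of all writes whose effect is visible in the snapshot. If a page
    shows the value of write w, every earlier write to that page was
    overwritten in order and therefore also 'happened' from the snapshot's
    point of view."""
    reflected = set()
    for w in trace:
        if snapshot[w.page] == w.value:
            reflected |= {x.seq for x in trace if x.page == w.page and x.seq <= w.seq}
    return reflected


def is_causally_consistent(snapshot, trace):
    """Consistent-cut test: every cause (smaller seq) of a reflected write
    must itself be reflected."""
    reflected = writes_reflected(snapshot, trace)
    return all(cause in reflected for w in reflected for cause in range(w))


def acquire(schedule, trace, cow):
    """Replay the schedule. With cow=False each read copies live memory.
    With cow=True the acquirer arms protection before its first read; the
    first write to a page after arming saves the page's old content to a
    shadow copy, and reads prefer the shadow. Returns the snapshot and the
    memory state at arming time (for checking instantaneousness)."""
    by_seq = {w.seq: w for w in trace}
    mem = [ZERO] * NPAGES
    snapshot = [None] * NPAGES
    shadow = {}
    arm_state = None
    for kind, arg in schedule:
        if kind == "read":
            if cow and arm_state is None:
                arm_state = list(mem)          # the instant the snapshot should depict
            snapshot[arg] = shadow.get(arg, mem[arg])
        else:
            w = by_seq[arg]
            if cow and arm_state is not None and w.page not in shadow:
                shadow[w.page] = mem[w.page]   # preserve pre-snapshot content
            mem[w.page] = w.value
    return snapshot, arm_state


def compare():
    """Run both acquisition modes on the same schedule and summarize."""
    live, _ = acquire(SCHEDULE, TRACE, cow=False)
    cow_snap, arm_state = acquire(SCHEDULE, TRACE, cow=True)
    return {
        "live_snapshot": live,
        "live_consistent": is_causally_consistent(live, TRACE),
        "cow_snapshot": cow_snap,
        "cow_consistent": is_causally_consistent(cow_snap, TRACE),
        "cow_instantaneous": cow_snap == arm_state,
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key}: {val}")
```

In the live run the acquirer reads page 1 before write 2 and page 4 after write 3, so the image contains the published pointer but not the object state it points to; the consistent-cut test flags this. In the COW run every page is either unchanged since arming or served from its shadow copy, so the image equals the memory state at the arming instant. Real COW acquisition is not this clean (arming itself takes time, and unprotected regions or DMA writes fall outside it), which is the kind of assumption the paper's quasi-instantaneous notion is meant to make explicit.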
