Process Forensics: A Pilot Study on the Use of Checkpointing Technology in Computer Forensics

The goal of this paper is to introduce a new area of computer forensics: process forensics. Process forensics involves extracting information from a process’s address space for the purpose of finding digital evidence pertaining to a computer crime. The challenge of this sub-field is that the address space of a given process is usually lost long before the forensic investigator is analyzing the hard disk and file system of a computer. Therefore, the authors make the case that an accurate and reliable checkpointing tool could create a new source of evidence for the forensic investigator. The technology of checkpointing is nothing new when considering process migration, fault tolerance, or load balancing. However, with respect to computer forensics, the gains from checkpointing have yet to be explored.