This report presents the results of an evaluation of a forensic tool designed to capture data that might be lost from a running computer when the power cord to the computer is pulled at the time it is physically seized by authorities.
This report was prepared by the National Institute of Justice Electronic Crime Technology Center of Excellence and presents the results of an evaluation of a new forensic tool for use in the seizure of computers. This tool, the USB Live Acquisition and Triage Tool (US-LATT), is designed to capture data on a running computer that could be lost if the power source to the computer is pulled at the time the computer is seized by authorities. The report describes what US-LATT is, the functions it performs, and how it can be used. US-LATT is a forensic tool with two components, a hardware component and a system-analysis component, used for conducting live investigation and triage of computer data and computers that may be compromised as a result of power disruptions when the computers are seized by authorities. The report includes information on system requirements for using US-LATT, target system requirements and suggestions, and US-LATT configuration applications. It also identifies the computer platforms used for test-bed configurations in this evaluation. The final section of the report contains the results of the evaluation of the tool on three different computers: a shop-built computer, a Dell laptop, and a Samsung laptop. The evaluation of US-LATT indicates that it is a powerful tool for use by investigators who wish to gain access to computer files and data that would not have been available if the computer had been simply shut down at the time of seizure. Tables, figures