In this paper we present preliminary results for a real time computer forensics agent that logs computer activity on a Windows computer system for subsequent forensic investigation. The agent, which is developed using the .NET 2010 framework includes six modules. Each module is dedicated to keep track and record a specific category of user activities. For instance, the Windows Event Watcher logs the Windows OS events and the Removable Devices Detector logs any external devices that are plugged in or removed from a system. Currently, the aforementioned two modules are implemented and tested with carefully designed scenarios using Windows XP and Windows 7 operating systems.
展开▼
