MODULE 6: LIVE ACQUISITIONS, VOLATILE DATA, AND TOOLS FOR THE FIELD
When using the tool it is important
-be logged as root, superuser -working knowledge of CMD -Linux command line
two broad categories of volatile data and identifies some of the artifacts that may be recoverable from a live memory capture:
-volatile information -volatile network information
Live Forensics
Bridge between static and dynamic data
Incident response
Concerned with the examination of a live running computer systems -dynamic data
Legal Considerations
Electronically document and preserve the state of the computer network and electronic storage media, and conduct preview screening of the computer data storage media for contraband utilizing data recovery software (2006, p10).
FTK imager
FTK Imager is a free and portable tool, but you will need FTK to view the results. After capturing volatile data from a computer, the files were loaded into FTK and the results become viewable under the tab labeled "Volatile." In the left column you can view the categories of data collected such as Process List, DLL List, and Devices. You will see that the dump for Process List has been selected. In the upper right column the list of processes is displayed. FTK Imager is selected and in the bottom right column you can see the DLLs displayed that are specifically associated with that program.
Computer Forensics
Focuses on reconstructing past events -static data
Tools for live memory capture
Helix by e-fense is a tool that has been around for quite some time. The "live" side of the software is Windows only. The "bootable side" of the software is Linux-based and is reportedly universal.
Document the time that the process is completed
TRUE
Document the exact time of each step in the capture process to establish an audit trail of each forensic tool or command used.
True
Incident response and computer forensics two different fields?
True
Volatile data
Volatile data is stored in system memory and is lost once power is removed from the system or it is rebooted.
DumpIt by MoonSols
a command-line utility available in a free version and costs $7,500 and higher: http://www.moonsols.com/#pricing
Failing to capture live memory
certain guarantee that artifacts of potential evidentiary value will not be collected at all
The volatile network information category of volatile data is defined as a collection of information about which of the following?
current configuration and running state of the suspect computer
Live Memory Capture is
freeze-frame photograph, so to speak, of activity in progress that cannot ever again be duplicated exactly.
Persistent Data
persistent data is stored on drives and other media and is not lost if the system is powered-off or rebooted
Capturing live memory introduces the risk of losing some ovidence
true
The smaller the amount of installed memory, the greater the amount of change to the memory over time if the computer is left running.
true
What is for the digital forensic first responders?
whether the volatile data needs to be collected before the subject's system is shut down and seized things to consider: capturing volatile data evidence stored in RAM documentation volatile categories legal considerations
Collect all types of volatile system and network information
• Memory dump • Paging files • Hibernation files
Volatile Network Information: A collection of information about the network state of the suspect computer.
• Open connections • Open ports and sockets • Routing information and configuration • Network interface status and configuration • ARP cache
Document preliminary information
• Recording the date and time • Completing a log of the command history • Photographing the scene as found • Recording the operating system running on machine
Evidence stored in RAM
• Running processes • Executed console commands • Passwords in clear text • Unencrypted data • Instant messages (IMs) • Internet Protocol (IP) addresses • Trojan Horses • Users logged into the system • Open ports and listening applications • Currently running processes • Registry information • System information • Attached devices
Volatile System Information: A collection of information about the current configuration and running state of the suspect computer
• System profile • Current system date and time • Command history • Current system uptime • Running processes and user identification, malicious processes • Open files, startup files, clipboard data, user passwords in plain text • Logged on users both local and remote, authorized users, user account data • DLLs or shared libraries
