MODULE 6: LIVE ACQUISITIONS, VOLATILE DATA, AND TOOLS FOR THE FIELD


When using the tool, it is important to:

- be logged in as root (superuser)
- have a working knowledge of CMD
- have a working knowledge of the Linux command line

The two broad categories of volatile data; the module identifies some of the artifacts that may be recoverable from a live memory capture under each:

- volatile system information
- volatile network information

Live Forensics

Bridge between static and dynamic data

Incident response

Concerned with the examination of live, running computer systems (dynamic data)

Legal Considerations

Electronically document and preserve the state of the computer network and electronic storage media, and conduct preview screening of the computer data storage media for contraband utilizing data recovery software (2006, p10).

FTK imager

FTK Imager is a free and portable tool, but you need FTK itself to view the results. After volatile data has been captured from a computer, the files are loaded into FTK and the results become viewable under the tab labeled "Volatile." The left column lists the categories of data collected, such as Process List, DLL List, and Devices. With the Process List dump selected, the upper-right pane lists the running processes; selecting a process (here, FTK Imager itself) makes the bottom-right pane show the DLLs loaded by that specific program.

Computer Forensics

Focuses on reconstructing past events (static data)

Tools for live memory capture

Helix by e-fense is a tool that has been around for quite some time. The "live" side of the software is Windows only. The "bootable side" of the software is Linux-based and is reportedly universal.

Document the time that the process is completed

True

Document the exact time of each step in the capture process to establish an audit trail of each forensic tool or command used.

True

Are incident response and computer forensics two different fields?

True

Volatile data

Volatile data is stored in system memory and is lost once power is removed from the system or it is rebooted.

DumpIt by MoonSols

A command-line utility available in a free version; commercial licensing costs $7,500 and higher: http://www.moonsols.com/#pricing

Failing to capture live memory

All but guarantees that artifacts of potential evidentiary value will not be collected at all.

The volatile network information category of volatile data is defined as a collection of information about which of the following?

The network state of the suspect computer (the current configuration and running state belong to the volatile system information category).

Live Memory Capture is

A freeze-frame photograph, so to speak, of activity in progress that can never again be duplicated exactly.

Persistent Data

Persistent data is stored on drives and other media and is not lost if the system is powered off or rebooted.

Capturing live memory introduces the risk of losing some evidence

True

The smaller the amount of installed memory, the greater the amount of change to the memory over time if the computer is left running.

True

What is the key decision for digital forensic first responders?

Whether the volatile data needs to be collected before the subject's system is shut down and seized. Things to consider:

- capturing volatile data
- evidence stored in RAM
- documentation
- volatile data categories
- legal considerations

Collect all types of volatile system and network information

• Memory dump
• Paging files
• Hibernation files

Volatile Network Information: A collection of information about the network state of the suspect computer.

• Open connections
• Open ports and sockets
• Routing information and configuration
• Network interface status and configuration
• ARP cache

Document preliminary information

• Recording the date and time
• Completing a log of the command history
• Photographing the scene as found
• Recording the operating system running on the machine

Evidence stored in RAM

• Running processes
• Executed console commands
• Passwords in clear text
• Unencrypted data
• Instant messages (IMs)
• Internet Protocol (IP) addresses
• Trojan horses
• Users logged into the system
• Open ports and listening applications
• Registry information
• System information
• Attached devices

Volatile System Information: A collection of information about the current configuration and running state of the suspect computer

• System profile
• Current system date and time
• Command history
• Current system uptime
• Running processes and user identification, malicious processes
• Open files, startup files, clipboard data, user passwords in plain text
• Logged-on users, both local and remote; authorized users; user account data
• DLLs or shared libraries
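As an added example (not from the module or from any tool it names), the following POSIX shell collector gathers the preliminary, volatile system, and volatile network information listed above from a live Linux host and, at the same time, produces the audit trail the module requires: every step is timestamped in UTC, the exact command line is recorded, and every output file is hashed. The directory layout, the labels, and the particular commands used (ss, ip, ps, who) are my choices; a tool that is not installed on the host is logged as skipped rather than aborting the capture.

```shell
#!/bin/sh
# Added example (not from the module or any tool it names): a minimal
# live-response collector for Linux. Every step is timestamped in UTC and
# every output file is hashed, producing the audit trail the module requires.
# Assumptions: POSIX sh and coreutils (date, uname, sha256sum); the labels,
# directory layout and the specific commands (ss, ip, ps, who) are my choices.
# A tool that is absent on the host is logged as skipped, never fatal, because
# a responder must not abort mid-capture.

# Append one timestamped line to the audit log ($LOG is set by collect_volatile).
log_step() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$LOG"
}

# SHA-256 of a file, with a fallback for hosts lacking sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-sha256-tool-available"
    fi
}

# capture LABEL CMD [ARGS...]: run CMD, store its output as $OUT/LABEL.txt,
# and log the start time, exact command line, end time and the file hash.
capture() {
    label="$1"; shift
    outfile="$OUT/$label.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        log_step "SKIP $label: '$1' not installed on this host"
        return 0
    fi
    log_step "START $label: $*"
    "$@" > "$outfile" 2>&1 || log_step "WARN $label: '$1' exited non-zero"
    log_step "END $label sha256=$(hash_file "$outfile")"
}

# collect_volatile DIR: write all artifacts and the audit log under DIR.
# In the field DIR should be on removable media, not on the suspect's disk.
collect_volatile() {
    OUT="$1"
    LOG="$OUT/capture.log"
    mkdir -p "$OUT"
    log_step "Collection started by $(id -un) on $(uname -n)"
    # Preliminary information: date/time, operating system, uptime
    capture system_date     date -u
    capture os_version      uname -a
    capture uptime          uptime
    # Volatile system information: logged-on users, running processes
    capture logged_on_users who
    capture processes       ps -eo pid,ppid,user,lstart,cmd
    # Volatile network information: connections/sockets, routing,
    # interface configuration, ARP (neighbour) cache
    capture connections     ss -tunap
    capture routing         ip route show
    capture interfaces      ip addr show
    capture arp_cache       ip neigh show
    log_step "Collection completed"
}

# Number of completed (hashed) capture steps recorded in an audit log.
count_steps() {
    grep -c ' END ' "$1" || true
}

# Usage: sh live_collect.sh --run /media/usb/case001
if [ "${1:-}" = "--run" ]; then
    collect_volatile "${2:-./live_capture}"
fi
```

Run it as root so that ss and ps can report the owning process of each socket. Every command executed here changes the memory of the suspect system (the module's point that capturing live data itself risks losing evidence), so the memory image with a tool such as DumpIt or FTK Imager is normally taken before this script is run, and the capture.log records the time of each step so the resulting changes can be accounted for later.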

