Week 4 - Evidence Acquisition 3 - RAM
A methodology which advocates extracting live system data before pulling the plug, in order to preserve the memory, process and network information that would be lost under the traditional (power-off) forensic approach.
- Memory
- Process Information
- Network information
- Does have a minor impact on the machine being examined
- Must save the collected data to an external device
No action taken should change data which may be relied upon in court.
If someone needs to access the original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- Minimal Downtime
- Provides context for static analysis
- Some data is only stored in RAM
- Long data lifetime (data can remain in RAM even after days)
- Evolution of enterprise networks (users can log on remotely)
- Evolution of data storage
- Running processes
- System Information (e.g. time since last reboot)
- Open network connections
- Recent web browsing activity, including private mode
- Unpacked/decrypted versions of protected programs
- Webmail and social networking logon sessions
- Running malware/Trojans
- Legal process
- Integrity (RAM forensics leaves a footprint on the system)
- Destroying evidence (accidentally or through anti-forensics)
- Weigh the risk to the investigation
- Importance/urgency (information on a bomb threat vs evidence of fraud)
- Criminal Investigations (LOW RISK)
- Ask the suspect for the password/PIN.
- Police can forcibly take fingerprints. (Regulation of Investigatory Powers Act 2000)
- Password Attacks (HIGH RISK)
- Network Attacks (HIGH RISK)
- Registers, cache
- Main physical memory
- Virtual memory
- Network status
- Running processes
- Hard drive
- External Storage Media
Collect all and examine later
Use various tools to probe different aspects of the running system
Tools and collected data must be on an external device so as not to contaminate the examined machine
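As an added example (not part of these notes), a small POSIX shell collector that follows the approach above: it runs a set of probes most-volatile first, writes each output to a directory on the external device (the destination path and the probe list are assumptions), logs when each probe ran, and records SHA-256 hashes so the examiner can later show the evidence is unchanged.

```shell
#!/bin/sh
# Added example: live-response collector ordered by volatility.
# Destination directory is assumed to be a mount of the external device.
set -u

# Probes, most volatile first; each entry is "label=command".
# Network state and processes are captured before anything disk-related.
PROBES='
01_date_uptime=date -u; uptime
02_network_connections=ss -tunap 2>/dev/null || netstat -tunap
03_processes=ps -eo pid,ppid,user,lstart,cmd
04_logged_in_users=who
05_mounts=mount
'

# collect_live DEST : run every probe, save outputs and hashes under DEST.
collect_live() {
    dest="$1"
    mkdir -p "$dest" || return 1
    : > "$dest/collection.log"
    printf '%s\n' "$PROBES" | while IFS='=' read -r label cmd; do
        [ -n "$label" ] || continue
        out="$dest/$label.txt"
        # Chain of custody: timestamp, label and exact command for each probe.
        printf '%s  %s  %s\n' "$(date -u +%FT%TZ)" "$label" "$cmd" >> "$dest/collection.log"
        # A missing tool must not abort the run; its error goes to the log.
        sh -c "$cmd" < /dev/null > "$out" 2>> "$dest/collection.log" || true
    done
    # Hash every artifact once, after all writes are finished.
    ( cd "$dest" && sha256sum ./*.txt collection.log ) > "$dest/SHA256SUMS"
}

# verify_collection DEST : returns 0 only if every recorded hash still matches.
verify_collection() {
    ( cd "$1" && sha256sum -c SHA256SUMS ) > /dev/null 2>&1
}
```

Run it as `collect_live /mnt/evidence/case-placeholder` and keep `SHA256SUMS` with the case notes; `verify_collection` on the same directory re-checks every file.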