Hello, a colleague and I had a debate about forensic memory acquisition on a live machine.
Anyway, the debate was about what to acquire first (as a general rule): active network connections, or the memory acquisition (image). He stated that he would first acquire active network connections and only then do the memory acquisition, because of the possibility of losing active network connections during the memory acquisition process.
But my practice is different, as I always do RAM acquisition first and start tinkering with the system only after I have the image.
What are your thoughts on this subject?
Since network connections are in memory, get memory. Even if something drops while it's imaging, Volatility will still see it the majority of the time.
I don't see it hurting anything to do a netstat or similar first, but memory trumps all for volatile stuff. I would be surprised if netstat ever gave more than looking at a memory dump.
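The "image first, touch the box afterwards" order described in this thread, written up as a small POSIX shell wrapper. This is an added example, not code from either poster. The imaging and network-listing commands are passed in as parameters because they depend on the host (LiME or avml on Linux, winpmem on Windows, `ss`/`netstat` for the live socket list are assumptions, not shown here); the wrapper only enforces the order, hashes each artifact as soon as it exists, and keeps a timestamped log so a reviewer can later confirm that nothing touched the system before the RAM image was complete.

```shell
#!/bin/sh
# Added example (not from the original thread): an order-of-volatility
# collection wrapper. It images RAM first, hashes the image, and only then
# runs live commands such as netstat/ss against the box. The imaging and
# network-listing commands are assumptions about the host and are passed in.

set -u

# Append one UTC-timestamped line to the collection log.
log_line() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1"
}

# Hash a file with whatever SHA-256 tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_volatile OUTDIR IMAGER_CMD NET_CMD
#   IMAGER_CMD  shell snippet that must write the memory image to "$IMG"
#               (hypothetical placeholder for your real imaging tool)
#   NET_CMD     shell snippet whose stdout is the live network state
#               (e.g. your ss or netstat invocation)
collect_volatile() {
    outdir="$1"; imager="$2"; netcmd="$3"
    mkdir -p "$outdir"
    log="$outdir/collection.log"
    : > "$log"

    # Step 1: memory first. Sockets, connections and process lists live here,
    # so the image captures the network state the live tools would report.
    IMG="$outdir/memory.raw"
    export IMG
    log_line "$log" "START memory $IMG"
    sh -c "$imager" || { log_line "$log" "FAIL memory"; return 1; }
    log_line "$log" "END memory sha256=$(hash_file "$IMG")"

    # Step 2: only now run live commands; they are cheap but they execute
    # on the system and perturb it, so they come after the image is safe.
    net="$outdir/netstat.txt"
    log_line "$log" "START network $net"
    sh -c "$netcmd" > "$net" 2>&1 || true
    log_line "$log" "END network sha256=$(hash_file "$net")"
    return 0
}

# check_order LOG -> 0 if the memory image finished before network collection
# started, non-zero otherwise. A reviewer can run this on the log afterwards.
check_order() {
    mem_end=$(grep -n 'END memory' "$1" | head -n1 | cut -d: -f1)
    net_start=$(grep -n 'START network' "$1" | head -n1 | cut -d: -f1)
    [ -n "$mem_end" ] && [ -n "$net_start" ] && [ "$mem_end" -lt "$net_start" ]
}

# Usage (with a constructed stand-in for the imager so it runs anywhere):
#   collect_volatile /mnt/evidence 'head -c 4096 /dev/urandom > "$IMG"' 'ss -antup'
#   check_order /mnt/evidence/collection.log && echo "order verified"
```

The hash is taken the moment each artifact is written so that the log, not a later assertion, documents what was collected and in what order; the constructed `head -c ... /dev/urandom` imager in the usage comment is only there so the wrapper can be exercised on a machine without a real acquisition tool.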