Hi,
I am preparing for a security cert I just thought of knowing your insights in the below scenario.
Scenario - In a incident scene if you found a computer is on, what are the steps that need to be taken to record the evidence clearly and how it needs to be taken so that you don't miss out the volatile data.
I have searched on google and i was not able to find out how the data can be extracted from a live system and also wanted to know how it is done on a real time basis.
Thanks in advance.
You mean taking an image of RAM?
http//
jaclaz
@jaclaz - thanks for the quick reply, its not only about RAM. I just wanted to know what all should be taken as evidences from a live system.
If the system is in OFF state, I know we can take the bit by bit image of the HDD and before doing that we will mark all the cables connecting to the system and take a snapshot of whole scene as well.
I was really puzzled about the evidences that can be collected from a live system, i realize that the question which i have asked is really exhaustive but i just wanted to know how it is done in the real world.
Let's think through this logically from the standpoint that you are the investigator. You are there at the search scene and the computer is on. Its unlocked, you can see the desktop…now what? Throw some ideas out there and we'll guide. I'm personally not one for giving the answers (nor do I have them all myself) as I don't think that's the best way for individuals to learn. Its my humble opinion, but I learn by working through problems and having a guide to re-direct me if I get off course.
Hints Think of what is volatile that could be lost if you power the system off.
If the system is in OFF state, I know we can take the bit by bit image of the HDD and before doing that we will mark all the cables connecting to the system and take a snapshot of whole scene as well.
Hmmm, I would think that in that case the computer would be seized and the imaging would have been done later in the lab.
Maybe
https://
jaclaz