I am confused about the order in which volatile data needs to be collected. In most of the places I read, it's written that RAM should be collected first. The question I have is: what about other volatile data that can be lost very soon, like time, network connections and process information? In the amount of time it takes to acquire RAM, this information would change. Especially these days, when we see servers having 16 to 32 GB of RAM.
I guess it would depend on the circumstance. I think the theory that you should collect RAM first is based on the fact that any other tools you run to gather the other volatile data load and run in memory. Getting RAM first gives you a somewhat more pristine image.
So if the circumstance were that someone was actively connected to a machine, you might want to run your network tools first.
Greetings,
Also, some of the other volatile data resides in RAM so you can recover some of it from RAM if you fail to get it via other mechanisms.
-David
Dumping the contents of memory first will allow you to get an as-pristine copy of memory as possible. Network connections may terminate while memory is being collected, but if you're using Volatility, you will be able to collect information about disconnected connections, if you didn't get the information while they were active.
You may, however, have the need to retrieve volatile data first…it all depends on your environment. Keep in mind that tools such as Volatility will allow you to retrieve data structures that were no longer in use by the system within memory, even at a later date. Running your tools will overwrite those sections of memory that were marked available for reuse.
The key, however, is that you document your justification and what you do. If you collect volatile memory first, as part of a documented policy, with the exception of very technical discussions, no one can really argue with that…
Really appreciate everyone's response. It seems I need to explore more on the Volatility framework: "if you're using Volatility, you will be able to collect information about disconnected connections" and "Volatility will allow you to retrieve data structures that were no longer in use by the system within memory". Thanks
Ajay Ramani
Just a note that other physical memory analysis tools will also retrieve this other collected volatile data from a RAM Dump.
Data in physical memory may be crucial to a case, malware analysis, decryption efforts, etc… So you wouldn't want to risk losing that data if you can get it. Yes, with larger RAM there is a longer wait time, but usually it is not too bad and worth it.
My suggestion is read the Windows Forensics Analysis book if you have not.
Regards,
Chris
RFC 3227 gives sound advice (although a little dated) on this, in Section 2.1.
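Two points from this thread lend themselves to a worked example: the order of volatility in RFC 3227 section 2.1, and the advice above that whatever order you pick, you document the justification and what you did. The following Python is an added example, not code from the thread or from any of the tools named in it. It models an acquisition plan as data, sorts it by the RFC 3227 categories while preserving the analyst's chosen order within a category (RAM before netstat-style listings, as argued above), and writes a hash-chained log so a later edit to the record is detectable. The command lines are placeholders, and the `dry_run_collector` returns constructed bytes so the block runs offline; in real use you would substitute your own imaging and triage tooling.

```python
"""Order-of-volatility acquisition plan with a hash-chained collection log.

Added example (not from the thread). The collector callable is a stand-in for
real acquisition tooling; the dry-run collector below returns constructed data.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Volatility ranks following the order in RFC 3227 section 2.1 (lower = more volatile).
RFC3227_RANK: Dict[str, int] = {
    "registers_cache": 0,
    "memory_kernel_state": 1,  # memory, process table, routing table, ARP cache, kernel stats
    "temporary_filesystems": 2,
    "disk": 3,
    "remote_logging": 4,
    "physical_config": 5,
    "archival_media": 6,
}


@dataclass(frozen=True)
class Step:
    name: str            # label used in the acquisition log
    category: str        # key into RFC3227_RANK
    argv: List[str]      # hypothetical command line; substitute your own tooling
    justification: str   # why this step is placed where it is


# A plan as an analyst might first draft it, deliberately not yet in volatility order.
PLAN: List[Step] = [
    Step("disk_image", "disk", ["<disk-imager>", "/dev/sda", "disk.dd"],
         "Least volatile of the live sources; taken last."),
    Step("ram_dump", "memory_kernel_state", ["<memory-acquisition-tool>", "ram.raw"],
         "Taken before any other tool runs so freed pages are not reused by our own processes."),
    Step("network_connections", "memory_kernel_state", ["<netstat-equivalent>"],
         "Live sockets; connections closed meanwhile can still be recovered from ram.raw."),
    Step("process_list", "memory_kernel_state", ["<process-lister>"],
         "Cross-checked against the process list parsed from ram.raw."),
    Step("system_time", "memory_kernel_state", ["<date-command>"],
         "Recorded next to a trusted clock so timestamp skew can be corrected."),
]


def order_steps(plan: List[Step]) -> List[Step]:
    """Sort by RFC 3227 rank. sorted() is stable, so the analyst's order within
    one rank (RAM before the live listings) is preserved rather than second-guessed."""
    return sorted(plan, key=lambda s: RFC3227_RANK[s.category])


def _entry_hash(entry: Dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def run_plan(steps: List[Step], collect: Callable[[List[str]], bytes]) -> List[Dict]:
    """Run each step through `collect`, hash its output, and chain every log
    entry to the previous one so a later edit or reordering is detectable."""
    log: List[Dict] = []
    prev = "0" * 64  # genesis value for the first entry
    for seq, step in enumerate(steps, start=1):
        started = datetime.now(timezone.utc).isoformat()
        output = collect(step.argv)
        finished = datetime.now(timezone.utc).isoformat()
        entry = {
            "seq": seq,
            "step": step.name,
            "category": step.category,
            "argv": step.argv,
            "justification": step.justification,
            "started": started,
            "finished": finished,
            "output_sha256": hashlib.sha256(output).hexdigest(),
            "output_bytes": len(output),
            "prev": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        prev = entry["entry_hash"]
        log.append(entry)
    return log


def verify_log(log: List[Dict]) -> bool:
    """Recompute the chain; any altered field or swapped entry breaks it."""
    prev = "0" * 64
    for seq, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != seq or body["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def dry_run_collector(argv: List[str]) -> bytes:
    """Constructed stand-in: returns fake bytes keyed on the tool name so the
    example runs offline. A real collector would call subprocess.run(argv, ...)
    and stream the output to evidence media."""
    return f"constructed output of {argv[0]}".encode()


if __name__ == "__main__":
    for entry in run_plan(order_steps(PLAN), dry_run_collector):
        print(entry["seq"], entry["step"], entry["output_sha256"][:16], entry["justification"])
```

The log deliberately records the justification next to each step: if someone later asks why the network listing was taken after the memory image, the answer is in the record rather than in the analyst's memory. Because each entry carries the hash of the previous one, a reviewer can verify that the sequence presented is the sequence executed.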
Just wondering if those of you who are collecting memory dumps are seeing many 64 bit systems?
Mostly asking because this puts a bit of a kink into using Volatility.
http//