I know that the Windows boot-up process changes some registry entries and so on, so it becomes very important to capture all the data on a powered-down (dead) system.
How do you capture volatile memory on a hard disk?
Do Linux/MacOS have volatile data on their hard disks too? Or is it only a Windows issue?
Volatile memory is not on the HDD, it is in RAM. When the RAM is swapped to the HDD it is no longer volatile. However, if you have the computer set up for it, you can force a memory dump to the HDD by creating a BSoD.
Performing live memory forensics is a decision you have to make before "pulling the plug." This is where tools like Memoryze, Volatility Framework and similar come into play.
I agree that the content of RAM is the true volatile memory. However, some operating systems (especially Windows) during the startup process make changes to the registry or other OS artifacts.
If a powered-off system has been confiscated then you don't power it on right away. You do have to make a bit-for-bit copy of the hard drive and then work on that image.
My question is, how do you prevent the volatile data on the HD? There are write-blockers that I know of. Is there any other way (excluding write-blockers) that you can create a bit-for-bit copy of the HD without losing the volatile data?
Thank you.
My question is, how do you prevent the volatile data on the HD? There are write-blockers that I know of. Is there any other way (excluding write-blockers) that you can create a bit-for-bit copy of the HD without losing the volatile data?
You could mount the HDD in an OS other than Windows. In *nix the drive can be mounted read-only.
Probably a boot disk like Knoppix would help create this image without losing any data on the confiscated disk. The only mistake a first responder can make is to forget to change the boot settings in the BIOS of the confiscated PC.
The only mistake a first responder can make is to forget to change the boot settings in the BIOS of the confiscated PC.
I guess I am a careful sort. Since the suspect machine is dead, I would pull the drive and attach it to my exam machine either via a write blocker or under a known *nix config.
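The two posts above (mount the drive read-only under *nix, then take a bit-for-bit copy) describe a procedure without showing it. The script below is an added example and is not code from anyone in this thread. It assumes a Linux examiner box with dd, sha256sum (or shasum) and, for real block devices, blockdev from util-linux; the device path /dev/sdb and the case directory in the usage comment are placeholders. It sets the kernel read-only flag on the source device before anything reads it, images with dd, and only reports success when the source hash taken after imaging matches the image hash, which is the check you want before you ever rely on the copy.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: Linux, dd, sha256sum or
# shasum, and util-linux blockdev for real block devices.
set -u

# Set the kernel-level read-only flag on a block device and confirm it took.
# A regular file (e.g. a practice image) is accepted as-is; no flag to set.
protect_source() {
    src="$1"
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 1
        [ "$(blockdev --getro "$src")" = "1" ] || return 1   # prints 1 when RO
    fi
    return 0
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire SRC DEST: write DEST (raw image), DEST.sha256 and DEST.log.
# Returns 0 only if hash(source, read again after imaging) == hash(image).
acquire() {
    src="$1"; dest="$2"
    protect_source "$src" || { echo "could not set $src read-only" >&2; return 1; }
    # bs=512 keeps conv=sync padding sector-aligned so a bad sector becomes
    # one zeroed sector and the image stays the same size as the source;
    # a larger bs with conv=sync would pad the tail and break the hash match.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>"$dest.log" || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dest")
    printf '%s  %s\n' "$img_hash" "$dest" >"$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST: re-hash the image and compare with the recorded hash,
# i.e. the check you run before working on the copy later.
verify_image() {
    dest="$1"
    recorded=$(cut -d' ' -f1 "$dest.sha256")
    [ "$recorded" = "$(hash_file "$dest")" ]
}

# Usage (placeholder paths): sh acquire.sh /dev/sdb /cases/001/sdb.dd
if [ $# -eq 2 ]; then
    acquire "$1" "$2" && echo "image verified: $(cat "$2.sha256")"
fi
```

Setting the read-only flag is a software control, not a hardware write blocker; it stops the examiner's own OS from writing (including a journaling filesystem replaying its journal on mount), but a write blocker is still the defensible choice when one is available. Practice on a file first: the functions accept a regular file, so you can image a constructed test file and see the hash comparison pass, then corrupt the copy and see verify_image fail.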
I am afraid that you have lost me here kleanchap. Modern hard drives have rather large on-board caches (~8 MiB). This memory is indeed volatile. However most modern drives will attempt to flush the cache to disk when power is lost. The period when power is being lost is only a few milliseconds at most. Once power is lost the information in the cache is essentially lost unless it was successfully written to disk. Maybe theoretically you might be able to perform some sort of cold-boot acquisition of the cache, but I rather doubt the practical value of that. If the cache was successfully written to disk then it is by definition no longer volatile. Anyway, whether information may be present in the HD's cache is a function of the drive and has nothing to do with the operating system.
It is true, as you say, that the Windows OS makes some changes to the registry and other files that are never written to disk. The win32 api includes a flag to create a registry key that is volatile. There are also a lot of other volatile artifacts that are never written to disk. But you will have to look in main computer memory (RAM) for that. The HD isn't going to help you with that.
It is true also that an examiner may alter non-volatile evidence on a HD if proper forensic procedures are not followed. But I have never heard of HD evidence being referred to as "volatile" for that reason.