Hi,
I'm new to forensics and I would like to know whether I should always perform live data collection when I'm able to, or whether there are instances where I should avoid it.
In the latter case, can you provide me some examples?
PS I will most likely perform forensics investigations in a corporate environment as an internal investigator
Hello,
In my experience, there are a few cases where you want to obtain information from a live system:
1. In order to collect volatile data stored in RAM. There are extensive amounts of information that can be extracted from RAM. I suggest that you search online for more information about this field. I believe Volatility is a very popular tool to perform memory dump analysis. This is almost always required when investigating malware breaches, since malware can hijack processes in order to disguise itself.
2. Encrypted hard drives. You mentioned that you work in a corporate environment, where access to encryption keys may be common. However, should you not have the encryption keys, then you may need to gather as much data as possible while the computer is unlocked. Should you find the computer encrypted and unlocked, then it's possible to extract encryption keys from memory.
It may be time-consuming to learn memory forensics, so if you prefer to gather the information by hand, you can do so. Remember to document!
I blame all typos on my gnarly autocorrect!
/sent from a tiny device with a tiny screen by a man with huge fingers.
Daniel
From what I understand, live data collection should only be performed when the investigator feels it's necessary, but I don't know if this statement is actually correct.
So if anyone can confirm.
It depends on the situation. To say that it should be performed when the investigator feels it's necessary is heavily dependent upon the knowledge and experience of the investigator.
When encountering a live system, the *first* thing I would recommend is to collect the contents of physical memory. Running a batch file of other tools will not get you the deleted or expired data, and doing so will stomp all over memory, as multiple tools are loaded into memory and executed.
Now, if you do not have the ability to collect the contents of physical memory, then that's a different story.
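Two points from the replies above, Daniel's "remember to document!" and keydet89's "collect physical memory first, because every other tool you run stomps on it", can be turned into a small collection wrapper. The script below is an added example for this thread, not something any of the posters wrote. It assumes a Linux host with coreutils, uses the AVML memory imager if it happens to be installed (the tool choice is an assumption; any imager would do), runs the remaining collectors in order of volatility, and writes a chain-of-custody log with a UTC timestamp, exit status and SHA-256 of every output file. A collector that is missing is logged as skipped rather than silently ignored, because what you did not collect is part of the record too.

```shell
#!/bin/sh
# Live (volatile) data collection in order of volatility, with a
# chain-of-custody log. Added example, not code from the thread.
# Assumptions: Linux host with coreutils; the memory imager (avml,
# writing memory.lime) is an assumed tool and is skipped if absent.

# SHA-256 of a file, portable between sha256sum and shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one record per action: UTC time, step, exit status, sha256 of output.
log_step() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ -f "$3" ]; then
        sum=$(hash_file "$3")
    else
        sum=-
    fi
    printf '%s\t%s\tstatus=%s\tsha256=%s\n' "$ts" "$1" "$2" "$sum" \
        >> "$OUTDIR/collection.log"
}

# Run a collector only if its binary exists; capture output to a file
# named after the step and document the result either way.
run_step() {
    name=$1; shift
    out="$OUTDIR/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        if "$@" > "$out" 2>&1; then status=0; else status=$?; fi
        log_step "$name" "$status" "$out"
    else
        log_step "$name" "skipped:no-$1" ""
    fi
}

collect_volatile() {
    OUTDIR=${1:-./live-$(date -u +%Y%m%d%H%M%S)}
    mkdir -p "$OUTDIR"
    # Record examiner, host and start time before touching anything else.
    printf 'examiner=%s\thost=%s\tstart=%s\n' "$(id -un)" "$(uname -n)" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$OUTDIR/collection.log"
    # 1. Memory first, before any other tool is loaded and overwrites it.
    run_step memory   avml "$OUTDIR/memory.lime"
    if [ -f "$OUTDIR/memory.lime" ]; then
        log_step memory.image 0 "$OUTDIR/memory.lime"
    fi
    # 2. Everything else, most volatile first (RFC 3227 ordering).
    run_step uptime   uptime
    run_step users    who
    run_step procs    ps -eo pid,ppid,user,lstart,cmd
    run_step sockets  ss -tunap
    run_step routes   ip route
    run_step neigh    ip neigh
    run_step modules  lsmod
    run_step mounts   mount
}

# Seal the log: its hash is the value you write into the case notes.
finalize_collection() {
    hash_file "$1/collection.log"
}

# Example run (constructed; the directory name is an assumption):
# collect_volatile ./case-0001-host-a && finalize_collection ./case-0001-host-a
```

Two design choices worth noting: the log is opened and the examiner/host/time header written before any collector runs, so even an aborted collection leaves a record of who started it and when; and each collector's own exit status is captured rather than allowed to abort the script, since a failing `ss` on one host should not cost you the process list on the same host.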
I'm not experienced/smart enough to decide when I should collect volatile data and when not.
I think I'm going to collect it systematically while taking precautions not to alter data stored on the hard drive.
I'm not experienced/smart enough to decide when I should collect volatile data and when not.
In my experience, if you look at what your directives and environment are, study the topic, and ask specific questions, you'll see that you are, in fact, smart enough. For example, you said you're going to be an internal investigator within a corporation…who would know that environment better than you? Not me.
I think I'm going to collect it systematically while taking precautions not to alter data stored on the hard drive.
Before throwing in the towel, there are some things you should consider.
For example, depending upon the situation, anything you do will cause data on the hard drive to be altered. For example, if you need to access a user's system that's locked, and you decide to use a domain admin account, it's going to make all kinds of changes to the data stored on the hard drive, particularly if that account has never been used to access the system. Windows Event Log records will be generated (Security Log, TaskScheduler Log, and possibly others, depending upon the version of Windows that you've encountered…). If the account has never been used to access the system, a profile will be created, creating folders and files within the file system.
Also, depending on the situation, anything you DON'T do will cause data on the hard drive to be altered. Ever sat in front of a Windows system with ProcMon running and just watched it?
What happened every 24 hrs (by default) on Windows XP? A Restore Point was created, and possibly one was even deleted. Leave a Windows 7 system alone for any amount of time, and you're going to have all sorts of things happen that alter files on the hard drive, all without anyone ever touching a key.
The fact is that making changes to data on the hard drive isn't the issue. Why do I say that? Because police investigate crimes (stabbings, shootings, thefts, etc.) all the time, when it's been raining, and when the victims have been moved to the hospital, been operated on, and may even have passed…and in many cases they're able to ultimately convict someone of the crime. Why? Because they documented what they did. That's the key.
Here's what I would suggest…consider the types of investigations you'll be performing. Write them down. Violation of acceptable use policies? Employees doing bad things? Data breaches?
Now, consider in each case why you would need volatile data. If an employee was thought to be looking at images that they shouldn't, why would you need volatile data? What would be available in the volatile data that would make a significant difference in your findings?
I think that once you do that, you'll find that there are cases in which you will not need volatile data, or that due to how the incident is discovered, volatile data may be of little to no use. Yes, I've had cases where I wished that the client hadn't turned off the system before calling me, but those cases were when someone observed something on the screen, or saw network activity. In cases where the incident occurred 6 months ago, the admin (or AV) removed the malware, and the system has been rebooted dozens of times, volatile data would simply be of no use.
Thanks keydet89 for your excellent answer.
If I understand correctly, the decision to collect volatile data or not should rely on the investigator's assessment of
* The context;
* The investigation's goals;
* The potential value of the volatile data.
If the volatile data have no value, or their collection might put the case in jeopardy, it's better not to collect them.
PS
Imho, in the case of an employee browsing an unauthorized web site, if the incident occurred not long ago, it might be useful to collect volatile data: the employee might be using the browser's private mode, and in that case the browser's data are mainly stored in volatile memory.
If I understand correctly, the decision to collect volatile data or not should rely on the investigator's assessment of
* The context;
* The investigation's goals;
* The potential value of the volatile data.
If the volatile data have no value, or their collection might put the case in jeopardy, it's better not to collect them.
Essentially, yes. Based on my own experience, I would re-order that list, putting the goals first. But otherwise, that's an accurate list.
PS
Imho, in the case of an employee browsing an unauthorized web site, if the incident occurred not long ago, it might be useful to collect volatile data: the employee might be using the browser's private mode, and in that case the browser's data are mainly stored in volatile memory.
I'm not sure that volatile data would help you even at that point.
Also, remember that "private" browsing doesn't really mean what you think it means. 😉