Recovering Live System Artifacts with IEF

The collection of volatile data has become an essential component of a forensic examiner’s processes. While traditional forensic practice has always focused on avoiding any modification of evidence in order to preserve the integrity of the data, this is no longer an option for many investigations. Capturing memory and other live system artifacts is essential to understanding the activity on a system, and can sometimes be the only source of relevant evidence for a case.

Many times, I have worked on malware or intrusion cases where the only evidence found on a live system was in memory. If I had followed the traditional forensic practices of shutting down the computer, I would have destroyed the only clue to understanding how the infection took place…

