O Digital forensics (sometimes known as digital forensic
science) is a branch of forensic science encompassing the
recovery and investigation of material found in digital
devices, often in relation to computer crime.
O "Gathering and analysing data in a manner as free from
distortion or bias as possible to reconstruct data or what
happened in the past on a system [or a network]”
-Dan Farmer / Wietse Venema
Action Plan – First Response
Machine state = OFF
Machine state = ON
Order of Volatility
• CPU, cache and register content
• Routing table, ARP cache, process table
• Temporary file system / swap space
• Data on hard disk
• Remotely logged data
• Raw disk blocks
O “LIVE” Forensics
O “DEAD” Forensics
O Dead analysis is the more common way to acquire data.
O A dead acquisition copies the data without the
assistance of the suspect’s (operating) system.
O Analysing a “dead” system that has had its power
O During data acquisition an exact (typically bitwise)
copy of storage media is created.
O Least chance of modifying data on disk, but “live”
data is lost forever.
O Focuses on extracting and examining the volatile
forensic data that would be lost on power
O A live acquisition copies the data using the
suspect’s (operating) system
O Live forensics is not a “pure” forensic response as
it will have minor impacts to the underlying
machine’s operating state
– The key is that the impacts are known and documented
O Often used in incident handling to determine if an
event has occurred
O May or may not precede a full traditional forensic
O If you work on a suspect’s system you should
boot from / use trusted tools (e.g. a CD or USB stick),
never the binaries already on the suspect’s disk.
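The live-response procedure described above (collect in order of volatility, use trusted tools, keep the impact on the machine known and recorded) as a POSIX shell script. This is an added example and not code from the original slides. It assumes a directory of trusted, statically linked tools mounted read-only at a hypothetical path /mnt/irtools/bin (the slide’s CD or USB stick) and an output directory on the responder’s own external media; the commands run by each step (ps, netstat, arp, mount, who) are my choice, and any that are missing are recorded in the manifest with their exit status rather than skipped silently.

```shell
#!/bin/sh
# Live-response collector: capture volatile data most-volatile-first, hash
# every artefact as soon as it is written, and record a manifest of what ran.
# Added example; not part of the original slides.
set -u

# ASSUMPTION: trusted tools live here (read-only media, not the suspect disk).
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/irtools/bin}"
# Prefer the trusted binaries. The fallback to the host PATH is only so the
# script runs on a workstation without the media; a real response should
# use the trusted tools exclusively.
PATH="$TRUSTED_BIN:$PATH"; export PATH

# SHA-256 of a file, using whichever hashing tool is on the media.
sha256_of() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1; }

# run_step OUTDIR NAME COMMAND [ARGS...]
# Runs one collection command, stores stdout+stderr in OUTDIR/NAME.txt and
# appends "name exit-status sha256 utc-timestamp" to the manifest. A missing
# tool gives status 127 in the manifest, so gaps in the collection are known.
run_step() {
  outdir=$1; name=$2; shift 2
  out="$outdir/$name.txt"
  if "$@" >"$out" 2>&1; then status=0; else status=$?; fi
  printf '%s %s %s %s\n' "$name" "$status" "$(sha256_of "$out")" \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$outdir/manifest.txt"
  return 0
}

# collect_volatile OUTDIR
# Steps follow the order of volatility: clock and uptime, processes, network
# state (sockets, ARP cache, routing table), then mounts and logged-in users.
# Disk imaging is deliberately not done here; that is the dead acquisition.
collect_volatile() {
  outdir=$1
  mkdir -p "$outdir"
  : >"$outdir/manifest.txt"
  run_step "$outdir" 01_date      date -u
  run_step "$outdir" 02_uptime    uptime
  run_step "$outdir" 03_processes ps -ef
  run_step "$outdir" 04_sockets   netstat -an
  run_step "$outdir" 05_arp       arp -an
  run_step "$outdir" 06_routes    netstat -rn
  run_step "$outdir" 07_mounts    mount
  run_step "$outdir" 08_users     who
  # Seal the manifest itself so later tampering with it is detectable.
  sha256_of "$outdir/manifest.txt" >"$outdir/manifest.sha256"
}

# Number of steps recorded in a manifest (to confirm nothing was skipped).
manifest_steps() { wc -l <"$1/manifest.txt" | tr -d ' '; }

# Usage: collect_volatile /media/usb/case-001/host-a
```

Every step writes to a separate file that is hashed immediately, so the collection itself has a known footprint (one process per step, output on external media) and the order of the manifest documents what was captured before what.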
THE IMAGE WILL HAVE
No two different images will have the same hash value (with a cryptographic hash such as SHA-256), so hashing the source medium and the image and comparing the two verifies that the copy is exact.
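The dead acquisition and hash verification described above, as an added shell example that is not from the original slides. It assumes the evidence device is attached through a write blocker (so it cannot change between the copy and the hash), that dd and sha256sum or shasum are available, and that the image is written to the examiner’s own storage; the function names are mine.

```shell
#!/bin/sh
# Dead acquisition: bit-for-bit copy of a storage medium, then hash the
# source and the image and compare. Added example; not from the slides.
set -u

# SHA-256 of a file, using whichever hashing tool is available.
sha256_of() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1; }

# acquire_image SRC IMG
# conv=noerror,sync keeps going past unreadable sectors and zero-fills them,
# so the image stays sector-aligned with the source. bs is the sector size
# on purpose: with a larger block size, conv=sync pads the final partial
# block and the image hash can never match the source hash.
# Returns 0 only if the image hash equals the source hash, 1 on mismatch,
# 2 if dd itself failed. The dd log is kept beside the image.
acquire_image() {
  src=$1; img=$2
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log" || return 2
  src_hash=$(sha256_of "$src")
  img_hash=$(sha256_of "$img")
  printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >"$img.sha256"
  if [ "$src_hash" = "$img_hash" ]; then
    printf 'VERIFIED %s\n' "$img_hash" >>"$img.sha256"
    return 0
  fi
  # Mismatch: read errors (check the dd log) or the source was not read-only.
  printf 'MISMATCH\n' >>"$img.sha256"
  return 1
}

# verify_image IMG
# Re-hash a stored image and compare with the hash recorded at acquisition;
# run this before every analysis session to prove the image is unchanged.
verify_image() {
  img=$1
  recorded=$(sed -n 's/^VERIFIED //p' "$img.sha256")
  [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Usage: acquire_image /dev/sdb /cases/001/sdb.dd && verify_image /cases/001/sdb.dd
```

Real acquisitions usually use dc3dd or ddrescue, which log bad sectors and hash on the fly; the point here is the check itself: the hash of the source, computed after the copy, must equal the hash of the image, and that recorded value is what later sessions verify against.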
Forensic Response Principles
– Maintain forensic integrity
– Require minimal user interaction
– Gather all pertinent information to
determine if an incident occurred for later
– Enforce sound data and evidence collection
What data is in memory?
O Currently running processes and terminated
O Open TCP/UDP ports/raw sockets/active
– Web addresses, typed commands, passwords,
clipboard contents, SAM databases, edited files
O Memory mapped files
– Executables, shared objects (modules/drivers), text
O Collecting Memory dumps:
DumpIt by MoonSols
O Analysing Memory dumps:
WinHex and Volatility Framework 2.3
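A first pass over a raw memory dump for the artefacts listed above (web addresses, submitted credentials) that needs neither WinHex nor Volatility: a strings-style carve in POSIX shell. This is an added example, not from the slides or from either tool. It assumes a raw dump such as DumpIt writes; the sample dump is constructed inline (random bytes around a few planted strings), and the function names and the credential pattern are my own choices.

```shell
#!/bin/sh
# Carve printable artefacts out of a raw memory image.
# Added example; not part of the original slides.
set -u

# Turn every non-printable byte into a newline so embedded strings fall out
# one per line, then keep runs of 4+ characters, as strings(1) does.
printable_strings() { tr -c '[:print:]' '\n' <"$1" | grep -E '.{4,}'; }

# URLs from browser and process memory; they survive in RAM long after the
# page is closed, which is why live/memory acquisition matters.
carve_urls() {
  printable_strings "$1" | grep -E -o 'https?://[^[:space:]"<>]+' | sort -u
}

# Lines that look like submitted credentials: form fields and Basic auth.
carve_credentials() {
  printable_strings "$1" | grep -E -i 'pass(word|wd)?=|Authorization: Basic' | sort -u
}

# Constructed sample dump (NOT a real capture): an HTTP request, a login URL
# seen twice, and a POST body, separated by binary noise and NUL bytes.
make_sample_dump() {
  out=$1
  {
    head -c 300 /dev/urandom
    printf 'GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n'
    head -c 100 /dev/urandom
    printf 'https://intranet.example/login?next=/admin'
    printf '\000\000username=alice&password=Winter2014!\000'
    head -c 100 /dev/urandom
    printf 'https://intranet.example/login?next=/admin\000http://cdn.example/a.js'
  } >"$out"
}

# Usage: make_sample_dump /tmp/mem.raw; carve_urls /tmp/mem.raw; carve_credentials /tmp/mem.raw
```

On a real dump the same two functions are run against the DumpIt output; the hits give the URLs and credentials to then locate in context (owning process, page mapping) with Volatility.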