I'm taking a study course on CCSP and am going over a section on the digital forensics investigation process. In particular, the instructor discussed the following:

[image: PowerPoint slide]

I'm curious on two bullet points here:

  • Capture an accurate image of the system.
  • Work from volatile to persistent evidence.

Both of those make sense by themselves but I'm wondering if/how it's possible to capture an image of a system INCLUDING volatile evidence.

Wouldn't I have to shut the system down (or reboot) in order to collect an image? If so, wouldn't I lose a large chunk of volatile information (e.g. running processes, memory, etc)?

From a practical perspective, how can volatile evidence be preserved?

Mike B

2 Answers

5

Wouldn't I have to shut the system down (or reboot) in order to collect an image?

No, you can use a validated memory capture tool to collect the volatile evidence in RAM.

If so, wouldn't I lose a large chunk of volatile information (e.g. running processes, memory, etc)?

Maybe, it's really hard to say. Research at Princeton University has shown that RAM fades rather than disappears. Cooling allows examiners more time to collect the volatile data. There are a few other concerns with pulling the plug:

  1. Encryption. Powering off the machine could encrypt files that are unencrypted while the machine is running, meaning a loss of evidence.
  2. Damaged data. Turning off the machine could render data unreadable.
  3. Unrecorded evidence. Evidence may not be recorded unless the machine is properly shut down.

From a practical perspective, how can volatile evidence be preserved?

You need to take a series of steps:

  1. Once you begin, make sure you work uninterruptedly, otherwise you invite mistakes.
  2. Gather your materials: report forms, pens, memory capture tools, etc.
  3. If you need to press a key to wake the machine up, document it.
  4. Note the date and time as it appears on the computer.
  5. Record visible icons and running applications, and document running processes. This could help identify malware. You can access this information via the task manager.
  6. Use a validated memory capture tool to collect the volatile evidence in RAM.
  7. Properly shut down the machine to allow any running application a chance to write any artifacts to the disk, which will allow you to recover them later.

You can read more about this process in The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons.

2

Shutting the system down is closer to the end of the collection process.

Capturing volatile data involves capturing the following items:

  • Memory dump/core dump
  • Network connections & traffic
  • Process list

Once you have that data you can then move on to a deeper dive on root cause and what was tampered with. This often involves changing run levels, dumping/cloning the disk(s), then methodically sifting through memory segments from a core dump and process memory to find modified binaries or even just a modified process running in memory.

Another advanced focus is that of firmware compromise leading to an advanced persistent threat. While less likely, use of a JTAG editor to extract a system's current firmware is one of the only methods of ensuring a good, evidence-producing snapshot of a hardware compromise.

jas-
  • Thanks but I'm still confused. Wouldn't I need to save the memory/core dump somewhere locally? And in so doing, wouldn't that effectively be tampering with the local storage of the system in question? – Mike B Mar 07 '18 at 16:00
  • Most will bind it using `nc` and obtain it remotely – jas- Mar 07 '18 at 16:03
  • This basically comes down to your understanding of the word "image" and how an image of a machine can be created. An image can be the state of a live machine and there are various techniques on how to obtain such an image (like snapshotting but more sophisticated). – Tom K. Mar 07 '18 at 16:26
  • You can use tools such as `mdb` or `gdb` to examine a core dump that was generated prior to a full disk backup – jas- Mar 07 '18 at 16:34
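Putting the second answer's list of volatile items together with the `nc` comment above, here is an added bash example (not code from any of the posters) that snapshots the volatile state in rough order of volatility and streams each capture off the box through a pluggable sink, hashing the bytes as they leave so nothing has to be written to the suspect disk. The collector host and port, the sink command and the tool list are assumptions to adapt to your own kit.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Collects volatile data in rough
# order of volatility and ships it off-box, so nothing is written to the
# suspect disk. Collector host/port and the tool list are assumptions.
COLLECTOR_HOST="${COLLECTOR_HOST:-collector.invalid}"   # placeholder host
COLLECTOR_PORT="${COLLECTOR_PORT:-9999}"                # placeholder port

# Snapshot the most volatile items first (time, sessions, processes, network
# state, mounts), each tagged with a UTC timestamp and the exact command used,
# so the notes can say when and how every item was gathered. Tools that are
# missing are skipped; tools that fail are recorded rather than aborting.
volatile_snapshot() {
    local cmd name
    for cmd in "date -u" "uptime" "who" "ps -eo pid,ppid,user,lstart,args" \
               "ss -tunap" "netstat -tunap" "ip route" "ip neigh" \
               "cat /proc/mounts"; do
        name=${cmd%% *}
        command -v "$name" >/dev/null 2>&1 || continue
        printf '=== %s === %s\n' "$cmd" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        $cmd 2>&1 || printf '(%s exited with status %s)\n' "$name" "$?"
    done
}

# Stream one capture (this snapshot, or a RAM image from a validated tool that
# can write to stdout) to the collector, hashing the bytes as they leave. The
# SHA-256 it prints goes in the examiner's notes and is compared against the
# collector's copy. EVIDENCE_SINK is pluggable, e.g. a mounted evidence drive.
ship_evidence() {
    local sink=${EVIDENCE_SINK:-"nc $COLLECTOR_HOST $COLLECTOR_PORT"}
    tee >(eval "$sink") | sha256_hex
}

# Hex SHA-256 of stdin, using whichever hashing tool the host provides.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum
    else shasum -a 256
    fi | awk '{print $1}'
}

# Opt-in entry point so sourcing this file does not start a collection:
#   bash collect.sh collect   (start 'nc -l 9999 > host.vol' on the collector first)
if [ "${1:-}" = "collect" ]; then
    printf 'volatile snapshot sha256: %s\n' "$(volatile_snapshot | ship_evidence)"
fi
```

Run the RAM capture through the same `ship_evidence` path after the snapshot, then follow the first answer's step 7 and shut down cleanly before imaging the disk.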