Live Evidence Investigation

Project Name: Live Evidence Investigation
Description: Live evidence investigation is a demanding, highly skilled job. This blog walks step by step through the concepts of live evidence investigation and volatile-data acquisition.

Author: Rohit D Sadgune

Summary of Contents

  • RAM Forensics Basics
  • Volatile Data Forensics
  • Step by Step guide to RAM Acquisition

The kinds of information that may be retrieved include artifacts such as running processes, network connections (for example listening ports, established connections and connections in a closing state such as TIME_WAIT) and data held in memory.

Live memory also often contains useful information such as decrypted application data (valuable if the machine has disk or file encryption software installed), online references or passwords, and any resource or reference that has not been saved to disk.

If power to the device is removed, these artifacts are lost.

If memory is acquired before the power is removed, the analyst has a large amount of information from the machine's volatile state to examine alongside the evidence on the hard disk.

By cataloguing the forensic footprint of the trusted volatile-data forensic tools in use (which files they touch, which DLLs they load, which processes and connections they create), an analyst knows the impact of running those tools and can account for it during the investigation and when presenting evidence.

Volatile data resides in CPU cache, RAM, temporary files and many other places. With live acquisition it is very difficult to avoid altering evidence, because the acquisition software itself loads DLLs and libraries into memory and consumes pages of RAM, and running it may trigger malware already present on the system to damage evidence.

RAM Forensics 

  • Memory resident data
  • Correlation with Swap Areas
  • Anti-Forensics against the data:
  1. Data contraception
  2. Data hiding
  3. Data destruction
  • Anti-Forensic methods:
  1. Data contraception against File System Analysis
  2. Data hiding against Memory Analysis

Live Evidence List

  • Process listings.
  • Service listings.
  • System information.
  • Logged on & registered users.
  • Network information including listening ports, established connections and connections in a closing state.
  • ARP (address resolution protocol) cache.
  • Auto-start information.
  • Registry information.
  • A binary dump of memory.
  • Passwords in clear text
  • Instant messages
  • Commands executed on the system
  • Malware, Trojans or other malicious programs
  • Attached devices

Live Evidence Order

  • System cache
  • Running processes, system statistics, kernel information, date and time
  • System and application temporary files
  • Storage devices and data at rest
  • Network related activities

Steps for Live Data Forensics Acquisition

  • Do not power off the system until all relevant volatile data has been acquired.
  • Keep a record of every action performed during live acquisition, including which tool was run and when.
  • Photograph the screen, the running processes and the files open on the suspect system before touching anything.
  • Identify the operating system and version running on the device.
  • Record the system date and time, and its offset from a trusted clock, for later correlation of timestamps.
  • Acquire the RAM with a known, tested forensic tool, writing the image to external media rather than to the suspect's own disk.
  • Avoid running administrative utilities on the suspect system that alter its state; run only the acquisition tools you need, from trusted media.
  • Note every procedure you performed during volatile-data forensics; this is needed for the final report and to account for the tools' own footprint in the evidence.

ProDiscover, FTK, EnCase or other capable software can be run, but the final analysis must not be affected by the act of acquisition and no errors should be introduced along the way. The most defensible approach to live evidence is therefore a scripted, repeatable collection.
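As an added example (not from the original post and not ProDiscover's code), the following PowerShell script shows what such a scripted collection looks like: it writes each artefact to a case folder on external media in roughly the order of volatility given above, hashes every output file as soon as it is written, and keeps a timestamped log of every action, including the modules the script itself loaded into memory so that the tool's footprint can be accounted for. The output path, the analyst name and the exact set of commands are assumptions for illustration.

```powershell
# Added example (not from the original post): scripted volatile-data collection
# for a Windows host, run from a trusted USB stick or network share.
# Assumptions: PowerShell 5.1 or later on Windows; $OutRoot is a hypothetical
# path on removable media under the analyst's control.
param(
    [string]$OutRoot = "E:\LiveCollection",
    [string]$Analyst = "analyst-name"
)

$ErrorActionPreference = 'Continue'
$case = Join-Path $OutRoot ("{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $case -Force | Out-Null
$log = Join-Path $case 'collection_log.txt'

function Write-Log([string]$Msg) {
    # Every action is stamped in UTC and local time so the report can reconcile both
    $line = "{0} (local {1}) {2}" -f (Get-Date).ToUniversalTime().ToString('o'), (Get-Date).ToString('o'), $Msg
    Add-Content -Path $log -Value $line
}

function Invoke-Step {
    param([string]$Name, [scriptblock]$Cmd)
    $out = Join-Path $case "$Name.txt"
    Write-Log "START $Name"
    try {
        & $Cmd 2>&1 | Out-String -Width 4096 | Set-Content -Path $out -Encoding UTF8
        # Hash each artefact immediately so later tampering is detectable
        $h = (Get-FileHash -Path $out -Algorithm SHA256).Hash
        Write-Log "END   $Name sha256=$h"
    } catch {
        Write-Log "FAIL  $Name $($_.Exception.Message)"
    }
}

Write-Log "Collection started by $Analyst on $env:COMPUTERNAME as $env:USERNAME"
# Record the footprint of this very script: which modules it loaded into memory
Invoke-Step 'collector_footprint' { (Get-Process -Id $PID).Modules | Select-Object ModuleName, FileName }

# Most volatile first: clock, kernel/system info, processes, network state, then users, autostart, devices
Invoke-Step 'system_time' { Get-Date; w32tm /query /status; [System.TimeZoneInfo]::Local }
Invoke-Step 'os_info'     { Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, LastBootUpTime, OSArchitecture }
Invoke-Step 'processes'   { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate | Sort-Object ProcessId }
Invoke-Step 'services'    { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName }
Invoke-Step 'netstat'     { netstat -ano }
Invoke-Step 'arp_cache'   { arp -a }
Invoke-Step 'routes'      { route print }
Invoke-Step 'logged_on'   { query user; Get-CimInstance Win32_LoggedOnUser }
Invoke-Step 'autostart'   { Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User }
Invoke-Step 'devices'     { Get-PnpDevice -PresentOnly | Where-Object { $_.Class -in 'USB','DiskDrive' } | Select-Object Class, FriendlyName, InstanceId }
Invoke-Step 'cmd_history' { Get-Content (Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt') }

Write-Log "Collection finished; artefacts in $case"
```

Run it from an elevated PowerShell session started from the trusted media; `netstat -ano` and `arp -a` work without elevation, but the command lines of other users' processes and some device queries do not. The PSReadLine history step only covers the account the script runs as; history for other logged-on users lives under their own profile paths. Nothing here acquires the RAM image itself, which is the tool-specific step covered next.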

Step by Step guide for Live Evidence Investigation

To acquire RAM you can use many tools, but one of the more prominent is ProDiscover Incident Response. Here I have demonstrated how to perform volatile data forensics using ProDiscover Incident Response.

ProDiscover Incident Response = PIR

First, open PIR and create a forensic case in it.

ProDiscover Incident Response Case Window

PIR offers many options. One of them is "Find Unseen Files", which reports files that are hidden from normal directory listings, as a rootkit would hide them. To launch it go to

PIR —> Click on IR —> Click on Find Unseen Files

ProDiscover Incident Response Unseen files

Similarly, you can look for hidden processes on the suspect system, that is, processes that do not appear in the normal process list:

PIR —> Click on IR —> Click on Find Unseen Process


ProDiscover Incident Response Unseen Processes

Similarly, you can drill down your analysis to following areas

  • Open and closed ports
  • Running processes
  • System state
  • HDD capacity
  • Operating system references


You can also perform basic malware forensics by comparing against a baseline. In forensics, baseline comparison means comparing an earlier record of the file system's MAC (Modified, Accessed, Created) times against its current state. This gives the most information about unexpected changes on the suspect system, provided the baseline was taken while the system was in a known-good state.

PIR —> Click on IR —> Click on Compare Baseline


ProDiscover Incident Response Comparing Baseline
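To show what the baseline comparison does underneath, here is an added PowerShell example (my own illustration, not ProDiscover's Compare Baseline feature) that records MAC times plus a SHA-256 hash for every file under a directory, then diffs a later snapshot against the baseline. Adding the hash lets it separate real content changes from timestamp-only changes, which is the signature of timestomping. The directory and CSV paths are assumptions.

```powershell
# Added example (not ProDiscover's own Compare Baseline): build a file-system
# baseline of MAC times and SHA-256 hashes, then diff a later snapshot against it.
# Assumes $Root is the directory under review and the CSVs are stored off-host.
function New-FsBaseline {
    param([string]$Root, [string]$OutCsv)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Timestamps are read before the file is opened for hashing, so the
            # hash computation cannot disturb the Accessed value being recorded
            [PSCustomObject]@{
                Path     = $_.FullName
                Size     = $_.Length
                Modified = $_.LastWriteTimeUtc.ToString('o')
                Accessed = $_.LastAccessTimeUtc.ToString('o')
                Created  = $_.CreationTimeUtc.ToString('o')
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        } | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
}

function Compare-FsBaseline {
    param([string]$BaselineCsv, [string]$CurrentCsv)
    $base = @{}; Import-Csv $BaselineCsv | ForEach-Object { $base[$_.Path] = $_ }
    $now  = @{}; Import-Csv $CurrentCsv  | ForEach-Object { $now[$_.Path]  = $_ }

    foreach ($p in $now.Keys) {
        if (-not $base.ContainsKey($p)) {
            [PSCustomObject]@{ Change = 'ADDED'; Path = $p; Detail = "created $($now[$p].Created)" }
            continue
        }
        $b = $base[$p]; $n = $now[$p]
        if ($b.SHA256 -ne $n.SHA256) {
            [PSCustomObject]@{ Change = 'CONTENT'; Path = $p; Detail = "modified $($b.Modified) -> $($n.Modified)" }
        } elseif ($b.Modified -ne $n.Modified -or $b.Created -ne $n.Created) {
            # Same bytes, different M or C time: a classic timestomping indicator
            [PSCustomObject]@{ Change = 'TIMESTAMP'; Path = $p; Detail = "M $($b.Modified) -> $($n.Modified); C $($b.Created) -> $($n.Created)" }
        } elseif ($b.Accessed -ne $n.Accessed) {
            [PSCustomObject]@{ Change = 'ACCESSED'; Path = $p; Detail = "$($b.Accessed) -> $($n.Accessed)" }
        }
    }
    foreach ($p in $base.Keys) {
        if (-not $now.ContainsKey($p)) {
            [PSCustomObject]@{ Change = 'DELETED'; Path = $p; Detail = "was modified $($base[$p].Modified)" }
        }
    }
}

# Usage: take the baseline from a known-good state, the snapshot during the investigation
# New-FsBaseline -Root 'C:\Windows\System32' -OutCsv 'E:\case\baseline.csv'
# New-FsBaseline -Root 'C:\Windows\System32' -OutCsv 'E:\case\current.csv'
# Compare-FsBaseline 'E:\case\baseline.csv' 'E:\case\current.csv' | Sort-Object Change | Format-Table -AutoSize
```

Two caveats apply to any MAC-based comparison, this one included: Windows disables last-access time updates by default on NTFS, so the Accessed column is often unchanged even for files that were read, and a file whose content changed while its Modified time stayed the same is exactly the case the hash column exists to catch.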

For acquisition of RAM

PIR —> Click on Capture Image –>

The following window will then appear:


ProDiscover Incident Response Capture Image


Select the image format. ProDiscover can acquire RAM in two formats: the standard raw "DD" format, and ProDiscover's proprietary "eve" format. Here I have selected "DD", since a raw image can later be examined with any other memory-analysis tool.

Click OK after giving the absolute path at which to store the forensic image. Store the image on external media rather than on the suspect's disk, and compute a hash of the image as soon as the capture completes and record it in the case notes, so the image can later be shown to be unchanged.

ProDiscover Incident Response RAM Acquisition

In this way one can work on live evidence investigation using ProDiscover Incident Response.

Note: The entire demonstration of ProDiscover Incident Response was developed under an educational license of ProDiscover Incident Response.