Live Evidence Investigation
Project Name: Live Evidence Investigation
Description: Live Evidence Investigation is a difficult and sophisticated job. In this blog we will go step by step through the concepts of Live Evidence Investigation.
Author: Rohit D Sadgune
Summary of Contents
- RAM Forensics Basics
- Volatile Data Forensics
- Step by Step guide to RAM Acquisition
Different types of information that may be retrieved include artifacts such as running processes, network connections (e.g. open network ports and those in a closing state) and data stored in memory.
Live memory also often contains useful information such as decrypted applications (useful if the machine has encryption software installed), online references or passwords, and any resource or reference that has not yet been saved to disk.
If the power to the device is removed, such artifacts will be lost.
If memory evidence is acquired before removing the power, the analyst will have a wealth of information from the machine's volatile state to use in conjunction with the evidence on the hard disk.
By cataloguing the forensic footprint of trusted volatile data forensic tools, a forensic analyst will be in a position to understand the impact of using such tools, and will therefore take it into account during the investigation and when presenting evidence.
Volatile data resides in cache, RAM, temporary files and many other places. With respect to live acquisition it is very difficult to prevent evidence tampering, because the software being run uses DLLs and libraries, and this may trigger malware on the system to damage the evidence.
- Memory resident data
- Correlation with swap areas
- Anti-forensics against the data:
  - Data contraception
  - Data hiding
  - Data destruction
- Anti-forensic methods:
  - Data contraception against file system analysis
  - Data hiding against memory analysis
Live Evidence List
- Process listings
- Service listings
- System information
- Logged-on and registered users
- Network information including listening ports, open ports and closed ports
- ARP (Address Resolution Protocol) cache
- Auto-start information
- Registry information
- A binary dump of memory
- Passwords in clear text
- Instant messages
- Commands executed on the system
- Malware, Trojans or any other malicious programs
- Attached devices
Live Evidence Order
- System cache
- Running processes, system statistics, kernel information, date and time
- System and application temporary files
- Storage devices and other data-at-rest devices
- Network related activities
Steps for Live Data Forensics Acquisition
- Do not power off the system until all relevant volatile data has been acquired.
- Maintain traces of all activities that have been performed during live acquisition.
- Take pictures of the running processes and of the files open on the suspected system.
- Find out which operating system is running on the device.
- Record the system date and time for further forensic reference.
- Acquire the RAM using any known forensic technology.
- Make sure that no utilities requiring administrative privileges are run on the suspected system.
- Note every procedure you have performed for volatile data forensics; this will be useful when writing the final report.
ProDiscover, FTK, EnCase or other capable software can be run, but the final result of the analysis must not have any impact on the evidence, and no error should creep in along the way. So the best method to approach live evidence is a scripted method.
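The following is an added example of the scripted method the paragraph above argues for; it is not code from the original post and not part of any of the tools named there. It follows the checklist above: it records the system date and time, hostname and OS before anything else, logs every action with a UTC timestamp, and seals the acquired RAM image with a SHA-256 hash so that later tampering can be detected by re-hashing. The case id, examiner name and the "RAM image" (a placeholder file holding the bytes `abc`) are constructed values; a real acquisition tool would write the image in place of that placeholder.

```python
# Added example (not from the original post): a minimal scripted workflow for
# the live-acquisition checklist. It records the system clock, OS and host
# details first, logs every step with a timestamp, and seals the acquired RAM
# image with a SHA-256 hash so later tampering is detectable.
# The "RAM image" written below is a constructed placeholder, not a real dump.
import hashlib
import json
import os
import platform
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AcquisitionLog:
    """Append-only record of everything done on the suspect system."""

    def __init__(self, case_id, examiner):
        self.entries = []
        self.case = {
            "case_id": case_id,
            "examiner": examiner,
            "hostname": platform.node(),
            "os": f"{platform.system()} {platform.release()}",
            # Record the system clock before anything else so timestamps found
            # inside the image can be reconciled against it later.
            "system_time_utc": datetime.now(timezone.utc).isoformat(),
        }

    def step(self, action, **details):
        entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "action": action}
        entry.update(details)
        self.entries.append(entry)
        return entry

    def seal_image(self, image_path):
        """Hash the acquired image and log the digest; re-hash later to verify."""
        digest = sha256_file(image_path)
        self.step("hash_image", path=os.path.basename(image_path),
                  size_bytes=os.path.getsize(image_path), sha256=digest)
        return digest

    def verify_image(self, image_path, expected_sha256):
        """Return True if the image still matches the digest recorded at acquisition."""
        ok = sha256_file(image_path) == expected_sha256
        self.step("verify_image", path=os.path.basename(image_path), match=ok)
        return ok

    def write(self, path):
        """Persist the log as JSON for the final report."""
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"case": self.case, "steps": self.entries}, fh, indent=2)
        return path


def run_demo(image_bytes=b"abc"):
    """Simulate an acquisition on a placeholder image; return digest, verify result, step count."""
    workdir = tempfile.mkdtemp(prefix="live_acq_")
    image_path = os.path.join(workdir, "memory.dd")
    log = AcquisitionLog(case_id="CASE-0001", examiner="examiner")  # constructed values
    log.step("photograph_screen", note="photos of running processes and open files taken")
    log.step("acquire_ram", tool="<acquisition tool>", output_format="dd")
    with open(image_path, "wb") as fh:  # placeholder for the real RAM dump
        fh.write(image_bytes)
    digest = log.seal_image(image_path)
    verified = log.verify_image(image_path, digest)
    log.write(os.path.join(workdir, "acquisition_log.json"))
    return {"sha256": digest, "verified": verified, "steps": len(log.entries)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The log is written only after the image has been hashed, so the report can state both the digest and the exact order of actions taken on the live system; re-running `verify_image` against a copy of the image at analysis time proves the copy is the one that was acquired.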
Step by Step guide for Live Evidence Investigation
To acquire RAM you can use multiple technologies, but the more prominent one is ProDiscover Incident Response. Here I have demonstrated how to perform volatile data forensics using ProDiscover Incident Response.
ProDiscover Incident Response (PIR)
First of all, open PIR and create a forensic case in it.
ProDiscover Incident Response Case Window
PIR offers many options; one of them is "Find Unseen Files". To launch it go to
PIR —> Click on IR —> Click on Find Unseen Files
You can also look into the unseen processes of the suspected system:
PIR —> Click on IR —> Click on Find Unseen Processes
Similarly, you can drill down your analysis into the following areas:
- Open and closed ports
- Running processes
- System state
- HDD capacity
- Operating system references
You can also perform basic malware forensics by comparing against a baseline. Forensic baseline comparison refers to comparing an older MAC (Modified, Accessed, Created) snapshot with the current state of the file system. This gives you the most output with respect to suspicious changes in the suspected system.
PIR —> Click on IR —> Click on Compare Baseline
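To show what a baseline comparison actually computes, here is an added, scripted version of the idea; it is not ProDiscover's own implementation and not code from the original post. A baseline snapshot records, for every file under a root directory, its M/A/C timestamps, size and SHA-256 hash; comparing a later snapshot against it classifies files as added, deleted, modified (content hash changed) or merely touched (content identical, timestamps moved). The sample directory tree and the changes made to it are constructed inline. One caveat built into the code: on POSIX systems `st_ctime` is the inode change time, while on Windows it is the creation time, so the "C" column means different things on the two platforms.

```python
# Added example (not from the original post, not ProDiscover's implementation):
# a file-system MAC-time + hash baseline and a comparison against it.
# The directory tree and the simulated changes are constructed for the demo.
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(root):
    """Map relative path -> {modified, accessed, changed, size, sha256} for files under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {
                "modified": st.st_mtime_ns,  # M
                "accessed": st.st_atime_ns,  # A
                "changed": st.st_ctime_ns,   # C: inode change (POSIX) or creation (Windows)
                "size": st.st_size,
                "sha256": sha256_file(full),
            }
    return result


def compare_baseline(baseline, current):
    """Classify every path seen in either snapshot; lists come back sorted."""
    report = {"added": [], "deleted": [], "modified": [], "touched": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["deleted"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
        elif any(baseline[rel][k] != current[rel][k] for k in ("modified", "accessed", "changed")):
            # Same content, moved timestamps: flag it, since timestamp
            # manipulation is a classic anti-forensic technique.
            report["touched"].append(rel)
    return report


def save_baseline(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def run_demo():
    """Build a constructed tree, baseline it, simulate changes, and return the report."""
    root = tempfile.mkdtemp(prefix="baseline_root_")
    store = tempfile.mkdtemp(prefix="baseline_store_")  # kept outside root
    os.makedirs(os.path.join(root, "system32"))
    files = {"system32/svchost.exe": b"original service host",
             "notes.txt": b"hello", "config.ini": b"[main]\nkey=1\n"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    baseline_path = os.path.join(store, "baseline.json")
    save_baseline(snapshot(root), baseline_path)

    # Simulated activity since the baseline was taken (constructed):
    with open(os.path.join(root, "system32", "svchost.exe"), "wb") as fh:
        fh.write(b"replaced binary")                        # content modified
    os.remove(os.path.join(root, "notes.txt"))              # deleted
    with open(os.path.join(root, "new_binary.exe"), "wb") as fh:
        fh.write(b"unknown new file")                       # added
    cfg = os.path.join(root, "config.ini")
    st = os.stat(cfg)
    one_day = 86_400 * 10**9
    os.utime(cfg, ns=(st.st_atime_ns - one_day, st.st_mtime_ns - one_day))  # backdated

    return compare_baseline(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash, not the timestamp, decides whether a file is "modified", which is what makes the "touched" bucket useful: a file whose timestamps went backwards while its content stayed the same is exactly the kind of change a timestamp-only comparison would miss.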
For acquisition of RAM:
PIR —> Click on Capture Image
Then the following window will appear, for your reference.
Select the appropriate format for the image: ProDiscover can acquire RAM in two formats, the standard "DD" format and ProDiscover's proprietary "eve" format. Here I have selected the "DD" format.
Click on OK after giving the absolute path where the forensic image is to be stored.
In this way one can work on Live Evidence Investigation using ProDiscover Incident Response.
Note: The entire demonstration of ProDiscover Incident Response was developed on an educational license of ProDiscover Incident Response.