- Understand the concepts of “Live Acquisition”
- Understand volatile data and the Order of Volatility
- Understand live acquisition issues and limitations
- Demonstrate live acquisition knowledge and skills using various tools and techniques
Definitions
Live Acquisition
Acquiring data from a suspect system which is currently running
Dead Acquisition
Local storage is physically removed from a suspect system
Physical Memory / RAM
Contents of RAM are lost when the system is powered down; contains info concerning currently running processes, open files, encryption keys, etc.
Volatile Data
Data that is retained ONLY while the user leaves the system running, e.g. RAM
Order of Volatility (most volatile to least volatile)
RAM / Hard Drive / Remote logging data / floppy disks / CD-ROM, DVD / printouts
Live Response
- Live Response involves the identification and capture of data from a system that is powered on and running when you encounter it.
- Live Response could be done before you shut down a system, or instead of shutting down a system.
Order of Volatility
- The Order of Volatility illustrates that some forms of evidence have a shorter life span than others.
- The Order of Volatility should be considered when deciding which evidence to preserve first.
Order of Volatility
- Registers, cache (milliseconds)
- Routing tables, ARP cache, process list, RAM (milliseconds)
- Temporary files (minutes)
- Disk contents (minutes-years)
- Remote logging (hours-days)
- Physical configuration, network topology (months-years)
- Archival media (years)
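The Live Response and Order of Volatility material above, as an added example (not part of the original slides): a POSIX shell collector that captures the most volatile artefacts first, writes each to its own file, and hashes each output as soon as it is written so the manifest records what was captured, when, and its digest. The collector list is constructed for a Linux host and should be adjusted to the system at hand; a missing or failing tool is logged rather than hidden.

```sh
#!/bin/sh
# Collect volatile data in Order of Volatility (most volatile first).
# Each collector's output goes to its own file and is hashed immediately,
# so the manifest records what was captured, when, and its integrity digest.
set -u

# Constructed collector list, most volatile first. One "<name> <command>"
# per line; the command runs via sh -c and its failure is recorded.
COLLECTORS='01_datetime date -u "+%Y-%m-%dT%H:%M:%SZ"; uptime
02_arp_cache cat /proc/net/arp
03_route_table cat /proc/net/route
04_open_sockets ss -tunap 2>/dev/null || netstat -tunap
05_process_list ps -eo pid,ppid,user,lstart,cmd
06_logged_in_users who -a
07_mounted_fs cat /proc/mounts'

# sha256_of <file> -> hex digest (sha256sum on Linux, shasum fallback on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# collect_volatile <outdir> -> prints the manifest path
collect_volatile() {
  outdir="$1"; manifest="$outdir/manifest.txt"
  mkdir -p "$outdir"; : >"$manifest"
  printf '%s\n' "$COLLECTORS" | while read -r name cmd; do
    out="$outdir/$name.txt"
    # Run the collector; a failed or missing tool is logged, not hidden.
    if sh -c "$cmd" >"$out" 2>&1; then status=ok; else status=failed; fi
    printf '%s %s %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$status" \
      "$(sha256_of "$out")" "$name" >>"$manifest"
  done
  # Seal the manifest so later alteration of the record itself is detectable.
  sha256_of "$manifest" >"$manifest.sha256"
  printf '%s\n' "$manifest"
}

# count_entries <manifest> -> number of artefacts recorded
count_entries() { wc -l <"$1" | tr -d ' '; }
```

Run it as `collect_volatile /mnt/evidence/case01` with the output directory on removable or network media, never on the suspect disk, so the acquisition itself does not overwrite less volatile evidence.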