Wednesday, 17 July 2013


Traditional digital forensic investigation is conducted after pulling the power plug of the target machine, regardless of whether the machine is “On/Live” or “Off/Dead”. A lot of “volatile” information is stored in the RAM, or simply the memory, of the computer, and pulling the power plug from a running computer alters or deletes hundreds of files on the system which could contain crucial information such as passwords, network information, running indecent images and other data that could help in examining the case successfully. Hence, by pulling the plug the investigator loses a lot of crucial evidence/information which could be very helpful. It therefore becomes very vital to perform a “Live” acquisition of the RAM/memory of the running machine. The contents of the memory can be acquired and saved to an external, forensically wiped drive using hardware- or software-based acquisition techniques and tools such as Firewire, Helix Live Response USB, Mandiant MDD and Win32dd. The contents of the RAM can later be analysed using powerful tools such as Volatility, EnCase and FTK.

In order to perform the acquisition of a live/running computer, a tested methodology is very critical and is considered to be the foundation for “Live” and “Traditional Forensic Investigation”.
The paper will critically analyse the contents of “volatile” memory, the techniques and tools to acquire the RAM and the volatile data residing in it, and a methodology for conducting a sound Live Forensic Acquisition in a Corporate Environment.

Keywords: Live Forensics, Incident Response, Acquisition, Memory, Digital Forensics, RAM, Volatile Data

The rapid development in the field of Information and Communication Technology (ICT) has provided unparalleled prospects for storing and retrieving information, searching data and exchanging or transferring information around the world at an immensely fast speed. Computers in the corporate environment were initially used only for accessing email and searching the internet. However, advanced technologies such as LAN (Local Area Network), WAN (Wide Area Network), Mobile Broadband and Wifi enabled corporate organisations to store, retrieve, search and transfer information or data from around the globe at any given time.

With the introduction of E-commerce, businesses now use computers not only for communicating and storing critical information and plans but also for marketing and managing purchases, since the introduction of payment facilities such as Credit Cards, PayPal etc. The loopholes or security holes within the cyber world or internet opened up the world to vulnerabilities and threats that could be exploited by criminals in order to commit crimes. Traditional crimes such as shoplifting, piracy, identity theft, robbery and adultery started being replaced with modernized crimes such as malicious hacking, online identity theft (including credit card fraud), online stalking, online scams and online pedophilia.

The contemporary world is using internet-based technology in order to meet ever-increasing consumer (or user) demands and to enhance businesses. The increase in the use of computers or internet-based technologies in businesses and organizations led to a shocking increase in cybercrime[1]. The internet (or businesses using computers) undoubtedly became a primary target for cybercrime, and the motives of cybercriminals[2] were primarily financial gain, but now their motives have expanded to political, religious, revenge, power and terrorism.

According to ACPO[3], e-crime is: “The use of networked computers, telephony or Internet technology to commit or facilitate the commission of crime.”
The following definition of E-Crime will be used for this paper:
“Any crime committed through the use of a computer or any electronic device is known as E-crime or cybercrime, and the person committing the crime is known as a cybercriminal. Cybercrime includes cases ranging from identity theft, software piracy, insider attacks, unauthorized intrusions, virus and malware infections, credit card fraud, and money laundering etc. to extreme cases like murder, rape, pedophile, and

The exponential rise in cybercrime ultimately led to Computer Forensics, and according to McKemmish, R. (1999) Digital Forensics is “the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable”.
The following definition of Computer Forensics/Digital Forensics has been proposed for this paper:
“The identification, collection, preservation and analysis of digital evidence following a forensically sound methodology which does not alter the original state of the evidence, so that the ‘evidence’ can be presented in a manner which would be admissible in a court of law”.

1. The term cyber crime is used where a computer is used as a tool in committing a crime or offence. Throughout the report, the terms ‘e-crime’, ‘computer crime’, ‘high tech crime’ and ‘digital crime’ may be used interchangeably with ‘cyber crime’.
2. The term cyber criminal is used for the attacker or person responsible for the ‘cyber crime’ or offence. Throughout the report, the terms ‘cyber criminals’, ‘attackers’ may be used interchangeably with ‘cyber
3. ACPO – Association of Chief Police Officers

Live Forensics is the digital forensic investigation performed on a “live” or “running” computer. It is a relatively new advancement in the field of digital forensics which is considered to be still in its infancy. Nowadays, with various sophisticated tools available, like the Helix Live Response USB Stick, Nigilant32 etc., Live Forensic Investigations can be performed without much hassle in terms of time and training, although initial training certification is mandatory for all digital forensic analysts (DFA) performing DFI.
In order to critically discuss and analyze the role of Live Forensics in a corporate environment, it is necessary to understand its need or importance, benefits, values and challenges in conducting this type of

Need of Live Forensics/ Limitations of Dead Forensics
Traditional digital forensic investigation is conducted after pulling the power plug of the target machine, regardless of whether the machine is “On/Live” or “Off/Dead”. A lot of “volatile” information is stored in the RAM, or simply the memory, of the computer; it is therefore very important to image the contents stored in the memory. Pulling the power plug from the running computer alters or deletes hundreds of files on the system which could contain crucial information like passwords, running indecent images and scripts that could be of use in the court trial. Hence, the investigator loses a lot of crucial evidence/information which could be very helpful in the case.
This gave rise to the field of Live Forensics, which is relatively in its infancy compared to Traditional Digital Forensics. Live Forensics is conducted not by pulling the plug of the running computer, but by acquiring/imaging the contents of the RAM, or simply ‘Memory’, in a forensically sound manner. The forensically sound image of the memory is then analysed using advanced forensic software like EnCase, Volatility, FTK etc. in order to reveal the contents or information hiding/residing in the memory of the target system. The contents of the RAM may include information like running processes, passwords, scripts, ports etc. (Adelstein, F. 2006). Hence, an investigator can gain a lot of crucial evidence/information which could be very helpful in the case. Currently, the acquisition in a live forensic investigation is conducted in two ways:
1. Physical access to the machine: on a running machine in a workplace (e.g. a running computer on a desk in the office, at home etc.).
2. No physical access to the machine: over the network.

In the corporate environment, various organizations try to handle non-criminal issues internally and conduct digital or sometimes live forensic investigations, in order to avoid charges or negative media hype. Some organizations have a computer forensics team that is trained and certified to perform investigations following a methodology, while some companies do not function in the same way. Since internal non-criminal cases sometimes lead to court, it is very crucial that the digital evidence is acquired and analysed in a forensically sound manner every time, so that it can be admissible in a court of law if the need arises.
In order to perform the acquisition of a live/running computer, a tested methodology is very critical and is considered to be the foundation for “Live” and “Traditional Forensic Investigation”. Currently, there are various tools and methods available for acquiring memory from a running computer, but there is no established and comprehensive Best Practice Guide on Live Forensic Acquisition in a Corporate Environment.
This paper outlines a Methodology that could be followed for conducting Live Forensic Acquisition, which will facilitate investigators in performing Live Forensic Investigations in the Corporate as well as the Law Enforcement Environment.

Reasons to collect volatile information and conduct Live Forensic Acquisition
1. Increasing Size of Hard Disks: The size of hard disks is increasing day by day; currently 500 GB is common, whereas 1 TB, 2 TB and around 10 TB will be common in less than 5 years' time. Therefore, a lot of time, maybe months or years, will be required in order to analyse these huge hard disks. Hence, live forensics could help in avoiding backlog or resolving cases in a fast and efficient way.
2. Determine Ongoing Activity of the Suspect: may help determine ongoing criminal activity on the system.
3. Passwords: memory may contain passwords which could have been used for encryption on the target system, which otherwise makes it difficult to analyze.
4. Anti-Forensic Techniques: reveal the anti-forensic techniques being used by the suspect, such as manipulation of data, native operating system tools, data hiding in memory or practically unreachable places (LESSING, M. and SOLMS, B. 2008).
5. Running Malware or Virus: it might also reveal malware, a virus or a Trojan residing in the memory which would go unnoticed by an examiner conducting hard disk analysis.
6. Business Requirements: NetSecurity, 2009 stated that some businesses require systems to be running continuously and therefore they cannot be shut down. Pulling the power plug off the back of a system might create legal responsibility for investigators for unintentional loss of data or equipment.

Challenges in collecting volatile data
In practice, live acquisition of memory will alter the evidence to some degree.
1. Running Computer: The first and foremost challenge in collecting volatile data is the need for a “running or live computer”. If the computer is not running then it is very difficult to conduct a live forensic investigation.
2. Laws: Current laws therefore need to be amended, or need some flexibility, so that the reason for the alteration made while acquiring live evidence can be justified.
3. Alteration to Memory: During the acquisition there will be alteration to a certain degree, but the goal of collecting volatile data or RAM is to substantially minimize the footprint left on the memory by the collection tools, methods or procedures used for acquiring the memory and volatile data.
4. Not Repeatable: The memory acquisition cannot be repeated to give the same results because RAM is always changing. Although images of the RAM can be acquired as many times as required, the image hash will not match that of the previously acquired image because of the ever-changing nature of RAM.
5. Untrained Staff: Untrained live forensic data collectors alter or destroy the evidence completely.
6. Untested Tools or Methods: Untested toolkits and software may also destroy the evidence completely.
7. Lack of Established Procedures or Set Guidelines: Untested procedures, or a lack of established procedures and guidelines, make it difficult for a live investigation to be repeatable.
8. Documentation: Changes to the system and all actions must be properly documented, explained and justified, including registry changes, memory changes and alterations to the system clock, date and times.
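Challenges 4 and 8 above (hashes that cannot be reproduced, and the duty to document every action) are usually met by recording, at acquisition time, the hash of the one image that was taken together with who took it, when, and with which tool, so that the evidence copy can later be shown to be unchanged even though the live RAM could never be re-imaged to the same hash. The following Python is an added example, not code from the original post or from any of the tools it names; the manifest fields, the placeholder identifiers and the small sample file standing in for a RAM dump are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte RAM dump never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_for(image_path):
    image_path = Path(image_path)
    return image_path.with_name(image_path.name + ".manifest.json")

def record_acquisition(image_path, tool, examiner, case_id, target_host, started, finished):
    """Tie the image hash to one acquisition event. Re-imaging the same live system would hash
    differently because RAM keeps changing, so the time window and tool are part of the record."""
    image_path = Path(image_path)
    manifest = {
        "case_id": case_id, "examiner": examiner, "tool": tool, "target_host": target_host,
        "image": image_path.name, "size_bytes": image_path.stat().st_size,
        "sha256": sha256_file(image_path),
        "started_utc": started.isoformat(), "finished_utc": finished.isoformat(),
    }
    manifest_for(image_path).write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_image(image_path):
    """True if the evidence copy still matches its manifest (unchanged since acquisition)."""
    expected = json.loads(manifest_for(image_path).read_text())["sha256"]
    return sha256_file(image_path) == expected

def demo():
    """Constructed sample: a small file stands in for a RAM dump; identifiers are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "ram.raw"
        image.write_bytes(b"\x00" * 4096 + b"constructed sample memory contents")
        started = datetime.now(timezone.utc)
        record_acquisition(image, "TOOL-PLACEHOLDER", "EXAMINER-PLACEHOLDER", "CASE-PLACEHOLDER",
                           "HOST-PLACEHOLDER", started, datetime.now(timezone.utc))
        intact = verify_image(image)
        with open(image, "r+b") as f:  # simulate one corrupted byte on the evidence copy
            f.seek(10)
            f.write(b"\x01")
        return intact, verify_image(image)  # (True, False)
```

The second verification fails after a single byte of the copy changes, which is the property the manifest is meant to prove; it says nothing about whether a fresh acquisition of the live machine would match, which it would not.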

Now that there is an understanding of what data can be found residing in memory, which is volatile in nature and needs to be captured, it is important to understand the order of volatility in order to acquire the data residing in the memory before it is lost. The order of volatility in memory can be defined as the order in which the data residing inside the memory is lost: the data which is more volatile is lost before the less volatile data. It is therefore essential to understand the order of volatility in order to safely acquire the contents of the RAM, by acquiring the more volatile data prior to acquiring the less volatile data residing in the memory.

The order of volatility can be understood with the help of the following figure:

Farmer, D. and Venema, W. 2005 proposed the life span of data residing in various sources. A table detailing the approximate life span of each type of stored data in various sources can be found below:


According to the figure above, the following information is obtained:
- Registers, cache: These are considered to be the most volatile, and it is very hard to collect the data residing in registers and cache. The data inside the registers and cache is believed to have a lifespan of nanoseconds.
Registers are memory cells on the processor that contain the temporary data needed by the CPU, specifically the ALU (Arithmetic Logic Unit), in order to execute a process. The processor loads, fetches and stores instructions in the various registers in its control unit in order to execute a process.
Cache is a kind of very expensive memory which is located between the CPU and the main memory. There are different types of cache, L1, L2 and L3, which come in sizes from kilobytes to megabytes. When a process is executed for the first time, it is loaded into the cache first and then onto the memory, and then it is executed. It makes the execution of processes faster by storing temporary information or bits of data from previously executed instructions or processes. Therefore, temporary information can be residing in the cache of the system which can be useful for the investigation.
- (Stokes, J. 2006)

- Memory or RAM: As the technology and speed of ICT increase day by day, the size of RAM is also increasing simultaneously. Nowadays, gigabytes of RAM are common and there are computers known to have 64 GB of memory, which can contain millions of files. The information in RAM can include temporary or recently viewed programs or files, websites visited, unencrypted passwords, clipboard data etc. Therefore, the temporary data that resides inside these large “temporary or volatile hard disks” can be very crucial for an investigation.
- Network State: This includes data residing in the routing table, ARP cache and network statistics. It is considered to be volatile, but data such as ports open and currently in use, active connections, IP and MAC addresses, messenger chats or logs, ARP entries and routes can also be found, traced and extracted using specialized tools (open source and commercial) discussed in the forthcoming chapter. The analysis of the network statistics reveals:
  •  unusual IP addresses and ports
  •  genuine connections on abnormal ports (established through commands like telnet, ssh, ftp and net use) or backdoors
- Running Processes: These are the processes that are running on the system. For each process this includes the process name, memory or CPU usage and the username that executed the process. This information can be useful in detecting whether suspicious programs such as rootkits, viruses or malware were running on the system.
- Temporary File Systems: The files which are actively used by the running computer and that can be useful for the investigation, such as the hiberfil.sys and pagefile.sys files.

The hiberfil.sys file contains the state of the computer when it prepares to enter, or is currently in, hibernation mode. It contains information such as user profile, preferences and recent file history.
The pagefile.sys file is the Windows swap file, which resides in the memory and contains or records temporary information on recently viewed programs, websites and user activity.
There are tools which can dump these active files and system profile information, such as OS type, last logon date and time, installed applications etc., which can later be analyzed as part of the investigation.

The tools, with screenshots, will be available in my next post... soon.

Hope you enjoyed reading, now looking forward to your feedback and recommendations.
