Previous exercises have looked at:
- Acquiring evidence through the use of a number of imaging techniques.
- Carving files out of image data, again using a variety of techniques. These techniques can be used for recovering both existing and deleted files.
- Finding hidden data through searches of file names and text strings.
- Time-line analysis of activity through the use of Autopsy.
All of these tools and techniques have been focussed on non-volatile data, that is, data saved on some type of storage medium (hard disk, USB pen drive, etc.).
However, there are other techniques that can be used to capture volatile data: the data that exists only in the memory of the device while it is running. Note that capturing memory means running an acquisition tool on the live system, so the act of acquisition itself changes some of what is in RAM; the tool used and the time of capture should therefore be recorded.
Looking at computing devices, there are essentially two principal sources from which data can be acquired. The first is the storage devices, where evidence can be found in plain sight, in hidden form, or as deleted files.
The second source is the RAM of the computer. Memory is classed as volatile because when the computer is switched off (or simply rebooted), the record of what the computer was doing at that moment is lost. That record can include a great deal of valuable information, such as:
- The list of all processes that happened to be loaded into RAM at the time, for example:
  - Malware loaded inadvertently or deliberately by the user, e.g. viruses.
  - Hacking tools loaded deliberately by the user, for example sniffing programmes or key-loggers.
- Hashed passwords, which it may be necessary to crack if a user has tried to block access to investigators.
- Network connections to the outside world, which may reveal the source of an attack or of malware, or places where data might be hidden.
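As an added example (not part of the exercise notes), the Python script below shows what a first, crude pass over a raw memory image can recover from the categories listed above: it extracts printable strings in the manner of the strings(1) tool used in the earlier file-name and string searches, then picks out command lines of running programs, socket strings giving outside connections, and crypt-style password hashes. The memory image is a constructed byte string embedded in the script (the process names, addresses and hash in it are made up); a real dump is passed as a file path on the command line.

```python
"""Crude triage of a raw memory image: string extraction plus pattern matching.

Added example, not from the exercise notes. The sample image below is
constructed for this script; pass the path of a real memory dump instead.
"""
import re

# Constructed sample standing in for a fragment of a RAM image. It mixes
# non-printable filler with a few artefacts of the kinds described above:
# process command lines, a socket string and a crypt-style password hash.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"sshd\x00/usr/sbin/sshd -D\x00"
    + b"\xff\x13\x37" * 5
    + b"keylogger.py\x00python3 /tmp/keylogger.py\x00"
    + b"\x00" * 8
    + b"tcp 192.168.1.20:49152 -> 203.0.113.7:4444 ESTABLISHED\x00"
    + b"\x90" * 12
    + b"bob:$6$saltsalt$" + b"qwertyuiopasdfghjklzxcvbnm0123456789" * 2 + b"\x00"
    + b"\x00" * 16
)

# A string containing an absolute path is treated as a candidate command line.
HAS_ABS_PATH = re.compile(r"(?:^|\s)/[\w./-]+")
# IPv4 address with a port, as found in socket and connection tables.
SOCKET = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
# Modular crypt format: $id$salt$hash, e.g. the $6$ (SHA-512) form from /etc/shadow.
CRYPT_HASH = re.compile(r"\$[0-9a-z]{1,3}\$[^$\s:]{1,16}\$[A-Za-z0-9./]{20,}")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of strings(1): runs of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_artefacts(data: bytes) -> dict:
    """Classify extracted strings into the volatile artefact types listed in the notes."""
    found = {"command_lines": [], "sockets": [], "hashes": []}
    for s in extract_strings(data):
        if HAS_ABS_PATH.search(s):
            found["command_lines"].append(s)
        for ip, port in SOCKET.findall(s):
            # Reject digit runs that merely look like addresses (octets > 255 etc.).
            if all(int(o) <= 255 for o in ip.split(".")) and int(port) <= 65535:
                found["sockets"].append(f"{ip}:{port}")
        found["hashes"].extend(CRYPT_HASH.findall(s))
    return found


if __name__ == "__main__":
    import sys

    # Scan the image named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for kind, items in find_artefacts(data).items():
        print(kind)
        for item in items:
            print("   ", item)
```

String scanning only recovers artefacts that happen to sit in memory as readable text, and it produces false positives (any four printable bytes become a "string"). Dedicated memory-analysis tools instead parse the operating system's own in-memory structures, such as the process list and socket tables, which is how a reliable process or connection listing is obtained; the scan above is a quick triage step, not a substitute.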