Capture Volatile Memory

Nihad Ahmad Hassan, Rami Hijazi, in Data Hiding Techniques in Windows OS, 2017

Data is considered volatile when it will be lost once a machine is powered off or rebooted. Volatile memory analysis has become a significant part of digital investigation because some digital evidence resides only in physical memory (RAM), with nothing written to the hard disk that indicates its presence.

Preparing Your Forensic Environment

In Virtualization for Security, 2009

Before capturing the suspect's machine and creating images, you should prepare a computer for use as your forensic system. The computer should be the fastest computer you can find, with USB 2.0 ports, FireWire, or the ability to connect IDE, SATA, or PATA drives without opening the case, a large, fast internal hard drive, and an external hard drive large enough to house several of the biggest hard drives found in your environment. If you are working in a forensic lab where you can segregate your networks, the hard drives could be networked drives or SANs. These hard drives should be single-purpose and should not be used for any other storage. When cases are removed from the hard drive, you will want to use a secure delete utility such as sdelete for Windows, shred (RHEL), gshred (Solaris), or scrub (erase partition) for Unix, or the Secure Empty Trash option on a Mac, to ensure that no vestigial data remains. Some have argued that every case requires new hard drives. In some cases (for example, cases involving government-classified "above secret" material, or cases where you attempt to recover previously overwritten data) you should use new hard drives for each case.

The computer and your VM environment should be secured against external and internal attacks, and particularly against attacks from within the virtual system. For VMware you can find guidance for this process in the VMware security guide or in the ESX Server Security Technical Implementation Guide produced by the Defense Information Systems Agency in April 2008. Once you have secured the system, it will be useful to create a Live-CD of the system similar to the one created by Ernie Baca. Baca developed the Penguin Sleuth Kit and later made a VMware version and placed the VM appliance and documentation on the VMware site.

Once the system is assembled, you should create an inventory of all systems, applications, and hardware used. This inventory should be placed under configuration control so that as you make changes you simultaneously update the documentation. Each case file should include a copy of the inventory document as it existed during the investigation (for reproducibility). To be effective and to limit challenges, you must be able to build and update the Live-CD as patches are made available for the software you use.
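A concrete form of the volatile-evidence point made in the Capture Volatile Memory excerpt, as an added example that is not code from either book: a small Linux tool that walks /proc/<pid>/maps, copies every readable mapping out of /proc/<pid>/mem into an image, and hashes the image for the case record. Run against itself it plants a string that exists only in its own heap and then finds that string in the capture, which is exactly the kind of evidence a disk image never shows. Assumptions: Linux, and ptrace rights over the target (your own process, root, or CAP_SYS_PTRACE); SAMPLE_MAPS is a constructed maps excerpt, and the /tmp output path is an illustrative choice.

```python
"""Capture the readable memory of a live Linux process through /proc.

Added example, not from the book excerpts above. Linux only: it reads
/proc/<pid>/maps and /proc/<pid>/mem, which needs ptrace rights on the target
(your own process, root, or CAP_SYS_PTRACE)."""
import hashlib
import os
import re
import sys
from dataclasses import dataclass

# One mapping per line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)
MAX_REGION = 1 << 30  # skip pathological reservations larger than 1 GiB

# Constructed sample of /proc/<pid>/maps output (not taken from a real system).
SAMPLE_MAPS = (
    "55d5c3a00000-55d5c3a21000 r--p 00000000 08:02 1311    /usr/bin/python3.10\n"
    "7f0a1c000000-7f0a1c021000 rw-p 00000000 00:00 0\n"
    "7ffd1e3c8000-7ffd1e3e9000 rw-p 00000000 00:00 0          [stack]\n"
    "7ffd1e3f5000-7ffd1e3f9000 r--p 00000000 00:00 0          [vvar]\n"
    "7ffd1e3f9000-7ffd1e3fb000 r-xp 00000000 00:00 0          [vdso]\n"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous mappings

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list:
    """Parse /proc/<pid>/maps text into Region objects; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions


def capturable(region: Region) -> bool:
    """Readable, not the kernel-owned [vvar]/[vsyscall] pages (reads there fail), not absurdly large."""
    return (region.perms.startswith("r")
            and region.path not in ("[vvar]", "[vsyscall]")
            and region.size <= MAX_REGION)


def dump_process(pid: int, out_path: str) -> tuple:
    """Write every capturable region of `pid` to out_path; return (bytes_written, sha256 hex)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = [r for r in parse_maps(f.read()) if capturable(r)]
    digest = hashlib.sha256()
    written = 0
    with open(f"/proc/{pid}/mem", "rb", 0) as mem, open(out_path, "wb") as out:
        for r in regions:
            try:
                mem.seek(r.start)
                chunks, remaining = [], r.size
                while remaining:  # the raw read may be short, so loop until the region is done
                    buf = mem.read(remaining)
                    if not buf:
                        break
                    chunks.append(buf)
                    remaining -= len(buf)
            except (OSError, OverflowError):
                continue  # region unmapped meanwhile, or not readable through /proc: skip it whole
            data = b"".join(chunks)
            out.write(data)
            digest.update(data)
            written += len(data)
    return written, digest.hexdigest()


def find_marker(blob: bytes, marker: bytes) -> list:
    """Every offset at which `marker` occurs in a captured image."""
    hits, i = [], blob.find(marker)
    while i != -1:
        hits.append(i)
        i = blob.find(marker, i + 1)
    return hits


if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    # A value that exists only in this process's heap; the script never writes it to disk.
    marker = b"RAM-ONLY-" + os.urandom(8).hex().encode()
    out = f"/tmp/pid{pid}.mem"  # illustrative output location
    nbytes, sha = dump_process(pid, out)
    print(f"captured {nbytes} bytes from pid {pid} -> {out} sha256={sha}")
    if pid == os.getpid():
        with open(out, "rb") as f:
            hits = find_marker(f.read(), marker)
        print(f"marker present at {len(hits)} offset(s) in the capture")
```

Record the hash alongside the image in the case file. A capture of a running process is never bit-for-bit repeatable, so the hash documents what was collected, not that a second run would match; collect memory before anything else is done to the system.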
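The secure-delete step for the dedicated evidence drive, as an added example rather than any of the utilities the excerpt names: each file is overwritten in place with random data, synced, renamed to a random name so the original file name leaves directory metadata too, unlinked, and the emptied tree removed; a final check confirms nothing is left. The case tree it wipes in demo mode is constructed inside a temporary directory. One caveat the 2009 text predates: overwriting in place only reaches the old data where the file system rewrites the same blocks, so on SSDs and on journaling or copy-on-write file systems prefer whole-device sanitization, or fresh drives as the excerpt advises for sensitive cases.

```python
"""Sanitize case data from a dedicated evidence drive before the next case.

Added example, not from the book. Overwrite-in-place is only meaningful where
the file system rewrites the same blocks (not SSDs, journaling or COW volumes);
there, sanitize the whole device instead."""
import os
import secrets
import shutil
import sys
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB writes


def overwrite_file(path, passes=1):
    """Overwrite `path` in place with random data `passes` times; return bytes written."""
    p = Path(path)
    size = p.stat().st_size
    written = 0
    with open(p, "r+b") as f:  # buffered: write() always completes a full chunk
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # force the overwrite out of the page cache
    return written


def wipe_file(path, passes=1):
    """Overwrite, then unlink under a random name so the original name is gone from the directory."""
    written = overwrite_file(path, passes)
    p = Path(path)
    anon = p.with_name(secrets.token_hex(8))
    p.rename(anon)
    anon.unlink()
    return written


def wipe_case_dir(case_dir, passes=1):
    """Wipe every regular file under case_dir and remove the tree; return (files, bytes)."""
    root = Path(case_dir)
    files = bytes_written = 0
    for dirpath, _, names in os.walk(str(root)):
        for name in names:
            fp = Path(dirpath) / name
            if fp.is_symlink() or not fp.is_file():
                continue  # never follow links out of the case tree
            bytes_written += wipe_file(fp, passes)
            files += 1
    shutil.rmtree(root)
    return files, bytes_written


def remaining_files(case_dir):
    """Regular files still present under case_dir (expected: none after a wipe)."""
    root = Path(case_dir)
    return sorted(str(p) for p in root.rglob("*") if p.is_file()) if root.exists() else []


def demo(passes=1):
    """Build a constructed case tree in a temp dir, wipe it, report what is left."""
    base = Path(tempfile.mkdtemp(prefix="evidence-"))
    case = base / "case-0001"
    (case / "images").mkdir(parents=True)
    (case / "images" / "disk0.dd").write_bytes(b"\x00" * 4096 + b"suspect-data" * 100)
    (case / "notes.txt").write_text("chain of custody notes\n")
    (case / "empty.bin").write_bytes(b"")
    files, written = wipe_case_dir(case, passes)
    result = {"files": files, "bytes": written,
              "remaining": remaining_files(case), "case_exists": case.exists()}
    shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    # usage: python wipe_case.py <case_dir> [passes]   (no arguments runs the constructed demo)
    if len(sys.argv) > 1:
        print(wipe_case_dir(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1))
    else:
        print(demo())
```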
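The inventory-under-configuration-control step, as an added example that is not the book's own tooling: the tool binaries the workstation relies on are fingerprinted by SHA-256, the result is diffed against a stored baseline so that any drift (a patched shred, a new utility) is noticed and acknowledged before a case starts, and a copy named by the inventory's digest is filed with the case so the case file carries the inventory exactly as it existed. TOOL_PATHS and the baseline file name are hypothetical choices, and SAMPLE_BASELINE / SAMPLE_CURRENT are constructed inventories used to exercise the diff.

```python
"""Keep the forensic workstation's tool inventory under configuration control.

Added example, not from the book. Fingerprints the listed tool binaries, diffs
against a stored baseline, and files a digest-named copy with the case."""
import hashlib
import json
import os
import platform
import sys
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical tool list and baseline location; adjust to the workstation in use.
TOOL_PATHS = ["/usr/bin/dd", "/usr/bin/shred", "/usr/bin/sha256sum", "/usr/bin/strings"]
BASELINE = Path("inventory-baseline.json")

# Constructed inventories: shred changed, strings was added, dd is unchanged.
SAMPLE_BASELINE = {
    "host": {"platform": "Linux-5.15.0-x86_64"},
    "tools": {
        "/usr/bin/dd": {"size": 1000, "sha256": "a" * 64, "mtime": 1},
        "/usr/bin/shred": {"size": 2000, "sha256": "b" * 64, "mtime": 1},
    },
}
SAMPLE_CURRENT = {
    "tools": {
        "/usr/bin/shred": {"size": 2048, "sha256": "c" * 64, "mtime": 2},
        "/usr/bin/dd": {"size": 1000, "sha256": "a" * 64, "mtime": 1},
        "/usr/bin/strings": {"size": 300, "sha256": "d" * 64, "mtime": 2},
    },
    "host": {"platform": "Linux-5.15.0-x86_64"},
}


def file_record(path):
    """Size, SHA-256 and mtime of one tool binary."""
    p = Path(path)
    st = p.stat()
    return {"size": st.st_size,
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "mtime": int(st.st_mtime)}


def build_inventory(tool_paths):
    """Fingerprint every existing tool plus the host it runs on."""
    return {
        "generated": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "host": {"platform": platform.platform(), "python": platform.python_version()},
        "tools": {p: file_record(p) for p in tool_paths if os.path.isfile(p)},
    }


def inventory_digest(inv):
    """Digest of the configuration (host + tools) only: key order and timestamp do not matter."""
    material = {"host": inv.get("host", {}), "tools": inv.get("tools", {})}
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_inventories(baseline, current):
    """Tools added, removed, or whose sha256 changed since the baseline."""
    b, c = baseline["tools"], current["tools"]
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "changed": sorted(p for p in set(b) & set(c) if b[p]["sha256"] != c[p]["sha256"]),
    }


def has_drift(delta):
    return any(delta.values())


def file_with_case(inv, case_dir):
    """Write the inventory into the case folder, named by its digest; return (path, digest)."""
    digest = inventory_digest(inv)
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    out = case_dir / f"inventory-{digest[:16]}.json"
    out.write_text(json.dumps(inv, indent=2, sort_keys=True))
    return out, digest


if __name__ == "__main__":
    # usage: python inventory.py <case_dir> [--accept]   (--accept promotes the current state to baseline)
    case_dir = sys.argv[1] if len(sys.argv) > 1 else "case-0001"
    current = build_inventory(TOOL_PATHS)
    if BASELINE.exists():
        delta = diff_inventories(json.loads(BASELINE.read_text()), current)
        if has_drift(delta) and "--accept" not in sys.argv:
            print("inventory drift since baseline; review, then re-run with --accept:", json.dumps(delta))
            sys.exit(1)
    BASELINE.write_text(json.dumps(current, indent=2, sort_keys=True))
    path, digest = file_with_case(current, case_dir)
    print(f"inventory {digest} filed as {path}")
```

Refusing to start a case on unacknowledged drift is the point of the exit code: the documentation is updated at the same moment the configuration changes, and the digest in the case file ties the investigation to one specific tool set.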