Week 6 - Live Data Forensics Flashcards

1
Q

What is Live Data Forensics and Why Do We Do It?

A

Live data forensics is the process of examining or imaging a device while the device is still connected to power and running. It can capture the contents of RAM, cloud storage and encrypted data.
Because the system is running, the data is in a volatile state, meaning it is constantly changing. This makes it a potentially dangerous process.
(Remember that RAM may contain passwords, chat history and clipboard contents.)

We might need to do it if the machine is encrypted and shutting off the power would prevent any access to the data.

Or in critical server-level investigations where it is impossible to switch off or seize the device.

Or where we need to obtain information from cloud storage, or passwords.

Or when speed is a necessity (e.g. life at risk), since post-mortem (PM) forensics is much slower.

Encryption and cloud storage are increasing: programs like TrueCrypt are readily available and allow whole-disk encryption or encryption of individual volumes. Post-mortem forensics will not capture this, but Live Data Forensics will if the encrypted volumes are open.

Many people use online storage (e.g. Google, Dropbox etc.), but often no local copy is kept on the local drive. PM forensics will therefore not obtain this data, even if PMF tells us it was there because the storage had previously been mounted. LDF will capture it.

2
Q

What are the negatives of LDF?

A

The data is volatile. Every action taken during LDF alters the contents of the suspect's machine.

There is a risk of remote wiping or scheduled wiping occurring while the machine is running.

The person conducting it must be an expert who understands exactly what they are doing and what the potential repercussions are.
