Book Image

Practical Windows Forensics

Book Image

Practical Windows Forensics

Overview of this book

Over the last few years, the wave of the cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system operations, how to extract evident data from digital evidence, and the best usage of the digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.
Table of Contents (20 chapters)
Practical Windows Forensics
About the Authors
About the Reviewers

Chapter 3. Volatile Data Collection

This chapter is dedicated to some issues that are related to the acquisition of data, which has changed very fast. Due to its nature, it reflects the state of the system at a certain time because the collection of data takes place on a live system.

The Request for Comments RFC 3227 document provides a list of digital evidence and the order in which it should be collected. The main principle that should guide this is that the most rapidly changing data should be collected first.

The list of evidence from RFC comprises the following:

  • Registers and cache CPU

  • Routing table, ARP cache, process table, kernel statistics, and memory

  • Temporary filesystems

  • Disk

  • Remote logging and monitoring data that is relevant to the system's media

  • Physical configuration and network topology

  • Archival media

According to this list, the volatile data which should be collected first are memory and network related data.