Automated Live Acquisition of Volatile Data : Through the use of a programmable HID control chip

Berggren, Tommy, Denham-Smith, Adam

January 2013

This research lays a foundation for automated acquisition of volatile data by presenting a prototype device which carries out the deeds of a forensic investigator, essentially making it a “forensic investigator on a stick”. The Teensy 3.0 device is programmed to interact with an external USB device for storage purposes. All interaction with a live target system must be documented thoroughly according to forensic best practices. Therefore quantitative measurements of system contamination related to the device actions are presented. The device is conclusively able to perform a memory dump and provide a warning of the existence of Truecrypt encrypted containers.

Automation

Live Acquisition

Volatile Data

Truecrypt

Memory Dump

Teensy

Enhancing the Admissibility of Live Box Data Capture in Digital Forensics: Creation of the Live Box Computer Preservation Response (LBCPR) and Comparative Study Against Dead Box Data Acquisition

Emilia Mancilla (14202911)

05 December 2022

<p>There are several techniques and methods on how to capture data during a Live Box response in computer forensics, but the key towards these acquisitions is to keep the collected data admissible in a judicial court process. Different approaches during a Live Box examination will lead to data changes in the computer, due to the volatile nature of data stored in memory. The inevitable changes of volatile data are what cause the controversy when admitting digital evidence to court room proceedings.</p> <p>The main goal of this dissertation was to create a process model, titled Live Box Computer Preservation Response(LBCPR), that would assist in ensuing validity, reliably and accuracy of evidence in a court of law. This approach maximizes the admissibly of digital data derived from a Live Box response. </p> <p>The LBCPR was created to meet legal and technical requirements in acquiring data from a live computer. With captured Live Box computer data, investigators can further add value to their investigation when processing and analyzing the captured data set, that would have otherwise been permanently unrecoverable upon powering down the machine. By collecting the volatile data prior to conducting Dead Box forensics, there is an increased amount of information that that can be a utilized to understand the state of the machine upon collection when combined with the stored data contents. </p> <p>This study created a comparative analysis on data collection with the LBCPR method versus traditional Dead Box forensics techniques, further proving the expected results of Live Box techniques capturing volatile data. However, due to the structure of the LBCPR, there were enhanced capabilities of obtaining value from the randomization of memory dumps, because of the assistance of the collected logs in the process model. In addition, with the legal admissibility focus, there was incorporation of techniques to keep data admissible in a court of law. </p>

Digital forensics

digital forensics

live box

dead box

LBCPR

process model

Incident Response

volatile data

admissibility of evidence