Abstract
The common and best practice for conducting a forensic examination is to create a bit-by-bit copy of the storage device you are about to examine and then analyze the copy. Working in this manner ensures that the original storage device is not contaminated and can even provide performance benefits. This chapter begins by describing how to create this bit-by-bit copy, called a disk image, using the tool Forensic ToolKit (FTK) Imager on a running or turned-off computer. The chapter then describes how to collect volatile data, including taking a memory dump and extracting registry hives from a Windows computer during a live examination. At times, you find a computer that is turned on but cannot extract any data from it because it is logged out or in a similar state. In those cases, it is possible to extract information from memory using invasive techniques. This chapter introduces two such techniques, the direct memory access (DMA) attack and the cold boot attack. At the end of the chapter, some constraints and considerations relating to analyzing running machines during house searches are presented.
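The abstract's central point is that the examiner works on a verified bit-by-bit copy rather than on the evidence device. The following Python script is an added example, not code from the chapter or from FTK Imager: it copies a source block by block, hashes the source while reading it, then independently re-hashes the finished image so the two digests can be compared and recorded. The "device" it images is a constructed sample file written to a temporary directory, and the function names are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 64 * 1024  # copy granularity; a production imager would use larger blocks


def image_device(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy source_path into image_path block by block.

    The source is opened read-only (the evidence device is never written to).
    The SHA-256 of the source is computed from the bytes as they are read, and
    the finished image is then re-read from disk and hashed separately, so the
    two digests are derived from two independent reads.
    Returns (bytes_copied, source_sha256, image_sha256).
    """
    source_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            source_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on stable storage before hashing it
    return copied, source_hash.hexdigest(), hash_file(image_path, block_size)


def hash_file(path, block_size=BLOCK_SIZE):
    """SHA-256 of a file read from disk, used for the verification pass."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_sample_device(path):
    """Write a constructed fake 'device': a placeholder boot sector followed by
    a deterministic pattern whose length is not a multiple of BLOCK_SIZE, so the
    final partial block is exercised. Sample data, not a real disk."""
    data = b"CONSTRUCTED-BOOT-SECTOR".ljust(512, b"\x00") + bytes(range(256)) * 4097
    with open(path, "wb") as fh:
        fh.write(data)
    return data


def demo():
    """Image the constructed sample device and report both digests."""
    workdir = tempfile.mkdtemp(prefix="imaging-demo-")
    device = os.path.join(workdir, "fake-device.bin")
    image = os.path.join(workdir, "fake-device.dd")
    data = make_sample_device(device)
    copied, source_sha, image_sha = image_device(device, image)
    expected = hashlib.sha256(data).hexdigest()
    return {
        "bytes": copied,
        "expected_bytes": len(data),
        "source_sha256": source_sha,
        "image_sha256": image_sha,
        "expected_sha256": expected,
        "match": source_sha == image_sha == expected,
    }


if __name__ == "__main__":
    result = demo()
    print(f"copied {result['bytes']} bytes")
    print(f"source sha256: {result['source_sha256']}")
    print(f"image  sha256: {result['image_sha256']}")
    print("VERIFIED" if result["match"] else "MISMATCH")
```

The two-pass design matters more than the hashing itself: a digest computed only from the bytes in memory says nothing about what actually reached the image file, so the image is re-read from disk before its hash is recorded alongside the acquisition notes.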
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kävrestad, J., Birath, M., Clarke, N. (2024). Collecting Data. In: Fundamentals of Digital Forensics. Texts in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-031-53649-6_11
DOI: https://doi.org/10.1007/978-3-031-53649-6_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-53648-9
Online ISBN: 978-3-031-53649-6
eBook Packages: Computer Science (R0)