The greatest challenge when collecting application and operating system data is that normally no single application is able to collect all of the data desired, and each additional application used in collection increases the investigator's interaction with the system and so causes greater adverse effects on it.
Understanding the exact nature of any application code added to memory while the remaining memory is being extracted is critical to answering any challenge that the evidence gleaned during capture was actually placed there by the collection agent application itself.
Key questions investigators must ask themselves include: Given the situation, will the case investigation benefit from the capture of physical memory? And can I capture this information in the least intrusive manner? Armed with the answers to these questions and an understanding of the effects their actions and tools have on the evidence, investigators can [...]
Tribble is a hardware expansion card designed to reliably acquire the volatile memory of a live system. Acquired memory is captured and extracted to a removable storage system. The hardware device accesses memory directly, and because it does not require software to be loaded on the target, it does not overwrite possible evidence.
When accessing volatile memory, one of the first things a computer forensics investigator may recall is the basic scientific principle that the very act of observing something changes it. There is certainly no exception to this principle in the case of accessing volatile memory.