RE: Imaging a "live" system

From: crazytrain.com (subscribeat_private)
Date: Tue Jun 18 2002 - 07:41:45 PDT


Carv

> I'm still not all that clear on _why_ you'd ever want
> to perform imaging of a "live" system.  I can see why
> one would want to collect volatile data from the
> system, and then perhaps (based on decisions made
> regarding the situation) move on to disconnecting the
> system, and then imaging the drive.

It just depends.  Sometimes collecting volatile info only becomes tedious and cumbersome, and really puts your footprints all over the system (more so than just imaging the live system).


> Agreed.  However, I think we need to address the issue
> of methodologies...like develop one.  From my
> perspective at this point, very few admins are
> collecting this information.

I'm not sure about admins and what they're doing.  From the investigative side I think some folks are doing it right.  Methodologies do exist in various formats for a) steps to be taken, b) tools to use, c) chain of custody for evidence, etc., for both live and post-mortem analysis.  Data forensics has been going on for a long time now, and when looking at a stand-alone PC or a simple server that's a no-brainer.  The toughies are now the handhelds and other non-standard PC devices that contain electronic data, as well as mainframes, mid-frames, etc.


As for tools . . . I think it would be 'difficult' for a tool to grab all necessary volatile info - especially an automated one.  The nuances between operating systems, running applications, etc. are many.  This is why I prefer to create an image of a live system sometimes first, then do my analysis on the running system for key volatile info (connections, processes, swap), documenting as I go (both in notes and in photo/video), then shut down the suspect machine if I can.


farmerdude
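As an added illustration of the "collect volatile info, documenting as I go" step described above (this is example code, not part of farmerdude's message or any tool he names), the sketch below captures the usual volatile items in roughly their order of volatility (processes and connections first, then mounts and swap), and for each capture records the command line, its exit status, a UTC timestamp and a SHA-256 digest of the output in a collection log, so the notes can later be checked against the files. It assumes a Unix-like host with `ps`, `ss` or `netstat`, a `/proc` filesystem and either `sha256sum` or `shasum`; the function names `collect_volatile`, `capture`, `hash_file`, `verify_collection` and `entry_count` are hypothetical. A command that is missing on the host still produces an entry (with its error text and a non-zero `rc`), which is itself worth documenting.

```shell
#!/bin/sh
# Added example (not from the original post): volatile-data collection with a
# hashed collection log. Write OUTDIR on removable media or a network share,
# never on the suspect disk, to keep the footprint on the evidence small.

# hash_file FILE : SHA-256 digest of FILE, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-hash-tool"
    fi
}

# capture OUTDIR LABEL CMD : run CMD via /bin/sh, save output to OUTDIR/LABEL.txt
# and append "timestamp label rc=N sha256=HEX command" to the collection log.
capture() {
    outdir="$1"; label="$2"; cmd="$3"
    out="$outdir/$label.txt"
    rc=0
    /bin/sh -c "$cmd" > "$out" 2>&1 || rc=$?
    digest=$(hash_file "$out")
    printf '%s %s rc=%s sha256=%s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$rc" "$digest" "$cmd" \
        >> "$outdir/collection.log"
}

# collect_volatile OUTDIR : the capture sequence, most volatile first.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    : > "$outdir/collection.log"
    capture "$outdir" date_start  "date -u +%Y-%m-%dT%H:%M:%SZ"
    capture "$outdir" processes   "ps -eo pid,ppid,user,lstart,args"
    capture "$outdir" connections "ss -tunap 2>/dev/null || netstat -tunap"
    capture "$outdir" mounts      "cat /proc/mounts"
    capture "$outdir" swaps       "cat /proc/swaps"
    capture "$outdir" uptime      "cat /proc/uptime"
    capture "$outdir" date_end    "date -u +%Y-%m-%dT%H:%M:%SZ"
}

# entry_count OUTDIR : number of entries in the collection log.
entry_count() {
    wc -l < "$1/collection.log" | tr -d ' '
}

# verify_collection OUTDIR : re-hash every captured file against the log.
# Returns 0 when all digests match, 1 (and prints the labels) otherwise.
verify_collection() {
    outdir="$1"
    mismatches=0
    while read -r ts label rcf digestf rest; do
        expected=${digestf#sha256=}
        actual=$(hash_file "$outdir/$label.txt")
        if [ "$expected" != "$actual" ]; then
            echo "MISMATCH: $label (logged $expected, now $actual)"
            mismatches=$((mismatches + 1))
        fi
    done < "$outdir/collection.log"
    [ "$mismatches" -eq 0 ]
}

# Usage: collect_volatile /media/evidence/case01 && verify_collection /media/evidence/case01
```

The log is deliberately plain text: the timestamps bracket the collection window that the notes and photos refer to, and `verify_collection` gives a quick way to show that the files handed over are the ones hashed at the scene.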
    
    
    
    
    


