Wednesday, 23 July 2008

Evidence Collection and Volatility

Electronic evidence varies in its volatility. Some evidence (such as memory) is far less robust than other evidence (such as a backup tape or CD). For this reason, it is crucial to collect evidence in order from most to least volatile.

When two items of evidence are equally volatile, collect the one deemed most important first.

If a system is live, snapshot the memory and running processes. Collect all of the volatile evidence PRIOR to turning the host off. Once all the volatile evidence has been collected and it is time to shut the system down, do a hard shutdown (remove power rather than shutting down cleanly) where possible. In a clean shutdown the drive is written to: swap files are purged and TMP filesystems are cleansed.

When collecting evidence, do so in the following order:

  1. Memory (RAM, then other types such as flash)
  2. Swap and page file data
  3. Network information and tables (ARP entries, routing tables, DNS cache, etc.)
  4. Process tables and kernel statistics
  5. The TMP file system (temporary file systems)
  6. Disk blocks
  7. Remote logging and data from monitoring systems (e.g. external syslog)
  8. Physical configuration data and network topography, cabling, etc.
  9. External drive devices (e.g. flash drives, USB sticks, etc.)
  10. Backup media such as magnetic tapes
  11. CD-ROM, DVD-ROM (etc.) media types
  12. Other read-only media
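As an added example (not code from the original post), the following POSIX shell script walks the first five tiers of the list above on a live Linux-style host, from RAM down to the temporary filesystem, before any shutdown takes place. Each collector's output is saved to an evidence directory and a manifest line with a UTC timestamp, the tier number and a hash is appended, so the order of collection is recorded rather than remembered. The commands used (`ip`, `ss`, `ps`, the `/proc` files) are assumptions about the host; a collector that is not installed is written to the manifest as skipped, and the memory tier records statistics only, since a full RAM image needs a dedicated acquisition tool.

```shell
#!/bin/sh
# Added example, not the post's own code: minimal live-response collector that
# gathers volatile artifacts in order of volatility and keeps a hashed manifest.
# Assumes a Linux-style host with /proc; missing tools are logged, not ignored.

# hash_file FILE: SHA-256 via sha256sum (GNU) or shasum (BSD/macOS), cksum as a last resort.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# capture DIR TIER NAME CMD [ARGS...]: run one collector, save its output and
# append "timestamp tier name hash" to DIR/manifest.txt.
capture() {
    cap_dir=$1; cap_tier=$2; cap_name=$3; shift 3
    cap_out="$cap_dir/${cap_tier}-${cap_name}.txt"
    cap_stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$cap_out" 2>&1 || true   # a failing collector still leaves a record
        printf '%s %s %s %s\n' "$cap_stamp" "$cap_tier" "$cap_name" \
            "$(hash_file "$cap_out")" >>"$cap_dir/manifest.txt"
    else
        printf '%s %s %s SKIPPED(%s not found)\n' "$cap_stamp" "$cap_tier" \
            "$cap_name" "$1" >>"$cap_dir/manifest.txt"
    fi
}

# collect_volatile DIR: everything that is lost at power-off, most volatile first.
collect_volatile() {
    col_dir=$1
    mkdir -p "$col_dir"
    # tier 1: memory (statistics only; a full RAM image needs a dedicated tool)
    capture "$col_dir" 1 meminfo   cat /proc/meminfo
    # tier 2: swap / page file
    capture "$col_dir" 2 swaps     cat /proc/swaps
    # tier 3: network tables: ARP/neighbour cache, routes, live sockets
    capture "$col_dir" 3 arp       ip neigh show
    capture "$col_dir" 3 routes    ip route show
    capture "$col_dir" 3 sockets   ss -tunap
    # tier 4: process table and kernel statistics
    capture "$col_dir" 4 processes ps -eo pid,ppid,user,lstart,args
    capture "$col_dir" 4 loadavg   cat /proc/loadavg
    # tier 5: temporary filesystem listing (contents are copied separately if needed)
    capture "$col_dir" 5 tmp       ls -la /tmp
}

# manifest_tiers DIR: the tier column of the manifest, in collection order,
# e.g. "1 2 3 3 3 4 4 5" for a full run of collect_volatile.
manifest_tiers() {
    awk '{printf "%s%s", (NR > 1 ? " " : ""), $2}' "$1/manifest.txt"
}

# Usage: sh collect.sh run   (writes ./evidence-<UTC timestamp>/ in the current directory)
if [ "${1:-}" = "run" ]; then
    run_dir="./evidence-$(date -u +%Y%m%dT%H%M%SZ)"
    collect_volatile "$run_dir"
    echo "collection order: $(manifest_tiers "$run_dir")"
fi
```

The manifest is the part worth keeping: it shows the examiner gathered tier 1 before tier 3, and the per-file hash lets anyone later confirm the stored output is the one taken at that timestamp. Tiers 6 and below (disk blocks, remote logs, removable and read-only media) survive a hard power-off and are deliberately not touched by this script.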

Get the order wrong and at best you lose evidence; at worst, the evidence can be ruled inadmissible.
