Computer Forensics: Live vs. Postmortem Forensics

Live and Postmortem Forensics
  • Live Forensics

    • System is running and logged in.

    • Attach external storage or connect to network share.

    • Capture data, including RAM and hard disk.

  • Postmortem Forensics

    • System is powered off.

    • Remove hard drive and image it with a write-blocker.

    • Does not capture RAM.

Advantages of Live Forensics
  • Can capture RAM.

  • Essential for capturing malware in RAM and recovering passwords from RAM.

Risks of Live Forensics
  • Remote wipe possible if system is networked.

  • Examiner actions may overwrite data, causing data loss.

  • IR teams focus on rootkits and malware.

  • RAM is often more important in IR investigations.

Imaging the Hard Drive
  • Image live to preserve state; do this before any analysis so that files and timestamps are not changed.

When Live Forensics is the Best Option
  • Live Imaging

  • Incident Response

  • Malware Analysis

  • Encrypted Systems

  • Nonsupported File Systems

  • Enterprise Forensic Tools

Live Imaging
  • Copying a hard drive while the system is running.

  • Required when system downtime is not an option.

  • Easier for RAID/SAN storage: imaging the drives offline runs into driver issues and difficulty recreating the array.

Minimizing Impact
  • Run tools and store evidence on external storage.

  • Minimizes impact on the evidence system.

Incident Response
  • Investigation after a security incident (breach, malware).

  • DFIR (Digital Forensics / Incident Response)

Incident Response Details
  • Live forensics needed to track attackers via memory and network activity.

  • Postmortem forensics may be used later.

Malware Analysis
  • Inspect system memory to see malware actions.

  • Captured memory can be parsed; malware cannot hide its actions in a captured memory image.

Encrypted Systems
  • Image the running OS while its volumes are mounted in decrypted form, without needing the encryption keys.

  • Encryption keys may be in memory.

Nonsupported File Systems
  • Traditional image may be useless; back up the live system to intermediary storage.

  • Document unusual procedures.

  • Updated tools support more legacy systems.

Enterprise Forensic Tools
  • Deploy agents to collect data, which is live forensics.

  • An agent loaded before the incident has less effect on the evidence.

Memory Dumping
  • Must be administrator/root.

  • Use 64-bit tools for 64-bit systems; results vary slightly.

Memory Dumping from Windows
  • Tools: Memoryze, Mdd, DumpIt, FTK Imager.

Memory Dumping from Linux
  • dd (older kernels only)

  • Fmem (creates /dev/fmem for imaging with dd)

  • Second Look (commercial tool)

Memory Analysis Tools
  • Tools: Volatility (free, Kali Linux), FTK, Memoryze.

Live Disk Imaging Tools
  • Caution: System may be untrustworthy; use tools from external media.

  • Windows: FTK Imager Lite (free, no install).

  • Linux: dd (or dcfldd with hashes).
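An added example, not part of these notes: a POSIX shell acquisition helper that images a source with dd, hashes source and image with SHA-256, and records both in a log, which is the verification step dcfldd automates. The file names and the 4 KiB "device" file are constructed for the demo; in the field the source is a block device and the destination sits on external storage.

```shell
#!/bin/sh
# Added example (not from the slides): dd acquisition with hash verification
# and an acquisition log. Paths and the demo "device" are constructed.
set -u

hash_file() {
  # SHA-256 of a file: coreutils sha256sum, or shasum as a fallback
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# acquire_image SOURCE DEST LOG
# Images SOURCE to DEST, hashes both, appends the result to LOG.
# Returns 0 when the image hash matches the source hash, 1 otherwise.
acquire_image() {
  src=$1; dest=$2; log=$3
  # conv=noerror,sync keeps going past read errors and zero-fills the bad
  # block; bs=512 keeps that padding sector-aligned, so a clean read yields
  # a byte-identical image. dd's own messages go to the log, not the screen.
  dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || return 1
  src_hash=$(hash_file "$src")
  img_hash=$(hash_file "$dest")
  {
    echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "source:   $src  sha256=$src_hash"
    echo "image:    $dest  sha256=$img_hash"
  } >>"$log"
  [ "$src_hash" = "$img_hash" ]
}

# Demo on a constructed 4 KiB "device" (8 sectors of random bytes).
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/fake_device" bs=512 count=8 2>/dev/null
if acquire_image "$demo_dir/fake_device" "$demo_dir/evidence.dd" \
     "$demo_dir/acquisition.log"; then
  echo "image verified"; cat "$demo_dir/acquisition.log"
else
  echo "hash mismatch: image is not a faithful copy" >&2
fi
```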

Advantages of Postmortem Forensics
  • Low risk: system off, no external threats, no credentials needed (unless encrypted).

Risks of Postmortem Forensics
  • Imaging errors (e.g., no write-blocker).

  • Such errors are heavily scrutinized.

RAM Data in a Disk Image
  • Core dumps

  • Hibernation files

Core Dumps
  • Windows crashes save some memory on disk (not complete).

Core Dump Files
  • Windows: .DMP files; Linux: core files.

Hibernation Files
  • Hiberfil.sys contains RAM copy from hibernation.