When to perform live response?

Subject: Digital Forensics

Topic: Initial response and forensic duplication

Difficulty: High

1 Answer

We most frequently perform live responses, also called LRs, during an intrusion investigation.

However, it may be prudent to do so during other types of investigations.

We have five important factors to consider when deciding if a live response is appropriate in your current situation:

  1. Is there reason to believe volatile data contains information critical to the investigation that is not present elsewhere?

  2. Can the live response be run in an ideal manner, minimizing changes to the target system?

  3. Is the number of affected systems large, making it infeasible to perform forensic duplication on all of them?

  4. Is there risk that forensic duplication will take an excessive amount of time, or potentially fail?

  5. Are there legal or other considerations that make it wise to preserve as much data as possible?

There are also some potential downsides to performing a live response. The process may cause the system to crash or even destroy evidence. Be sure to evaluate the following questions to determine if the risk of performing the live response is too great:

• Have you tested the live response process on a similar system?

• Is the system particularly sensitive to performance issues?

• If the system crashes, what would the impact be?

• Have you communicated with all stakeholders and received their approval? In some cases, written approvals may be prudent.
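Factor 2 and the "have you tested the process" question both come down to having a collector that is small, runs from known-good binaries, writes only to the responder's own media, and records exactly what it did. The script below is an added example and is not part of the answer above or of any published toolkit. It assumes (hypothetically) that the response kit's binaries are mounted at `$LR_KIT` and that the output directory passed as `$1` is on the response drive, not on the target's disk. It collects volatile data most-volatile-first and writes a manifest with a timestamp, status and SHA-256 for every artifact, so a run on a test system can be compared against the run on the real one.

```shell
#!/bin/sh
# Added example: a minimal volatile-data collector that records what it did.
# Assumptions (not from the page): the responder's known-good tools are mounted
# at $LR_KIT, and $1 is a directory on the response drive, not the target disk.

# Prefer the response kit's binaries over the (possibly tampered) system ones.
PATH="${LR_KIT:-/mnt/ir/bin}:$PATH"
export PATH

# Hash a file with whatever SHA-256 tool the kit provides.
lr_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-hash-tool"
    fi
}

# lr_run OUTDIR NAME COMMAND [ARGS...]
# Runs one collection command, captures its output to OUTDIR/NAME.txt, and
# appends a manifest line: UTC timestamp, status, sha256 of the output, command.
# A tool missing from the target is logged rather than aborting the run.
lr_run() {
    outdir="$1"; name="$2"; shift 2
    out="$outdir/$name.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf 'tool not present on target: %s\n' "$1" > "$out"
        status="missing"
    elif "$@" > "$out" 2>&1; then
        status="collected"
    else
        status="failed"
    fi
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" \
        "$(lr_sha256 "$out")" "$*" >> "$outdir/manifest.txt"
}

# lr_collect OUTDIR
# Collects in order of volatility (most volatile first), brackets the run with
# timestamps, and prints the number of manifest entries written.
lr_collect() {
    outdir="$1"
    mkdir -p "$outdir"
    : > "$outdir/manifest.txt"
    lr_run "$outdir" 01_start     date -u
    lr_run "$outdir" 02_uptime    uptime
    lr_run "$outdir" 03_users     who
    lr_run "$outdir" 04_processes ps -ef
    lr_run "$outdir" 05_sockets   ss -tunap
    lr_run "$outdir" 06_routes    ip route
    lr_run "$outdir" 07_arp       ip neigh
    lr_run "$outdir" 08_mounts    mount
    lr_run "$outdir" 09_kernel    uname -a
    lr_run "$outdir" 10_end       date -u
    wc -l < "$outdir/manifest.txt" | tr -d ' '
}

# Stand-alone use (hypothetical path): sh collect.sh /mnt/ir/case42/host01
if [ "$#" -gt 0 ]; then
    lr_collect "$1"
fi
```

Nothing here writes to the target's own filesystem except what the shell and the listed commands touch on their own, which is the kind of footprint the answer's second factor asks you to minimise; the manifest is what lets you show a stakeholder, before the real run, exactly what the process did on the similar system you tested it on.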
